hyperledger / cacti

Hyperledger Cacti is a new approach to the blockchain interoperability problem
https://wiki.hyperledger.org/display/cactus
Apache License 2.0

fix(weaver): uncontrolled Resource Consumption in promhttp CVE-2022-21698 #2918

Open petermetz opened 9 months ago

petermetz commented 9 months ago
  1. Fix the vulnerability: Uncontrolled Resource Consumption in promhttp
    • https://github.com/hyperledger/cacti/security/dependabot/595

github.com/prometheus/client_golang (Go) · weaver/samples/fabric/go-cli/go.mod

Dependabot encountered the following error: go: github.com/hyperledger/cacti/weaver/common/protos-go@v1.5.4: reading github.com/hyperledger/cacti/weaver/common/protos-go/go.mod at revision weaver/common/protos-go/v1.5.4: unknown revision weaver/common/protos-go/v1.5.4

Impact HTTP server susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods.

Weaknesses

  • CWE-400
  • CWE-772

CVE ID: CVE-2022-21698
GHSA ID: GHSA-cg3q-j54f-5p7p

cc: @VRamakrishna @sandeepnRES

Depends on https://github.com/hyperledger/fabric-sdk-go/issues/284
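The impact statement above (unbounded label cardinality from attacker-chosen HTTP method strings) is easier to reason about with a runnable model. The following is an added example written for this page; it is not code from Cacti, Weaver, or client_golang, and it deliberately avoids the Prometheus library so it runs on the standard library alone. `MethodCounter`, `Flood` and the `standardMethods` set are constructed for the illustration. The unsanitized counter keys one series per verbatim request method, so a client sending a new method token on every request grows the map (and the process's memory) without limit; the hardened counter restricts the label to the standard methods and folds everything else into a single "unknown" bucket, which is the general mitigation for this class of label-cardinality DoS. For the real dependency the fix is to move github.com/prometheus/client_golang to 1.11.1 or later, the first release the advisory lists as patched.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// standardMethods is the closed label set the hardened counter accepts.
// Every other method string is folded into a single "unknown" bucket, so the
// number of label values an attacker can create is fixed in advance.
// (Constructed for this example; the real promhttp set may differ.)
var standardMethods = map[string]bool{
	"GET": true, "HEAD": true, "POST": true, "PUT": true, "DELETE": true,
	"CONNECT": true, "OPTIONS": true, "TRACE": true, "PATCH": true,
}

// MethodCounter is a minimal stand-in for a request counter keyed by a
// "method" label. With sanitize=false the label is taken verbatim from the
// request, which is the unbounded-cardinality behaviour the advisory describes;
// with sanitize=true the label is restricted to standardMethods.
type MethodCounter struct {
	mu       sync.Mutex
	counts   map[string]int
	sanitize bool
}

func NewMethodCounter(sanitize bool) *MethodCounter {
	return &MethodCounter{counts: make(map[string]int), sanitize: sanitize}
}

// label returns the method label the counter will use for a request.
func (c *MethodCounter) label(method string) string {
	if !c.sanitize || standardMethods[method] {
		return method
	}
	return "unknown"
}

// Instrument wraps next and increments the per-method counter on every request.
func (c *MethodCounter) Instrument(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c.mu.Lock()
		c.counts[c.label(r.Method)]++
		c.mu.Unlock()
		next.ServeHTTP(w, r)
	})
}

// Series returns how many distinct label values (time series) exist so far.
func (c *MethodCounter) Series() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return len(c.counts)
}

// Count returns the request count recorded under one label value.
func (c *MethodCounter) Count(label string) int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return c.counts[label]
}

// Flood drives n requests through the instrumented handler, each carrying a
// constructed, distinct, non-standard but syntactically valid method token
// (M0, M1, ...), and returns the number of series afterwards. This models the
// client-controlled input an attacker would send.
func Flood(c *MethodCounter, n int) int {
	h := c.Instrument(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	for i := 0; i < n; i++ {
		req := httptest.NewRequest(fmt.Sprintf("M%d", i), "/metrics", nil)
		h.ServeHTTP(httptest.NewRecorder(), req)
	}
	return c.Series()
}

func main() {
	fmt.Println("unsanitized series after 1000 odd methods:", Flood(NewMethodCounter(false), 1000))
	fmt.Println("sanitized series after 1000 odd methods:  ", Flood(NewMethodCounter(true), 1000))
}
```

Running it prints 1000 series for the unsanitized counter and 1 for the hardened one; the same request volume that is harmless with a bounded label set becomes a memory-exhaustion vector when the label is attacker-controlled. The check to apply to your own instrumentation is the same: every label value must come from a closed set the server chooses, never from a request field copied verbatim.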

github-actions[bot] commented 9 months ago

This PR/issue depends on: