kubernetes / client-go

Go client for Kubernetes.
Apache License 2.0
8.79k stars 2.91k forks

PRISMA-2022-0227: Go-restful v3.9.0 is vulnerable to Authentication Bypass #1254

Closed rmorelnetapps closed 1 year ago

rmorelnetapps commented 1 year ago

PRISMA-2022-0227: emicklei/go-restful/v3 module prior to v3.10.0 is vulnerable to Authentication Bypass by Primary Weakness. There is an inconsistency in how go-restful parses URL paths. This inconsistency could lead to several security check bypasses in a complex system.

Is it on the roadmap to fix it?

liggitt commented 1 year ago

The Kubernetes server does not use go-restful CORS matching, so is unaffected by that vulnerability.

Further, client-go doesn't make use of this module at all, so no vulnerabilities in that component are relevant to client-go users.

Separately, updates to the latest version of this module in kubernetes generally are blocked on incompatibilities in the latest version - see https://github.com/kubernetes/kubernetes/pull/115067

/close
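The reply above rests on a dependency-graph fact: whether a module actually pulls in `github.com/emicklei/go-restful/v3`, and at which version. The following is an added example, not code from this thread or from client-go, that checks that for your own module: it reads `go list -m all` output and flags any go-restful/v3 version below v3.10.0, the range the report names as affected. The sample module listings embedded below are constructed for the demo, not taken from a real project.

```shell
# Added example (not from the issue thread or from client-go): scan a Go
# module graph for github.com/emicklei/go-restful/v3 below v3.10.0.
#
# Usage in a real project:   go list -m all | check_go_restful
# Exit status: 0 when no affected version is present, 1 when one is found.

check_go_restful() {
    found=0
    # `go list -m all` prints "path version" per line; the main module has no
    # version, and replaced modules print "path version => newpath newversion".
    while read -r mod ver arrow rmod rver; do
        [ "$mod" = "github.com/emicklei/go-restful/v3" ] || continue
        if [ "$arrow" = "=>" ]; then
            if [ -z "$rver" ]; then
                echo "UNKNOWN: $mod replaced by local path $rmod, check it manually"
                continue
            fi
            ver=$rver          # the replacement's version is the one that builds
        fi
        [ -n "$ver" ] || continue
        if is_before_3_10_0 "$ver"; then
            echo "AFFECTED: $mod $ver (fixed in v3.10.0)"
            found=1
        else
            echo "OK: $mod $ver"
        fi
    done
    return $found
}

# Returns 0 when the Go module version string is older than v3.10.0.
is_before_3_10_0() {
    v=${1#v}
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    rest=${rest#*.}
    patch=${rest%%[!0-9]*}
    case "$v" in
        *-*) pre=1 ;;   # pre-release or pseudo-version, e.g. v3.10.0-rc.1
        *)   pre=0 ;;
    esac
    [ "$major" -lt 3 ] && return 0
    [ "$major" -gt 3 ] && return 1
    [ "$minor" -lt 10 ] && return 0
    [ "$minor" -gt 10 ] && return 1
    # minor == 10: only a pre-release of 3.10.0 sorts before the fixed release
    [ "$patch" -eq 0 ] && [ "$pre" -eq 1 ] && return 0
    return 1
}

# Constructed sample `go list -m all` listings (not from a real project).
SAMPLE_AFFECTED='example.com/myapp
github.com/emicklei/go-restful/v3 v3.9.0
k8s.io/client-go v0.27.2'

SAMPLE_PRERELEASE='example.com/myapp
github.com/emicklei/go-restful/v3 v3.10.0-rc.1'

SAMPLE_REPLACED='example.com/myapp
github.com/emicklei/go-restful/v3 v3.9.0 => github.com/emicklei/go-restful/v3 v3.10.2'

SAMPLE_CLEAN='example.com/myapp
k8s.io/client-go v0.27.2'

# Feed one embedded listing to the checker (stand-in for `go list -m all`).
scan() { printf '%s\n' "$1" | check_go_restful; }

scan "$SAMPLE_AFFECTED" || echo "-> affected version found in sample"
```

Replace directives in go.mod are honoured by taking the version after `=>`; a local-path replacement has no version, so the checker reports it as unknown rather than guessing. A module that does not list go-restful at all, as liggitt states for client-go, simply produces no output and exits 0.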

k8s-ci-robot commented 1 year ago

@liggitt: Closing this issue.

In response to [this](https://github.com/kubernetes/client-go/issues/1254#issuecomment-1549999313):

>The Kubernetes server does not use go-restful CORS matching, so is unaffected by that vulnerability.
>
>Further, client-go doesn't make use of this module at all, so no vulnerabilities in that component are relevant to client-go users.
>
>Separately, updates to the latest version of this module in kubernetes generally are blocked on incompatibilities in the latest version - see https://github.com/kubernetes/kubernetes/pull/115067
>
>/close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.