Closed rmorelnetapps closed 1 year ago
The Kubernetes server does not use go-restful CORS matching, so is unaffected by that vulnerability.
Further, client-go doesn't make use of this module at all, so no vulnerabilities in that component are relevant to client-go users.
Separately, updates to the latest version of this module in kubernetes generally are blocked on incompatibilities in the latest version - see https://github.com/kubernetes/kubernetes/pull/115067
/close
@liggitt: Closing this issue.
PRISMA-2022-0227: emicklei/go-restful/v3 module prior to v3.10.0 is vulnerable to Authentication Bypass by Primary Weakness. There is an inconsistency in how go-restful parses URL paths. This inconsistency could lead to several security check bypasses in a complex system.
Is it on the roadmap to fix it?