Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(weaver): uncontrolled Resource Consumption in promhttp CVE-2022-21698 #2918

Open
petermetz opened this issue Dec 6, 2023 · 1 comment
Open

fix(weaver): uncontrolled Resource Consumption in promhttp CVE-2022-21698 #2918

petermetz opened this issue Dec 6, 2023 · 1 comment
Labels
bug Something isn't working dependent P2 Priority 2: High Security Related to existing or potential security vulnerabilities Weaver Tasks related to the future of Cactus & Weaver together.
Milestone
vT.B.D

Comments

@petermetz
Copy link
Contributor

petermetz commented Dec 6, 2023
edited
Loading

  1. Fix the vulnerability: Uncontrolled Resource Consumption in promhttp - \
    1. https://github.com/hyperledger/cacti/security/dependabot/595

github.com/prometheus/client_golang (Go) · weaver/samples/fabric/go-cli/go.mod
Dependabot encountered the following error:
go: github.com/hyperledger/cacti/weaver/common/[email protected]:
reading github.com/hyperledger/cacti/weaver/common/protos-go/go.mod
at revision weaver/common/protos-go/v1.5.4: unknown revision weaver/common/protos-go/v1.5.4

Impact
HTTP server susceptible to a Denial of Service through unbounded cardinality,
and potential memory exhaustion, when handling requests with non-standard HTTP methods.

Weaknesses

  • WeaknessCWE-400
  • WeaknessCWE-772
    CVE ID
  • CVE-2022-21698
    GHSA ID
  • GHSA-cg3q-j54f-5p7p

cc: @VRamakrishna @sandeepnRES

Depends on hyperledger/fabric-sdk-go#284
@petermetz petermetz added bug Something isn't working Security Related to existing or potential security vulnerabilities P2 Priority 2: High Weaver Tasks related to the future of Cactus & Weaver together. labels Dec 6, 2023
@petermetz petermetz added this to the vT.B.D milestone Dec 6, 2023
@petermetz petermetz mentioned this issue Dec 6, 2023
Open
@github-actions GitHub Actions
Copy link

github-actions bot commented Dec 6, 2023

This PR/issue depends on:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working dependent P2 Priority 2: High Security Related to existing or potential security vulnerabilities Weaver Tasks related to the future of Cactus & Weaver together.
Projects
None yet
Milestone
vT.B.D
Development

No branches or pull requests
1 participant
@petermetz