Bugzilla – Bug 1200528
VUL-0: CVE-2022-1996: go-restful: CORS bypass
Last modified: 2024-03-07 12:30:21 UTC
rh#2094982 Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0. https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1 https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10 References: https://bugzilla.redhat.com/show_bug.cgi?id=2094982 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1996 https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1996 https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1
There are a lot of Go packages embedding this library and containing the affected code. The ones that I could find: - SUSE:SLE-12:Update/containerd - openSUSE:Factory/containerd - SUSE:SLE-15-SP2:Update/containerized-data-importer - SUSE:SLE-15-SP3:Update/containerized-data-importer - SUSE:SLE-15-SP4:Update/containerized-data-importer - openSUSE:Factory/containerized-data-importer - SUSE:SLE-15-SP1:Update:Products:CASP40:Update/cri-o - openSUSE:Factory/cri-o - openSUSE:Leap:15.3/cri-o - openSUSE:Leap:15.4/cri-o - SUSE:SLE-15-SP1:Update:Products:CASP40:Update/helm3 - SUSE:SLE-12:Update/kubernetes - SUSE:SLE-15-SP1:Update:Products:CASP40:Update/kubernetes - openSUSE:Backports:SLE-15-SP3/flannel - openSUSE:Backports:SLE-15-SP4/flannel - SUSE:SLE-15:Update/aws-iam-authenticator - SUSE:SLE-15-SP1:Update:Products:CASP40:Update/skuba - SUSE:SLE-15-SP1:Update:Products:SES6:Update/rook - SUSE:SLE-15-SP2:Update:Products:SES7:Update/rook - openSUSE:Backports:SLE-15-SP3/ceph-csi - SUSE:SLE-15-SP2:Update/terraform-provider-kubernetes - SUSE:SLE-15-SP1:Update/terraform-provider-helm - SUSE:SLE-15-SP2:Update/terraform-provider-helm
Public Cloud team will take responsibility for aws-iam-authenticator terraform-provider-kubernetes terraform-provider-helm All other packages need to be distributed to other teams.
I will investigate it
`containerized-data-importer` is not affected. The vulnerable code is not used and eventually it is not linked into the binaries. Also `kubevirt` package depends on `go-restful`. It is not affected either (the code is not used).
(In reply to Vasily Ulyanov from comment #5) > `containerized-data-importer` is not affected. The vulnerable code is not > used and eventually it is not linked into the binaries. Also `kubevirt` > package depends on `go-restful`. It is not affected either (the code is not > used). Thanks, I've updated the tracking
This is an autogenerated message for OBS integration: This bug (1200528) was mentioned in https://build.opensuse.org/request/show/994401 Factory / helm
SUSE-SU-2022:3321-1: An update that solves three vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 1199392,1199460,1199603,1200528,1202516 CVE References: CVE-2022-1798,CVE-2022-1996,CVE-2022-29162 JIRA References: Sources used: openSUSE Leap 15.3 (src): kubevirt-0.49.0-150300.8.13.1 SUSE Linux Enterprise Module for Containers 15-SP3 (src): kubevirt-0.49.0-150300.8.13.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3335-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1200528 CVE References: CVE-2022-1996 JIRA References: Sources used: openSUSE Leap 15.3 (src): containerized-data-importer-1.43.2-150300.8.9.3 SUSE Linux Enterprise Module for Containers 15-SP3 (src): containerized-data-importer-1.43.2-150300.8.9.3 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3333-1: An update that solves three vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 1199392,1199460,1199603,1200528,1202516 CVE References: CVE-2022-1798,CVE-2022-1996,CVE-2022-29162 JIRA References: Sources used: openSUSE Leap 15.4 (src): kubevirt-0.54.0-150400.3.3.2 SUSE Linux Enterprise Module for Containers 15-SP4 (src): kubevirt-0.54.0-150400.3.3.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3334-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1200528 CVE References: CVE-2022-1996 JIRA References: Sources used: openSUSE Leap 15.4 (src): containerized-data-importer-1.51.0-150400.4.3.1 SUSE Linux Enterprise Module for Containers 15-SP4 (src): containerized-data-importer-1.51.0-150400.4.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3666-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1200528,1203054 CVE References: CVE-2022-1996,CVE-2022-36055 JIRA References: Sources used: openSUSE Leap 15.4 (src): helm-3.9.4-150000.1.10.3 openSUSE Leap 15.3 (src): helm-3.9.4-150000.1.10.3 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src): helm-3.9.4-150000.1.10.3 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src): helm-3.9.4-150000.1.10.3 SUSE Linux Enterprise Module for Containers 15-SP4 (src): helm-3.9.4-150000.1.10.3 SUSE Linux Enterprise Module for Containers 15-SP3 (src): helm-3.9.4-150000.1.10.3 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Any updates, please? We are still missing fixes for the following: - SUSE:SLE-15-SP1:Update:Products:CASP40:Update/cri-o - SUSE:SLE-15-SP1:Update:Products:CASP40:Update/helm3 - SUSE:SLE-12:Update/kubernetes - SUSE:SLE-15-SP1:Update:Products:CASP40:Update/kubernetes - SUSE:SLE-15-SP1:Update:Products:CASP40:Update/skuba - SUSE:SLE-15:Update/aws-iam-authenticator - SUSE:SLE-15-SP1:Update/terraform-provider-helm - SUSE:SLE-15-SP2:Update/terraform-provider-helm - SUSE:SLE-15-SP1:Update/terraform-provider-kubernetes - SUSE:SLE-15-SP2:Update/terraform-provider-kubernetes
This is an autogenerated message for OBS integration: This bug (1200528) was mentioned in https://build.opensuse.org/request/show/1066971 Backports:SLE-15-SP4 / helm
Package submitted: https://build.suse.de/request/show/294215
SUSE-SU-2023:2002-1: An update that solves one vulnerability can now be installed. Category: security (critical) Bug References: 1200528 CVE References: CVE-2022-1996 Sources used: SUSE CaaS Platform 4.0 (src): helm-2.16.12-150100.3.17.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4727-1: An update that solves one vulnerability can now be installed. Category: security (important) Bug References: 1200528 CVE References: CVE-2022-1996 Sources used: openSUSE Leap Micro 5.3 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1 openSUSE Leap Micro 5.4 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1 openSUSE Leap 15.4 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1 openSUSE Leap 15.5 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1 SUSE Linux Enterprise Micro for Rancher 5.3 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1 SUSE Linux Enterprise Micro 5.3 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1 SUSE Linux Enterprise Micro for Rancher 5.4 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1 SUSE Linux Enterprise Micro 5.4 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1 SUSE Linux Enterprise Micro 5.5 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1 Containers Module 15-SP4 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1 Containers Module 15-SP5 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1 SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): catatonit-0.2.0-150000.3.6.1, containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1 SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): catatonit-0.2.0-150000.3.6.1, containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1 SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): catatonit-0.2.0-150000.3.6.1, containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1 SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): catatonit-0.2.0-150000.3.6.1, containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): catatonit-0.2.0-150000.3.6.1, containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): catatonit-0.2.0-150000.3.6.1, containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1 SUSE Enterprise Storage 7.1 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1 SUSE CaaS Platform 4.0 (src): catatonit-0.2.0-150000.3.6.1, containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1 SUSE Linux Enterprise Micro 5.1 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1 SUSE Linux Enterprise Micro 5.2 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1 SUSE Linux Enterprise Micro for Rancher 5.2 (src): containerd-1.7.8-150000.103.1, runc-1.1.10-150000.55.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:0799-1: An update that solves one vulnerability can now be installed. Category: security (critical) Bug References: 1200528 CVE References: CVE-2022-1996 Sources used: Containers Module 12 (src): containerd-1.7.8-16.91.7 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.