
Security - PRISMA-2022-0227 - High Sev - emicklei/go-restful/v3 module prior to v3.10.0 is vulnerable #521

Closed
YolandaZhang369369 opened this issue Feb 6, 2023 · 3 comments

Comments

@YolandaZhang369369

Description:
github.com/emicklei/go-restful/v3 module prior to v3.10.0 is vulnerable to Authentication Bypass by Primary Weakness. There is an inconsistency in how go-restful parses URL paths. This inconsistency could lead to several security check bypasses in a complex system.

Severity:
High

CVE:
PRISMA-2022-0227

Hi There,
The above High Severity issue is blocking our product release; could you please generate a fix in v3.10.0 as soon as possible, by the end of Feb. 2023? Thanks a lot!
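The inconsistency the report describes comes down to how a service root path and a route sub-path are merged before routing and before any path-based security check runs (the commits referenced later on this issue mention a MergePathStrategy and joining slash fragments with the path package). The Go program below is an added illustration written for this page, not go-restful's own code: it contrasts a naive string concatenation with a path.Join-based merge and shows how a prefix-based authorization check that sees one form can reach a different conclusion than a router that sees the other. The names ConcatStrategy, JoinStrategy, MergePath, IsProtected and Disagrees, and the root/sub-path pairs, are hypothetical.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// MergeStrategy selects how a service root path and a route sub-path are
// combined. Both variants are hypothetical illustrations for this page; they
// are not go-restful's own MergePathStrategy implementations.
type MergeStrategy int

const (
	// ConcatStrategy glues the two fragments together exactly as given.
	ConcatStrategy MergeStrategy = iota
	// JoinStrategy normalizes with the standard library path package, which
	// collapses repeated slashes and drops a trailing slash.
	JoinStrategy
)

// MergePath combines root and sub according to the chosen strategy.
func MergePath(s MergeStrategy, root, sub string) string {
	switch s {
	case JoinStrategy:
		// path.Join always yields a clean, single-slash-separated path.
		return path.Join("/", root, sub)
	default:
		return root + sub
	}
}

// IsProtected is a stand-in for an authorization check that guards every
// route under protectedPrefix by plain string comparison. A check of this
// shape is only safe when it sees the same canonical path the router sees.
func IsProtected(merged, protectedPrefix string) bool {
	return merged == strings.TrimSuffix(protectedPrefix, "/") ||
		strings.HasPrefix(merged, protectedPrefix)
}

// Disagrees reports whether the two strategies reach different conclusions
// about whether a route falls under protectedPrefix. That is exactly the
// kind of inconsistency that lets one component treat a path as public while
// another serves it as a protected resource.
func Disagrees(root, sub, protectedPrefix string) bool {
	byConcat := IsProtected(MergePath(ConcatStrategy, root, sub), protectedPrefix)
	byJoin := IsProtected(MergePath(JoinStrategy, root, sub), protectedPrefix)
	return byConcat != byJoin
}

func main() {
	// Constructed root/sub pairs that differ only in where the slashes sit.
	pairs := [][2]string{
		{"/admin/", "/users"},
		{"/admin", "users"},
		{"/admin/", "users/"},
		{"/admin", "/users"},
	}
	for _, p := range pairs {
		fmt.Printf("%-10q + %-9q concat=%-16q join=%-14q disagree=%v\n",
			p[0], p[1],
			MergePath(ConcatStrategy, p[0], p[1]),
			MergePath(JoinStrategy, p[0], p[1]),
			Disagrees(p[0], p[1], "/admin/"))
	}
}
```

The defensive takeaway is that a router and every filter or middleware that makes decisions on the request path must share one canonicalization step; the pair `"/admin" + "users"` is the one where the two strategies disagree, because concatenation yields `/adminusers` while the join yields `/admin/users`.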

@emicklei
Owner

emicklei commented Feb 8, 2023

@YolandaZhang369369 are you aware that there is a new release v3.10.1 that fixes this issue?

emicklei added a commit that referenced this issue Feb 28, 2023
emicklei added a commit that referenced this issue Mar 9, 2023
* introduce MergePathStrategy for #521 #519

* update readme, set default to new strategy, add extra test

* link to security issue
emicklei added a commit that referenced this issue Aug 5, 2023
* allow multiple samples for Write, issue #514

* update changelog

* chore: example handling request parameters with httpin (#518)

* use path package to join slash fragments #519 (#520)

* update hist

* update example openapi to use 3.10.1

* Add test for client request with and without trailing slash. (#522)

* Add test for client request with and without trailing slash.

* Correction.

* introduce MergePathStrategy

* Revert "introduce MergePathStrategy"

This reverts commit 709cf80.

* introduce MergePathStrategy for #521 #519 (#523)

* introduce MergePathStrategy for #521 #519

* update readme, set default to new strategy, add extra test

* link to security issue

* update change hist

* add hello world with TrimSlashStrategy

* two route example

* examples to show differences #519

* more route examples #519

* add examples for issue519 with path in root

* remove obsolete swagger example

* Update README.md

remove swagger12 mention

* allow multiple samples for Write, issue #514

---------

Co-authored-by: Ggicci <ggicci.t@gmail.com>
Co-authored-by: Gerrit <Gerrit91@users.noreply.github.com>
@emicklei
Owner

See #519 (comment)

@emicklei
Owner

fixed in 3.11.0 and v4.0.0 (upcoming)
