"Uncontrolled Resource Consumption in promhttp (CVE-2022-21698)" #1513
aldousalvarez started this conversation in General

Hello, Good Day. We are trying to implement a Docker vulnerability scan using Quorum v22.7.0 as an image and detected "Uncontrolled Resource Consumption in promhttp (CVE-2022-21698)". As per investigation, the package that is affected is prometheus/client_golang from the go.mod file. The package that uses prometheus/client_golang is prometheus/tsdb v0.7.1, which has already been migrated to the prometheus repository with the latest tsdb v0.10.0 and uses the newer version of prometheus/client_golang. Based on the resolution mentioned in vulnerability CVE-2022-21698 GHSA-cg3q-j54f-5p7p, a version bump is needed (v1.11.1 release of client_golang) to address the issue. I would also like to ask if there is a roadmap to update the golang version or tsdb, or whether any similar issues have been encountered that would fix the vulnerability.

Replies: 2 comments

- GoQuorum does not implement a prometheus server and does not use

- Noted on this one. Thanks for the update!
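The mechanism behind the CVE the original post asks about, shown as an added example that is not code from GoQuorum, prometheus/tsdb or client_golang: the promhttp handler instrumentation put the request's HTTP method straight into the "method" label, so every distinct method token a client sends creates a new time series, and memory grows with the attacker's request count. The `sanitizeMethod` below is modelled on the approach of the fixed release (known methods lower-cased, anything else collapsed to "unknown", with an optional extra allow-list); it is my reimplementation, not the library's code, and `counterVec` is a stand-in for a Prometheus CounterVec that only tracks the number of distinct series. Method names such as `X-EVIL-0` are constructed input.

```go
package main

import (
	"fmt"
	"strings"
)

// knownMethods is the bounded allow-list; anything not in it becomes "unknown",
// so the "method" label can take at most len(knownMethods)+1 distinct values.
var knownMethods = []string{
	"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH",
}

// sanitizeMethod bounds the "method" label value. Modelled on the fixed
// behaviour (known or explicitly allowed methods lower-cased, others -> "unknown");
// this is example code, not client_golang's own implementation.
func sanitizeMethod(m string, extraMethods ...string) string {
	for _, k := range knownMethods {
		if strings.EqualFold(m, k) {
			return strings.ToLower(m)
		}
	}
	for _, e := range extraMethods {
		if strings.EqualFold(m, e) {
			return strings.ToLower(m)
		}
	}
	return "unknown"
}

// counterVec stands in for a Prometheus CounterVec: one series per distinct label value.
type counterVec struct {
	series map[string]int
}

func newCounterVec() *counterVec { return &counterVec{series: map[string]int{}} }

func (c *counterVec) inc(methodLabel string) { c.series[methodLabel]++ }

// seriesCount is the number of distinct series held in memory.
func (c *counterVec) seriesCount() int { return len(c.series) }

// serve simulates an instrumented handler receiving requests with the given methods
// and returns how many series the counter ends up holding. With sanitize=false the
// raw, attacker-controlled method token becomes the label value (the vulnerable pattern).
func serve(methods []string, sanitize bool) int {
	vec := newCounterVec()
	for _, m := range methods {
		label := m
		if sanitize {
			label = sanitizeMethod(m)
		}
		vec.inc(label)
	}
	return vec.seriesCount()
}

// attackMethods builds two normal methods plus n distinct, syntactically valid
// HTTP method tokens (constructed input; Go's net/http accepts any token as a method).
func attackMethods(n int) []string {
	out := make([]string, 0, n+2)
	out = append(out, "GET", "POST")
	for i := 0; i < n; i++ {
		out = append(out, fmt.Sprintf("X-EVIL-%d", i))
	}
	return out
}

func main() {
	reqs := attackMethods(10000)
	fmt.Printf("unsanitized label: %d series\n", serve(reqs, false))
	fmt.Printf("sanitized label:   %d series\n", serve(reqs, true))
}
```

The scanner finding in the thread is keyed on the go.mod version, not on whether this code path is reachable; the first reply's point is that GoQuorum does not expose the instrumented HTTP server, so the bounded-label fix only matters for binaries that actually serve promhttp-instrumented handlers to untrusted clients.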