"Uncontrolled Resource Consumption in promhttp (CVE-2022-21698)" #1513
aldousalvarez
started this conversation in
General
Replies: 2 comments

Hello, Good Day. We are trying to implement a docker vulnerability scan using Quorum v22.7.0 as an image and detected "Uncontrolled Resource Consumption in promhttp (CVE-2022-21698)". As per our investigation, the package that is affected is prometheus/client_golang from the go.mod file. The package that uses prometheus/client_golang is prometheus/tsdb v0.7.1, which has already been migrated to the prometheus repository with the latest tsdb v0.10.0 and uses the newer version of prometheus/client_golang. Based on the resolution mentioned in vulnerability CVE-2022-21698 GHSA-cg3q-j54f-5p7p, a version bump is needed (v1.11.1 release of client_golang) to address the issue.

I would also just like to ask if there is a roadmap to update the golang version or tsdb, or whether there are any same issues encountered that would fix the vulnerability.

- GoQuorum does not implement a prometheus server and does not use
- Noted on this one. Thanks for the update!
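A way to verify the version bump the original post asks about, added here as an example and not code from GoQuorum or from anyone in this thread: it parses the `require` directives of a go.mod (the fragment below is constructed, with invented module versions) and reports whether github.com/prometheus/client_golang is pinned below v1.11.1, the release the post cites from GHSA-cg3q-j54f-5p7p as the fix. The function and constant names are the example's own. It also handles pseudo-versions (v1.11.1-0.2022…), which are pre-releases of the base version and therefore still older than the fix.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed go.mod fragment for the example; it is NOT GoQuorum's real
// go.mod and the module versions are invented.
const sampleGoMod = `module example.com/node

go 1.18

require (
	github.com/prometheus/client_golang v1.4.1
	github.com/prometheus/tsdb v0.7.1
	github.com/stretchr/testify v1.7.0 // indirect
)

require golang.org/x/sys v0.0.0-20220101000000-abcdef123456 // indirect
`

// The affected module and the first fixed release named in the advisory
// the post cites (GHSA-cg3q-j54f-5p7p / CVE-2022-21698).
const (
	vulnModule   = "github.com/prometheus/client_golang"
	fixedVersion = "v1.11.1"
)

// RequiredVersions parses the require directives of a go.mod, in both
// single-line and block form, and returns module path -> version.
// Trailing comments such as "// indirect" are ignored.
func RequiredVersions(goMod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if f := strings.Fields(line); len(f) == 2 {
				out[f[0]] = f[1]
			}
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) == 3 {
				out[f[1]] = f[2]
			}
		}
	}
	return out
}

// parseSemver splits "v1.11.1" or a pseudo-version like
// "v1.11.1-0.20220101000000-abcdef123456" into its numeric components and
// reports whether a pre-release suffix was present.
func parseSemver(v string) (n [3]int, pre bool, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		pre = v[i] == '-'
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return n, pre, false
	}
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil {
			return n, pre, false
		}
		n[i] = x
	}
	return n, pre, true
}

// OlderThan reports whether module version a sorts before version b.
// A pre-release of b (e.g. a pseudo-version based on b) counts as older.
func OlderThan(a, b string) bool {
	na, preA, okA := parseSemver(a)
	nb, preB, okB := parseSemver(b)
	if !okA || !okB {
		return false
	}
	for i := 0; i < 3; i++ {
		if na[i] != nb[i] {
			return na[i] < nb[i]
		}
	}
	return preA && !preB
}

// Vulnerable reports whether the go.mod pins client_golang below the fixed
// release, and returns the version it found ("" if the module is absent).
func Vulnerable(goMod string) (bool, string) {
	v, ok := RequiredVersions(goMod)[vulnModule]
	if !ok {
		return false, ""
	}
	return OlderThan(v, fixedVersion), v
}

func main() {
	vuln, v := Vulnerable(sampleGoMod)
	fmt.Printf("%s %s: below fixed release %s = %v\n", vulnModule, v, fixedVersion, vuln)
}
```

Two caveats when using a check like this on a real module. First, go.mod is only authoritative for the selected version after `go mod tidy` on a module with `go 1.17` or later; for older modules the version actually built is the one `go list -m all` reports, because minimal version selection can pick a newer client_golang required by a transitive dependency such as tsdb. Second, this is a dependency-presence check, not an exploitability verdict: the advisory concerns promhttp, and as the first reply above points out, a binary can depend on client_golang without ever exposing a Prometheus HTTP endpoint.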