go-restful 访问控制问题漏洞（CVE-2022-1996）

admin

0
文章

0
评论

2023-11-30 07:29:54 Ali_nvd 来源：ZONE.CI 全球网 0 阅读模式

中危 go-restful 访问控制问题漏洞（CVE-2022-1996）

CVE编号

CVE-2022-1996

利用情况

暂无

补丁情况

没有补丁

披露时间

2022-06-08

漏洞描述

go-restful是使用 Google Go 构建 REST 风格的 Web 服务的包。 go-restful v3.8.0及之前版本存在访问控制问题漏洞，该漏洞源于通过 go-restful 中的用户控制密钥可以绕过授权。

解决建议

目前厂商暂未发布修复措施解决此安全问题，建议用户随时关注厂商主页或参考网址以获取解决办法：https://github.com/emicklei/go-restful

参考链接
https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925...
https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://security.netapp.com/advisory/ntap-20220923-0005/

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	go-restful_project	go-restful	*		Up to (excluding) 3.8.0
	运行在以下环境
	系统	alpine_3.18	gitlab-runner	*		Up to (excluding) 15.10.0-r0
	运行在以下环境
	系统	alpine_edge	gitlab-runner	*		Up to (excluding) 15.10.0-r0
	运行在以下环境
	系统	amazon_2022	golist	*		Up to (excluding) 2.0.2-20.amzn2022
	运行在以下环境
	系统	debian_10	golang-github-emicklei-go-restful	*		Up to (including) 2.4.0-2
	运行在以下环境
	系统	debian_11	golang-github-emicklei-go-restful	*		Up to (including) 2.11.1-2
	运行在以下环境
	系统	debian_12	golang-github-emicklei-go-restful	*		Up to (excluding) 3.10.2-1
	运行在以下环境
	系统	debian_9	golang-github-emicklei-go-restful	*		Up to (including) 1.2-1
	运行在以下环境
	系统	debian_sid	golang-github-emicklei-go-restful	*		Up to (excluding) 3.10.2-1
	运行在以下环境
	系统	fedora_35	fzf-debuginfo	*		Up to (excluding) 3.8.0-1.fc35
	运行在以下环境
	系统	fedora_36	apptainer	*		Up to (excluding) 3.8.0-1.fc36
	运行在以下环境
	系统	fedora_37	grafana-debuginfo	*		Up to (excluding) 5.0.0-1.fc37
	运行在以下环境
	系统	fedora_38	golang-etcd-devel	*		Up to (excluding) 2.8.1-2.20220821gitbc6b745.fc38
	运行在以下环境
	系统	fedora_39	helm	*		Up to (excluding) 3.11.1-1.fc39
	运行在以下环境
	系统	fedora_40	chisel-debuginfo	*		Up to (excluding) 1.9.0-1.fc40
	运行在以下环境
	系统	fedora_EPEL_9	caddy-debugsource	*		Up to (excluding) 2.4.6-3.el9
	运行在以下环境
	系统	opensuse_Leap_15.3	trivy	*		Up to (excluding) 1.43.2-150300.8.9.3
	运行在以下环境
	系统	opensuse_Leap_15.4	trivy	*		Up to (excluding) 1.51.0-150400.4.3.1