CVE-2018-17847 (High) detected in github.com/kubernetes-sigs/controller-runtime-v0.1.10, github.com/coreos/prometheus-operator-v0.26.0

[mend-bolt-for-github]

CVE-2018-17847 - High Severity Vulnerability

Vulnerable Libraries - github.com/kubernetes-sigs/controller-runtime-v0.1.10, github.com/coreos/prometheus-operator-v0.26.0

github.com/kubernetes-sigs/controller-runtime-v0.1.10

Repo for the controller-runtime subproject of kubebuilder (sig-apimachinery)

Dependency Hierarchy:

• ❌ github.com/kubernetes-sigs/controller-runtime-v0.1.10 (Vulnerable Library)

github.com/coreos/prometheus-operator-v0.26.0

Prometheus Operator creates/configures/manages Prometheus clusters atop Kubernetes

Dependency Hierarchy:

• github.com/operator-framework/operator-sdk-e3225a40338e66e694de23d523e271db43ff0520 (Root Library)
  • ❌ github.com/coreos/prometheus-operator-v0.26.0 (Vulnerable Library)

Found in HEAD commit: 529bd4477562304d2b7ce7774b0f2acd4b189154

Found in base branch: master

Vulnerability Details

The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to a "panic: runtime error" (index out of range) in (*nodeStack).pop in node.go, called from (*parser).clearActiveFormattingElements, during an html.Parse call.

Publish Date: 2018-10-01

URL: CVE-2018-17847

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-17847

Release Date: 2018-10-01

Fix Resolution: golang-golang-x-net-dev - 1:0.0+git20181201.351d144+dfsg-3

---

Step up your Open Source Security Game with Mend here