Details
- Improvement
- Resolution: Fixed
- Major
- 3.0
- Security Level: Public
- CVE-2022-21698
- CBG Sprint 99
- 2
Description
There's a high severity security vulnerability in the client_golang library, part of the Prometheus package, which can cause excessive resource usage and a denial of service in versions prior to 1.11.1. https://nvd.nist.gov/vuln/detail/CVE-2022-21698
According to Blackduck, we use several versions in SGW 3.0.x:
1.0.0 = github.com/prometheus/client_golang:v1.0.0
1.7.1 = godeps/src/github.com/prometheus/client_golang/
1.8.0 = godeps/src/github.com/prometheus/client_golang/prometheus/promhttp/
The vulnerability requires software to use specific functionality in the library. After discussing with engineering in Slack, we don't think the affected methods are used in Sync Gateway, so it is unlikely that SGW is vulnerable.
We should look to upgrade prometheus / client_golang to prevent any unforeseen issues and false positives from security scans.
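As an added illustration (not code from this ticket, from Sync Gateway, or from client_golang itself): the public advisory for CVE-2022-21698 describes the affected functionality as the promhttp.InstrumentHandler* middleware used with a `method` label, where every unrecognised HTTP request method became a new label value, and the 1.11.1 fix bounds that label to known methods. The stdlib-only Go program below models the label cardinality before and after that change; `SanitizeMethod`, `MethodSeries`, `Cardinality` and the sample method list are this example's own constructs.

```go
package main

import (
	"fmt"
	"strings"
)

// knownMethods is the bounded set of values a "method" label may take.
// Illustration only, not client_golang's code: the 1.11.1 fix applies the
// same idea, mapping any unrecognised method to one "unknown" label value.
var knownMethods = map[string]bool{
	"get": true, "head": true, "post": true, "put": true, "delete": true,
	"connect": true, "options": true, "trace": true, "patch": true,
}

// SanitizeMethod returns a bounded label value for an HTTP request method.
func SanitizeMethod(m string) string {
	m = strings.ToLower(m)
	if knownMethods[m] {
		return m
	}
	return "unknown"
}

// MethodSeries models a counter vector keyed by the "method" label value.
// Each distinct key is one time series kept in memory for the process lifetime.
type MethodSeries map[string]int

// Observe records one request. sanitize=false mimics the pre-1.11.1
// behaviour, which only lowercased the method before using it as a label.
func (s MethodSeries) Observe(method string, sanitize bool) {
	if sanitize {
		method = SanitizeMethod(method)
	} else {
		method = strings.ToLower(method)
	}
	s[method]++
}

// Cardinality returns how many distinct series the given requests create.
func Cardinality(methods []string, sanitize bool) int {
	s := MethodSeries{}
	for _, m := range methods {
		s.Observe(m, sanitize)
	}
	return len(s)
}

func main() {
	// Constructed sample: standard methods plus arbitrary non-standard ones.
	sample := []string{"GET", "POST", "get", "FOO", "BAR", "BAZ"}
	fmt.Println("raw:", Cardinality(sample, false), "sanitized:", Cardinality(sample, true))
}
```

With the sanitizer in place the number of series stays fixed no matter how many distinct non-standard methods arrive, which is the property an upgrade to 1.11.1 or later restores.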