Description of problem: There is an security warning on the fasthttp used by consumer example code. The version of fasthttp needs to be updated. https://github.com/redhat-cne/cloud-event-proxy/security/dependabot/1 The package github.com/valyala/fasthttp before 1.34.0 is vulnerable to Directory Traversal via the ServeFile function, due to improper sanitization. It is possible to be exploited by using a backslash %5c character in the path. Note: This security issue impacts Windows users only. Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
Note that this issue does not apply to production code.
Fix merged https://github.com/redhat-cne/cloud-event-proxy/pull/103
verified by Github Dependabot.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.11.0 extras and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5070