
publicly reported security vulnerabilities #2054

Closed
dppatel99 opened this issue Apr 28, 2023 · 4 comments · Fixed by #2056
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@dppatel99

dppatel99 commented Apr 28, 2023

Hi team,

In our vulnerability scan report there are 3 HIGH and 2 CRITICAL vulnerabilities in kube-state-metrics/kube-state-metrics:2.7.0

| Component | Vulnerability | Severity | Installed Version | Latest Version | Description |
|---|---|---|---|---|---|
| golang-runtime | CVE-2023-24538 | CRITICAL | 1.19.4 | 1.20.3 | GHSA-v4m2-x4rp-hv22 |
| golang-runtime | CVE-2023-24536 | HIGH | 1.19.4 | 1.20.3 | GHSA-9f7g-gqwh-jpf5 |
| golang-runtime | CVE-2023-24534 | HIGH | 1.19.4 | 1.20.3 | GHSA-8v5j-pwr7-w5f8 |
| golang-runtime | CVE-2023-24537 | HIGH | 1.19.4 | 1.20.3 | GHSA-fp86-2355-v99r |
| etcd | CVE-2021-28235 | CRITICAL | MISSING | v3.6.0-alpha.0 | GHSA-gmph-wf7j-9gcm |

My suggestion: Golang version update to 1.20.3 should solve the problem.

@dppatel99 dppatel99 added the kind/bug Categorizes issue or PR as related to a bug. label Apr 28, 2023
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Apr 28, 2023
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If kube-state-metrics contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@RamakrishnanArun
Contributor

I did not create a Pull Request as yet, but this comparison from my fork to the main branch upstream should resolve the issues. I ran a scan after building an image locally with 1.20.3 and see no issues reported.

main...RamakrishnanArun:kube-state-metrics:security/1.20.3
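As an added example (not code from this thread or from the kube-state-metrics project), the check behind both comments above, in POSIX shell: read the Go toolchain version stamped into the binary, which is what `go version <binary>` reports and what the scan's "golang-runtime" rows are derived from, and compare it with the 1.20.3 threshold proposed as the fix. The threshold constant, the function names (`version_at_least`, `go_version_from_line`, `classify`, `check_binary`) and the sample output lines are this example's own constructions. Note that it only covers the golang-runtime findings; the etcd row in the scan is a separate dependency and is not addressed by a toolchain bump.

```shell
#!/bin/sh
# Added example (not code from the issue thread or the kube-state-metrics
# project): decide whether a Go binary was built with a toolchain at or above
# the release the thread proposes as the fix. The only real command assumed is
# `go version <binary>`, whose output looks like "/path/binary: go1.19.4".
set -eu

# Hypothetical threshold: the Go release proposed in the thread.
MIN_GO_VERSION="1.20.3"

# version_at_least A B: return 0 if dotted version A >= B, 1 otherwise.
# Field-by-field numeric compare in pure POSIX shell (no sort -V), so it
# behaves the same under BusyBox, dash and bash.
version_at_least() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        if [ "$ah" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bh" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ah="${ah:-0}"; bh="${bh:-0}"      # missing field counts as 0 (1.20 < 1.20.3)
        if [ "$ah" -gt "$bh" ]; then return 0; fi
        if [ "$ah" -lt "$bh" ]; then return 1; fi
    done
    return 0
}

# go_version_from_line LINE: print the "X.Y.Z" from the goX.Y.Z token, or
# nothing if the line carries no toolchain stamp. Accepts both
# "/kube-state-metrics: go1.19.4" and "go version go1.20.3 linux/amd64".
go_version_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*go\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# classify LINE: print "fixed", "vulnerable" or "unknown" for one output line.
classify() {
    ver="$(go_version_from_line "$1")"
    if [ -z "$ver" ]; then
        echo "unknown"
    elif version_at_least "$ver" "$MIN_GO_VERSION"; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

# check_binary PATH: run the real `go version` against a binary (for example
# one copied out of the container image), if a Go toolchain is installed.
check_binary() {
    if ! command -v go >/dev/null 2>&1; then
        echo "go toolchain not found; cannot inspect $1" >&2
        return 2
    fi
    classify "$(go version "$1")"
}

# Constructed sample lines standing in for `go version` output on the 2.7.0
# image (Go 1.19.4 per the scan) and on an image rebuilt with 1.20.3.
SAMPLE_OLD="/kube-state-metrics: go1.19.4"
SAMPLE_NEW="/kube-state-metrics: go1.20.3"

main() {
    printf '%s -> %s\n' "$SAMPLE_OLD" "$(classify "$SAMPLE_OLD")"
    printf '%s -> %s\n' "$SAMPLE_NEW" "$(classify "$SAMPLE_NEW")"
    # Optional: pass a binary path as $1 to inspect a real file.
    if [ -n "${1:-}" ]; then
        printf '%s -> %s\n' "$1" "$(check_binary "$1")"
    fi
}

main "$@"
```

Run it with no arguments to see the two constructed lines classified, or with the path of a binary extracted from the image to classify the real toolchain stamp. A "fixed" result only says the Go standard library is at or past the threshold; a scanner will still flag any module-level findings (such as the etcd row) independently.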

@RamakrishnanArun
Contributor

RamakrishnanArun commented May 1, 2023

Submitted a PR #2056 for this.
Note: this addresses the "golang-runtime" related issues.

@dppatel99
Author

Thanks!! I will be waiting for it to get merged and released.
