
CVE high security vulnerability found in image: quay.io/brancz/kube-rbac-proxy:v0.18.1 #313

Open
vasireddy99 opened this issue Oct 29, 2024 · 2 comments
Labels
not a CVE for kube-rbac-proxy It doesn't affect the kube-rbac-proxy project

Comments

@vasireddy99

vasireddy99 commented Oct 29, 2024

Team,

The kube-rbac-proxy image is vulnerable to CVE-2024-34156. In the kube-rbac-proxy workflow, the image is built using Go 1.23. It seems bumping the Go version to 1.23.1 will mitigate the issue.

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬───────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                           Title                           │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-34156 │ HIGH     │ fixed  │ 1.23.0            │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │
│         │                │          │        │                   │                │ which contains deeply nested structures...                │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴───────────────────────────────────────────────────────────┘

Use go version - ~1.23.1

@ibihim ibihim added the not a CVE for kube-rbac-proxy It doesn't affect the kube-rbac-proxy project label Nov 12, 2024
@ibihim
Collaborator

ibihim commented Nov 12, 2024

Hi @vasireddy99,

this is not true. We have a dependency that has that vulnerability, but we don't use the encoding/gob package, so we are NOT vulnerable.

I will take this as an opportunity to bump the deps soon, before people become upset that their vuln scanners report this.

@vasireddy99
Author

Hi @vasireddy99,

this is not true. We have a dependency that has that vulnerability, but we don't use the encoding/gob package, so we are NOT vulnerable.

I will take this as an opportunity to bump the deps soon, before people become upset that their vuln scanners report this.

Yes, I used govulncheck and it didn't show any vuln as affected. But it is just the scanners that report it. I agree.
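The two comments above turn on the difference between a scanner's version match and govulncheck's reachability analysis. As an added example (not code from this issue or from the kube-rbac-proxy project), the following Go program reads a binary's embedded build info with the standard debug/buildinfo package and flags a toolchain older than the fixed releases 1.22.7 and 1.23.1 listed in the scanner table; the names fixedPatch, parseGoVersion and StdlibAffected are chosen here. It reproduces only the version match, so a "true" result still says nothing about whether encoding/gob is reachable from the binary, which is the question that decided this report.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

// Patch releases that fixed CVE-2024-34156, per the scanner table above:
// go1.22.x from .7, go1.23.x from .1. Older minor lines never received a fix.
var fixedPatch = map[int]int{22: 7, 23: 1}

// parseGoVersion turns the build-info string "go1.23.0" into (23, 0).
// Pre-release and devel toolchains do not match and are reported as errors.
func parseGoVersion(v string) (minor, patch int, err error) {
	var major int
	n, err := fmt.Sscanf(v, "go%d.%d.%d", &major, &minor, &patch)
	if err != nil || n != 3 || major != 1 {
		return 0, 0, fmt.Errorf("unsupported go version %q", v)
	}
	return minor, patch, nil
}

// StdlibAffected is the version match a scanner performs: does this toolchain
// ship the unfixed encoding/gob? It says nothing about whether the binary can
// reach gob.Decoder.Decode, which is the reachability question govulncheck answers.
func StdlibAffected(goVersion string) (bool, error) {
	minor, patch, err := parseGoVersion(goVersion)
	if err != nil {
		return false, err
	}
	if fix, ok := fixedPatch[minor]; ok {
		return patch < fix, nil
	}
	return minor < 22, nil // 1.21 and older: never fixed; 1.24+: shipped after the fix
}

func main() {
	// Usage: go run main.go /path/to/go-binary (with no argument it inspects
	// itself). buildinfo reads the same embedded data "go version -m" shows.
	info, err := buildinfo.ReadFile(os.Args[len(os.Args)-1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	affected, err := StdlibAffected(info.GoVersion)
	fmt.Printf("%s: toolchain %s, unfixed encoding/gob in stdlib: %v (err=%v)\n",
		os.Args[len(os.Args)-1], info.GoVersion, affected, err)
}
```

Pointing it at the kube-rbac-proxy binary from the image reports the same 1.23.0 toolchain the scanner saw; confirming non-reachability still requires govulncheck, as the comments above describe.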
