kube-rbac-proxy
CVE high security vulnerability found in image: quay.io/brancz/kube-rbac-proxy:v0.18.1
Team,
The kube-rbac-proxy image is vulnerable to CVE-2024-34156. In the kube-rbac-proxy workflow, the image is built using Go 1.23. It seems bumping the Go version to 1.23.1 will mitigate the issue.
| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| stdlib | CVE-2024-34156 | HIGH | fixed | 1.23.0 | 1.22.7, 1.23.1 | encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures... https://avd.aquasec.com/nvd/cve-2024-34156 |
Use go version - ~1.23.1
Hi @vasireddy99,
This is not true. We have a dependency that has that vulnerability, but we don't use the `encoding/gob` package, so we are NOT vulnerable.
I will take this as an opportunity to bump the deps soon, before people become upset that their vuln scanners report this.
Yes, I used govulncheck and it didn't show any vuln as affected. But it's just the scanners that report it. I agree.
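The disagreement in this thread comes from two different questions being asked: the image scanner flags the finding because the toolchain version recorded in the binary (1.23.0) is older than the fixed release on its line (1.23.1), while govulncheck asks whether the vulnerable code in `encoding/gob` is actually reachable from the program. The following added example (not code from kube-rbac-proxy or from either scanner) reproduces both checks in miniature: `VersionFlagged` applies the version-only rule with the fixed versions from the table above, and `ImportsPackage` uses `go/parser` to check whether a source file imports the affected package at all, which is an import-level approximation of govulncheck's full call-graph analysis. The two embedded source snippets are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// parseGoVersion turns "go1.23.0", "1.23.0" or "1.23" into [major, minor, patch].
func parseGoVersion(v string) ([3]int, error) {
	var out [3]int
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("unrecognised Go version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("unrecognised Go version %q: %w", v, err)
		}
		out[i] = n
	}
	return out, nil
}

func olderThan(a, b [3]int) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// VersionFlagged applies the version-only test an image scanner uses for a
// stdlib finding: the installed toolchain is flagged when it is older than the
// fix on its own major.minor line, or, if no fix exists on that line, when it
// is older than the newest fixed release.
func VersionFlagged(installed string, fixed []string) (bool, error) {
	inst, err := parseGoVersion(installed)
	if err != nil {
		return false, err
	}
	var newest [3]int
	for _, f := range fixed {
		fv, err := parseGoVersion(f)
		if err != nil {
			return false, err
		}
		if fv[0] == inst[0] && fv[1] == inst[1] {
			return olderThan(inst, fv), nil
		}
		if olderThan(newest, fv) {
			newest = fv
		}
	}
	return olderThan(inst, newest), nil
}

// ImportsPackage reports whether the Go source in src imports pkgPath. This is
// an import-level approximation of the question govulncheck answers with a
// full call graph: a program that never links the affected package cannot
// reach the vulnerable function.
func ImportsPackage(src, pkgPath string) (bool, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "sample.go", src, parser.ImportsOnly)
	if err != nil {
		return false, err
	}
	for _, imp := range f.Imports {
		p, err := strconv.Unquote(imp.Path.Value)
		if err != nil {
			return false, err
		}
		if p == pkgPath {
			return true, nil
		}
	}
	return false, nil
}

// Constructed sample sources for the demonstration (not kube-rbac-proxy code).
const SrcUsesGob = `package main
import ("bytes"; "encoding/gob")
func main() { var b bytes.Buffer; _ = gob.NewDecoder(&b) }
`

const SrcUsesJSON = `package main
import "encoding/json"
func main() { _ = json.Valid([]byte("{}")) }
`

func main() {
	fixed := []string{"1.22.7", "1.23.1"} // fixed versions from the scanner table
	for _, v := range []string{"go1.23.0", "go1.23.1", "go1.22.7", "go1.24.0"} {
		flagged, _ := VersionFlagged(v, fixed)
		fmt.Printf("%-8s flagged by version check: %v\n", v, flagged)
	}
	for name, src := range map[string]string{"gob": SrcUsesGob, "json": SrcUsesJSON} {
		uses, _ := ImportsPackage(src, "encoding/gob")
		fmt.Printf("sample %-4s imports encoding/gob: %v\n", name, uses)
	}
}
```

Running it shows go1.23.0 flagged and go1.23.1 clear under the version rule, while only the sample that imports `encoding/gob` comes back as using the package. An import check like this is coarse (an import through a dependency is not visible in a single file, and a direct import does not prove the vulnerable function is called), which is why govulncheck's call-graph result is the one to rely on when deciding whether a scanner finding is exploitable.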
Any update on this?