metrics-server
High vulnerabilities CVE-2023-39533 found in Metrics server v0.6.4
Hi Team,
One high vulnerability, CVE-2023-39533, was found in Metrics server v0.6.4. This vulnerability is in the current Go version 1.19.11.
Along with this, 3 other medium vulnerabilities: CVE-2023-29409, CVE-2023-39319, CVE-2023-39318.
When is a release planned with the mentioned vulnerability fixes?
/triage accepted /assign @serathius
/triage accepted
Hello @dashpole, we are also seeing CVE-2023-44487 as part of the package. This requires upgrading golang to a newer patch version to pull in the latest net package.
Contributions are welcomed!
Hi @serathius,
One new critical CVE-2023-39323 was reported in the existing Go package. Could you please plan to upgrade the metrics-server version ASAP?
Thanks & Regards, Sumit Thakur
Contributions are welcomed!
Hi Team, when is a release planned for metrics server v0.6.5?
The plan is to cut v0.7.0 next: https://github.com/kubernetes-sigs/metrics-server/issues/1165
I believe https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.1 is not affected by any of these
Should we close this issue?
By the way, some of these don't seem to affect metrics-server, namely
- CVE-2023-39533 because metrics-server doesn't use libp2p
- CVE-2023-39319 because metrics-server doesn't use html/template
- CVE-2023-39318 because metrics-server doesn't use html/template
Perhaps we can use VEX in the future to communicate this to users instead
https://github.com/kubernetes-sigs/metrics-server/pull/1499
Edited: html/template does seem to come as a transitive dependency from prometheus packages, but I still think metrics-server was not affected
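As an added illustration of the VEX idea raised above (example code, not part of this thread or of the metrics-server project): the three not-affected findings are encoded as OpenVEX statements, each carrying the justification the spec requires, and a consumer-side filter shows how such a document suppresses those CVEs from a scanner report while leaving the others actionable. The product PURL, author and document id are assumptions; the justifications mirror the reasons given in the thread and are for the maintainers to confirm.

```python
"""Build an OpenVEX document for the findings in the thread and apply it to scanner output."""
import json
from datetime import datetime, timezone

PRODUCT = "pkg:golang/sigs.k8s.io/metrics-server@v0.6.4"  # assumed PURL for the product

# OpenVEX: every not_affected statement needs a justification from this fixed set.
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Reasons as stated in the thread: libp2p is not used at all; html/template is only a
# transitive dependency via prometheus packages and is never reached by metrics-server.
FINDINGS = [
    ("CVE-2023-39533", "component_not_present", "metrics-server doesn't use libp2p"),
    ("CVE-2023-39319", "vulnerable_code_not_in_execute_path", "html/template is transitive only"),
    ("CVE-2023-39318", "vulnerable_code_not_in_execute_path", "html/template is transitive only"),
]


def build_vex(findings, product=PRODUCT, author="example-author (assumed)"):
    """Return an OpenVEX document with one not_affected statement per finding."""
    statements = []
    for cve, justification, impact in findings:
        if justification not in NOT_AFFECTED_JUSTIFICATIONS:  # refuse unjustified claims
            raise ValueError(f"{cve}: invalid OpenVEX justification {justification!r}")
        statements.append({"vulnerability": {"name": cve}, "products": [{"@id": product}],
                           "status": "not_affected", "justification": justification,
                           "impact_statement": impact})
    return {"@context": "https://openvex.dev/ns/v0.2.0",
            "@id": "https://example.invalid/vex/metrics-server-v0.6.4",  # placeholder id
            "author": author, "timestamp": datetime.now(timezone.utc).isoformat(),
            "version": 1, "statements": statements}


def filter_scanner_findings(scanner_cves, vex, product=PRODUCT):
    """Drop CVEs that a VEX statement marks not_affected for this product; keep the rest."""
    suppressed = {s["vulnerability"]["name"] for s in vex["statements"]
                  if s["status"] == "not_affected"
                  and any(p["@id"] == product for p in s["products"])}
    return sorted(c for c in scanner_cves if c not in suppressed)


if __name__ == "__main__":
    doc = build_vex(FINDINGS)
    print(json.dumps(doc, indent=2))
    # Constructed scanner output listing every CVE mentioned in the thread.
    report = ["CVE-2023-39533", "CVE-2023-29409", "CVE-2023-39319",
              "CVE-2023-39318", "CVE-2023-44487", "CVE-2023-39323"]
    print("still actionable:", filter_scanner_findings(report, doc))
```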