
CVEs found in calico/node

Open · jignesh01 opened this issue 3 years ago · 1 comment

Our security scanning tools have identified a CVE in one of your projects, calico/node. Can you please review this and provide an update on the following:

  • Documentation that explains the mitigation strategy that we can apply to reduce the severity level
  • Details on when this is going to be fixed, with the expected version number

CVE reported: CVE-2020-8561: A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs.

Calico version in use: 3.23.3

jignesh01 · Aug 10 '22 14:08

Calico is not affected by this CVE. It should be resolved in a future Calico release by updating the Kubernetes version that we pin to.

caseydavenport · Aug 19 '22 15:08

I thought we fixed this with: https://github.com/projectcalico/calico/security/dependabot/14 It looks like Calico v3.23 and v3.24 are pinned to recent enough versions of k8s that have resolved the CVE.

lmm · Aug 23 '22 16:08
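The check described in the comment above (are the pinned k8s.io module versions recent enough?) is the kind of thing a dependency scanner does, and it can be reproduced locally against a project's go.mod. The following is an added example, not Calico's own tooling and not code from this thread: it parses a constructed go.mod (both the single-line and block `require` forms), reduces each version to its major.minor.patch, and flags every module under a given path prefix that is pinned below a threshold. The sample go.mod contents and the `minK8sVersion` threshold are placeholders; the real minimum must be taken from the Kubernetes advisory for CVE-2020-8561, which this thread does not state. Pseudo-versions (`v0.0.0-<timestamp>-<hash>`) reduce to v0.0.0 and are therefore always flagged for manual review.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Module is one "require" entry of a go.mod file.
type Module struct {
	Path    string
	Version string
}

// ParseGoMod collects require entries from go.mod text, in both the
// single-line form ("require k8s.io/api v0.24.1") and the block form.
// Trailing comments such as "// indirect" are stripped before parsing.
func ParseGoMod(src string) []Module {
	var mods []Module
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		switch {
		case len(fields) == 0:
			continue
		case inBlock && fields[0] == ")":
			inBlock = false
		case inBlock && len(fields) >= 2:
			mods = append(mods, Module{Path: fields[0], Version: fields[1]})
		case fields[0] == "require" && len(fields) == 2 && fields[1] == "(":
			inBlock = true
		case fields[0] == "require" && len(fields) >= 3:
			mods = append(mods, Module{Path: fields[1], Version: fields[2]})
		}
	}
	return mods
}

// parseVersion reduces "v1.24.3", "v0.24.3-rc.1", "v2.0.0+incompatible" or a
// pseudo-version to its numeric major.minor.patch. Pre-release and build
// metadata are dropped, so "v0.24.0-rc.1" counts as v0.24.0 (a simplification).
func parseVersion(v string) ([3]int, bool) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, false
		}
		out[i] = n
	}
	return out, true
}

// OlderThan reports whether v is older than minimum. A version that cannot be
// parsed is reported as older, so it is flagged rather than silently passed.
func OlderThan(v, minimum string) bool {
	vv, ok := parseVersion(v)
	if !ok {
		return true
	}
	mm, ok := parseVersion(minimum)
	if !ok {
		return true
	}
	for i := 0; i < 3; i++ {
		if vv[i] != mm[i] {
			return vv[i] < mm[i]
		}
	}
	return false
}

// CheckPins returns the require entries under prefix whose version is older
// than minVersion (or cannot be parsed), in go.mod order.
func CheckPins(goModSrc, prefix, minVersion string) []Module {
	var flagged []Module
	for _, m := range ParseGoMod(goModSrc) {
		if strings.HasPrefix(m.Path, prefix) && OlderThan(m.Version, minVersion) {
			flagged = append(flagged, m)
		}
	}
	return flagged
}

// sampleGoMod is a constructed go.mod for this demonstration; it is not
// Calico's go.mod and the module/version pairs are not real pins.
const sampleGoMod = `module example.com/placeholder

go 1.18

require (
	github.com/example/unrelated v1.2.3
	k8s.io/api v0.24.1
	k8s.io/apimachinery v0.22.0 // indirect
	k8s.io/client-go v0.0.0-20220101000000-abcdef012345
)

require k8s.io/example-module v0.24.1
`

// minK8sVersion is a PLACEHOLDER threshold; the version that actually resolves
// CVE-2020-8561 must be taken from the Kubernetes advisory.
const minK8sVersion = "v0.24.0"

func main() {
	for _, m := range CheckPins(sampleGoMod, "k8s.io/", minK8sVersion) {
		fmt.Printf("flag: %s %s (older than %s or unparseable)\n", m.Path, m.Version, minK8sVersion)
	}
}
```

Run against the constructed input, this flags k8s.io/apimachinery (below the threshold) and k8s.io/client-go (a pseudo-version), and passes k8s.io/api and the unrelated module. To use it on a real project, replace `sampleGoMod` with the file contents and set `minK8sVersion` from the advisory.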

Going to close this for now, but please reopen the issue if you have further questions.

lmm · Sep 20 '22 17:09