kube-rbac-proxy
Possible gRPC logging vulnerability GHSA-xr7q-jx4m-x55m
GitHub advisory GHSA-xr7q-jx4m-x55m reports an issue with version 1.64.0 of github.com/grpc/grpc-go, a.k.a. google.golang.org/grpc. That's precisely the version kube-rbac-proxy uses. It's resolved in versions 1.64.1 and 1.65.0.
The issue occurs if a context gets logged that contains gRPC metadata with tokens in it. Do the requests that kube-rbac-proxy handles include tokens? (I could imagine they would.) And does kube-rbac-proxy log gRPC metadata?
If kube-rbac-proxy isn't susceptible to this issue, then that's great, but I hope the grpc library could still get updated. In my case, it's Trivy that finds matching library versions and concludes that there must be a vulnerability.