helm-diff

CVE in containerd library

Open crazymushrooms opened this issue 3 years ago • 5 comments

A Trivy scan found CVE-2022-23648. It would be nice if you bumped the containerd patch version.

root/.local/share/helm/plugins/helm-diff/bin/diff (gobinary)
============================================================
Total: 3 (UNKNOWN: 2, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+----------------------------------+------------------+----------+---------------------+-----------------------+---------------------------------------+
|             LIBRARY              | VULNERABILITY ID | SEVERITY |  INSTALLED VERSION  |     FIXED VERSION     |                 TITLE                 |
+----------------------------------+------------------+----------+---------------------+-----------------------+---------------------------------------+
| github.com/containerd/containerd | CVE-2022-23648   | HIGH     | v1.4.11             | 1.4.13, 1.5.10, 1.6.1 | containerd: insecure                  |
|                                  |                  |          |                     |                       | handling of image volumes             |
|                                  |                  |          |                     |                       | -->avd.aquasec.com/nvd/cve-2022-23648 |
+                                  +------------------+----------+                     +-----------------------+---------------------------------------+
|                                  | GMS-2021-175     | UNKNOWN  |                     | 1.4.12, 1.5.8         | Ambiguous OCI manifest parsing        |
+----------------------------------+------------------+          +---------------------+-----------------------+---------------------------------------+
| github.com/docker/distribution   | GMS-2022-20      |          | v2.7.1+incompatible | v2.8.0                | OCI Manifest Type Confusion           |
|                                  |                  |          |                     |                       | Issue                                 |
+----------------------------------+------------------+----------+---------------------+-----------------------+---------------------------------------+

Probably this is a trivial update:

-	github.com/containerd/containerd v1.4.11 // indirect
+	github.com/containerd/containerd v1.4.13 // indirect
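Review bot: the github.com/docker/distribution module is left untouched by this hunk, so of the three rows in the Trivy table only the two containerd findings are cleared (CVE-2022-23648, fixed in 1.4.13, and GMS-2021-175, fixed in 1.4.12); GMS-2022-20 against distribution v2.7.1+incompatible will still be reported until that module is raised to v2.8.0 as well. Because both entries are `// indirect`, the bump should be confirmed after `go mod tidy` and then against the built plugin binary with `go version -m bin/diff`, since that is what Trivy's gobinary scanner reads, not go.mod.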

crazymushrooms, Apr 05 '22 14:04
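To check whether an installed helm-diff binary (or any Go binary) still embeds one of the module versions flagged above, the following added example reads the module list Go records in every binary (the same data `go version -m <file>` prints) and compares it against the fixed versions from the Trivy table in this issue. This is not helm-diff's code; the findings table is transcribed from the scan output above, the default plugin path is taken from the issue and is an assumption about where the binary lives, and the version comparison follows Trivy's per-release-branch semantics (a fix must exist on the installed major.minor branch, or the installed version must be newer than every listed fix).

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Finding is one row of the Trivy table: the module, the advisory ID and the
// versions carrying the fix (one per release branch).
type Finding struct {
	Module string
	ID     string
	Fixed  []string
}

// findings is transcribed from the Trivy output in this issue; it is a
// constructed table, not a live advisory feed.
var findings = []Finding{
	{"github.com/containerd/containerd", "CVE-2022-23648", []string{"v1.4.13", "v1.5.10", "v1.6.1"}},
	{"github.com/containerd/containerd", "GMS-2021-175", []string{"v1.4.12", "v1.5.8"}},
	{"github.com/docker/distribution", "GMS-2022-20", []string{"v2.8.0"}},
}

// parseVersion turns "v1.4.11", "1.4.13" or "v2.7.1+incompatible" into
// [major minor patch]. Build metadata (+...) and pre-release tags (-...) are
// dropped, so a pseudo-version such as v0.0.0-2021...-abcdef compares as
// 0.0.0, which errs toward "vulnerable".
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "+-"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("unparseable version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("unparseable version %q: %w", v, err)
		}
		out[i] = n
	}
	return out, nil
}

func compare(a, b [3]int) int {
	for i := range a {
		if a[i] != b[i] {
			if a[i] < b[i] {
				return -1
			}
			return 1
		}
	}
	return 0
}

// IsFixed reports whether installed carries a fix: on or after the fix for
// its own major.minor branch if one exists, otherwise newer than every fix.
func IsFixed(installed string, fixed []string) (bool, error) {
	inst, err := parseVersion(installed)
	if err != nil {
		return false, err
	}
	var highest [3]int
	for _, f := range fixed {
		fv, err := parseVersion(f)
		if err != nil {
			return false, err
		}
		if fv[0] == inst[0] && fv[1] == inst[1] {
			return compare(inst, fv) >= 0, nil
		}
		if compare(fv, highest) > 0 {
			highest = fv
		}
	}
	return compare(inst, highest) >= 0, nil
}

// Exposed returns the advisory IDs whose module is present in deps
// (module path -> version) at a version that is not fixed.
func Exposed(deps map[string]string, findings []Finding) ([]string, error) {
	var ids []string
	for _, f := range findings {
		v, ok := deps[f.Module]
		if !ok {
			continue
		}
		fixed, err := IsFixed(v, f.Fixed)
		if err != nil {
			return nil, err
		}
		if !fixed {
			ids = append(ids, f.ID)
		}
	}
	return ids, nil
}

// depsFromBinary reads the embedded build info of a Go binary so the check
// runs against what was actually compiled in, not against a go.mod.
func depsFromBinary(path string) (map[string]string, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return nil, err
	}
	deps := make(map[string]string, len(info.Deps))
	for _, d := range info.Deps {
		if d.Replace != nil { // a replace directive is what got linked
			d = d.Replace
		}
		deps[d.Path] = d.Version
	}
	return deps, nil
}

func main() {
	// Assumed default path, taken from the scan output in this issue.
	path := os.ExpandEnv("$HOME/.local/share/helm/plugins/helm-diff/bin/diff")
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	deps, err := depsFromBinary(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	ids, err := Exposed(deps, findings)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	if len(ids) == 0 {
		fmt.Println("no flagged module versions embedded in", path)
		return
	}
	for _, id := range ids {
		fmt.Println("still exposed:", id)
	}
	os.Exit(1)
}
```

Run it as `go run . /path/to/helm-diff/bin/diff`; a non-zero exit means the binary still embeds a flagged version, which is the check to repeat after a release rather than trusting that master's go.mod has moved on.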

Any update on fixing this vulnerability?

msharbaji, May 13 '22 07:05

Please feel free to submit a PR for the update!

mumoshu, May 13 '22 08:05

Sure, I will issue a PR to update it.

msharbaji, May 13 '22 11:05

@mumoshu BTW, I see the master branch has the update for the containerd package, but there is no update to this package in the latest release, 3.4.2. How and when do we get a new release? Is it something we can do, or do we need your help?

msharbaji, May 13 '22 12:05

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot], Aug 13 '22 07:08