grpc-health-probe

Facing vulnerability with stdlib and google.golang.org/grpc

Open rujutaghanekar opened this issue 1 year ago • 3 comments

Facing vulnerability with stdlib package

  • CVE-2024-24791
  • Present in golang 1.22.4 version
  • Fixed in golang 1.22.5 version

Facing vulnerability with google.golang.org/grpc

  • GHSA-xr7q-jx4m-x55m
  • installed_version -> v1.64.0
  • fixed_version -> v1.64.1

We use grpc-health-probe in our project. Our scans are failing because of the mentioned vulnerabilities. Please update the package and golang versions.

rujutaghanekar • Jul 25 '24 10:07

The gRPC-go module is already updated to 1.65. And the http/1.1 vuln doesn't impact grpc, so it's irrelevant.

ahmetb • Jul 26 '24 01:07

Currently, we are also using the grpc-health-probe tool in our project, and we encountered a failed security scan due to the mentioned vulnerability. If possible, we would appreciate an update as soon as possible. Thank you.

trend-shihyi-wu • Aug 06 '24 06:08

A new release 0.4.38 was released yesterday, including fixes for all currently publicly known security issues.

See https://github.com/grpc-ecosystem/grpc-health-probe/releases/tag/v0.4.38

stefanb • May 04 '25 07:05