
High Severity vulnerability found in all latest versions - github.com/getkin/kin-openapi/openapi3filter

Open SabaOrk opened this issue 6 months ago • 4 comments

Hi, there is a high severity vulnerability found in recent haproxytech/kubernetes-ingress images. More details about the vulnerability:

Please update the openapi3filter package to the latest version, where they fix this vulnerability.

SabaOrk avatar Jun 13 '25 08:06 SabaOrk

@SabaOrk what tool did you use that detected this? We do not have such a package at all.

oktalz avatar Jun 14 '25 10:06 oktalz

@oktalz this is detected in multiple tools like the ORCA tool or the Google Cloud Console container scanning tool, both showing the same vulnerability. Could this package be inside DATAPLANE_API here: https://github.com/haproxytech/haproxy-docker-alpine/blob/main/3.2/Dockerfile#L3 ?

SabaOrk avatar Jun 14 '25 10:06 SabaOrk

@SabaOrk thanks for the info. We are removing dataplaneapi from the image for this controller, as you can see here https://github.com/haproxytech/kubernetes-ingress/blob/14d2e66da405e7d600aa1a71344e4f7c39c30fe1/build/Dockerfile#L45

Though I checked it now, it seems there is one additional binary, /usr/local/bin/dataplaneapi-v2, that needs to be removed; that might be an issue.

If you want you can create a PR for this removal too :)

If not, we can do that and release new images without it (in a few days).

oktalz avatar Jun 14 '25 12:06 oktalz
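Why a scanner reports a Go module the controller never imports: image scanners do not read the project's go.mod, they read the build information the Go linker embeds in every binary in the image (the same data `go version -m <file>` prints), so a bundled dataplaneapi binary is enough to produce the finding. The following is an added example, written for this thread and not code from the haproxytech project or from any scanner vendor. It walks an unpacked image filesystem and reports which files link `github.com/getkin/kin-openapi`, parsing the inline build-info layout that Go 1.18 and later write; the two fixture "binaries", their module versions, and the Go version string are constructed for the demonstration and are not real artifacts.

```python
import os
import tempfile

# Header the Go linker writes into every binary (see Go's debug/buildinfo).
BUILDINFO_MAGIC = b"\xff Go buildinf:"
HEADER_SIZE = 32
FLAG_INLINE_STRINGS = 0x2  # version/modinfo strings follow the header inline (Go >= 1.18)
# Framing bytes cmd/go wraps around the module list (modload infoStart/infoEnd).
INFO_START = bytes.fromhex("3077af0c9274080241e1c107e6d618e6")
INFO_END = bytes.fromhex("f932433186182072008242104116d8f2")


def _uvarint(data, pos):
    """Decode an unsigned LEB128 varint (encoding/binary.Uvarint) at pos."""
    result, shift = 0, 0
    while True:
        b = data[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if b < 0x80:
            return result, pos
        shift += 7


def _put_uvarint(n):
    """Inverse of _uvarint, used only to build the constructed fixtures."""
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def parse_go_buildinfo(data):
    """Return (go_version, {module_path: version}) or None if no inline build info.

    Only the inline layout (flag 0x2, Go 1.18+) is handled; older binaries store
    pointers into the data segment instead, so fall back to `go version -m` there.
    """
    start = data.find(BUILDINFO_MAGIC)
    if start < 0 or len(data) < start + HEADER_SIZE:
        return None
    if not data[start + 15] & FLAG_INLINE_STRINGS:
        return None
    vlen, pos = _uvarint(data, start + HEADER_SIZE)
    version, pos = data[pos:pos + vlen], pos + vlen
    mlen, pos = _uvarint(data, pos)
    modinfo = data[pos:pos + mlen]
    if not version:
        return None
    modules = {}
    # Strip the 16-byte framing exactly as debug/buildinfo does, then read the
    # tab-separated records: "mod" (main module), "dep" and "=>" (replacements).
    if len(modinfo) >= 33 and modinfo[-17:-16] == b"\n":
        for line in modinfo[16:-16].decode("utf-8", "replace").split("\n"):
            fields = line.split("\t")
            if len(fields) >= 3 and fields[0] in ("mod", "dep", "=>"):
                modules[fields[1]] = fields[2]
    return version.decode("utf-8", "replace"), modules


def find_module(root, module_path):
    """Walk an unpacked rootfs; map each Go binary linking module_path to the version it carries."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                info = parse_go_buildinfo(fh.read())
            if info and module_path in info[1]:
                hits[os.path.relpath(path, root)] = info[1][module_path]
    return hits


def build_fixture(deps):
    """Constructed stand-in for a Go binary: a build-info blob with the given dep list."""
    body = b"path\tgithub.com/example/cmd\nmod\tgithub.com/example\t(devel)\t\n"
    for mod, ver in deps:
        body += b"dep\t" + mod.encode() + b"\t" + ver.encode() + b"\th1:constructed=\n"
    modinfo = INFO_START + body + INFO_END
    version = b"go1.22.0"  # hypothetical toolchain version
    header = BUILDINFO_MAGIC + bytes([8, FLAG_INLINE_STRINGS]) + bytes(16)
    return (b"\x7fELF..padding.." + header + _put_uvarint(len(version)) + version
            + _put_uvarint(len(modinfo)) + modinfo + b"\x00" * 8)


def demo():
    """Write two constructed 'binaries' into a temp rootfs and report which one links kin-openapi."""
    target = "github.com/getkin/kin-openapi"
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "usr", "local", "bin")
        os.makedirs(bindir)
        with open(os.path.join(bindir, "dataplaneapi-v2"), "wb") as fh:
            fh.write(build_fixture([(target, "v0.120.0")]))  # hypothetical dep version
        with open(os.path.join(bindir, "haproxy-ingress-controller"), "wb") as fh:
            fh.write(build_fixture([("github.com/spf13/cobra", "v1.8.0")]))
        return find_module(root, target)


if __name__ == "__main__":
    for path, version in demo().items():
        print(f"{path}: links github.com/getkin/kin-openapi {version}")
```

To apply it to a real image, export the filesystem (for example with `docker create` plus `docker export`, or `crane export`), untar it, and point `find_module` at that directory: before the Dockerfile change it should name the dataplaneapi binaries under /usr/local/bin and nothing else, and a rebuilt image with both binaries deleted should return no hits, which is the check to run before closing the scanner finding.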

@oktalz thanks for checking that, I have created a PR:

Please review it and proceed accordingly, or tell me if you need anything else from me.

SabaOrk avatar Jun 14 '25 13:06 SabaOrk