
Few CVEs found when scanning container.

Open ietashish opened this issue 4 years ago • 5 comments

Description
Running a container scan on the NMI container (stakater/reloader:v0.0.100) reveals a few vulnerabilities that have not been fixed. This is problematic since we deploy on an Azure GovCloud cluster which needs to be compliant with FedRAMP regulations, which ask us to explain every un-remediated vulnerability.

Can you comment on whether any of these vulnerabilities are getting fixed in upcoming releases, or explain why they have not been fixed yet?

Steps To Reproduce
Run any container scanning tool (like Docker Snyk, Aqua Trivy or JFrog Xray) on stakater/reloader:v0.0.100. We ran a JFrog Xray scan and found the following CVEs:

| CVE | CVSS3 score | Vulnerable component | Summary | Fixed versions |
|---|---|---|---|---|
| CVE-2020-29652 | 7.5 | go://golang.org/x/crypto:0.0.0-20201016220609-9e8e0b390897 | A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers. | 0.0.0-20201216223049-8b5274cf687f |
| CVE-2020-28852 | 7.5 | go://golang.org/x/text:0.3.4 | In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.) | 0.3.5 |
| CVE not available (issue description at https://github.com/kubernetes/kubernetes/issues/78467) | 6.1 | go://k8s.io/apimachinery:0.21.0-alpha.0 | Kubernetes /proxy/ pagesize parameter reflected XSS | 1.16.0-alpha.3 |

Expected behavior
The container should not have any vulnerabilities.

Version
v0.0.100

ietashish, Oct 08 '21 10:10
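A way to check findings like these against what is actually compiled into the image, added here as an example and not code from the issue or from the Reloader project: the program below takes the text printed by `go version -m <binary>` (the binary can be pulled out of the image with `docker create` and `docker cp`) and, for each module with a known fixed version, decides whether the shipped version predates the fix using semver precedence. The same ordering handles Go pseudo-versions such as the x/crypto ones in the table, because their timestamp identifier is fixed-width and semver compares alphanumeric identifiers lexically. The `go version -m` text is constructed from the versions in the table with placeholder hashes, and the map of fixed versions is assumed from the "Fixed versions" column; the k8s.io/apimachinery row is left out because the fixed version the scanner lists for it (1.16.0-alpha.3) follows Kubernetes release numbering rather than the v0.x module versions the binary reports, so a plain version comparison would not be meaningful.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Minimum non-vulnerable versions, assumed from the "Fixed versions" column of the table above.
var fixedVersions = map[string]string{
	"golang.org/x/crypto": "v0.0.0-20201216223049-8b5274cf687f", // CVE-2020-29652
	"golang.org/x/text":   "v0.3.5",                             // CVE-2020-28852
}

// Constructed sample of `go version -m reloader` output: versions from the issue, placeholder hashes.
const sampleGoVersionM = `reloader: go1.16.5
	dep	golang.org/x/crypto	v0.0.0-20201016220609-9e8e0b390897	h1:placeholder=
	dep	golang.org/x/text	v0.3.4	h1:placeholder=
	dep	k8s.io/apimachinery	v0.21.0-alpha.0	h1:placeholder=
`

// Finding is one module with a known fix; Vulnerable means the shipped build predates that fix.
type Finding struct {
	Module, Shipped, Fixed string
	Vulnerable             bool
}

// parseSemver splits "vMAJOR.MINOR.PATCH[-PRERELEASE][+BUILD]"; build metadata is ignored.
func parseSemver(v string) (core [3]int, pre string, ok bool) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+")
	v, pre, _ = strings.Cut(v, "-")
	parts := strings.Split(v, ".")
	ok = len(parts) == 3
	for i := 0; ok && i < 3; i++ {
		var err error
		core[i], err = strconv.Atoi(parts[i])
		ok = err == nil
	}
	return core, pre, ok
}

// preOlder orders prerelease strings by semver precedence: a release ("") outranks any prerelease;
// identifiers compare numerically when both are numeric, otherwise lexically; a shorter list sorts
// first. Pseudo-version identifiers like "20201016220609-9e8e0b390897" contain '-', so they
// compare lexically, which for their fixed-width timestamps means chronologically.
func preOlder(a, b string) bool {
	if a == "" || b == "" {
		return a != "" && b == ""
	}
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) && i < len(bs); i++ {
		an, aErr := strconv.Atoi(as[i])
		bn, bErr := strconv.Atoi(bs[i])
		switch {
		case aErr == nil && bErr == nil && an != bn:
			return an < bn
		case (aErr == nil) != (bErr == nil): // numeric identifiers sort before alphanumeric ones
			return aErr == nil
		case as[i] != bs[i]:
			return as[i] < bs[i]
		}
	}
	return len(as) < len(bs)
}

// olderThan reports whether version a predates version b.
func olderThan(a, b string) (bool, error) {
	ac, ap, okA := parseSemver(a)
	bc, bp, okB := parseSemver(b)
	if !okA || !okB {
		return false, fmt.Errorf("malformed version: %q vs %q", a, b)
	}
	for i := 0; i < 3; i++ {
		if ac[i] != bc[i] {
			return ac[i] < bc[i], nil
		}
	}
	return preOlder(ap, bp), nil
}

// triageGoBinary flags every "dep" line of `go version -m` output whose version predates its fix.
func triageGoBinary(goVersionM string, fixed map[string]string) ([]Finding, error) {
	var out []Finding
	for _, line := range strings.Split(goVersionM, "\n") {
		f := strings.Fields(line)
		if len(f) < 3 || f[0] != "dep" || fixed[f[1]] == "" {
			continue // header and mod lines, or a module with no known fix
		}
		vuln, err := olderThan(f[2], fixed[f[1]])
		if err != nil {
			return nil, fmt.Errorf("%s: %w", f[1], err)
		}
		out = append(out, Finding{f[1], f[2], fixed[f[1]], vuln})
	}
	return out, nil
}

func main() {
	fmt.Println(triageGoBinary(sampleGoVersionM, fixedVersions)) // findings slice, then the error value
}
```

With the sample input both x/ modules come back with Vulnerable set, matching the scanner. To check a newer image, replace the sample with the real `go version -m` output of the extracted binary: modules with no entry in the fixed-version map are ignored, and a version string that does not parse aborts the triage with an error rather than silently passing.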

Can someone please provide any sort of update on this.

ietashish, Oct 18 '21 07:10

Hello, we will try to add this in our upcoming releases. But in the meanwhile, we welcome community contributions via pull requests :)

faizanahmad055, Oct 18 '21 07:10

It seems many of the CVEs come from the dependency argoproj/argo-rollouts, which in turn is from the k8s.io/kubernetes project and its dependencies. I've created a PR to update those deps: https://github.com/argoproj/argo-rollouts/pull/1785

smuda, Jan 18 '22 21:01

@smuda can we close this?

rasheedamir, Jul 05 '22 15:07

@rasheedamir I'm currently on vacation but if it's ok with you I'll look into this in 2-3 weeks.

smuda, Jul 15 '22 20:07

This should be fixed.

faizanahmad055, Jan 05 '23 21:01