http-add-on icon indicating copy to clipboard operation
http-add-on copied to clipboard

Published 20 hours ago verified publisher icon kedacore

Critical Vulnerability - CVE-2024-24790

Open willemvs opened this issue 1 year ago • 1 comments

Good day,

I have been on journey to utilize KEDA Http Add On for a PoC and through the adoption process scanned the container images for potential vulnerabilities. The scanning tool used is Prisma, and it has indicated that there are in fact a critical vulnerability for most of the images utilized in kedacore/http-add-on.

It might also be worth considering updating of gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0 to v0.14.1 or higher as there are also vulnerabilities that have been addressed.

The images that was scanned on Prisma was the following:

  • ghcr.io/kedacore/http-add-on-operator:0.8.0
  • ghcr.io/kedacore/http-add-on-scaler:0.8.0
  • ghcr.io/kedacore/http-add-on-interceptor:0.8.0

+----------------+----------+------+-----------+---------+--------------------------+-----------+------------+------------+----------------------------------------------------+-------------------+ | CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS | PUBLISHED | DISCOVERED | GRACE DAYS | DESCRIPTION | TRIGGERED FAILURE | +----------------+----------+------+-----------+---------+--------------------------+-----------+------------+------------+----------------------------------------------------+-------------------+ | CVE-2024-24790 | critical | 9.80 | net/netip | 1.22.2 | fixed in 1.21.11, 1.22.4 | 84 days | < 1 hour | -25 | The various Is methods (IsPrivate, IsLoopback, | Yes | | | | | | | 85 days ago | | | | etc) did not work as expected for IPv4-mapped IPv6 | | | | | | | | | | | | addresses, returning false for addresses which | | | | | | | | | | | | would... | | +----------------+----------+------+-----------+---------+--------------------------+-----------+------------+------------+----------------------------------------------------+-------------------+

Regards

willemvs avatar Aug 30 '24 09:08 willemvs

Thanks for reporting! We are going to upgrade golang version asap

JorTurFer avatar Sep 02 '24 22:09 JorTurFer

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Nov 05 '24 01:11 stale[bot]

This issue has been automatically closed due to inactivity.

stale[bot] avatar Nov 16 '24 01:11 stale[bot]

@JorTurFer : gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0 is still referenced in the values.yaml. Why is that?

Maybe:

kubeRbacProxy:
        name: quay.io/brancz/kube-rbac-proxy
        tag: v0.20.0

?

Or could there be another solution? This project (https://github.com/brancz/kube-rbac-proxy) seems still not be supported by k8s itself for years now.

khauser avatar Oct 24 '25 08:10 khauser

@JorTurFer : gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0 is still referenced in the values.yaml. Why is that?

Maybe:

kubeRbacProxy:
        name: quay.io/brancz/kube-rbac-proxy
        tag: v0.20.0

?

Or could there be another solution? This project (brancz/kube-rbac-proxy) seems still not be supported by k8s itself for years now.

Probably just because nobody has taken care about it. AFAIK controller runtime already supports it natively so maybe it's worth it migrate to it. Are you willing to help with that?

JorTurFer avatar Oct 25 '25 17:10 JorTurFer

JorTurFer: Me and AI were trying to do the needed changes. With some additional changes (e.g. supporting whitespaces in the projects base folder) the tests were passing.

khauser avatar Oct 30 '25 18:10 khauser