
Version 3.5.0 vulnerability with CVE-2022-1996

Open briantopping opened this issue 1 year ago • 3 comments

Hello, release 3.5.0 is apparently vulnerable with a score of 9+ https://nvd.nist.gov/vuln/detail/CVE-2022-1996

NIST CVSS score (NIST: NVD): Base Score 9.1 CRITICAL, Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

NIST CVSS score does not match the CNA score (CNA: huntr.dev): Base Score 9.3 CRITICAL

briantopping avatar Aug 17 '22 21:08 briantopping

@briantopping: The label(s) area/security cannot be applied, because the repository doesn't have them.

In response to this:

/area security

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Aug 17 '22 21:08 k8s-ci-robot

https://github.com/kubernetes/client-go/commit/2a9f95519059bcb745428698c59bf4a376c3f383 never made it into a 1.24 release of client-go. go-restful will always be pulled in until that's cured.

briantopping avatar Aug 18 '22 16:08 briantopping

It's not just that, apimachinery as late as v0.24.4 (yesterday) is still at https://github.com/kubernetes/apimachinery/commit/00f071187c120e93eae88bb0c35ef31fbb442a2b. Until that comes up to at least https://github.com/kubernetes/apimachinery/commit/e4283bb979b0ff67ba6432345e32bb91c099869b and dependents are updated (including transitives such as https://github.com/kubernetes/api/blob/release-1.24/go.mod), there will be continued inclusion of the vulnerable version.

Curious, is it even possible to do this?

briantopping avatar Aug 19 '22 01:08 briantopping
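A check for the transitive inclusion described in this thread, added here as an example that is not part of the issue or of the external-attacher project: it parses `go list -m all` output (a constructed sample below; in a real module run `go list -m all` and feed in its output) and reports any go-restful module older than the first fixed release. The fixed versions v2.16.0 and v3.8.0 are an assumption taken from the CVE-2022-1996 advisory and should be confirmed against NVD before relying on them.

```go
package main

import (
	"strconv"
	"strings"
)
// Constructed sample of `go list -m all` output (not from the issue or the project).
const sampleModList = `github.com/kubernetes-csi/external-attacher
github.com/emicklei/go-restful v2.9.5+incompatible
github.com/emicklei/go-restful/v3 v3.7.4
k8s.io/client-go v0.24.4
`

func verKey(major, minor, patch int) int { return major*1_000_000 + minor*1_000 + patch }
// parseVersion reads "vMAJOR.MINOR.PATCH", dropping "+incompatible" and pre-release/pseudo-version suffixes.
func parseVersion(v string) (major, key int, ok bool) {
	v = strings.TrimPrefix(v, "v")
	v = strings.SplitN(strings.SplitN(v, "+", 2)[0], "-", 2)[0]
	var n [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		x, err := strconv.Atoi(p)
		if err != nil {
			return 0, 0, false
		}
		n[i] = x
	}
	return n[0], verKey(n[0], n[1], n[2]), true
}

// First fixed go-restful release per major version: an assumption from the advisory, confirm against NVD.
var fixedByMajor = map[int]int{2: verKey(2, 16, 0), 3: verKey(3, 8, 0)}

// VulnerableGoRestful scans `go list -m all` output and returns each "path version" of
// go-restful below its fixed release; a replace line ("old v1 => new v2") is resolved to its right-hand side.
func VulnerableGoRestful(modList string) []string {
	var hits []string
	for _, line := range strings.Split(modList, "\n") {
		parts := strings.Split(line, "=>")
		f := strings.Fields(parts[len(parts)-1])
		if len(f) < 2 || !strings.HasPrefix(f[0], "github.com/emicklei/go-restful") {
			continue
		}
		major, key, ok := parseVersion(f[1])
		if fixed, known := fixedByMajor[major]; ok && known && key < fixed {
			hits = append(hits, f[0]+" "+f[1])
		}
	}
	return hits
}
```

Pseudo-versions (v0.0.0-<timestamp>-<hash>) carry no usable major version and are skipped rather than flagged, so a go-restful pinned by commit hash still needs a manual look.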