
broken version of golang.org/x/net used

Open jcpunk opened this issue 3 years ago • 1 comment

What happened?

https://artifacthub.io/packages/helm/k8s-dashboard/kubernetes-dashboard?modal=security-report

Reports a security issue with dependencies.

golang: net/http: handle server errors after sending GOAWAY

In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.

Fixed in https://pkg.go.dev/golang.org/x/[email protected]

What did you expect to happen?

Some sort of automated check on this side looking for vulnerable dependencies in the project

How can we reproduce it (as minimally and precisely as possible)?

Review the changelog of golang.org/x/net

Anything else we need to know?

No response

What browsers are you seeing the problem on?

No response

Kubernetes Dashboard version

2.7.0

Kubernetes version

1.24

Dev environment

No response

jcpunk avatar Oct 03 '22 20:10 jcpunk

We have such checks, but vulnerability alerts are not visible to non-admin users.

The CVE that you have mentioned no longer appears, as we have updated golang.org/x/net to a newer version.

maciaszczykm avatar Oct 04 '22 07:10 maciaszczykm