Skip to content

HIGH CVE in v0.8.20 #994

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
rishpar17 opened this issue Dec 12, 2024 · 4 comments · Fixed by #1035
Closed

HIGH CVE in v0.8.20 #994

rishpar17 opened this issue Dec 12, 2024 · 4 comments · Fixed by #1035

Comments

@rishpar17
Copy link

rishpar17 commented Dec 12, 2024
edited
Loading

We see 1 high CVE in our latest scan. Please help address this.

"CVE-2024-45337": {
        "description": "Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.",
        "fixed_version": "0.31.0",
        "installed_version": "v0.25.0",
        "pkg_name": "golang.org/x/crypto",
        "references": [
            "http://www.openwall.com/lists/oss-security/2024/12/11/2",
            "https://github.com/golang/crypto",
            "https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909",
            "https://go.dev/cl/635315",
            "https://go.dev/issue/70779",
            "https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ",
            "https://pkg.go.dev/vuln/GO-2024-3321"
        ],
        "severity": "HIGH",
        "title": "Applications and libraries which misuse the ServerConfig.PublicKeyCall ...",
        "vulnerability_id": "CVE-2024-45337"
    }
@mounchin
Copy link

One new HIGH CVE and earlier CVE got upgraded to CRITICAL

trivy image --severity LOW,MEDIUM,HIGH,CRITICAL --ignore-unfixed --exit-code 3 --exit-on-eol 7 --scanners vuln registry.k8s.io/node-problem-detector/node-problem-detector:v0.8.20


registry.k8s.io/node-problem-detector/node-problem-detector:v0.8.20 (debian 12.7)

Total: 0 (LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


home/kubernetes/bin/log-counter (gobinary)

Total: 1 (LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                       │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2024-45338 │ HIGH     │ fixed  │ v0.27.0           │ 0.33.0        │ golang.org/x/net/html: Non-linear parsing of      │
│                  │                │          │        │                   │               │ case-insensitive content in golang.org/x/net/html │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45338        │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘

node-problem-detector (gobinary)

Total: 2 (LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 1)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                          │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2024-45337 │ CRITICAL │ fixed  │ v0.25.0           │ 0.31.0        │ golang.org/x/crypto/ssh: Misuse of                     │
│                     │                │          │        │                   │               │ ServerConfig.PublicKeyCallback may cause authorization │
│                     │                │          │        │                   │               │ bypass in golang.org/x/crypto                          │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45337             │
├─────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ golang.org/x/net    │ CVE-2024-45338 │ HIGH     │        │ v0.27.0           │ 0.33.0        │ golang.org/x/net/html: Non-linear parsing of           │
│                     │                │          │        │                   │               │ case-insensitive content in golang.org/x/net/html      │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45338             │

@daveoy daveoy mentioned this issue Jan 9, 2025
Closed
@daveoy
Copy link
Contributor

daveoy commented Jan 9, 2025

#1005 this might do it?

@aaronfern
Copy link

CVEs found in v0.8.20

Affected Package CVE CVE Score Severity Rescoring Suggestion Package Version(s)
glibc CVE-2023-0687 9.8 CRITICAL NONE 2.36-9+deb12u8
zlib CVE-2023-45853 9.8 CRITICAL NONE 1.2.13.dfsg-1

daveoy added a commit to daveoy/node-problem-detector that referenced this issue Mar 10, 2025
@daveoy
chore(go.mod): update deps for high cves kubernetes#994
f24ca57
@daveoy daveoy mentioned this issue Mar 10, 2025
Merged
k8s-ci-robot added a commit that referenced this issue Mar 10, 2025
@k8s-ci-robot
Merge pull request #1035 from daveoy/dy/994-2
e858c3d 
chore(go.mod): update deps to fix high cve #994
@aaronfern
Copy link

Hello maintainers
Is a release planned with this PR included? I see that the last release was in Oct of last year and quite a few changes have already merged
Is there a plan for such releases?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
4 participants
@daveoy @aaronfern @mounchin @rishpar17