
CVE-2023-48795 #6781

Closed
adit-cmd opened this issue Apr 30, 2024 · 5 comments

Comments

@adit-cmd

Hi,
Has anyone come across the vulnerability CVE-2023-48795 (https://nvd.nist.gov/vuln/detail/CVE-2023-48795)? Does it affect the CA? The current version I am running is cluster-autoscaler:v1.29.0. I downloaded the Docker image locally and inspected it, but I do not see any openssh-related packages. It would be great if someone could comment on this vulnerability.

@Shubham82
Contributor

Hi @adit-cmd

This vulnerability is resolved in CA 1.30.0; the related package was golang.org/x/crypto. I checked the CA 1.30.0 image for this vulnerability; here is the output (trivy was used for scanning):


┌──────────────────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│                           Library                            │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/contrib/instrumentation/google.golang.o- │ CVE-2023-47108 │ HIGH     │ fixed  │ v0.42.0           │ 0.46.0        │ opentelemetry-go-contrib: DoS vulnerability in otelgrpc due │
│ rg/grpc/otelgrpc                                             │                │          │        │                   │               │ to unbound cardinality metrics                              │
│                                                              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-47108                  │
└──────────────────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
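The reporter looked for OpenSSH packages in the image, but as the comment above says the affected code is the Go module golang.org/x/crypto, which is compiled into the cluster-autoscaler binary rather than installed as an OS package. As an added example that is not from this thread or the project, the following reads the build info a Go binary embeds (the same data `go version -m <binary>` prints) and flags an x/crypto version below the patched release; the threshold v0.17.0 is assumed from the Go vulnerability database entry for this CVE and should be confirmed against the advisory before use.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"runtime/debug"
)

// Assumed patched release for CVE-2023-48795, taken from the Go vulnerability
// database entry for this CVE; confirm it against the advisory before relying on it.
const xcryptoPath, xcryptoFixed = "golang.org/x/crypto", "v0.17.0"

// FromBinary reads the build info embedded in a Go binary, e.g. one copied out of the image.
func FromBinary(path string) (*debug.BuildInfo, error) { return buildinfo.ReadFile(path) }

// ParseInfo accepts the same data as text, in the format `go version -m <binary>` prints.
func ParseInfo(text string) (*debug.BuildInfo, error) { return debug.ParseBuildInfo(text) }

// OlderThan reports whether module version a precedes b, judged on the
// vMAJOR.MINOR.PATCH prefix (a pseudo-version v0.0.0-2023...-abcdef reads as 0.0.0).
func OlderThan(a, b string) bool {
	key := func(v string) int {
		var x, y, z int
		if n, err := fmt.Sscanf(v, "v%d.%d.%d", &x, &y, &z); n != 3 || err != nil {
			return -1 // unparseable: flag it rather than silently pass it
		}
		return x<<40 | y<<20 | z
	}
	ka, kb := key(a), key(b)
	return ka < 0 || kb < 0 || ka < kb
}

// XCryptoVersion returns the x/crypto version linked into the build (honouring a replace), or "".
func XCryptoVersion(bi *debug.BuildInfo) string {
	for _, d := range bi.Deps {
		if d.Path == xcryptoPath {
			if d.Replace != nil {
				d = d.Replace
			}
			return d.Version
		}
	}
	return ""
}

// Vulnerable is true when the build links an x/crypto older than the fixed release.
func Vulnerable(bi *debug.BuildInfo) bool {
	v := XCryptoVersion(bi)
	return v != "" && OlderThan(v, xcryptoFixed)
}
```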

@Shubham82
Contributor

Also, issue #5343 is open for the vulnerabilities in the CA.
Please have a look.

@Shubham82
Contributor

@adit-cmd, if your concern is resolved, can we close this issue?

@Shubham82
Contributor

Closing this issue. Please reopen it if there is any concern.

/close

@k8s-ci-robot
Contributor

@Shubham82: Closing this issue.

In response to this:

Closing this issue. Please reopen it if there is any concern.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
