
cloud-provider-vsphere/cpi/release/manager:v1.28.0 has HIGH vulnerability CVE-2023-44487 #784

Closed
mitchellmaler opened this issue Oct 27, 2023 · 3 comments · Fixed by #785
Assignees
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@mitchellmaler

What happened?

Security tooling is showing high CVE CVE-2023-44487 on the release manager image for the latest version.

What did you expect to happen?

CVE to not exist.

How can we reproduce it (as minimally and precisely as possible)?

N/A

Anything else we need to know (please consider providing level 4 or above logs of CPI)?

This will require upgrading Golang to a later patch version to then pull in a newer version of the net package.

Kubernetes version

N/A

Cloud provider or hardware configuration

N/A

OS version

N/A

Kernel (e.g. uname -a)

N/A

Install tools

N/A

Container runtime (CRI) and version (if applicable)

N/A

Related plugins (CNI, CSI, ...) and versions (if applicable)

N/A

Others

N/A

@mitchellmaler mitchellmaler added the kind/bug Categorizes issue or PR as related to a bug. label Oct 27, 2023
@mitchellmaler
Author

[Screenshot attached: "Screenshot 2023-10-27 at 10 37 38 AM"]

@YanzhaoLi
Member

/assign

@YanzhaoLi
Member

YanzhaoLi commented Nov 7, 2023

Bumping golang.org/x/net to 0.17.0 should fix this CVE, see https://github.com/golang/net/releases/tag/v0.17.0 and GHSA-qppj-fm5r-hxr3
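The fix above is a dependency bump, so the practical question for anyone consuming the release manager image is whether a given built binary actually links golang.org/x/net at v0.17.0 or later. The following Go program is an added example, not code from cloud-provider-vsphere or PR #785: it reads the module list the Go linker embeds in a binary (via the standard-library `debug/buildinfo` package) and reports whether the linked `golang.org/x/net` version is at or above the fixed release. `FixedNetVersion`, `NetModuleStatus`, `VersionAtLeast` and `Dep` are names chosen here for illustration; the fixed version string comes from the comment above.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// FixedNetVersion is the golang.org/x/net release named in the thread as
// closing CVE-2023-44487 (GHSA-qppj-fm5r-hxr3).
const FixedNetVersion = "v0.17.0"

// NetModulePath is the module the fix applies to.
const NetModulePath = "golang.org/x/net"

// parsedVersion holds numeric major/minor/patch plus a flag for pre-release
// or pseudo-version suffixes ("-..."), which sort below the bare release.
type parsedVersion struct {
	nums [3]int
	pre  bool
}

func parseVersion(v string) (parsedVersion, error) {
	var pv parsedVersion
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 { // drop build metadata
		v = v[:i]
	}
	if i := strings.IndexByte(v, '-'); i >= 0 { // pre-release / pseudo-version
		pv.pre = true
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return pv, fmt.Errorf("unrecognised version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return pv, fmt.Errorf("bad component %q in version %q", p, v)
		}
		pv.nums[i] = n
	}
	return pv, nil
}

// VersionAtLeast reports whether have >= want under the ordering above.
func VersionAtLeast(have, want string) (bool, error) {
	h, err := parseVersion(have)
	if err != nil {
		return false, err
	}
	w, err := parseVersion(want)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if h.nums[i] != w.nums[i] {
			return h.nums[i] > w.nums[i], nil
		}
	}
	// Same numbers: a pre-release of want is older than the release itself.
	return !(h.pre && !w.pre), nil
}

// Dep builds a dependency record shaped like the ones the linker embeds,
// so the check can be exercised on constructed input without a real binary.
func Dep(path, version string) *debug.Module {
	return &debug.Module{Path: path, Version: version}
}

// NetModuleStatus scans a dependency list for golang.org/x/net. found is
// false when the module is not linked at all; fixed reports whether the
// linked version is at least FixedNetVersion. A replace directive wins,
// because that is the code actually compiled in.
func NetModuleStatus(deps ...*debug.Module) (found, fixed bool, version string, err error) {
	for _, d := range deps {
		if d.Path != NetModulePath {
			continue
		}
		version = d.Version
		if d.Replace != nil {
			version = d.Replace.Version
		}
		fixed, err = VersionAtLeast(version, FixedNetVersion)
		return true, fixed, version, err
	}
	return false, false, "", nil
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: netcheck <go-binary>...")
		os.Exit(2)
	}
	exit := 0
	for _, path := range os.Args[1:] {
		bi, err := buildinfo.ReadFile(path) // embedded module list of the binary
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			exit = 1
			continue
		}
		found, fixed, v, err := NetModuleStatus(bi.Deps...)
		switch {
		case err != nil:
			fmt.Printf("%s: %s %s (cannot parse: %v)\n", path, NetModulePath, v, err)
			exit = 1
		case !found:
			fmt.Printf("%s: does not link %s\n", path, NetModulePath)
		case fixed:
			fmt.Printf("%s: %s %s (>= %s, CVE-2023-44487 fixed)\n", path, NetModulePath, v, FixedNetVersion)
		default:
			fmt.Printf("%s: %s %s (< %s, CVE-2023-44487 present)\n", path, NetModulePath, v, FixedNetVersion)
			exit = 1
		}
	}
	os.Exit(exit)
}
```

Run it against a binary extracted from the image (for example `go run . ./vsphere-cloud-controller-manager`); it exits non-zero when any binary links a vulnerable x/net. The same information is what `go version -m <binary>` prints, so the program is only a way to turn that listing into a pass/fail gate for CI. Note that a binary whose HTTP/2 handling comes only from the standard library's vendored copy of x/net/http2 is fixed by the Go toolchain patch mentioned in the issue, not by this module bump, so a "does not link golang.org/x/net" result should be paired with a check of the Go version recorded in the same build info.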
