Addressing several security vulnerabilities in the version v0.15.0 #706

Closed
thle40 opened this issue May 15, 2024 · 1 comment

thle40 commented May 15, 2024

1. Quick Debug Information

  • OS/Version(e.g. RHEL8.6, Ubuntu22.04): Ubuntu 22.04.4 LTS
  • K8s Flavor/Version(e.g. K8s, OCP, Rancher, GKE, EKS): K8s

2. Issue or feature description

Release of version v0.15.0, run under Ubuntu 22.04.4 LTS, contains several vulnerabilities.
Some vulnerabilities can be fixed by upgrading the version of the affected packages as below.

As a requirement of our security remediation process in our org, we would like to report vulnerabilities for this version (though we will follow your release process).

| CVE | Severity | CVSS | Package | Version | Status |
|---|---|---|---|---|---|
| CVE-2022-3715 | medium | 7.80 | bash | 5.1-6ubuntu1 | fixed in 5.1-6ubuntu1.1 |
| CVE-2024-2961 | medium | 0.00 | glibc | 2.35-0ubuntu3.6 | fixed in 2.35-0ubuntu3.7 |
| CVE-2024-28835 | medium | 0.00 | gnutls28 | 3.7.3-4ubuntu1.4 | fixed in 3.7.3-4ubuntu1.5 |
| CVE-2024-28834 | medium | 0.00 | gnutls28 | 3.7.3-4ubuntu1.4 | fixed in 3.7.3-4ubuntu1.5 |
| CVE-2024-28085 | medium | 0.00 | util-linux | 2.37.2-4ubuntu3 | fixed in 2.37.2-4ubuntu3.3 |
| CVE-2024-26462 | medium | 0.00 | krb5 | 1.19.2-2ubuntu0.3 | deferred |
| CVE-2024-26461 | medium | 0.00 | krb5 | 1.19.2-2ubuntu0.3 | deferred |
| CVE-2024-26458 | medium | 0.00 | krb5 | 1.19.2-2ubuntu0.3 | deferred |
| CVE-2024-2236 | medium | 0.00 | libgcrypt20 | 1.9.4-3ubuntu3 | deferred |
| CVE-2022-4899 | low | 7.50 | libzstd | 1.4.8+dfsg-3build1 | needed |
| CVE-2023-50495 | low | 6.50 | ncurses | 6.3-2ubuntu0.1 | needed |
| CVE-2016-2781 | low | 6.50 | coreutils | 8.32-4.1ubuntu1.1 | deferred |
| CVE-2023-7008 | low | 5.90 | systemd | 249.11-0ubuntu3.12 | needed |
| CVE-2022-27943 | low | 5.50 | gcc-12 | 12.3.0-1ubuntu1~22.04 | needed |
| CVE-2023-29383 | low | 3.30 | shadow | 1:4.8.1-2ubuntu2.2 | needed |
| CVE-2022-3219 | low | 3.30 | gnupg2 | 2.2.27-3ubuntu2.1 | deferred |
| CVE-2023-45918 | low | 0.00 | ncurses | 6.3-2ubuntu0.1 | needed |

Compliance vulnerabilities

| Severity | Description |
|---|---|
| high | (CIS_Docker_v1.5.0 - 4.1) Image should be created with a non-root user |


thle40 commented Jun 24, 2024

More CVEs are reported for nvidia plugin v1.15.0.

As a requirement of our security remediation process in our org, we would like to report vulnerabilities for this version (though we will follow your release process).

| CVE | Severity | CVSS | Package | Version | Status |
|---|---|---|---|---|---|
| CVE-2022-40735 | medium | 7.50 | openssl | 3.0.2-0ubuntu1.15 | needed |
| CVE-2024-33602 | medium | 0.00 | glibc | 2.35-0ubuntu3.6 | fixed in 2.35-0ubuntu3.8 |
| CVE-2024-33601 | medium | 0.00 | glibc | 2.35-0ubuntu3.6 | fixed in 2.35-0ubuntu3.8 |
| CVE-2024-33600 | medium | 0.00 | glibc | 2.35-0ubuntu3.6 | fixed in 2.35-0ubuntu3.8 |
| CVE-2024-33599 | medium | 0.00 | glibc | 2.35-0ubuntu3.6 | fixed in 2.35-0ubuntu3.8 |
| CVE-2024-4741 | low | 0.00 | openssl | 3.0.2-0ubuntu1.15 | needed |
| CVE-2024-4603 | low | 0.00 | openssl | 3.0.2-0ubuntu1.15 | needed |
| CVE-2024-2511 | low | 0.00 | openssl | 3.0.2-0ubuntu1.15 | needed |
