
Multiple CVEs found in latest release #9

Open
nh250146 opened this issue Oct 7, 2024 · 2 comments · Fixed by #10

Comments


nh250146 commented Oct 7, 2024

The latest image in Docker Hub reveals multiple CVEs under Trivy.

It looks like they can be resolved simply by bumping the relevant packages to the earliest fixed version.

Target kvaps/dnsmasq-controller (debian 12.5)

No Vulnerabilities found

No Misconfigurations found

Target dnsmasq-controller

Vulnerabilities (31)

| Package | ID | Severity | Installed Version | Fixed Version |
|---|---|---|---|---|
| github.com/dgrijalva/jwt-go | CVE-2020-26160 | HIGH | v3.2.0+incompatible | |
| github.com/gogo/protobuf | CVE-2021-3121 | HIGH | v1.2.2-0.20190723190241-65acae22fc9d | 1.3.2 |
| github.com/prometheus/client_golang | CVE-2022-21698 | HIGH | v1.0.0 | 1.11.1 |
| golang.org/x/crypto | CVE-2020-29652 | HIGH | v0.0.0-20190820162420-60c769a6c586 | 0.0.0-20201216223049-8b5274cf687f |
| golang.org/x/crypto | CVE-2020-7919 | HIGH | v0.0.0-20190820162420-60c769a6c586 | 0.0.0-20200124225646-8b5121be2f68 |
| golang.org/x/crypto | CVE-2020-9283 | HIGH | v0.0.0-20190820162420-60c769a6c586 | 0.0.0-20200220183623-bac4c82f6975 |
| golang.org/x/crypto | CVE-2021-43565 | HIGH | v0.0.0-20190820162420-60c769a6c586 | 0.0.0-20211202192323-5770296d904e |
| golang.org/x/crypto | CVE-2022-27191 | HIGH | v0.0.0-20190820162420-60c769a6c586 | 0.0.0-20220314234659-1baeb1ce4c0b |
| golang.org/x/crypto | CVE-2023-48795 | MEDIUM | v0.0.0-20190820162420-60c769a6c586 | 0.17.0 |
| golang.org/x/net | CVE-2021-33194 | HIGH | v0.0.0-20191004110552-13f9640d40b9 | 0.0.0-20210520170846-37e1c6afe023 |
| golang.org/x/net | CVE-2022-27664 | HIGH | v0.0.0-20191004110552-13f9640d40b9 | 0.0.0-20220906165146-f3363e06e74c |
| golang.org/x/net | CVE-2022-41723 | HIGH | v0.0.0-20191004110552-13f9640d40b9 | 0.7.0 |
| golang.org/x/net | CVE-2023-39325 | HIGH | v0.0.0-20191004110552-13f9640d40b9 | 0.17.0 |
| golang.org/x/net | CVE-2021-31525 | MEDIUM | v0.0.0-20191004110552-13f9640d40b9 | 0.0.0-20210428140749-89ef3d95e781 |
| golang.org/x/net | CVE-2022-41717 | MEDIUM | v0.0.0-20191004110552-13f9640d40b9 | 0.4.0 |
| golang.org/x/net | CVE-2023-3978 | MEDIUM | v0.0.0-20191004110552-13f9640d40b9 | 0.13.0 |
| golang.org/x/net | CVE-2023-44487 | MEDIUM | v0.0.0-20191004110552-13f9640d40b9 | 0.17.0 |
| golang.org/x/net | CVE-2023-45288 | MEDIUM | v0.0.0-20191004110552-13f9640d40b9 | 0.23.0 |
| golang.org/x/sys | CVE-2022-29526 | MEDIUM | v0.0.0-20190826190057-c7b8b68b1456 | 0.0.0-20220412211240-33da011f77ad |
| golang.org/x/text | CVE-2021-38561 | HIGH | v0.3.2 | 0.3.7 |
| golang.org/x/text | CVE-2022-32149 | HIGH | v0.3.2 | 0.3.8 |
| golang.org/x/text | CVE-2020-14040 | MEDIUM | v0.3.2 | 0.3.3 |
| gopkg.in/yaml.v2 | CVE-2019-11254 | MEDIUM | v2.2.4 | 2.2.8 |
| k8s.io/apimachinery | CVE-2020-8559 | MEDIUM | v0.17.2 | 0.16.13, 0.17.9, 0.18.7 |
| k8s.io/client-go | CVE-2020-8565 | MEDIUM | v0.17.2 | 0.19.6, 0.20.0-alpha.2, 0.18.14, 0.17.16 |
| stdlib | CVE-2024-24790 | CRITICAL | 1.22.3 | 1.21.11, 1.22.4 |
| stdlib | CVE-2024-34156 | HIGH | 1.22.3 | 1.22.7, 1.23.1 |
| stdlib | CVE-2024-24789 | MEDIUM | 1.22.3 | 1.21.11, 1.22.4 |
| stdlib | CVE-2024-24791 | MEDIUM | 1.22.3 | 1.21.12, 1.22.5 |
| stdlib | CVE-2024-34155 | MEDIUM | 1.22.3 | 1.22.7, 1.23.1 |
| stdlib | CVE-2024-34158 | MEDIUM | 1.22.3 | 1.22.7, 1.23.1 |

No Misconfigurations found
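Added example (not part of the issue or of the dnsmasq-controller project): a small script that turns rows of the Trivy table above into the bump each module actually needs. "Bump to the earliest fixed version" is per CVE; when one module carries several CVEs (golang.org/x/net here has nine) the module has to go to the highest of those earliest fixes, and where Trivy lists several fixed versions (the k8s.io and stdlib rows) the right one is the smallest that is newer than what is installed, not the smallest in the list. The rows embedded below are a constructed subset copied from the report; the version ordering is a hand-rolled comparison for Go module versions, including `0.0.0-<timestamp>-<hash>` pseudo-versions, and is an assumption of this example rather than the `go` tool's own logic.

```python
"""Derive the minimal set of module bumps that closes every CVE in a Trivy table."""

# Constructed input: a subset of the rows from the Trivy report above.
TRIVY_ROWS = """\
github.com/dgrijalva/jwt-go CVE-2020-26160 HIGH v3.2.0+incompatible
github.com/gogo/protobuf CVE-2021-3121 HIGH v1.2.2-0.20190723190241-65acae22fc9d 1.3.2
github.com/prometheus/client_golang CVE-2022-21698 HIGH v1.0.0 1.11.1
golang.org/x/crypto CVE-2020-29652 HIGH v0.0.0-20190820162420-60c769a6c586 0.0.0-20201216223049-8b5274cf687f
golang.org/x/crypto CVE-2023-48795 MEDIUM v0.0.0-20190820162420-60c769a6c586 0.17.0
golang.org/x/net CVE-2021-33194 HIGH v0.0.0-20191004110552-13f9640d40b9 0.0.0-20210520170846-37e1c6afe023
golang.org/x/net CVE-2023-45288 MEDIUM v0.0.0-20191004110552-13f9640d40b9 0.23.0
golang.org/x/net CVE-2022-41717 MEDIUM v0.0.0-20191004110552-13f9640d40b9 0.4.0
golang.org/x/text CVE-2021-38561 HIGH v0.3.2 0.3.7
golang.org/x/text CVE-2022-32149 HIGH v0.3.2 0.3.8
k8s.io/apimachinery CVE-2020-8559 MEDIUM v0.17.2 0.16.13, 0.17.9, 0.18.7
k8s.io/client-go CVE-2020-8565 MEDIUM v0.17.2 0.19.6, 0.20.0-alpha.2, 0.18.14, 0.17.16
stdlib CVE-2024-24790 CRITICAL 1.22.3 1.21.11, 1.22.4
stdlib CVE-2024-34156 HIGH 1.22.3 1.22.7, 1.23.1
"""


def version_key(v):
    """Sort key for Go module versions (assumption: a simplified ordering).

    The leading 'v' and any '+incompatible' suffix are dropped. The numeric
    core compares first; with an equal core a tagged release sorts above a
    pre-release or pseudo-version, and pseudo-versions sort by their
    timestamp string, which is what Go's pseudo-version format encodes.
    """
    v = v.lstrip("v").split("+", 1)[0]
    core, _, pre = v.partition("-")
    nums = tuple(int(x) for x in core.split("."))
    return (nums, pre == "", pre)


def parse_rows(text):
    """Split 'package CVE severity installed [fixed, fixed, ...]' rows."""
    findings = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 4:
            continue
        pkg, cve, severity, installed = parts[:4]
        fixed = [f.strip() for f in parts[4].split(",")] if len(parts) == 5 else []
        findings.append((pkg, cve, severity, installed, fixed))
    return findings


def earliest_fix(installed, fixed):
    """Smallest listed fixed version that is newer than the installed one."""
    candidates = [f for f in fixed if version_key(f) > version_key(installed)]
    return min(candidates, key=version_key) if candidates else None


def upgrade_plan(text):
    """Return (plan, unfixed): plan maps module -> version to bump to;
    unfixed lists (module, CVE) pairs that no listed version closes."""
    plan, unfixed = {}, []
    for pkg, cve, _severity, installed, fixed in parse_rows(text):
        fix = earliest_fix(installed, fixed)
        if fix is None:
            unfixed.append((pkg, cve))
            continue
        # A module with several CVEs needs the highest of their earliest fixes;
        # stopping at the earliest fix of one CVE leaves the others open.
        if pkg not in plan or version_key(fix) > version_key(plan[pkg]):
            plan[pkg] = fix
    return plan, unfixed


def go_get_commands(plan):
    """Shell lines for the module root. 'stdlib' is the Go toolchain itself,
    so it becomes a builder-image / toolchain note rather than a go get."""
    lines = []
    for pkg, ver in sorted(plan.items()):
        if pkg == "stdlib":
            lines.append(f"# stdlib: build with Go {ver} or newer (update the builder image)")
        else:
            lines.append(f"go get {pkg}@v{ver}")
    lines.append("go mod tidy")
    return lines


if __name__ == "__main__":
    plan, unfixed = upgrade_plan(TRIVY_ROWS)
    print("\n".join(go_get_commands(plan)))
    for pkg, cve in unfixed:
        print(f"# {pkg}: {cve} has no fixed version listed; replace or drop the module")
```

Running it prints one `go get` per module plus a note for `stdlib`; `github.com/dgrijalva/jwt-go` lands in the unfixed list because the report shows no fixed version for it, which is the one row a plain version bump cannot close. Re-running Trivy against the rebuilt image is still the check that matters, since `go get` on one module can pull in other modules at versions the table does not mention.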

nh250146 (Author) commented

@kvaps I have a PR opened that should resolve the CVEs that were detected. No other changes to the code have been made, so it should be a simple image rebuild. If there are other concerns, though, I'm happy to address them.

@kvaps kvaps closed this as completed in #10 Oct 20, 2024
kvaps (Member) commented Oct 20, 2024

Let's keep it open until the new images are released.

@kvaps kvaps reopened this Oct 20, 2024