Dabz / ccloudexporter

Prometheus exporter for Confluent Cloud API metric
https://docs.confluent.io/current/cloud/metrics-api.html

Fix CVE-2019-11254 in gopkg.in/yaml.v2 by upgrading to v2.2.8 #88

Closed atharvai closed 2 years ago

atharvai commented 3 years ago

During a recent vulnerability scan we run internally, this was identified in the ccloudexporter binary. Could I ask for a fix for this please?

```json
{
  "Target": "ccloudexporter",
  "Type": "gobinary",
  "Vulnerabilities": [
    {
      "VulnerabilityID": "CVE-2019-11254",
      "PkgName": "gopkg.in/yaml.v2",
      "InstalledVersion": "v2.2.5",
      "FixedVersion": "v2.2.8",
      "Layer": {
        "DiffID": "sha256:c87148c01e568bde3a58ce90550eb43596a0d9c36bb0bfcb25d31df097c8439f"
      },
      "SeveritySource": "nvd",
      "PrimaryURL": "https://nvd.nist.gov/vuln/detail/CVE-2019-11254",
      "Title": "kubernetes: Denial of service in API server via crafted YAML payloads by authorized users",
      "Description": "The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.",
      "Severity": "MEDIUM",
      "CVSS": {
        "nvd": {
          "V2Vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
          "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "V2Score": 4,
          "V3Score": 6.5
        },
        "redhat": {
          "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "V3Score": 6.5
        }
      },
      "References": [
        "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11254",
        "https://github.com/kubernetes/kubernetes/issues/89535",
        "https://groups.google.com/d/msg/kubernetes-announce/ALL9s73E5ck/4yHe8J-PBAAJ",
        "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wuwEwZigXBc",
        "https://linux.oracle.com/cve/CVE-2019-11254.html",
        "https://linux.oracle.com/errata/ELSA-2020-5653.html",
        "https://security.netapp.com/advisory/ntap-20200413-0003/"
      ],
      "PublishedDate": "2020-04-01T21:15:00Z",
      "LastModifiedDate": "2020-10-02T17:37:00Z"
    }
  ]
}
```
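A small triage script for scan output in this shape, added here as an example and not part of the issue or of the ccloudexporter project. It reads a Trivy-style `gobinary` report, decides for each finding whether a newer fixed version exists (so a dependency bump closes it) or whether it is unfixed (so only a mitigation applies). The sample report is constructed: it repeats the `gopkg.in/yaml.v2` fields shown above and adds two hypothetical entries to exercise the other branches.

```python
"""Triage a Trivy 'gobinary' JSON report: which findings does a bump fix?"""
import json
import re

# Constructed sample in the report format shown above (abbreviated fields).
# The two example.com entries are hypothetical and exist only for the demo.
SAMPLE_REPORT = json.dumps({
    "Target": "ccloudexporter",
    "Type": "gobinary",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2019-11254", "PkgName": "gopkg.in/yaml.v2",
         "InstalledVersion": "v2.2.5", "FixedVersion": "v2.2.8", "Severity": "MEDIUM"},
        {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "example.com/already-fixed",
         "InstalledVersion": "v1.4.0", "FixedVersion": "v1.3.0", "Severity": "LOW"},
        {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "example.com/no-fix-yet",
         "InstalledVersion": "v0.9.1", "FixedVersion": "", "Severity": "HIGH"},
    ],
})

_VER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")

def parse_version(v):
    """Turn a Go module version ('v2.2.8', 'v1.0.0-rc1') into a sortable tuple.
    A release sorts after its own pre-release; two pre-releases of the same
    base version are compared as plain strings, which is good enough for triage."""
    m = _VER.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 1 if pre is None else 0, pre or "")

def triage(report_json):
    """Return (needs_upgrade, unfixed). needs_upgrade holds findings whose
    FixedVersion is newer than InstalledVersion, with the lowest fixing version
    as the bump target; unfixed holds findings that have no FixedVersion at all."""
    report = json.loads(report_json)
    needs_upgrade, unfixed = [], []
    for vuln in report.get("Vulnerabilities", []):
        vid, pkg, installed = vuln["VulnerabilityID"], vuln["PkgName"], vuln["InstalledVersion"]
        # FixedVersion may be empty or, for some ecosystems, a comma-separated list.
        candidates = [c.strip() for c in (vuln.get("FixedVersion") or "").split(",") if c.strip()]
        if not candidates:
            unfixed.append((vid, pkg, installed, vuln["Severity"]))
            continue
        inst = parse_version(installed)
        newer = [c for c in candidates if parse_version(c) > inst]
        if newer:  # an installed version at or past the fix is already covered
            needs_upgrade.append((vid, pkg, installed, min(newer, key=parse_version), vuln["Severity"]))
    return needs_upgrade, unfixed

if __name__ == "__main__":
    for vid, pkg, inst, target, sev in triage(SAMPLE_REPORT)[0]:
        print(f"{sev}: {vid} bump {pkg} {inst} -> {target}")
```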
Dabz commented 2 years ago

Thanks for the comment, I will update this component in the next version :+1:

Dabz commented 2 years ago

After reviewing this message, it does not look critical for the exporter, as the YAML parser is only used for the configuration file. This CVE is actually for old versions of Kubernetes.

I nonetheless updated all the dependencies in #93.