ForgeRock / secret-agent

Generate random Kubernetes secrets and optionally store them in a Cloud Secret Manager
Apache License 2.0

sigs.k8s.io/controller-runtime-v0.8.3: 3 vulnerabilities (highest severity is: 7.5) - autoclosed #251

Closed mend-for-github-com[bot] closed 3 months ago

mend-for-github-com[bot] commented 11 months ago
Vulnerable Library - sigs.k8s.io/controller-runtime-v0.8.3

Path to dependency file: /go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/github.com/prometheus/client_golang/@v/v1.7.1.mod

Found in HEAD commit: f72485996d8c18101bbdfdd784accb8cfaded7b2

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (sigs.k8s.io/controller-runtime-v0.8.3 version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2022-21698 | High | 7.5 | github.com/prometheus/client_golang-v1.7.1 | Transitive | N/A* | |
| CVE-2021-25735 | Medium | 6.5 | k8s.io/apiextensions-apiserver-v0.20.1 | Transitive | N/A* | |
| CVE-2022-29526 | Medium | 5.3 | golang.org/x/sys-v0.0.0-20201112073958-5cba982894dd | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

**CVE-2022-21698**

### Vulnerable Library - github.com/prometheus/client_golang-v1.7.1

Prometheus instrumentation library for Go applications

Library home page: https://proxy.golang.org/github.com/prometheus/client_golang/@v/v1.7.1.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/github.com/prometheus/client_golang/@v/v1.7.1.mod

Dependency Hierarchy:
- sigs.k8s.io/controller-runtime-v0.8.3 (Root Library)
  - :x: **github.com/prometheus/client_golang-v1.7.1** (Vulnerable Library)

Found in HEAD commit: f72485996d8c18101bbdfdd784accb8cfaded7b2

Found in base branch: master

### Vulnerability Details

client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g. GET) before middleware; pass metric with `method` label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods.

Publish Date: 2022-02-15

URL: CVE-2022-21698

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p

Release Date: 2022-02-15

Fix Resolution: v1.11.1

**CVE-2021-25735**

### Vulnerable Library - k8s.io/apiextensions-apiserver-v0.20.1

API server for API extensions like CustomResourceDefinitions

Library home page: https://proxy.golang.org/k8s.io/apiextensions-apiserver/@v/v0.20.1.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/k8s.io/apiextensions-apiserver/@v/v0.20.1.mod

Dependency Hierarchy:
- sigs.k8s.io/controller-runtime-v0.8.3 (Root Library)
  - :x: **k8s.io/apiextensions-apiserver-v0.20.1** (Vulnerable Library)

Found in HEAD commit: f72485996d8c18101bbdfdd784accb8cfaded7b2

Found in base branch: master

### Vulnerability Details

A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.

Publish Date: 2021-09-06

URL: CVE-2021-25735

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: High
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1937562

Release Date: 2021-01-22

Fix Resolution: v1.18.18, v1.19.10, v1.20.6, v1.21.0

**CVE-2022-29526**

### Vulnerable Library - golang.org/x/sys-v0.0.0-20201112073958-5cba982894dd

Library home page: https://proxy.golang.org/golang.org/x/sys/@v/v0.0.0-20201112073958-5cba982894dd.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/golang.org/x/sys/@v/v0.0.0-20201112073958-5cba982894dd.mod

Dependency Hierarchy:
- sigs.k8s.io/controller-runtime-v0.8.3 (Root Library)
  - github.com/prometheus/client_golang-v1.7.1
    - github.com/prometheus/procfs-v0.2.0
      - :x: **golang.org/x/sys-v0.0.0-20201112073958-5cba982894dd** (Vulnerable Library)

Found in HEAD commit: f72485996d8c18101bbdfdd784accb8cfaded7b2

Found in base branch: master

### Vulnerability Details

Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.

Publish Date: 2022-06-23

URL: CVE-2022-29526

### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2022-29526

Release Date: 2022-06-23

Fix Resolution: go1.17.10, go1.18.2, go1.19
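
The unbounded-cardinality condition behind CVE-2022-21698, as an added example (editor's code, not code from this repository or from client_golang): a constructed stand-in for a `method`-labelled CounterVec sits behind middleware that takes the raw request method as the label value, the way promhttp did before v1.11.1, and behind the advisory's "custom middleware that sanitizes the method" workaround. `methodCounter`, `allowedMethods`, `instrumentVulnerable`, `instrumentHardened` and `simulate` are names invented here; only the standard library is used, so the example runs offline.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// methodCounter is a constructed stand-in for a prometheus CounterVec that
// carries a `method` label: each distinct label value is one time series.
// It exists only so this example runs without client_golang.
type methodCounter struct {
	mu     sync.Mutex
	series map[string]int
}

func newMethodCounter() *methodCounter {
	return &methodCounter{series: map[string]int{}}
}

func (c *methodCounter) inc(method string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.series[method]++
}

// Cardinality returns the number of distinct `method` label values, i.e. the
// number of series the metric now holds in memory.
func (c *methodCounter) Cardinality() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return len(c.series)
}

// instrumentVulnerable mirrors the pre-1.11.1 promhttp.InstrumentHandler*
// behaviour with a `method` label: the raw r.Method string becomes the label
// value, so every unseen method string allocates a new series.
func instrumentVulnerable(c *methodCounter, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c.inc(r.Method)
		next.ServeHTTP(w, r)
	})
}

// allowedMethods is the allowlist the hardened middleware enforces.
var allowedMethods = map[string]bool{
	http.MethodGet: true, http.MethodHead: true, http.MethodPost: true,
	http.MethodPut: true, http.MethodPatch: true, http.MethodDelete: true,
	http.MethodOptions: true,
}

// instrumentHardened is the advisory's "custom middleware before the promhttp
// handler" workaround: unknown methods are rejected before instrumentation,
// so the label value set is bounded by allowedMethods.
func instrumentHardened(c *methodCounter, next http.Handler) http.Handler {
	instrumented := instrumentVulnerable(c, next)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowedMethods[r.Method] {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		instrumented.ServeHTTP(w, r)
	})
}

// simulate drives a handler with n requests that each use a distinct,
// attacker-chosen method token (Go's HTTP server accepts any RFC 7230 token
// as a method), then one ordinary GET. It returns the label cardinality the
// metric ends up with and how many requests were rejected.
func simulate(harden bool, n int) (cardinality, rejected int) {
	c := newMethodCounter()
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	var h http.Handler = instrumentVulnerable(c, ok)
	if harden {
		h = instrumentHardened(c, ok)
	}
	for i := 0; i < n; i++ {
		req := httptest.NewRequest(fmt.Sprintf("BOGUS%d", i), "/", nil)
		rr := httptest.NewRecorder()
		h.ServeHTTP(rr, req)
		if rr.Code == http.StatusMethodNotAllowed {
			rejected++
		}
	}
	h.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest(http.MethodGet, "/", nil))
	return c.Cardinality(), rejected
}

func main() {
	card, rej := simulate(false, 10000)
	fmt.Printf("vulnerable: %d series, %d rejected\n", card, rej)
	card, rej = simulate(true, 10000)
	fmt.Printf("hardened:   %d series, %d rejected\n", card, rej)
}
```

With the vulnerable wiring every request grows the metric by one series, so `simulate(false, n)` ends at n+1 series; with the allowlist in front the metric never exceeds the seven allowed values and the bogus requests are answered with 405 before any handler work happens. Upgrading to client_golang v1.11.1 is the real fix; this middleware is what buys time while the upgrade is blocked behind controller-runtime, and a reverse proxy or WAF with the same method allowlist achieves the same bound without a code change.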
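
What to do with the "N/A" fix column in the table above, as an added example (editor's code, not this repository's): in Go modules a transitive module's version can be raised directly from the main module's go.mod, so none of the three findings has to wait for a controller-runtime release. The program parses `go list -m all` output (a constructed excerpt is embedded) with a small version comparator that understands pseudo-versions and prints one `go get` command per module that is below its fix. `fixes`, `goListAll`, `parseVersion`, `less`, `audit` and `finding` are invented names; the client_golang fix version is the advisory's, while the x/sys and apiextensions-apiserver fix versions are assumptions stated in the code and should be checked against the Go vulnerability database before use.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Fix version per module. client_golang v1.11.1 is the advisory's own figure.
// The other two are assumptions to verify: the x/sys pseudo-version is the one
// the Go vulnerability database lists for CVE-2022-29526 (GO-2022-0493), and
// v0.20.6 is the k8s.io/apiextensions-apiserver tag tracking Kubernetes v1.20.6.
var fixes = map[string]string{
	"github.com/prometheus/client_golang": "v1.11.1",
	"golang.org/x/sys":                    "v0.0.0-20220412211240-33da011f77ad",
	"k8s.io/apiextensions-apiserver":      "v0.20.6",
}

// goListAll is a constructed excerpt in `go list -m all` format (main module
// first, without a version) with the versions the report above flags.
const goListAll = `example.com/secret-agent
github.com/prometheus/client_golang v1.7.1
golang.org/x/sys v0.0.0-20201112073958-5cba982894dd
k8s.io/apiextensions-apiserver v0.20.1
sigs.k8s.io/controller-runtime v0.8.3
`

// version is vMAJOR.MINOR.PATCH[-PRE][+META] split up. A pseudo-version lands in
// pre, where its leading UTC timestamp makes plain string comparison correct.
type version struct {
	nums [3]int
	pre  string
}

func parseVersion(s string) (v version, ok bool) {
	s, _, _ = strings.Cut(strings.TrimPrefix(s, "v"), "+") // drop +incompatible
	s, v.pre, _ = strings.Cut(s, "-")
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return v, false
		}
		v.nums[i] = n
	}
	return v, true
}

// less reports a < b: numeric on major.minor.patch, then a prerelease sorts
// before the bare release (v1.11.1-rc.0 < v1.11.1), then pre against pre.
func less(a, b version) bool {
	for i := range a.nums {
		if a.nums[i] != b.nums[i] {
			return a.nums[i] < b.nums[i]
		}
	}
	if a.pre == "" || b.pre == "" {
		return a.pre != "" && b.pre == ""
	}
	return a.pre < b.pre
}

type finding struct{ Module, Have, Fixed string }

// Cmd is the go get invocation that raises the module's minimum version in the
// main module's go.mod; minimum version selection honours it even though the
// module is only reached transitively through controller-runtime.
func (f finding) Cmd() string { return "go get " + f.Module + "@" + f.Fixed }

// audit returns each tracked module whose selected version is below its fix.
func audit(listing string) ([]finding, error) {
	var out []finding
	for _, line := range strings.Split(strings.TrimSpace(listing), "\n") {
		f := strings.Fields(line)
		if len(f) < 2 { // the main module line has no version
			continue
		}
		fixed, tracked := fixes[f[0]]
		if !tracked {
			continue
		}
		have, ok := parseVersion(f[1])
		if !ok {
			return nil, fmt.Errorf("%s: malformed version %q", f[0], f[1])
		}
		if want, _ := parseVersion(fixed); less(have, want) {
			out = append(out, finding{f[0], f[1], fixed})
		}
	}
	return out, nil
}

func main() {
	fs, err := audit(goListAll)
	if err != nil {
		panic(err)
	}
	for _, f := range fs {
		fmt.Println(f.Cmd())
	}
}
```

Two caveats the scanner's view leaves out. CVE-2022-29526 has a toolchain half (the `syscall` package, fixed in go1.17.10 and go1.18.2) that only a Go upgrade addresses, and a `golang.org/x/sys` half that the module bump addresses; the "Fix Resolution" line above names only the former, and bumping client_golang alone will not necessarily pull an x/sys new enough. CVE-2021-25735 lives in kube-apiserver's node admission path: a controller that imports `k8s.io/apiextensions-apiserver` for CRD types does not execute that code, so the real exposure is the cluster's control-plane version, and raising the module only satisfies the scanner. After the `go get` commands, run `go mod tidy` and `go build ./...` to confirm the raised versions still compile against controller-runtime v0.8.3.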

mend-for-github-com[bot] commented 6 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] commented 4 months ago

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

mend-for-github-com[bot] commented 3 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.