IBM / cloud-pak-deployer

Configuration-based installation of OpenShift and Cloud Pak for Data/Integration/Watson AIOps on various private and public cloud infrastructure providers. Deployment attempts to achieve the end-state defined in the configuration. If something fails along the way, you only need to restart the process to continue the deployment.
https://ibm.github.io/cloud-pak-deployer/
Apache License 2.0

Cloud-pak-deployer git repo contains a requirements file that lists a version of the python package GitPython (3.1.27) which contains a critical vulnerability. #759

Closed praneetg24 closed 2 months ago

praneetg24 commented 2 months ago

I received the below message from my client

We have discovered that the cloud-pak-deployer git repo contains a requirements file that lists a version of the python package GitPython (3.1.27) which contains a critical vulnerability.

They provided these links:

  1. https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_IBM_cloud-2Dpak-2Ddeployer_blob_main_docs_requirements.txt&d=DwMFAg&c=BSDicqBQBDjDI9RkVyTcHQ&r=h96zO5n3cswK0i6SR43v8POLZtfvyHj1dububifBQ2A&m=lUhjJycmPDSD2SPUVblvs1PYnFXQ1VQTxpqvxqFZYXieSAPzKnzRal2xiix1W_Oc&s=aV-pKCCJYbzYZmJNIQH-q3sLlJVc-HxfKGr5ZOpw0WU&e=
  2. https://urldefense.proofpoint.com/v2/url?u=https-3A__nvd.nist.gov_vuln_detail_CVE-2D2023-2D40267&d=DwMFAg&c=BSDicqBQBDjDI9RkVyTcHQ&r=h96zO5n3cswK0i6SR43v8POLZtfvyHj1dububifBQ2A&m=lUhjJycmPDSD2SPUVblvs1PYnFXQ1VQTxpqvxqFZYXieSAPzKnzRal2xiix1W_Oc&s=ahIQCAz6AH16xm8PH5J2jgg-p9cVBUzAOjYSC04a_hU&e=

The company does not allow this team to open issues or make pull requests on public repositories. This team would like to update this package to mitigate this issue. Is there someone they could contact associated with the repository and do the following?

  1. Inform them of the vulnerability and make a small update to reference a newer version of GitPython (3.1.43 is current)
  2. Ask if and where the package is used

The client also mentioned below:

If someone could provide some instructions on how to manually reach the OS where this requirement is installed, the client can issue a `pip install --upgrade GitPython`, which would pull the current version. This would allow them to be non-invasive and avoid tearing down and rebuilding the solution.

Any help is appreciated, thanks in advance
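The report above boils down to a pinned dependency in a requirements file sitting below a known-good version. The following is an added Python example (not code from the cloud-pak-deployer project or from anyone in this thread) of the kind of check a reviewer can run over a requirements.txt before upgrading: it parses `==` pins and flags any that fall below a minimum. The sample requirements content is constructed for the example; the only values taken from the issue are the package name GitPython, the pinned 3.1.27 and the 3.1.43 the reporter cites as current, which is used here as the assumed minimum.

```python
"""Flag pinned versions in a requirements.txt that sit below a minimum.

Added example, not code from the cloud-pak-deployer project. The sample
requirements text is constructed; the minimum version table is an
assumption for the example (3.1.43 is the version the reporter calls current).
"""
import re
from typing import Dict, List, Tuple

# Minimum acceptable version per package, keyed by normalised name.
# Assumption for the example: require at least the version cited as current.
MIN_VERSIONS: Dict[str, str] = {"gitpython": "3.1.43"}

# Constructed sample requirements file content (not the project's file).
SAMPLE_REQUIREMENTS = """\
# docs build requirements (constructed sample)
mkdocs>=1.4
GitPython==3.1.27
pyyaml == 6.0.1  # whitespace around the operator is allowed by pip
requests   # unpinned, so a fresh install would fetch the latest
"""

# Only exact pins (==) fix a version; >= and ~= still allow newer releases.
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==)\s*([0-9][0-9.]*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.1.27' into (3, 1, 27) so that tuples compare numerically."""
    return tuple(int(part) for part in text.strip(".").split("."))


def normalise_name(name: str) -> str:
    """Package names are case-insensitive; treat '_' and '-' alike."""
    return name.lower().replace("_", "-")


def parse_requirements(content: str) -> List[Tuple[str, str, str]]:
    """Return (name, operator, version) for each exact-pinned line.

    Comment-only and blank lines are skipped, as are lines without an == pin.
    """
    pins = []
    for raw in content.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        match = _PIN_RE.match(line)
        if match:
            pins.append((match.group(1), match.group(2), match.group(3)))
    return pins


def find_outdated_pins(content: str,
                       minimums: Dict[str, str] = MIN_VERSIONS) -> List[str]:
    """Return one finding string per pin that is below its minimum version."""
    findings = []
    for name, op, version in parse_requirements(content):
        key = normalise_name(name)
        if key not in minimums:
            continue
        if parse_version(version) < parse_version(minimums[key]):
            findings.append(f"{name}{op}{version} is below minimum {minimums[key]}")
    return findings


if __name__ == "__main__":
    for finding in find_outdated_pins(SAMPLE_REQUIREMENTS):
        print(finding)
```

Run against the constructed sample, the check reports only the GitPython pin; the `>=` and unpinned lines are left alone because they do not hold an install at an old release. To check a real file, read its contents and pass them to `find_outdated_pins`.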

fketelaars commented 2 months ago

The package is only used in the Git Pages documentation of Cloud Pak Deployer and would not affect the customer, unless they build the deployer documentation locally.

Fixed the vulnerability anyway.