brancz / kube-rbac-proxy

Kubernetes RBAC authorizing HTTP proxy for a single upstream.
Apache License 2.0

Possible gRPC logging vulnerability GHSA-xr7q-jx4m-x55m #302

Closed rkennedy closed 1 week ago

rkennedy commented 1 month ago

GitHub advisory GHSA-xr7q-jx4m-x55m reports an issue with version 1.64.0 of github.com/grpc/grpc-go, a.k.a. google.golang.org/grpc. That's precisely the version kube-rbac-proxy uses. It's resolved in versions 1.64.1 and 1.65.0.

The issue occurs if a context gets logged that contains gRPC metadata with tokens in it. Do the requests that kube-rbac-proxy handles include tokens? (I could imagine they would.) And does kube-rbac-proxy log gRPC metadata?

If kube-rbac-proxy isn't susceptible to this issue, then that's great, but I hope the grpc library could still get updated. In my case, it's Trivy that finds matching library versions and concludes that there must be a vulnerability.
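The check a maintainer would want to run before deciding whether to bump the dependency is simply whether the module pins the version the advisory names. The following is an added example, not code from kube-rbac-proxy or from grpc-go: it parses a constructed go.mod fragment (not the project's real one), extracts the pinned google.golang.org/grpc version, and flags it using only what this issue states, namely that 1.64.0 is affected and 1.64.1 and 1.65.0 carry the fix. Function names and the sample go.mod are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed go.mod fragment for the example; it is not
// kube-rbac-proxy's actual go.mod.
const sampleGoMod = `module example.com/constructed

go 1.22

require (
	github.com/spf13/pflag v1.0.5
	google.golang.org/grpc v1.64.0 // indirect
)
`

// GrpcGoVersion returns the google.golang.org/grpc version pinned in go.mod
// text, handling both the block form and a single-line "require" directive.
func GrpcGoVersion(gomod string) (string, bool) {
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		// Drop trailing comments such as "// indirect".
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		fields := strings.Fields(line)
		if len(fields) > 0 && fields[0] == "require" {
			fields = fields[1:]
		}
		if len(fields) >= 2 && fields[0] == "google.golang.org/grpc" {
			return fields[1], true
		}
	}
	return "", false
}

// parseVersion turns "v1.64.0" into [1, 64, 0]. Pre-release suffixes and
// pseudo-versions do not parse and are reported as an error.
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	parts := strings.Split(strings.TrimPrefix(v, "v"), ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("unexpected version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, err
		}
		out[i] = n
	}
	return out, nil
}

// Affected reports whether a pinned version matches the advisory as
// described in this issue: 1.64.0 is affected, 1.64.1 and 1.65.0 are fixed.
// A version that does not parse is treated as affected so the check fails
// closed and a human has to look at it.
func Affected(v string) bool {
	ver, err := parseVersion(v)
	if err != nil {
		return true
	}
	return ver == [3]int{1, 64, 0}
}

func main() {
	v, ok := GrpcGoVersion(sampleGoMod)
	if !ok {
		fmt.Println("google.golang.org/grpc is not a dependency")
		return
	}
	fmt.Printf("google.golang.org/grpc %s affected per GHSA-xr7q-jx4m-x55m: %v\n", v, Affected(v))
}
```

Running it against the constructed go.mod above reports v1.64.0 as affected; pointing it at a real go.mod after the dependency bump should report the new version as not affected. The fail-closed handling of unparsable versions is deliberate: a scanner like Trivy would also flag a pseudo-version it cannot place, and that is the safer default.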

rkennedy commented 1 month ago

Turns out there's already a PR for the fix: https://github.com/brancz/kube-rbac-proxy/pull/301