brancz / kube-rbac-proxy

Kubernetes RBAC authorizing HTTP proxy for a single upstream.
Apache License 2.0
589 stars, 189 forks

CVE high security vulnerability found in image: quay.io/brancz/kube-rbac-proxy:v0.18.1 #313

Open vasireddy99 opened 4 weeks ago

vasireddy99 commented 4 weeks ago

Team,

The kube-rbac-proxy image is vulnerable to CVE-2024-34156. In the kube-rbac-proxy workflow, the image is built using Go 1.23. It seems bumping the Go version to 1.23.1 will mitigate the issue.

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬───────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                           Title                           │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-34156 │ HIGH     │ fixed  │ 1.23.0            │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │
│         │                │          │        │                   │                │ which contains deeply nested structures...                │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴───────────────────────────────────────────────────────────┘

Use Go version ~1.23.1

ibihim commented 2 weeks ago

Hi @vasireddy99,

This is not true. We have a dependency that has that vulnerability, but we don't use the encoding/gob package, so we are NOT vulnerable.

I will take this as an opportunity to bump the deps soon, before people become upset that their vuln scanners report this.

vasireddy99 commented 2 weeks ago

> Hi @vasireddy99,
>
> This is not true. We have a dependency that has that vulnerability, but we don't use the encoding/gob package, so we are NOT vulnerable.
>
> I will take this as an opportunity to bump the deps soon, before people become upset that their vuln scanners report this.

Yes, I used govulncheck and it didn't show any vuln as affected. It's just the scanners that report it. I agree.
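The two positions in this thread come from two different kinds of check: the image scanner matches the toolchain version embedded in the binary against the fixed versions in its advisory table (1.22.7 / 1.23.1), while govulncheck only reports a stdlib vulnerability when the affected package is actually reachable from the program. The following is an added triage helper illustrating that distinction; it is not code from kube-rbac-proxy or from either commenter. It assumes you feed it the toolchain version as printed by `go version -m <binary>` and the symbol listing as printed by `go tool nm <binary>`; the `sampleNM` listing below is constructed for the example and is not a real dump of the proxy binary.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// fixedVersions maps a Go minor line to the first patch release carrying
// the encoding/gob fix, taken from the "Fixed Version" column in the
// scanner table above (1.22.7 and 1.23.1).
var fixedVersions = map[int]int{22: 7, 23: 1}

// parseGoVersion turns a string such as "go1.23.0" (the form printed by
// `go version -m`) into (minor, patch). A bare "go1.23" counts as patch 0.
func parseGoVersion(v string) (minor, patch int, err error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "go")
	parts := strings.Split(v, ".")
	if len(parts) < 2 || parts[0] != "1" {
		return 0, 0, fmt.Errorf("unsupported Go version string %q", v)
	}
	if minor, err = strconv.Atoi(parts[1]); err != nil {
		return 0, 0, err
	}
	if len(parts) >= 3 {
		if patch, err = strconv.Atoi(parts[2]); err != nil {
			return 0, 0, err
		}
	}
	return minor, patch, nil
}

// VersionMatched reports whether a purely version-based scanner (like the
// one quoted in the issue) would flag this toolchain for CVE-2024-34156.
func VersionMatched(goVersion string) (bool, error) {
	minor, patch, err := parseGoVersion(goVersion)
	if err != nil {
		return false, err
	}
	fixedPatch, tracked := fixedVersions[minor]
	if !tracked {
		// Lines older than 1.22 never received the backport; lines newer
		// than 1.23 were released with the fix already in place.
		return minor < 22, nil
	}
	return patch < fixedPatch, nil
}

// LinksGob reports whether any encoding/gob symbol was linked into the
// binary, judged from `go tool nm` output (address, type, name per line).
// No such symbol means the vulnerable decoder is not even present, which
// is the basis for the maintainer's "not vulnerable" answer.
func LinksGob(nmOutput string) bool {
	for _, line := range strings.Split(nmOutput, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		if strings.HasPrefix(fields[len(fields)-1], "encoding/gob.") {
			return true
		}
	}
	return false
}

// Triage combines both views: the version match is what the image scanner
// reports, the linked-symbol check is what decides whether it matters.
func Triage(goVersion, nmOutput string) (string, error) {
	matched, err := VersionMatched(goVersion)
	if err != nil {
		return "", err
	}
	switch {
	case !matched:
		return "not flagged: toolchain already carries the fix", nil
	case LinksGob(nmOutput):
		return "flagged and encoding/gob is linked: rebuild with a fixed toolchain", nil
	default:
		return "flagged by version only: encoding/gob not linked, scanner noise until the next bump", nil
	}
}

// Constructed sample in the shape of `go tool nm` output, deliberately
// without any encoding/gob symbol (hypothetical, not a dump of the real binary).
const sampleNM = ` 4a3c20 T crypto/tls.(*Conn).Handshake
 4b1100 T net/http.(*Server).Serve
 4c0880 T main.main`

func main() {
	for _, v := range []string{"go1.23.0", "go1.23.1", "go1.22.7", "go1.22.6"} {
		out, err := Triage(v, sampleNM)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-9s %s\n", v, out)
	}
}
```

Run it against a real artifact by capturing `go version -m ./kube-rbac-proxy | head -1` and `go tool nm ./kube-rbac-proxy` and passing both strings to `Triage`; `govulncheck -mode=binary ./kube-rbac-proxy` gives the same reachability answer with call-graph precision, and the symbol check here is only a cheap way to see why the two tools disagree.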