cloudnativer / kube-install

One-click installation of k8s (kubernetes): binary offline deployment, supporting scheduled installation, adding and destroying nodes, destroying and repairing the master, one-click uninstallation of the cluster, and more. Install k8s (kubernetes): one click offline installation of highly available multiple kubernetes cluster, supports schedule installation, addition of nodes, rebuild of kubernetes master, and uninstallation of clusters.
Apache License 2.0
419 stars, 117 forks

There are security vulnerabilities such as a DoS attack on a low version of the `go-yaml` package. #30

Closed. ghost closed this 2 years ago

ghost commented 2 years ago

Detected that cloudnativer/kube-install introduces a total of 231 open-source components, containing 3 vulnerabilities.

Vulnerability title: go-yaml < 2.2.8 denial of service vulnerability
Vulnerable component: gopkg.in/yaml.v2@v2.2.2
Vulnerability ID: CVE-2019-11254
Vulnerability description: gopkg.in/yaml.v2 is a package for handling the YAML format in the Go language.
In versions before 2.2.8, processing malicious YAML data leads to CPU resource exhaustion.
The vulnerability was discovered by Kubernetes developers during fuzz testing, and they submitted the fix patch.
National vulnerability database entry: https://www.cnvd.org.cn/flaw/show/CNVD-2020-35519
Affected range: (∞, 2.2.8)
Minimum fixed version: 2.2.8
Vulnerable component introduction paths:
kube-install@->github.com/gin-gonic/gin@v1.7.7->github.com/stretchr/testify@v1.4.0->gopkg.in/yaml.v2@v2.2.2
kube-install@->github.com/leodido/go-urn@v1.2.0->github.com/stretchr/testify@v1.4.0->gopkg.in/yaml.v2@v2.2.2
kube-install@->k8s.io/kube-openapi@v0.0.0-20211115234752-e816edb12b65->github.com/go-openapi/swag@v0.19.5->gopkg.in/yaml.v2@v2.2.2
kube-install@->k8s.io/kube-openapi@v0.0.0-20211115234752-e816edb12b65->github.com/stretchr/testify@v1.5.1->gopkg.in/yaml.v2@v2.2.2

In addition, there are 3 more vulnerabilities; detailed report: https://mofeisec.com/jr?p=aea335
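As an added example (not code from this issue or from the kube-install project): a small Go program that reads `go mod graph` output and lists every dependency chain from the root module to a gopkg.in/yaml.v2 version below the 2.2.8 fix, the same kind of introduction path the report above lists. The graph text is a constructed sample built from two of those paths; the root name `kube-install` and the fixed version `v2.2.8` are taken from the report.

```go
package main

import (
	"strconv"
	"strings"
)
// Constructed sample of `go mod graph` output ("parent child" per line) mirroring two paths from the report.
const sampleGraph = `kube-install github.com/gin-gonic/gin@v1.7.7
kube-install k8s.io/kube-openapi@v0.0.0-20211115234752-e816edb12b65
github.com/gin-gonic/gin@v1.7.7 github.com/stretchr/testify@v1.4.0
github.com/stretchr/testify@v1.4.0 gopkg.in/yaml.v2@v2.2.2
k8s.io/kube-openapi@v0.0.0-20211115234752-e816edb12b65 github.com/go-openapi/swag@v0.19.5
github.com/go-openapi/swag@v0.19.5 gopkg.in/yaml.v2@v2.2.2`
// versionLess compares the numeric vX.Y.Z prefix; a pseudo-version's "-time-hash" suffix is ignored.
func versionLess(a, b string) bool {
	num := func(v string) (n [3]int) {
		for i, p := range strings.SplitN(strings.SplitN(strings.TrimPrefix(v, "v"), "-", 2)[0], ".", 3) {
			n[i], _ = strconv.Atoi(p)
		}
		return
	}
	x, y := num(a), num(b)
	return x[0] < y[0] || x[0] == y[0] && (x[1] < y[1] || x[1] == y[1] && x[2] < y[2])
}
// vulnerablePaths parses `go mod graph` output and returns every dependency chain
// from root to mod@version with version < fixed, one "a -> b -> c" string per chain.
func vulnerablePaths(graphOut, root, mod, fixed string) (found []string) {
	g := map[string][]string{} // adjacency list keyed by "module@version"
	for _, line := range strings.Split(graphOut, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			g[f[0]] = append(g[f[0]], f[1])
		}
	}
	var walk func(node string, path []string)
	walk = func(node string, path []string) {
		if strings.Contains(" "+strings.Join(path, " ")+" ", " "+node+" ") {
			return // already on this path: the module graph can contain cycles
		}
		path = append(append([]string(nil), path...), node) // copy: siblings share a prefix
		if at := strings.LastIndex(node, "@"); at > 0 && node[:at] == mod && versionLess(node[at+1:], fixed) {
			found = append(found, strings.Join(path, " -> "))
		}
		for _, child := range g[node] {
			walk(child, path)
		}
	}
	walk(root, nil)
	return found
}
```

`go mod graph` prints every requirement edge, not the version the build finally selects, so a reported chain means the old version is still required somewhere, while `go list -m gopkg.in/yaml.v2` shows which version the build actually uses.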

cloudnativer commented 2 years ago

Thank you for your security vulnerability tips. We will fix the related vulnerabilities in the next version.