databus23 / helm-diff

A helm plugin that shows a diff explaining what a helm upgrade would change
Apache License 2.0
2.71k stars 280 forks

CVE-2024-34156 HIGH stdlib Library #673

Closed stamak closed 4 days ago

stamak commented 1 week ago

Plugin: helm plugin install https://github.com/databus23/helm-diff --version v3.9.11
Reported by Trivy scanning tool

root/.local/share/helm/plugins/helm-diff/bin/diff (gobinary)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-34156 │ HIGH     │ fixed  │ 1.22.4            │ 1.22.7, 1.23.1  │ encoding/gob: golang: Calling Decoder.Decode on a message   │
│         │                │          │        │                   │                 │ which contains deeply nested structures...                  │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-34156                  │
│         ├────────────────┼──────────┤        │                   ├─────────────────┼─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24791 │ MEDIUM   │        │                   │ 1.21.12, 1.22.5 │ net/http: Denial of service due to improper 100-continue    │
│         │                │          │        │                   │                 │ handling in net/http                                        │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24791                  │
│         ├────────────────┤          │        │                   ├─────────────────┼─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-34155 │          │        │                   │ 1.22.7, 1.23.1  │ go/parser: golang: Calling any of the Parse functions       │
│         │                │          │        │                   │                 │ containing deeply nested literals...                        │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-34155                  │
│         ├────────────────┤          │        │                   │                 ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-34158 │          │        │                   │                 │ go/build/constraint: golang: Calling Parse on a "// +build" │
│         │                │          │        │                   │                 │ build tag line with...                                      │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-34158                  │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴─────────────────────────────────────────────────────────────┘
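Added example, not part of this issue and not helm-diff's own code: a small Go program that reads the toolchain version embedded in a Go binary with the standard library's debug/buildinfo package (the same data `go version -m` prints) and checks it against the fixed versions from the Trivy table above. This is the check to run on the plugin binary before and after a plugin upgrade, independent of the scanner. The binary path on the command line, the program name, and the comparison rule (a minor line newer than every fixed line already carries the fix; a line older than all of them never received it) are assumptions of the example; the CVE IDs and fixed versions are copied from the table.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"sort"
	"strconv"
	"strings"
)

// GoVersion is a parsed "goX.Y.Z" toolchain version.
type GoVersion struct{ Major, Minor, Patch int }

// ParseGoVersion parses "go1.22.4", "1.22.7" or "go1.23rc1"
// (pre-release suffix dropped, missing patch taken as 0).
func ParseGoVersion(s string) (GoVersion, error) {
	orig := s
	s = strings.TrimPrefix(strings.TrimSpace(s), "go")
	for i, r := range s { // cut a suffix such as "rc1" or "beta2"
		if (r < '0' || r > '9') && r != '.' {
			s = s[:i]
			break
		}
	}
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return GoVersion{}, fmt.Errorf("malformed go version %q", orig)
	}
	nums := make([]int, 3)
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return GoVersion{}, fmt.Errorf("malformed go version %q: %w", orig, err)
		}
		nums[i] = n
	}
	return GoVersion{nums[0], nums[1], nums[2]}, nil
}

// Vulnerable reports whether installed predates the fix, given the fixed
// versions from the advisory (one per supported minor line). Assumed rule:
// same minor line -> compare patch; a newer minor line than every fixed
// line already carries the fix; an older line than all of them does not.
func Vulnerable(installed GoVersion, fixed []GoVersion) bool {
	newestFixedMinor := -1
	for _, f := range fixed {
		if f.Major == installed.Major && f.Minor == installed.Minor {
			return installed.Patch < f.Patch
		}
		if f.Major == installed.Major && f.Minor > newestFixedMinor {
			newestFixedMinor = f.Minor
		}
	}
	return installed.Minor < newestFixedMinor
}

// Advisories holds the four findings from the Trivy table: CVE -> fixed
// versions, exactly as Trivy printed them.
var Advisories = map[string]string{
	"CVE-2024-34156": "1.22.7, 1.23.1",
	"CVE-2024-24791": "1.21.12, 1.22.5",
	"CVE-2024-34155": "1.22.7, 1.23.1",
	"CVE-2024-34158": "1.22.7, 1.23.1",
}

// Assess returns the CVE IDs (sorted) that still apply to a binary built
// with the given toolchain version string.
func Assess(goVersion string) ([]string, error) {
	installed, err := ParseGoVersion(goVersion)
	if err != nil {
		return nil, err
	}
	var open []string
	for cve, fixedList := range Advisories {
		var fixed []GoVersion
		for _, f := range strings.Split(fixedList, ",") {
			v, err := ParseGoVersion(f)
			if err != nil {
				return nil, fmt.Errorf("%s: %w", cve, err)
			}
			fixed = append(fixed, v)
		}
		if Vulnerable(installed, fixed) {
			open = append(open, cve)
		}
	}
	sort.Strings(open)
	return open, nil
}

// ScanBinary reads the toolchain version embedded in a Go binary and
// assesses it against Advisories.
func ScanBinary(path string) (string, []string, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", nil, err
	}
	open, err := Assess(info.GoVersion)
	return info.GoVersion, open, err
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: gocheck <path-to-go-binary>")
		os.Exit(2)
	}
	ver, open, err := ScanBinary(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	fmt.Printf("%s: built with %s\n", os.Args[1], ver)
	if len(open) == 0 {
		fmt.Println("no open findings from the advisory table")
		return
	}
	for _, cve := range open {
		fmt.Printf("  %s (fixed in %s)\n", cve, Advisories[cve])
	}
	os.Exit(1) // non-zero so a CI step fails on an unpatched toolchain
}
```

Usage: `go run gocheck.go <path to the plugin's bin/diff>` (hypothetical file name); the exit code is 1 when any of the four findings still applies, so the same check can gate a plugin upgrade in CI. Note that a rebuilt binary is only clean if it was built with a toolchain at or above the fixed version for its minor line, which is what the embedded build info reveals regardless of what the plugin's own version number says.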
yxxhero commented 4 days ago

@stamak thanks.