golang / vulndb

[mirror] The Go Vulnerability Database

x/vulndb: potential Go vuln in sigs.k8s.io/aws-load-balancer-controller: GHSA-rjfv-pjvx-mjgv #3212

Closed GoVulnBot closed 1 month ago

GoVulnBot commented 1 month ago

Advisory GHSA-rjfv-pjvx-mjgv references a vulnerability in the following Go modules:

Module
sigs.k8s.io/aws-load-balancer-controller

Description:

Summary 

The AWS Load Balancer Controller includes an optional, default-enabled feature that manages WAF WebACLs on Application Load Balancers (ALBs) on your behalf. In versions 2.8.1 and earlier, if the WebACL annotation [1] alb.ingress.kubernetes.io/wafv2-acl-arn or alb.ingress.kubernetes.io/waf-acl-id was absent on Ingresses, the controller would automatically disassociate any existing WebACL from the ALBs, including those associated by AWS Firewall Manager (FMS). Customers on impacted ve...

References:

No existing reports found with this module or alias. See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: sigs.k8s.io/aws-load-balancer-controller
      non_go_versions:
        - introduced: 2.0.0
        - fixed: 2.8.2
      vulnerable_at: 1.1.9
summary: |-
    AWS Load Balancer Controller automatically detaches externally associated web
    ACL from Application Load Balancers in sigs.k8s.io/aws-load-balancer-controller
ghsas:
    - GHSA-rjfv-pjvx-mjgv
references:
    - advisory: https://github.com/advisories/GHSA-rjfv-pjvx-mjgv
    - advisory: https://github.com/kubernetes-sigs/aws-load-balancer-controller/security/advisories/GHSA-rjfv-pjvx-mjgv
    - web: https://aws.amazon.com/security/vulnerability-reporting
    - web: https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/tag/v2.8.2%C2%A0
    - web: https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/deploy/configurations/#waf-addons
    - web: https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/ingress/annotations/#addons
source:
    id: GHSA-rjfv-pjvx-mjgv
    created: 2024-10-24T20:01:22.148788687Z
review_status: UNREVIEWED

gopherbot commented 1 month ago

Change https://go.dev/cl/622835 mentions this issue: data/reports: add 16 unreviewed reports