grafana / helm-charts

Apache License 2.0

3 critical vulns in k8s-sidecar:1.27.4 #3340

Closed trenslow closed 1 month ago

trenslow commented 1 month ago

Hi community,

My vulnerability scanners are reporting 3 critical vulnerabilities in the k8s-sidecar:1.27.4 image of the Grafana Helm chart:

trivy image quay.io/kiwigrid/k8s-sidecar:1.27.4 --severity HIGH,CRITICAL
2024-10-04T10:33:47+02:00   INFO    [vuln] Vulnerability scanning is enabled
2024-10-04T10:33:47+02:00   INFO    [secret] Secret scanning is enabled
2024-10-04T10:33:47+02:00   INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-04T10:33:47+02:00   INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-04T10:33:49+02:00   INFO    Detected OS family="alpine" version="3.20.0"
2024-10-04T10:33:49+02:00   INFO    [alpine] Detecting vulnerabilities...   os_version="3.20" repository="3.20" pkg_num=37
2024-10-04T10:33:49+02:00   INFO    Number of language-specific files   num=1
2024-10-04T10:33:49+02:00   INFO    [python-pkg] Detecting vulnerabilities...
2024-10-04T10:33:49+02:00   WARN    Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.56/docs/scanner/vulnerability#severity-selection for details.

quay.io/kiwigrid/k8s-sidecar:1.27.4 (alpine 3.20.0)

Total: 3 (HIGH: 0, CRITICAL: 3)

┌──────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library  │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├──────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libexpat │ CVE-2024-45490 │ CRITICAL │ fixed  │ 2.6.2-r0          │ 2.6.3-r0      │ libexpat: Negative Length Parsing Vulnerability in libexpat │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45490                  │
│          ├────────────────┤          │        │                   │               ├─────────────────────────────────────────────────────────────┤
│          │ CVE-2024-45491 │          │        │                   │               │ libexpat: Integer Overflow or Wraparound                    │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45491                  │
│          ├────────────────┤          │        │                   │               ├─────────────────────────────────────────────────────────────┤
│          │ CVE-2024-45492 │          │        │                   │               │ libexpat: integer overflow                                  │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45492                  │
└──────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

k8s-sidecar was updated last week to 1.28.0 and doesn't have the above vulnerabilities.

Could we look into updating to this image's newer version in the Grafana Helm chart?

Thanks for your consideration
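The scan above is the manual form of a check most teams want automated: fail a pipeline when an image carries HIGH/CRITICAL findings that a newer package or image would clear, and say which package and version clears them. The following is an added example, not code from the issue author or from the grafana/helm-charts project. It gates on Trivy's JSON output (`trivy image --format json IMAGE`); the field names it reads (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`) are Trivy's JSON layout as I know it, and the two embedded reports are constructed to mirror the table in this issue, not captured scanner output.

```python
"""Gate a Trivy JSON report (trivy image --format json IMAGE) on fixable findings.

Added example for this issue; it is not code from the issue author or from the
grafana/helm-charts project. The report layout used here (Results[] ->
Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion, FixedVersion,
Severity, Status) follows Trivy's JSON output, and the two embedded reports are
CONSTRUCTED to mirror the table in the issue, not captured scanner output.
"""
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def _expat(cve, title):
    # Helper for the constructed sample: the three libexpat findings from the issue.
    return {"VulnerabilityID": cve, "PkgName": "libexpat",
            "InstalledVersion": "2.6.2-r0", "FixedVersion": "2.6.3-r0",
            "Status": "fixed", "Severity": "CRITICAL", "Title": title}


# Constructed report mirroring the issue's trivy output for k8s-sidecar:1.27.4.
REPORT_1_27_4 = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "quay.io/kiwigrid/k8s-sidecar:1.27.4",
    "Results": [
        {"Target": "quay.io/kiwigrid/k8s-sidecar:1.27.4 (alpine 3.20.0)",
         "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             _expat("CVE-2024-45490", "libexpat: Negative Length Parsing Vulnerability in libexpat"),
             _expat("CVE-2024-45491", "libexpat: Integer Overflow or Wraparound"),
             _expat("CVE-2024-45492", "libexpat: integer overflow"),
         ]},
        # Trivy omits "Vulnerabilities" for a clean target; keep that shape here.
        {"Target": "Python", "Class": "lang-pkgs", "Type": "python-pkg"},
    ],
})

# Constructed report for the bumped image, clean as the issue reports it.
REPORT_1_28_0 = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "quay.io/kiwigrid/k8s-sidecar:1.28.0",
    "Results": [
        {"Target": "quay.io/kiwigrid/k8s-sidecar:1.28.0 (alpine)",
         "Class": "os-pkgs", "Type": "alpine"},
    ],
})


def findings(report_json, min_severity="HIGH", ignore_unfixed=True):
    """Return findings at or above min_severity as dicts.

    ignore_unfixed mirrors trivy's --ignore-unfixed: a CVE with no FixedVersion
    cannot be cleared by bumping the image, so it should not block a build by
    itself (track it separately instead).
    """
    threshold = SEVERITY_RANK[min_severity.upper()]
    out = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            fixed = v.get("FixedVersion", "")
            if ignore_unfixed and not fixed:
                continue
            out.append({"target": result.get("Target", ""), "pkg": v["PkgName"],
                        "id": v["VulnerabilityID"], "severity": v["Severity"],
                        "installed": v.get("InstalledVersion", ""), "fixed": fixed})
    return out


def upgrade_plan(found):
    """Group findings by package: which CVEs, and which fixed version(s) clear them."""
    plan = {}
    for f in found:
        entry = plan.setdefault(f["pkg"], {"installed": f["installed"],
                                           "fixed": set(), "ids": []})
        if f["fixed"]:
            entry["fixed"].add(f["fixed"])
        entry["ids"].append(f["id"])
    return plan


def gate(report_json, min_severity="HIGH"):
    """Return (ok, lines). ok is False when any fixable finding remains."""
    found = findings(report_json, min_severity, ignore_unfixed=True)
    lines = []
    for pkg, e in sorted(upgrade_plan(found).items()):
        lines.append("%s %s -> %s: %s" % (pkg, e["installed"],
                     ",".join(sorted(e["fixed"])) or "no fix", " ".join(sorted(e["ids"]))))
    return (not found), lines


if __name__ == "__main__":
    # Usage: python gate.py report.json ...   (defaults to the constructed samples)
    reports = [open(p).read() for p in sys.argv[1:]] or [REPORT_1_27_4, REPORT_1_28_0]
    worst = 0
    for r in reports:
        ok, lines = gate(r)
        print("%s: %s" % (json.loads(r)["ArtifactName"], "PASS" if ok else "FAIL"))
        for line in lines:
            print("  " + line)
        worst = max(worst, 0 if ok else 1)
    sys.exit(worst)
```

Run it against the two constructed reports and the 1.27.4 one fails with `libexpat 2.6.2-r0 -> 2.6.3-r0: CVE-2024-45490 CVE-2024-45491 CVE-2024-45492`, while 1.28.0 passes. The fixable/unfixed split matters for a sidecar like this one: a finding with no fixed version in Alpine cannot be cleared by a tag bump, so blocking on it only stalls the chart update that clears the fixable ones. Until the chart pins the newer tag, the image can be overridden per release with `--set sidecar.image.tag=1.28.0` (assuming the grafana chart's `sidecar.image.tag` value, which is what its values.yaml exposes for this image as far as I know) and the same gate rerun on the deployed image.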