search

int128 / kubelogin

kubectl plugin for Kubernetes OpenID Connect authentication (kubectl oidc-login)
Apache License 2.0
1.7k stars 193 forks source link

CVE-2023-39325 in 1.28.0 release #1062

Closed pjonsson closed 4 months ago

pjonsson commented 7 months ago

Describe the issue

Security scanners such as Trivy will flag the 1.28.0 release binary with CVE-2023-39325.

The main branch seems to use updated libraries, so making a release should fix this issue.

To reproduce

Run Trivy on any Docker image that contains the release binary:

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2023-39325 │ HIGH     │ fixed  │ v0.11.0           │ 0.17.0        │ golang: net/http, x/net/http2: rapid stream resets can cause │
│                  │                │          │        │                   │               │ excessive work (CVE-2023-44487)                              │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

Your environment

int128 commented 4 months ago

The new release v1.28.1 should fix this.