kedacore / http-add-on

Add-on for KEDA to scale HTTP workloads
https://kedacore.github.io/http-add-on/
Apache License 2.0

Critical Vulnerability - CVE-2024-24790 #1123

Closed willemvs closed 1 week ago

willemvs commented 2 months ago

Good day,

I have been on a journey to utilize the KEDA HTTP Add-on for a PoC, and through the adoption process I scanned the container images for potential vulnerabilities. The scanning tool used is Prisma, and it has indicated that there is in fact a critical vulnerability in most of the images utilized in kedacore/http-add-on.

It might also be worth considering updating gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0 to v0.14.1 or higher, as there are also vulnerabilities that have been addressed there.

The images that were scanned on Prisma were the following:

+----------------+----------+------+-----------+---------+--------------------------+-------------+------------+------------+----------------------------------------------------+-------------------+
| CVE            | SEVERITY | CVSS | PACKAGE   | VERSION | STATUS                   | PUBLISHED   | DISCOVERED | GRACE DAYS | DESCRIPTION                                        | TRIGGERED FAILURE |
+----------------+----------+------+-----------+---------+--------------------------+-------------+------------+------------+----------------------------------------------------+-------------------+
| CVE-2024-24790 | critical | 9.80 | net/netip | 1.22.2  | fixed in 1.21.11, 1.22.4 | 84 days     | < 1 hour   | -25        | The various Is methods (IsPrivate, IsLoopback,     | Yes               |
|                |          |      |           |         |                          | 85 days ago |            |            | etc) did not work as expected for IPv4-mapped IPv6 |                   |
|                |          |      |           |         |                          |             |            |            | addresses, returning false for addresses which     |                   |
|                |          |      |           |         |                          |             |            |            | would...                                           |                   |
+----------------+----------+------+-----------+---------+--------------------------+-------------+------------+------------+----------------------------------------------------+-------------------+

Regards
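The finding in the scan above is about net/netip's Is* methods (IsPrivate, IsLoopback, etc.) returning false for IPv4-mapped IPv6 addresses such as ::ffff:127.0.0.1 on Go versions before 1.21.11 / 1.22.4. As an added example, not code from this issue or from the http-add-on project, the following Go program shows a defensive address-classification helper that normalizes with Unmap() before running the checks, so the answer is the same on patched and unpatched runtimes. The helper names (classifyRaw, classifySafe, IsInternalAddr) and the sample addresses are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// AddrClass summarizes the classification checks a service typically runs to
// decide whether an address is non-public (for example when validating a
// user-supplied URL before a server-side request).
type AddrClass struct {
	Loopback  bool
	Private   bool
	LinkLocal bool
	Multicast bool
	Unspec    bool
}

// Internal reports whether any of the checks flagged the address as non-public.
func (c AddrClass) Internal() bool {
	return c.Loopback || c.Private || c.LinkLocal || c.Multicast || c.Unspec
}

// classifyRaw calls the Is* methods directly on the address as parsed.
// On Go releases before 1.21.11 / 1.22.4 (CVE-2024-24790) this misclassifies
// IPv4-mapped IPv6 addresses such as ::ffff:127.0.0.1 as public.
func classifyRaw(a netip.Addr) AddrClass {
	return AddrClass{
		Loopback:  a.IsLoopback(),
		Private:   a.IsPrivate(),
		LinkLocal: a.IsLinkLocalUnicast(),
		Multicast: a.IsMulticast(),
		Unspec:    a.IsUnspecified(),
	}
}

// classifySafe normalizes with Unmap() first, so an IPv4-mapped IPv6 address
// is inspected as the IPv4 address it denotes. The result no longer depends on
// whether the runtime carries the net/netip fix.
func classifySafe(a netip.Addr) AddrClass {
	return classifyRaw(a.Unmap())
}

// IsInternalAddr parses s and reports whether it denotes a non-public address,
// treating IPv4-mapped IPv6 forms exactly like their IPv4 counterpart.
// Unparseable input is treated as internal so that the check fails closed.
func IsInternalAddr(s string) bool {
	a, err := netip.ParseAddr(s)
	if err != nil {
		return true
	}
	return classifySafe(a).Internal()
}

func main() {
	// Constructed sample inputs; the ::ffff: forms are IPv4-mapped IPv6 addresses.
	// 203.0.113.0/24 is a documentation range and is not private/loopback.
	samples := []string{
		"127.0.0.1",
		"::ffff:127.0.0.1",
		"::ffff:10.1.2.3",
		"::ffff:203.0.113.10",
		"::1",
		"fe80::1",
	}
	for _, s := range samples {
		a := netip.MustParseAddr(s)
		fmt.Printf("%-22s raw internal=%-5v unmapped internal=%v\n",
			s, classifyRaw(a).Internal(), classifySafe(a).Internal())
	}
}
```

Running the program on an affected Go version shows the "raw" column reporting ::ffff:127.0.0.1 and ::ffff:10.1.2.3 as public while the "unmapped" column reports them as internal; on a fixed version both columns agree. Calling Unmap() before any Is* check is the pattern worth keeping even after upgrading, since it also makes the intent explicit when the code is read later.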

JorTurFer commented 2 months ago

Thanks for reporting! We are going to upgrade the golang version ASAP.

stale[bot] commented 3 weeks ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

stale[bot] commented 1 week ago

This issue has been automatically closed due to inactivity.