kiwigrid / k8s-sidecar

This is a docker container intended to run inside a kubernetes cluster to collect config maps with a specified label and store the included files in a local folder.
MIT License

Fix CVE-2022-43680 #232

Closed NicolasStr closed 1 year ago

NicolasStr commented 2 years ago

Fixing expat v2.4.9-r0 to latest by adding an `apk add --upgrade expat` after installing python requirements.

Fixes CVE-2022-43680: https://avd.aquasec.com/nvd/2022/cve-2022-43680/

jekkel commented 2 years ago

Is upstream affected as well? Can we rebuild on top of a fixed base image?

Context: I don't want to clutter the Dockerfile with CVE-induced upgrades as it's an issue of the base image, and fixing it on our side increases the image size every time (since the vulnerable version is only shadowed, not removed).

NicolasStr commented 2 years ago

It looks like an issue with python packages being installed. Alpine image does not have that CVE.

jekkel commented 1 year ago

@NicolasStr is the latest version still affected?

jekkel commented 1 year ago

Fixed since v1.21.1.
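The thread above turns on two questions: whether the expat shipped in the image is still the vulnerable 2.4.9-r0, and whether a given build is "still affected". The following POSIX sh snippet is an added example, not code from the k8s-sidecar repository or the PR, that answers that as a build-time gate: it parses the line `apk list --installed expat` prints inside an Alpine-based image and compares the package version against a minimum. The `apk list` line format and the minimum version 2.5.0 (the expat release that fixed CVE-2022-43680) are assumptions of the example; the sample lines below are constructed, not taken from a real image.

```shell
#!/bin/sh
# Added example (not part of k8s-sidecar): gate an image build on the
# installed expat version. Usage inside CI, assuming an Alpine-based image:
#   docker run --rm IMAGE apk list --installed expat | { read -r line; expat_ok "$line"; }
# Exit status 0 means the installed expat is at or above MIN_EXPAT.

MIN_EXPAT="2.5.0"   # assumed fix version for CVE-2022-43680

# Extract the upstream version ("2.4.9") from an `apk list --installed` line
# such as: expat-2.4.9-r0 x86_64 {expat} (MIT) [installed]
# (line format assumed). Fails if the line is not about the expat package.
expat_version_from_apk_line() {
    case "$1" in
        expat-*) ;;
        *) return 1 ;;
    esac
    v="${1#expat-}"     # drop the package name
    v="${v%% *}"        # keep the first token: 2.4.9-r0
    v="${v%%-r*}"       # drop the Alpine package revision: 2.4.9
    printf '%s\n' "$v"
}

# version_ge A B: exit 0 if dotted version A >= B, else 1.
# Missing components are treated as 0, so 2.5 == 2.5.0.
version_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# expat_ok LINE: exit 0 if LINE reports an expat at or above MIN_EXPAT.
expat_ok() {
    v="$(expat_version_from_apk_line "$1")" || return 2
    version_ge "$v" "$MIN_EXPAT"
}

# Constructed sample lines for a stand-alone run; real checks feed the
# output of `apk list --installed expat` instead.
VULNERABLE_LINE="expat-2.4.9-r0 x86_64 {expat} (MIT) [installed]"
PATCHED_LINE="expat-2.5.0-r0 x86_64 {expat} (MIT) [installed]"

for line in "$VULNERABLE_LINE" "$PATCHED_LINE"; do
    if expat_ok "$line"; then
        echo "OK       : $line"
    else
        echo "REJECT   : $line (below expat $MIN_EXPAT)"
    fi
done
```

Rebuilding on a newer base image, as jekkel suggests, is the cleaner fix; this check is what lets you confirm that the rebuild actually removed the exposure, and it also catches the shadowing case: `apk list` reports the package the image ends up with, whichever layer installed it.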