Open soniqua opened 5 days ago
@mstruebing
Any idea on an ETA for a 0.22.x
patch release?
No current eta, but probably within the week. fwiw, this library only uses this library for kubeconfig file loading. If you have malicious JSONPath in your kubeconfig, you have far worse problems than this RCE.
Also, unless your kubeconfig contains a jsonpath value you're not impacted by this CVE.
@brendandburns thanks for the update/ETA, and for the added info.
FWIW, I am not concerned about the actual vulnerability, as I'd gathered that it's not truly exploitable. Rather it's about making the vulnerability scanners happy (remind me, do we work for them, or they for us?).
But good to know about how it impacts this library - thanks again!
Describe the bug The jsonpath-plus dependency contains a critical CVE, even after upgrading to
10.0.0
: CVE-2024-21534The library has been fixed as of version 10.0.7 or higher.
There's an open dependabot PR for resolution.
Client Version
0.22.1
Environment (please complete the following information):
Additional context