kubernetes-client / javascript

Javascript client
Apache License 2.0

Fix CVE in jsonpath-plus (again) #1960

Open soniqua opened 5 days ago

soniqua commented 5 days ago

Describe the bug

The jsonpath-plus dependency contains a critical CVE, even after upgrading to 10.0.0: CVE-2024-21534

The library has been fixed as of version 10.0.7 or higher.

There's an open dependabot PR for resolution.

Client Version 0.22.1


timd73 commented 4 days ago

@mstruebing Any idea on an ETA for a 0.22.x patch release?

brendandburns commented 4 days ago

No current ETA, but probably within the week. FWIW, this library only uses jsonpath-plus for kubeconfig file loading. If you have malicious JSONPath in your kubeconfig, you have far worse problems than this RCE.

Also, unless your kubeconfig contains a jsonpath value you're not impacted by this CVE.

timd73 commented 4 days ago

@brendandburns thanks for the update/ETA, and for the added info.

FWIW, I am not concerned about the actual vulnerability, as I'd gathered that it's not truly exploitable. Rather, it's about making the vulnerability scanners happy (remind me, do we work for them, or they for us?).

But good to know about how it impacts this library - thanks again!