kubernetes-csi / external-resizer

Sidecar container that watches Kubernetes PersistentVolumeClaims objects and triggers controller side expansion operation against a CSI endpoint
Apache License 2.0

security vulnerability for csi-resizer:v1.8.0 #329

Closed Jainbrt closed 3 months ago

Jainbrt commented 10 months ago

registry.k8s.io/sig-storage/csi-resizer:v1.8.0

CVE               SEV  CVSS  PACKAGE                            VERSION  TYPE  STATUS                    PATH
---               ---  ----  -------                            -------  ----  ------                    ----
PRISMA-2022-0227  H    7.5   github.com/emicklei/go-restful/v3  v3.9.0   go    fixed in v3.10.0          /csi-resizer
CVE-2023-29404    C    9.8   go                                 1.20.3   app   fixed in 1.20.5, 1.19.10  /csi-resizer
CVE-2023-29400    H    7.3   go                                 1.20.3   app   fixed in 1.20.4, 1.19.9   /csi-resizer
CVE-2023-29405    C    9.8   go                                 1.20.3   app   fixed in 1.20.5, 1.19.10  /csi-resizer
CVE-2023-29402    C    9.8   go                                 1.20.3   app   fixed in 1.20.5, 1.19.10  /csi-resizer
CVE-2023-24539    H    7.3   go                                 1.20.3   app   fixed in 1.20.4, 1.19.9   /csi-resizer
CVE-2023-39533    H    7.5   go                                 1.20.3   app   fixed in 1.20.7, 1.19.12  /csi-resizer
CVE-2023-24540    C    9.8   go                                 1.20.3   app   fixed in 1.20.4, 1.19.9   /csi-resizer
CVE-2023-29403    H    7.8   go                                 1.20.3   app   fixed in 1.20.5, 1.19.10  /csi-resizer

We need help in fixing the above-listed CVEs.

coltonfreeman26 commented 9 months ago

Good day all, we are using 1.9.1 and have multiple findings in regards to the Go version being used. Mostly mediums but a couple of highs. All fixed with golang-1.20.10.

k8s-triage-robot commented 5 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 4 months ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot commented 3 months ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:
- After 90d of inactivity, `lifecycle/stale` is applied
- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed

You can:
- Reopen this issue with `/reopen`
- Mark this issue as fresh with `/remove-lifecycle rotten`
- Offer to help out with [Issue Triage](https://www.kubernetes.dev/docs/guide/issue-triage/)

Please send feedback to sig-contributor-experience at [kubernetes/community](https://github.com/kubernetes/community).

/close not-planned

k8s-ci-robot commented 3 months ago

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to [this](https://github.com/kubernetes-csi/external-resizer/issues/329#issuecomment-2028581854):

> The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
>
> This bot triages issues according to the following rules:
> - After 90d of inactivity, `lifecycle/stale` is applied
> - After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
> - After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed
>
> You can:
> - Reopen this issue with `/reopen`
> - Mark this issue as fresh with `/remove-lifecycle rotten`
> - Offer to help out with [Issue Triage][1]
>
> Please send feedback to sig-contributor-experience at [kubernetes/community](https://github.com/kubernetes/community).
>
> /close not-planned
>
> [1]: https://www.kubernetes.dev/docs/guide/issue-triage/

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.