Open c3y1huang opened 3 weeks ago
What happened:
The recent trivy scan showed there are some CRITICAL and HIGH severity vulnerabilities in v6.3.4.
registry.k8s.io/sig-storage/csi-snapshotter:v6.3.4 (debian 11.9) ================================================================ Total: 0 (HIGH: 0, CRITICAL: 0) csi-snapshotter (gobinary) ========================== Total: 5 (HIGH: 4, CRITICAL: 1) ┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬──────────────────────────────────────────────────────────────┐ │ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │ ├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼──────────────────────────────────────────────────────────────┤ │ stdlib │ CVE-2024-24790 │ CRITICAL │ fixed │ 1.20.5 │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │ │ │ │ │ │ │ │ IPv4-mapped IPv6 addresses │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-24790 │ │ ├────────────────┼──────────┤ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2023-39325 │ HIGH │ │ │ 1.20.10, 1.21.3 │ golang: net/http, x/net/http2: rapid stream resets can cause │ │ │ │ │ │ │ │ excessive work (CVE-2023-44487) │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-39325 │ │ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2023-45283 │ │ │ │ 1.20.11, 1.21.4, 1.20.12, 1.21.5 │ The filepath package does not recognize paths with a \??\ │ │ │ │ │ │ │ │ prefix as... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-45283 │ │ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2023-45288 │ │ │ │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of │ │ │ │ │ │ │ │ CONTINUATION frames causes DoS │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-45288 │ │ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2024-34156 │ │ │ │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │ │ │ │ │ │ │ │ which contains deeply nested structures... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-34156 │ └─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴──────────────────────────────────────────────────────────────┘
It seems some had been fixed in newer major versions. However, we cannot update to the major versions due to potential breaking changes mentioned in https://kubernetes-csi.github.io/docs/project-policies.html#versioning.
What is the supporting period for the minor versions? And could we have those CVE issues fixed?
What you expected to happen:
The CVE issues should be handled with the minor/patch release.
How to reproduce it:
Anything else we need to know?:
Environment:
kubectl version
uname -a
What happened:
The recent trivy scan showed there are some CRITICAL and HIGH severity vulnerabilities in v6.3.4.
It seems some had been fixed in newer major versions. However, we cannot update to the major versions due to potential breaking changes mentioned in https://kubernetes-csi.github.io/docs/project-policies.html#versioning.
What is the supporting period for the minor versions? And could we have those CVE issues fixed?
What you expected to happen:
The CVE issues should be handled with the minor/patch release.
How to reproduce it:
Anything else we need to know?:
Environment:
kubectl version):uname -a):