kubernetes-sigs / metrics-server

Scalable and efficient source of container resource metrics for Kubernetes built-in autoscaling pipelines.
https://kubernetes.io/docs/tasks/debug-application-cluster/resource-metrics-pipeline/
Apache License 2.0

CVE-2024-0567 and CVE-2023-5981 vulnerabilities reported in 0.7.0 #1427

Closed cbugneac-nex closed 5 months ago

cbugneac-nex commented 7 months ago

What would you like to be added: These vulnerabilities fixed.

$ trivy image --ignore-unfixed public.ecr.aws/bitnami/metrics-server:0.7.0
...
public.ecr.aws/bitnami/metrics-server:0.7.0 (debian 11.9)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌─────────────┬───────────────┬──────────┬────────┬───────────────────┬─────────────────┬───────────────────────────────────────────────────────────┐
│   Library   │ Vulnerability │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                           │
├─────────────┼───────────────┼──────────┼────────┼───────────────────┼─────────────────┼───────────────────────────────────────────────────────────┤
│ libgnutls30 │ CVE-2024-0567 │ HIGH     │ fixed  │ 3.7.1-5+deb11u4   │ 3.7.1-5+deb11u5 │ gnutls: rejects certificate chain with distributed trust  │
│             │               │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-0567                 │
│             ├───────────────┼──────────┤        │                   │                 ├───────────────────────────────────────────────────────────┤
│             │ CVE-2023-5981 │ MEDIUM   │        │                   │                 │ gnutls: timing side-channel in the RSA-PSK authentication │
│             │               │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-5981                 │
└─────────────┴───────────────┴──────────┴────────┴───────────────────┴─────────────────┴───────────────────────────────────────────────────────────┘

Why is this needed: Keep good security posture and reduce attack surface.

/kind feature
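An added example, not code from this issue or from the metrics-server project: a small CI gate that reads trivy's JSON report (`trivy image --format json -o report.json <image>`) and fails only on findings that already have a fixed version at or above a severity threshold, the same filter as `--ignore-unfixed` combined with `--severity`. The embedded report is constructed from the table above; the key names follow trivy's JSON report format, and the unfixed third entry is a placeholder added to show that it is skipped.

```python
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in trivy's JSON layout (Results -> Vulnerabilities), built
# from the table in this issue; real input comes from `trivy image --format json`.
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "public.ecr.aws/bitnami/metrics-server:0.7.0 (debian 11.9)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2024-0567", "PkgName": "libgnutls30",
         "InstalledVersion": "3.7.1-5+deb11u4", "FixedVersion": "3.7.1-5+deb11u5",
         "Severity": "HIGH", "Status": "fixed"},
        {"VulnerabilityID": "CVE-2023-5981", "PkgName": "libgnutls30",
         "InstalledVersion": "3.7.1-5+deb11u4", "FixedVersion": "3.7.1-5+deb11u5",
         "Severity": "MEDIUM", "Status": "fixed"},
        # Constructed placeholder with no fix: --ignore-unfixed drops it, and so does this gate.
        {"VulnerabilityID": "CVE-EXAMPLE-UNFIXED", "PkgName": "example-pkg",
         "InstalledVersion": "1.0", "FixedVersion": "", "Severity": "CRITICAL",
         "Status": "affected"},
    ],
}]})

def actionable_findings(report_json, min_severity="HIGH"):
    """Findings that have a fix and meet min_severity, as (id, pkg, installed, fixed).

    Same filter as `trivy --ignore-unfixed --severity ...`: a finding counts only
    when trivy reports a FixedVersion, i.e. a rebuilt base image resolves it.
    """
    threshold = SEVERITY_RANK[min_severity]
    out = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # trivy emits null when clean
            if not v.get("FixedVersion"):
                continue  # no upstream fix yet; nothing to rebuild against
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            out.append((v["VulnerabilityID"], v["PkgName"],
                        v["InstalledVersion"], v["FixedVersion"]))
    return out

def gate(report_json, min_severity="HIGH"):
    """CI verdict: 0 when nothing fixable remains, 1 otherwise (one line per finding)."""
    findings = actionable_findings(report_json, min_severity)
    for cve, pkg, installed, fixed in findings:
        print(f"{cve}: {pkg} {installed} -> rebuild with {fixed}")
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(gate(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT))
```

Against the constructed 0.7.0 report the gate returns 1 because of CVE-2024-0567; a clean report like the v0.7.1 rescan later in this thread returns 0.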

dashpole commented 6 months ago

/assign @dgrisonnet /triage accepted

zhangguanzhang commented 5 months ago

This needs to be closed.

[root@guan ~]# trivy image registry.k8s.io/metrics-server/metrics-server:v0.7.1
2024-03-28T09:56:37.635+0800    INFO    Detected OS: debian
2024-03-28T09:56:37.635+0800    INFO    Detecting Debian vulnerabilities...
2024-03-28T09:56:37.635+0800    INFO    Number of language-specific files: 1
2024-03-28T09:56:37.635+0800    INFO    Detecting gobinary vulnerabilities...

registry.k8s.io/metrics-server/metrics-server:v0.7.1 (debian 11.9)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

yangjunmyfm192085 commented 5 months ago

/cc @cbugneac-nex

cbugneac-nex commented 5 months ago

Thanks @zhangguanzhang