kubernetes / ingress-nginx

Ingress-NGINX Controller for Kubernetes
https://kubernetes.github.io/ingress-nginx/
Apache License 2.0
17.31k stars 8.22k forks

Vulnerability (CVE-2022-27782) in the curl package #11388

Closed WahidSyed closed 2 months ago

WahidSyed commented 4 months ago

Vulnerability (CVE-2022-27782) in the curl package that's installed. The installed version of curl is 7.79.1-r0, and the vulnerability is marked as HIGH severity. The fixed version is 7.79.1-r2.

k8s-ci-robot commented 4 months ago

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.
longwuyuan commented 4 months ago

curl is not in the direct path of HTTP requests from clients using ingress I think.

this will get patched when the next release is out.

github-actions[bot] commented 3 months ago

This is stale, but we won't close it automatically, just bear in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach #ingress-nginx-dev on Kubernetes Slack.

longwuyuan commented 2 months ago

```
% grype registry.k8s.io/ingress-nginx/controller:v1.10.2@sha256:e3311b3d9671bc52d90572bcbfb7ee5b71c985d6d6cffd445c241f1e2703363c
 ✔ Vulnerability DB                [no update available]
 ✔ Pulled image
 ✔ Loaded image                    registry.k8s.io/ingress-nginx/controller:v1.10.2@sha256:e3311b3d9671bc52d90572bcbfb7ee5b71c985d6d6cffd445c241f1e2703363c
 ✔ Parsed image                    sha256:25f75d3a80c867fbbe3cbb379d339bea26de76ba120c8cc2f5628dc32a7aca5a
 ✔ Cataloged contents              a9e7db68ea193728cedb9b62e231c65516736d3e8a0d9d8a7e25b34e41b5730a
   ├── ✔ Packages                  [209 packages]
   ├── ✔ File digests              [783 files]
   ├── ✔ File metadata             [783 locations]
   └── ✔ Executables               [214 executables]
 ✔ Scanned for vulnerabilities     [7 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 4 medium, 0 low, 0 negligible (3 unknown)
   └── by status:   0 fixed, 7 not-fixed, 0 ignored
NAME    INSTALLED  FIXED-IN  TYPE       VULNERABILITY   SEVERITY
nginx   1.25.5               binary     CVE-2024-35200  Medium
nginx   1.25.5               binary     CVE-2024-34161  Medium
nginx   1.25.5               binary     CVE-2024-32760  Medium
nginx   1.25.5               binary     CVE-2024-31079  Medium
stdlib  go1.22.4             go-module  CVE-2024-24791  Unknown
[~] %
```

/close
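An added example (not code from this issue or from the ingress-nginx project) of gating a grype report the way the findings in this thread were read: flag only matches at or above a chosen severity that have a published fix the installed version is older than, comparing Alpine apk versions such as curl 7.79.1-r0 against the fixed 7.79.1-r2. The JSON field layout is assumed from grype's `-o json` output, and the sample report is constructed inline.

```python
import json

# Constructed sample in the shape `grype <image> -o json` emits (assumed field
# layout; only the keys used below are present). The curl entry mirrors the
# report in this issue: installed 7.79.1-r0, fixed in 7.79.1-r2.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2022-27782", "severity": "High",
                       "fix": {"versions": ["7.79.1-r2"], "state": "fixed"}},
     "artifact": {"name": "curl", "version": "7.79.1-r0", "type": "apk"}},
    {"vulnerability": {"id": "CVE-2024-35200", "severity": "Medium",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "nginx", "version": "1.25.5", "type": "binary"}},
    {"vulnerability": {"id": "CVE-2024-24791", "severity": "Unknown",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "stdlib", "version": "go1.22.4", "type": "go-module"}},
]})

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def apk_version_key(version):
    """Comparable key for an Alpine apk version like '7.79.1-r2': the numeric
    upstream components, then the '-rN' package release (simplified: suffixes
    such as '_p1' are ignored)."""
    upstream, _, release = version.partition("-r")
    nums = tuple(int(p) for p in upstream.split(".") if p.isdigit())
    return nums, (int(release) if release.isdigit() else 0)

def needs_action(match, min_severity="high"):
    """True when the match is at/above the threshold AND a fix exists that the
    installed version is older than. Unfixed findings are reported by grype but
    cannot be closed by an upgrade, so they are left out of the gate."""
    vuln, art = match["vulnerability"], match["artifact"]
    if SEVERITY_RANK.get(vuln["severity"].lower(), -1) < SEVERITY_RANK[min_severity]:
        return False
    fixes = vuln.get("fix", {}).get("versions") or []
    if not fixes:
        return False
    if art["type"] != "apk":
        return True  # other version schemes are not compared here; flag conservatively
    return apk_version_key(art["version"]) < max(map(apk_version_key, fixes))

def triage(report_json, min_severity="high"):
    """Return 'name installed -> CVE' lines for findings that fail the gate."""
    report = json.loads(report_json)
    return sorted(f'{m["artifact"]["name"]} {m["artifact"]["version"]} -> '
                  f'{m["vulnerability"]["id"]}'
                  for m in report["matches"] if needs_action(m, min_severity))

if __name__ == "__main__":
    for line in triage(SAMPLE_REPORT):
        print(line)
```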

k8s-ci-robot commented 2 months ago

@longwuyuan: Closing this issue.

In response to [this](https://github.com/kubernetes/ingress-nginx/issues/11388#issuecomment-2216375583):

> /close