kubernetes / ingress-nginx

Ingress-NGINX Controller for Kubernetes
https://kubernetes.github.io/ingress-nginx/
Apache License 2.0

CVEs in controller:v1.10.1 #11532

Open dsmithsl opened 3 days ago

dsmithsl commented 3 days ago

What scanner and version reported the CVE?

$ grype --version
grype 0.79.1

What CVE was reported in the scanner findings?

NAME              INSTALLED   FIXED-IN    TYPE       VULNERABILITY        SEVERITY
busybox           1.36.1-r15  1.36.1-r16  apk        CVE-2023-42366       Medium
busybox           1.36.1-r15  1.36.1-r19  apk        CVE-2023-42365       Medium
busybox           1.36.1-r15  1.36.1-r19  apk        CVE-2023-42364       Medium
busybox           1.36.1-r15  1.36.1-r17  apk        CVE-2023-42363       Medium
busybox-binsh     1.36.1-r15  1.36.1-r16  apk        CVE-2023-42366       Medium
busybox-binsh     1.36.1-r15  1.36.1-r19  apk        CVE-2023-42365       Medium
busybox-binsh     1.36.1-r15  1.36.1-r19  apk        CVE-2023-42364       Medium
busybox-binsh     1.36.1-r15  1.36.1-r17  apk        CVE-2023-42363       Medium
curl              8.5.0-r0                apk        CVE-2024-0853        Medium
curl              8.5.0-r0                apk        CVE-2024-2466        Unknown
curl              8.5.0-r0                apk        CVE-2024-2398        Unknown
curl              8.5.0-r0                apk        CVE-2024-2004        Unknown
golang.org/x/net  v0.22.0     0.23.0      go-module  GHSA-4v7x-pqxf-cx7m  Medium
libcrypto3        3.1.4-r6    3.1.6-r0    apk        CVE-2024-5535        Unknown
libcrypto3        3.1.4-r6    3.1.6-r0    apk        CVE-2024-4741        Unknown
libcrypto3        3.1.4-r6    3.1.5-r0    apk        CVE-2024-4603        Unknown
libssl3           3.1.4-r6    3.1.6-r0    apk        CVE-2024-5535        Unknown
libssl3           3.1.4-r6    3.1.6-r0    apk        CVE-2024-4741        Unknown
libssl3           3.1.4-r6    3.1.5-r0    apk        CVE-2024-4603        Unknown
libxml2           2.11.7-r0   2.11.8-r0   apk        CVE-2024-34459       Unknown
nghttp2-libs      1.58.0-r0               apk        CVE-2024-28182       Medium
nginx             1.25.3                  binary     CVE-2024-24990       High
nginx             1.25.3                  binary     CVE-2024-24989       High
nginx             1.25.3                  binary     CVE-2024-35200       Medium
nginx             1.25.3                  binary     CVE-2024-34161       Medium
nginx             1.25.3                  binary     CVE-2024-32760       Medium
nginx             1.25.3                  binary     CVE-2024-31079       Medium
openssl           3.1.4-r6    3.1.6-r0    apk        CVE-2024-5535        Unknown
openssl           3.1.4-r6    3.1.6-r0    apk        CVE-2024-4741        Unknown
openssl           3.1.4-r6    3.1.5-r0    apk        CVE-2024-4603        Unknown
ssl_client        1.36.1-r15  1.36.1-r16  apk        CVE-2023-42366       Medium
ssl_client        1.36.1-r15  1.36.1-r19  apk        CVE-2023-42365       Medium
ssl_client        1.36.1-r15  1.36.1-r19  apk        CVE-2023-42364       Medium
ssl_client        1.36.1-r15  1.36.1-r17  apk        CVE-2023-42363       Medium
stdlib            go1.22.2                go-module  CVE-2024-24790       Critical
stdlib            go1.22.2                go-module  CVE-2024-24789       Medium
stdlib            go1.22.2                go-module  CVE-2024-24788       Unknown
stdlib            go1.22.2                go-module  CVE-2024-24787       Unknown
yajl              2.1.0-r8    2.1.0-r9    apk        CVE-2023-33460       Medium

What versions of the controller did you test with?

registry.k8s.io/ingress-nginx/controller:v1.10.1

rikatz commented 3 days ago

/unassign

strongjz commented 3 days ago

We are working on a release this week.

/assign @strongjz
/triage accepted
/kind bug