Closed krishnaindani closed 6 months ago
/triage accepted /assign
I think there's already work in progress for PRISMA-2022-0227 at https://github.com/kubernetes/kube-state-metrics/issues/2253
Thank you, what about these two CVE-2023-45285 and CVE-2023-45283?
I see the PR https://github.com/kubernetes/kube-state-metrics/pull/2254 is closed; is it not the hook to patch the package?
Are we safe to ignore these given this comment here: https://github.com/kubernetes/kube-state-metrics/pull/2254#issuecomment-1837606989? I see that with version 3.11.0 Prisma is silent.
I can contribute here for the updates, can we get some action plan?
I suggest the discussion on PRISMA-2022-0227 be kept at #2253
I don't think kube-state-metrics is affected by CVE-2023-48795 because it doesn't make use of crypto/ssh, but I could be mistaken
I believe we can update Go regardless of whether or not the remaining ones are false positives
Disclaimer: I'm not a maintainer for kube-state-metrics
v2.11.0 has been released. I assume these have been mitigated. If not, please feel free to reopen and share the ones by which you believe kube-state-metrics is really affected.
What happened: Ran a Twistlock scan on kube-state-metrics version v2.10.1 and found the following vulnerabilities