otterize / network-mapper

Map Kubernetes traffic: in-cluster, to the Internet, and to AWS IAM and export as text, intents, or an image
Apache License 2.0

CVE-2023-24535 - High vulnerability in google protobuf package #135

Closed MickaelAlliel closed 1 year ago

MickaelAlliel commented 1 year ago

Hi team!

We've identified a category high vulnerability (CVE-2023-24535) in the docker image caused by google.golang.org/protobuf@v1.29.0 which can be resolved by upgrading to google.golang.org/protobuf@v1.29.1. It seems to be an indirect dependency from another module of yours (intents-operator).

Is it something that can be updated and taken care of or are you reliant on this specific protobuf version?

Import graph:

❯ go mod graph | grep protobuf@v1.29.0
github.com/otterize/network-mapper/src google.golang.org/protobuf@v1.29.0
github.com/otterize/intents-operator/src@v0.0.0-20230823142133-caf026796b72 google.golang.org/protobuf@v1.29.0
google.golang.org/protobuf@v1.29.0 github.com/golang/protobuf@v1.5.0
google.golang.org/protobuf@v1.29.0 github.com/google/go-cmp@v0.5.5

Aquasecurity scan: image

Thank you!
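The `go mod graph` output above lists only the edges that mention `protobuf@v1.29.0`, so the chain through `intents-operator` has to be read from the full graph. As an added example (not code from the issue or from the network-mapper project), the program below parses `go mod graph` output, finds every version of a module that is below the fixed version, and prints each requirement chain from the root module to it. The sample graph embeds the four lines quoted above plus one constructed edge, `network-mapper/src -> intents-operator/src@v0.0.0-...`, which the issue implies but the grep does not show; the version comparison handles only plain `vX.Y.Z` tags (no pre-release or pseudo-versions), which is a simplification of this example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// SampleGraph: the four lines quoted in the issue, plus one constructed edge
// (root -> intents-operator) so the indirect chain is visible offline.
const SampleGraph = `github.com/otterize/network-mapper/src google.golang.org/protobuf@v1.29.0
github.com/otterize/network-mapper/src github.com/otterize/intents-operator/src@v0.0.0-20230823142133-caf026796b72
github.com/otterize/intents-operator/src@v0.0.0-20230823142133-caf026796b72 google.golang.org/protobuf@v1.29.0
google.golang.org/protobuf@v1.29.0 github.com/golang/protobuf@v1.5.0
google.golang.org/protobuf@v1.29.0 github.com/google/go-cmp@v0.5.5`

// ParseGraph turns "requirer requirement" lines (the go mod graph format)
// into an adjacency list keyed by requirer.
func ParseGraph(raw string) map[string][]string {
	g := make(map[string][]string)
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			continue
		}
		g[f[0]] = append(g[f[0]], f[1])
	}
	return g
}

// FindPaths returns every requirement chain from root to target.
// onPath guards against cycles, which go mod graph can contain.
func FindPaths(g map[string][]string, root, target string) [][]string {
	var out [][]string
	onPath := map[string]bool{}
	var walk func(node string, path []string)
	walk = func(node string, path []string) {
		if onPath[node] {
			return
		}
		path = append(path, node)
		if node == target {
			out = append(out, append([]string(nil), path...))
			return
		}
		onPath[node] = true
		for _, next := range g[node] {
			walk(next, path)
		}
		onPath[node] = false
	}
	walk(root, nil)
	return out
}

// numbers splits "vX.Y.Z" into its three integer components.
func numbers(v string) [3]int {
	var n [3]int
	parts := strings.SplitN(strings.TrimPrefix(v, "v"), ".", 3)
	for i := 0; i < len(parts) && i < 3; i++ {
		n[i], _ = strconv.Atoi(parts[i])
	}
	return n
}

// VersionLess reports whether tagged version a sorts before b.
// Simplification for this example: pre-release suffixes and pseudo-versions
// are not handled (use golang.org/x/mod/semver for real comparisons).
func VersionLess(a, b string) bool {
	pa, pb := numbers(a), numbers(b)
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// AffectedVersions lists every "modulePath@version" node in the graph whose
// version is below the fixed one, sorted for stable output.
func AffectedVersions(g map[string][]string, modulePath, fixed string) []string {
	seen := map[string]bool{}
	var out []string
	for from, tos := range g {
		for _, n := range append([]string{from}, tos...) {
			path, ver, ok := strings.Cut(n, "@")
			if ok && path == modulePath && VersionLess(ver, fixed) && !seen[n] {
				seen[n] = true
				out = append(out, n)
			}
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	g := ParseGraph(SampleGraph)
	root := "github.com/otterize/network-mapper/src"
	for _, vuln := range AffectedVersions(g, "google.golang.org/protobuf", "v1.29.1") {
		fmt.Println("affected:", vuln)
		for _, p := range FindPaths(g, root, vuln) {
			fmt.Println("  via:", strings.Join(p, " -> "))
		}
	}
}
```

In a real checkout, replace `SampleGraph` with the output of `go mod graph` run in the module directory. Because the vulnerable version is reached both directly and through `intents-operator`, a plain `go get google.golang.org/protobuf@v1.29.1` followed by `go mod tidy` raises the selected version for the whole build (Go's minimal version selection takes the highest required version), after which `go list -m all | grep google.golang.org/protobuf` should show only `v1.29.1`; bumping the `intents-operator` requirement as well keeps the fix from being undone if the direct requirement is later tidied away.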

orishoshan commented 1 year ago

Thanks @MickaelAlliel! Will fix ASAP