snowdrop / istio-java-api

A Java API to generate Istio descriptors, inspired by Fabric8's kubernetes-model.
Apache License 2.0
112 stars 33 forks

3 critical CVSS even after upgrade to latest (1.7.7.1) #140

Open uCatu opened 2 years ago

uCatu commented 2 years ago

Hi all, we are running the OWASP dependency checker and got 3 critical CVSS:

istio-common:1.7.7.1 | Istio Before 1.8.6 and 1.9.x Before 1.9.5 Contains a Remotely Exploitable Vulnerability Where an External Client Can Access Unexpected Services in the Cluster, Bypassing Authorization Checks, When a Gateway Is Configured With AUTO_PASSTHROUGH Routing Configuration.(in istio-common-1.7.7.1.jar)
| Location | Component Name | Component Version | Group |
| --- | --- | --- | --- |
| istio-common-1.7.7.1.jar | me.snowdrop:istio-common | 1.7.7.1 | N |

862 CVE-2021-31921

Mitigation: Update me.snowdrop:istio-common:1.7.7.1 to at least the version recommended in the description

What is your recommendation to solve this? Thanks!

FWiesner commented 2 years ago

The CVEs you refer to are for Istio itself. This library here is "just" a client for the Istio custom resources. It seems the detection configuration in the OWASP rule set leads to a false positive. This project cannot do anything about it.
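For anyone hitting the same report: a scoped suppression is the usual way to record a confirmed false positive in OWASP dependency-check so it stops failing the build without hiding findings on other artifacts. The file below is an added example, not from this thread or the project; it assumes the finding comes from the jar being matched to the Istio product CPE, and the CVE entry is the one quoted in the report above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check suppression file (pass with --suppression / suppressionFile).
     Scoped to the me.snowdrop:istio-common Maven coordinates only, so findings
     on any other dependency are still reported. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        me.snowdrop:istio-common is a Java client for Istio custom resources, not the
        Istio control plane or data plane. The CVEs reported against it describe
        Istio itself (see snowdrop/istio-java-api issue #140), so they do not apply.
        ]]></notes>
        <!-- match only this artifact, any version -->
        <packageUrl regex="true">^pkg:maven/me\.snowdrop/istio\-common@.*$</packageUrl>
        <!-- assumption: the false positive stems from the jar being mapped to the
             istio:istio CPE; suppressing that mapping covers all CVEs it brings in -->
        <cpe>cpe:/a:istio:istio</cpe>
    </suppress>
    <suppress>
        <notes><![CDATA[
        Narrower alternative: suppress only the CVE quoted in the report, keeping
        any future CPE matches visible for review.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/me\.snowdrop/istio\-common@.*$</packageUrl>
        <cve>CVE-2021-31921</cve>
    </suppress>
</suppressions>
```

Use one of the two `<suppress>` blocks, not both: the CPE-based one silences every finding produced by that product mapping for this artifact, the CVE-based one only the single CVE named above.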