Fix High/Medium severity CVEs
ramandeepsharma opened this issue · 1 comment
ramandeepsharma commented
Checklist:
- [ ] I've included steps to reproduce the bug.
- [x] I've included the version of Argo Rollouts.
Describe the bug
An Orca scan detected the following CVEs:
GHSA-9763-4f94-gfch
CVE-2023-39325
CVE-2023-44487
GHSA-m425-mq94-257g
CVE-2023-3676
CVE-2023-3955
CVE-2023-5528
CVE-2023-2253
CVE-2023-48795
CVE-2023-3978
CVE-2023-45288
CVE-2024-24786
CVE-2023-2431
CVE-2023-2727
CVE-2023-2728
To Reproduce
N/A
Expected behavior
Listed vulnerabilities not showing up.
Screenshots
CVE details along with fix versions:
Vulnerability_id | Package Name | Vulnerable Version | Fixed Version | Type |
---|---|---|---|---|
GHSA-9763-4f94-gfch | github.com/cloudflare/circl | v1.3.3 | 1.3.7 | gobinary |
CVE-2023-39325 | golang.org/x/net | v0.12.0 | 0.17.0 | gobinary |
CVE-2023-44487 | golang.org/x/net | v0.12.0 | 0.17.0 | gobinary |
GHSA-m425-mq94-257g | google.golang.org/grpc | v1.57.0 | 1.56.3, 1.57.1, 1.58.3 | gobinary |
CVE-2023-2253 | github.com/docker/distribution | v2.8.1+incompatible | 2.8.2-beta.1 | gobinary |
CVE-2023-48795 | golang.org/x/crypto | v0.11.0 | 0.17.0 | gobinary |
CVE-2023-3978 | golang.org/x/net | v0.12.0 | 0.13.0 | gobinary |
CVE-2023-45288 | golang.org/x/net | v0.12.0 | 0.23.0 | gobinary |
CVE-2024-24786 | google.golang.org/protobuf | v1.31.0 | 1.33.0 | gobinary |
Some CVEs were found related to the k8s.io/kubernetes version as well:
Vulnerability_id | Package Name | Vulnerable Version | Fixed Version | Type |
---|---|---|---|---|
CVE-2023-3676 | k8s.io/kubernetes | v1.25.8 | 1.28.1, 1.27.5, 1.26.8, 1.25.13, 1.24.17 | gobinary |
CVE-2023-3955 | k8s.io/kubernetes | v1.25.8 | 1.28.1, 1.27.5, 1.26.8, 1.25.13, 1.24.17 | gobinary |
CVE-2023-5528 | k8s.io/kubernetes | v1.25.8 | 1.28.4, 1.27.8, 1.26.11, 1.25.16 | gobinary |
CVE-2023-2431 | k8s.io/kubernetes | v1.25.8 | 1.24.14, 1.25.10, 1.26.5, 1.27.2 | gobinary |
CVE-2023-2727 | k8s.io/kubernetes | v1.25.8 | 1.27.3, 1.26.6, 1.25.11, 1.24.15 | gobinary |
CVE-2023-2728 | k8s.io/kubernetes | v1.25.8 | 1.27.3, 1.26.6, 1.25.11, 1.24.15 | gobinary |
Version
1.6.6
Message from the maintainers:
Impacted by this bug? Give it a 👍. We prioritize the issues with the most 👍.