CVE issues
thedadams opened this issue · 0 comments
thedadams commented
A trivy scan of the repo indicates that there a few CVE issues with dependencies (likely k8s libraries). Please consider updating the libraries to address the (>= HIGH) vulnerabilities.
+-----------------------------+------------------+----------+-----------------------------------+------------------------------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+-----------------------------+------------------+----------+-----------------------------------+------------------------------------+---------------------------------------+
| github.com/dgrijalva/jwt-go | CVE-2020-26160 | HIGH | 3.2.0+incompatible | v4.0.0-preview1 | jwt-go: access restriction |
| | | | | | bypass vulnerability |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-26160 |
+-----------------------------+------------------+ +-----------------------------------+------------------------------------+---------------------------------------+
| golang.org/x/crypto | CVE-2020-29652 | | 0.0.0-20190820162420-60c769a6c586 | v0.0.0-20201216223049-8b5274cf687f | golang: crypto/ssh: crafted |
| | | | | | authentication request can |
| | | | | | lead to nil pointer dereference |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-29652 |
+ +------------------+ + +------------------------------------+---------------------------------------+
| | CVE-2020-9283 | | | v0.0.0-20200220183623-bac4c82f6975 | golang.org/x/crypto: Processing |
| | | | | | of crafted ssh-ed25519 |
| | | | | | public keys allows for panic |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-9283 |
+-----------------------------+------------------+----------+-----------------------------------+------------------------------------+---------------------------------------+