prometheus/blackbox_exporter

Multiple CVEs in blackbox exporter binary.

Closed this issue · 1 comment

Sorry for being a bit paranoid here, but we are running blackbox exporter in a critical environment and we are trying to minimize security risks.

Host operating system: output of uname -a

Linux P2-5CG2113YFF 5.15.153.1-microsoft-standard-WSL2 #1 SMP Fri Mar 29 23:14:13 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

blackbox_exporter version: output of blackbox_exporter --version

blackbox_exporter, version 0.25.0 (branch: HEAD, revision: ef3ff4fef195333fb8ee0039fb487b2f5007908f)
  build user:       root@47d5b0d99f18
  build date:       20240409-12:58:39
  go version:       go1.22.2
  platform:         linux/amd64
  tags:             unknown

What did you expect to see?

I expect that blackbox exporter is built with the latest version of go that minimizes the vulnerabilities.

What did you see instead?

We see the following CVEs in the blackbox exporter binary:

All of these can be mitigated with the latest 1.22 go version.

Are there any new releases planned?
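A check a team can run on its own deployment to confirm the Go toolchain a blackbox_exporter binary was built with, as an added example and not code from the blackbox_exporter project. It parses the `--version` output quoted in this issue (embedded here as a constructed sample) and compares the recorded Go version with a minimum patch release; the `go1.22.5` minimum used in the usage line is an assumed placeholder for whatever release your own verified advisory list requires, not a value from this page.

```python
import re
from typing import Tuple

# Constructed sample: the `blackbox_exporter --version` output quoted in this issue.
VERSION_OUTPUT = """blackbox_exporter, version 0.25.0 (branch: HEAD, revision: ef3ff4fef195333fb8ee0039fb487b2f5007908f)
  build user:       root@47d5b0d99f18
  build date:       20240409-12:58:39
  go version:       go1.22.2
  platform:         linux/amd64
  tags:             unknown
"""

# Matches "go1.22.2", "go1.22" (patch defaults to 0) and pre-releases like "go1.23rc1".
_GO_RE = re.compile(r"go(\d+)\.(\d+)(?:\.(\d+))?(rc\d+|beta\d+)?")


def parse_go_version_string(s: str) -> Tuple[int, int, int]:
    """Turn a Go version string into a (major, minor, patch) tuple.

    Pre-release builds (rc/beta) are reported as patch -1 so they never satisfy
    a minimum that names a final release.
    """
    m = _GO_RE.search(s)
    if not m:
        raise ValueError(f"not a Go version string: {s!r}")
    major, minor, patch, pre = m.groups()
    if pre:
        return int(major), int(minor), -1
    return int(major), int(minor), int(patch or 0)


def parse_go_version(version_output: str) -> Tuple[int, int, int]:
    """Extract the toolchain version from the 'go version:' line of --version output."""
    for line in version_output.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key.strip() == "go version":
            return parse_go_version_string(value.strip())
    raise ValueError("no 'go version:' line found in --version output")


def meets_minimum(version_output: str, minimum: str) -> bool:
    """True if the binary was built with `minimum` or a newer Go release."""
    return parse_go_version(version_output) >= parse_go_version_string(minimum)


if __name__ == "__main__":
    # Assumed placeholder minimum; substitute the release your advisory review requires.
    print("built with go%d.%d.%d" % parse_go_version(VERSION_OUTPUT))
    print("meets minimum go1.22.5:", meets_minimum(VERSION_OUTPUT, "go1.22.5"))
```

Feed it the live output of `blackbox_exporter --version` from the host being audited rather than the embedded sample.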

Please do not report raw vulnerability scanner results. They are prone to false positives and cause the Prometheus team toil in verifying.

Please verify vulnerability reports and include specific details as to which components are directly exploitable.

Also see #1318.