forked from wolfi-dev/advisories
/
kyverno.advisories.yaml
232 lines (210 loc) · 6.23 KB
/
kyverno.advisories.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
schema-version: 2.0.2
package:
name: kyverno
advisories:
- id: CVE-2023-25656
aliases:
- GHSA-87x9-7grx-m28v
events:
- timestamp: 2023-11-16T14:25:50Z
type: fixed
data:
fixed-version: 1.11.0-r1
- id: CVE-2023-30551
aliases:
- GHSA-2h5h-59f5-c5x9
events:
- timestamp: 2023-08-08T23:51:19Z
type: false-positive-determination
data:
type: vulnerable-code-not-included-in-package
note: The vulnerable code in Rekor cannot be imported.
- id: CVE-2023-33199
aliases:
- GHSA-frqx-jfcm-6jjr
events:
- timestamp: 2023-08-08T23:51:19Z
type: false-positive-determination
data:
type: vulnerable-code-not-included-in-package
note: The vulnerable code is effectively private. The vulnerable code is unlikely to ever be imported.
- id: CVE-2023-33959
aliases:
- GHSA-xhg5-42rf-296r
events:
- timestamp: 2023-11-16T14:26:11Z
type: fixed
data:
fixed-version: 1.11.0-r1
- id: CVE-2023-39325
aliases:
- GHSA-4374-p667-p6c8
events:
- timestamp: 2023-10-16T19:07:53Z
type: fixed
data:
fixed-version: 1.10.3-r6
- id: CVE-2023-3978
aliases:
- GHSA-2wrh-6pvc-2jm9
events:
- timestamp: 2023-10-16T19:08:27Z
type: fixed
data:
fixed-version: 1.10.3-r6
- id: CVE-2023-44487
aliases:
- GHSA-qppj-fm5r-hxr3
events:
- timestamp: 2023-10-16T19:08:57Z
type: fixed
data:
fixed-version: 1.10.3-r6
- id: CVE-2023-45142
aliases:
- GHSA-rcjv-mgp8-qvmr
events:
- timestamp: 2023-10-25T21:06:43Z
type: true-positive-determination
data:
note: Confirmed that the affected code is present in the binary, but Kyverno needs to migrate its code off of the Go packages keeping it at the affected version of go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp. It looks like the release-1.11 branch has made these adjustments and dependency updates, and once the final 1.11 release is out, this Wolfi package will get updated.
- id: CVE-2023-45283
aliases:
- GHSA-vvjp-q62m-2vph
events:
- timestamp: 2023-11-07T19:32:41Z
type: false-positive-determination
data:
type: vulnerable-code-not-included-in-package
note: Only affects Windows
- id: CVE-2023-45284
aliases:
- GHSA-rq3x-83w4-p28c
events:
- timestamp: 2023-11-07T19:32:43Z
type: false-positive-determination
data:
type: vulnerable-code-not-included-in-package
note: Only affects Windows
- id: CVE-2023-47108
aliases:
- GHSA-8pgv-569h-w5rw
events:
- timestamp: 2023-11-16T15:42:17Z
type: fixed
data:
fixed-version: 1.11.0-r1
- id: CVE-2023-48795
aliases:
- GHSA-45x7-px36-x8w8
events:
- timestamp: 2023-12-20T03:47:59Z
type: fixed
data:
fixed-version: 1.11.1-r2
- id: CVE-2023-49290
aliases:
- GHSA-7f9x-gw85-8grf
events:
- timestamp: 2024-01-24T07:49:15Z
type: fixed
data:
fixed-version: 1.11.4-r1
- id: CVE-2024-21664
aliases:
- GHSA-pvcr-v8j8-j5q3
events:
- timestamp: 2024-01-24T07:49:16Z
type: fixed
data:
fixed-version: 1.11.4-r1
- id: CVE-2024-24786
aliases:
- GHSA-8r3f-844c-mc37
events:
- timestamp: 2024-03-14T11:17:05Z
type: detection
data:
type: scan/v1
data:
subpackageName: kyverno-reports-controller
componentID: 7fd1607563065571
componentName: google.golang.org/protobuf
componentVersion: v1.31.0
componentType: go-module
componentLocation: /usr/bin/reports-controller
scanner: grype
- id: CVE-2024-28122
aliases:
- GHSA-hj3v-m684-v259
events:
- timestamp: 2024-03-09T07:10:04Z
type: detection
data:
type: scan/v1
data:
subpackageName: kyverno-init-container
componentID: 6c06d40d92eaef14
componentName: github.com/lestrrat-go/jwx/v2
componentVersion: v2.0.19
componentType: go-module
componentLocation: /usr/bin/kyvernopre
scanner: grype
- timestamp: 2024-03-09T14:57:56Z
type: fixed
data:
fixed-version: 1.11.4-r6
- id: CVE-2024-28180
aliases:
- GHSA-c5q2-7r4c-mv6g
events:
- timestamp: 2024-03-08T07:06:33Z
type: detection
data:
type: scan/v1
data:
subpackageName: kyverno-reports-controller
componentID: 67c9a1f0142fa0c1
componentName: github.com/go-jose/go-jose/v3
componentVersion: v3.0.1
componentType: go-module
componentLocation: /usr/bin/reports-controller
scanner: grype
- timestamp: 2024-03-08T10:56:39Z
type: fixed
data:
fixed-version: 1.11.4-r5
- id: GHSA-2c7c-3mj9-8fqh
events:
- timestamp: 2023-11-22T16:40:41Z
type: fixed
data:
fixed-version: 1.11.0-r2
- id: GHSA-6xv5-86q9-7xr8
events:
- timestamp: 2023-09-09T15:18:18Z
type: false-positive-determination
data:
type: vulnerable-code-not-included-in-package
note: This vulnerability is only present on Windows.
- id: GHSA-9763-4f94-gfch
events:
- timestamp: 2024-01-11T07:07:18Z
type: detection
data:
type: scan/v1
data:
subpackageName: kyverno-init-container
componentID: 16f7996c56b1558e
componentName: github.com/cloudflare/circl
componentVersion: v1.3.5
componentType: go-module
componentLocation: /usr/bin/kyvernopre
scanner: grype
- id: GHSA-jq35-85cj-fj4p
events:
- timestamp: 2023-10-31T20:03:57Z
type: false-positive-determination
data:
type: vulnerable-code-not-included-in-package
note: This vulnerability is in the container runtime itself, not clients of the container runtime.