
High vulnerabilities CVE-2023-39533 found in Metrics server v0.6.4 #1339

Open
sumit-cyber opened this issue Sep 25, 2023 · 9 comments
Labels
triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@sumit-cyber

Hi Team,

One high vulnerability, CVE-2023-39533, was found in Metrics Server v0.6.4.
This vulnerability is in the current Go version, 1.19.11.

Along with this, 3 other medium vulnerabilities:
CVE-2023-29409
CVE-2023-39319
CVE-2023-39318

When is there any release planned with the mentioned vulnerability fixes?

@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Sep 25, 2023
@dashpole

dashpole commented Oct 5, 2023

/traige accepted
/assign @serathius

@dashpole

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Oct 19, 2023
@mitchellmaler

Hello @dashpole, we are also seeing CVE-2023-44487 as part of the package. This requires upgrading golang to a newer patch version to pull in the latest net package.

@serathius
Contributor

Contributions are welcomed!

@sumit-cyber
Author

Hi @serathius,

One new critical CVE, CVE-2023-39323, has been reported in the existing Go package.
Could you please plan to upgrade the metrics-server version ASAP?

Thanks & Regards
Sumit thakur

@serathius
Contributor

Contributions are welcomed!

@serathius serathius removed their assignment Nov 3, 2023
@sumit-cyber
Author

Hi Team,
When is there a plan for metrics-server v0.6.5?

@dgrisonnet
Member

The plan is to cut v0.7.0 next: #1165

@ricardoapl

ricardoapl commented May 27, 2024

I believe https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.1 is not affected by any of these.

Should we close this issue?

By the way, some of these don't seem to affect metrics-server, namely

Perhaps we can use VEX in the future to communicate this to users instead:

#1499

Edited: html/template does seem to come in as a transitive dependency from Prometheus packages, but I still think metrics-server was not affected.
