CVE high security vulnerabilities found in image: quay.io/brancz/kube-rbac-proxy:v0.15.0 about kube-rbac-proxy HOT 14 OPEN

Thx for reporting this to us. We will create an update.

Most of the times the CVEs don't impact us directly, as we don't use those code paths.

from kube-rbac-proxy.

Those are indirect dependencies. I would need to bump k8s.io, which would lead to a potential err on everyone using deprecated flags. I need to check how to resolve this.

from kube-rbac-proxy.

thanks so much for working on this, appreciated.

from kube-rbac-proxy.

Hm, as I am working on that, I am surprised that it claims that we have go.opentelemetry.io/contrib/instrumentation v0.20.0.

We have already a replace directive to bump it to v0.44.0. So CVE-2023-45142 shouldn't be reported. I hope your tool interprets replace directives.

from kube-rbac-proxy.

The CVEs are related to the HTTP/2 issue, right? We added the capability to disable HTTP/2.

from kube-rbac-proxy.

The tool: trivy or grype are open source vulnerabilities scan tools, you can install them on your machine and scan the image.

Not sure if you can upgrade the dependency according to below instructions?

thanks

Jane

from kube-rbac-proxy.

Oh, thanks for the hint. I will check them out!

from kube-rbac-proxy.

#276, should solve it.

from kube-rbac-proxy.

With v0.16.0 only otelgrpc remained as go.mod has v0.42.0 and fix is in v0.46.0
│ go.opentelemetry.io/contrib/instrumentation/google.golang.o- │ CVE-2023-47108 │ HIGH │ v0.20.0 │ 0.46.0 │ otelgrpc DoS vulnerability due to unbound cardinality │ │ rg/grpc/otelgrpc

from kube-rbac-proxy.

@ibihim there is still one high security vuln which needs to be fixed:

grype quay.io/brancz/kube-rbac-proxy:v0.16.0
 ✔ Vulnerability DB                [updated]  
 ✔ Parsed image                                                                                   sha256:2e4f0cff00eb27ccf559d9e80b7f4f46c673dcab0979aa1838718df415d4c1ee
 ✔ Cataloged packages              [101 packages]  
 ✔ Scanned for vulnerabilities     [1 vulnerability matches]  
   ├── by severity: 0 critical, 1 high, 0 medium, 0 low, 0 negligible
   └── by status:   1 fixed, 0 not-fixed, 0 ignored 
[0040]  WARN some package(s) are missing CPEs. This may result in missing vulnerabilities. You may autogenerate these using: --add-cpes-if-none
NAME                                                                         INSTALLED  FIXED-IN  TYPE       VULNERABILITY        SEVERITY 
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc  v0.42.0    0.46.0    go-module  GHSA-8pgv-569h-w5rw  High

Affected code: https://github.com/brancz/kube-rbac-proxy/blob/release-0.16.0/go.mod#L72

Could you help fix it?

thanks

Jane

from kube-rbac-proxy.

Hi,

I will take a look, but CVEs in dependencies that are not within the code path of kube-rbac-proxy are not a priority. kube-rbac-proxy doesn't use any instrumentation itself.

I am the only maintainer and I need to prioritize and code changes to satisfy code scanners are not at the top. (In case you are curious: 1. Real CVEs, 2. Bugs, 3. the work to make it a kubernetes project is).

It is especially annoying to fix if upstream doesn't care too:
kubernetes/kubernetes#121338 (comment)

from kube-rbac-proxy.

Should be fixed with: #287

from kube-rbac-proxy.