Keda 2.13.1 Sysdig scan Vulnerabilities CVE-2024-27304 CVE-2024-24786 CVE-2024-28110 CVE-2024-28180 about keda HOT 6 CLOSED

I am closing this issue as KEDA 2.14.0 has passed the scan. I highly appreciate the remediation. Thanks a lot for the awesome project.

from keda.

Hello @amardeep2006 ,
Thanks for reporting! We don't have plans for any hotfix release for versions v2.13 as the v2.14 will be released this month. Some of the issues are already solved in main (such us this) but it'd be nice if you can test main tag to double check if there are still present on that version.

from keda.

Thanks @JorTurFer . I did a rescan of main tag and CVE-2024-28180 in github.com/go-jose/go-jose/v3 - v3.0.1 is fixed.

Here are the Vulnerabilities that still needs to be looked into :

GHSA-mrww-27vc-gghv in github.com/jackc/pgx/v5 - v5.5.2
GHSA-8r3f-844c-mc37 in google.golang.org/protobuf - v1.32.0
GHSA-5pf6-2qwx-pxm2 in github.com/cloudevents/sdk-go/v2 - v2.14.0

from keda.

keda-metrics-apiserver also needs some dependency bump .

GHSA-mrww-27vc-gghv in github.com/jackc/pgx/v5 - v5.5.2
GHSA-8r3f-844c-mc37 in google.golang.org/protobuf - v1.32.0

from keda.

Thanks for reporting, let's mitigate these in 2.14

from keda.

I am closing this issue as KEDA 2.14.0 has passed the scan. I highly appreciate the remediation. Thanks a lot for the awesome project.

Thank you for checking it and reporting the feedback too! ❤️

from keda.