
kad's Introduction

Extensible open-source framework that integrates and scales your DevSecOps and MLOps stacks as you need.

Kad

Universal Integrator: a framework for integrating easily with other tools and platforms in order to use their APIs, gRPC endpoints, databases, workflows, etc., and for developing workflows around them. The framework is built on Temporal and NATS.

Name: Kad is a Haitian Creole word that translates to "framework".


kad's People

Contributors

abhi-intelops, akash4sh, alanjino, anil-intelops, anil-sarodh, deepsourcebot, devopstoday11, indresh-28, indresh-h-k, jebjohns, mend-bolt-for-github[bot], share2kanna, shifna12zarnaz, sol-dev-abhi, srikrishnabh, srikrishnabh1, vijeyash1, vramk23

kad's Issues

gorm.io/driver/postgres-v1.5.7: 2 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - gorm.io/driver/postgres-v1.5.7

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/github.com/jackc/pgx/v5/@v/v5.4.3.mod

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (gorm.io/driver/postgres-v1.5.7 version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2024-27304 | Critical | 9.8 | github.com/jackc/Pgx/v5-v5.4.3 | Transitive | N/A* | |
| CVE-2024-27289 | High | 8.1 | github.com/jackc/Pgx/v5-v5.4.3 | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-2024-27304

Vulnerable Library - github.com/jackc/Pgx/v5-v5.4.3

Library home page: https://proxy.golang.org/github.com/jackc/!pgx/v5/@v/v5.4.3.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/github.com/jackc/pgx/v5/@v/v5.4.3.mod

Dependency Hierarchy:

  • gorm.io/driver/postgres-v1.5.7 (Root Library)
    • github.com/jackc/Pgx/v5-v5.4.3 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control. The problem is resolved in v4.18.2 and v5.5.4. As a workaround, reject user input large enough to cause a single query or bind message to exceed 4 GB in size.

Publish Date: 2024-03-06

URL: CVE-2024-27304

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-mrww-27vc-gghv

Release Date: 2024-03-06

Fix Resolution: jackc/pgproto3 - v2.3.3, github.com/jackc/pgx - v4.18.2,v5.5.4


CVE-2024-27289

Vulnerable Library - github.com/jackc/Pgx/v5-v5.4.3

Library home page: https://proxy.golang.org/github.com/jackc/!pgx/v5/@v/v5.4.3.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/github.com/jackc/pgx/v5/@v/v5.4.3.mod

Dependency Hierarchy:

  • gorm.io/driver/postgres-v1.5.7 (Root Library)
    • github.com/jackc/Pgx/v5-v5.4.3 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2, SQL injection can occur when all of the following conditions are met: the non-default simple protocol is used; a placeholder for a numeric value must be immediately preceded by a minus; there must be a second placeholder for a string value after the first placeholder; both must be on the same line; and both parameter values must be user-controlled. The problem is resolved in v4.18.2. As a workaround, do not use the simple protocol or do not place a minus directly before a placeholder.

Publish Date: 2024-03-06

URL: CVE-2024-27289

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-m7wr-2xf7-cm9p

Release Date: 2024-03-06

Fix Resolution: v4.18.2,v5.5.4


github.com/gin-GONIC/gin-v1.8.1: 2 vulnerabilities (highest severity is: 7.3) - autoclosed

Vulnerable Library - github.com/gin-GONIC/gin-v1.8.1

Gin is an HTTP web framework written in Go (Golang). It features a Martini-like API with much better performance -- up to 40 times faster. If you need smashing performance, get yourself some Gin.

Library home page: https://proxy.golang.org/github.com/gin-gonic/gin/@v/v1.8.1.zip

Found in HEAD commit: a6129ad9ee3f387147dc91f0d67ca21dfa191ecf

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (github.com/gin-GONIC/gin-v1.8.1 version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-26125 | High | 7.3 | github.com/gin-GONIC/gin-v1.8.1 | Direct | v1.9.0 | |
| CVE-2023-29401 | Medium | 4.3 | github.com/gin-GONIC/gin-v1.8.1 | Direct | N/A | |

**In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-2023-26125

Vulnerable Library - github.com/gin-GONIC/gin-v1.8.1

Gin is an HTTP web framework written in Go (Golang). It features a Martini-like API with much better performance -- up to 40 times faster. If you need smashing performance, get yourself some Gin.

Library home page: https://proxy.golang.org/github.com/gin-gonic/gin/@v/v1.8.1.zip

Dependency Hierarchy:

  • github.com/gin-GONIC/gin-v1.8.1 (Vulnerable Library)

Found in HEAD commit: a6129ad9ee3f387147dc91f0d67ca21dfa191ecf

Found in base branch: main

Vulnerability Details

Versions of the package github.com/gin-gonic/gin before 1.9.0 are vulnerable to Improper Input Validation by allowing an attacker to use a specially crafted request via the X-Forwarded-Prefix header, potentially leading to cache poisoning.

Note: Although this issue does not pose a significant threat on its own, it can serve as an input vector for other, more impactful vulnerabilities. Successful exploitation may depend on the server configuration and on whether the header is used in the application logic.

Publish Date: 2023-05-04

URL: CVE-2023-26125

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Release Date: 2023-05-04

Fix Resolution: v1.9.0


CVE-2023-29401

Vulnerable Library - github.com/gin-GONIC/gin-v1.8.1

Gin is an HTTP web framework written in Go (Golang). It features a Martini-like API with much better performance -- up to 40 times faster. If you need smashing performance, get yourself some Gin.

Library home page: https://proxy.golang.org/github.com/gin-gonic/gin/@v/v1.8.1.zip

Dependency Hierarchy:

  • github.com/gin-GONIC/gin-v1.8.1 (Vulnerable Library)

Found in HEAD commit: a6129ad9ee3f387147dc91f0d67ca21dfa191ecf

Found in base branch: main

Vulnerability Details

The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of "setup.bat";x=.txt" will be sent as a file named "setup.bat". If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different from the one provided. In short, a maliciously crafted attachment file name can modify the Content-Disposition header.

Publish Date: 2023-06-08

URL: CVE-2023-29401

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None


github.com/go-git/go-git/v5-v5.4.2: 1 vulnerability (highest severity is: 7.5) - autoclosed

Vulnerable Library - github.com/go-git/go-git/v5-v5.4.2

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/golang.org/x/net/@v/v0.14.0.mod

Found in HEAD commit: ab3cb6049059190e86992db33da58a3059c73b44

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (github.com/go-git/go-git/v5-v5.4.2 version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-39325 | High | 7.5 | golang.org/x/net-v0.14.0 | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-2023-39325

Vulnerable Library - golang.org/x/net-v0.14.0

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.14.0.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/golang.org/x/net/@v/v0.14.0.mod

Dependency Hierarchy:

  • github.com/go-git/go-git/v5-v5.4.2 (Root Library)
    • golang.org/x/net-v0.14.0 (Vulnerable Library)

Found in HEAD commit: ab3cb6049059190e86992db33da58a3059c73b44

Found in base branch: main

Vulnerability Details

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.

Publish Date: 2023-10-11

URL: CVE-2023-39325

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2023-2102

Release Date: 2023-10-11

Fix Resolution: go1.20.10, go1.21.3, golang.org/x/net - v0.17.0


Tekton Plugin

Create a Tekton plugin to push the Tekton configuration files to the new empty repo in Git.

github.com/argoproj/argo-cd/v2-v2.5.5: 1 vulnerability (highest severity is: 4.6) - autoclosed

Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.5.5

Path to dependency file: /capten/go.mod

Path to vulnerable library: /capten/go.mod

Found in HEAD commit: ef6d2d14ba20ad161dda103d1ac6ed92c19687bb

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (github.com/argoproj/argo-cd/v2-v2.5.5 version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2021-3636 | Medium | 4.6 | k8s.io/kuberneteS-v1.24.2 | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-2021-3636

Vulnerable Library - k8s.io/kuberneteS-v1.24.2

Library home page: https://proxy.golang.org/k8s.io/kubernetes/@v/v1.24.2.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /capten/go.mod

Dependency Hierarchy:

  • github.com/argoproj/argo-cd/v2-v2.5.5 (Root Library)
    • github.com/argoproj/gitops-engine-v0.7.1-0.20221004132320-98ccd3d43fd9
      • k8s.io/kuberneteS-v1.24.2 (Vulnerable Library)

Found in HEAD commit: ef6d2d14ba20ad161dda103d1ac6ed92c19687bb

Found in base branch: main

Vulnerability Details

It was found in OpenShift, before version 4.8, that the generated certificate for the in-cluster Service CA incorrectly included additional certificates. The Service CA is automatically mounted into all pods, allowing them to safely connect to trusted in-cluster services that present certificates signed by the trusted Service CA. The incorrect inclusion of additional CAs in this certificate would allow an attacker who compromises any of the additional CAs to masquerade as a trusted in-cluster service.

Publish Date: 2021-07-30

URL: CVE-2021-3636

CVSS 3 Score Details (4.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1978621

Fix Resolution: Upgrade to OpenShift 4.8 or greater

create new vault service at agent side

We want a new service for handling the Vault requests from the SaaS server. VaultService will handle secret creation and token creation for other services to fetch secrets from Vault.

k8s.io/Apimachinery-v0.24.2: 1 vulnerability (highest severity is: 7.5)

Vulnerable Library - k8s.io/Apimachinery-v0.24.2


Library home page: https://proxy.golang.org/k8s.io/apimachinery/@v/v0.24.2.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/k8s.io/apimachinery/@v/v0.24.2.mod

Found in HEAD commit: ef6d2d14ba20ad161dda103d1ac6ed92c19687bb

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (k8s.io/Apimachinery-v0.24.2 version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-44487 | High | 7.5 | k8s.io/Apimachinery-v0.24.2 | Direct | org.eclipse.jetty.http2:http2-server:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-server:12.0.2, org.eclipse.jetty.http2:http2-common:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-common:12.0.2, nghttp - v1.57.0, swift-nio-http2 - 1.28.0, io.netty:netty-codec-http2:4.1.100.Final, trafficserver - 9.2.3, org.apache.tomcat:tomcat-coyote:8.5.94,9.0.81,10.1.14, org.apache.tomcat.embed:tomcat-embed-core:8.5.94,9.0.81,10.1.14, Microsoft.AspNetCore.App - 6.0.23,7.0.12, contour - v1.26.1, proxygen - v2023.10.16.00, grpc-go - v1.56.3,v1.57.1,v1.58.3, kubernetes/kubernetes - v1.25.15,v1.26.10,v1.27.7,v1.28.3,v1.29.0, kubernetes/apimachinery - v0.25.15,v0.26.10,v0.27.7,v0.28.3,v0.29.0 | |

**In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-2023-44487

Vulnerable Library - k8s.io/Apimachinery-v0.24.2


Library home page: https://proxy.golang.org/k8s.io/apimachinery/@v/v0.24.2.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/k8s.io/apimachinery/@v/v0.24.2.mod

Dependency Hierarchy:

  • k8s.io/Apimachinery-v0.24.2 (Vulnerable Library)

Found in HEAD commit: ef6d2d14ba20ad161dda103d1ac6ed92c19687bb

Found in base branch: main

Vulnerability Details

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Publish Date: 2023-10-10

URL: CVE-2023-44487

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-44487

Release Date: 2023-10-10

Fix Resolution: org.eclipse.jetty.http2:http2-server:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-server:12.0.2, org.eclipse.jetty.http2:http2-common:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-common:12.0.2, nghttp - v1.57.0, swift-nio-http2 - 1.28.0, io.netty:netty-codec-http2:4.1.100.Final, trafficserver - 9.2.3, org.apache.tomcat:tomcat-coyote:8.5.94,9.0.81,10.1.14, org.apache.tomcat.embed:tomcat-embed-core:8.5.94,9.0.81,10.1.14, Microsoft.AspNetCore.App - 6.0.23,7.0.12, contour - v1.26.1, proxygen - v2023.10.16.00, grpc-go - v1.56.3,v1.57.1,v1.58.3, kubernetes/kubernetes - v1.25.15,v1.26.10,v1.27.7,v1.28.3,v1.29.0, kubernetes/apimachinery - v0.25.15,v0.26.10,v0.27.7,v0.28.3,v0.29.0


helm.sh/helm/v3-v3.9.4: 5 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - helm.sh/helm/v3-v3.9.4

The Kubernetes Package Manager

Library home page: https://proxy.golang.org/helm.sh/helm/v3/@v/v3.9.4.zip

Found in HEAD commit: 8f950c4fe3c892e8dcf33c2bda5d12798b34de69

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (helm.sh/helm/v3-v3.9.4 version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-23526 | High | 7.5 | helm.sh/helm/v3-v3.9.4 | Direct | v3.10.3 | |
| CVE-2022-23524 | High | 7.5 | helm.sh/helm/v3-v3.9.4 | Direct | v3.10.3 | |
| CVE-2022-23525 | High | 7.5 | helm.sh/helm/v3-v3.9.4 | Direct | v3.10.3 | |
| CVE-2022-23471 | Medium | 6.5 | github.com/containerd/containerd-v1.6.6 | Transitive | N/A* | |
| CVE-2022-36109 | Medium | 6.3 | github.com/docker/docker-v20.10.17+incompatible | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.

Details

CVE-2022-23526

Vulnerable Library - helm.sh/helm/v3-v3.9.4

The Kubernetes Package Manager

Library home page: https://proxy.golang.org/helm.sh/helm/v3/@v/v3.9.4.zip

Dependency Hierarchy:

  • helm.sh/helm/v3-v3.9.4 (Vulnerable Library)

Found in HEAD commit: 8f950c4fe3c892e8dcf33c2bda5d12798b34de69

Found in base branch: main

Vulnerability Details

Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the chartutil package that can cause a segmentation violation. The chartutil package contains a parser that loads a JSON Schema validation file. For example, the Helm client when rendering a chart will validate its values with the schema file. The chartutil package parses the schema file and loads it into structures Go can work with. Some schema files can cause array data structures to be created causing a memory violation. Applications that use the chartutil package in the Helm SDK to parse a schema file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been patched in 3.10.3. SDK users can validate schema files that are correctly formatted before passing them to the chartutil functions.

Publish Date: 2022-12-15

URL: CVE-2022-23526

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-67fx-wx78-jx33

Release Date: 2022-12-15

Fix Resolution: v3.10.3


CVE-2022-23524

Vulnerable Library - helm.sh/helm/v3-v3.9.4

The Kubernetes Package Manager

Library home page: https://proxy.golang.org/helm.sh/helm/v3/@v/v3.9.4.zip

Dependency Hierarchy:

  • helm.sh/helm/v3-v3.9.4 (Vulnerable Library)

Found in HEAD commit: 8f950c4fe3c892e8dcf33c2bda5d12798b34de69

Found in base branch: main

Vulnerability Details

Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to Uncontrolled Resource Consumption, resulting in Denial of Service. Input to functions in the strvals package can cause a stack overflow. In Go, a stack overflow cannot be recovered from. Applications that use functions from the strvals package in the Helm SDK can suffer a Denial of Service attack when they use this package and it panics. This issue has been patched in 3.10.3. SDK users can validate that strings supplied by users won't create large arrays causing significant memory usage before passing them to the strvals functions.

Publish Date: 2022-12-15

URL: CVE-2022-23524

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-6rx9-889q-vv2r

Release Date: 2022-12-15

Fix Resolution: v3.10.3


CVE-2022-23525

Vulnerable Library - helm.sh/helm/v3-v3.9.4

The Kubernetes Package Manager

Library home page: https://proxy.golang.org/helm.sh/helm/v3/@v/v3.9.4.zip

Dependency Hierarchy:

  • helm.sh/helm/v3-v3.9.4 (Vulnerable Library)

Found in HEAD commit: 8f950c4fe3c892e8dcf33c2bda5d12798b34de69

Found in base branch: main

Vulnerability Details

Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the repo package. The repo package contains a handler that processes the index file of a repository. For example, the Helm client adds references to chart repositories where charts are managed. The repo package parses the index file of the repository and loads it into structures Go can work with. Some index files can cause array data structures to be created causing a memory violation. Applications that use the repo package in the Helm SDK to parse an index file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with an index file that causes a memory violation panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been patched in 3.10.3. SDK users can validate index files that are correctly formatted before passing them to the repo functions.

Publish Date: 2022-12-15

URL: CVE-2022-23525

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23525

Release Date: 2022-12-15

Fix Resolution: v3.10.3


CVE-2022-23471

Vulnerable Library - github.com/containerd/containerd-v1.6.6

An open and reliable container runtime

Library home page: https://proxy.golang.org/github.com/containerd/containerd/@v/v1.6.6.zip

Dependency Hierarchy:

  • helm.sh/helm/v3-v3.9.4 (Root Library)
    • github.com/containerd/containerd-v1.6.6 (Vulnerable Library)

Found in HEAD commit: 8f950c4fe3c892e8dcf33c2bda5d12798b34de69

Found in base branch: main

Vulnerability Details

containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers.

Publish Date: 2022-12-07

URL: CVE-2022-23471

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23471

Release Date: 2022-12-07

Fix Resolution: v1.6.12


CVE-2022-36109

Vulnerable Library - github.com/docker/docker-v20.10.17+incompatible

Library home page: https://proxy.golang.org/github.com/docker/docker/@v/v20.10.17+incompatible.zip

Dependency Hierarchy:

  • helm.sh/helm/v3-v3.9.4 (Root Library)
    • oras.land/oras-go-v1.2.0
      • github.com/docker/docker-v20.10.17+incompatible (Vulnerable Library)

Found in HEAD commit: 8f950c4fe3c892e8dcf33c2bda5d12798b34de69

Found in base branch: main

Vulnerability Details

Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker Engine) 20.10.18. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, this problem can be worked around by not using the "USER $USERNAME" Dockerfile instruction. Instead by calling ENTRYPOINT ["su", "-", "user"] the supplementary groups will be set up properly.

Publish Date: 2022-09-09

URL: CVE-2022-36109

CVSS 3 Score Details (6.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: GHSA-rc4r-wh2q-q6c4

Release Date: 2022-09-09

Fix Resolution: v20.10.18


helm.sh/helm/v3-v3.10.1: 4 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - helm.sh/helm/v3-v3.10.1

The Kubernetes Package Manager

Library home page: https://proxy.golang.org/helm.sh/helm/v3/@v/v3.10.1.zip

Found in HEAD commit: 57ddb5ca43c0409d3923685a01aadec95c599838

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (helm.sh/helm/v3-v3.10.1 version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-23526 | High | 7.5 | helm.sh/helm/v3-v3.10.1 | Direct | v3.10.3 | |
| CVE-2022-23524 | High | 7.5 | helm.sh/helm/v3-v3.10.1 | Direct | v3.10.3 | |
| CVE-2022-23525 | High | 7.5 | helm.sh/helm/v3-v3.10.1 | Direct | v3.10.3 | |
| CVE-2022-23471 | Medium | 6.5 | github.com/containerd/containerd-v1.6.8 | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.

Details

CVE-2022-23526

Vulnerable Library - helm.sh/helm/v3-v3.10.1

The Kubernetes Package Manager

Library home page: https://proxy.golang.org/helm.sh/helm/v3/@v/v3.10.1.zip

Dependency Hierarchy:

  • helm.sh/helm/v3-v3.10.1 (Vulnerable Library)

Found in HEAD commit: 57ddb5ca43c0409d3923685a01aadec95c599838

Found in base branch: main

Vulnerability Details

Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the chartutil package that can cause a segmentation violation. The chartutil package contains a parser that loads a JSON Schema validation file. For example, the Helm client when rendering a chart will validate its values with the schema file. The chartutil package parses the schema file and loads it into structures Go can work with. Some schema files can cause array data structures to be created causing a memory violation. Applications that use the chartutil package in the Helm SDK to parse a schema file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been patched in 3.10.3. SDK users can validate schema files that are correctly formatted before passing them to the chartutil functions.

Publish Date: 2022-12-15

URL: CVE-2022-23526

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-67fx-wx78-jx33

Release Date: 2022-12-15

Fix Resolution: v3.10.3

Step up your Open Source Security Game with Mend here

CVE-2022-23524

Vulnerable Library - helm.sh/helm/v3-v3.10.1

The Kubernetes Package Manager

Library home page: https://proxy.golang.org/helm.sh/helm/v3/@v/v3.10.1.zip

Dependency Hierarchy:

  • helm.sh/helm/v3-v3.10.1 (Vulnerable Library)

Found in HEAD commit: 57ddb5ca43c0409d3923685a01aadec95c599838

Found in base branch: main

Vulnerability Details

Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to Uncontrolled Resource Consumption, resulting in Denial of Service. Input to functions in the strvals package can cause a stack overflow. In Go, a stack overflow cannot be recovered from. Applications that use functions from the strvals package in the Helm SDK can have a Denial of Service attack when they use this package and it panics. This issue has been patched in 3.10.3. SDK users can validate strings supplied by users won't create large arrays causing significant memory usage before passing them to the strvals functions.

Publish Date: 2022-12-15

URL: CVE-2022-23524

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-6rx9-889q-vv2r

Release Date: 2022-12-15

Fix Resolution: v3.10.3

CVE-2022-23525

Vulnerable Library - helm.sh/helm/v3-v3.10.1

The Kubernetes Package Manager

Library home page: https://proxy.golang.org/helm.sh/helm/v3/@v/v3.10.1.zip

Dependency Hierarchy:

  • helm.sh/helm/v3-v3.10.1 (Vulnerable Library)

Found in HEAD commit: 57ddb5ca43c0409d3923685a01aadec95c599838

Found in base branch: main

Vulnerability Details

Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the repo package. The repo package contains a handler that processes the index file of a repository. For example, the Helm client adds references to chart repositories where charts are managed. The repo package parses the index file of the repository and loads it into structures Go can work with. Some index files can cause array data structures to be created causing a memory violation. Applications that use the repo package in the Helm SDK to parse an index file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with an index file that causes a memory violation panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been patched in 3.10.3. SDK users can validate index files that are correctly formatted before passing them to the repo functions.
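
The three Helm entries above share one mitigation: check untrusted input before it reaches chartutil, repo or strvals. The following is an added example, not code from kad or from Helm, showing a standard-library pre-check a caller of the Helm SDK could run first: a streaming JSON walker that bounds size, nesting depth and token count (a values.schema.json is JSON; the repository index is YAML, so the same bounded-walk idea would be applied with a YAML decoder), and a shape check for one --set style key=value string that bounds path depth and array index. The function names, error values and limits are assumptions; the Helm SDK calls themselves are left to the caller.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

var (
	ErrTooLarge        = errors.New("input exceeds size limit")
	ErrTooDeep         = errors.New("input nests deeper than the limit")
	ErrTooManyElements = errors.New("input has more elements than the limit")
	ErrIndexTooLarge   = errors.New("array index exceeds the limit")
	ErrTruncated       = errors.New("input ends inside an open object or array")
)

// Limits bounds the shape of a JSON document before it is handed to a parser
// that materialises it (for example a values.schema.json given to chartutil).
// The values used below are assumptions, not Helm defaults.
type Limits struct {
	MaxBytes    int64
	MaxDepth    int
	MaxElements int
}

type countingReader struct {
	r io.Reader
	n int64
}

func (c *countingReader) Read(p []byte) (int, error) {
	n, err := c.r.Read(p)
	c.n += int64(n)
	return n, err
}

// CheckJSONShape streams tokens without building the document, so it costs
// O(1) memory regardless of how many nested arrays the input tries to create.
func CheckJSONShape(r io.Reader, lim Limits) error {
	cr := &countingReader{r: io.LimitReader(r, lim.MaxBytes+1)}
	dec := json.NewDecoder(cr)
	depth, elems := 0, 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		}
		if err != nil {
			if cr.n > lim.MaxBytes {
				return ErrTooLarge // a document cut off by the size limit usually fails here
			}
			return fmt.Errorf("invalid JSON: %w", err)
		}
		if elems++; elems > lim.MaxElements {
			return ErrTooManyElements
		}
		if d, ok := tok.(json.Delim); ok {
			switch d {
			case '{', '[':
				if depth++; depth > lim.MaxDepth {
					return ErrTooDeep
				}
			case '}', ']':
				depth--
			}
		}
	}
	if cr.n > lim.MaxBytes {
		return ErrTooLarge
	}
	if depth != 0 {
		return ErrTruncated
	}
	return nil
}

// CheckSetValue bounds a single "path.to[idx].key=value" string of the kind
// strvals parses from --set, rejecting long strings, deep paths and huge
// array indexes before strvals recurses over them. Comma-separated lists and
// escaped commas are not handled; split them first.
func CheckSetValue(s string, maxLen, maxDepth, maxIndex int) error {
	if len(s) > maxLen {
		return ErrTooLarge
	}
	key := s
	if i := strings.IndexByte(s, '='); i >= 0 {
		key = s[:i]
	}
	depth := 0
	for i := 0; i < len(key); i++ {
		switch key[i] {
		case '.':
			depth++
		case '[':
			depth++
			j := strings.IndexByte(key[i:], ']')
			if j < 0 {
				return errors.New("unterminated array index")
			}
			idx, err := strconv.Atoi(key[i+1 : i+j])
			if err != nil {
				return fmt.Errorf("non-numeric array index %q", key[i+1:i+j])
			}
			if idx < 0 || idx > maxIndex {
				return ErrIndexTooLarge
			}
			i += j
		}
		if depth > maxDepth {
			return ErrTooDeep
		}
	}
	return nil
}

func main() {
	// Constructed inputs: a small valid schema, an over-nested one, and a
	// --set string that would ask strvals to build a ~1e9-element array.
	lim := Limits{MaxBytes: 1 << 20, MaxDepth: 16, MaxElements: 10000}
	fmt.Println(CheckJSONShape(strings.NewReader(`{"type":"object","properties":{"replicas":{"type":"integer"}}}`), lim))
	fmt.Println(CheckJSONShape(strings.NewReader(`{"a":`+strings.Repeat("[", 40)+strings.Repeat("]", 40)+`}`), lim))
	fmt.Println(CheckSetValue("a[999999999]=x", 4096, 32, 1000))
}
```

Call CheckJSONShape on the schema bytes before chartutil loads them, and CheckSetValue on each --set fragment before strvals parses it; the pre-check rejects the input with an error where the SDK versions listed above would panic.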

Publish Date: 2022-12-15

URL: CVE-2022-23525

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23525

Release Date: 2022-12-15

Fix Resolution: v3.10.3

CVE-2022-23471

Vulnerable Library - github.com/containerd/containerd-v1.6.8

An open and reliable container runtime

Library home page: https://proxy.golang.org/github.com/containerd/containerd/@v/v1.6.8.zip

Dependency Hierarchy:

  • helm.sh/helm/v3-v3.10.1 (Root Library)
    • github.com/containerd/containerd-v1.6.8 (Vulnerable Library)

Found in HEAD commit: 57ddb5ca43c0409d3923685a01aadec95c599838

Found in base branch: main

Vulnerability Details

containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers.

Publish Date: 2022-12-07

URL: CVE-2022-23471

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23471

Release Date: 2022-12-07

Fix Resolution: v1.6.12

google.golang.org/grpc-v1.57.0: 1 vulnerability (highest severity is: 7.5) - autoclosed

Vulnerable Library - google.golang.org/grpc-v1.57.0

Path to dependency file: /server/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/golang.org/x/net/@v/v0.14.0.mod

Found in HEAD commit: 1b63ec74f1f20f301a5b348ef0ab415d030e8b30

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (google.golang.org/grpc-v1.57.0 version) Remediation Possible**
CVE-2023-39325 High 7.5 golang.org/x/net-v0.14.0 Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-39325

Vulnerable Library - golang.org/x/net-v0.14.0

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.14.0.zip

Path to dependency file: /server/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/golang.org/x/net/@v/v0.14.0.mod

Dependency Hierarchy:

  • google.golang.org/grpc-v1.57.0 (Root Library)
    • golang.org/x/net-v0.14.0 (Vulnerable Library)

Found in HEAD commit: 1b63ec74f1f20f301a5b348ef0ab415d030e8b30

Found in base branch: main

Vulnerability Details

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.

Publish Date: 2023-10-11

URL: CVE-2023-39325

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2023-2102

Release Date: 2023-10-11

Fix Resolution: go1.20.10, go1.21.3, golang.org/x/net - v0.17.0

github.com/gin-gonic/gin-v1.8.1: 2 vulnerabilities (highest severity is: 7.3) - autoclosed

Vulnerable Library - github.com/gin-gonic/gin-v1.8.1

Gin is a HTTP web framework written in Go (Golang). It features a Martini-like API with much better performance -- up to 40 times faster. If you need smashing performance, get yourself some Gin.

Library home page: https://proxy.golang.org/github.com/gin-gonic/gin/@v/v1.8.1.zip

Found in HEAD commit: 8f950c4fe3c892e8dcf33c2bda5d12798b34de69

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (github.com/gin-gonic/gin-v1.8.1 version) Remediation Available
CVE-2023-26125 High 7.3 github.com/gin-gonic/gin-v1.8.1 Direct v1.9.0
CVE-2023-29401 Medium 4.3 github.com/gin-gonic/gin-v1.8.1 Direct N/A

Details

CVE-2023-26125

Vulnerable Library - github.com/gin-gonic/gin-v1.8.1

Gin is a HTTP web framework written in Go (Golang). It features a Martini-like API with much better performance -- up to 40 times faster. If you need smashing performance, get yourself some Gin.

Library home page: https://proxy.golang.org/github.com/gin-gonic/gin/@v/v1.8.1.zip

Dependency Hierarchy:

  • github.com/gin-gonic/gin-v1.8.1 (Vulnerable Library)

Found in HEAD commit: 8f950c4fe3c892e8dcf33c2bda5d12798b34de69

Found in base branch: main

Vulnerability Details

Versions of the package github.com/gin-gonic/gin before 1.9.0 are vulnerable to Improper Input Validation by allowing an attacker to use a specially crafted request via the X-Forwarded-Prefix header, potentially leading to cache poisoning.

Note: Although this issue does not pose a significant threat on its own it can serve as an input vector for other more impactful vulnerabilities. However, successful exploitation may depend on the server configuration and whether the header is used in the application logic.

Publish Date: 2023-05-04

URL: CVE-2023-26125

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2023-05-04

Fix Resolution: v1.9.0

CVE-2023-29401

Vulnerable Library - github.com/gin-gonic/gin-v1.8.1

Gin is a HTTP web framework written in Go (Golang). It features a Martini-like API with much better performance -- up to 40 times faster. If you need smashing performance, get yourself some Gin.

Library home page: https://proxy.golang.org/github.com/gin-gonic/gin/@v/v1.8.1.zip

Dependency Hierarchy:

  • github.com/gin-gonic/gin-v1.8.1 (Vulnerable Library)

Found in HEAD commit: 8f950c4fe3c892e8dcf33c2bda5d12798b34de69

Found in base branch: main

Vulnerability Details

The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of "setup.bat";x=.txt" will be sent as a file named "setup.bat". If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different than provided. Maliciously crafted attachment file name can modify the Content-Disposition header.
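
As an added example (neither gin's code nor kad's), the pair of header builders below contrasts the unsanitised pattern the advisory describes with one that delegates quoting to Go's mime package, and a parse step shows what a strict client recovers from each. The names naiveDisposition, safeDisposition and parsedFilename are chosen here; the attacker-controlled filename is the one quoted in the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"mime"
)

// naiveDisposition reproduces the weak pattern: the caller-supplied name is
// dropped into a quoted-string unescaped, so a '"' inside the name closes the
// value early and whatever follows becomes extra header parameters.
func naiveDisposition(name string) string {
	return fmt.Sprintf(`attachment; filename="%s"`, name)
}

// safeDisposition serialises the parameter with mime.FormatMediaType, which
// backslash-escapes '"' and '\' inside the quoted-string and emits non-ASCII
// names as RFC 2231 filename*=utf-8''... instead of raw bytes. It returns ""
// when the value cannot be encoded, which the caller must treat as an error.
func safeDisposition(name string) (string, error) {
	h := mime.FormatMediaType("attachment", map[string]string{"filename": name})
	if h == "" {
		return "", errors.New("filename cannot be encoded into Content-Disposition")
	}
	return h, nil
}

// parsedFilename returns the filename a strict parser (Go's mime package)
// extracts from a Content-Disposition value; it also decodes filename*.
func parsedFilename(header string) (string, error) {
	_, params, err := mime.ParseMediaType(header)
	if err != nil {
		return "", err
	}
	return params["filename"], nil
}

func main() {
	// Constructed attacker-controlled name, taken from the advisory text.
	name := `setup.bat";x=.txt`
	fmt.Println(naiveDisposition(name))
	if h, err := safeDisposition(name); err == nil {
		fmt.Println(h)
		fmt.Println(parsedFilename(h))
	}
	// A non-ASCII name exercises the RFC 2231 path.
	if h, err := safeDisposition("отчёт.pdf"); err == nil {
		fmt.Println(h)
		fmt.Println(parsedFilename(h))
	}
}
```

Browsers are more forgiving than mime.ParseMediaType and would read the naive header as a download named setup.bat; the escaped form keeps the whole name inside the quoted-string, and a non-ASCII name is emitted as filename*=utf-8'' rather than as raw bytes. Whatever the framework version, a filename taken from a request should also be reduced to a base name before it gets anywhere near this header.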

Publish Date: 2023-06-08

URL: CVE-2023-29401

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

github.com/argoproj/argo-cd/v2-v2.8.9: 18 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.8.9

Declarative Continuous Deployment for Kubernetes

Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (github.com/argoproj/argo-cd/v2-v2.8.9 version) Remediation Possible**
CVE-2024-21652 Critical 9.8 github.com/argoproj/argo-cd/v2-v2.8.9 Direct v2.8.13,v2.9.9,v2.10.4
CVE-2024-28175 Critical 9.0 github.com/argoproj/argo-cd/v2-v2.8.9 Direct v2.8.12,v2.9.8,v2.10.3
CVE-2023-3955 High 8.8 k8s.io/kubernetes-v1.24.2 Transitive N/A*
CVE-2023-3676 High 8.8 k8s.io/kubernetes-v1.24.2 Transitive N/A*
CVE-2024-21662 High 7.5 github.com/argoproj/argo-cd/v2-v2.8.9 Direct v2.8.13,v2.9.9,v2.10.4
CVE-2024-21661 High 7.5 github.com/argoproj/argo-cd/v2-v2.8.9 Direct v2.8.13,v2.9.9,v2.10.4
CVE-2023-45288 High 7.5 golang.org/x/net-v0.21.0 Transitive N/A*
CVE-2023-44487 High 7.5 k8s.io/apiserver-v0.24.2 Transitive N/A*
CVE-2023-5408 High 7.2 k8s.io/kubernetes-v1.24.2 Transitive N/A*
CVE-2024-32476 Medium 6.5 github.com/argoproj/argo-cd/v2-v2.8.9 Direct v2.8.17,v2.9.13,v2.10.8
CVE-2024-29893 Medium 6.5 github.com/argoproj/argo-cd/v2-v2.8.9 Direct v2.8.14,v2.9.10,v2.10.5
CVE-2023-2728 Medium 6.5 k8s.io/kubernetes-v1.24.2 Transitive N/A*
CVE-2023-2727 Medium 6.5 k8s.io/kubernetes-v1.24.2 Transitive N/A*
CVE-2023-50726 Medium 6.4 github.com/argoproj/argo-cd/v2-v2.8.9 Direct v2.8.12,v2.9.8,v2.10.3
CVE-2023-2431 Medium 5.5 k8s.io/kubernetes-v1.24.2 Transitive N/A*
CVE-2024-31990 Medium 4.8 github.com/argoproj/argo-cd/v2-v2.8.9 Direct v2.8.16,v2.9.12,v2.10.7
CVE-2024-28180 Medium 4.3 github.com/go-jose/go-jose/v3-v3.0.2 Transitive N/A*
CVE-2024-3177 Low 2.7 k8s.io/kubernetes-v1.24.2 Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-21652

Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.8.9

Declarative Continuous Deployment for Kubernetes

Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod

Dependency Hierarchy:

  • github.com/argoproj/argo-cd/v2-v2.8.9 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application's brute force login protection. This is a critical security vulnerability that allows attackers to bypass the brute force login protection mechanism. Not only can they crash the service affecting all users, but they can also make unlimited login attempts, increasing the risk of account compromise. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue.

Publish Date: 2024-03-18

URL: CVE-2024-21652

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-21652

Release Date: 2024-03-18

Fix Resolution: v2.8.13,v2.9.9,v2.10.4

CVE-2024-28175

Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.8.9

Declarative Continuous Deployment for Kubernetes

Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod

Dependency Hierarchy:

  • github.com/argoproj/argo-cd/v2-v2.8.9 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocols filtering of links specified in the link.argocd.argoproj.io annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. A patch for this vulnerability has been released in Argo CD versions v2.10.3 v2.9.8, and v2.8.12. There are no completely-safe workarounds besides upgrading. The safest alternative, if upgrading is not possible, would be to create a Kubernetes admission controller to reject any resources with an annotation starting with link.argocd.argoproj.io or reject the resource if the value use an improper URL protocol. This validation will need to be applied in all clusters managed by ArgoCD.
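
The advisory's fallback, an admission controller that rejects link.argocd.argoproj.io annotations carrying an improper URL protocol, comes down to one check per annotation. The following is an added example (not Argo CD's patch and not kad's code) of that check as a Go function, the kind a validating webhook would call on each object; the scheme allowlist, the rejection of relative links and the control-character stripping are my assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

const linkAnnotationPrefix = "link.argocd.argoproj.io"

// allowedSchemes is an assumption for this example; widen it only deliberately.
var allowedSchemes = map[string]bool{"http": true, "https": true}

// stripControl removes ASCII whitespace and control bytes. Browsers ignore
// them when resolving an href ("java\tscript:" still runs), but they would
// hide the scheme from url.Parse, which treats the value as a bare path.
func stripControl(s string) string {
	return strings.Map(func(r rune) rune {
		if r <= ' ' || r == 0x7f {
			return -1
		}
		return r
	}, s)
}

// checkLink reports whether a single annotation value is an absolute URL on
// an allowed scheme. Relative links are rejected too: a value with no scheme
// is ambiguous once the UI resolves it.
func checkLink(value string) error {
	u, err := url.Parse(stripControl(value))
	if err != nil {
		return fmt.Errorf("unparseable URL: %w", err)
	}
	if !allowedSchemes[u.Scheme] { // url.Parse lower-cases the scheme
		return fmt.Errorf("scheme %q is not allowed", u.Scheme)
	}
	return nil
}

// CheckLinkAnnotations validates every link.argocd.argoproj.io/* annotation on
// a resource; other annotations are ignored.
func CheckLinkAnnotations(annotations map[string]string) error {
	for k, v := range annotations {
		if !strings.HasPrefix(k, linkAnnotationPrefix) {
			continue
		}
		if err := checkLink(v); err != nil {
			return fmt.Errorf("annotation %s: %w", k, err)
		}
	}
	return nil
}

func main() {
	// Constructed annotation sets: one benign, three hostile.
	for _, a := range []map[string]string{
		{"link.argocd.argoproj.io/grafana": "https://grafana.example.internal/d/abc"},
		{"link.argocd.argoproj.io/x": "javascript:alert(document.cookie)"},
		{"link.argocd.argoproj.io/x": "\tJaVaScRiPt:alert(1)"},
		{"link.argocd.argoproj.io/x": "data:text/html;base64,PHNjcmlwdD4="},
	} {
		fmt.Println(CheckLinkAnnotations(a))
	}
}
```

Stripping ASCII whitespace and control bytes first matters: browsers ignore them when resolving an href, so a value such as "java\tscript:alert(1)" would pass a naive url.Parse-then-compare check as scheme-less. As the advisory says, the check must run in every cluster Argo CD manages, and it only protects unpatched instances; upgrading remains the fix.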

Publish Date: 2024-03-13

URL: CVE-2024-28175

CVSS 3 Score Details (9.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-jwv5-8mqv-g387

Release Date: 2024-03-13

Fix Resolution: v2.8.12,v2.9.8,v2.10.3

CVE-2023-3955

Vulnerable Library - k8s.io/kubernetes-v1.24.2

Library home page: https://proxy.golang.org/k8s.io/kubernetes/@v/v1.24.2.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/k8s.io/kubernetes/@v/v1.24.2.mod

Dependency Hierarchy:

  • github.com/argoproj/argo-cd/v2-v2.8.9 (Root Library)
    • github.com/argoproj/gitops-engine-v0.7.1-0.20230607163028-425d65e07695
      • k8s.io/kubernetes-v1.24.2 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.

Publish Date: 2023-10-31

URL: CVE-2023-3955

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://seclists.org/oss-sec/2023/q3/126

Release Date: 2023-07-27

Fix Resolution: v1.24.17,v1.25.13,v1.26.8,v1.27.5,v1.28.1

CVE-2023-3676

Vulnerable Library - k8s.io/kubernetes-v1.24.2

Library home page: https://proxy.golang.org/k8s.io/kubernetes/@v/v1.24.2.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/k8s.io/kubernetes/@v/v1.24.2.mod

Dependency Hierarchy:

  • github.com/argoproj/argo-cd/v2-v2.8.9 (Root Library)
    • github.com/argoproj/gitops-engine-v0.7.1-0.20230607163028-425d65e07695
      • k8s.io/kubernetes-v1.24.2 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.

Publish Date: 2023-10-31

URL: CVE-2023-3676

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2023-07-14

Fix Resolution: v1.24.17,v1.25.13,v1.26.8,v1.27.5,v1.28.1

CVE-2024-21662

Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.8.9

Declarative Continuous Deployment for Kubernetes

Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod

Dependency Hierarchy:

  • github.com/argoproj/argo-cd/v2-v2.8.9 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can effectively bypass the rate limit and brute force protections by exploiting the application's weak cache-based mechanism. This loophole in security can be combined with other vulnerabilities to attack the default admin account. This flaw undermines a patch for CVE-2020-8827 intended to protect against brute-force attacks. The application's brute force protection relies on a cache mechanism that tracks login attempts for each user. This cache is limited to a defaultMaxCacheSize of 1000 entries. An attacker can overflow this cache by bombarding it with login attempts for different users, thereby pushing out the admin account's failed attempts and effectively resetting the rate limit for that account. This is a severe vulnerability that enables attackers to perform brute force attacks at an accelerated rate, especially targeting the default admin account. Users should upgrade to version 2.8.13, 2.9.9, or 2.10.4 to receive a patch.
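
The cache-overflow mechanism described above is easy to reproduce in isolation. The following added example (not Argo CD's code; the hardened variant is an illustrative mitigation, not the project's actual patch) models a bounded failed-login cache with oldest-first eviction, shows the admin counter being flushed by a spray of distinct usernames, and contrasts it with a cache that refuses to evict locked entries. The sizes, thresholds and names are assumptions.

```go
package main

import "fmt"

// failureCache is a bounded, insertion-ordered map of user -> failed logins
// that evicts its oldest entry when full: the weak pattern described above.
type failureCache struct {
	max   int
	order []string // insertion order, oldest first
	count map[string]int
}

func newFailureCache(max int) *failureCache {
	return &failureCache{max: max, count: map[string]int{}}
}

func (c *failureCache) recordFailure(user string) {
	if _, seen := c.count[user]; !seen {
		if len(c.order) >= c.max {
			delete(c.count, c.order[0]) // evict the oldest entry, whatever its count
			c.order = c.order[1:]
		}
		c.order = append(c.order, user)
	}
	c.count[user]++
}

func (c *failureCache) failures(user string) int { return c.count[user] }

// pinnedCache is one mitigation (an assumption here, not Argo CD's patch):
// entries that have reached the lockout threshold are never evicted, and when
// every slot is pinned new failures land in a shared overflow counter, so a
// spray slows everyone down instead of silently resetting a locked account.
type pinnedCache struct {
	failureCache
	lockout  int
	overflow int
}

func newPinnedCache(max, lockout int) *pinnedCache {
	return &pinnedCache{failureCache: *newFailureCache(max), lockout: lockout}
}

func (c *pinnedCache) recordFailure(user string) {
	if _, seen := c.count[user]; !seen && len(c.order) >= c.max {
		victim := -1
		for i, u := range c.order {
			if c.count[u] < c.lockout { // first unlocked entry is evictable
				victim = i
				break
			}
		}
		if victim < 0 {
			c.overflow++ // every slot holds a locked account; count globally
			return
		}
		delete(c.count, c.order[victim])
		c.order = append(c.order[:victim], c.order[victim+1:]...)
	}
	c.failureCache.recordFailure(user)
}

// Simulate locks "admin" with `lockout` failures, then sprays one failure each
// for `spray` distinct usernames, and returns admin's counter before and after.
func Simulate(cacheSize, lockout, spray int) (before, after int) {
	c := newFailureCache(cacheSize)
	for i := 0; i < lockout; i++ {
		c.recordFailure("admin")
	}
	before = c.failures("admin")
	for i := 0; i < spray; i++ {
		c.recordFailure(fmt.Sprintf("nobody-%d", i))
	}
	return before, c.failures("admin")
}

// SimulateHardened runs the same spray against the pinned cache.
func SimulateHardened(cacheSize, lockout, spray int) (before, after int) {
	c := newPinnedCache(cacheSize, lockout)
	for i := 0; i < lockout; i++ {
		c.recordFailure("admin")
	}
	before = c.failures("admin")
	for i := 0; i < spray; i++ {
		c.recordFailure(fmt.Sprintf("nobody-%d", i))
	}
	return before, c.failures("admin")
}

func main() {
	// 1000 slots, as in the advisory; a spray of 1000 new names is enough.
	fmt.Println(Simulate(1000, 5, 1000))
	fmt.Println(SimulateHardened(1000, 5, 1000))
}
```

Simulate(1000, 5, 1000) returns before=5, after=0: the thousandth distinct username evicts the locked admin entry, and the next guess against admin starts from a clean counter. SimulateHardened with the same arguments returns 5 both times, at the cost of counting the excess failures in a shared bucket, which a real implementation would turn into a global slow-down rather than a silent drop.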

Publish Date: 2024-03-18

URL: CVE-2024-21662

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-2vgg-9h6w-m454

Release Date: 2024-03-18

Fix Resolution: v2.8.13,v2.9.9,v2.10.4

CVE-2024-21661

Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.8.9

Declarative Continuous Deployment for Kubernetes

Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod

Dependency Hierarchy:

  • github.com/argoproj/argo-cd/v2-v2.8.9 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a critical flaw in the application to initiate a Denial of Service (DoS) attack, rendering the application inoperable and affecting all users. The issue arises from unsafe manipulation of an array in a multi-threaded environment. The vulnerability is rooted in the application's code, where an array is being modified while it is being iterated over. This is a classic programming error but becomes critically unsafe when executed in a multi-threaded environment. When two threads interact with the same array simultaneously, the application crashes. This is a Denial of Service (DoS) vulnerability. Any attacker can crash the application continuously, making it impossible for legitimate users to access the service. The issue is exacerbated because it does not require authentication, widening the pool of potential attackers. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue.

Publish Date: 2024-03-18

URL: CVE-2024-21661

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-6v85-wr92-q4p7

Release Date: 2024-03-18

Fix Resolution: v2.8.13,v2.9.9,v2.10.4

CVE-2023-45288

Vulnerable Library - golang.org/x/net-v0.21.0

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.21.0.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/golang.org/x/net/@v/v0.21.0.mod

Dependency Hierarchy:

  • github.com/argoproj/argo-cd/v2-v2.8.9 (Root Library)
    • golang.org/x/net-v0.21.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
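
Both HTTP/2 advisories (CVE-2023-39325 above, CVE-2023-45288 here) and most of the transitive findings in these reports reduce to one question: is the pinned version of this module below the fixed version on its release branch? The added example below (not kad's code; the tool for this job in practice is govulncheck from golang.org/x/vuln) answers it for a handful of advisories transcribed from the Fix Resolution fields on this page, reading the "module version" lines that go list -m all prints. The module path example.com/app, the small advisory table and the branch rule (compare against the fixed version on the same major.minor, otherwise against the oldest fixed version) are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// advisory pairs a module with the versions that carry the fix, one per
// release branch where the project backported it. Entries are transcribed
// from the "Fix Resolution" fields in the reports above.
type advisory struct {
	id     string
	module string
	fixed  []string
}

var advisories = []advisory{
	{"CVE-2023-39325", "golang.org/x/net", []string{"v0.17.0"}},
	{"CVE-2023-45288", "golang.org/x/net", []string{"v0.23.0"}},
	{"CVE-2023-44487", "google.golang.org/grpc", []string{"v1.56.3", "v1.57.1", "v1.58.3"}},
	{"CVE-2022-23524", "helm.sh/helm/v3", []string{"v3.10.3"}},
	{"CVE-2023-26125", "github.com/gin-gonic/gin", []string{"v1.9.0"}},
	{"CVE-2024-21652", "github.com/argoproj/argo-cd/v2", []string{"v2.8.13", "v2.9.9", "v2.10.4"}},
}

// parseVersion reads the numeric part of vMAJOR.MINOR.PATCH and reports whether
// a pre-release or pseudo-version suffix ("-0.20230607163028-425d65e07695")
// followed it.
func parseVersion(v string) (nums [3]int, pre bool, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v, pre = v[:i], true
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, pre, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nums, pre, false
		}
		nums[i] = n
	}
	return nums, pre, true
}

// less orders the subset of semver used here: numeric triplets, with a
// pre-release or pseudo-version sorting below its base version.
func less(a, b string) bool {
	an, apre, _ := parseVersion(a)
	bn, bpre, _ := parseVersion(b)
	for i := range an {
		if an[i] != bn[i] {
			return an[i] < bn[i]
		}
	}
	return apre && !bpre
}

// affected decides per release branch: compare against the fixed version on
// the same major.minor when there is one; branches older than every fixed
// version are vulnerable; newer branches are assumed to carry the fix.
func affected(version string, fixed []string) bool {
	vn, _, ok := parseVersion(version)
	if !ok {
		return true // unparsable: surface it rather than silently pass
	}
	oldest := fixed[0]
	for _, f := range fixed {
		fn, _, _ := parseVersion(f)
		if fn[0] == vn[0] && fn[1] == vn[1] {
			return less(version, f)
		}
		if less(f, oldest) {
			oldest = f
		}
	}
	return less(version, oldest)
}

// Scan reads "module version" lines, as printed by `go list -m all`, and
// returns the advisory IDs that apply, keyed by "module@version".
func Scan(goList string) map[string][]string {
	findings := map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(goList))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 {
			continue // the main module line carries no version
		}
		mod, ver := fields[0], fields[1]
		for _, a := range advisories {
			if a.module == mod && affected(ver, a.fixed) {
				findings[mod+"@"+ver] = append(findings[mod+"@"+ver], a.id)
			}
		}
	}
	return findings
}

func main() {
	// Constructed `go list -m all` excerpt mirroring the versions in the reports.
	const sample = `example.com/app
golang.org/x/net v0.14.0
google.golang.org/grpc v1.57.0
helm.sh/helm/v3 v3.10.1
github.com/gin-gonic/gin v1.9.1
github.com/argoproj/argo-cd/v2 v2.8.9
github.com/argoproj/gitops-engine v0.7.1-0.20230607163028-425d65e07695`
	for k, ids := range Scan(sample) {
		fmt.Println(k, ids)
	}
}
```

Pipe go list -m all into Scan to get findings keyed by module@version. A pseudo-version such as v0.7.1-0.20230607163028-425d65e07695 sorts below its base version, which is the right call for a commit pinned before a tagged fix, but it is also why pins like the gitops-engine one in the dependency tree above need a real advisory database rather than a string compare.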

Publish Date: 2024-04-04

URL: CVE-2023-45288

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2023-10-06

Fix Resolution: golang/net - v0.23.0

CVE-2023-44487

Vulnerable Library - k8s.io/apiserver-v0.24.2

Library for writing a Kubernetes-style API server.

Library home page: https://proxy.golang.org/k8s.io/apiserver/@v/v0.24.2.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/k8s.io/apiserver/@v/v0.24.2.mod

Dependency Hierarchy:

  • github.com/argoproj/argo-cd/v2-v2.8.9 (Root Library)
    • github.com/argoproj/gitops-engine-v0.7.1-0.20230607163028-425d65e07695
      • k8s.io/kubernetes-v1.24.2
        • k8s.io/apiserver-v0.24.2 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Publish Date: 2023-10-10

URL: CVE-2023-44487

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-44487

Release Date: 2023-10-10

Fix Resolution (Go ecosystem, relevant to this dependency chain): grpc-go v1.56.3, v1.57.1, v1.58.3; kubernetes/kubernetes v1.25.15, v1.26.10, v1.27.7, v1.28.3, v1.29.0; kubernetes/apimachinery v0.25.15, v0.26.10, v0.27.7, v0.28.3, v0.29.0. For a Go module the fix ultimately comes from golang.org/x/net v0.17.0 and the Go 1.20.10 / 1.21.3 toolchains listed under CVE-2023-39325 above. The advisory also lists fixes for other HTTP/2 implementations that do not apply to this Go dependency: org.eclipse.jetty.http2:http2-server 9.4.53.v20231009, 10.0.17, 11.0.17; org.eclipse.jetty.http2:jetty-http2-server 12.0.2; org.eclipse.jetty.http2:http2-common 9.4.53.v20231009, 10.0.17, 11.0.17; org.eclipse.jetty.http2:jetty-http2-common 12.0.2; nghttp v1.57.0; swift-nio-http2 1.28.0; io.netty:netty-codec-http2 4.1.100.Final; trafficserver 9.2.3; org.apache.tomcat:tomcat-coyote 8.5.94, 9.0.81, 10.1.14; org.apache.tomcat.embed:tomcat-embed-core 8.5.94, 9.0.81, 10.1.14; Microsoft.AspNetCore.App 6.0.23, 7.0.12; contour v1.26.1; proxygen v2023.10.16.00.

CVE-2023-5408

Vulnerable Library - k8s.io/kubernetes-v1.24.2

Library home page: https://proxy.golang.org/k8s.io/kubernetes/@v/v1.24.2.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/k8s.io/kubernetes/@v/v1.24.2.mod

Dependency Hierarchy:

  • github.com/argoproj/argo-cd/v2-v2.8.9 (Root Library)
    • github.com/argoproj/gitops-engine-v0.7.1-0.20230607163028-425d65e07695
      • k8s.io/kubernetes-v1.24.2 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A privilege escalation flaw was found in the node restriction admission plugin of the Kubernetes API server of OpenShift. A remote attacker who modifies the node role label could steer workloads from the control plane and etcd nodes onto different worker nodes and gain broader access to the cluster. As the description states, this flaw is scoped to OpenShift's API server; confirm that it applies to the upstream k8s.io/kubernetes module matched here before treating the finding as actionable.

Publish Date: 2023-11-02

URL: CVE-2023-5408

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

CVE-2024-32476

Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.8.9

Declarative Continuous Deployment for Kubernetes

Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod

Dependency Hierarchy:

  • github.com/argoproj/argo-cd/v2-v2.8.9 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. There is a Denial of Service (DoS) vulnerability via OOM using jq in ignoreDifferences. This vulnerability has been patched in version(s) 2.10.7, 2.9.12 and 2.8.16.

Publish Date: 2024-04-26

URL: CVE-2024-32476

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-9m6p-x4h2-6frq

Release Date: 2024-04-26

Fix Resolution: v2.8.17,v2.9.13,v2.10.8

CVE-2024-29893

Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.8.9

Declarative Continuous Deployment for Kubernetes

Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod

Dependency Hierarchy:

  • github.com/argoproj/argo-cd/v2-v2.8.9 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, it's possible to crash the repo server component through an out-of-memory error by pointing it to a malicious Helm registry. The loadRepoIndex() function in ArgoCD's helm package does not limit the size of the response or the time spent fetching it. It fetches the data and creates a byte slice from it in one go. If the registry is implemented to push data continuously, the repo server will keep allocating memory until it runs out. A patch for this vulnerability has been released in v2.10.3, v2.9.8, and v2.8.12.

Publish Date: 2024-03-29

URL: CVE-2024-29893

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-jhwx-mhww-rgc3

Release Date: 2024-03-29

Fix Resolution: v2.8.14,v2.9.10,v2.10.5

CVE-2023-2728

Vulnerable Library - k8s.io/kubernetes-v1.24.2

Library home page: https://proxy.golang.org/k8s.io/kubernetes/@v/v1.24.2.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/k8s.io/kubernetes/@v/v1.24.2.mod

Dependency Hierarchy:

  • github.com/argoproj/argo-cd/v2-v2.8.9 (Root Library)
    • github.com/argoproj/gitops-engine-v0.7.1-0.20230607163028-425d65e07695
      • k8s.io/kubernetes-v1.24.2 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with ephemeral containers.

Publish Date: 2023-07-03

URL: CVE-2023-2728

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Release Date: 2023-05-16

Fix Resolution: v1.24.15,v1.25.11,v1.26.6,v1.27.3

CVE-2023-2727

Vulnerable Library - k8s.io/kubernetes-v1.24.2

Library home page: https://proxy.golang.org/k8s.io/kubernetes/@v/v1.24.2.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/k8s.io/kubernetes/@v/v1.24.2.mod

Dependency Hierarchy:

  • github.com/argoproj/argo-cd/v2-v2.8.9 (Root Library)
    • github.com/argoproj/gitops-engine-v0.7.1-0.20230607163028-425d65e07695
      • k8s.io/kubernetes-v1.24.2 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.

Publish Date: 2023-07-03

URL: CVE-2023-2727

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Release Date: 2023-05-16

Fix Resolution: v1.24.15,v1.25.11,v1.26.6,v1.27.3

CVE-2023-50726

Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.8.9

Declarative Continuous Deployment for Kubernetes

Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod

Dependency Hierarchy:

  • github.com/argoproj/argo-cd/v2-v2.8.9 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. "Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted users, since it allows the user to bypass any merge protections in git. An improper validation bug allows users who have create privileges but not override privileges to sync local manifests on app creation. All other restrictions, including AppProject restrictions, are still enforced. The only restriction which is not enforced is that the manifests come from some approved git/Helm/OCI source. The bug was introduced in 1.2.0-rc1 when the local manifest sync feature was added. The bug has been patched in Argo CD versions 2.10.3, 2.9.8, and 2.8.12. Users are advised to upgrade. Users unable to upgrade may mitigate the risk of branch protection bypass by removing the "applications, create" RBAC access. The only way to eliminate the issue without removing RBAC access is to upgrade to a patched version.

Publish Date: 2024-03-13

URL: CVE-2023-50726

CVSS 3 Score Details (6.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: GHSA-g623-jcgg-mhmm

Release Date: 2024-03-13

Fix Resolution: v2.8.12,v2.9.8,v2.10.3

CVE-2023-2431

Vulnerable Library - k8s.io/kubernetes-v1.24.2

Library home page: https://proxy.golang.org/k8s.io/kubernetes/@v/v1.24.2.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/k8s.io/kubernetes/@v/v1.24.2.mod

Dependency Hierarchy:

  • github.com/argoproj/argo-cd/v2-v2.8.9 (Root Library)
    • github.com/argoproj/gitops-engine-v0.7.1-0.20230607163028-425d65e07695
      • k8s.io/kubernetes-v1.24.2 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet.

Publish Date: 2023-06-16

URL: CVE-2023-2431

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-2431

Release Date: 2023-06-16

Fix Resolution: v1.24.14,v1.25.9,v1.26.4,v1.27.1

CVE-2024-31990

Vulnerable Library - github.com/argoproj/argo-cd/v2-v2.8.9

Declarative Continuous Deployment for Kubernetes

Library home page: https://proxy.golang.org/github.com/argoproj/argo-cd/v2/@v/v2.8.9.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/github.com/argoproj/argo-cd/v2/@v/v2.8.9.mod

Dependency Hierarchy:

  • github.com/argoproj/argo-cd/v2-v2.8.9 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces, which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulnerability is fixed in 2.10.7, 2.9.12, and 2.8.16.

Publish Date: 2024-04-15

URL: CVE-2024-31990

CVSS 3 Score Details (4.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-2gvw-w6fj-7m3c

Release Date: 2024-04-15

Fix Resolution: v2.8.16,v2.9.12,v2.10.7

CVE-2024-28180

Vulnerable Library - github.com/go-jose/go-jose/v3-v3.0.2

An implementation of JOSE standards (JWE, JWS, JWT) in Go

Library home page: https://proxy.golang.org/github.com/go-jose/go-jose/v3/@v/v3.0.2.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/github.com/go-jose/go-jose/v3/@v/v3.0.2.mod

Dependency Hierarchy:

  • github.com/argoproj/argo-cd/v2-v2.8.9 (Root Library)
    • github.com/coreos/go-oidc/v3-v3.9.0
      • github.com/go-jose/go-jose/v3-v3.0.2 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.

Publish Date: 2024-03-09

URL: CVE-2024-28180

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-28180

Release Date: 2024-03-09

Fix Resolution: v2.6.3,v3.0.3,v4.0.1

CVE-2024-3177

Vulnerable Library - k8s.io/kubernetes-v1.24.2

Library home page: https://proxy.golang.org/k8s.io/kubernetes/@v/v1.24.2.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/k8s.io/kubernetes/@v/v1.24.2.mod

Dependency Hierarchy:

  • github.com/argoproj/argo-cd/v2-v2.8.9 (Root Library)
    • github.com/argoproj/gitops-engine-v0.7.1-0.20230607163028-425d65e07695
      • k8s.io/kubernetes-v1.24.2 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.

Publish Date: 2024-04-22

URL: CVE-2024-3177

CVSS 3 Score Details (2.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://discuss.kubernetes.io/t/security-advisory-cve-2024-3177-bypassing-mountable-secrets-policy-imposed-by-the-serviceaccount-admission-plugin/27905

Release Date: 2024-04-02

Fix Resolution: v1.27.13,v1.28.9,v1.29.4

go.temporal.io/sdk-v1.17.0: 2 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - go.temporal.io/sdk-v1.17.0

Found in HEAD commit: 8f950c4fe3c892e8dcf33c2bda5d12798b34de69

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (go.temporal.io/sdk-v1.17.0 version) Remediation Possible**
CVE-2022-32149 High 7.5 golang.org/x/text-v0.3.7 Transitive N/A*
CVE-2022-41721 High 7.5 golang.org/x/net-v0.0.0-20220906165146-f3363e06e74c Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-32149

Vulnerable Library - golang.org/x/text-v0.3.7

Library home page: https://proxy.golang.org/golang.org/x/text/@v/v0.3.7.zip

Dependency Hierarchy:

  • go.temporal.io/sdk-v1.17.0 (Root Library)
    • google.golang.org/grpc-v1.49.0
      • golang.org/x/net-v0.0.0-20220906165146-f3363e06e74c
        • golang.org/x/text-v0.3.7 (Vulnerable Library)

Found in HEAD commit: 8f950c4fe3c892e8dcf33c2bda5d12798b34de69

Found in base branch: main

Vulnerability Details

An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.

Publish Date: 2022-10-14

URL: CVE-2022-32149

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-32149

Release Date: 2022-10-14

Fix Resolution: v0.3.8

CVE-2022-41721

Vulnerable Library - golang.org/x/net-v0.0.0-20220906165146-f3363e06e74c

[mirror] Go supplementary network libraries

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.0.0-20220906165146-f3363e06e74c.zip

Dependency Hierarchy:

  • go.temporal.io/sdk-v1.17.0 (Root Library)
    • github.com/grpc-ecosystem/go-grpc-middleware-v1.3.0
      • golang.org/x/net-v0.0.0-20220906165146-f3363e06e74c (Vulnerable Library)

Found in HEAD commit: 8f950c4fe3c892e8dcf33c2bda5d12798b34de69

Found in base branch: main

Vulnerability Details

A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.

Publish Date: 2023-01-13

URL: CVE-2022-41721

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2023-01-13

Fix Resolution: v0.2.0

gorm.io/driver/postgres-v1.0.8: 2 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - gorm.io/driver/postgres-v1.0.8

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/github.com/jackc/pgx/v4/@v/v4.10.1.mod

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (gorm.io/driver/postgres-v1.0.8 version) Remediation Possible**
CVE-2024-27304 Critical 9.8 github.com/jackc/pgproto3/v2-v2.0.7 Transitive N/A*
CVE-2024-27289 High 8.1 github.com/jackc/pgx/v4-v4.10.1 Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-27304

Vulnerable Library - github.com/jackc/pgproto3/v2-v2.0.7

Library home page: https://proxy.golang.org/github.com/jackc/pgproto3/v2/@v/v2.0.7.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/github.com/jackc/pgproto3/v2/@v/v2.0.7.mod

Dependency Hierarchy:

  • gorm.io/driver/postgres-v1.0.8 (Root Library)
    • github.com/jackc/pgx/v4-v4.10.1
      • github.com/jackc/pgproto3/v2-v2.0.7 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control. The problem is resolved in v4.18.2 and v5.5.4. As a workaround, reject user input large enough to cause a single query or bind message to exceed 4 GB in size.

Publish Date: 2024-03-06

URL: CVE-2024-27304

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-mrww-27vc-gghv

Release Date: 2024-03-06

Fix Resolution: jackc/pgproto3 - v2.3.3, github.com/jackc/pgx - v4.18.2,v5.5.4

CVE-2024-27289

Vulnerable Library - github.com/jackc/pgx/v4-v4.10.1

PostgreSQL driver and toolkit for Go

Library home page: https://proxy.golang.org/github.com/jackc/pgx/v4/@v/v4.10.1.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/github.com/jackc/pgx/v4/@v/v4.10.1.mod

Dependency Hierarchy:

  • gorm.io/driver/postgres-v1.0.8 (Root Library)
    • github.com/jackc/pgx/v4-v4.10.1 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2, SQL injection can occur when all of the following conditions are met: the non-default simple protocol is used; a placeholder for a numeric value must be immediately preceded by a minus; there must be a second placeholder for a string value after the first placeholder; both must be on the same line; and both parameter values must be user-controlled. The problem is resolved in v4.18.2. As a workaround, do not use the simple protocol or do not place a minus directly before a placeholder.

Publish Date: 2024-03-06

URL: CVE-2024-27289

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-m7wr-2xf7-cm9p

Release Date: 2024-03-06

Fix Resolution: v4.18.2,v5.5.4

google.golang.org/grpc-v1.50.1: 1 vulnerability (highest severity is: 7.5) - autoclosed

Vulnerable Library - google.golang.org/grpc-v1.50.1

Found in HEAD commit: 8f950c4fe3c892e8dcf33c2bda5d12798b34de69

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (google.golang.org/grpc-v1.50.1 version) Remediation Available
CVE-2022-41723 High 7.5 golang.org/x/net-v0.5.0 Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2022-41723

Vulnerable Library - golang.org/x/net-v0.5.0

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.5.0.zip

Dependency Hierarchy:

  • google.golang.org/grpc-v1.50.1 (Root Library)
    • golang.org/x/net-v0.5.0 (Vulnerable Library)

Found in HEAD commit: 8f950c4fe3c892e8dcf33c2bda5d12798b34de69

Found in base branch: main

Vulnerability Details

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.

Publish Date: 2023-02-28

URL: CVE-2022-41723

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2023-1568

Release Date: 2022-09-29

Fix Resolution: v0.7.0

github.com/intelops/go-common-v1.0.20: 2 vulnerabilities (highest severity is: 6.5)

Vulnerable Library - github.com/intelops/go-common-v1.0.20

Path to dependency file: /server/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/github.com/go-jose/go-jose/v3/@v/v3.0.0.mod

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (github.com/intelops/go-common-v1.0.20 version) Remediation Possible**
WS-2023-0431 Medium 6.5 github.com/go-jose/go-jose/v3-v3.0.0 Transitive N/A*
CVE-2024-28180 Medium 4.3 github.com/go-jose/go-jose/v3-v3.0.0 Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2023-0431

Vulnerable Library - github.com/go-jose/go-jose/v3-v3.0.0

An implementation of JOSE standards (JWE, JWS, JWT) in Go

Library home page: https://proxy.golang.org/github.com/go-jose/go-jose/v3/@v/v3.0.0.zip

Path to dependency file: /server/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/github.com/go-jose/go-jose/v3/@v/v3.0.0.mod

Dependency Hierarchy:

  • github.com/intelops/go-common-v1.0.20 (Root Library)
    • github.com/hashicorp/vault/api-v1.9.2
      • github.com/go-jose/go-jose/v3-v3.0.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The go-jose package before 3.0.1 is subject to a "billion hashes attack" causing denial-of-service when decrypting JWE inputs. This occurs when an attacker can provide a PBES2 encrypted JWE blob with a very large p2c value that, when decrypted, produces a denial-of-service.

Publish Date: 2023-11-22

URL: WS-2023-0431

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-2c7c-3mj9-8fqh

Release Date: 2023-11-22

Fix Resolution: v3.0.1

CVE-2024-28180

Vulnerable Library - github.com/go-jose/go-jose/v3-v3.0.0

An implementation of JOSE standards (JWE, JWS, JWT) in Go

Library home page: https://proxy.golang.org/github.com/go-jose/go-jose/v3/@v/v3.0.0.zip

Path to dependency file: /server/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/github.com/go-jose/go-jose/v3/@v/v3.0.0.mod

Dependency Hierarchy:

  • github.com/intelops/go-common-v1.0.20 (Root Library)
    • github.com/hashicorp/vault/api-v1.9.2
      • github.com/go-jose/go-jose/v3-v3.0.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.

Publish Date: 2024-03-09

URL: CVE-2024-28180

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-28180

Release Date: 2024-03-09

Fix Resolution: v2.6.3,v3.0.3,v4.0.1

helm.sh/helm/v3-v3.10.3: 2 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - helm.sh/helm/v3-v3.10.3

Library home page: https://proxy.golang.org/helm.sh/helm/v3/@v/v3.10.3.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/helm.sh/helm/v3/@v/v3.10.3.mod

Found in HEAD commit: ef6d2d14ba20ad161dda103d1ac6ed92c19687bb

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (helm.sh/helm/v3-v3.10.3 version) Remediation Possible**
CVE-2024-26147 High 7.5 helm.sh/helm/v3-v3.10.3 Direct v3.14.2
CVE-2024-25620 Medium 6.4 helm.sh/helm/v3-v3.10.3 Direct v3.14.1

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-26147

Vulnerable Library - helm.sh/helm/v3-v3.10.3

Library home page: https://proxy.golang.org/helm.sh/helm/v3/@v/v3.10.3.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/helm.sh/helm/v3/@v/v3.10.3.mod

Dependency Hierarchy:

  • helm.sh/helm/v3-v3.10.3 (Vulnerable Library)

Found in HEAD commit: ef6d2d14ba20ad161dda103d1ac6ed92c19687bb

Found in base branch: main

Vulnerability Details

Helm is a package manager for Charts for Kubernetes. Versions prior to 3.14.2 contain an uninitialized variable vulnerability when Helm parses index and plugin yaml files missing expected content. When either an index.yaml file or a plugin's plugin.yaml file was missing all metadata, a panic would occur in Helm. In the Helm SDK, this is found when using the LoadIndexFile or DownloadIndexFile functions in the repo package or the LoadDir function in the plugin package. For the Helm client this impacts functions around adding a repository, and all Helm functions if a malicious plugin is added, as Helm inspects all known plugins on each invocation. This issue has been resolved in Helm v3.14.2. If a malicious plugin has been added which is causing all Helm client commands to panic, the malicious plugin can be manually removed from the filesystem. If using Helm SDK versions prior to 3.14.2, calls to affected functions can use recover to catch the panic.

Publish Date: 2024-02-21

URL: CVE-2024-26147

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-r53h-jv2g-vpx6

Release Date: 2024-02-21

Fix Resolution: v3.14.2

CVE-2024-25620

Vulnerable Library - helm.sh/helm/v3-v3.10.3

Library home page: https://proxy.golang.org/helm.sh/helm/v3/@v/v3.10.3.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/helm.sh/helm/v3/@v/v3.10.3.mod

Dependency Hierarchy:

  • helm.sh/helm/v3-v3.10.3 (Vulnerable Library)

Found in HEAD commit: ef6d2d14ba20ad161dda103d1ac6ed92c19687bb

Found in base branch: main

Vulnerability Details

Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. When either the Helm client or SDK is used to save a chart whose name within the Chart.yaml file includes a relative path change, the chart would be saved outside its expected directory based on the changes in the relative path. The validation and linting did not detect the path changes in the name. This issue has been resolved in Helm v3.14.1. Users unable to upgrade should check all charts used by Helm for path changes in their name as found in the Chart.yaml file. This includes dependencies.

Publish Date: 2024-02-14

URL: CVE-2024-25620

CVSS 3 Score Details (6.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-25620

Release Date: 2024-02-14

Fix Resolution: v3.14.1

k8s.io/apimachinery-v0.24.2: 1 vulnerability (highest severity is: 5.1) - autoclosed

Vulnerable Library - k8s.io/apimachinery-v0.24.2

Library home page: https://proxy.golang.org/k8s.io/apimachinery/@v/v0.24.2.zip

Found in HEAD commit: ef6d2d14ba20ad161dda103d1ac6ed92c19687bb

Vulnerabilities

CVE           | Severity | CVSS | Dependency                  | Type   | Fixed in (k8s.io/apimachinery-v0.24.2 version)                                        | Remediation Available
CVE-2022-3172 | Medium   | 5.1  | k8s.io/apimachinery-v0.24.2 | Direct | v0.25.1, kubernetes-1.22.14, kubernetes-1.23.11, kubernetes-1.24.5, kubernetes-1.25.1 |

Details

CVE-2022-3172

Vulnerable Library - k8s.io/apimachinery-v0.24.2

Library home page: https://proxy.golang.org/k8s.io/apimachinery/@v/v0.24.2.zip

Dependency Hierarchy:

  • k8s.io/apimachinery-v0.24.2 (Vulnerable Library)

Found in HEAD commit: ef6d2d14ba20ad161dda103d1ac6ed92c19687bb

Found in base branch: main

Vulnerability Details

A security issue was discovered in kube-apiserver that allows an aggregated API server to redirect client traffic to any URL. This issue leads to the client performing unexpected actions and forwarding the client's API server credentials to third parties.
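The credential leak described here happens when a proxy that attaches the caller's credentials to the backend request then follows a redirect from that backend, re-sending the same headers to whatever host the Location header names. The following is an added example, written for this page and not Kubernetes or kad code, of the general defence: the proxy-side HTTP client refuses to follow redirects and returns the 3xx unchanged. It assumes two constructed httptest servers, one playing the aggregated API server that redirects and one playing the third party, and shows that Go's default client does forward the Authorization header to the redirect target when the hostname matches (as it does here, both servers being on loopback), while the no-redirect client never contacts the third party at all.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// newNoRedirectClient returns an http.Client that never follows a redirect:
// a 3xx from the upstream is handed back to the caller as-is rather than
// being re-issued, with the original headers, to whatever Location it names.
func newNoRedirectClient() *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

// forward mimics the proxy leg of the aggregation path: the caller's bearer
// token is copied onto the request sent to the aggregated API server, and the
// resulting status code is returned.
func forward(client *http.Client, upstream, token string) (int, error) {
	req, err := http.NewRequest(http.MethodGet, upstream+"/apis/example.io/v1/things", nil)
	if err != nil {
		return 0, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	_, _ = io.Copy(io.Discard, resp.Body)
	return resp.StatusCode, nil
}

// Demo stands up two constructed servers: a "third party" that records whether
// it ever receives an Authorization header, and an "aggregated API server" that
// answers every request with a 302 pointing at the third party. It returns the
// status the proxy saw and whether the credential reached the third party.
func Demo(followRedirects bool) (status int, leaked bool, err error) {
	var received string
	thirdParty := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		received = r.Header.Get("Authorization")
		w.WriteHeader(http.StatusOK)
	}))
	defer thirdParty.Close()
	aggregated := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, thirdParty.URL+"/collect", http.StatusFound)
	}))
	defer aggregated.Close()

	client := newNoRedirectClient()
	if followRedirects {
		client = &http.Client{} // default policy: follow up to 10 redirects
	}
	status, err = forward(client, aggregated.URL, "s3cr3t")
	return status, received != "", err
}

func main() {
	for _, follow := range []bool{true, false} {
		status, leaked, err := Demo(follow)
		fmt.Printf("follow=%v status=%d credential_leaked=%v err=%v\n", follow, status, leaked, err)
	}
}
```

The same rule applies to any reverse proxy or API gateway that injects credentials on behalf of a caller: redirect decisions belong to the caller, not to a component holding the caller's token.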

Publish Date: 2022-09-10

URL: CVE-2022-3172

CVSS 3 Score Details (5.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2022-09-10

Fix Resolution: v0.25.1,kubernetes-1.22.14,kubernetes-1.23.11,kubernetes-1.24.5,kubernetes-1.25.1
