Security: GO-2024-2687 and GO-2023-1571 #101

cmontemuino · 2024-07-17T11:46:34Z

Found two vulnerabilities with govulncheck:

# $ go version
# go version go1.21.12
# govulncheck against v1.1.3
git clone [email protected]:aquasecurity/kubectl-who-can.git
pushd kubectl-who-can
git checkout v0.4.0
govulncheck ./...
#
# Vulnerability #1: GO-2024-2687
#     HTTP/2 CONTINUATION flood in net/http
#   More info: https://pkg.go.dev/vuln/GO-2024-2687
#   Module: golang.org/x/net
#     Found in: golang.org/x/[email protected]
#     Fixed in: golang.org/x/[email protected]
# Vulnerability #2: GO-2023-1571
#     Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
#   More info: https://pkg.go.dev/vuln/GO-2023-1571
#   Module: golang.org/x/net
#     Found in: golang.org/x/[email protected]
#     Fixed in: golang.org/x/[email protected]
# Your code is affected by 2 vulnerabilities from 1 module.
# This scan also found 5 vulnerabilities in packages you import and 7
# vulnerabilities in modules you require, but your code doesn't appear to call
# these vulnerabilities.

What's needed: upgrade k8s.io packages to version v0.27.15

The text was updated successfully, but these errors were encountered:

PROBLEM: the project incldues some old package versions that come with vulnerabilities SOLUTION: upgrade `k8s.io/xxx` packages to the minimum version that fixes the reported vulnerabilities fixes aquasecurity#101

cmontemuino · 2024-07-17T12:32:39Z

PR to clear-up all the vulnerabilities: #102

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security: GO-2024-2687 and GO-2023-1571 #101

Security: GO-2024-2687 and GO-2023-1571 #101

cmontemuino commented Jul 17, 2024

cmontemuino commented Jul 17, 2024

Security: GO-2024-2687 and GO-2023-1571 #101

Security: GO-2024-2687 and GO-2023-1571 #101

Comments

cmontemuino commented Jul 17, 2024

cmontemuino commented Jul 17, 2024