Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

k8s.io/apimachinery-v0.24.4: 2 vulnerabilities (highest severity is: 7.5) #28

Closed
mend-for-github-com bot opened this issue Aug 26, 2022 · 1 comment
Closed

k8s.io/apimachinery-v0.24.4: 2 vulnerabilities (highest severity is: 7.5) #28

mend-for-github-com bot opened this issue Aug 26, 2022 · 1 comment
Labels
security vulnerability Security vulnerability detected by Mend

Comments

@mend-for-github-com
Copy link
Contributor

Vulnerable Library - k8s.io/apimachinery-v0.24.4

Found in HEAD commit: a48a4128f4f8f15392a854ed91698031d4a31bd5

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2022-30633 High 7.5 github.com/golang/net-cd36cc0744dd695657988f15f08446dc81e16efc Transitive N/A
CVE-2022-28131 High 7.5 github.com/golang/net-cd36cc0744dd695657988f15f08446dc81e16efc Transitive N/A

Details

CVE-2022-30633

Vulnerable Library - github.com/golang/net-cd36cc0744dd695657988f15f08446dc81e16efc

[mirror] Go supplementary network libraries

Dependency Hierarchy:

  • k8s.io/apimachinery-v0.24.4 (Root Library)
    • github.com/golang/net-cd36cc0744dd695657988f15f08446dc81e16efc (Vulnerable Library)

Found in HEAD commit: a48a4128f4f8f15392a854ed91698031d4a31bd5

Found in base branch: main

Vulnerability Details

Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.

Publish Date: 2022-08-10

URL: CVE-2022-30633

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2022-30633

Release Date: 2022-05-13

Fix Resolution: go1.17.12,go1.18.4

CVE-2022-28131

Vulnerable Library - github.com/golang/net-cd36cc0744dd695657988f15f08446dc81e16efc

[mirror] Go supplementary network libraries

Dependency Hierarchy:

  • k8s.io/apimachinery-v0.24.4 (Root Library)
    • github.com/golang/net-cd36cc0744dd695657988f15f08446dc81e16efc (Vulnerable Library)

Found in HEAD commit: a48a4128f4f8f15392a854ed91698031d4a31bd5

Found in base branch: main

Vulnerability Details

Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.

Publish Date: 2022-08-10

URL: CVE-2022-28131

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2022-28131

Release Date: 2022-03-29

Fix Resolution: go1.17.12,go1.18.4
@mend-for-github-com mend-for-github-com bot added the security vulnerability Security vulnerability detected by Mend label Aug 26, 2022
@sheldonhull
Copy link
Contributor

Not applicable to this project, as we use json, not xml.

@sheldonhull sheldonhull closed this as not planned Won't fix, can't repro, duplicate, stale Aug 26, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security vulnerability Security vulnerability detected by Mend
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sheldonhull