From 1b2d9ad71d07dd998f6a51c2b678168dd024697d Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts[bot]@users.noreply.github.com>
Date: Tue, 19 Nov 2024 07:43:49 +0000
Subject: [PATCH] Adding Advisory GHSA-8495-4g3g-x7pr for kserve (#9145)

Co-authored-by: octo-sts[bot] <157150467+octo-sts@users.noreply.github.com>
---
 kserve.advisories.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/kserve.advisories.yaml b/kserve.advisories.yaml
index c554bd19c..9e6f4ebcd 100644
--- a/kserve.advisories.yaml
+++ b/kserve.advisories.yaml
@@ -136,6 +136,24 @@ advisories:
 data:
 note: The commons-io:commons-io:2.7.0 dependency is transitive from a direct dependency on the python package ray. To fix this vulnerability, we'd require ray to upgrade to commons-io:commons-io:2.14.0 (there is currently no released version of ray with that fix) and we'd have to upgrade the version of ray used in kserve to that fixed version.
+ - id: CGA-j6j7-cxqc-pwjf
+ aliases:
+ - CVE-2024-52304
+ - GHSA-8495-4g3g-x7pr
+ events:
+ - timestamp: 2024-11-19T07:34:37Z
+ type: detection
+ data:
+ type: scan/v1
+ data:
+ subpackageName: kserve
+ componentID: e8d3143d57519281
+ componentName: aiohttp
+ componentVersion: 3.10.5
+ componentType: python
+ componentLocation: /usr/lib/python3.11/site-packages/aiohttp-3.10.5.dist-info/METADATA, /usr/lib/python3.11/site-packages/aiohttp-3.10.5.dist-info/RECORD, /usr/lib/python3.11/site-packages/aiohttp-3.10.5.dist-info/top_level.txt
+ scanner: grype
+
 - id: CGA-w2cp-3rgq-pfhv
 aliases:
 - CVE-2024-30251