Vulnerabilities found in velero 1.11.0 #465

Closed
sumitgupta21 opened this issue Jun 12, 2023 · 2 comments
@sumitgupta21

The following vulnerabilities were found in velero v1.11.0 when scanning the Docker images with JFrog Xray:

| Severity | Direct package (image layer) | Direct package version | Impacted package name | Impacted package version | Fixed versions | Type | CVE |
|---|---|---|---|---|---|---|---|
| Critical | sha256__28edbbe2d47d5acebf06eb2474f2a79ab9a95448125f818c804cb55f6f0e20e0.tar, sha256__fa98a9c4f111c09cd7886d3d0ff82b84e9aa34f223e87a4566f57d65155d3ee6.tar | | github.com/golang/go | 1.19.8 | 1.19.9, 1.20.4 | Go | CVE-2023-24540 |
| High | sha256__fa98a9c4f111c09cd7886d3d0ff82b84e9aa34f223e87a4566f57d65155d3ee6.tar, sha256__28edbbe2d47d5acebf06eb2474f2a79ab9a95448125f818c804cb55f6f0e20e0.tar | | github.com/golang/go | 1.19.8 | 1.19.9, 1.20.4 | Go | CVE-2023-29400 |
| High | sha256__fa98a9c4f111c09cd7886d3d0ff82b84e9aa34f223e87a4566f57d65155d3ee6.tar, sha256__28edbbe2d47d5acebf06eb2474f2a79ab9a95448125f818c804cb55f6f0e20e0.tar | | github.com/golang/go | 1.19.8 | 1.19.9, 1.20.4 | Go | CVE-2023-24539 |

Is there any planned release to address these vulnerabilities?

Vulnerable Docker Images:

  • velero/velero:v1.11.0
  • velero/velero-plugin-for-csi:v0.5.0
  • velero/velero-plugin-for-aws:v1.7.0
@jenting
Collaborator

jenting commented Jun 12, 2023

@sumitgupta21 Please file this issue under vmware-tanzu/velero repo. This repo is dedicated to helm chart issues only. Thank you.

@jenting jenting added the velero label Jun 28, 2023
@jenting
Collaborator

jenting commented Aug 3, 2023

We bumped the Golang version from 1.19.8 to 1.20.6. Here is the related diff.

Thanks for reporting. Closing it.

@jenting jenting closed this as completed Aug 3, 2023