github.com/kubernetes/client-go-v0.17.2: 4 vulnerabilities (highest severity is: 7.5)

[mend-for-github-com]

Vulnerable Library - github.com/kubernetes/client-go-v0.17.2

Go client for Kubernetes.

Found in HEAD commit: 669793d8de1d48ad154501cdf5541f7589c6003b

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2022-27191	High	7.5	github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f	Transitive	N/A	❌
CVE-2020-29652	High	7.5	github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f	Transitive	N/A	❌
CVE-2021-43565	High	7.5	github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f	Transitive	N/A	❌
CVE-2020-8565	Medium	5.5	github.com/kubernetes/client-go-v0.17.2	Direct	v1.20.0-alpha.2	❌

Details

CVE-2022-27191

Vulnerable Library - github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f

[mirror] Go supplementary cryptography libraries

Dependency Hierarchy:

• github.com/kubernetes/client-go-v0.17.2 (Root Library)
  • ❌ github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f (Vulnerable Library)

Found in HEAD commit: 669793d8de1d48ad154501cdf5541f7589c6003b

Found in base branch: improbable

Vulnerability Details

golang.org/x/crypto/ssh before 0.0.0-20220314234659-1baeb1ce4c0b in Go through 1.16.15 and 1.17.x through 1.17.8 allows an attacker to crash a server in certain circumstances involving AddHostKey.

Publish Date: 2022-03-18

URL: CVE-2022-27191

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2020-29652

Vulnerable Library - github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f

[mirror] Go supplementary cryptography libraries

Dependency Hierarchy:

• github.com/kubernetes/client-go-v0.17.2 (Root Library)
  • ❌ github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f (Vulnerable Library)

Found in HEAD commit: 669793d8de1d48ad154501cdf5541f7589c6003b

Found in base branch: improbable

Vulnerability Details

A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.

Publish Date: 2020-12-17

URL: CVE-2020-29652

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1

Release Date: 2020-12-17

Fix Resolution: v0.0.0-20201216223049-8b5274cf687f

CVE-2021-43565

Vulnerable Library - github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f

[mirror] Go supplementary cryptography libraries

Dependency Hierarchy:

• github.com/kubernetes/client-go-v0.17.2 (Root Library)
  • ❌ github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f (Vulnerable Library)

Found in HEAD commit: 669793d8de1d48ad154501cdf5541f7589c6003b

Found in base branch: improbable

Vulnerability Details

There's an input validation flaw in golang.org/x/crypto's readCipherPacket() function. An unauthenticated attacker who sends an empty plaintext packet to a program linked with golang.org/x/crypto/ssh could cause a panic, potentially leading to denial of service.

Publish Date: 2021-11-10

URL: CVE-2021-43565

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2020-8565

Vulnerable Library - github.com/kubernetes/client-go-v0.17.2

Go client for Kubernetes.

Dependency Hierarchy:

• ❌ github.com/kubernetes/client-go-v0.17.2 (Vulnerable Library)

Found in HEAD commit: 669793d8de1d48ad154501cdf5541f7589c6003b

Found in base branch: improbable

Vulnerability Details

In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2.

Publish Date: 2020-12-07

URL: CVE-2020-8565

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2020-0064

Release Date: 2020-12-07

Fix Resolution: v1.20.0-alpha.2