Patch Required for Security Issue in Kubernetes CSI Snapshotter v8.0.1 (CVE-2024-24790) #1127
Labels: lifecycle/rotten (denotes an issue or PR that has aged beyond stale and will be auto-closed)
Component: Kubernetes CSI Snapshotter
Version: v8.0.1
Image: `registry.k8s.io/sig-storage/csi-snapshotter:v8.0.1`
Detected by: Aqua Security Trivy
Description:
I have tested the vulnerabilities for the image `registry.k8s.io/sig-storage/csi-snapshotter:v8.0.1` using the Aqua Security Trivy scanner. The results indicate several vulnerabilities in the Go binary used within the image.

Steps to produce the issue:

```
trivy --scanners vuln image registry.k8s.io/sig-storage/csi-snapshotter:v8.0.1
```

GitHub link for Trivy: https://github.com/aquasecurity/trivy
Trivy Scan Results:
Operating System:
Go Binary Vulnerabilities:
Details:
- Private Tokens in Logs (`google.golang.org/grpc`)
- Unexpected Behavior from `Is` Methods for IPv4-mapped IPv6 Addresses (`stdlib`): `Is` methods for IPv4-mapped IPv6 addresses in the `net/netip` package, leading to potential security risks.
- Incorrect Handling of Certain ZIP Files (`stdlib`): the `archive/zip` package in Go has incorrect handling of certain ZIP files, which can lead to security vulnerabilities.
- Denial of Service Due to Improper 100-Continue Handling (`stdlib`): the `net/http` package, due to improper handling of the 100-continue response.

Impact:

These vulnerabilities could potentially affect the security and stability of applications using the `csi-snapshotter` component, especially the CRITICAL vulnerability in `stdlib` that can lead to unexpected behaviors or denial of service.

Recommendations:
References:
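As an added illustration of the `net/netip` item above (example code, not part of this issue or of the csi-snapshotter project), the check below normalises an address with `Unmap()` before applying the `Is*` classification methods, so an IPv4-mapped IPv6 form such as `::ffff:127.0.0.1` is treated exactly like `127.0.0.1` whichever Go toolchain built the binary. The sample addresses and the `isAllowedEgress` policy are constructed for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// AddrClass summarises the classification checks a service typically
// makes before trusting a source or destination address.
type AddrClass struct {
	Loopback  bool
	Private   bool
	LinkLocal bool
	Unmapped  netip.Addr
}

// classify normalises an address before applying the Is* checks. An
// IPv4-mapped IPv6 address such as ::ffff:127.0.0.1 is converted to its
// plain IPv4 form first, so the result does not depend on whether the
// Go toolchain that built the binary carries the net/netip fix.
func classify(ip netip.Addr) AddrClass {
	u := ip.Unmap() // no-op for addresses that are not IPv4-mapped
	return AddrClass{
		Loopback:  u.IsLoopback(),
		Private:   u.IsPrivate(),
		LinkLocal: u.IsLinkLocalUnicast(),
		Unmapped:  u,
	}
}

// isAllowedEgress is a constructed allow-list policy: it accepts only
// addresses that are neither loopback, private nor link-local after
// unmapping, which is the kind of check the reported flaw affects.
func isAllowedEgress(raw string) (bool, error) {
	ip, err := netip.ParseAddr(raw)
	if err != nil {
		return false, err
	}
	c := classify(ip)
	return !(c.Loopback || c.Private || c.LinkLocal), nil
}

func main() {
	// Constructed inputs: mapped forms must classify like their IPv4 forms.
	for _, s := range []string{"127.0.0.1", "::ffff:127.0.0.1", "10.0.0.8", "::ffff:10.0.0.8", "203.0.113.5"} {
		ok, err := isAllowedEgress(s)
		fmt.Printf("%-18s allowed=%v err=%v\n", s, ok, err)
	}
}
```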