Report the use of components with vulnerabilities in hwameistor #1459

Closed
HouqiyuA opened this issue Apr 29, 2024 · 3 comments
Labels: good first issue, Stale

Comments

@HouqiyuA

Dear Team Members:
Greetings! Our team is very interested in your project. We performed source code perspective security analysis (SCA) and vulnerability library association analysis on this project and found that components with vulnerabilities are still being used in this project. We would like to report this issue to you, so that you can fix and improve it accordingly. I add the details in JSON below. Please confirm whether this problem really exists and confirm with us. Looking forward to hearing from you and discussing more details with us; thank you very much for your time and attention.

Note: Each "affect_components" field in the report represents the vulnerable component introduced by this project. The other is the vulnerability information associated with it.
Qiyu Hou

Details:
{
"id": "CVE-2023-26125",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"ratings": [
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"score": 7.3,
"severity": "high",
"method": "CVSSv3",
"vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
}
],
"cwes": [
20
],
"description": "Versions of the package github.com/gin-gonic/gin before 1.9.0 are vulnerable to Improper Input Validation by allowing an attacker to use a specially crafted request via the X-Forwarded-Prefix header, potentially leading to cache poisoning. Note: Although this issue does not pose a significant threat on its own it can serve as an input vector for other more impactful vulnerabilities. However, successful exploitation may depend on the server configuration and whether the header is used in the application logic.",
"published": "2023-05-04T05:15:00Z",
"updated": "2023-11-07T04:09:00Z",
"affect_components": [
[
{
"name": "github.com/gin-gonic/gin",
"version": "v1.8.1",
"purl": "pkg:golang/github.com/gin-gonic/gin@v1.8.1?goarch=arm64&goos=darwin&type=module",
"externalReferences": [
{
"type": "vcs",
"url": "https://github.com/gin-gonic/gin"
}
],
"type": "library"
}
]
]
}
{
"id": "CVE-2023-29401",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"ratings": [
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"score": 4.3,
"severity": "medium",
"method": "CVSSv3",
"vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
}
],
"cwes": [
494
],
"description": "The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of "setup.bat";x=.txt" will be sent as a file named "setup.bat". If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different than provided. Maliciously crafted attachment file name can modify the Content-Disposition header.",
"published": "2023-06-08T21:15:00Z",
"updated": "2023-06-16T12:45:00Z",
"affect_components": [
[
{
"name": "github.com/gin-gonic/gin",
"version": "v1.8.1",
"purl": "pkg:golang/github.com/gin-gonic/gin@v1.8.1?goarch=arm64&goos=darwin&type=module",
"externalReferences": [
{
"type": "vcs",
"url": "https://github.com/gin-gonic/gin"
}
],
"type": "library"
}
]
]
}
{
"id": "CVE-2019-15562",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"ratings": [
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"score": 7.5,
"severity": "high",
"method": "CVSSv2",
"vector": "(AV:N/AC:L/Au:N/C:P/I:P/A:P)"
},
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"score": 9.8,
"severity": "critical",
"method": "CVSSv3",
"vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes": [
89
],
"description": "GORM before 1.9.10 allows SQL injection via incomplete parentheses. NOTE: Misusing Gorm by passing untrusted user input where Gorm expects trusted SQL fragments is a vulnerability in the application, not in Gorm",
"published": "2019-08-26T13:15:00Z",
"updated": "2024-04-11T01:04:00Z",
"affect_components": [
[
{
"name": "github.com/jinzhu/gorm",
"version": "v1.9.16",
"purl": "pkg:golang/github.com/jinzhu/gorm@v1.9.16?goarch=arm64&goos=darwin&type=module",
"externalReferences": [
{
"type": "vcs",
"url": "https://github.com/jinzhu/gorm"
}
],
"type": "library"
}
]
]
}
{
"id": "CVE-2019-19355",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"ratings": [
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"score": 4.4,
"severity": "medium",
"method": "CVSSv2",
"vector": "(AV:L/AC:M/Au:N/C:P/I:P/A:P)"
},
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"score": 7.0,
"severity": "high",
"method": "CVSSv3",
"vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes": [
266
],
"description": "An insecure modification vulnerability in the /etc/passwd file was found in the openshift/ocp-release-operator-sdk. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges. This CVE is specific to the openshift/ansible-operator-container as shipped in Openshift 4.",
"published": "2020-03-18T17:15:00Z",
"updated": "2023-02-12T23:38:00Z",
"affect_components": [
[
{
"name": "github.com/operator-framework/operator-sdk",
"version": "v0.18.2",
"purl": "pkg:golang/github.com/operator-framework/operator-sdk@v0.18.2?goarch=arm64&goos=darwin&type=module",
"externalReferences": [
{
"type": "vcs",
"url": "https://github.com/operator-framework/operator-sdk"
}
],
"type": "library"
}
]
]
}
{
"id": "CVE-2023-47108",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"ratings": [
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"score": 7.5,
"severity": "high",
"method": "CVSSv3",
"vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes": [
770
],
"description": "OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels net.peer.sock.addr and net.peer.sock.port that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing otelgrpc.WithMeterProvider option with noop.NewMeterProvider.",
"published": "2023-11-10T19:15:00Z",
"updated": "2023-11-20T19:34:00Z",
"affect_components": [
[
{
"name": "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc",
"version": "v0.20.0",
"purl": "pkg:golang/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@v0.20.0?goarch=arm64&goos=darwin&type=module",
"type": "library"
}
]
]
}
{
"id": "CVE-2023-48795",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"ratings": [
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"score": 5.9,
"severity": "medium",
"method": "CVSSv3",
"vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"
}
],
"cwes": [
354
],
"description": "The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.",
"published": "2023-12-18T16:15:00Z",
"updated": "2024-04-25T22:15:00Z",
"affect_components": [
[
{
"name": "golang.org/x/crypto",
"version": "v0.1.0",
"purl": "pkg:golang/golang.org/x/crypto@v0.1.0?goarch=arm64&goos=darwin&type=module",
"type": "library"
}
]
]
}
{
"id": "CVE-2023-39325",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"ratings": [
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"score": 7.5,
"severity": "high",
"method": "CVSSv3",
"vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"cwes": [
770
],
"description": "A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.",
"published": "2023-10-11T22:15:00Z",
"updated": "2024-03-23T03:15:00Z",
"affect_components": [
[
{
"name": "golang.org/x/net",
"version": "v0.7.0",
"purl": "pkg:golang/golang.org/x/net@v0.7.0?goarch=arm64&goos=darwin&type=module",
"type": "library"
}
]
]
}
{
"id": "CVE-2023-3978",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"ratings": [
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"score": 6.1,
"severity": "medium",
"method": "CVSSv3",
"vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
],
"cwes": [
79
],
"description": "Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.",
"published": "2023-08-02T20:15:00Z",
"updated": "2023-11-07T04:20:00Z",
"affect_components": [
[
{
"name": "golang.org/x/net",
"version": "v0.7.0",
"purl": "pkg:golang/golang.org/x/net@v0.7.0?goarch=arm64&goos=darwin&type=module",
"type": "library"
}
]
]
}
{
"id": "CVE-2023-32731",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"ratings": [
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"score": 7.5,
"severity": "high",
"method": "CVSSv3",
"vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"description": "When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in  grpc/grpc#33005 grpc/grpc#33005",
"published": "2023-06-09T11:15:00Z",
"updated": "2023-06-15T22:18:00Z",
"affect_components": [
[
{
"name": "google.golang.org/grpc",
"version": "v1.38.0",
"purl": "pkg:golang/google.golang.org/grpc@v1.38.0?goarch=arm64&goos=darwin&type=module",
"type": "library"
}
]
]
}
{
"id": "CVE-2024-24786",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"ratings": [
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"severity": "unknown",
"method": "other"
}
],
"description": "The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.",
"published": "2024-03-05T23:15:00Z",
"updated": "2024-03-24T03:15:00Z",
"affect_components": [
[
{
"name": "google.golang.org/protobuf",
"version": "v1.28.1",
"purl": "pkg:golang/google.golang.org/protobuf@v1.28.1?goarch=arm64&goos=darwin&type=module",
"type": "library"
}
]
]
}
{
"id": "CVE-2020-8561",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"ratings": [
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"score": 4.0,
"severity": "medium",
"method": "CVSSv2",
"vector": "(AV:N/AC:L/Au:S/C:P/I:N/A:N)"
},
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"score": 4.1,
"severity": "medium",
"method": "CVSSv3",
"vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N"
}
],
"cwes": [
610
],
"description": "A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs.",
"published": "2021-09-20T17:15:00Z",
"updated": "2021-11-06T03:04:00Z",
"affect_components": [
[
{
"name": "k8s.io/apiserver",
"version": "v0.24.0",
"purl": "pkg:golang/k8s.io/apiserver@v0.24.0?goarch=arm64&goos=darwin&type=module",
"type": "library"
}
]
]
}
{
"id": "CVE-2020-8561",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"ratings": [
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"score": 4.0,
"severity": "medium",
"method": "CVSSv2",
"vector": "(AV:N/AC:L/Au:S/C:P/I:N/A:N)"
},
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"score": 4.1,
"severity": "medium",
"method": "CVSSv3",
"vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N"
}
],
"cwes": [
610
],
"description": "A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs.",
"published": "2021-09-20T17:15:00Z",
"updated": "2021-11-06T03:04:00Z",
"affect_components": [
[
{
"name": "k8s.io/kubernetes",
"version": "v1.24.0",
"purl": "pkg:golang/k8s.io/kubernetes@v1.24.0?goarch=arm64&goos=darwin&type=module",
"type": "library"
}
]
]
}
{
"id": "CVE-2021-25740",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"ratings": [
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"score": 3.5,
"severity": "low",
"method": "CVSSv2",
"vector": "(AV:N/AC:M/Au:S/C:P/I:N/A:N)"
},
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"score": 3.1,
"severity": "low",
"method": "CVSSv3",
"vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"
}
],
"cwes": [
610
],
"description": "A security issue was discovered with Kubernetes that could enable users to send network traffic to locations they would otherwise not have access to via a confused deputy attack.",
"published": "2021-09-20T17:15:00Z",
"updated": "2021-11-06T02:49:00Z",
"affect_components": [
[
{
"name": "k8s.io/kubernetes",
"version": "v1.24.0",
"purl": "pkg:golang/k8s.io/kubernetes@v1.24.0?goarch=arm64&goos=darwin&type=module",
"type": "library"
}
]
]
}
{
"id": "CVE-2021-25743",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"ratings": [
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"score": 2.1,
"severity": "low",
"method": "CVSSv2",
"vector": "(AV:N/AC:H/Au:S/C:N/I:P/A:N)"
},
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"score": 3.0,
"severity": "low",
"method": "CVSSv3",
"vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N"
}
],
"description": "kubectl does not neutralize escape, meta or control sequences contained in the raw data it outputs to a terminal. This includes but is not limited to the unstructured string fields in objects such as Events.",
"published": "2022-01-07T00:15:00Z",
"updated": "2022-02-28T15:22:00Z",
"affect_components": [
[
{
"name": "k8s.io/kubernetes",
"version": "v1.24.0",
"purl": "pkg:golang/k8s.io/kubernetes@v1.24.0?goarch=arm64&goos=darwin&type=module",
"type": "library"
}
]
]
}
{
"id": "CVE-2021-25749",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"ratings": [
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"score": 7.8,
"severity": "high",
"method": "CVSSv3",
"vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"description": "Windows workloads can run as ContainerAdministrator even when those workloads set the runAsNonRoot option to true.",
"published": "2023-05-24T17:15:00Z",
"updated": "2023-06-01T13:14:00Z",
"affect_components": [
[
{
"name": "k8s.io/kubernetes",
"version": "v1.24.0",
"purl": "pkg:golang/k8s.io/kubernetes@v1.24.0?goarch=arm64&goos=darwin&type=module",
"type": "library"
}
]
]
}
{
"id": "CVE-2022-3162",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"ratings": [
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"score": 6.5,
"severity": "medium",
"method": "CVSSv3",
"vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
}
],
"cwes": [
22
],
"description": "Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true: 1. There are 2+ CustomResourceDefinitions sharing the same API group 2. Users have cluster-wide list or watch authorization on one of those custom resources. 3. The same users are not authorized to read another custom resource in the same API group.",
"published": "2023-03-01T19:15:00Z",
"updated": "2023-05-11T15:15:00Z",
"affect_components": [
[
{
"name": "k8s.io/kubernetes",
"version": "v1.24.0",
"purl": "pkg:golang/k8s.io/kubernetes@v1.24.0?goarch=arm64&goos=darwin&type=module",
"type": "library"
}
]
]
}
{
"id": "CVE-2022-3172",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"ratings": [
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"score": 8.2,
"severity": "high",
"method": "CVSSv3",
"vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N"
}
],
"cwes": [
918
],
"description": "A security issue was discovered in kube-apiserver that allows an aggregated API server to redirect client traffic to any URL. This could lead to the client performing unexpected actions as well as forwarding the client's API server credentials to third parties.",
"published": "2023-11-03T20:15:00Z",
"updated": "2023-12-21T22:15:00Z",
"affect_components": [
[
{
"name": "k8s.io/kubernetes",
"version": "v1.24.0",
"purl": "pkg:golang/k8s.io/kubernetes@v1.24.0?goarch=arm64&goos=darwin&type=module",
"type": "library"
}
]
]
}
{
"id": "CVE-2022-3294",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"ratings": [
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"score": 8.8,
"severity": "high",
"method": "CVSSv3",
"vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"description": "Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to the API server's private network.",
"published": "2023-03-01T19:15:00Z",
"updated": "2023-05-05T20:15:00Z",
"affect_components": [
[
{
"name": "k8s.io/kubernetes",
"version": "v1.24.0",
"purl": "pkg:golang/k8s.io/kubernetes@v1.24.0?goarch=arm64&goos=darwin&type=module",
"type": "library"
}
]
]
}
{
"id": "CVE-2023-2431",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"ratings": [
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"score": 5.5,
"severity": "medium",
"method": "CVSSv3",
"vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
}
],
"description": "A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet.",
"published": "2023-06-16T08:15:00Z",
"updated": "2023-07-01T06:15:00Z",
"affect_components": [
[
{
"name": "k8s.io/kubernetes",
"version": "v1.24.0",
"purl": "pkg:golang/k8s.io/kubernetes@v1.24.0?goarch=arm64&goos=darwin&type=module",
"type": "library"
}
]
]
}
{
"id": "CVE-2023-2727",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"ratings": [
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"score": 6.5,
"severity": "medium",
"method": "CVSSv3",
"vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"
}
],
"description": "Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.",
"published": "2023-07-03T21:15:00Z",
"updated": "2023-08-03T15:15:00Z",
"affect_components": [
[
{
"name": "k8s.io/kubernetes",
"version": "v1.24.0",
"purl": "pkg:golang/k8s.io/kubernetes@v1.24.0?goarch=arm64&goos=darwin&type=module",
"type": "library"
}
]
]
}
{
"id": "CVE-2023-2728",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"ratings": [
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"score": 6.5,
"severity": "medium",
"method": "CVSSv3",
"vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"
}
],
"description": "Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with ephemeral containers.",
"published": "2023-07-03T21:15:00Z",
"updated": "2023-08-03T15:15:00Z",
"affect_components": [
[
{
"name": "k8s.io/kubernetes",
"version": "v1.24.0",
"purl": "pkg:golang/k8s.io/kubernetes@v1.24.0?goarch=arm64&goos=darwin&type=module",
"type": "library"
}
]
]
}
{
"id": "CVE-2023-3676",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"ratings": [
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"score": 8.8,
"severity": "high",
"method": "CVSSv3",
"vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes": [
20
],
"description": "A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.",
"published": "2023-10-31T21:15:00Z",
"updated": "2023-11-30T22:15:00Z",
"affect_components": [
[
{
"name": "k8s.io/kubernetes",
"version": "v1.24.0",
"purl": "pkg:golang/k8s.io/kubernetes@v1.24.0?goarch=arm64&goos=darwin&type=module",
"type": "library"
}
]
]
}
{
"id": "CVE-2023-3893",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"ratings": [
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"score": 8.8,
"severity": "high",
"method": "CVSSv3",
"vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"description": "A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes running kubernetes-csi-proxy may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes running kubernetes-csi-proxy.",
"published": "2023-11-03T18:15:00Z",
"updated": "2023-12-21T22:15:00Z",
"affect_components": [
[
{
"name": "k8s.io/kubernetes",
"version": "v1.24.0",
"purl": "pkg:golang/k8s.io/kubernetes@v1.24.0?goarch=arm64&goos=darwin&type=module",
"type": "library"
}
]
]
}
{
"id": "CVE-2023-3955",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"ratings": [
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"score": 8.8,
"severity": "high",
"method": "CVSSv3",
"vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes": [
20
],
"description": "A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.",
"published": "2023-10-31T21:15:00Z",
"updated": "2023-12-21T22:15:00Z",
"affect_components": [
[
{
"name": "k8s.io/kubernetes",
"version": "v1.24.0",
"purl": "pkg:golang/k8s.io/kubernetes@v1.24.0?goarch=arm64&goos=darwin&type=module",
"type": "library"
}
]
]
}
{
"id": "CVE-2023-5528",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"ratings": [
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"score": 8.8,
"severity": "high",
"method": "CVSSv3",
"vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"description": "A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.",
"published": "2023-11-14T21:15:00Z",
"updated": "2024-01-19T16:15:00Z",
"affect_components": [
[
{
"name": "k8s.io/kubernetes",
"version": "v1.24.0",
"purl": "pkg:golang/k8s.io/kubernetes@v1.24.0?goarch=arm64&goos=darwin&type=module",
"type": "library"
}
]
]
}
{
"id": "CVE-2024-3177",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"ratings": [
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/"
},
"severity": "unknown",
"method": "other"
}
],
"description": "A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.",
"published": "2024-04-22T23:15:00Z",
"updated": "2024-04-25T06:16:00Z",
"affect_components": [
[
{
"name": "k8s.io/kubernetes",
"version": "v1.24.0",
"purl": "pkg:golang/k8s.io/kubernetes@v1.24.0?goarch=arm64&goos=darwin&type=module",
"type": "library"
}
]
]
}
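As an added example (not part of the report above or of the hwameistor project), here is a small Go triage helper for the posted "Details": it reads them as a stream of concatenated JSON objects, prefers the CVSSv3 rating over the CVSSv2 one where both are listed, flags the two records that carry no numeric score, and ranks the affected module versions by worst score. SampleReport is a constructed, shortened excerpt whose ids, scores and versions are copied from the report.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Record keeps only the report fields needed for triage; encoding/json ignores the rest.
type Record struct {
	ID      string `json:"id"`
	Ratings []struct {
		Score  float64 `json:"score"`
		Method string  `json:"method"`
	} `json:"ratings"`
	AffectComponents [][]struct {
		Name    string `json:"name"`
		Version string `json:"version"`
	} `json:"affect_components"`
}

// Component aggregates every CVE the report attributes to one module version. Unscored
// holds CVEs rated only severity "unknown"/method "other" (the report has two); triage by hand.
type Component struct {
	Name, Version  string
	MaxScore       float64
	CVEs, Unscored []string
}

// ParseReport decodes the report as a stream of concatenated JSON objects (not
// an array), groups findings by name@version and sorts them worst first. A broken
// record (the posted CVE-2023-29401 entry has unescaped quotes) is an error.
func ParseReport(report string) ([]*Component, error) {
	dec := json.NewDecoder(strings.NewReader(report))
	byKey := map[string]*Component{}
	var list []*Component
	for n := 1; dec.More(); n++ {
		var rec Record
		if err := dec.Decode(&rec); err != nil {
			return nil, fmt.Errorf("record %d: %w", n, err)
		}
		// Prefer CVSSv3 when both v2 and v3 are listed (the report lists v2 first).
		score, scored := 0.0, false
		for _, rt := range rec.Ratings {
			if rt.Method == "CVSSv3" || (rt.Method == "CVSSv2" && !scored) {
				score, scored = rt.Score, true
			}
		}
		for _, group := range rec.AffectComponents {
			for _, c := range group {
				key := c.Name + "@" + c.Version
				comp := byKey[key]
				if comp == nil {
					comp = &Component{Name: c.Name, Version: c.Version}
					byKey[key] = comp
					list = append(list, comp)
				}
				comp.CVEs = append(comp.CVEs, rec.ID)
				if !scored {
					comp.Unscored = append(comp.Unscored, rec.ID)
				} else if score > comp.MaxScore {
					comp.MaxScore = score
				}
			}
		}
	}
	// Worst score first, then name: this is the upgrade order.
	sort.Slice(list, func(i, j int) bool {
		if list[i].MaxScore != list[j].MaxScore {
			return list[i].MaxScore > list[j].MaxScore
		}
		return list[i].Name < list[j].Name
	})
	return list, nil
}

// SampleReport is a constructed excerpt in the report's shape; ids, scores and versions are copied from it.
const SampleReport = `
{"id":"CVE-2023-26125","ratings":[{"score":7.3,"method":"CVSSv3"}],"affect_components":[[{"name":"github.com/gin-gonic/gin","version":"v1.8.1"}]]}
{"id":"CVE-2023-29401","ratings":[{"score":4.3,"method":"CVSSv3"}],"affect_components":[[{"name":"github.com/gin-gonic/gin","version":"v1.8.1"}]]}
{"id":"CVE-2019-15562","ratings":[{"score":7.5,"method":"CVSSv2"},{"score":9.8,"method":"CVSSv3"}],"affect_components":[[{"name":"github.com/jinzhu/gorm","version":"v1.9.16"}]]}
{"id":"CVE-2024-24786","ratings":[{"severity":"unknown","method":"other"}],"affect_components":[[{"name":"google.golang.org/protobuf","version":"v1.28.1"}]]}
`

func main() {
	comps, err := ParseReport(SampleReport)
	if err != nil {
		panic(err) // a malformed record, e.g. unescaped quotes, lands here
	}
	for _, c := range comps {
		fmt.Printf("%-28s %-8s worst=%.1f cves=%v unscored=%v\n", c.Name, c.Version, c.MaxScore, c.CVEs, c.Unscored)
	}
}
```

To run it over the full report, repair the CVE-2023-29401 description's quotes first, then pass the whole "Details" text in place of SampleReport.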

SSmallMonster added the good first issue label Apr 29, 2024
@SSmallMonster
Member

@HouqiyuA Thank you for your feedback.

In fact, we have performed some vulnerability detection (against the built images), but there might still be some packages that haven't been covered. We will carefully analyze the versions of some packages. For some serious issues, I think we should upgrade the versions.

@HouqiyuA
Author

> @HouqiyuA Thank you for your feedback.
>
> In fact, we have performed some vulnerability detection (against the built images), but there might still be some packages that haven't been covered. We will carefully analyze the versions of some packages. For some serious issues, I think we should upgrade the versions.

By the way, can the hwameistor team reward our team after fixing this problem? For example, apply for a CVE ID for our team for this problem, or another Vulnerability Reward Program?


This issue has been marked as stale because it has been open for 90 days with no activity. This thread will be automatically closed in 30 days if no further activity occurs.
