High vulnerabilities CVE-2023-39533 found in Metrics server v0.6.4 #1339
Comments
/traige accepted
/triage accepted
Hello @dashpole, we are also seeing CVE-2023-44487 as part of the package. This requires upgrading golang to a newer patch version to pull in the latest net package.
Contributions are welcomed!
Hi @serathius, one new critical CVE-2023-39323 report in the existing Go package. Thanks & Regards
Contributions are welcomed!
Hi Team,
The plan is to cut v0.7.0 next: #1165
I believe https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.7.1 is not affected by any of these. Should we close this issue? By the way, some of these don't seem to affect metrics-server, namely
Perhaps we can use VEX in the future to communicate this to users instead. Edited: html/template does seem to come as a transitive dependency from prometheus packages, but I still think metrics-server was not affected
Hi Team,
One high vulnerability, CVE-2023-39533, found in Metrics server v0.6.4.
This vulnerability is in the current Go version 1.19.11.
Along with this, 3 other medium vulnerabilities:
CVE-2023-29409
CVE-2023-39319
CVE-2023-39318
When is a release planned with the mentioned vulnerability fixes?
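Reports like the one above (a CVE list plus the toolchain version the binary was built with) are easiest to act on when checked against the shipped artifact rather than the source tree. The following Go program is an added example, not metrics-server code: it parses the text that `go version -m <binary>` prints for a Go binary, extracts the toolchain version and the linked module versions (the `golang.org/x/net` line is what the comment about the net package refers to), and flags any component below a minimum the caller supplies. The build-info text is constructed for this example, and the minimum versions in `main` are placeholders; take the actual fixed versions from the Go advisory for each CVE.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// sampleBuildInfo is CONSTRUCTED output in the shape `go version -m <binary>`
// prints: a "file: goX.Y.Z" header followed by indented path/mod/dep/build lines.
const sampleBuildInfo = `metrics-server: go1.19.11
	path	sigs.k8s.io/metrics-server/cmd/metrics-server
	mod	sigs.k8s.io/metrics-server	(devel)
	dep	golang.org/x/net	v0.10.0	h1:PLACEHOLDERSUM
	dep	github.com/prometheus/common	v0.44.0	h1:PLACEHOLDERSUM
	build	-buildmode=exe
`

// BuildInfo is the subset of build metadata the check needs.
type BuildInfo struct {
	GoVersion string            // toolchain version without the "go" prefix, e.g. "1.19.11"
	Deps      map[string]string // module path -> version without the "v" prefix
}

// ParseGoVersionM parses `go version -m` text output.
func ParseGoVersionM(out string) (BuildInfo, error) {
	bi := BuildInfo{Deps: map[string]string{}}
	lines := strings.Split(strings.TrimRight(out, "\n"), "\n")
	head := lines[0]
	idx := strings.LastIndex(head, ": go")
	if idx < 0 {
		return bi, fmt.Errorf("no toolchain version in header %q", head)
	}
	bi.GoVersion = strings.TrimSpace(head[idx+len(": go"):])
	for _, l := range lines[1:] {
		f := strings.Fields(l) // tolerant of tab or space separation
		if len(f) >= 3 && f[0] == "dep" {
			bi.Deps[f[1]] = strings.TrimPrefix(f[2], "v")
		}
	}
	return bi, nil
}

// parseVer turns "1.19.11" into [1 19 11]; a missing minor or patch is zero.
// Pre-release strings such as "1.21rc1" are rejected rather than guessed at.
func parseVer(v string) ([3]int, error) {
	var out [3]int
	parts := strings.Split(v, ".")
	if len(parts) == 0 || len(parts) > 3 {
		return out, fmt.Errorf("bad version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("bad version %q: %v", v, err)
		}
		out[i] = n
	}
	return out, nil
}

// AtLeast reports whether have >= want, comparing major, minor, then patch.
func AtLeast(have, want string) (bool, error) {
	h, err := parseVer(have)
	if err != nil {
		return false, err
	}
	w, err := parseVer(want)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if h[i] != w[i] {
			return h[i] > w[i], nil
		}
	}
	return true, nil
}

// Finding is one component whose version is below the required minimum.
type Finding struct{ Component, Have, Want string }

// Check compares the toolchain and each listed module against the minimums.
// Modules that are not linked into the binary at all are skipped: a fix for a
// package the binary never imported is not a missing fix.
func Check(bi BuildInfo, minGo string, minDeps map[string]string) ([]Finding, error) {
	var findings []Finding
	ok, err := AtLeast(bi.GoVersion, minGo)
	if err != nil {
		return nil, err
	}
	if !ok {
		findings = append(findings, Finding{"go toolchain", bi.GoVersion, minGo})
	}
	for mod, want := range minDeps {
		have, linked := bi.Deps[mod]
		if !linked {
			continue
		}
		ok, err := AtLeast(have, want)
		if err != nil {
			return nil, err
		}
		if !ok {
			findings = append(findings, Finding{mod, have, want})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Component < findings[j].Component })
	return findings, nil
}

func main() {
	bi, err := ParseGoVersionM(sampleBuildInfo)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	// PLACEHOLDER minimums: substitute the fixed versions from the Go advisory for each CVE.
	findings, err := Check(bi, "1.19.12", map[string]string{"golang.org/x/net": "0.17.0"})
	if err != nil {
		fmt.Println("check error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s: have %s, need at least %s\n", f.Component, f.Have, f.Want)
	}
	if len(findings) == 0 {
		fmt.Println("no component below the required minimum")
	}
}
```

Run `go version -m` against the binary inside the released container image rather than against a local build, since the toolchain and module set baked into the image are what actually ship; the header line is the authoritative toolchain version, which is why the program reads it from there instead of from `go.mod`.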