Vulnerability (CVE-2023-39325) in node-collector image #1636

Closed
chen-keinan opened this issue Nov 15, 2023 · 0 comments · Fixed by #1637
Labels: kind/security (security issues); priority/important-soon (Must be staffed and worked on either currently, or very soon, ideally in time for the next release.); target/kubernetes (Issues relating to kubernetes cluster scanning)

chen-keinan commented Nov 15, 2023

$ trivy image  ghcr.io/aquasecurity/node-collector:0.0.8

Global options:  
2023-11-15T00:09:27.491Z  INFO  Need to update DB
2023-11-15T00:09:27.491Z  INFO  DB Repository: ghcr.io/aquasecurity/trivy-db
2023-11-15T00:09:27.491Z  INFO  Downloading DB...
40.82 MiB / 40.82 MiB [-------------------------------------------------] 100.00% 38.19 MiB p/s 1.3s
2023-11-15T00:09:28.931Z  INFO  Vulnerability scanning is enabled
2023-11-15T00:09:28.931Z  INFO  Secret scanning is enabled
2023-11-15T00:09:28.931Z  INFO  If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-11-15T00:09:28.931Z  INFO  Please see also https://aquasecurity.github.io/trivy/v0.47/docs/scanner/secret/#recommendation for faster secret detection
2023-11-15T00:09:30.094Z  INFO  Detected OS: alpine
2023-11-15T00:09:30.094Z  WARN  This OS version is not on the EOL list: alpine 3.19_alpha20230901
2023-11-15T00:09:30.094Z  INFO  Detecting Alpine vulnerabilities...
2023-11-15T00:09:30.095Z  INFO  Number of language-specific files: 1
2023-11-15T00:09:30.095Z  INFO  Detecting gobinary vulnerabilities...

ghcr.io/aquasecurity/node-collector:2dfdfac30f73a8251bc3b70f432fba99d7b16478-amd64 (alpine 3.19_alpha20230901)
==============================================================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/node-collector (gobinary)
=======================================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2023-39325 │ HIGH     │ fixed  │ v0.13.0           │ 0.17.0        │ golang: net/http, x/net/http2: rapid stream resets can cause │
│                  │                │          │        │                   │               │ excessive work (CVE-2023-44487)                              │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

chen-keinan added the kind/bug, kind/security, priority/important-soon and target/kubernetes labels and removed the kind/bug label on Nov 15, 2023