CVE-2023-47108 "Vulnerability detected affecting otelgrpc v0.42.0" found in kube-rbac-proxy v0.16.0 #281
Comments
I encountered the same issue and committed a PR, but no one replied to me.
Hi, I will take a look, but CVEs in dependencies that are not within the code path of kube-rbac-proxy are not a priority. kube-rbac-proxy doesn't use any instrumentation itself. I am the only maintainer and I need to prioritize, and code changes to satisfy code scanners are not at the top. (In case you are curious, the priority order is: 1. Real CVEs, 2. Bugs, 3. the work to make it a Kubernetes project.)
@changluyi, your PRs are not working. It would be nice if you could at least check if it builds.
Should be fixed with #287
Does it not? I assumed that k8s fixed it in v1.29 https://github.com/kubernetes/kubernetes/blob/master/go.mod#L68 Curious why upstream doesn't fix it... Anyway, I will try to bump it then by hand. It is not easy to bump the telemetry stuff. It looks like their dependencies are a "Kuddelmuddel", as we would say in Germany. A mess. And it doesn't affect krp.
Should be fixed. If not, please reopen. #298
We're seeing the above vulnerability in the latest (v0.16.0) version of the kube-rbac-proxy. What is the mitigation timeline for fixing this?