x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-f4w6-3rh6-6q4q #1943

GoVulnBot · 2023-07-19T01:01:17Z

In GitHub Security Advisory GHSA-f4w6-3rh6-6q4q, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
k8s.io/kubernetes		> 1.16

Cross references:

Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-qh36-44jv-c8xj #617 NOT_IMPORTABLE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes/pkg/apiserver: GHSA-pmqp-h87c-mr78 #703 EFFECTIVELY_PRIVATE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes/pkg/util/mount: GHSA-wqwf-x5cj-rg56 #886 NOT_IMPORTABLE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2020-8561, GHSA-74j8-88mm-7496 #904 NOT_IMPORTABLE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25735, GHSA-g42g-737j-qx6j #907 NOT_IMPORTABLE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25737, GHSA-mfv7-gq43-w965 #908 NOT_IMPORTABLE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25740, GHSA-vw47-mr44-3jf9 #909 NOT_IMPORTABLE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2021-25741, GHSA-f5f7-6478-qm6p #910 NOT_IMPORTABLE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: CVE-2020-8554, GHSA-j9wf-vvm6-4r9w #940 EFFECTIVELY_PRIVATE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes/pkg/kubectl: CVE-2021-25743, GHSA-f9jg-8p32-2f55 #983 EFFECTIVELY_PRIVATE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-2jx2-76rc-2v7v #1492 EFFECTIVELY_PRIVATE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-xc8m-28vv-4pjc #1864 EFFECTIVELY_PRIVATE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-qc2g-gmh6-95p4 #1891 NOT_IMPORTABLE
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-cgcv-5272-97pr #1892 NOT_IMPORTABLE
Module k8s.io/kubernetes appears in issue dummy issue #64
Module k8s.io/kubernetes appears in issue dummy issue #65
Module k8s.io/kubernetes appears in issue dummy issue #66
Module k8s.io/kubernetes appears in issue x/vulndb: potential Go vuln in github.com/kubernetes/kubernetes: GHSA-jp32-vmm6-3vf5 #701

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: k8s.io/kubernetes
      versions:
        - introduced: TODO (earliest fixed "", vuln range "> 1.16")
      vulnerable_at: 1.27.3
      packages:
        - package: k8s.io/kubernetes
summary: Kubernetes CSI Sidecar Containers Can Allow Unauthorized Data Access
description: |-
    Improper input validation in Kubernetes CSI sidecar containers for
    external-provisioner (<v0.4.3, <v1.0.2, v1.1, <v1.2.2, <v1.3.1),
    external-snapshotter (<v0.4.2, <v1.0.2, v1.1, <1.2.2), and external-resizer
    (v0.1, v0.2) could result in unauthorized PersistentVolume data access or volume
    mutation during snapshot, restore from snapshot, cloning and resizing
    operations.
cves:
    - CVE-2019-11255
ghsas:
    - GHSA-f4w6-3rh6-6q4q
references:
    - web: https://nvd.nist.gov/vuln/detail/CVE-2019-11255
    - report: https://github.com/kubernetes/kubernetes/issues/85233
    - web: https://access.redhat.com/errata/RHSA-2019:4054
    - web: https://access.redhat.com/errata/RHSA-2019:4096
    - web: https://access.redhat.com/errata/RHSA-2019:4099
    - web: https://access.redhat.com/errata/RHSA-2019:4225
    - web: https://groups.google.com/forum/#!topic/kubernetes-security-announce/aXiYN0q4uIw
    - web: https://security.netapp.com/advisory/ntap-20200810-0003/
    - advisory: https://github.com/advisories/GHSA-f4w6-3rh6-6q4q

The text was updated successfully, but these errors were encountered:

gopherbot · 2023-07-25T21:19:39Z

Change https://go.dev/cl/513195 mentions this issue: data/excluded: batch add 26 excluded reports

neild self-assigned this Jul 25, 2023

neild added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Jul 25, 2023

gopherbot closed this as completed in c30dc8f Jul 25, 2023

This was referenced Jul 26, 2023

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-mm7g-f2gg-cw8g #1977

Closed

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-2h9c-34v6-3qmr #1985

Closed

GoVulnBot mentioned this issue Nov 1, 2023

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-q78c-gwqw-jcmc #2170

Closed

This was referenced Nov 10, 2023

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-7fxm-f474-hf8w #2330

Closed

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-hq6q-c2x6-hmch #2341

Closed

GoVulnBot mentioned this issue Apr 23, 2024

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-pxhw-596r-rwq5 #2746

Closed

GoVulnBot mentioned this issue Jul 18, 2024

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-82m2-cv7p-4m75 #2994

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-f4w6-3rh6-6q4q #1943

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-f4w6-3rh6-6q4q #1943

GoVulnBot commented Jul 19, 2023

gopherbot commented Jul 25, 2023

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-f4w6-3rh6-6q4q #1943

x/vulndb: potential Go vuln in k8s.io/kubernetes: GHSA-f4w6-3rh6-6q4q #1943

Comments

GoVulnBot commented Jul 19, 2023

gopherbot commented Jul 25, 2023