From c1c8efa5fa2c1bfc5814e7365c79219561d9cb11 Mon Sep 17 00:00:00 2001 From: "vault-token-factory-spectrocloud[bot]" <133815545+vault-token-factory-spectrocloud[bot]@users.noreply.github.com> Date: Wed, 17 Jul 2024 20:28:09 +0000 Subject: [PATCH] docs: update ghsa-m425-mq94-257g.md (#3399) (#3401) * Update ghsa-m425-mq94-257g.md * chore: typo fix --------- Co-authored-by: Karl Cardenas (cherry picked from commit de32a57cc8f9713c4ad5620c9b12b8fe29292c5b) Co-authored-by: Tom McCollough <35183135+chainsaw2k@users.noreply.github.com> --- .../security-bulletins/reports/ghsa-m425-mq94-257g.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/docs-content/security-bulletins/reports/ghsa-m425-mq94-257g.md b/docs/docs-content/security-bulletins/reports/ghsa-m425-mq94-257g.md index b842baff81..42147f6031 100644 --- a/docs/docs-content/security-bulletins/reports/ghsa-m425-mq94-257g.md +++ b/docs/docs-content/security-bulletins/reports/ghsa-m425-mq94-257g.md 
@@ -12,6 +12,6 @@ tags: ["security", "cve"] We provide the most up-to-date information below. -| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | -| ------------------------------------------------------------------------ | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------- | ------- | -| [GHSA-m425-mq94-257g](https://github.com/advisories/GHSA-m425-mq94-257g) | 10/25/23 | The affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit. | CCVE exists in coredns that’s being used in k8s 1.28.11. Affects only k8s version 1.28.11. For customer workload clusters, workaround is to use k8s version 1.29+. For Palette Self Hosted cluster, a future release will upgrade to 1.29+. 
| [7.5](https://github.com/advisories/GHSA-m425-mq94-257g) | Ongoing | +| CVE ID | Last Update | NIST CVE Summary | Our Official Summary | CVE Severity | Status | +| ------------------------------------------------------------------------ | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------- | ------- | +| [GHSA-m425-mq94-257g](https://github.com/advisories/GHSA-m425-mq94-257g) | 10/25/23 | The affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit. | CVE exists in coredns that’s being used in k8s 1.28.11. Affects only k8s version 1.28.11. For customer workload clusters, workaround is to use k8s version 1.29+. For Palette Self Hosted cluster, a future release will upgrade to 1.29+. | [7.5](https://github.com/advisories/GHSA-m425-mq94-257g) | Ongoing |
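Review bot: In the added data row, the "Our Official Summary" cell says "CVE exists in coredns" while the NIST summary in the same row describes gRPC-Go, and nothing in the row says how the two relate. Suggest adding a short clause that names the dependency, for example that the coredns build used in k8s 1.28.11 includes an affected gRPC-Go release, if that is the case. Two smaller points on the same row: the NIST summary still opens with "The affected releases of gRPC-Go, it is possible for an attacker", which reads as a broken sentence ("In affected releases of gRPC-Go, it is possible" would parse), and the "Last Update" cell stays at 10/25/23 although this commit is dated 17 Jul 2024, so confirm whether that column tracks the upstream advisory or edits to this bulletin. The typo fix itself only changes "CCVE" to "CVE" plus column padding, so the 3-line churn is expected for a reflowed table.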