Skip to content

Commit

Permalink
kiali not affected by CVE-2023-37920
Browse files Browse the repository at this point in the history
  • Loading branch information
jmazzitelli committed Dec 20, 2024
1 parent cf6cbc1 commit f6e04f1
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions data/security/cve.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,10 @@ versionRange:
severity: n/a
description: "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set"
notes: "Kiali is not affected. ISO-2022-CN-EXT has been removed. To confirm, run the validation command `podman run -it --rm --entrypoint '' quay.io/kiali/kiali:v2.2.0 iconv -l | grep -E 'CN-?EXT'`. See https://access.redhat.com/security/cve/CVE-2024-2961"
- cve: "CVE-2023-37920"
severity: low
description: "A flaw was found in the python-certifi package. This issue occurs when the e-Tugra root certificate in Certifi is removed, resulting in an unspecified error that has an unknown impact and attack vector."
notes: "Kiali is not affected. This was fixed in RHEL9 base images with RHBA-2024:5691. Per the CVE page, these certs are included and marked as 'don't trust', but will not be removed until Mozilla removes them. Browsers are most at risk, which already understand and parse 'don't trust after'. Furthermore, note that Microsoft has not removed the certificate from their code-signing CA list that are merged with Mozilla's CA list, so the certificate is still there marked as trusted for code signing. See: https://access.redhat.com/security/cve/cve-2023-37920 and https://access.redhat.com/errata/RHBA-2024:5691"
- cve: "CVE-2022-27191"
severity: high
description: "golang.org/x/crypto/ssh allows an attacker to crash a server in certain circumstances involving AddHostKey"
Expand Down

0 comments on commit f6e04f1

Please sign in to comment.