aws-efs-csi-driver.advisories.yaml

schema-version: 2.0.2

package:
  name: aws-efs-csi-driver

advisories:
  - id: CGA-2fvq-57pf-9xg6
    aliases:
      - CVE-2019-11255
      - GHSA-f4w6-3rh6-6q4q
    events:
      - timestamp: 2023-08-11T19:43:11Z
        type: false-positive-determination
        data:
          type: component-vulnerability-mismatch
          note: Vulnerable code is part of an external csi driver outside of Kubernetes source repository

  - id: CGA-339g-xmjm-w8p5
    aliases:
      - CVE-2023-45284
      - GHSA-rq3x-83w4-p28c
    events:
      - timestamp: 2023-11-07T19:23:23Z
        type: false-positive-determination
        data:
          type: vulnerable-code-not-included-in-package
          note: Only affects Windows

  - id: CGA-39qp-hg6m-4jr5
    aliases:
      - CVE-2024-24788
      - GHSA-2jwv-jmq4-4j3r
    events:
      - timestamp: 2024-05-15T07:24:53Z
        type: fixed
        data:
          fixed-version: 2.0.2-r1

  - id: CGA-3hx9-8324-8rv8
    aliases:
      - CVE-2023-45289
      - GHSA-32ch-6x54-q4h9
    events:
      - timestamp: 2024-03-13T09:11:24Z
        type: fixed
        data:
          fixed-version: 1.7.6-r1

  - id: CGA-3v3x-h7hr-25p5
    aliases:
      - CVE-2024-3177
      - GHSA-pxhw-596r-rwq5
    events:
      - timestamp: 2024-04-24T07:41:08Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: aws-efs-csi-driver
            componentID: 2e521c880322904f
            componentName: k8s.io/kubernetes
            componentVersion: v1.26.11
            componentType: go-module
            componentLocation: /usr/bin/aws-efs-csi-driver
            scanner: grype
      - timestamp: 2024-05-07T20:13:59Z
        type: pending-upstream-fix
        data:
          note: The non vulnerable code requires to upgrade Kubernetes dependencies to v1.27.13 but this package has a dependency of k8s.io/client-go@v1.26.15. So it requires upstream changes to support newer Kubernetes versions.

  - id: CGA-43v9-gw5h-mxwf
    aliases:
      - CVE-2023-45283
      - GHSA-vvjp-q62m-2vph
    events:
      - timestamp: 2023-11-07T19:23:21Z
        type: false-positive-determination
        data:
          type: vulnerable-code-not-included-in-package
          note: Only affects Windows

  - id: CGA-4mv2-94mh-jjc8
    aliases:
      - CVE-2024-24784
      - GHSA-fgq5-q76c-gx78
    events:
      - timestamp: 2024-03-13T09:11:21Z
        type: fixed
        data:
          fixed-version: 1.7.6-r1

  - id: CGA-754c-4gp9-66fm
    aliases:
      - CVE-2023-5528
      - GHSA-hq6q-c2x6-hmch
    events:
      - timestamp: 2023-11-22T09:19:11Z
        type: fixed
        data:
          fixed-version: 1.7.1-r1

  - id: CGA-83jv-3r5g-fpx8
    aliases:
      - CVE-2024-34155
      - GHSA-8xfx-rj4p-23jm
    events:
      - timestamp: 2024-09-10T10:01:42Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: aws-efs-csi-driver
            componentID: 8a3ad83a63baa317
            componentName: stdlib
            componentVersion: go1.22.6
            componentType: go-module
            componentLocation: /usr/bin/aws-efs-csi-driver
            scanner: grype
      - timestamp: 2024-09-12T19:05:41Z
        type: fixed
        data:
          fixed-version: 2.0.7-r1

  - id: CGA-87j8-pv6j-542w
    aliases:
      - CVE-2023-39325
      - GHSA-4374-p667-p6c8
    events:
      - timestamp: 2023-10-13T12:39:03Z
        type: fixed
        data:
          fixed-version: 1.7.0-r5

  - id: CGA-8h59-7f4f-gj59
    aliases:
      - CVE-2024-24785
      - GHSA-j6m3-gc37-6r6q
    events:
      - timestamp: 2024-03-13T09:11:22Z
        type: fixed
        data:
          fixed-version: 1.7.6-r1

  - id: CGA-8q8v-w44c-wmc2
    aliases:
      - CVE-2024-24783
      - GHSA-3q2c-pvp5-3cqp
    events:
      - timestamp: 2024-03-13T09:11:27Z
        type: fixed
        data:
          fixed-version: 1.7.6-r1

  - id: CGA-8wxf-pvcw-7xgp
    aliases:
      - CVE-2023-2728
      - GHSA-cgcv-5272-97pr
    events:
      - timestamp: 2023-08-11T19:45:18Z
        type: false-positive-determination
        data:
          type: vulnerable-code-not-in-execution-path
          note: Vulnerable code is part of the Kubernetes ServiceAccount admission plugin which is not in the execution path of aws-efs-csi-driver

  - id: CGA-98jw-q53j-x696
    aliases:
      - CVE-2023-2727
      - GHSA-qc2g-gmh6-95p4
    events:
      - timestamp: 2023-08-11T19:41:17Z
        type: false-positive-determination
        data:
          type: vulnerable-code-not-in-execution-path
          note: Vulnerable code is part of the Kubernetes API server which is not in the execution path of aws-efs-csi-driver

  - id: CGA-9qhr-xqp2-qgxq
    aliases:
      - CVE-2024-5321
      - GHSA-82m2-cv7p-4m75
    events:
      - timestamp: 2024-07-19T07:01:36Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: aws-efs-csi-driver
            componentID: 121d1d4a0e63c16a
            componentName: k8s.io/kubernetes
            componentVersion: v1.26.11
            componentType: go-module
            componentLocation: /usr/bin/aws-efs-csi-driver
            scanner: grype
      - timestamp: 2024-07-22T20:13:59Z
        type: pending-upstream-fix
        data:
          note: The non vulnerable code requires to upgrade Kubernetes dependencies to v1.27.16 but this package has a dependency of k8s.io/client-go@v1.26.15. So it requires upstream changes to support newer Kubernetes versions.

  - id: CGA-g675-xr52-846m
    aliases:
      - CVE-2024-24787
      - GHSA-5fq7-4mxc-535h
    events:
      - timestamp: 2024-05-15T07:24:51Z
        type: fixed
        data:
          fixed-version: 2.0.2-r1

  - id: CGA-g6v5-cw72-xxc4
    aliases:
      - CVE-2023-3978
      - GHSA-2wrh-6pvc-2jm9
    events:
      - timestamp: 2023-10-13T12:38:17Z
        type: fixed
        data:
          fixed-version: 1.7.0-r5

  - id: CGA-ghxm-jj53-fmq2
    aliases:
      - CVE-2021-25743
      - GHSA-f9jg-8p32-2f55
    events:
      - timestamp: 2023-10-03T20:11:33Z
        type: false-positive-determination
        data:
          type: vulnerable-code-not-included-in-package
          note: The vulnerable code is specific to kubectl.

  - id: CGA-h3vc-52fq-mjp6
    aliases:
      - CVE-2023-45288
      - GHSA-4v7x-pqxf-cx7m
    events:
      - timestamp: 2024-04-13T07:05:25Z
        type: fixed
        data:
          fixed-version: 1.7.7-r1

  - id: CGA-jr9w-hxfh-vq5q
    aliases:
      - CVE-2024-34156
      - GHSA-crqm-pwhx-j97f
    events:
      - timestamp: 2024-09-10T10:01:49Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: aws-efs-csi-driver
            componentID: 8a3ad83a63baa317
            componentName: stdlib
            componentVersion: go1.22.6
            componentType: go-module
            componentLocation: /usr/bin/aws-efs-csi-driver
            scanner: grype
      - timestamp: 2024-09-12T19:05:41Z
        type: fixed
        data:
          fixed-version: 2.0.7-r1

  - id: CGA-p3wv-wqgx-5f9g
    aliases:
      - CVE-2023-44487
      - GHSA-m425-mq94-257g
      - GHSA-qppj-fm5r-hxr3
    events:
      - timestamp: 2023-11-02T12:14:19Z
        type: fixed
        data:
          fixed-version: 1.7.0-r6

  - id: CGA-qv9r-w22w-39xx
    aliases:
      - CVE-2023-3955
      - GHSA-q78c-gwqw-jcmc
    events:
      - timestamp: 2023-11-02T12:23:22Z
        type: fixed
        data:
          fixed-version: 1.7.0-r6

  - id: CGA-rg46-5c79-8phf
    aliases:
      - CVE-2023-2431
      - GHSA-xc8m-28vv-4pjc
    events:
      - timestamp: 2023-08-11T19:38:34Z
        type: false-positive-determination
        data:
          type: vulnerable-code-not-in-execution-path
          note: Vulnerable code is part of the Kubernetes kubelet which is not in the execution path of the aws-efs-csi-driver

  - id: CGA-rgj7-6h43-r6vm
    aliases:
      - CVE-2024-24791
      - GHSA-hw49-2p59-3mhj
    events:
      - timestamp: 2024-07-04T10:13:15Z
        type: fixed
        data:
          fixed-version: 2.0.5-r1

  - id: CGA-vm59-h37f-mvvw
    aliases:
      - CVE-2024-34158
      - GHSA-j7vj-rw65-4v26
    events:
      - timestamp: 2024-09-10T10:01:56Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: aws-efs-csi-driver
            componentID: 8a3ad83a63baa317
            componentName: stdlib
            componentVersion: go1.22.6
            componentType: go-module
            componentLocation: /usr/bin/aws-efs-csi-driver
            scanner: grype
      - timestamp: 2024-09-12T19:05:42Z
        type: fixed
        data:
          fixed-version: 2.0.7-r1

  - id: CGA-w67c-39q4-62q3
    aliases:
      - CVE-2024-24786
      - GHSA-8r3f-844c-mc37
    events:
      - timestamp: 2024-03-14T16:20:16Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: aws-efs-csi-driver
            componentID: ef041f687274f2b8
            componentName: google.golang.org/protobuf
            componentVersion: v1.31.0
            componentType: go-module
            componentLocation: /usr/bin/aws-efs-csi-driver
            scanner: grype
      - timestamp: 2024-03-15T18:09:19Z
        type: fixed
        data:
          fixed-version: 1.7.6-r2

  - id: CGA-wvv3-h89j-7rr4
    aliases:
      - CVE-2023-45290
      - GHSA-rr6r-cfgf-gc6h
    events:
      - timestamp: 2024-03-13T09:11:26Z
        type: fixed
        data:
          fixed-version: 1.7.6-r1