
ACK Detected Controllers CVEs #2295

Open
ack-bot opened this issue Feb 12, 2025 · 1 comment
Labels: kind/cve (Categorizes issue or PR as related to CVE), prow/auto-gen (PRs related to prow auto generation automation)

ack-bot (Collaborator) commented Feb 12, 2025

| CVE ID | Type | Severity | Installed Version | Fixed Version | Affected Controllers | Title |
|---|---|---|---|---|---|---|
| CVE-2024-24788 | gobinary | HIGH | 1.22.2 | 1.22.3 | [elasticache] | golang: net: malformed DNS message can cause infinite loop |
| CVE-2024-34156 | gobinary | HIGH | 1.22.2 | 1.22.7, 1.23.1 | [elasticache] | encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion |
| CVE-2024-24791 | gobinary | MEDIUM | 1.22.2 | 1.21.12, 1.22.5 | [elasticache] | net/http: Denial of service due to improper 100-continue handling in net/http |
| CVE-2024-34158 | gobinary | MEDIUM | 1.22.2 | 1.22.7, 1.23.1 | [elasticache] | go/build/constraint: golang: Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion |
| CVE-2024-45338 | gobinary | HIGH | v0.23.0 | 0.33.0 | [elasticache] | golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html |
| CVE-2024-24790 | gobinary | CRITICAL | 1.22.2 | 1.21.11, 1.22.4 | [elasticache] | golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses |
| CVE-2024-24789 | gobinary | MEDIUM | 1.22.2 | 1.21.11, 1.22.4 | [elasticache] | golang: archive/zip: Incorrect handling of certain ZIP files |
| CVE-2024-34155 | gobinary | MEDIUM | 1.22.2 | 1.22.7, 1.23.1 | [elasticache] | go/parser: golang: Calling any of the Parse functions containing deeply nested literals can cause a panic/stack exhaustion |
| CVE-2024-45336 | gobinary | MEDIUM | 1.22.2 | 1.22.11, 1.23.5, 1.24.0-rc.2 | [elasticache] | golang: net/http: sensitive headers incorrectly sent after cross-domain redirect |
| CVE-2024-45341 | gobinary | MEDIUM | 1.22.2 | 1.22.11, 1.23.5, 1.24.0-rc.2 | [elasticache] | golang: crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints |
| CVE-2025-22866 | gobinary | MEDIUM | 1.23.5 | 1.22.12, 1.23.6, 1.24.0-rc.3 | [acmpca apigateway cloudwatch dynamodb keyspaces lambda memorydb ram recyclebin athena cloudwatchlogs ecr efs iam wafv2 cloudfront networkfirewall organizations route53 sagemaker sns documentdb eks emrcontainers kinesis ssm apigatewayv2 elbv2 kafka rds route53resolver s3 s3control secretsmanager ses applicationautoscaling codeartifact prometheusservice cognitoidentityprovider elasticache kms sqs acm cloudtrail ecrpublic ecs eventbridge mq opensearchservice pipes sfn] | crypto/internal/nistec: golang: Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec |
| CVE-2024-39689 | amazon | LOW | 2023.2.64-1.amzn2.0.1 | 2023.2.68-1.amzn2.0.1 | [elasticache] | python-certifi: Remove root certificates from GLOBALTRUST from the root store |
ack-bot added the kind/cve and prow/auto-gen labels on Feb 12, 2025
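An added example, not the ACK project's own tooling, showing how the Installed Version and Fixed Version columns in the table above are evaluated for the Go toolchain rows: when one cell lists several fixed versions (for example 1.22.11, 1.23.5, 1.24.0-rc.2), each is the backport for one supported release line, so a binary is clear of a stdlib CVE only at or above the fix on its own line (1.22.2 gains nothing from 1.21.11), and the toolchain that was used to build a controller binary can be read from the binary itself with debug/buildinfo. The Finding type, IssueFindings, parseGoVersion, IsFixed and Unfixed are names chosen for this example; the golang.org/x/net module row and the python-certifi RPM row are left out because their versions are not Go toolchain versions.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strings"
)

// Finding is one Go-toolchain row of the scanner table above (IDs and versions
// copied from it; the x/net module and RPM rows are left out because they are
// not toolchain versions). This program is added here, not ACK or Trivy code.
type Finding struct {
	ID, Installed string
	Fixed         []string // first fixed release on each supported line
}

var IssueFindings = []Finding{
	{"CVE-2024-24788", "1.22.2", []string{"1.22.3"}},
	{"CVE-2024-34156", "1.22.2", []string{"1.22.7", "1.23.1"}},
	{"CVE-2024-24791", "1.22.2", []string{"1.21.12", "1.22.5"}},
	{"CVE-2024-34158", "1.22.2", []string{"1.22.7", "1.23.1"}},
	{"CVE-2024-24790", "1.22.2", []string{"1.21.11", "1.22.4"}},
	{"CVE-2024-24789", "1.22.2", []string{"1.21.11", "1.22.4"}},
	{"CVE-2024-34155", "1.22.2", []string{"1.22.7", "1.23.1"}},
	{"CVE-2024-45336", "1.22.2", []string{"1.22.11", "1.23.5", "1.24.0-rc.2"}},
	{"CVE-2024-45341", "1.22.2", []string{"1.22.11", "1.23.5", "1.24.0-rc.2"}},
	{"CVE-2025-22866", "1.23.5", []string{"1.22.12", "1.23.6", "1.24.0-rc.3"}},
}

// goVersion holds major, minor, patch and a rank: the rc number, or 1<<20 for a
// final release, so that "1.24.0-rc.2" sorts below "1.24.0".
type goVersion [4]int

// parseGoVersion accepts "1.22.2", "go1.22.2" (the form embedded in binaries),
// "1.22" and "1.24.0-rc.2".
func parseGoVersion(s string) (v goVersion, err error) {
	s = strings.TrimPrefix(s, "go")
	v[3] = 1 << 20 // overwritten only when an "-rc.N" suffix is present
	if n, _ := fmt.Sscanf(s, "%d.%d.%d-rc.%d", &v[0], &v[1], &v[2], &v[3]); n < 2 {
		return v, fmt.Errorf("unrecognised version %q", s)
	}
	return v, nil
}

// IsFixed reports whether installed carries the fix. Go backports fixes only to
// supported lines, so only the fix listed for the installed line counts (1.22.2
// gains nothing from 1.21.11); a line newer than every listed fix is treated
// as fixed, an older line with no listed fix as still vulnerable.
func IsFixed(installed string, fixed []string) (bool, error) {
	inst, err := parseGoVersion(installed)
	if err != nil {
		return false, err
	}
	newestLine := -1
	for _, f := range fixed {
		fv, err := parseGoVersion(f)
		if err != nil {
			return false, err
		}
		if fv[0] == inst[0] && fv[1] == inst[1] { // same line: patch, then rc rank
			return inst[2] > fv[2] || inst[2] == fv[2] && inst[3] >= fv[3], nil
		}
		if fv[0] == inst[0] && fv[1] > newestLine {
			newestLine = fv[1]
		}
	}
	return newestLine >= 0 && inst[1] > newestLine, nil
}

// Unfixed returns the IDs still below the fix for their line, i.e. what a rescan
// would report again; a non-empty toolchain overrides each row's Installed.
// Rows whose versions fail to parse are kept rather than silently cleared.
func Unfixed(findings []Finding, toolchain string) (ids []string) {
	for _, f := range findings {
		if toolchain != "" {
			f.Installed = toolchain
		}
		if ok, err := IsFixed(f.Installed, f.Fixed); err != nil || !ok {
			ids = append(ids, f.ID)
		}
	}
	return ids
}

// Given a binary path, check the toolchain embedded in it, which is what the
// scanner reports as Installed Version; otherwise re-evaluate the table as is.
func main() {
	toolchain := ""
	if len(os.Args) > 1 {
		bi, err := buildinfo.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		toolchain = bi.GoVersion
	}
	fmt.Println("still affected:", Unfixed(IssueFindings, toolchain))
}
```

Run it as `go run . /path/to/controller-binary` to check a built controller (the same go1.x.y string is printed by `go version -m <binary>`); with no argument it re-evaluates the rows as the scanner reported them, which reproduces all ten toolchain findings. A rebuild with go1.23.6 clears every row, while go1.23.4 still leaves CVE-2024-45336, CVE-2024-45341 and CVE-2025-22866, because their 1.23-line fixes are 1.23.5 and 1.23.6.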
rushmash91 (Member) commented:

The Team is aware of the vulnerabilities impacting the ElastiCache controller and is actively working on a patch. We anticipate having an update available soon.
