High severity vulnerability found by Snyk scanner - Denial of Service (DoS)

[pavol-antalik-mox]

/kind bug

What happened?

Snyk scan in our CI pipeline revealed vulnerabilities in the 1.24.0 release image:

✗ High severity vulnerability found in google.golang.org/grpc
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328
  Introduced through: google.golang.org/[email protected]
  From: google.golang.org/[email protected]
  Fixed in: 1.56.3, 1.57.1, 1.58.3

✗ High severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327
  Introduced through: golang.org/x/net/[email protected]
  From: golang.org/x/net/[email protected]
  Fixed in: 0.17.0

More info:
https://security.snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328
and
https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327

What you expected to happen?

Please, update packages to above suggested versions with fix.

[ConnorJC3]

We're in the process of releasing versions 1.23.2 and 1.24.1 which will contain updated dependencies with a fix for these CVEs.

[torredil]

Hi @pavol-antalik-mox, thank you for reporting this. The CVEs mentioned above have been fixed in our latest releases: 1.23.2 and 1.24.1.

/close

[k8s-ci-robot]

@torredil: Closing this issue.

In response to this:

Hi @pavol-antalik-mox, thank you for reporting this. The CVEs mentioned above have been fixed in our latest releases: 1.23.2 and 1.24.1.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[pavol-antalik-mox]

Thank you, our build now finishes the Snyk check without issues.