prometheus-operator / kube-prometheus

Use Prometheus to monitor Kubernetes and applications running on Kubernetes

Home Page: https://prometheus-operator.dev/


security: CVE-2023-49569 - go-git/v5 - kube-prometheus-stack-grafana

mfreeman451 opened this issue · comments

What happened?

It looks like grafana in the kube-prometheus-stack-grafana deployment has been built with a vulnerable version of the go-git/v5 library.

Specifically usr/share/grafana/bin/grafana (gobinary)

CVE-2023-49569 in github.com/go-git/go-git/v5
Severity: CRITICAL

Resource: monitoring/Deployment/kube-prometheus-stack-grafana

Installed Version: v5.4.2

Fixed Version: 5.11.0

Did you expect to see something different?

How to reproduce it (as minimally and precisely as possible):

❯ trivy image docker.io/grafana/grafana:10.2.2

Environment

  • Prometheus Operator version:

N/A

  • Kubernetes version information:

Client Version: v1.29.0
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.28.4-eks-8cb36c9

  • Kubernetes cluster kind:

EKS

  • Manifests:

NA

  • Prometheus Operator Logs:

NA

  • Prometheus Logs:

NA

Anything else we need to know?:

[Screenshot attached: 2024-01-11]
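To triage a finding like the one reported above without reading raw scanner output by hand, the following added example (not part of kube-prometheus or the issue) parses a Trivy JSON report and keeps only findings whose installed version is still below the fixed version; the report is a constructed sample mirroring the go-git finding in this issue, and the JSON field names are assumed to follow Trivy's report format.

```python
import json
import re

# Constructed sample mirroring the Trivy finding quoted in this issue
# (field names as in Trivy's JSON report; the second entry is made up
# to show an already-fixed package being filtered out).
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "docker.io/grafana/grafana:10.2.2",
    "Results": [{
        "Target": "usr/share/grafana/bin/grafana",
        "Type": "gobinary",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2023-49569",
             "PkgName": "github.com/go-git/go-git/v5",
             "InstalledVersion": "v5.4.2",
             "FixedVersion": "5.11.0",
             "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-00000",  # constructed placeholder
             "PkgName": "example.org/already-fixed",
             "InstalledVersion": "v2.0.0",
             "FixedVersion": "2.0.0",
             "Severity": "HIGH"},
        ],
    }],
})


def version_key(version):
    """Turn 'v5.4.2' or '5.11.0' into a comparable tuple.

    Go module versions carry a leading 'v' while Trivy's FixedVersion may
    not, so the prefix is dropped before comparing numeric components."""
    core = version.strip().lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(p) for p in re.findall(r"\d+", core)[:3])


def unpatched_findings(report_json, severities=("CRITICAL", "HIGH")):
    """Return (target, cve, package, installed, fixed) for findings that
    have a fix available, match the wanted severities, and whose installed
    version is older than the fix."""
    report = json.loads(report_json)
    hits = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            fixed = vuln.get("FixedVersion")
            if not fixed or vuln.get("Severity") not in severities:
                continue
            # FixedVersion may list several versions; compare with the first.
            first_fix = fixed.split(",")[0]
            if version_key(vuln["InstalledVersion"]) < version_key(first_fix):
                hits.append((result["Target"], vuln["VulnerabilityID"],
                             vuln["PkgName"], vuln["InstalledVersion"], first_fix))
    return hits
```

On a real cluster the report would come from `trivy image --format json <image>` rather than the embedded sample.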