security: CVE-2023-49569 - go-git/v5 - kube-prometheus-stack-grafana
mfreeman451 opened this issue · comments
Michael Freeman commented
What happened?
It looks like grafana in the kube-prometheus-stack-grafana deployment has been built with a vulnerable version of the go-git/v5 library.
Specifically, usr/share/grafana/bin/grafana (gobinary):
CVE-2023-49569 in github.com/go-git/go-git/v5
Severity: CRITICAL
Resource: monitoring/Deployment/kube-prometheus-stack-grafana
Installed Version: v5.4.2
Fixed Version: 5.11.0
Did you expect to see something different?
How to reproduce it (as minimally and precisely as possible):
❯ trivy image docker.io/grafana/grafana:10.2.2
Environment
- Prometheus Operator version:
N/A
- Kubernetes version information:
Client Version: v1.29.0
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.28.4-eks-8cb36c9
- Kubernetes cluster kind:
EKS
- Manifests:
NA
- Prometheus Operator Logs:
NA
- Prometheus Logs:
NA
Anything else we need to know?:
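A triage check for the kind of finding reported above, added here as an example (it is not part of this issue, nor code from the Grafana or kube-prometheus-stack projects): it parses trivy's JSON output (a constructed sample is embedded inline, mirroring the report's values) and lists each occurrence of a given CVE whose installed version is still below the fixed version, taking care of the `v`-prefixed module versions that Go binaries report.

```python
import json
import re

# Constructed sample of `trivy image --format json` output, trimmed to the fields
# this check reads; the values mirror the finding in the report above.
SAMPLE_TRIVY_JSON = """
{
  "Results": [
    {
      "Target": "usr/share/grafana/bin/grafana",
      "Class": "lang-pkgs",
      "Type": "gobinary",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2023-49569",
          "PkgName": "github.com/go-git/go-git/v5",
          "InstalledVersion": "v5.4.2",
          "FixedVersion": "5.11.0",
          "Severity": "CRITICAL"
        }
      ]
    }
  ]
}
"""

def parse_version(v):
    """Turn 'v5.4.2' or '5.11.0' into a comparable (major, minor, patch) tuple.
    Go module versions carry a leading 'v' that trivy's FixedVersion omits, so both
    spellings must compare equal; only the first version in a comma-separated list is used."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    return tuple(int(x) for x in m.groups())

def unfixed_findings(report_json, cve_id):
    """Return (target, package, installed, fixed) for every occurrence of cve_id
    whose installed version is still below the fix, or that has no fix at all."""
    report = json.loads(report_json)
    hits = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("VulnerabilityID") != cve_id:
                continue
            installed = vuln["InstalledVersion"]
            fixed = vuln.get("FixedVersion")
            # No FixedVersion means an upgrade cannot remediate it: still report it.
            if not fixed or parse_version(installed) < parse_version(fixed):
                hits.append((result["Target"], vuln["PkgName"], installed, fixed))
    return hits

if __name__ == "__main__":
    for target, pkg, installed, fixed in unfixed_findings(SAMPLE_TRIVY_JSON, "CVE-2023-49569"):
        print(f"{target}: {pkg} {installed} is below fixed version {fixed}")
```

Feed it the real output of `trivy image --format json docker.io/grafana/grafana:10.2.2` instead of the sample to confirm whether a rebuilt image has actually moved past 5.11.0.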