prometheus / node_exporter

Exporter for machine metrics

Home Page: https://prometheus.io/


Update node_exporter to fix CVE-2023-48795

arathy-minerva opened this issue · comments

What did you do that produced an error?

node_exporter v1.7.0 is using the crypto package that has GHSA-45x7-px36-x8w8. This requires upgrading the crypto package from 0.15.0 to 0.17.0 to resolve the CVE.

Issue Description: Medium Vulnerability found in non-os package type (go-module) - golang.org/x/crypto(cvss_v3_base_score=5.9)(GHSA-45x7-px36-x8w8 - GHSA-45x7-px36-x8w8). Prefix Truncation Attack against ChaCha20-Poly1305 and Encrypt-then-MAC aka Terrapin
Severity: Medium
CVSS_V3_Base_Score: 5.9
Advisory Name: GHSA-45x7-px36-x8w8

What did you expect to see?

No vulnerabilities should be present in node_exporter

What did you see instead?

Security vulnerabilities found in golang.org/x/crypto 0.15.0 version

This is already updated.

I can see the crypto version in the 1.7.0 version is
golang.org/x/crypto v0.14.0 // indirect
Can you give some insight?
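The thread turns on which golang.org/x/crypto version a release actually requires and whether it is at or above the version the issue names as fixed (v0.17.0). The following Go program is an added example, not node_exporter's own code: it parses go.mod text (a constructed sample, not the real node_exporter go.mod), extracts the required version of a module from either the single-line or the parenthesised `require` form, ignores `// indirect` comments, and compares it against the fixed version with a small semver comparison that treats pre-releases such as `v0.17.0-rc1` as older than `v0.17.0`. The fixed-version constant is taken from the issue text above; everything else in the block is assumed.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleGoMod is constructed sample input for this example; it is not the
// real node_exporter go.mod.
const sampleGoMod = `module example.com/sample

go 1.21

require (
	github.com/prometheus/client_golang v1.17.0
	golang.org/x/crypto v0.14.0 // indirect
	golang.org/x/sys v0.15.0 // indirect
)
`

// fixedCryptoVersion is the golang.org/x/crypto release the issue above names
// as resolving GHSA-45x7-px36-x8w8 / CVE-2023-48795.
const fixedCryptoVersion = "v0.17.0"

// RequiredVersion scans go.mod text and returns the version required for
// modulePath, or "" if the module is not listed. It accepts both the
// single-line `require path vX` form and the `require ( ... )` block form,
// and strips trailing comments such as `// indirect`.
func RequiredVersion(goMod, modulePath string) string {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	inBlock := false
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i]) // drop trailing comment
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		}
		fields := strings.Fields(line)
		if !inBlock {
			// Outside a block only `require <path> <version>` lines count.
			if len(fields) == 3 && fields[0] == "require" {
				fields = fields[1:]
			} else {
				continue
			}
		}
		if len(fields) == 2 && fields[0] == modulePath {
			return fields[1]
		}
	}
	return ""
}

// parseSemver turns "vMAJOR.MINOR.PATCH[-pre][+build]" into four integers:
// major, minor, patch, and a release flag (1 for a release, 0 for a
// pre-release) so that v0.17.0-rc1 sorts below v0.17.0. Build metadata is
// ignored. ok is false when the string is not in that shape.
func parseSemver(v string) (parts [4]int, ok bool) {
	v = strings.TrimPrefix(v, "v")
	parts[3] = 1
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	if i := strings.Index(v, "-"); i >= 0 {
		v = v[:i]
		parts[3] = 0
	}
	segs := strings.Split(v, ".")
	if len(segs) != 3 {
		return parts, false
	}
	for i, s := range segs {
		n, err := strconv.Atoi(s)
		if err != nil || n < 0 {
			return parts, false
		}
		parts[i] = n
	}
	return parts, true
}

// CompareVersions returns -1, 0 or 1 as a is lower than, equal to or higher
// than b. An unparseable version compares lower than a parseable one, so a
// malformed string never reads as "fixed".
func CompareVersions(a, b string) int {
	pa, okA := parseSemver(a)
	pb, okB := parseSemver(b)
	if !okA || !okB {
		switch {
		case okA == okB:
			return 0
		case okA:
			return 1
		default:
			return -1
		}
	}
	for i := range pa {
		if pa[i] < pb[i] {
			return -1
		}
		if pa[i] > pb[i] {
			return 1
		}
	}
	return 0
}

// IsCryptoFixed reports whether the go.mod text requires golang.org/x/crypto
// at or above fixedCryptoVersion. A missing module fails closed (not fixed).
func IsCryptoFixed(goMod string) bool {
	v := RequiredVersion(goMod, "golang.org/x/crypto")
	if v == "" {
		return false
	}
	return CompareVersions(v, fixedCryptoVersion) >= 0
}

func main() {
	v := RequiredVersion(sampleGoMod, "golang.org/x/crypto")
	fmt.Printf("golang.org/x/crypto %s: at or above %s = %v\n",
		v, fixedCryptoVersion, IsCryptoFixed(sampleGoMod))
}
```

On the sample above the check reports `v0.14.0` and "not fixed", matching the discrepancy the last comment points at. Against a real checkout, `go list -m all` prints the versions the build actually selects, which is the authoritative answer when a scanner and go.mod disagree, and `govulncheck` reports only vulnerabilities in code paths the binary reaches.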