Update node_exporter to fix CVE-2023-48795
arathy-minerva opened this issue
What did you do that produced an error?
node_exporter v1.7.0 is using the crypto package that has GHSA-45x7-px36-x8w8. This requires upgrading crypto package from 0.15.0 to 0.17.0 to resolve the CVE.
Issue Description: Medium Vulnerability found in non-os package type (go-module) - golang.org/x/crypto(cvss_v3_base_score=5.9)(GHSA-45x7-px36-x8w8 - GHSA-45x7-px36-x8w8). Prefix Truncation Attack against ChaCha20-Poly1305 and Encrypt-then-MAC aka Terrapin
Severity: Medium
CVSS_V3_Base_Score: 5.9
Advisory Name: GHSA-45x7-px36-x8w8
What did you expect to see?
No vulnerabilities should be present in node_exporter
What did you see instead?
Security vulnerabilities found in golang.org/x/crypto 0.15.0 version
This is already updated.
I can see the crypto version in the 1.7.0 version is
golang.org/x/crypto v0.14.0 // indirect
Can you give some insight?
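The disagreement above (0.15.0 per the scanner, v0.14.0 per go.mod) is usually settled by inspecting what the shipped binary actually links, which `go version -m <binary>` reports. The following is an added example, not code from the issue or from node_exporter, that parses that output and checks whether the linked golang.org/x/crypto is older than v0.17.0, the first release containing the Terrapin fix; the sample output is constructed, with placeholder hashes.

```python
import re
from typing import Optional

# Constructed sample of `go version -m node_exporter` output; hashes are placeholders.
SAMPLE_GO_VERSION_M = """node_exporter: go1.21.4
\tpath\tgithub.com/prometheus/node_exporter
\tmod\tgithub.com/prometheus/node_exporter\tv1.7.0\th1:PLACEHOLDER
\tdep\tgithub.com/prometheus/client_golang\tv1.17.0\th1:PLACEHOLDER
\tdep\tgolang.org/x/crypto\tv0.14.0\th1:PLACEHOLDER
\tbuild\t-buildmode=exe
"""

# First golang.org/x/crypto release carrying the fix for GHSA-45x7-px36-x8w8 (CVE-2023-48795).
FIXED_CRYPTO = "v0.17.0"
CRYPTO_MODULE = "golang.org/x/crypto"


def parse_semver(version: str) -> tuple:
    """Turn 'v0.14.0' (or a pseudo-version such as 'v0.17.0-0.2023...') into a comparable tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised module version: {version}")
    return tuple(int(x) for x in m.groups())


def module_versions(go_version_m_output: str) -> dict:
    """Map module path -> version for every tab-separated 'mod' and 'dep' line."""
    versions = {}
    for line in go_version_m_output.splitlines():
        parts = line.strip("\n").lstrip("\t").split("\t")
        if len(parts) >= 3 and parts[0] in ("mod", "dep"):
            versions[parts[1]] = parts[2]
    return versions


def terrapin_affected(go_version_m_output: str) -> Optional[bool]:
    """True if the binary links x/crypto older than the fix, False if fixed, None if not linked at all."""
    linked = module_versions(go_version_m_output).get(CRYPTO_MODULE)
    if linked is None:
        return None
    return parse_semver(linked) < parse_semver(FIXED_CRYPTO)


if __name__ == "__main__":
    print(f"{CRYPTO_MODULE}: {module_versions(SAMPLE_GO_VERSION_M).get(CRYPTO_MODULE)}")
    print("affected:", terrapin_affected(SAMPLE_GO_VERSION_M))
```

Run it against real output by piping `go version -m /path/to/node_exporter` into `terrapin_affected`; a binary with no x/crypto dependency at all returns None rather than False.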