[GHSA-x5m7-63c6-fx79] Cluster Monitoring Operator contains a credentials leak #5467
Conversation
|
Hi @rexagod, while I can update the GitHub advisory, I am unable to invalidate the CVE record because GitHub was not the one to assign the CVE ID. If you want the CVE invalidated, you need to contact Red Hat (the assigning CNA) via email at [email protected]. Before I address your comments, when I was reviewing the advisory, I noticed that Red Hat says the issue was introduce in OCP 4.12 with openshift/cluster-monitoring-operator#1747. If that is the case, then none of the versions in the Go registry are affected and I can withdraw advisory on that basis. Is this correct? (a) While it might not have been meant to be used as a module, the Go registry has it as a module and someone might be using it that way. This advisory is to alert anyone using the module from the Go registry that they are affected. Also, GitHub Security Advisories use the versions in the supported registry regardless of what versions are used elsewhere because that is what Dependabot is looking for. (b) Thank you for the updates. If I don't withdraw the advisory, I will update the advisory accordingly. |
|
Hello, @JonathanLEvans.
I can confirm that is correct (the latest version on the registry is a 2018 release, whereas this was introduced in 2022). |
|
Hi @rexagod, the advisory has been withdrawn. |
Updates
Comments
👋 Hello, I'm one of the engineers who work on this downstream. I want to mention a couple of points that invalidate this CVE,
(a) CMO is not meant to be used as a module, but rather as an operator within OCP (for e.g., 1, as referenced in the advisory, does not serve any purpose, since we follow OCP versioning for CMO), and
(b) this was fixed in 2, in addition to a back-port (3) for clusters running the affected version.
As such, we are certain that this is a false alarm, and we'd be happy to engage in any follow-ups that could help close this out.
Thank you!