calico.advisories.yaml

schema-version: 2.0.2

package:
  name: calico

advisories:
  - id: CVE-2019-11255
    aliases:
      - GHSA-f4w6-3rh6-6q4q
    events:
      - timestamp: 2023-08-11T21:07:34Z
        type: false-positive-determination
        data:
          type: component-vulnerability-mismatch
          note: Vulnerable code is part of external-csi-driver and not included in calico

  - id: CVE-2020-13597
    aliases:
      - GHSA-pf59-j7c2-rh6x
    events:
      - timestamp: 2024-04-26T07:10:26Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: calico
            componentID: 5ad83767079d8c0a
            componentName: github.com/projectcalico/calico
            componentVersion: v0.0.0-20240401174130-638464f94665
            componentType: go-module
            componentLocation: /usr/bin/calico-filecheck
            scanner: grype

  - id: CVE-2020-8552
    aliases:
      - GHSA-82hx-w2r5-c2wq
    events:
      - timestamp: 2023-09-19T16:40:39Z
        type: false-positive-determination
        data:
          type: vulnerable-code-not-included-in-package
          note: Go vulndb has marked this code NOT_IMPORTABLE.

  - id: CVE-2022-28224
    aliases:
      - GHSA-9394-xfq9-6qrp
    events:
      - timestamp: 2024-04-26T07:10:23Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: calico
            componentID: 5ad83767079d8c0a
            componentName: github.com/projectcalico/calico
            componentVersion: v0.0.0-20240401174130-638464f94665
            componentType: go-module
            componentLocation: /usr/bin/calico-filecheck
            scanner: grype
      - timestamp: 2024-05-06T00:09:48Z
        type: false-positive-determination
        data:
          type: vulnerable-code-version-not-used
          note: 'This vulnerability was matched to the module "github.com/projectcalico/calico" at the following location(s): /usr/bin/calicoctl. In all cases, the installed version of the module (git commit 638464f946657417dd4900724112eb844ce5be03) corresponds to a version tag (v3.27.3) that is later than the fixed version (3.20.5).'

  - id: CVE-2023-2727
    aliases:
      - GHSA-qc2g-gmh6-95p4
    events:
      - timestamp: 2023-07-06T19:08:57Z
        type: fixed
        data:
          fixed-version: 3.26.1-r5

  - id: CVE-2023-32731
    aliases:
      - GHSA-cfgp-2977-2fmm
    events:
      - timestamp: 2023-07-06T19:08:10Z
        type: fixed
        data:
          fixed-version: 3.26.1-r5

  - id: CVE-2023-3955
    aliases:
      - GHSA-q78c-gwqw-jcmc
    events:
      - timestamp: 2023-11-02T14:08:02Z
        type: fixed
        data:
          fixed-version: 3.26.3-r5

  - id: CVE-2023-41378
    aliases:
      - GHSA-5r5h-q934-cccp
    events:
      - timestamp: 2024-04-26T07:10:21Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: calico
            componentID: 0c887b83763f5ef6
            componentName: github.com/projectcalico/calico
            componentVersion: v0.0.0-20240401174130-638464f94665
            componentType: go-module
            componentLocation: /usr/bin/calico-apiserver
            scanner: grype
      - timestamp: 2024-05-06T00:09:48Z
        type: false-positive-determination
        data:
          type: vulnerable-code-version-not-used
          note: 'This vulnerability was matched to the module "github.com/projectcalico/calico" at the following location(s): /usr/bin/calicoctl. In all cases, the installed version of the module (git commit 638464f946657417dd4900724112eb844ce5be03) corresponds to a version tag (v3.27.3) that is later than the fixed version (3.26.3).'

  - id: CVE-2023-44487
    aliases:
      - GHSA-m425-mq94-257g
      - GHSA-qppj-fm5r-hxr3
    events:
      - timestamp: 2023-10-30T10:57:46Z
        type: fixed
        data:
          fixed-version: 3.26.3-r4

  - id: CVE-2023-45142
    aliases:
      - GHSA-rcjv-mgp8-qvmr
    events:
      - timestamp: 2023-10-30T12:36:29Z
        type: fixed
        data:
          fixed-version: 3.26.3-r4

  - id: CVE-2023-45283
    aliases:
      - GHSA-vvjp-q62m-2vph
    events:
      - timestamp: 2023-11-07T19:23:51Z
        type: false-positive-determination
        data:
          type: vulnerable-code-not-included-in-package
          note: Only affects Windows

  - id: CVE-2023-45284
    aliases:
      - GHSA-rq3x-83w4-p28c
    events:
      - timestamp: 2023-11-07T19:23:53Z
        type: false-positive-determination
        data:
          type: vulnerable-code-not-included-in-package
          note: Only affects Windows

  - id: CVE-2023-45288
    aliases:
      - GHSA-4v7x-pqxf-cx7m
    events:
      - timestamp: 2024-04-20T12:15:40Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: calico-felix
            componentID: 79f1ea4bfeb6abea
            componentName: golang.org/x/net
            componentVersion: v0.19.0
            componentType: go-module
            componentLocation: /usr/bin/iptables-locker
            scanner: grype
      - timestamp: 2024-04-20T14:44:36Z
        type: fixed
        data:
          fixed-version: 3.27.3-r1

  - id: CVE-2023-45289
    aliases:
      - GHSA-32ch-6x54-q4h9
    events:
      - timestamp: 2024-03-12T07:10:13Z
        type: fixed
        data:
          fixed-version: 3.27.2-r2

  - id: CVE-2023-45290
    aliases:
      - GHSA-rr6r-cfgf-gc6h
    events:
      - timestamp: 2024-03-12T07:10:16Z
        type: fixed
        data:
          fixed-version: 3.27.2-r2

  - id: CVE-2023-48795
    aliases:
      - GHSA-45x7-px36-x8w8
    events:
      - timestamp: 2023-12-19T10:31:08Z
        type: fixed
        data:
          fixed-version: 3.27.0-r0

  - id: CVE-2023-5528
    aliases:
      - GHSA-hq6q-c2x6-hmch
    events:
      - timestamp: 2023-11-22T09:29:22Z
        type: fixed
        data:
          fixed-version: 3.26.4-r1

  - id: CVE-2024-24783
    aliases:
      - GHSA-3q2c-pvp5-3cqp
    events:
      - timestamp: 2024-03-12T07:10:17Z
        type: fixed
        data:
          fixed-version: 3.27.2-r2

  - id: CVE-2024-24784
    aliases:
      - GHSA-fgq5-q76c-gx78
    events:
      - timestamp: 2024-03-12T07:10:14Z
        type: fixed
        data:
          fixed-version: 3.27.2-r2

  - id: CVE-2024-24785
    aliases:
      - GHSA-j6m3-gc37-6r6q
    events:
      - timestamp: 2024-03-12T07:10:19Z
        type: fixed
        data:
          fixed-version: 3.27.2-r2

  - id: CVE-2024-24786
    aliases:
      - GHSA-8r3f-844c-mc37
    events:
      - timestamp: 2024-03-14T07:03:58Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: calico-typha-client
            componentID: 32ecb90c16c6c15a
            componentName: google.golang.org/protobuf
            componentVersion: v1.31.0
            componentType: go-module
            componentLocation: /usr/bin/typha-client
            scanner: grype
      - timestamp: 2024-03-15T18:08:16Z
        type: fixed
        data:
          fixed-version: 3.27.2-r3

  - id: CVE-2024-3177
    aliases:
      - GHSA-pxhw-596r-rwq5
    events:
      - timestamp: 2024-04-24T08:13:30Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: calico
            componentID: 1745e3712bfb78d2
            componentName: k8s.io/kubernetes
            componentVersion: v1.27.8
            componentType: go-module
            componentLocation: /bin/calico-node
            scanner: grype