diff --git a/docs/docs-content/security-bulletins/reports/cve-2024-24790.md b/docs/docs-content/security-bulletins/reports/cve-2024-24790.md new file mode 100644 index 0000000000..e0d3bb5cf4 --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/cve-2024-24790.md @@ -0,0 +1,35 @@ +--- +sidebar_label: "CVE-2024-24790" +title: "CVE-2024-24790" +description: "Lifecycle of CVE-2024-24790" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +## CVE Details + +[CVE-2024-24790](https://nvd.nist.gov/vuln/detail/CVE-2024-24790) + +## Last Update + +08/06/2024 + +## NIST CVE Summary + +The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning +false for addresses which would return true in their traditional IPv4 forms. + +## Our Official Summary + +Waiting on the 3rd party vendor for a fix. Notes: This vulnerability is reported on the mongodb container. A ticket is +filed with the vendor to get a new image that addresses the vulnerabilities reported. + +## CVE Severity + +[9.8](hhttps://nvd.nist.gov/vuln/detail/CVE-2024-24790) + +## Status + +Ongoing diff --git a/docs/docs-content/security-bulletins/reports/ghsa-74fp-r6jw-h4mp.md b/docs/docs-content/security-bulletins/reports/ghsa-74fp-r6jw-h4mp.md new file mode 100644 index 0000000000..915e2df67c --- /dev/null +++ b/docs/docs-content/security-bulletins/reports/ghsa-74fp-r6jw-h4mp.md 
@@ -0,0 +1,37 @@ +--- +sidebar_label: "GHSA-74fp-r6jw-h4mp" +title: "GHSA-74fp-r6jw-h4mp" +description: "Lifecycle of GHSA-74fp-r6jw-h4mp" +hide_table_of_contents: true +sidebar_class_name: "hide-from-sidebar" +toc_max_heading_level: 2 +tags: ["security", "cve"] +--- + +## CVE Details + +[GHSA-m425-mq94-257g](https://github.com/advisories/ghsa-74fp-r6jw-h4mp) + +## Last Update + +08/06/2024 + +## NIST CVE Summary + +Kubernetes apimachinery packages vulnerable to unbounded recursion in JSON or YAML parsing + +## Our Official Summary + +This vulnerability is reported by govulncheck because of the presence of go library, k8s.io/apimachinery (Affected +versions: \< 0.0.0-20190927203648-9ce6eca90e73). This is a false positive, because it does not affect latest kubernetes +versions as indicated here +([https://nvd.nist.gov/vuln/detail/CVE-2019-11253](https://nvd.nist.gov/vuln/detail/CVE-2019-11253)). Current K8s +version used: 1.28.11 + +## CVE Severity + +[7.5](https://github.com/advisories/ghsa-74fp-r6jw-h4mp) + +## Status + +Ongoing diff --git a/docs/docs-content/security-bulletins/reports/reports.md b/docs/docs-content/security-bulletins/reports/reports.md index 8c78c9e155..d4a12bc255 100644 --- a/docs/docs-content/security-bulletins/reports/reports.md +++ b/docs/docs-content/security-bulletins/reports/reports.md 
@@ -51,4 +51,6 @@ Click on the CVE ID to view the full details of the vulnerability. | [CVE-2023-44487](./cve-2023-44487.md) | 10/10/23 | 6/27/24 | Palette 4.4.11 | Third-party component: CAPI | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-44487) | :mag: Ongoing | | [CVE-2022-25883](./cve-2022-25883.md) | 6/21/23 | 11/6/24 | Palette 4.4.11 | Third-party component: CAPI | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-25883) | :mag: Ongoing | | [CVE-2015-8855](./cve-2015-8855.md) | 1/23/17 | 1/26/12 | Palette 4.4.11 | Third-party component: CAPI | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2015-8855) | :mag: Ongoing | +| [CVE-2024-24790](./cve-2024-24790.md) | 8/6/24 | 8/6/24 | Palette 4.4.11 | Third-party component: Go Project | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-24790) | :mag: Ongoing | +| [GHSA-74fp-r6jw-h4mp](./ghsa-74fp-r6jw-h4mp) | 8/6/24 | 8/6/24 | Palette 4.4.11 | Third-party component: GitHub | [7.5](https://github.com/advisories/GHSA-74fp-r6jw-h4mp) | :mag: Ongoing | | [PRISMA-2022-0227](./prisma-2022-0227.md) | 9/12/23 | 9/12/23 | Palette 4.4.11 | Third-party component: vSphere-CSI | N/A | :mag: Ongoing |
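Review bot: In the new file `docs/docs-content/security-bulletins/reports/cve-2024-24790.md`, the severity link under "## CVE Severity" has a doubled scheme, `[9.8](hhttps://nvd.nist.gov/vuln/detail/CVE-2024-24790)`, which renders as a dead link; it should be `https://nvd.nist.gov/vuln/detail/CVE-2024-24790` as used in the "## CVE Details" section of the same file. Separately, the "Our Official Summary" paragraph only says the finding was reported on the mongodb container and that a vendor ticket is open; since the NIST summary concerns the Go `net/netip` `Is*` methods for IPv4-mapped IPv6 addresses, a sentence stating whether any Palette component actually relies on those checks for IPv4-mapped addresses would tell readers what the exposure is while the fix is pending.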
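Review bot: In the new file `docs/docs-content/security-bulletins/reports/ghsa-74fp-r6jw-h4mp.md`, the link text under "## CVE Details" does not match the advisory: `[GHSA-m425-mq94-257g](https://github.com/advisories/ghsa-74fp-r6jw-h4mp)` shows one GHSA id and links to another, while the file name, title and `sidebar_label` all use `GHSA-74fp-r6jw-h4mp`; the link text should be `GHSA-74fp-r6jw-h4mp`. Also, the "## Our Official Summary" section states this is a false positive (apimachinery versions `< 0.0.0-20190927203648-9ce6eca90e73` are affected, current K8s version is 1.28.11), yet "## Status" reads `Ongoing`; the two should agree, so either mark the status as closed as a false positive or explain in the summary why it remains open. Minor: the heading "## NIST CVE Summary" is kept from the CVE template although this entry is a GitHub advisory rather than an NVD record.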
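Review bot: In the hunk for `docs/docs-content/security-bulletins/reports/reports.md`, the new GHSA row links to `./ghsa-74fp-r6jw-h4mp` without the `.md` extension, unlike every other row in the table (for example `[CVE-2024-24790](./cve-2024-24790.md)` on the line just above); use `./ghsa-74fp-r6jw-h4mp.md` so the link resolves consistently. The same row lists `Third-party component: GitHub`, but GitHub is the advisory publisher, not the affected component; the detail page names the Go library `k8s.io/apimachinery`, so the column should name that (or Kubernetes) to match the "Go Project" wording used for the CVE-2024-24790 row.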