x/vulndb: potential Go vuln in github.com/kubernetes-sigs/aws-efs-csi-driver: GHSA-4fv8-w65m-3932 #1214

Closed
GoVulnBot opened this issue Dec 30, 2022 · 2 comments
Assignees
Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.

Comments

@GoVulnBot

In GitHub Security Advisory GHSA-4fv8-w65m-3932, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
| --- | --- | --- |
| github.com/kubernetes-sigs/aws-efs-csi-driver | 1.4.8 | <= 1.4.7 |

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

```yaml
modules:
  - module: TODO
    versions:
      - introduced: TODO (earliest fixed "1.4.8", vuln range "<= 1.4.7")
    packages:
      - package: github.com/kubernetes-sigs/aws-efs-csi-driver
description: |
    ### Impact
    A potential race condition issue exists within the Amazon EFS mount helper in efs-utils versions v1.34.3 and below, and aws-efs-csi-driver versions v1.4.7 and below. When using TLS to mount file systems, the mount helper allocates a local port for stunnel to receive NFS connections prior to applying the TLS tunnel. In affected versions, concurrent mount operations can allocate the same local port, leading to either failed mount operations or an inappropriate mapping from an EFS customer’s local mount points to that customer’s EFS file systems.

    Affected versions: efs-utils <= v1.34.3, aws-efs-csi-driver <= v1.4.7

    ### Patches
    The patches are included in efs-utils version v1.34.4 and newer, and in aws-efs-csi-driver v1.4.8 and newer.

    ### Workarounds
    There is no recommended workaround. We recommend affected users update the installed version of efs-utils to v1.34.4+ or aws-efs-csi-driver to v1.4.8+ to address this issue.

    ### References
    https://github.com/aws/efs-utils/commit/f3a8f88167d55caa2f78aeb72d4dc1987a9ed62d
    https://github.com/aws/efs-utils/issues/125
    https://github.com/kubernetes-sigs/aws-efs-csi-driver/issues/282
    https://github.com/kubernetes-sigs/aws-efs-csi-driver/issues/635
cves:
  - CVE-2022-46174
ghsas:
  - GHSA-4fv8-w65m-3932
```

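To make the race in the advisory's Impact section concrete, the following is an added Python example; it is not efs-utils or aws-efs-csi-driver code and does not reproduce the fix in the referenced commit. It contrasts a check-then-release port picker, where two mount attempts that each choose a port before either tunnel has bound it receive the same number, with a bind-and-hold picker that keeps the reservation open so the second caller is forced onto a different port. The port range and every function name are constructed for illustration.

```python
import socket
from contextlib import closing

# Constructed port range for the illustration; the real mount helper's range
# is not assumed here. Any free loopback TCP port in the range will do.
PORT_LOW, PORT_HIGH = 20049, 20149


def pick_free_port_unsafe(low=PORT_LOW, high=PORT_HIGH):
    """Check-then-release allocator (hypothetical). It finds a port that is
    free right now and immediately gives it back, so nothing prevents a
    concurrent caller from being handed the same number before the tunnel
    process actually binds it."""
    for port in range(low, high):
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as probe:
            try:
                probe.bind(("127.0.0.1", port))
            except OSError:
                continue  # in use, try the next one
            return port  # probe socket is closed on exit: reservation is lost
    raise RuntimeError("no free port in range")


def reserve_port(low=PORT_LOW, high=PORT_HIGH):
    """Bind-and-hold allocator (hypothetical). The bound socket is returned
    with the port and stays open, so another caller cannot bind the same
    port until the holder releases it. SO_REUSEADDR is deliberately not set:
    it would let two listeners share the port and defeat the reservation."""
    for port in range(low, high):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            sock.bind(("127.0.0.1", port))
        except OSError:
            sock.close()
            continue
        return port, sock
    raise RuntimeError("no free port in range")


def demo_unsafe():
    """Two mount attempts each choose a port before either tunnel has bound
    it. Because nothing holds the first port, the second attempt repeats it:
    the collision the advisory describes."""
    first = pick_free_port_unsafe()
    second = pick_free_port_unsafe()
    return first, second


def demo_reserved():
    """Same two attempts with the reservation held: the second caller gets
    EADDRINUSE on the first port and moves on to a distinct one."""
    first, hold_first = reserve_port()
    second, hold_second = reserve_port()
    hold_first.close()
    hold_second.close()
    return first, second


if __name__ == "__main__":
    print("check-then-release:", demo_unsafe())   # same port twice
    print("bind-and-hold:     ", demo_reserved()) # two distinct ports
```

The in-process reservation only closes the window within one process. A mount helper that forks a separate stunnel process still has to carry the reservation across that boundary, for example by holding a lock file from port selection until the tunnel has bound, or by passing the already-bound socket to the tunnel process; the efs-utils commit linked under References contains the project's own fix, which this example does not claim to mirror.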
@neild neild self-assigned this Jan 3, 2023
@neild neild added the excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. label Jan 3, 2023
@neild
Contributor

neild commented Jan 3, 2023

Root vulnerability in efs-utils, which appears to be Python.

@gopherbot
Contributor

Change https://go.dev/cl/460419 mentions this issue: data/excluded: batch add GO-2022-1253, GO-2022-1251, GO-2022-1250, GO-2022-1248, GO-2022-1245, GO-2022-1243, GO-2022-1240, GO-2022-1239, GO-2022-1236, GO-2022-1235, GO-2022-1225, GO-2022-1220, GO-2022-1219, GO-2022-1218, GO-2022-1216, GO-2022-1208, GO-2022-1206, GO-2022-1204, GO-2022-1200, GO-2022-1192, GO-2022-1190, GO-2022-1189, GO-2022-1258, GO-2022-1226, GO-2022-1214, GO-2022-1210, GO-2022-1212

3 participants