x/vulndb: potential Go vuln in sigs.k8s.io/aws-load-balancer-controller: GHSA-rjfv-pjvx-mjgv #3212

Closed
GoVulnBot opened this issue Oct 24, 2024 · 1 comment

@GoVulnBot

Advisory GHSA-rjfv-pjvx-mjgv references a vulnerability in the following Go modules:

Module
sigs.k8s.io/aws-load-balancer-controller

Description:

Summary 

The AWS Load Balancer Controller includes an optional, default-enabled feature that manages WAF WebACLs on Application Load Balancers (ALBs) on your behalf. In versions 2.8.1 and earlier, if the WebACL annotation [1] alb.ingress.kubernetes.io/wafv2-acl-arn or alb.ingress.kubernetes.io/waf-acl-id was absent on Ingresses, the controller would automatically disassociate any existing WebACL from the ALBs, including those associated by AWS Firewall Manager (FMS). Customers on impacted ve...

References:

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: sigs.k8s.io/aws-load-balancer-controller
      non_go_versions:
        - introduced: 2.0.0
        - fixed: 2.8.2
      vulnerable_at: 1.1.9
summary: |-
    AWS Load Balancer Controller automatically detaches externally associated web
    ACL from Application Load Balancers in sigs.k8s.io/aws-load-balancer-controller
ghsas:
    - GHSA-rjfv-pjvx-mjgv
references:
    - advisory: https://github.com/advisories/GHSA-rjfv-pjvx-mjgv
    - advisory: https://github.com/kubernetes-sigs/aws-load-balancer-controller/security/advisories/GHSA-rjfv-pjvx-mjgv
    - web: https://aws.amazon.com/security/vulnerability-reporting
    - web: https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/tag/v2.8.2%C2%A0
    - web: https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/deploy/configurations/#waf-addons
    - web: https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/ingress/annotations/#addons
source:
    id: GHSA-rjfv-pjvx-mjgv
    created: 2024-10-24T20:01:22.148788687Z
review_status: UNREVIEWED

@gopherbot
Contributor

Change https://go.dev/cl/622835 mentions this issue: data/reports: add 16 unreviewed reports

@tatianab tatianab self-assigned this Oct 28, 2024