
chore: update dependencies to address CVEs#116

Merged
martin-helmich merged 5 commits into mittwald:master from sidpalas:sp/update-dependencies
Dec 5, 2025

Conversation

@sidpalas (Contributor) commented Dec 4, 2025

I noticed there were some Critical CVEs in the latest image so I updated the offending packages.

I validated that I was able to build/run the operator in a KinD cluster and generate a secret from a StringSecret custom resource.

The test workflow ran successfully on my fork here: https://github.com/sidpalas/kubernetes-secret-generator/actions/runs/19941648553

LMK if there is additional testing that should be done!

Notes:

Before:

➜  kubernetes-secret-generator git:(sp/update-dependencies) ✗ docker scout cves quay.io/mittwald/kubernetes-secret-generator:latest
    i New version 1.18.4 available (installed version is 1.18.1) at https://github.com/docker/scout-cli
    ✓ Image stored for indexing
    ✓ Indexed 84 packages
    ✗ Detected 5 vulnerable packages with a total of 29 vulnerabilities


## Overview

                    │                    Analyzed Image                      
────────────────────┼────────────────────────────────────────────────────────
  Target            │  quay.io/mittwald/kubernetes-secret-generator:latest   
    digest          │  523afa116bd3                                          
    platform        │ linux/amd64                                            
    vulnerabilities │    2C     9H    18M     0L                             
    size            │ 21 MB                                                  
    packages        │ 84                                                     


## Packages and Vulnerabilities

   1C     5H    13M     0L  stdlib 1.23.1
pkg:golang/stdlib@1.23.1

    ✗ CRITICAL CVE-2025-22871
      https://scout.docker.com/v/CVE-2025-22871
      Affected range : <1.23.8  
      Fixed version  : 1.23.8   
    
    ✗ HIGH CVE-2025-61729
      https://scout.docker.com/v/CVE-2025-61729
      Affected range : <1.24.11  
      Fixed version  : 1.24.11   
    
    ✗ HIGH CVE-2025-61725
      https://scout.docker.com/v/CVE-2025-61725
      Affected range : <1.24.8  
      Fixed version  : 1.24.8   
    
    ✗ HIGH CVE-2025-61723
      https://scout.docker.com/v/CVE-2025-61723
      Affected range : <1.24.8  
      Fixed version  : 1.24.8   
    
    ✗ HIGH CVE-2025-58188
      https://scout.docker.com/v/CVE-2025-58188
      Affected range : <1.24.8  
      Fixed version  : 1.24.8   
    
    ✗ HIGH CVE-2025-58187
      https://scout.docker.com/v/CVE-2025-58187
      Affected range : <1.24.9  
      Fixed version  : 1.24.9   
    
    ✗ MEDIUM CVE-2025-4673
      https://scout.docker.com/v/CVE-2025-4673
      Affected range : <1.23.10  
      Fixed version  : 1.23.10   
    
    ✗ MEDIUM CVE-2025-61727
      https://scout.docker.com/v/CVE-2025-61727
      Affected range : <1.24.11  
      Fixed version  : 1.24.11   
    
    ✗ MEDIUM CVE-2025-47906
      https://scout.docker.com/v/CVE-2025-47906
      Affected range : <1.23.12  
      Fixed version  : 1.23.12   
    
    ✗ MEDIUM CVE-2024-45341
      https://scout.docker.com/v/CVE-2024-45341
      Affected range : >=1.23.0-0  
                     : <1.23.5     
      Fixed version  : 1.23.5      
    
    ✗ MEDIUM CVE-2024-45336
      https://scout.docker.com/v/CVE-2024-45336
      Affected range : >=1.23.0-0  
                     : <1.23.5     
      Fixed version  : 1.23.5      
    
    ✗ MEDIUM CVE-2025-0913
      https://scout.docker.com/v/CVE-2025-0913
      Affected range : <1.23.10  
      Fixed version  : 1.23.10   
    
    ✗ MEDIUM CVE-2025-61724
      https://scout.docker.com/v/CVE-2025-61724
      Affected range : <1.24.8  
      Fixed version  : 1.24.8   
    
    ✗ MEDIUM CVE-2025-58189
      https://scout.docker.com/v/CVE-2025-58189
      Affected range : <1.24.8  
      Fixed version  : 1.24.8   
    
    ✗ MEDIUM CVE-2025-58186
      https://scout.docker.com/v/CVE-2025-58186
      Affected range : <1.24.8  
      Fixed version  : 1.24.8   
    
    ✗ MEDIUM CVE-2025-58185
      https://scout.docker.com/v/CVE-2025-58185
      Affected range : <1.24.8  
      Fixed version  : 1.24.8   
    
    ✗ MEDIUM CVE-2025-47912
      https://scout.docker.com/v/CVE-2025-47912
      Affected range : <1.24.8  
      Fixed version  : 1.24.8   
    
    ✗ MEDIUM CVE-2025-58183
      https://scout.docker.com/v/CVE-2025-58183
      Affected range : <1.24.8  
      Fixed version  : 1.24.8   
    
    ✗ MEDIUM CVE-2025-22866
      https://scout.docker.com/v/CVE-2025-22866
      Affected range : >=1.23.0-0  
                     : <1.23.6     
      Fixed version  : 1.23.6      
    

   1C     2H     2M     0L  golang.org/x/crypto 0.24.0
pkg:golang/golang.org/x/crypto@0.24.0

    ✗ CRITICAL CVE-2024-45337 [Improper Authorization]
      https://scout.docker.com/v/CVE-2024-45337
      Affected range : <0.31.0                                       
      Fixed version  : 0.31.0                                        
      CVSS Score     : 9.1                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N  
    
    ✗ HIGH CVE-2025-47913
      https://scout.docker.com/v/CVE-2025-47913
      Affected range : <0.43.0  
      Fixed version  : 0.43.0   
    
    ✗ HIGH CVE-2025-22869
      https://scout.docker.com/v/CVE-2025-22869
      Affected range : <0.35.0  
      Fixed version  : 0.35.0   
    
    ✗ MEDIUM CVE-2025-58181 [Allocation of Resources Without Limits or Throttling]
      https://scout.docker.com/v/CVE-2025-58181
      Affected range : <0.45.0                                       
      Fixed version  : 0.45.0                                        
      CVSS Score     : 5.3                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L  
    
    ✗ MEDIUM CVE-2025-47914 [Out-of-bounds Read]
      https://scout.docker.com/v/CVE-2025-47914
      Affected range : <0.45.0                                       
      Fixed version  : 0.45.0                                        
      CVSS Score     : 5.3                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L  
    

   0C     1H     0M     0L  github.com/dgrijalva/jwt-go 3.2.0+incompatible
pkg:golang/github.com/dgrijalva/jwt-go@3.2.0%2Bincompatible

    ✗ HIGH CVE-2020-26160 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
      https://scout.docker.com/v/CVE-2020-26160
      Affected range : <=v3.2.0                                      
      Fixed version  : not fixed                                     
      CVSS Score     : 7.5                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N  
    

   0C     1H     0M     0L  golang.org/x/oauth2 0.21.0
pkg:golang/golang.org/x/oauth2@0.21.0

    ✗ HIGH CVE-2025-22868 [Improper Validation of Syntactic Correctness of Input]
      https://scout.docker.com/v/CVE-2025-22868
      Affected range : <0.27.0                                       
      Fixed version  : 0.27.0                                        
      CVSS Score     : 7.5                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  
    

   0C     0H     3M     0L  golang.org/x/net 0.26.0
pkg:golang/golang.org/x/net@0.26.0

    ✗ MEDIUM CVE-2025-22872 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
      https://scout.docker.com/v/CVE-2025-22872
      Affected range : <0.38.0                                                          
      Fixed version  : 0.38.0                                                           
      CVSS Score     : 5.3                                                              
      CVSS Vector    : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N  
    
    ✗ MEDIUM CVE-2024-45338
      https://scout.docker.com/v/CVE-2024-45338
      Affected range : <0.33.0  
      Fixed version  : 0.33.0   
    
    ✗ MEDIUM CVE-2025-22870 [Misinterpretation of Input]
      https://scout.docker.com/v/CVE-2025-22870
      Affected range : <0.36.0                                       
      Fixed version  : 0.36.0                                        
      CVSS Score     : 4.4                                           
      CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L  
    


29 vulnerabilities found in 5 packages
  CRITICAL  2   
  HIGH      9   
  MEDIUM    18  
  LOW       0   

After:

➜  kubernetes-secret-generator git:(sp/update-dependencies) ✗ docker scout cves docker.io/sidpalas/kubernetes-secret-generator:patched
    ✓ Image stored for indexing
    ✓ Indexed 85 packages
    ✓ Provenance obtained from attestation
    ✓ No vulnerable package detected


## Overview

                    │                     Analyzed Image                       
────────────────────┼──────────────────────────────────────────────────────────
  Target            │  sidpalas/kubernetes-secret-generator:patched            
    digest          │  5374ef932843                                            
    platform        │ linux/arm64                                              
    provenance      │ git@github.com:sidpalas/kubernetes-secret-generator.git  
                    │  d38612129348fd4c7571b2abd0c3bde163304f45                
    vulnerabilities │    0C     0H     0M     0L                               
    size            │ 22 MB                                                    
    packages        │ 85                                                       


## Packages and Vulnerabilities

  No vulnerable packages detected

@martin-helmich (Member) left a comment

Good catch! 👍 Thanks for the contribution!

@martin-helmich martin-helmich merged commit f7e4460 into mittwald:master Dec 5, 2025
4 checks passed