external-dns vulnerability finding

[Jesire Belleza]

Hello,

Our twistlock scanner picked up a vulnerability finding on our external-dns container about "github.com/golang-jwt/jwt/v4 module from all versions is vulnerable to Denial of Service (DoS) due to token without ExpiresAt can cause panic." This finding has been addressed and fixed in jwt version > v4.1.0. I found the line of code referring to "github.com/golang-jwt/jwt/v4" module in this link https://github.com/kubernetes-sigs/external-dns/blob/master/go.mod#L104. I thought it would be a great idea to bring this finding up to attention. Let me know if you need any more info about it. Thanks and have a great day.

Get Outlook for iOS

[Luke Hinds]

Hi Jesire,

Thanks for letting us know.

As this is an indirect dependency (you don't use jwt directly within the external-jwt codebase), I don't believe this needs handling by the security response team.

The import path is as follows:

external-dns $ go mod why -m  github.com/golang-jwt/jwt/v4
# github.com/golang-jwt/jwt/v4
sigs.k8s.io/external-dns/provider/azure
github.com/Azure/go-autorest/autorest/adal
github.com/golang-jwt/jwt/v4

An update to jwt, would need to be performed within 'github.com/Azure/go-autorest/autorest/adal'

autorest/adal/v0.9.21 $ grep jwt go.mod
github.com/golang-jwt/jwt/v4 v4.0.0

Microsoft have a security report process listed here: https://github.com/Azure/go-autorest/blob/main/SECURITY.md

Regards,

Luke

--
You received this message because you are subscribed to the Google Groups "kubernetes-security-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-security...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-security-discuss/SJ0P221MB0818CED54B0B94F0D6915AC7899A9%40SJ0P221MB0818.NAMP221.PROD.OUTLOOK.COM.