external-dns vulnerability finding

2 views
Skip to first unread message

Jesire Belleza

unread,
Aug 1, 2022, 2:54:00 AMAug 1
to kubernetes-se...@googlegroups.com
Hello,

Our twistlock scanner picked up a vulnerability finding on our external-dns container about "github.com/golang-jwt/jwt/v4 module from all versions is vulnerable to Denial of Service (DoS) due to token without ExpiresAt can cause panic." This finding has been addressed and fixed in jwt version > v4.1.0. I found the line of code referring to "github.com/golang-jwt/jwt/v4" module in this link https://github.com/kubernetes-sigs/external-dns/blob/master/go.mod#L104. I thought it would be a great idea to bring this finding up to attention. Let me know if you need any more info about it. Thanks and have a great day.

Luke Hinds

unread,
Aug 1, 2022, 6:17:46 AMAug 1
to Jesire Belleza, kubernetes-se...@googlegroups.com
Hi Jesire,

Thanks for letting us know.

As this is an indirect dependency (you don't use jwt directly within the external-jwt codebase), I don't believe this needs handling by the security response team.

The import path is as follows:


An update to jwt, would need to be performed within 'github.com/Azure/go-autorest/autorest/adal'

autorest/adal/v0.9.21 $ grep jwt go.mod
github.com/golang-jwt/jwt/v4 v4.0.0

Microsoft have a security report process listed here: https://github.com/Azure/go-autorest/blob/main/SECURITY.md

Regards,

Luke


--
You received this message because you are subscribed to the Google Groups "kubernetes-security-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-security...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-security-discuss/SJ0P221MB0818CED54B0B94F0D6915AC7899A9%40SJ0P221MB0818.NAMP221.PROD.OUTLOOK.COM.
Reply all
Reply to author
Forward
0 new messages