-
Notifications
You must be signed in to change notification settings - Fork 835
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
🐛Cloudflared is vulnerable to CVE-2024-24790 #1311
Comments
Is there any eta on this? Do you mind explaining why a critical CVE is marked as a |
Is it applicable in this case? Is a vulnerable function of stdlib being used?
Here is your answer. This is a non-serious issue and should be fixed with normal priority. |
Hi There, I'm Itay from Aqua Security, creators of popular OSS vulnerability scanner Trivy. This issue was flagged for me and I wanted to chime in to add that Trivy now allows software maintainers (you) to publish vulnerability analysis about your software (packages, libraries, container images) so that vulnerability scanners will automatically suppress those irrelevant vulnerabilities for end users. You can read more here: |
The vulnerability is fixed in Ultimately that greatly reduces trust to cloudflare products or may render it completely unusable in more rigid corporate environments. Especially since Cloudflare products are ultimately meant to improve security and are used in the most sensitive and exposed applications. |
Describe the bug
Cloudflared is vulnerable to the stdlib that is in the Golang 1.22.2 version in module net/netip. It is
9.8/10
critical as shown in the vulnerability CVE-2024-24790.To Reproduce
Steps to reproduce the behavior:
Expected behavior
No Vulns show up.
Environment and versions
Additional context
Upgrade Golang version to at least 1.22.4
The text was updated successfully, but these errors were encountered: