
Please cut a new release to address CVEs affecting the IsLoopback function used in node_exporter

Open • PelagicGames opened this issue 1 year ago • 0 comments

Host operating system: output of uname -a

n/a

node_exporter version: output of node_exporter --version

1.8.2

node_exporter command line flags

n/a

node_exporter log output

n/a

Are you running node_exporter in Docker?

Yes

What did you do that produced an error?

trivy scan highlights CVEs, with at least one impacting node_exporter:

  • CVE-2024-24790
    • This affects IsLoopback, which is used in https://github.com/prometheus/node_exporter/blob/master/collector/ntp.go#L66C45-L66C67 and https://github.com/prometheus/node_exporter/blob/master/collector/netdev_common.go#L167C2-L167C77
  • CVE-2024-34155
  • CVE-2024-34156
  • CVE-2024-34158

What did you expect to see?

Clean scan

What did you see instead?

CVEs that have been resolved in master on HEAD, but not in latest release

PelagicGames, Oct 14 '24 08:10