
CVEs observed in benthos image

Open Rajendra08 opened this issue 2 years ago • 2 comments

Benthos code is internally using influxdb1-client. https://github.com/benthosdev/benthos/blob/v4.22.0/go.mod#L61

This version of influxdb1-client has two security vulnerabilities.

https://nvd.nist.gov/vuln/detail/CVE-2022-36640
https://nvd.nist.gov/vuln/detail/CVE-2019-20933

Need to resolve these issues.

Rajendra08, Oct 10 '23 14:10

Hey @Rajendra08, there's no version to upgrade to for that package, so we're blocked until they get fixes out; you need to raise this with them at: https://github.com/influxdata/influxdb1-client.

In the meantime it's possible to create your own build of benthos where the influxdb components aren't included; there's an example at: https://github.com/benthosdev/benthos-plugin-example/blob/master/main.go#L9

Jeffail, Oct 11 '23 07:10
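Whether a trimmed custom build actually dropped the module is best confirmed from the binary's embedded build info (`go version -m ./benthos`), since go.mod keeps listing the requirement either way. The following is an added example, not code from Benthos or influxdb1-client: a small Go program that parses that output and reports the linked version, if any. The embedded sample output, its `h1:` sums and the influxdb1-client pseudo-version are constructed placeholders.

```go
package main

import (
	"bufio"
	"fmt"
	"log"
	"os"
	"os/exec"
	"strings"
)

// Sample `go version -m ./benthos` output (constructed for this example;
// the sums and the influxdb1-client pseudo-version are placeholders).
const sampleVersionM = `benthos: go1.21.3
	path	github.com/benthosdev/benthos/v4/cmd/benthos
	mod	github.com/benthosdev/benthos/v4	v4.22.0	h1:PLACEHOLDER=
	dep	github.com/influxdata/influxdb1-client	v0.0.0-20220302092344-a9ab5670611c	h1:PLACEHOLDER=
	build	-buildmode=exe
`

// LinkedModules parses `go version -m` output and returns module path -> version
// for the main module ("mod") and every dependency ("dep") linked into the binary.
func LinkedModules(out string) map[string]string {
	mods := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		f := strings.Fields(sc.Text()) // fields are tab separated: kind, path, version, sum
		if len(f) < 3 {
			continue
		}
		if f[0] == "mod" || f[0] == "dep" {
			mods[f[1]] = f[2]
		}
	}
	return mods
}

func main() {
	out := sampleVersionM
	if len(os.Args) > 1 { // pass a binary path to inspect a real build instead of the sample
		b, err := exec.Command("go", "version", "-m", os.Args[1]).Output()
		if err != nil {
			log.Fatal(err)
		}
		out = string(b)
	}
	v, ok := LinkedModules(out)["github.com/influxdata/influxdb1-client"]
	fmt.Printf("influxdb1-client linked into binary: %v %s\n", ok, v)
}
```

Run it with the path of your custom build as the first argument; a build that excludes the influxdb component package should report `false`.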

Hi @Rajendra08, where did you get the link between both CVEs and influxdb1-client? Both of them report a vulnerability in InfluxDB itself, not in the client.

Please check again and close the issue if that is the case.

danriedl, May 10 '24 10:05