vulnerabilities detected in Nginx controller Version 1.9.3

[v-snaveena]

What scanner and version reported the CVE.
Internal Scanning Tool

What CVE was reported in the scanner findings.

NAME	INSTALLED	FIXED-IN TYPE	VULNERABILITY	SEVERITY
nginx	1.21.6	binary	CVE-2023-44487	High
nginx	1.21.6	binary	CVE-2022-41742	High
nginx	1.21.6	binary	CVE-2022-41741	High
zlib	1.2.13-r1	apk	CVE-2023-45853	Critical
golang.org/x/net	v0.16.0 0.17.0	go-module	GHSA-qppj-fm5r-hxr3	Medium
golang.org/x/net	v0.16.0 0.17.0	go-module	GHSA-4374-p667-p6c8	Medium

What versions of the controller did you test with.
1.9.3

[k8s-ci-robot]

This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[rikatz]

/close
Http/2 is patched.

Please also post results based on accessible open source vulnerability scanners, we don't account internal tools as we don't have how to check, confirm the issue and confirm the fix without an accessible tool

[k8s-ci-robot]

@rikatz: Closing this issue.

In response to this:

/close
Http/2 is patched.

Please also post results based on accessible open source vulnerability scanners, we don't account internal tools as we don't have how to check, confirm the issue and confirm the fix without an accessible tool

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[Neustradamus]

Linked to:

• Please release 1.3.1 to fix CVE-2023-45853 (9.8 CRITICAL) madler/zlib#868

[rikatz]

registry.k8s.io/ingress-nginx/controller:v1.9.3@sha256:8fd21d59428507671ce0fb47f818b1d859c92d2ad07bb7c947268d433030ba98 (alpine 3.18.4)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

---

grype registry.k8s.io/ingress-nginx/controller:v1.9.3@sha256:8fd21d59428507671ce0fb47f818b1d859c92d2ad07bb7c947268d433030ba98
✔ Vulnerability DB [updated]
✔ Parsed image sha256:53
✔ Cataloged packages [134 pack
✔ Scanned for vulnerabilities [3 vulner
├── by severity: 0 critical, 3 high, 0 me
└── by status: 0 fixed, 3 not-fixed, 0
[0000] ERROR Failed to parse known_hosts:
[0034] WARN some package(s) are missing CPE
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
nginx 1.21.6 binary CVE-2023-44487 High
nginx 1.21.6 binary CVE-2022-41742 High
nginx 1.21.6 binary CVE-2022-41741 High

As I've said, we are targetting the NGINX update but today we have to stick with Openresty GA version