Description
Note: Make sure to check out known issues (https://akv2k8s.io/troubleshooting/known-issues/) before submitting
Components and versions
Select which component(s) the bug relates to with [X].
[x] Controller, version: 1.7.4
(docker image tag)
[ ] Env-Injector (webhook), version: x.x.x
(docker image tag)
[ ] Other
Describe the bug
Trivy Scan Report: usr/local/bin/azure-keyvault-controller (gobinary)
Total: 12 (UNKNOWN: 0, LOW: 1, MEDIUM: 8, HIGH: 3, CRITICAL: 0)
| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| github.com/golang-jwt/jwt/v4 | CVE-2025-30204 | HIGH | v4.5.0 | 4.5.2 | golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing |
| github.com/golang-jwt/jwt/v4 | CVE-2024-51744 | LOW | v4.5.0 | 4.5.1 | golang-jwt: Bad documentation of error handling in ParseWithClaims can lead to potentially... |
| github.com/golang-jwt/jwt/v5 | CVE-2025-30204 | HIGH | v5.2.1 | 5.2.2 | golang-jwt/jwt: jwt-go allows excessive memory allocation during header parsing |
| golang.org/x/crypto | CVE-2025-22869 | HIGH | v0.31.0 | 0.35.0 | golang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh |
| golang.org/x/net | CVE-2025-22870 | MEDIUM | v0.29.0 | 0.36.0 | golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs... |
| golang.org/x/net | CVE-2025-22872 | MEDIUM | v0.29.0 | 0.38.0 | golang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in... |
| stdlib | CVE-2024-45336 | MEDIUM | v1.23.1 | 1.22.11, 1.23.5, 1.24.0-rc.2 | golang: net/http: net/http: sensitive headers incorrectly sent after cross-domain redirect |
| stdlib | CVE-2024-45341 | MEDIUM | v1.23.1 | 1.22.11, 1.23.5, 1.24.0-rc.2 | golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can bypass URI name... |
| stdlib | CVE-2025-0913 | MEDIUM | v1.23.1 | 1.23.10, 1.24.4 | Inconsistent handling of O_CREATE |
| stdlib | CVE-2025-22866 | MEDIUM | v1.23.1 | 1.22.12, 1.23.6, 1.24.0-rc.3 | crypto/internal/nistec: golang: Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec |
| stdlib | CVE-2025-22871 | MEDIUM | v1.23.1 | 1.23.8, 1.24.2 | net/http: Request smuggling due to acceptance of invalid chunked data in net/http... |
| stdlib | CVE-2025-4673 | MEDIUM | v1.23.1 | 1.23.10, 1.24.4 | net/http: Sensitive headers not cleared on cross-origin redirect in net/http |
To Reproduce
Steps to reproduce the behavior:
trivy image --scanners vuln spvest/azure-keyvault-controller:1.7.4 --ignore-unfixed --vuln-type library
Expected behavior
The vulnerability scan does not report these findings:
trivy image --scanners vuln spvest/azure-keyvault-controller:x.x.x --ignore-unfixed --vuln-type library
Logs
If applicable, add logs to help explain your problem.
paste log here...
Additional context
Add any other context about the problem here.