Security Vulnerability: Kubernetes component: kubelet <= 1.29.12, 1.30.x <= 1.30.8, 1.31.x <= 1.31.4, 1.32.0 - Remote Command Injection Vulnerability - 1.29.13, 1.30.9, 1.31.5, 1.32.1

[shwethadec01]

what happened
found vulnerable version for kubelet component in registry.k8s.io/sig-storage/csi-node-driver-registrar container (including latest version)

Expectation
please update the vulnerable pkg to latest patched version

CVE
CVE-2024-9042

[BenTheElder]

Your scanner is confused. This repo doesn't have the kubelet binary it is importing k8s.io/kubelet which has a different versioning scheme, and a very recent version equivilant to 1.33.0 is being used

node-driver-registrar/go.mod

Line 83 in 8bd83d1

replace k8s.io/kubelet => k8s.io/kubelet v0.33.0

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale