- Type: Task
- Resolution: Fixed
- Priority: Major - P3
- Affects Version/s: 100.5.1
- Component/s: None
None
I created an issue for this in SECURITY (see SECURITY-777) but now I think maybe I should have created it here in TOOLS. Several of our Kubernetes Operator containers rely on database-tools, and its presence is flagging several security vulnerabilities - one deemed critical and several others deemed high - caused by the version of go being used (1.16.7) and golang.org/x/crypto. The database tools version I'm seeing is mongodb-database-tools-rhel80-x86_64-100.5.1. Containers without the package do not produce the vulnerabilities. The list of CVEs is:
CVE-2020-29652
CVE-2022-23806
CVE-2021-39293
CVE-2021-29923
CVE-2021-41771
CVE-2021-41772
CVE-2021-44716
CVE-2021-38297
Attaching a spreadsheet with additional details. I need to know if these are legitimate findings and if so understand our plan/timeline/LoE to address the situation.
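The first thing to check when triaging findings like these is the build metadata Go embeds in every binary: `go version -m /usr/bin/mongodump` prints the toolchain that built it and the exact version of each module dependency, which is what the scanner is keying on. The script below is an added example and is not code from this ticket or from the mongo-tools project. It runs against a constructed sample of that output (the module list and the golang.org/x/crypto pseudo-version in it are assumed, not taken from the real package) and compares the embedded toolchain version against a fixed-in version. go1.16.14 is used as the threshold for CVE-2022-23806, which is the Go 1.16 point release that carried that fix; confirm every threshold against the Go advisory for the CVE before relying on it.

```shell
#!/bin/sh
# Added example: triage Go toolchain findings from `go version -m <binary>` output.

# Constructed sample resembling mongodump from mongodb-database-tools 100.5.1.
# The x/crypto pseudo-version and the module list are ASSUMED for illustration;
# in practice replace this with:  go version -m /usr/bin/mongodump
sample_buildinfo() {
  printf '/usr/bin/mongodump: go1.16.7\n'
  printf '\tpath\tgithub.com/mongodb/mongo-tools/mongodump/main\n'
  printf '\tmod\tgithub.com/mongodb/mongo-tools\t(devel)\n'
  printf '\tdep\tgolang.org/x/crypto\tv0.0.0-20200622213623-75b288015ac9\n'
  printf '\tdep\tgo.mongodb.org/mongo-driver\tv1.7.2\n'
}

# Toolchain version from the first line ("<path>: go1.16.7") -> "1.16.7". Reads stdin.
toolchain_version() {
  sed -n '1s/.*: go\([0-9][0-9.]*\).*/\1/p'
}

# Version of one module path from the tab-separated "mod"/"dep" lines. $1 = module path, reads stdin.
# Lines start with a tab, so $1 is empty, $2 is the kind, $3 the path and $4 the version.
module_version() {
  awk -v m="$1" -F '\t' '($2 == "dep" || $2 == "mod") && $3 == m { print $4; exit }'
}

# Exit 0 if dotted version $1 is lower than $2 (i.e. $1 predates the release that carries the fix).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# Report whether the embedded toolchain predates the first Go release with a given fix.
# $1 = go version -m output, $2 = CVE id (label only), $3 = first fixed Go version.
# Exit 0 when the finding is plausible, 1 when the toolchain already includes the fix.
triage_toolchain() {
  tc=$(printf '%s\n' "$1" | toolchain_version)
  if version_lt "$tc" "$3"; then
    printf '%s: toolchain go%s predates go%s, finding is plausible\n' "$2" "$tc" "$3"
    return 0
  fi
  printf '%s: toolchain go%s already includes the fix from go%s\n' "$2" "$tc" "$3"
  return 1
}

info=$(sample_buildinfo)
echo "toolchain: $(printf '%s\n' "$info" | toolchain_version)"
echo "x/crypto:  $(printf '%s\n' "$info" | module_version golang.org/x/crypto)"
# Threshold per CVE comes from the Go advisory; go1.16.14 carried the CVE-2022-23806 fix.
triage_toolchain "$info" CVE-2022-23806 1.16.14 || true
```

The scanner is matching on exactly this embedded version string, so a finding is legitimate in the sense that the vulnerable code is shipped in the image whether or not it is reachable. Reachability is a separate question (a CLI tool that never runs an HTTP server or an SSH server is not exposed the way a network daemon is), but the only change that clears the scanner is rebuilding the tools with a patched toolchain and bumped modules.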