@bentasker
Member

CVE-2023-44487 affected a wide range of software, including Go's http2 stack.

Although x/net was upgraded at the time to remediate the CVE, it appears that k8s.io/apimachinery was separately affected (see fix commit).

Unfortunately, this doesn't seem to have been communicated on to CNAs - there are no apimachinery CPEs listed on NVD. This has led to most scanners missing the detection.

Unfortunately, it's not currently possible to upgrade this dependency due to incompatibilities; upstream will need to make code changes to upgrade to at least v0.24.0.

Note: other kubeflow components have been checked for use of this version (using tag v1.10.0)

$ grep apimach components/*/go.mod
components/access-management/go.mod:	k8s.io/apimachinery v0.18.1
components/access-management/go.mod:	k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20190221084156-01f179d85dbc
components/admission-webhook/go.mod:	k8s.io/apimachinery v0.28.1
components/notebook-controller/go.mod:	k8s.io/apimachinery v0.23.0
components/profile-controller/go.mod:	k8s.io/apimachinery v0.24.0
components/pvcviewer-controller/go.mod:	k8s.io/apimachinery v0.29.2
components/tensorboard-controller/go.mod:	k8s.io/apimachinery v0.23.0

Signed-off-by: Ben Tasker <ben.tasker@chainguard.dev>
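A check for the replace-directive case visible in the grep output above, added here as an example and not part of this PR or of kubeflow: it reads a constructed go.mod modelled on the access-management component, takes the replace target (not the require line) as the effective k8s.io/apimachinery version, and compares it against the v0.24.0 minimum named in the description. The module path, the v0.24.0 threshold and the pseudo-version come from the PR text; the sample file and function names are assumptions.

```go
package main

import (
	"strconv"
	"strings"
)

const target, fixedMin = "k8s.io/apimachinery", "v0.24.0" // minimum version named in the PR description
// Constructed go.mod modelled on the access-management lines in the grep output above.
const sampleGoMod = "module example.com/access-management\n\nrequire (\n\tk8s.io/apimachinery v0.18.1\n)\n\n" +
	"replace k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20190221084156-01f179d85dbc\n"

// EffectiveVersion returns the version a build really uses: a replace directive overrides the require
// line. A path replacement (no version after "=>") comes back verbatim, without a "v" prefix, for review.
func EffectiveVersion(gomod string) string {
	v, replaced := "", false
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		if len(f) > 0 && (f[0] == "require" || f[0] == "replace") {
			f = f[1:] // single-line directive: drop the keyword
		}
		if len(f) < 2 || f[0] != target {
			continue
		}
		if strings.Contains(line, "=>") {
			v, replaced = f[len(f)-1], true
		} else if !replaced {
			v = f[1]
		}
	}
	return v
}

// VersionLess orders "vMAJOR.MINOR.PATCH" by numeric core only (the pseudo-version suffix is ignored).
func VersionLess(a, b string) bool {
	parse := func(v string) (n [3]int) {
		core, _, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-") // drop pseudo/pre-release suffix
		for i, p := range strings.SplitN(core, ".", 3) {
			n[i], _ = strconv.Atoi(p)
		}
		return n
	}
	na, nb := parse(a), parse(b)
	for i := range na {
		if na[i] != nb[i] {
			return na[i] < nb[i]
		}
	}
	return false
}
```

A scanner that only matched the require line would report v0.18.1 here; the replace line pins a 2019 pseudo-version, which is what actually gets compiled in.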
@bentasker bentasker requested a review from a team December 29, 2025 10:05
@brianmcarey brianmcarey (Member) left a comment

LGTM - thanks @bentasker

@brianmcarey brianmcarey added this pull request to the merge queue Dec 30, 2025
Merged via the queue into main with commit c15f9f2 Dec 30, 2025
6 checks passed
@brianmcarey brianmcarey deleted the btasker/kubeflow-cve-2023-44487 branch December 30, 2025 09:52