You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
No current eta, but probably within the week. fwiw, this library only uses this library for kubeconfig file loading. If you have malicious JSONPath in your kubeconfig, you have far worse problems than this RCE.
Also, unless your kubeconfig contains a jsonpath value you're not impacted by this CVE.
@brendandburns thanks for the update/ETA, and for the added info.
FWIW, I am not concerned about the actual vulnerability, as I'd gathered that it's not truly exploitable. Rather it's about making the vulnerability scanners happy (remind me, do we work for them, or they for us?).
But good to know about how it impacts this library - thanks again!
Describe the bug
The jsonpath-plus dependency contains a critical CVE, even after upgrading to
10.0.0
: CVE-2024-21534The library has been fixed as of version 10.0.7 or higher.
There's an open dependabot PR for resolution.
** Client Version **
0.22.1
Environment (please complete the following information):
Additional context
The text was updated successfully, but these errors were encountered: