[Security-Issue] CVE-2024-24790 in golang-1.21

[hildebrandt]

Summary

The current Docker image is based on go stdlib 1.21.9. CVE-2024-24790 has been published against the go stdlib net/netip.

Details

The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

PoC

https://pkg.go.dev/vuln/GO-2024-2887. Resolved in go 1.21.11 or 1.22.4.

Impact

CRITICAL Vulnerability (Base Score: 9.8)

[tuxerrante]

Hi @MuneebAijaz,
I think the image version referred from the upstream values.yaml is currently v1.0.121 which is still exposing the Critical CVE CVE-2024-24790 should be changed to make the new patched image version more visible.

Thanks