Security scanners may flag the following vulnerabilities on Avi Controllers:
CVE-2023-24538: A vulnerability in the Go programming language html/template package. It involves improper handling of backticks in JavaScript contexts, which could theoretically lead to cross-site scripting (XSS).
CVE-2023-24540: A vulnerability in the Go programming language html/template package. It involves improper handling of CSS string values, which could theoretically allow for code injection.
Scanners may identify these issues based on the presence of the kubectl binary found within the Controller filesystem.
These vulnerabilities are specific to the Go programming language and its standard library (html/template package). They are detected because the kubectl utility installed on the Controller was compiled with an affected version of Go.
However, this is a false positive regarding the exploitability of the Avi Controller for the following reasons:
Scope of Vulnerability: The vulnerability exists within the Go language libraries used to build kubectl, not within the specific logic of the kubectl tool itself.
Lack of Exposure: The kubectl binary present on the Avi Controller is not a user-accessible tool. It is an internal component that cannot be invoked or manipulated by end-users or external traffic.
No Attack Vector: Because the tool is not exposed to user input or external access, there is no vector to exploit the html/template package vulnerabilities.
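Scanners reach the finding above by reading the Go toolchain version embedded in the kubectl binary, so a defender triaging the report can reproduce that step directly instead of trusting the scanner. The following Go program is an added example written for this note; it is not Avi or Kubernetes code. It reads the build information that the Go linker embeds in every Go binary (the standard library debug/buildinfo package) and compares the toolchain version with the first patched release on each minor line. The patched versions (1.19.8 and 1.20.3 for CVE-2023-24538, 1.19.9 and 1.20.4 for CVE-2023-24540) are the editor's recollection of the Go security advisories and are an assumption to verify against the Go vulnerability database before relying on them.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"regexp"
	"strconv"
)

// goVersion is a parsed Go toolchain version such as "go1.20.3".
type goVersion struct{ major, minor, patch int }

var versionRe = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?`)

// parseGoVersion parses strings like "go1.19.7" or "go1.20". A release
// candidate such as "go1.21rc1" is treated as patch 0 of that line.
func parseGoVersion(s string) (goVersion, error) {
	m := versionRe.FindStringSubmatch(s)
	if m == nil {
		return goVersion{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	v := goVersion{}
	v.major, _ = strconv.Atoi(m[1])
	v.minor, _ = strconv.Atoi(m[2])
	if m[3] != "" {
		v.patch, _ = strconv.Atoi(m[3])
	}
	return v, nil
}

// cves is the fixed evaluation order so results are deterministic.
var cves = []string{"CVE-2023-24538", "CVE-2023-24540"}

// fixedIn lists, per CVE, the first patched release on each affected
// minor line, ordered by minor line. ASSUMPTION: values recalled from the
// Go security advisories; confirm against the Go vulnerability database.
var fixedIn = map[string][]goVersion{
	"CVE-2023-24538": {{1, 19, 8}, {1, 20, 3}},
	"CVE-2023-24540": {{1, 19, 9}, {1, 20, 4}},
}

// affected reports whether toolchain version v predates the fix for cve.
func affected(cve string, v goVersion) bool {
	fixes := fixedIn[cve]
	for _, f := range fixes {
		if f.major == v.major && f.minor == v.minor {
			return v.patch < f.patch
		}
	}
	// No fix on this minor line: lines older than the first fixed line
	// never received a patch, lines newer than it shipped with the fix.
	first := fixes[0]
	return v.major < first.major || (v.major == first.major && v.minor < first.minor)
}

// affectedCVEs returns the CVEs whose fix the given toolchain version predates.
func affectedCVEs(goVer string) ([]string, error) {
	v, err := parseGoVersion(goVer)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, cve := range cves {
		if affected(cve, v) {
			out = append(out, cve)
		}
	}
	return out, nil
}

// triageBinary reads the embedded build info of a Go binary on disk and
// returns its toolchain version together with the CVEs it is flagged for.
func triageBinary(path string) (string, []string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", nil, fmt.Errorf("%s: not a Go binary with build info: %w", path, err)
	}
	hits, err := affectedCVEs(bi.GoVersion)
	return bi.GoVersion, hits, err
}

func main() {
	// Usage: go run . /path/to/kubectl [more binaries...]
	for _, path := range os.Args[1:] {
		ver, hits, err := triageBinary(path)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			continue
		}
		fmt.Printf("%s: built with %s, predates fix for %v\n", path, ver, hits)
	}
}
```

A "predates fix" result only confirms what the scanner matched on, namely the toolchain version; it says nothing about whether the binary ever renders an html/template, which is the exposure question the note answers for the Controller.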
The kubectl binary is being deprecated from future Avi releases as it is not required.
Once the binary is removed, these findings will no longer appear in security scans.
The removal of the kubectl package is scheduled for the next maintenance release of the 30.x branch, which has a target release date of December 2026.
Workaround: No action is required here as there is no functional impact or security risk to Avi.