pm-tagger scan shows CVE-2024-24786, CVE-2025-22868, CVE-2022-41723, CVE-2023-44487, CVE-2023-39325, CVE-2023-45288

Article ID: 433593

Updated On:

Products

CA API Gateway

Issue/Introduction

Do the following CVEs, reported by a scan of the layer7api/pm-tagger:1.0.1 image, affect pm-tagger?

IMAGE_NAME                   CVE             SEVERITY  PUBLISHED ON          PACKAGE

/layer7api/pm-tagger:1.0.1   CVE-2024-24786  HIGH      2024-03-05T23:15:07   google.golang.org/protobuf

/layer7api/pm-tagger:1.0.1   CVE-2025-22868  HIGH      2025-02-26T08:14:24   golang.org/x/oauth2

/layer7api/pm-tagger:1.0.1   CVE-2022-41723  HIGH      2023-02-28T18:15:09   golang.org/x/net

/layer7api/pm-tagger:1.0.1   CVE-2023-44487  HIGH      2023-10-10T14:15:10   golang.org/x/net

/layer7api/pm-tagger:1.0.1   CVE-2023-39325  HIGH      2023-10-11T22:15:09   golang.org/x/net

/layer7api/pm-tagger:1.0.1   CVE-2023-45288  HIGH      2024-04-04T21:15:16   golang.org/x/net

Environment

CA API GATEWAY 11.1.x

Resolution

All six findings match on package version only: the module and toolchain versions compiled into layer7api/pm-tagger:1.0.1 (built with go1.19.4) predate the fixed versions, which is why the scanner reports them. None of them is exploitable in this image, because the vulnerable code path is not reachable from the binary. pm-tagger is a pure Kubernetes API client: it binds no port and starts no HTTP listener of any kind. The per-CVE assessment follows.

CVE-2024-24786
  Severity:           HIGH
  Affected package:   google.golang.org/protobuf
  Installed version:  v1.28.1
  Fix version:        v1.33.0
  Version patched?:   NO - v1.28.1 < v1.33.0
  Verdict:            NOT VULNERABLE
  Reason:             protojson.Unmarshal is never called by pm-tagger. Protobuf is only a transitive dependency of k8s.io/client-go, used for binary wire encoding; no attacker-controlled JSON is ever fed to the protobuf stack, so the vulnerable code path is architecturally unreachable.

CVE-2025-22868
  Severity:           HIGH
  Affected package:   golang.org/x/oauth2 (jws sub-package)
  Installed version:  v0.4.0
  Fix version:        v0.27.0
  Version patched?:   NO - v0.4.0 < v0.27.0
  Verdict:            NOT VULNERABLE
  Reason:             The jws sub-package is not compiled into the binary (confirmed by an exhaustive strings search of the binary). pm-tagger uses x/oauth2 only for Kubernetes in-cluster ServiceAccount token authentication via k8s.io/client-go; JWS token parsing is never performed. The golang.org/x/crypto module is also absent from the module graph.

CVE-2022-41723
  Severity:           HIGH
  Affected package:   golang.org/x/net
  Installed version:  v0.5.0
  Fix version:        v0.7.0 / Go 1.19.6
  Version patched?:   NO - v0.5.0 < v0.7.0 and go1.19.4 < 1.19.6
  Verdict:            NOT VULNERABLE
  Reason:             Exploitation requires delivering crafted HPACK header blocks to the HTTP/2 decoder. pm-tagger has no inbound server of any kind: no ports are bound and no net/http listener is started, so the server receive path does not exist. The same decoder also runs on the client side of an HTTP/2 connection, so the only peer that could send such frames to pm-tagger is the Kubernetes API server, a trusted component of the cluster.

CVE-2023-44487
  Severity:           MEDIUM in this assessment (the scanner reports HIGH; listed in CISA KEV)
  Affected package:   golang.org/x/net
  Installed version:  v0.5.0
  Fix version:        v0.17.0 / Go 1.21.3
  Version patched?:   NO - v0.5.0 < v0.17.0 and go1.19.4 < 1.21.3
  Verdict:            NOT VULNERABLE
  Reason:             HTTP/2 Rapid Reset is a server-side attack: the attacker must be able to open streams and send RST_STREAM frames to a listening HTTP/2 server. pm-tagger accepts no inbound connections whatsoever. Despite its CISA KEV status, this CVE has no applicability to a pure Kubernetes API client with no server socket.

CVE-2023-39325
  Severity:           HIGH
  Affected package:   golang.org/x/net
  Installed version:  v0.5.0
  Fix version:        v0.17.0 / Go 1.20.10
  Version patched?:   NO - v0.5.0 < v0.17.0 and go1.19.4 < 1.20.10
  Verdict:            NOT VULNERABLE
  Reason:             Go-specific manifestation of CVE-2023-44487: it exhausts the goroutine handler pool of a Go net/http HTTP/2 server. pm-tagger runs a single polling goroutine and has no HTTP handler pool; no inbound HTTP/2 connection is possible.

CVE-2023-45288
  Severity:           HIGH
  Affected package:   golang.org/x/net/http2 (as flagged by the scanner) and the Go standard library net/http
  Installed version:  golang.org/x/net v0.5.0; go1.19.4
  Fix version:        golang.org/x/net v0.23.0; Go 1.21.9 / 1.22.2
  Version patched?:   NO - v0.5.0 < v0.23.0 and go1.19.4 is far below either Go branch
  Verdict:            NOT VULNERABLE
  Reason:             A CONTINUATION frame flood requires an attacker who can send HTTP/2 frames to the application. pm-tagger has no HTTP/2 server endpoint and accepts no inbound connections; as an HTTP/2 client its only peer is the Kubernetes API server, a trusted component, so no attacker-controlled CONTINUATION frames can reach this application.
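The verdicts above rest on two facts that can be re-checked on any Go binary without source access: the module and toolchain versions the Go linker records in the binary (read with `go version -m`), compared against each CVE's fix version, and whether any HTTP/2 server-side code was linked in at all (visible in the symbol table from `go tool nm`). The script below, an added example that is not part of this article or of pm-tagger, performs both checks. The build-info and symbol listings embedded in it are constructed to mirror the versions above so that it runs offline; the module path example.invalid/pm-tagger and the use of GNU/busybox `sort -V` are assumptions, and the real command output should be substituted as shown in the comments.

```bash
#!/usr/bin/env bash
# Added example, not part of the Broadcom article or of pm-tagger itself.
# Two checks behind a "version matches but not reachable" verdict on a Go binary:
#   1. `go version -m <binary>` lists the toolchain and every module compiled in;
#      compare each to the CVE's fix version.
#   2. `go tool nm <binary>` lists linked symbols; an HTTP/2 server exists in the
#      binary only if server-side symbols (serverConn, (*Server).Serve) are linked.
# Assumptions: GNU/busybox `sort -V`; the sample outputs below are constructed to
# mirror the article's versions (module path example.invalid/pm-tagger is
# hypothetical). On the real image use:
#   BUILDINFO=$(go version -m /layer7api/pm-tagger)
#   SYMBOLS=$(go tool nm /layer7api/pm-tagger | grep -E 'http2|net/http')
set -eu

# Constructed stand-in for `go version -m` output.
BUILDINFO='pm-tagger: go1.19.4
	path	example.invalid/pm-tagger
	mod	example.invalid/pm-tagger	(devel)
	dep	golang.org/x/net	v0.5.0	h1:constructed=
	dep	golang.org/x/oauth2	v0.4.0	h1:constructed=
	dep	google.golang.org/protobuf	v1.28.1	h1:constructed=
	dep	k8s.io/client-go	v0.26.0	h1:constructed='

# Constructed stand-in for `go tool nm` output: client-side HTTP/2 only.
SYMBOLS='  4a2f40 T golang.org/x/net/http2.(*Transport).RoundTrip
  4a3100 T golang.org/x/net/http2.(*clientConn).readLoop
  4a5200 T golang.org/x/net/http2.(*Framer).ReadFrame
  4b0100 T net/http.(*Client).Do
  4b0900 T net/http.(*Transport).roundTrip'

# module_version <buildinfo> <module|go>: version of one dependency, or of the
# toolchain when the module argument is "go".
module_version() {
  if [ "$2" = go ]; then
    printf '%s\n' "$1" | awk 'NR==1 {print $2; exit}'
  else
    printf '%s\n' "$1" | awk -v m="$2" '$1=="dep" && $2==m {print $3; exit}'
  fi
}

# version_patched <installed> <fixed>: succeeds when installed >= fixed.
# Accepts module versions ("v0.5.0") and toolchain versions ("go1.19.4").
# When a CVE lists several fix branches (go1.21.9 / go1.22.2), pass the one
# matching the installed minor version.
version_patched() {
  a=${1#v}; a=${a#go}; b=${2#v}; b=${b#go}
  [ "$a" = "$b" ] && return 0
  # sort -V orders lowest first: patched iff the fixed version is the lower one
  [ "$(printf '%s\n%s\n' "$a" "$b" | sort -V | head -n1)" = "$b" ]
}

# h2_server_linked <nm output>: succeeds when symbols that exist only for an
# HTTP/2 server were linked in. A pure client links Transport/clientConn only.
h2_server_linked() {
  printf '%s\n' "$1" | grep -Eq \
    'http2\.\(\*serverConn\)|http2\.\(\*Server\)\.ServeConn|http2\.ConfigureServer|net/http\.\(\*Server\)\.Serve'
}

# assess <buildinfo>: one line per finding, using the fix versions from the table.
assess() {
  while read -r module fixed cve; do
    v=$(module_version "$1" "$module")
    if version_patched "$v" "$fixed"; then s=patched; else s=NOT-patched; fi
    printf '%-16s %-28s %-9s fix %-9s %s\n' "$cve" "$module" "$v" "$fixed" "$s"
  done <<'EOF'
google.golang.org/protobuf v1.33.0 CVE-2024-24786
golang.org/x/oauth2 v0.27.0 CVE-2025-22868
golang.org/x/net v0.7.0 CVE-2022-41723
golang.org/x/net v0.17.0 CVE-2023-44487
golang.org/x/net v0.17.0 CVE-2023-39325
golang.org/x/net v0.23.0 CVE-2023-45288
go go1.19.6 CVE-2022-41723
EOF
}

assess "$BUILDINFO"
if h2_server_linked "$SYMBOLS"; then
  echo "HTTP/2 server symbols linked: the x/net server-side CVEs need a real fix"
else
  echo "No HTTP/2 server symbols linked: server-side paths unreachable; the Kubernetes API server is the only HTTP/2 peer"
fi
```

The version check alone reproduces the scanner's result (every module is NOT-patched); it is the symbol check that turns a version match into a reachability verdict. `govulncheck -mode binary <binary>` automates the same symbol-level reachability analysis for every entry in the Go vulnerability database and is the quickest way to confirm or refute a "NOT VULNERABLE" verdict of this kind.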