Open
Description
The following CRIT and HIGH CVEs are present in the catalog component, mostly golang, but all are fixable by upgrading these deps.
Registry | Repository | Tag | CVE ID | Type | Severity | Packages | Package Version | CVSS | Fix Status |
---|---|---|---|---|---|---|---|---|---|
quay.io | operatorhubio/catalog | latest | CVE-2022-41723 | go | high | golang.org/x/net/http2/hpack | v0.0.0-20220407224826-aac1ed45d8e3 | 7.50 | fixed in 0.7.0 |
quay.io | operatorhubio/catalog | latest | CVE-2023-45287 | go | high | crypto/tls | 1.17.9 | 7.50 | fixed in 1.20.0 |
quay.io | operatorhubio/catalog | latest | CVE-2022-27664 | go | high | golang.org/x/net/http2 | v0.0.0-20220407224826-aac1ed45d8e3 | 7.50 | fixed in 0.0.0-20220906165146-f3363e06e74c |
quay.io | operatorhubio/catalog | latest | CVE-2022-41723 | go | high | golang.org/x/net/http2 | v0.0.0-20220407224826-aac1ed45d8e3 | 7.50 | fixed in 0.7.0 |
quay.io | operatorhubio/catalog | latest | CVE-2023-39325 | go | high | golang.org/x/net/http2 | v0.0.0-20220407224826-aac1ed45d8e3 | 7.50 | fixed in 0.17.0 |
quay.io | operatorhubio/catalog | latest | CVE-2023-44487 | go | high | golang.org/x/net | v0.0.0-20220407224826-aac1ed45d8e3 | 5.30 | fixed in 0.17.0 |
quay.io | operatorhubio/catalog | latest | CVE-2023-44487 | go | high | google.golang.org/grpc | v1.45.0 | 5.30 | fixed in 1.58.3, 1.57.1, 1.56.3 |
quay.io | operatorhubio/catalog | latest | CVE-2024-24790 | go | critical | net/netip | 1.22.2 | 9.80 | fixed in 1.21.11, 1.22.4 |