Security Bulletins

Kiali releases every three weeks, so CVEs are generally resolved only in new releases. Go vulnerabilities are typically resolved in a timely way, because the Go version used for release builds is incremented fairly often. Occasionally, critical CVEs may be resolved in patch releases for supported versions. Additionally, not every CVE reported against a Kiali dependency is actually exploitable in Kiali: a vulnerable module can be present in go.mod while the vulnerable package or function is never imported or called. Reported CVEs that have been shown not to affect Kiali are listed in the table below:

| CVE | Description | Notes |
|-----|-------------|-------|
| CVE-2022-27191 | golang.org/x/crypto/ssh allows an attacker to crash a server in certain circumstances involving AddHostKey. | Kiali does not use the AddHostKey API; furthermore, neither Kiali nor its dependencies import this component. Thus Kiali is not susceptible to this vulnerability. |
| CVE-2022-1996 | Authorization bypass (CORS origin check) in github.com/emicklei/go-restful before v3.8.0. | Despite the package dependency, Kiali is not susceptible to this vulnerability. |
| CVE-2019-1010022 | GNU libc: mitigation bypass (stack-guard bypass in nptl). | This is a disputed CVE. According to upstream, it is not a security issue. For details, see https://sourceware.org/bugzilla/show_bug.cgi?id=22850 and https://security-tracker.debian.org/tracker/CVE-2019-1010022 |
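The "dependency is listed but the vulnerable code is never used" argument in the table above is exactly what `govulncheck -json` (golang.org/x/vuln) can make evidence-based for a Go binary: each finding carries a trace whose first frame names the vulnerable symbol only when that symbol is reachable from the scanned code, a package when only the package is imported, and a bare module when nothing beyond go.mod links it in. The following triage tool is an added example written for this page; it is not Kiali's own code or part of govulncheck. It reads such a stream and reports the deepest level reached per OSV ID. The embedded JSON stream, its OSV IDs (GO-0000-0001, GO-0000-0002), module versions and call sites are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Level is how far govulncheck could trace a vulnerability into the scanned code.
type Level int

const (
	ModuleLevel  Level = iota // vulnerable module is in go.mod; nothing shows its code is linked
	PackageLevel              // the vulnerable package is imported
	SymbolLevel               // the vulnerable function is reachable from scanned code
)

func (l Level) String() string {
	return [...]string{"module", "package", "symbol"}[l]
}

// Frame and Finding mirror the "finding" message of `govulncheck -json`.
// Only the fields needed for triage are declared; position info is ignored.
type Frame struct {
	Module   string `json:"module"`
	Version  string `json:"version,omitempty"`
	Package  string `json:"package,omitempty"`
	Function string `json:"function,omitempty"`
	Receiver string `json:"receiver,omitempty"`
}

type Finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version,omitempty"`
	Trace        []Frame `json:"trace"`
}

// message is the envelope of every object in the stream; config, progress and
// osv messages simply leave Finding nil and are skipped.
type message struct {
	Finding *Finding `json:"finding,omitempty"`
}

// levelOf inspects the first frame of a trace: govulncheck puts the vulnerable
// symbol there and leaves Package/Function empty for package- and module-level
// findings.
func levelOf(f Finding) Level {
	if len(f.Trace) == 0 {
		return ModuleLevel
	}
	switch top := f.Trace[0]; {
	case top.Function != "":
		return SymbolLevel
	case top.Package != "":
		return PackageLevel
	default:
		return ModuleLevel
	}
}

// Triage parses a govulncheck -json stream and returns, per OSV ID, the deepest
// level any finding reached. Symbol-level means the vulnerable code is reachable
// and needs an upgrade; module- or package-level alone is the candidate for a
// "not affected" entry, subject to manual review (reflection, cgo and
// build-tag-specific code are outside govulncheck's static call analysis).
func Triage(r io.Reader) (map[string]Level, error) {
	out := map[string]Level{}
	dec := json.NewDecoder(r)
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			return out, nil
		} else if err != nil {
			return nil, err
		}
		if m.Finding == nil {
			continue
		}
		lvl := levelOf(*m.Finding)
		if cur, ok := out[m.Finding.OSV]; !ok || lvl > cur {
			out[m.Finding.OSV] = lvl
		}
	}
}

// sampleStream is constructed for this example (hypothetical OSV IDs, versions
// and call sites); it is not real govulncheck output for Kiali.
const sampleStream = `
{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"progress":{"message":"Scanning your code and 3 packages across 2 dependent modules for known vulnerabilities..."}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v0.0.0-20220315","trace":[{"module":"golang.org/x/crypto","version":"v0.0.0-20220101"}]}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v0.0.0-20220315","trace":[{"module":"golang.org/x/crypto","version":"v0.0.0-20220101","package":"golang.org/x/crypto/ssh"}]}}
{"finding":{"osv":"GO-0000-0002","fixed_version":"v1.2.3","trace":[{"module":"example.com/dep","version":"v1.2.0","package":"example.com/dep/pkg","function":"Parse"},{"module":"example.com/app","package":"example.com/app/cmd","function":"main"}]}}
`

func main() {
	levels, err := Triage(strings.NewReader(sampleStream))
	if err != nil {
		panic(err)
	}
	for id, lvl := range levels {
		verdict := "not reachable: candidate for the not-affected table after manual review"
		if lvl == SymbolLevel {
			verdict = "reachable: upgrade required"
		}
		fmt.Printf("%s\t%s-level\t%s\n", id, lvl, verdict)
	}
}
```

In practice you would pipe the real stream in with `govulncheck -json ./... | go run triage.go` (adapting `main` to read stdin). Note that a module-level-only result is evidence, not proof: govulncheck's call analysis does not see through reflection or cgo, which is why the table records the manual reasoning as well.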

Kiali-specific vulnerabilities are fixed in releases made as needed, and a security bulletin is published at release time as well. For prior bulletins, see below:

Last modified November 13, 2023: blurb on security scan reporting (#716) (c54a65c)