GHSA-7h65-4p22-39j6: github.com/crossplane/crossplane: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses
A critical vulnerability was reported in the versions of golang that Crossplane depends on. Details of the golang vulnerability are included below. Crossplane does not directly use the vulnerable functions from the net/netip package, but the version of golang libraries, runtime, and build tools have still been updated as part of this security advisory nonetheless.
Critical Vulnerabilities
Vulnerability: CVE-2024-24790, golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses
Description: The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.
Affected versions: 1.17.1,1.16.2,1.15.5
See screenshot for more details
Fixed versions: 1.17.2,1.16.3,1.15.6
Release notes:
- https://github.com/crossplane/crossplane/releases/tag/v1.17.2
- https://github.com/crossplane/crossplane/releases/tag/v1.16.3
- https://github.com/crossplane/crossplane/releases/tag/v1.15.6
References
Code Behaviors & Features
Detect and mitigate GHSA-7h65-4p22-39j6 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →