advisories/apisix-ingress-controller.advisories.yaml at main · mjramirez-dev/advisories · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
schema-version: 2.0.2

package:
  name: apisix-ingress-controller

advisories:
  - id: CGA-j3w5-9495-j48j
    aliases:
      - CVE-2024-24786
      - GHSA-8r3f-844c-mc37
    events:
      - timestamp: 2025-07-02T10:51:27Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apisix-ingress-controller
            componentID: 9a4ad4f611fb9484
            componentName: google.golang.org/protobuf
            componentVersion: v1.31.0
            componentType: go-module
            componentLocation: /usr/bin/apisix-ingress-controller
            scanner: grype
      - timestamp: 2025-07-02T11:04:00Z
        type: false-positive-determination
        data:
          type: vulnerable-code-not-included-in-package
          note: Govulncheck found no affected symbols in the scanned Go binaries.
      - timestamp: 2025-07-07T10:51:27Z
        type: pending-upstream-fix
        data:
          note: 'The apisix-ingress-controller cannot be rebuilt with the latest protobuf due to usage of deprecated symbols from `github.com/golang/protobuf`. Upstream needs to migrate to `google.golang.org/protobuf` and regenerate `.pb.go` files to unblock CVE fixes via dependency updates.'