Bug 2223935

Summary: github.com/hashicorp/vault CVE on ocs-operator
Product: [Red Hat Storage] Red Hat OpenShift Data Foundation
Reporter: Gayathri Menath <gmenath>
Component: ocs-operator
Assignee: Malay Kumar parida <mparida>
Status: MODIFIED
QA Contact: Elad <ebenahar>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 4.10
CC: mparida, muagarwa, odf-bz-bot
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Gayathri Menath 2023-07-19 10:21:43 UTC
The CVEs listed below are reported against the github.com/hashicorp/vault library, and as ocs-operator is used by our module, we are getting these CVEs. Please upgrade the Rook package to the newest version to avoid these CVEs.
CVE-2022-40186
CVE-2022-41316
CVE-2023-0620
CVE-2023-0665
CVE-2023-2121
CVE-2023-24999
CVE-2023-25000

Comment 3 Malay Kumar parida 2023-08-05 13:47:53 UTC
With the update to the rook package version 1.12, which will be used in ODF 4.14, we have upgraded to v1.13.4 of the hashicorp/vault package.
Upon checking, I found version 1.13.4 free from all the CVEs mentioned above. Moving to Modified.

* Note for QE
This is just a package version upgrade, a regression run is good enough to mark it as verified.
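The verification step in Comment 3 amounts to reading the version of github.com/hashicorp/vault that the operator's go.mod selects and confirming it is at or above the version reported clean. The following Go program is an added example for that check; it is not code from ocs-operator, Rook, or this bug. The go.mod fragment is constructed for the example, the module path github.com/example/ocs-operator is a placeholder, and the minimum version v1.13.4 is taken from Comment 3 above. It goes slightly beyond the comment by also honouring a `replace` directive, which is where a pinned-but-overridden version often hides.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed go.mod fragment standing in for the real
// operator file (assumption: only the require block matters here).
const sampleGoMod = `module github.com/example/ocs-operator

go 1.20

require (
	github.com/hashicorp/vault v1.13.4
	github.com/rook/rook v1.12.0 // indirect
)
`

// minCleanVault is the hashicorp/vault version Comment 3 reports as free of the listed CVEs.
const minCleanVault = "v1.13.4"

// ModuleVersion returns the version go.mod selects for modulePath: the version
// from its require line, overridden by a replace directive that points at a
// module version of the same path. It returns "" when the module is absent.
func ModuleVersion(goMod, modulePath string) string {
	version := ""
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i]) // drop trailing comments such as "// indirect"
		}
		line = strings.TrimPrefix(line, "require ")
		line = strings.TrimPrefix(line, "replace ")
		if left, right, ok := strings.Cut(line, "=>"); ok {
			lf, rf := strings.Fields(left), strings.Fields(right)
			// A replace to a local directory (one field on the right) carries no version.
			if len(lf) >= 1 && lf[0] == modulePath && len(rf) == 2 {
				version = rf[1] // replace wins over the require line
			}
			continue
		}
		if f := strings.Fields(line); len(f) == 2 && f[0] == modulePath && version == "" {
			version = f[1]
		}
	}
	return version
}

type semver struct {
	nums [3]int
	pre  string
}

// parseSemver accepts "v1.13.4", "1.13.4-rc1" and pseudo-versions; build metadata after '+' is ignored.
func parseSemver(v string) (semver, bool) {
	var s semver
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	core, pre, _ := strings.Cut(v, "-")
	s.pre = pre
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return s, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return s, false
		}
		s.nums[i] = n
	}
	return s, true
}

// CompareSemver returns -1, 0 or 1. A pre-release sorts below the release with
// the same numbers, matching how Go module resolution orders versions.
func CompareSemver(a, b string) (int, error) {
	sa, okA := parseSemver(a)
	sb, okB := parseSemver(b)
	if !okA || !okB {
		return 0, fmt.Errorf("unparseable version: %q / %q", a, b)
	}
	for i := 0; i < 3; i++ {
		if sa.nums[i] < sb.nums[i] {
			return -1, nil
		}
		if sa.nums[i] > sb.nums[i] {
			return 1, nil
		}
	}
	switch {
	case sa.pre == sb.pre:
		return 0, nil
	case sa.pre == "":
		return 1, nil
	case sb.pre == "":
		return -1, nil
	}
	return strings.Compare(sa.pre, sb.pre), nil
}

// MeetsMinimum reports whether the selected version is at least the minimum clean one.
func MeetsMinimum(got, minimum string) (bool, error) {
	c, err := CompareSemver(got, minimum)
	return c >= 0, err
}

func main() {
	got := ModuleVersion(sampleGoMod, "github.com/hashicorp/vault")
	ok, err := MeetsMinimum(got, minCleanVault)
	fmt.Printf("hashicorp/vault selected=%s minimum=%s ok=%v err=%v\n", got, minCleanVault, ok, err)
}
```

In a real tree, feed the program the output of `go list -m -json all` rather than go.mod alone, since the module graph's minimal version selection can pick a higher version than the require line states; the comparison logic stays the same.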