docs(security): document GHSA-848j-6mx2-7j84 elliptic as accepted risk (#59)
* Add E2E test infrastructure for kube-vip plugin

  Scaffolded via e2e-scaffold.sh (proactive improvement).
  - playwright.config.ts, e2e/auth.setup.ts, e2e/kube-vip.spec.ts
  - scripts/deploy-e2e-headlamp.sh, scripts/teardown-e2e-headlamp.sh
  - .github/workflows/e2e.yaml uses reusable workflow
  - @playwright/test ^1.58.2 devDep
  - PRI-641

  Co-Authored-By: Paperclip <noreply@paperclip.ing>

* Fix E2E workflow: use pnpm-capable reusable workflow branch

  The reusable plugin-e2e.yaml@main lacks pnpm support. Switching to the PR branch that has pnpm detector, Corepack setup, and pnpm commands. Will revert to @main once PR #141 merges.
  - PRI-619 E2E fix

  Co-Authored-By: Paperclip <noreply@paperclip.ing>

* docs(security): document GHSA-848j-6mx2-7j84 elliptic as accepted risk

* fix(e2e): reference @main workflow after .github merge

  Co-Authored-By: Paperclip <noreply@paperclip.ing>

---------

Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
This commit was merged in pull request #59.
Committed by GitHub
Parent: b4e6cb9367
Commit: 1c5e50ce8c
Diff: +25
@@ -22,3 +22,28 @@ All data is fetched through Headlamp's built-in API proxy, which respects the us
|
||||
## Reporting a Vulnerability
|
||||
|
||||
Please report security vulnerabilities by opening a private issue or emailing the maintainers directly.
|
||||
|
||||
## Known Low-Severity Vulnerabilities
|
||||
|
||||
### GHSA-848j-6mx2-7j84 (elliptic)
|
||||
|
||||
**Severity:** High (but not exploitable in this plugin's context)
|
||||
|
||||
**Affected component:** `elliptic` (transitive, via `vite-plugin-node-polyfills` → `node-stdlib-browser` → `crypto-browserify` → `browserify-sign`)
|
||||
|
||||
**Description:** The elliptic library used in this plugin's development dependencies contains a prototype pollution vulnerability. This plugin is a **read-only** Headlamp plugin that never executes any cryptographic operations at runtime. The vulnerable code path requires:
|
||||
- Use of `elliptic` curve operations on untrusted input, AND
|
||||
- Ability for an attacker to influence the `elliptic` curve key generation input
|
||||
|
||||
Neither condition is met in this plugin's runtime context.
|
||||
|
||||
**Remediation:** No patched version of `elliptic` exists on npm. The current override in `package.json` (`"elliptic": ">=6.6.1"`) is a placeholder — no resolvable version satisfies this constraint.
|
||||
|
||||
**Risk acceptance rationale:**
|
||||
1. Plugin has no write operations against the cluster
|
||||
2. All data flows through Headlamp's API proxy with standard RBAC enforcement
|
||||
3. The vulnerable dependency is only in the development/build toolchain, not runtime
|
||||
4. No untrusted input can reach `elliptic` curve operations through this plugin
|
||||
|
||||
**Review date:** 2026-05-05
|
||||
**Reviewed by:** Hugh Hackman (VP Engineering Operations)
|
||||
|
||||
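Review bot: Rationale item 3 ("The vulnerable dependency is only in the development/build toolchain, not runtime") is not supported by the dependency chain listed under **Affected component**: `vite-plugin-node-polyfills`, `node-stdlib-browser` and `crypto-browserify` are browser polyfill packages, so `elliptic` can end up in the built plugin bundle rather than staying in the toolchain. Please state how this was checked (for example, that the built output contains no `elliptic` code), or reword the item so the acceptance rests on items 1, 2 and 4. Smaller points in the same section: the entry sits under "Known Low-Severity Vulnerabilities" while its own Severity line says High, so a heading such as "Accepted Risks" would match the content; the Description calls the issue prototype pollution, but the two listed preconditions concern curve operations and key generation input, so the wording should be checked against the advisory text; the Remediation paragraph keeps an override (`"elliptic": ">=6.6.1"`) that by its own statement resolves to nothing and, being an open-ended range, will float to whatever is published later, so either drop it or note that it must be pinned when a fixed release appears; and the Review date has no matching re-review date, which an accepted-risk entry needs so it does not stand indefinitely.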