Fix CVE-2024-35255 - github.com/Azure/azure-sdk-for-go/sdk/azidentity

[rgoltz]

Is your feature request related to a problem? Please describe.
The current grafana loki docker image seems to be affected by Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability. It's tested with Loki version main-4eb45cc branch main revision 4eb45cc

Describe the solution you'd like

• Upgrade azidentity to v1.6.0 or above

Details from Image-Scan

Vulnerability ID	https://nvd.nist.gov/vuln/detail/CVE-2024-35255
GitHub Advisory	GHSA-m5vv-6r4h-3vj9
CWE	https://cwe.mitre.org/data/definitions/362.html
Severity	Medium
Fix available	Yes
Installed version	v1.5.2
Fix available	v1.6.0
Package Manager	GOBINARY
File paths	usr/bin/loki

[rgoltz]

Thanks, @vlad-diachenko - It seems that PR #13835 updated the go library of azidentity to the fixed version. I've re-tested and pulled the main-tag: version 2.9.10, branch HEAD, revision 7664eda. I can not see any findings for this image-tag (main-tag from docker-hub - updated at Aug 9, 2024 at 8:33 pm) in my vulnerability image scanner.

Great! Thanks a lot 🥇. If somebody from the team can confirm, myself (or you) can close this issue as successfully resolved afterwards, CC'd @DylanGuedes

[vlad-diachenko]

Yes, it has been fixed, so, we can close this issue as well.