Description
I would like to report a security vulnerability in the mcr.microsoft.com/oss/open-policy-agent/gatekeeper image used in AKS clusters. The image contains a high-severity vulnerability, CVE-2024-8260, in the Open Policy Agent (OPA) package.
Affected package: github.com/open-policy-agent/opa
Installed version: 0.64.1
Resource path: /manager
Fix availability: Yes, in version 0.68.0 or higher.
Severity: High (CVSS 7.3)
Platforms Affected:
This issue affects environments using AKS that rely on this image for policy enforcement with Gatekeeper.
Steps to Reproduce:
Use the image mcr.microsoft.com/oss/open-policy-agent/gatekeeper.
Scan the image for vulnerabilities.
You will find CVE-2024-8260 in the OPA package.
Suggested Solution:
Upgrade the github.com/open-policy-agent/opa package to version 0.68.0 or higher in the mcr.microsoft.com/oss/open-policy-agent/gatekeeper image.
Impact:
The vulnerability has a high severity and could potentially expose AKS clusters to security risks. Timely mitigation is important for secure operations.
Request:
Please patch the Gatekeeper image and update the associated AKS components that utilize this image to mitigate the vulnerability. Kindly provide a timeline for when the updated image will be available in the mcr.microsoft.com registry.