Description
What happened:
There are a number of CVEs reported against the GoLang version (go1.13.15) that is used by Kubernetes v1.18.19 and I cannot see evidence in the issues list / release notes that the fixes have been applied or whether the GoLang version has been updated (the fixes are in go1.15.9).
I also cannot find any information about whether the fixes have been applied to v1.19.11 either.
I am not sure whether to disclose the list of CVEs here or whether to open a security report instead, as they were already reported and fixed in the upstream GoLang project, but that version of Go has not been used by Kubernetes (as far as I can tell).
Please advise whether the list of CVEs is required.
What you expected to happen:
The CVEs should be resolved by updating GoLang to the required minimum version.
How to reproduce it (as minimally and precisely as possible):
Non-functional issue.
We incorporate kubectl into a Docker image to allow 'exec' commands to be run against pods in a cluster; the supported cluster versions start at 1.18.x. Therefore we are restricted on the version of kubectl we can use.
Anything else we need to know?:
Environment:
- Kubernetes version (use kubectl version):
  Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.19", GitCommit:"ac0cc736d0018d817c763083945e4db863168d12", GitTreeState:"clean", BuildDate:"2021-05-12T11:29:07Z", GoVersion:"go1.13.15", Compiler:"gc", Platform:"linux/amd64"}
- OS (e.g: cat /etc/os-release): RHEL Linux 7.9 (UBI)
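
A build-time gate for the situation this issue describes, as an added example that is not part of the original report or of the Kubernetes project's code: it reads the GoVersion field from kubectl version output in the format quoted above and fails closed when the toolchain is older than a required minimum. The function names are hypothetical, and the go1.15.9 threshold is the one the reporter names.

```shell
#!/bin/sh
# Added example. SAMPLE is the Client Version line quoted in the issue above.
SAMPLE='Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.19", GitCommit:"ac0cc736d0018d817c763083945e4db863168d12", GitTreeState:"clean", BuildDate:"2021-05-12T11:29:07Z", GoVersion:"go1.13.15", Compiler:"gc", Platform:"linux/amd64"}'
MIN_GO=1.15.9   # minimum named in the issue; set this from your own policy

# Print the Go toolchain version (e.g. 1.13.15) found in version.Info text.
# Prints nothing for missing or non-release versions such as go1.16rc1.
go_version_of() {
    printf '%s\n' "$1" |
        sed -n 's/.*GoVersion:"go\([0-9][0-9.]*\)".*/\1/p' | head -n 1
}

# Return 0 if dotted version $1 >= $2. Fields are compared as numbers,
# because a string comparison would rank 1.9 above 1.13.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    done
    return 0
}

# Fail closed: 0 = acceptable, 1 = outdated, 2 = version could not be read.
check_toolchain() {
    found=$(go_version_of "$1")
    if [ -z "$found" ]; then
        echo "UNKNOWN"
        return 2
    fi
    if version_ge "$found" "$2"; then
        echo "OK go$found"
        return 0
    fi
    echo "OUTDATED go$found < go$2"
    return 1
}

# Demonstration on the sample. In an image build, use instead:
#   check_toolchain "$(kubectl version --client)" "$MIN_GO" || exit 1
check_toolchain "$SAMPLE" "$MIN_GO" || true
```

The check only tells you which toolchain built the binary; whether a given CVE affects kubectl still depends on which standard-library packages it actually uses.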