Found 2 medium CVEs in the latest build with the recently approved PR. Note: the upbound marketplace image v0.2.0 has critical and high CVEs. Use the latest after the merge of https://github.com/crossplane-contrib/function-shell/pull/25. markussdocker/function-shell:v0.2.0, referenced below, is a test build including the above PR fixes and updates.
## Overview
| | Analyzed Image |
|---|---|
| Target | markussdocker/function-shell:v0.2.0 |
| digest | 20658af7a76c |
| platform | linux/arm64 |
| provenance | git@github.com:crossplane-contrib/function-shell.git dd08a3826e427cacea3b828858714b7488365ffd |
| vulnerabilities | 0C 0H 2M 18L |
| size | 613 MB |
| packages | 137 |
## Packages and Vulnerabilities
0C 0H 1M 0L golang.org/x/net 0.20.0
pkg:golang/golang.org/x/net@0.20.0
✗ MEDIUM CVE-2023-45288 [Uncontrolled Resource Consumption]
https://scout.docker.com/v/CVE-2023-45288
Affected range : <0.23.0
Fixed version : 0.23.0
CVSS Score : 5.3
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
0C 0H 1M 0L google.golang.org/protobuf 1.32.0
pkg:golang/google.golang.org/protobuf@1.32.0
✗ MEDIUM CVE-2024-24786 [Loop with Unreachable Exit Condition ('Infinite Loop')]
https://scout.docker.com/v/CVE-2024-24786
Affected range : <1.33.0
Fixed version : 1.33.0
CVSS Score : 6.6
CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
0C 0H 0M 7L glibc 2.36-9+deb12u9
pkg:deb/debian/glibc@2.36-9%2Bdeb12u9?os_distro=bookworm&os_name=debian&os_version=12
✗ LOW CVE-2019-9192
https://scout.docker.com/v/CVE-2019-9192
Affected range : >=2.36-9+deb12u9
Fixed version : not fixed
✗ LOW CVE-2019-1010025
https://scout.docker.com/v/CVE-2019-1010025
Affected range : >=2.36-9+deb12u9
Fixed version : not fixed
✗ LOW CVE-2019-1010024
https://scout.docker.com/v/CVE-2019-1010024
Affected range : >=2.36-9+deb12u9
Fixed version : not fixed
✗ LOW CVE-2019-1010023
https://scout.docker.com/v/CVE-2019-1010023
Affected range : >=2.36-9+deb12u9
Fixed version : not fixed
✗ LOW CVE-2019-1010022
https://scout.docker.com/v/CVE-2019-1010022
Affected range : >=2.36-9+deb12u9
Fixed version : not fixed
✗ LOW CVE-2018-20796
https://scout.docker.com/v/CVE-2018-20796
Affected range : >=2.36-9+deb12u9
Fixed version : not fixed
✗ LOW CVE-2010-4756
https://scout.docker.com/v/CVE-2010-4756
Affected range : >=2.36-9+deb12u9
Fixed version : not fixed
0C 0H 0M 3L krb5 1.20.1-2+deb12u2
pkg:deb/debian/krb5@1.20.1-2%2Bdeb12u2?os_distro=bookworm&os_name=debian&os_version=12
✗ LOW CVE-2024-26461
https://scout.docker.com/v/CVE-2024-26461
Affected range : >=1.20.1-2+deb12u2
Fixed version : not fixed
✗ LOW CVE-2024-26458
https://scout.docker.com/v/CVE-2024-26458
Affected range : >=1.20.1-2+deb12u2
Fixed version : not fixed
✗ LOW CVE-2018-5709
https://scout.docker.com/v/CVE-2018-5709
Affected range : >=1.20.1-2+deb12u2
Fixed version : not fixed
0C 0H 0M 2L expat 2.5.0-1+deb12u1
pkg:deb/debian/expat@2.5.0-1%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12
✗ LOW CVE-2024-28757
https://scout.docker.com/v/CVE-2024-28757
Affected range : >=2.5.0-1+deb12u1
Fixed version : not fixed
✗ LOW CVE-2023-52426
https://scout.docker.com/v/CVE-2023-52426
Affected range : >=2.5.0-1+deb12u1
Fixed version : not fixed
0C 0H 0M 2L gcc-12 12.2.0-14
pkg:deb/debian/gcc-12@12.2.0-14?os_distro=bookworm&os_name=debian&os_version=12
✗ LOW CVE-2023-4039
https://scout.docker.com/v/CVE-2023-4039
Affected range : >=12.2.0-14
Fixed version : not fixed
✗ LOW CVE-2022-27943
https://scout.docker.com/v/CVE-2022-27943
Affected range : >=12.2.0-14
Fixed version : not fixed
0C 0H 0M 2L sqlite3 3.40.1-2+deb12u1
pkg:deb/debian/sqlite3@3.40.1-2%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12
✗ LOW CVE-2023-36191
https://scout.docker.com/v/CVE-2023-36191
Affected range : >=3.40.1-2
Fixed version : not fixed
✗ LOW CVE-2021-45346
https://scout.docker.com/v/CVE-2021-45346
Affected range : >=3.40.1-2+deb12u1
Fixed version : not fixed
0C 0H 0M 1L openssl 3.0.15-1~deb12u1
pkg:deb/debian/openssl@3.0.15-1~deb12u1?os_distro=bookworm&os_name=debian&os_version=12
✗ LOW CVE-2010-0928
https://scout.docker.com/v/CVE-2010-0928
Affected range : >=3.0.11-1~deb12u2
Fixed version : not fixed
0C 0H 0M 1L util-linux 2.38.1-5+deb12u2
pkg:deb/debian/util-linux@2.38.1-5%2Bdeb12u2?os_distro=bookworm&os_name=debian&os_version=12
✗ LOW CVE-2022-0563
https://scout.docker.com/v/CVE-2022-0563
Affected range : >=2.38.1-5+deb12u2
Fixed version : not fixed
20 vulnerabilities found in 9 packages
CRITICAL 0
HIGH 0
MEDIUM 2
LOW 18
Bug Report
How can we reproduce it?
docker scout cves xpkg.upbound.io/crossplane-contrib/function-shell:v0.2.0
What environment did it happen in?
Function version: v0.2.0
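The two MEDIUM findings in the scan are closed by raising the Go module versions to the "Fixed version" the scan reports (golang.org/x/net to 0.23.0 for CVE-2023-45288, google.golang.org/protobuf to 1.33.0 for CVE-2024-24786); the Debian LOW entries marked "not fixed" come from the base image and do not move with a go.mod bump. The Go program below is an added example, not code from function-shell or from this report: it parses a go.mod and lists every module that is still below its fixed-version floor, so the same check can run in CI before an image is rebuilt and rescanned with `docker scout cves`. The module name, the go.mod text and the `fixedFloors` map are constructed for the example and are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// fixedFloors maps a module to the minimum version that closes the CVE the
// scan reported. Values are taken from the "Fixed version" lines above; the
// map itself is an assumption of this example, not a project file.
var fixedFloors = map[string]string{
	"golang.org/x/net":           "v0.23.0", // CVE-2023-45288
	"google.golang.org/protobuf": "v1.33.0", // CVE-2024-24786
}

// sampleGoMod is a constructed go.mod fragment pinning the versions the scan
// flagged (x/net 0.20.0, protobuf 1.32.0). The module path is made up.
const sampleGoMod = `module github.com/example/function-shell

go 1.21

require (
	golang.org/x/net v0.20.0
	google.golang.org/protobuf v1.32.0
	github.com/example/other v1.2.3 // indirect
)
`

// parseRequires returns module path -> version from go.mod text, handling both
// the single-line "require m v" form and the "require ( ... )" block form.
func parseRequires(goMod string) map[string]string {
	reqs := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // drop "// indirect" etc.
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
		case line == ")":
			inBlock = false
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) == 3 {
				reqs[f[1]] = f[2]
			}
		case inBlock:
			if f := strings.Fields(line); len(f) == 2 {
				reqs[f[0]] = f[1]
			}
		}
	}
	return reqs
}

// splitVersion turns "vMAJOR.MINOR.PATCH[-pre][+build]" into numeric parts and
// the remaining suffix (pseudo-versions carry their timestamp in the suffix).
func splitVersion(v string) ([3]int, string) {
	v = strings.TrimPrefix(v, "v")
	suffix := ""
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v, suffix = v[:i], v[i:]
	}
	var nums [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(p)
		nums[i] = n
	}
	return nums, suffix
}

// compareSemver orders versions numerically by major.minor.patch; a version
// with a pre-release suffix sorts below the same bare version.
func compareSemver(a, b string) int {
	pa, sa := splitVersion(a)
	pb, sb := splitVersion(b)
	for i := 0; i < 3; i++ {
		if pa[i] < pb[i] {
			return -1
		}
		if pa[i] > pb[i] {
			return 1
		}
	}
	switch {
	case sa == sb:
		return 0
	case sa != "" && sb == "":
		return -1
	case sa == "" && sb != "":
		return 1
	default:
		return strings.Compare(sa, sb)
	}
}

// belowFloor lists, in sorted order, every required module whose version is
// older than its floor; an empty result means the scan's fixes are in place.
func belowFloor(reqs, floors map[string]string) []string {
	var bad []string
	for mod, floor := range floors {
		if have, ok := reqs[mod]; ok && compareSemver(have, floor) < 0 {
			bad = append(bad, fmt.Sprintf("%s %s < %s", mod, have, floor))
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	for _, b := range belowFloor(parseRequires(sampleGoMod), fixedFloors) {
		fmt.Println("needs bump:", b)
	}
}
```

Run against a real go.mod, a non-empty list is the set of `go get module@version` bumps still outstanding; after `go mod tidy`, rebuild the image and rescan, since the Debian base-image entries are only cleared by a base image update, not by this check.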