
Addressing a lot of security vulnerabilities in the Cadence release v1.2.10 #6142

Closed
sonpham96 opened this issue Jun 21, 2024 · 2 comments
Labels: dependencies, security

Comments

@sonpham96 (Contributor)

Version of Cadence server, and client (which language)
This is very important to root cause bugs.

  • Server version: v1.2.10

Describe the bug
There are a lot of CVEs found from the latest Cadence image: ubercadence/server:v1.2.10

To Reproduce
Is the issue reproducible?

  • Yes

Steps to reproduce the behavior:

  • Pull the latest image ubercadence/server:v1.2.10 from Docker Hub
  • Scan the image with any vulnerability scanner
Scan results for: image ubercadence/server:v1.2.10 sha256:84f2c2191582f7421bb0db739c643ec8a24def8ff624d5fc2d3e0b164b6d85ed
Vulnerabilities
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
|       CVE        | SEVERITY | CVSS |                      PACKAGE                      |              VERSION               |       STATUS       | PUBLISHED  | DISCOVERED |                    DESCRIPTION                     |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2016-5397    | high     | 8.80 | github.com/apache/thrift                          | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.10.0    | > 6 years  | < 1 hour   | The Apache Thrift Go client library exposed the    |
|                  |          |      |                                                   |                                    | > 10 months ago    |            |            | potential during code generation for command       |
|                  |          |      |                                                   |                                    |                    |            |            | injection due to using an external formatting      |
|                  |          |      |                                                   |                                    |                    |            |            | tool. Affec...                                     |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2019-0210    | high     | 7.50 | github.com/apache/thrift/lib/go/thrift            | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.13.0    | > 4 years  | < 1 hour   | In Apache Thrift 0.9.3 to 0.12.0, a server         |
|                  |          |      |                                                   |                                    | > 4 years ago      |            |            | implemented in Go using TJSONProtocol or           |
|                  |          |      |                                                   |                                    |                    |            |            | TSimpleJSONProtocol may panic when feed with       |
|                  |          |      |                                                   |                                    |                    |            |            | invalid input data.                                |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| PRISMA-2023-0056 | medium   | 6.20 | github.com/sirupsen/logrus                        | v1.9.0                             | fixed in v1.9.3    | > 1 years  | < 1 hour   | The github.com/sirupsen/logrus module of all       |
|                  |          |      |                                                   |                                    | > 1 years ago      |            |            | versions is vulnerable to denial of service.       |
|                  |          |      |                                                   |                                    |                    |            |            | Logging more than 64kb of data in a single entry   |
|                  |          |      |                                                   |                                    |                    |            |            | without new...                                     |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-6992    | medium   | 5.50 | zlib                                              | 1.2.13-r1                          |                    | > 5 months | < 1 hour   | Cloudflare version of zlib library was found       |
|                  |          |      |                                                   |                                    |                    |            |            | to be vulnerable to memory corruption issues       |
|                  |          |      |                                                   |                                    |                    |            |            | affecting the deflation algorithm implementation   |
|                  |          |      |                                                   |                                    |                    |            |            | (deflate.c)...                                     |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42366   | medium   | 5.50 | busybox                                           | 1.36.1-r5                          | fixed in 1.36.1-r6 | > 6 months | < 1 hour   | A heap-buffer-overflow was discovered in BusyBox   |
|                  |          |      |                                                   |                                    | 33 days ago        |            |            | v.1.36.1 in the next_token function at awk.c:1159. |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42366   | medium   | 5.50 | busybox                                           | 1.36.1                             |                    | > 6 months | < 1 hour   | A heap-buffer-overflow was discovered in BusyBox   |
|                  |          |      |                                                   |                                    |                    |            |            | v.1.36.1 in the next_token function at awk.c:1159. |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42365   | medium   | 5.50 | busybox                                           | 1.36.1-r5                          | fixed in 1.36.1-r7 | > 6 months | < 1 hour   | A use-after-free vulnerability was discovered in   |
|                  |          |      |                                                   |                                    | 8 days ago         |            |            | BusyBox v.1.36.1 via a crafted awk pattern in the  |
|                  |          |      |                                                   |                                    |                    |            |            | awk.c copyvar function.                            |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42365   | medium   | 5.50 | busybox                                           | 1.36.1                             |                    | > 6 months | < 1 hour   | A use-after-free vulnerability was discovered in   |
|                  |          |      |                                                   |                                    |                    |            |            | BusyBox v.1.36.1 via a crafted awk pattern in the  |
|                  |          |      |                                                   |                                    |                    |            |            | awk.c copyvar function.                            |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42364   | medium   | 5.50 | busybox                                           | 1.36.1-r5                          | fixed in 1.36.1-r7 | > 6 months | < 1 hour   | A use-after-free vulnerability in BusyBox v.1.36.1 |
|                  |          |      |                                                   |                                    | 8 days ago         |            |            | allows attackers to cause a denial of service      |
|                  |          |      |                                                   |                                    |                    |            |            | via a crafted awk pattern in the awk.c evaluate    |
|                  |          |      |                                                   |                                    |                    |            |            | funct...                                           |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42364   | medium   | 5.50 | busybox                                           | 1.36.1                             |                    | > 6 months | < 1 hour   | A use-after-free vulnerability in BusyBox v.1.36.1 |
|                  |          |      |                                                   |                                    |                    |            |            | allows attackers to cause a denial of service      |
|                  |          |      |                                                   |                                    |                    |            |            | via a crafted awk pattern in the awk.c evaluate    |
|                  |          |      |                                                   |                                    |                    |            |            | funct...                                           |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42363   | medium   | 5.50 | busybox                                           | 1.36.1-r5                          | fixed in 1.36.1-r7 | > 6 months | < 1 hour   | A use-after-free vulnerability was discovered      |
|                  |          |      |                                                   |                                    | 8 days ago         |            |            | in xasprintf function in xfuncs_printf.c:344 in    |
|                  |          |      |                                                   |                                    |                    |            |            | BusyBox v.1.36.1.                                  |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42363   | medium   | 5.50 | busybox                                           | 1.36.1                             |                    | > 6 months | < 1 hour   | A use-after-free vulnerability was discovered      |
|                  |          |      |                                                   |                                    |                    |            |            | in xasprintf function in xfuncs_printf.c:344 in    |
|                  |          |      |                                                   |                                    |                    |            |            | BusyBox v.1.36.1.                                  |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/internal/encoding/json | v1.31.0                            | fixed in 1.33.0    | > 3 months | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                   |                                    | > 3 months ago     |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                   |                                    |                    |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                   |                                    |                    |            |            | unmarshalin...                                     |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/encoding/protojson     | v1.31.0                            | fixed in 1.33.0    | > 3 months | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                   |                                    | > 3 months ago     |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                   |                                    |                    |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                   |                                    |                    |            |            | unmarshalin...                                     |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | golang.org/x/net/http2                            | v0.19.0                            | fixed in 0.23.0    | 77 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                                   |                                    | 77 days ago        |            |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                                   |                                    |                    |            |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                                   |                                    |                    |            |            | Maintaining H...                                   |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2024-4603    | low      | 0.00 | openssl                                           | 3.1.4-r5                           | fixed in 3.1.5-r0  | 35 days    | < 1 hour   | Issue summary: Checking excessively long DSA       |
|                  |          |      |                                                   |                                    | 31 days ago        |            |            | keys or parameters may be very slow.  Impact       |
|                  |          |      |                                                   |                                    |                    |            |            | summary: Applications that use the functions       |
|                  |          |      |                                                   |                                    |                    |            |            | EVP_PKEY_param_...                                 |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2024-2511    | low      | 0.00 | openssl                                           | 3.1.4-r5                           | fixed in 3.1.4-r6  | 73 days    | < 1 hour   | Issue summary: Some non-default TLS server         |
|                  |          |      |                                                   |                                    | 72 days ago        |            |            | configurations can cause unbounded memory growth   |
|                  |          |      |                                                   |                                    |                    |            |            | when processing TLSv1.3 sessions  Impact summary:  |
|                  |          |      |                                                   |                                    |                    |            |            | An attac...                                        |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+

Vulnerabilities found for image ubercadence/server:v1.2.10: total - 17, critical - 0, high - 2, medium - 13, low - 2
Vulnerability threshold check results: PASS

Compliance Issues
+----------+------------------------------------------------------------------------+
| SEVERITY |                              DESCRIPTION                               |
+----------+------------------------------------------------------------------------+
| high     | (CIS_Docker_v1.5.0 - 4.1) Image should be created with a non-root user |
+----------+------------------------------------------------------------------------+
| high     | Private keys stored in image                                           |
+----------+------------------------------------------------------------------------+

Compliance found for image ubercadence/server:v1.2.10: total - 2, critical - 0, high - 2, medium - 0, low - 0

Expected behavior
No more CVEs found.

@LauVietVan

Version of Cadence server, and client (which language)
This is very important to root cause bugs.

  • Server version: v1.2.10

Describe the bug
There are a lot of CVEs found from the latest Cadence image: ubercadence/server:v1.2.10
Steps to reproduce the behavior:

  • Pull the latest image ubercadence/server:v1.2.10 from Docker Hub
  • Scan the image with any vulnerability scanner

Scan results for: image ubercadence/server:v1.2.10 sha256:84f2c2191582f7421bb0db739c643ec8a24def8ff624d5fc2d3e0b164b6d85ed
Vulnerabilities
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
|       CVE        | SEVERITY | CVSS |                PACKAGE                 |              VERSION               |       STATUS       | PUBLISHED  | DISCOVERED |                    DESCRIPTION                     |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2016-5397    | high     | 8.80 | github.com/apache/thrift               | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.10.0    | > 6 years  | < 1 hour   | The Apache Thrift Go client library exposed the    |
|                  |          |      |                                        |                                    | > 11 months ago    |            |            | potential during code generation for command       |
|                  |          |      |                                        |                                    |                    |            |            | injection due to using an external formatting      |
|                  |          |      |                                        |                                    |                    |            |            | tool. Affec...                                     |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2019-0210    | high     | 7.50 | github.com/apache/thrift/lib/go/thrift | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.13.0    | > 4 years  | < 1 hour   | In Apache Thrift 0.9.3 to 0.12.0, a server         |
|                  |          |      |                                        |                                    | > 4 years ago      |            |            | implemented in Go using TJSONProtocol or           |
|                  |          |      |                                        |                                    |                    |            |            | TSimpleJSONProtocol may panic when feed with       |
|                  |          |      |                                        |                                    |                    |            |            | invalid input data.                                |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| PRISMA-2023-0056 | medium   | 6.20 | github.com/sirupsen/logrus             | v1.9.0                             | fixed in v1.9.3    | > 1 years  | < 1 hour   | The github.com/sirupsen/logrus module of all       |
|                  |          |      |                                        |                                    | > 1 years ago      |            |            | versions is vulnerable to denial of service.       |
|                  |          |      |                                        |                                    |                    |            |            | Logging more than 64kb of data in a single entry   |
|                  |          |      |                                        |                                    |                    |            |            | without new...                                     |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-6992    | medium   | 5.50 | zlib                                   | 1.2.13-r1                          |                    | > 6 months | < 1 hour   | Cloudflare version of zlib library was found       |
|                  |          |      |                                        |                                    |                    |            |            | to be vulnerable to memory corruption issues       |
|                  |          |      |                                        |                                    |                    |            |            | affecting the deflation algorithm implementation   |
|                  |          |      |                                        |                                    |                    |            |            | (deflate.c)...                                     |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42366   | medium   | 5.50 | busybox                                | 1.36.1-r5                          | fixed in 1.36.1-r6 | > 7 months | < 1 hour   | A heap-buffer-overflow was discovered in BusyBox   |
|                  |          |      |                                        |                                    | 58 days ago        |            |            | v.1.36.1 in the next_token function at awk.c:1159. |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42365   | medium   | 5.50 | busybox                                | 1.36.1-r5                          | fixed in 1.36.1-r7 | > 7 months | < 1 hour   | A use-after-free vulnerability was discovered in   |
|                  |          |      |                                        |                                    | 33 days ago        |            |            | BusyBox v.1.36.1 via a crafted awk pattern in the  |
|                  |          |      |                                        |                                    |                    |            |            | awk.c copyvar function.                            |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42364   | medium   | 5.50 | busybox                                | 1.36.1-r5                          | fixed in 1.36.1-r7 | > 7 months | < 1 hour   | A use-after-free vulnerability in BusyBox v.1.36.1 |
|                  |          |      |                                        |                                    | 33 days ago        |            |            | allows attackers to cause a denial of service      |
|                  |          |      |                                        |                                    |                    |            |            | via a crafted awk pattern in the awk.c evaluate    |
|                  |          |      |                                        |                                    |                    |            |            | funct...                                           |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42363   | medium   | 5.50 | busybox                                | 1.36.1-r5                          | fixed in 1.36.1-r7 | > 7 months | < 1 hour   | A use-after-free vulnerability was discovered      |
|                  |          |      |                                        |                                    | 33 days ago        |            |            | in xasprintf function in xfuncs_printf.c:344 in    |
|                  |          |      |                                        |                                    |                    |            |            | BusyBox v.1.36.1.                                  |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | golang.org/x/net/http2                 | v0.19.0                            | fixed in 0.23.0    | > 3 months | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                        |                                    | > 3 months ago     |            |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                        |                                    |                    |            |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                        |                                    |                    |            |            | Maintaining H...                                   |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2024-5535    | low      | 0.00 | openssl                                | 3.1.4-r5                           | fixed in 3.1.6-r0  | 19 days    | < 1 hour   | openssl: SSL_select_next_proto buffer overread     |
|                  |          |      |                                        |                                    | 16 days ago        |            |            |                                                    |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2024-4741    | low      | 0.00 | openssl                                | 3.1.4-r5                           | fixed in 3.1.6-r0  | 49 days    | < 1 hour   | openssl: Use After Free with SSL_free_buffers      |
|                  |          |      |                                        |                                    | 16 days ago        |            |            |                                                    |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2024-4603    | low      | 0.00 | openssl                                | 3.1.4-r5                           | fixed in 3.1.5-r0  | 60 days    | < 1 hour   | Issue summary: Checking excessively long DSA       |
|                  |          |      |                                        |                                    | 56 days ago        |            |            | keys or parameters may be very slow.  Impact       |
|                  |          |      |                                        |                                    |                    |            |            | summary: Applications that use the functions       |
|                  |          |      |                                        |                                    |                    |            |            | EVP_PKEY_param_...                                 |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2024-2511    | low      | 0.00 | openssl                                | 3.1.4-r5                           | fixed in 3.1.4-r6  | > 3 months | < 1 hour   | Issue summary: Some non-default TLS server         |
|                  |          |      |                                        |                                    | > 3 months ago     |            |            | configurations can cause unbounded memory growth   |
|                  |          |      |                                        |                                    |                    |            |            | when processing TLSv1.3 sessions  Impact summary:  |
|                  |          |      |                                        |                                    |                    |            |            | An attac...                                        |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+

Vulnerabilities found for image ubercadence/server:v1.2.10: total - 13, critical - 0, high - 2, medium - 7, low - 4
Vulnerability threshold check results: PASS

Compliance Issues
+----------+------------------------------------------------------------------------+
| SEVERITY |                              DESCRIPTION                               |
+----------+------------------------------------------------------------------------+
| high     | (CIS_Docker_v1.5.0 - 4.1) Image should be created with a non-root user |
+----------+------------------------------------------------------------------------+
| high     | Private keys stored in image                                           |
+----------+------------------------------------------------------------------------+

Compliance found for image ubercadence/server:v1.2.10: total - 2, critical - 0, high - 2, medium - 0, low - 0
Compliance threshold check results: PASS

Screenshots

QA
I'm encountering a similar issue. I see there's a tag for version v1.2.11, but it hasn't been published yet. I'm currently wondering about the timing for publishing this version. If published, will it resolve the issue?


Version of Cadence server, and client(which language)
This is very important to root cause bugs.

  • Server version: v1.2.10

Describe the bug
There are a lot of CVEs found from the latest Cadence image: ubercadence/server:v1.2.10

To Reproduce
Is the issue reproducible?

  • Yes

Steps to reproduce the behavior:

  • Pull the latest image ubercadence/server:v1.2.10 from Dockerhub
  • Scan the image with any vulnerability scanner
Scan results for: image ubercadence/server:v1.2.10 sha256:84f2c2191582f7421bb0db739c643ec8a24def8ff624d5fc2d3e0b164b6d85ed
Vulnerabilities
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
|       CVE        | SEVERITY | CVSS |                      PACKAGE                      |              VERSION               |       STATUS       | PUBLISHED  | DISCOVERED |                    DESCRIPTION                     |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2016-5397    | high     | 8.80 | github.com/apache/thrift                          | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.10.0    | > 6 years  | < 1 hour   | The Apache Thrift Go client library exposed the    |
|                  |          |      |                                                   |                                    | > 10 months ago    |            |            | potential during code generation for command       |
|                  |          |      |                                                   |                                    |                    |            |            | injection due to using an external formatting      |
|                  |          |      |                                                   |                                    |                    |            |            | tool. Affec...                                     |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2019-0210    | high     | 7.50 | github.com/apache/thrift/lib/go/thrift            | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.13.0    | > 4 years  | < 1 hour   | In Apache Thrift 0.9.3 to 0.12.0, a server         |
|                  |          |      |                                                   |                                    | > 4 years ago      |            |            | implemented in Go using TJSONProtocol or           |
|                  |          |      |                                                   |                                    |                    |            |            | TSimpleJSONProtocol may panic when feed with       |
|                  |          |      |                                                   |                                    |                    |            |            | invalid input data.                                |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| PRISMA-2023-0056 | medium   | 6.20 | github.com/sirupsen/logrus                        | v1.9.0                             | fixed in v1.9.3    | > 1 years  | < 1 hour   | The github.com/sirupsen/logrus module of all       |
|                  |          |      |                                                   |                                    | > 1 years ago      |            |            | versions is vulnerable to denial of service.       |
|                  |          |      |                                                   |                                    |                    |            |            | Logging more than 64kb of data in a single entry   |
|                  |          |      |                                                   |                                    |                    |            |            | without new...                                     |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-6992    | medium   | 5.50 | zlib                                              | 1.2.13-r1                          |                    | > 5 months | < 1 hour   | Cloudflare version of zlib library was found       |
|                  |          |      |                                                   |                                    |                    |            |            | to be vulnerable to memory corruption issues       |
|                  |          |      |                                                   |                                    |                    |            |            | affecting the deflation algorithm implementation   |
|                  |          |      |                                                   |                                    |                    |            |            | (deflate.c)...                                     |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42366   | medium   | 5.50 | busybox                                           | 1.36.1-r5                          | fixed in 1.36.1-r6 | > 6 months | < 1 hour   | A heap-buffer-overflow was discovered in BusyBox   |
|                  |          |      |                                                   |                                    | 33 days ago        |            |            | v.1.36.1 in the next_token function at awk.c:1159. |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42366   | medium   | 5.50 | busybox                                           | 1.36.1                             |                    | > 6 months | < 1 hour   | A heap-buffer-overflow was discovered in BusyBox   |
|                  |          |      |                                                   |                                    |                    |            |            | v.1.36.1 in the next_token function at awk.c:1159. |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42365   | medium   | 5.50 | busybox                                           | 1.36.1-r5                          | fixed in 1.36.1-r7 | > 6 months | < 1 hour   | A use-after-free vulnerability was discovered in   |
|                  |          |      |                                                   |                                    | 8 days ago         |            |            | BusyBox v.1.36.1 via a crafted awk pattern in the  |
|                  |          |      |                                                   |                                    |                    |            |            | awk.c copyvar function.                            |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42365   | medium   | 5.50 | busybox                                           | 1.36.1                             |                    | > 6 months | < 1 hour   | A use-after-free vulnerability was discovered in   |
|                  |          |      |                                                   |                                    |                    |            |            | BusyBox v.1.36.1 via a crafted awk pattern in the  |
|                  |          |      |                                                   |                                    |                    |            |            | awk.c copyvar function.                            |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42364   | medium   | 5.50 | busybox                                           | 1.36.1-r5                          | fixed in 1.36.1-r7 | > 6 months | < 1 hour   | A use-after-free vulnerability in BusyBox v.1.36.1 |
|                  |          |      |                                                   |                                    | 8 days ago         |            |            | allows attackers to cause a denial of service      |
|                  |          |      |                                                   |                                    |                    |            |            | via a crafted awk pattern in the awk.c evaluate    |
|                  |          |      |                                                   |                                    |                    |            |            | funct...                                           |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42364   | medium   | 5.50 | busybox                                           | 1.36.1                             |                    | > 6 months | < 1 hour   | A use-after-free vulnerability in BusyBox v.1.36.1 |
|                  |          |      |                                                   |                                    |                    |            |            | allows attackers to cause a denial of service      |
|                  |          |      |                                                   |                                    |                    |            |            | via a crafted awk pattern in the awk.c evaluate    |
|                  |          |      |                                                   |                                    |                    |            |            | funct...                                           |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42363   | medium   | 5.50 | busybox                                           | 1.36.1-r5                          | fixed in 1.36.1-r7 | > 6 months | < 1 hour   | A use-after-free vulnerability was discovered      |
|                  |          |      |                                                   |                                    | 8 days ago         |            |            | in xasprintf function in xfuncs_printf.c:344 in    |
|                  |          |      |                                                   |                                    |                    |            |            | BusyBox v.1.36.1.                                  |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42363   | medium   | 5.50 | busybox                                           | 1.36.1                             |                    | > 6 months | < 1 hour   | A use-after-free vulnerability was discovered      |
|                  |          |      |                                                   |                                    |                    |            |            | in xasprintf function in xfuncs_printf.c:344 in    |
|                  |          |      |                                                   |                                    |                    |            |            | BusyBox v.1.36.1.                                  |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/internal/encoding/json | v1.31.0                            | fixed in 1.33.0    | > 3 months | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                   |                                    | > 3 months ago     |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                   |                                    |                    |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                   |                                    |                    |            |            | unmarshalin...                                     |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/encoding/protojson     | v1.31.0                            | fixed in 1.33.0    | > 3 months | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                   |                                    | > 3 months ago     |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                   |                                    |                    |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                   |                                    |                    |            |            | unmarshalin...                                     |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | golang.org/x/net/http2                            | v0.19.0                            | fixed in 0.23.0    | 77 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                                   |                                    | 77 days ago        |            |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                                   |                                    |                    |            |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                                   |                                    |                    |            |            | Maintaining H...                                   |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2024-4603    | low      | 0.00 | openssl                                           | 3.1.4-r5                           | fixed in 3.1.5-r0  | 35 days    | < 1 hour   | Issue summary: Checking excessively long DSA       |
|                  |          |      |                                                   |                                    | 31 days ago        |            |            | keys or parameters may be very slow.  Impact       |
|                  |          |      |                                                   |                                    |                    |            |            | summary: Applications that use the functions       |
|                  |          |      |                                                   |                                    |                    |            |            | EVP_PKEY_param_...                                 |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2024-2511    | low      | 0.00 | openssl                                           | 3.1.4-r5                           | fixed in 3.1.4-r6  | 73 days    | < 1 hour   | Issue summary: Some non-default TLS server         |
|                  |          |      |                                                   |                                    | 72 days ago        |            |            | configurations can cause unbounded memory growth   |
|                  |          |      |                                                   |                                    |                    |            |            | when processing TLSv1.3 sessions  Impact summary:  |
|                  |          |      |                                                   |                                    |                    |            |            | An attac...                                        |
+------------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+

Vulnerabilities found for image ubercadence/server:v1.2.10: total - 17, critical - 0, high - 2, medium - 13, low - 2
Vulnerability threshold check results: PASS

Compliance Issues
+----------+------------------------------------------------------------------------+
| SEVERITY |                              DESCRIPTION                               |
+----------+------------------------------------------------------------------------+
| high     | (CIS_Docker_v1.5.0 - 4.1) Image should be created with a non-root user |
+----------+------------------------------------------------------------------------+
| high     | Private keys stored in image                                           |
+----------+------------------------------------------------------------------------+

Compliance found for image ubercadence/server:v1.2.10: total - 2, critical - 0, high - 2, medium - 0, low - 0

Expected behavior
No more CVEs found.

Screenshots

Additional context
Add any other context about the problem here, e.g. stack trace, workflow history.

ibarrajo added the labels security and dependencies (Pull requests that update a dependency file) on Sep 19, 2024

@ibarrajo (Contributor)

Closing this since we are giving support to more recent releases, currently the latest one is v1.2.13.
