You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Version of Cadence server, and client(which language)
This is very important to root cause bugs.
Server version: v1.2.12
Describe the bug
There are a lot of CVEs found from the latest Cadence image: ubercadence/server:v1.2.10 To Reproduce
Is the issue reproducible?
Yes
Steps to reproduce the behavior:
Pull the latest image ubercadence/server:v1.2.12 from Dockerhub
Scan the image with any vulnerability scanner
Scan results for: image ubercadence/server:v1.2.12 sha256:d2625104cbd1731ea82ea2e24419bcc207a4f1d43f33e228d30bb9c4941d55a5
Vulnerabilities
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------------+------------+------------+----------------------------------------------------+
| CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS | PUBLISHED | DISCOVERED | DESCRIPTION |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24790 | critical | 9.80 | net/netip | 1.22.3 | fixed in 1.21.11, 1.22.4 | 85 days |< 1 hour | The various Is methods (IsPrivate, IsLoopback, ||||||| 85 days ago ||| etc) did not work as expected for IPv4-mapped IPv6 |||||||||| addresses, returning falsefor addresses which |||||||||| would... |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------------+------------+------------+----------------------------------------------------+
| CVE-2019-0210 | high | 7.50 | github.com/apache/thrift/lib/go/thrift | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.13.0 |> 4 years |< 1 hour | In Apache Thrift 0.9.3 to 0.12.0, a server |||||||> 4 years ago ||| implemented in Go using TJSONProtocol or |||||||||| TSimpleJSONProtocol may panic when feed with |||||||||| invalid input data. |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------------+------------+------------+----------------------------------------------------+
| PRISMA-2023-0056 | medium | 6.20 | github.com/sirupsen/logrus | v1.9.0 | fixed in v1.9.3 |> 1 years |< 1 hour | The github.com/sirupsen/logrus module of all |||||||> 1 years ago ||| versions is vulnerable to denial of service. |||||||||| Logging more than 64kb of data in a single entry |||||||||| without new... |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-6992 | medium | 5.50 | zlib | 1.2.13-r1 ||> 7 months |< 1 hour | Cloudflare version of zlib library was found |||||||||| to be vulnerable to memory corruption issues |||||||||| affecting the deflation algorithm implementation |||||||||| (deflate.c)... |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288 | medium | 0.00 | golang.org/x/net/http2 | v0.19.0 | fixed in 0.23.0 |> 4 months |< 1 hour | An attacker may cause an HTTP/2 endpoint to |||||||> 4 months ago |||read arbitrary amounts of header data by sending |||||||||| an excessive number of CONTINUATION frames. |||||||||| Maintaining H... |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------------+------------+------------+----------------------------------------------------+
Vulnerabilities found for image ubercadence/server:v1.2.12: total - 5, critical - 1, high - 1, medium - 3, low - 0
Vulnerability threshold check results: PASS
Compliance Issues
+----------+------------------------------------------------------------------------+
| SEVERITY | DESCRIPTION |
+----------+------------------------------------------------------------------------+
| high | (CIS_Docker_v1.5.0 - 4.1) Image should be created with a non-root user |
+----------+------------------------------------------------------------------------+
| high | Private keys stored in image |
+----------+------------------------------------------------------------------------+
Compliance found for image ubercadence/server:v1.2.12: total - 2, critical - 0, high - 2, medium - 0, low - 0
Expected behavior
No more CVEs found. Screenshots
Additional context
Add any other context about the problem here, E.g. Stackstace, workflow history.
The text was updated successfully, but these errors were encountered:
Version of Cadence server, and client(which language)
This is very important to root cause bugs.
v1.2.12Describe the bug
There are a lot of CVEs found from the latest Cadence image:
ubercadence/server:v1.2.10To Reproduce
Is the issue reproducible?
Steps to reproduce the behavior:
ubercadence/server:v1.2.12from DockerhubExpected behavior
No more CVEs found.
Screenshots
Additional context
Add any other context about the problem here, E.g. Stackstace, workflow history.
The text was updated successfully, but these errors were encountered: