v1.1.1 has several vulnerability issues #291

Closed
2 tasks done
albertschwarzkopf opened this issue Apr 29, 2022 · 0 comments · Fixed by #295
Assignees
Labels
triage This bug needs triage

Comments

@albertschwarzkopf

What happened?

Hi,

The trivy scanner has detected the following CVEs:

╰─ trivy image quay.io/reactiveops/rbac-manager:v1.1.1
2022-04-29T16:20:52.892+0200	INFO	Detected OS: alpine
2022-04-29T16:20:52.893+0200	INFO	Detecting Alpine vulnerabilities...
2022-04-29T16:20:52.893+0200	INFO	Number of language-specific files: 1
2022-04-29T16:20:52.893+0200	INFO	Detecting gobinary vulnerabilities...

quay.io/reactiveops/rbac-manager:v1.1.1 (alpine 3.15.0)
=======================================================
Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 4, CRITICAL: 2)

+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| busybox      | CVE-2022-28391   | CRITICAL | 1.34.1-r3         | 1.34.1-r5     | BusyBox through 1.35.0 allows remote  |
|              |                  |          |                   |               | attackers to execute arbitrary co ... |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-28391 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libcrypto1.1 | CVE-2022-0778    | HIGH     | 1.1.1l-r7         | 1.1.1n-r0     | openssl: Infinite loop in             |
|              |                  |          |                   |               | BN_mod_sqrt() reachable               |
|              |                  |          |                   |               | when parsing certificates             |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-0778  |
+--------------+                  +          +-------------------+---------------+                                       +
| libretls     |                  |          | 3.3.4-r2          | 3.3.4-r3      |                                       |
|              |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
+--------------+                  +          +-------------------+---------------+                                       +
| libssl1.1    |                  |          | 1.1.1l-r7         | 1.1.1n-r0     |                                       |
|              |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
|              |                  |          |                   |               |                                       |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| ssl_client   | CVE-2022-28391   | CRITICAL | 1.34.1-r3         | 1.34.1-r5     | BusyBox through 1.35.0 allows remote  |
|              |                  |          |                   |               | attackers to execute arbitrary co ... |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-28391 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| zlib         | CVE-2018-25032   | HIGH     | 1.2.11-r3         | 1.2.12-r0     | zlib: A flaw found in                 |
|              |                  |          |                   |               | zlib when compressing (not            |
|              |                  |          |                   |               | decompressing) certain inputs...      |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-25032 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+

rbac-manager (gobinary)
=======================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+---------------------+------------------+----------+------------------------------------+-----------------------------------+---------------------------------------+
|       LIBRARY       | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION          |           FIXED VERSION           |                 TITLE                 |
+---------------------+------------------+----------+------------------------------------+-----------------------------------+---------------------------------------+
| golang.org/x/crypto | CVE-2022-27191   | HIGH     | v0.0.0-20220214200702-86341886e292 | 0.0.0-20220315160706-3147a52a75dd | golang: crash in a                    |
|                     |                  |          |                                    |                                   | golang.org/x/crypto/ssh server        |
|                     |                  |          |                                    |                                   | -->avd.aquasec.com/nvd/cve-2022-27191 |
+---------------------+------------------+----------+------------------------------------+-----------------------------------+---------------------------------------+

Could you fix them, please?

What did you expect to happen?

Image without Critical and High CVEs

How can we reproduce this?

trivy image quay.io/reactiveops/rbac-manager:v1.1.1

Version

1.1.1

Search

  • I did search for other open and closed issues before opening this.

Code of Conduct

  • I agree to follow this project's Code of Conduct

Additional context

No response

@albertschwarzkopf albertschwarzkopf added bug Something isn't working triage This bug needs triage labels Apr 29, 2022
@sudermanjr sudermanjr removed the bug Something isn't working label May 10, 2022
@sudermanjr sudermanjr self-assigned this May 10, 2022
@sudermanjr sudermanjr mentioned this issue May 16, 2022