
[centraldashboard]: critical vulnerabilities found in the centraldashboard docker image #7098

deepk2u opened this issue Apr 14, 2023 · 0 comments · Fixed by #7102
deepk2u commented Apr 14, 2023

/kind bug

What steps did you take and what happened:
When we scanned the kubeflownotebookswg/centraldashboard:v1.7.0 image, we found the following vulnerabilities:

Vulnerabilities
===============
  CVE                 Package                 Version      Severity    Status                    CVSS
  ---                 -------                 -------      --------    ------                    ----
  CVE-2022-37434      zlib                    1.2.12-r0    critical    fixed in 1.2.12-r2        9.8
  CVE-2021-44906      minimist                1.2.5        critical    fixed in 1.2.6            9.8
  CVE-2020-7746       chart.js                2.8.0        critical    fixed in 2.9.4            9.8
  CVE-2023-0464       openssl                 1.1.1n-r0    high        fixed in 1.1.1t-r2        7.5
  CVE-2023-0215       openssl                 1.1.1n-r0    high        fixed in 1.1.1t-r0        7.5
  CVE-2022-4450       openssl                 1.1.1n-r0    high        fixed in 1.1.1t-r0        7.5
  CVE-2022-3517       minimatch               3.0.4        high        fixed in 3.0.5            7.5
  CVE-2022-31129      moment                  2.29.2       high        fixed in 2.29.4           7.5
  CVE-2022-25878      protobufjs              6.11.2       high        fixed in 6.11.3           7.5
  CVE-2022-24999      qs                      6.5.2        high        fixed in 6.10.3           7.5
  CVE-2022-24999      qs                      6.7.0        high        fixed in 6.10.3           7.5
  CVE-2021-3807       ansi-regex              4.1.0        high        fixed in 4.1.1            7.5
  CVE-2021-3807       ansi-regex              3.0.0        high        fixed in 4.1.1            7.5
  CVE-2021-23343      path-parse              1.0.6        high        fixed in 1.0.7            7.5
  CVE-2023-0286       openssl                 1.1.1n-r0    high        fixed in 1.1.1t-r0        7.4
  PRISMA-2022-0022    node-forge              0.10.0       high        fixed in 1.0.0            7
  CVE-2022-24772      node-forge              0.10.0       high        fixed in 1.3.0            7
  CVE-2022-24771      node-forge              0.10.0       high        fixed in 1.3.0            7
  CVE-2022-38778      decode-uri-component    0.2.0        medium      fixed in 0.2.1            6.5
  CVE-2022-0235       node-fetch              2.6.6        medium      fixed in 3.1.1, 2.6.7     6.1
  CVE-2022-4304       openssl                 1.1.1n-r0    medium      fixed in 1.1.1t-r0        5.9
  CVE-2020-28928      musl                    1.2.2-r7     medium      fixed in 1.2.2_pre2-r0    5.5
  CVE-2023-0465       openssl                 1.1.1n-r0    medium      fixed in 1.1.1t-r3        5.3
  CVE-2022-33987      got                     6.7.1        medium      fixed in 12.1.0           5.3
  CVE-2022-2097       openssl                 1.1.1n-r0    medium      fixed in 1.1.1q-r0        5.3
  CVE-2022-24773      node-forge              0.10.0       moderate    fixed in 1.3.0            4
  CVE-2022-0122       node-forge              0.10.0       moderate    fixed in 1.0.0            4
  CVE-2020-15366      ajv                     6.9.2        moderate    fixed in 6.12.3           4

Compliance
==========
  Severity    Description
  --------    -----------
  high        (CIS_Docker_CE_v1.1.0 - 4.1) Image should be created with a non-root user

What did you expect to happen:
An image should not have critical CVEs before we deploy it to any production environment.

Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]

Environment:

  • Kubeflow version: (version number can be found at the bottom left corner of the Kubeflow dashboard): v1.7.0
  • kfctl version: (use kfctl version):
  • Kubernetes platform: (e.g. minikube)
  • Kubernetes version: (use kubectl version):
  • OS (e.g. from /etc/os-release):
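The scanner output above is a fixed-width table, so a reviewer can parse it into a per-package upgrade list rather than reading it row by row. The following added example (not code from the issue or from the Kubeflow project) does that on a constructed subset of the rows above: it groups findings by package, picks for each package the smallest listed fix that is not below the installed version, and applies the gate the reporter describes (no critical findings before deployment). The report layout it expects and the numeric-only version comparison are assumptions made for this example.

```python
"""Parse an image scan report in the layout pasted in the issue and summarise,
per package, the single version that clears every listed finding."""
import re
from collections import defaultdict

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "moderate": 2, "low": 1}

# Constructed sample: a subset of the rows from the report above, same layout.
SAMPLE_REPORT = """\
Vulnerabilities
===============
  CVE                 Package                 Version      Severity    Status                    CVSS
  ---                 -------                 -------      --------    ------                    ----
  CVE-2022-37434      zlib                    1.2.12-r0    critical    fixed in 1.2.12-r2        9.8
  CVE-2022-24999      qs                      6.5.2        high        fixed in 6.10.3           7.5
  CVE-2022-24999      qs                      6.7.0        high        fixed in 6.10.3           7.5
  CVE-2022-0235       node-fetch              2.6.6        medium      fixed in 3.1.1, 2.6.7     6.1
  PRISMA-2022-0022    node-forge              0.10.0       high        fixed in 1.0.0            7
  CVE-2022-24772      node-forge              0.10.0       high        fixed in 1.3.0            7

Compliance
==========
  Severity    Description
  --------    -----------
  high        (CIS_Docker_CE_v1.1.0 - 4.1) Image should be created with a non-root user
"""

# One vulnerability row: id, package, version, severity, "fixed in <list>", CVSS score.
ROW_RE = re.compile(
    r"^\s*(?P<id>\S+)\s+(?P<pkg>\S+)\s+(?P<ver>\S+)\s+(?P<sev>\S+)\s+"
    r"fixed in (?P<fixes>.+?)\s+(?P<cvss>\d+(?:\.\d+)?)\s*$"
)
COMPLIANCE_RE = re.compile(r"^\s*(critical|high|medium|low)\s+(.+?)\s*$", re.I)


def version_key(v):
    """Numeric-only ordering: '1.2.12-r2' -> (1, 2, 12, 2). Assumption: good
    enough for distro revisions and semver; pre-release tags are not modelled."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def pick_fix(current, fixes):
    """Smallest listed fixed version that is not below the installed one (the
    nearest upgrade on the same release line); otherwise the newest listed."""
    candidates = sorted(fixes, key=version_key)
    for f in candidates:
        if version_key(f) >= version_key(current):
            return f
    return candidates[-1]


def parse_report(text):
    findings, compliance, section = [], [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in ("Vulnerabilities", "Compliance"):
            section = stripped
            continue
        if section == "Vulnerabilities":
            m = ROW_RE.match(line)
            if m:
                findings.append({
                    "id": m["id"], "package": m["pkg"], "version": m["ver"],
                    "severity": m["sev"].lower(),
                    "fixes": [f.strip() for f in m["fixes"].split(",")],
                    "cvss": float(m["cvss"]),
                })
        elif section == "Compliance":
            m = COMPLIANCE_RE.match(line)
            if m:
                compliance.append({"severity": m.group(1).lower(),
                                   "description": m.group(2)})
    return findings, compliance


def summarise(findings):
    """Per package: worst severity, highest CVSS, ids, and the one target
    version that satisfies every row (the max of the per-row nearest fixes)."""
    by_pkg = defaultdict(list)
    for f in findings:
        by_pkg[f["package"]].append(f)
    summary = {}
    for pkg, rows in by_pkg.items():
        targets = [pick_fix(r["version"], r["fixes"]) for r in rows]
        summary[pkg] = {
            "worst_severity": max((r["severity"] for r in rows),
                                  key=lambda s: SEVERITY_RANK.get(s, 0)),
            "max_cvss": max(r["cvss"] for r in rows),
            "upgrade_to": max(targets, key=version_key),
            "findings": sorted({r["id"] for r in rows}),
        }
    return summary


def failing_gate(summary, min_severity="critical"):
    """Packages whose worst finding is at or above the policy threshold."""
    threshold = SEVERITY_RANK[min_severity]
    return sorted(p for p, s in summary.items()
                  if SEVERITY_RANK.get(s["worst_severity"], 0) >= threshold)


if __name__ == "__main__":
    found, checks = parse_report(SAMPLE_REPORT)
    summary = summarise(found)
    for pkg, s in sorted(summary.items()):
        print(f"{pkg:12} {s['worst_severity']:8} cvss={s['max_cvss']:<4} "
              f"upgrade to {s['upgrade_to']}  ({', '.join(s['findings'])})")
    print("blocked by policy:", failing_gate(summary))
    print("compliance:", [c["description"] for c in checks])
```

The "nearest fix on the same line" rule matters for rows like node-fetch, where the scanner lists both a major-version fix and a patch release; taking the smallest fix at or above the installed version keeps the upgrade minimal, while taking the maximum across rows for the same package (node-forge) ensures one bump clears all of its findings.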