Our cluster image scanner (using Trivy as the scanner) reports a few vulnerabilities with CRITICAL/HIGH severity that should be fixed by bumping dependencies. Related issue #258
```text
D:~ $ docker pull quay.io/prometheusmsteams/prometheus-msteams
Using default tag: latest
latest: Pulling from prometheusmsteams/prometheus-msteams
Digest: sha256:e0b48ec9734c199decc7b9e35870a88bb88a6e6358069ed487b7e6f5875fe6c1
Status: Image is up to date for quay.io/prometheusmsteams/prometheus-msteams:latest
quay.io/prometheusmsteams/prometheus-msteams:latest

D:~ $ trivy image --security-checks vuln quay.io/prometheusmsteams/prometheus-msteams
2022-11-03T18:32:25.609+0100 INFO Vulnerability scanning is enabled
2022-11-03T18:32:25.624+0100 INFO Number of language-specific files: 1
2022-11-03T18:32:25.624+0100 INFO Detecting gobinary vulnerabilities...

promteams (gobinary)

Total: 12 (UNKNOWN: 6, LOW: 0, MEDIUM: 1, HIGH: 4, CRITICAL: 1)
```

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| github.com/Masterminds/goutils | CVE-2021-4238 | UNKNOWN | v1.1.0 | 1.1.1 | Randomly-generated alphanumeric strings contain significantly less entropy than expected. The RandomAlphaNumeric and CryptoRandomAlphaNumeric functions... https://avd.aquasec.com/nvd/cve-2021-4238 |
| github.com/Masterminds/goutils | GHSA-xg2h-wx96-xgxr | UNKNOWN | v1.1.0 | 1.1.1 | RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be https://github.com/advisories/GHSA-xg2h-wx96-xgxr |
| github.com/labstack/echo/v4 | CVE-2022-40083 | CRITICAL | v4.6.1 | 4.9.0 | URL Redirection to Untrusted Site ('Open Redirect') https://avd.aquasec.com/nvd/cve-2022-40083 |
| github.com/labstack/echo/v4 | GHSA-crxj-hrmp-4rwf | UNKNOWN | v4.6.1 | 4.9.0 | Labstack Echo contains an open redirect vulnerability via the Static Handler component.... https://github.com/advisories/GHSA-crxj-hrmp-4rwf |
| github.com/prometheus/client_golang | CVE-2022-21698 | HIGH | v1.4.0 | 1.11.1 | prometheus/client_golang: Denial of service using InstrumentHandlerCounter https://avd.aquasec.com/nvd/cve-2022-21698 |
| github.com/prometheus/client_golang | GHSA-cg3q-j54f-5p7p | UNKNOWN | v1.4.0 | 1.11.1 | The Prometheus client_golang HTTP server is vulnerable to a denial of service... https://github.com/advisories/GHSA-cg3q-j54f-5p7p |
| golang.org/x/crypto | CVE-2022-27191 | HIGH | v0.0.0-20211215153901-e495a2d5b3d3 | 0.0.0-20220314234659-1baeb1ce4c0b | golang: crash in a golang.org/x/crypto/ssh server https://avd.aquasec.com/nvd/cve-2022-27191 |
| golang.org/x/crypto | GHSA-8c26-wmh5-6g9v | UNKNOWN | v0.0.0-20211215153901-e495a2d5b3d3 | 0.0.0-20220314234659-1baeb1ce4c0b | Attackers can cause a crash in SSH servers when the server has... https://github.com/advisories/GHSA-8c26-wmh5-6g9v |
| golang.org/x/net | CVE-2022-27664 | HIGH | v0.0.0-20211216030914-fe4d6282115f | 0.0.0-20220906165146-f3363e06e74c | golang: net/http: handle server errors after sending GOAWAY https://avd.aquasec.com/nvd/cve-2022-27664 |
| golang.org/x/sys | CVE-2022-29526 | MEDIUM | v0.0.0-20211216021012-1d35b9e2eb4e | 0.0.0-20220412211240-33da011f77ad | golang: syscall: faccessat checks wrong group https://avd.aquasec.com/nvd/cve-2022-29526 |
| golang.org/x/text | CVE-2022-32149 | HIGH | v0.3.7 | 0.3.8 | golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags https://avd.aquasec.com/nvd/cve-2022-32149 |
| golang.org/x/text | GHSA-69ch-w2m2-3vjp | UNKNOWN | v0.3.7 | 0.3.8 | An attacker may cause a denial of service by crafting an Accept-Language... https://github.com/advisories/GHSA-69ch-w2m2-3vjp |