critical vulnerability in docker image #134

aaysha6 · 2024-08-14T09:47:37Z

aaysha6
Aug 14, 2024

Docker images hyness/spring-cloud-config-server has one critical vulnerability on stdlib 1.20.14 packge which gets flagged when we used to run container from this image , any plans to work on it or do you suggest any alternative.
Thanks !!

hyness · 2024-08-17T20:20:28Z

hyness
Aug 17, 2024
Maintainer

Hello @aaysha6 , thanks for reaching out with this information! This is the first I'm hearing of this. This image uses buildpacks in large part to avoid such vulnerabilities. If possible, would you mind sharing this report and/or which image version you are referring to? I would absolutely like to address this if possible, just need more information.

Thanks!

1 reply

aaysha6 Aug 19, 2024
Author

Hi
So i have deployed hyness/spring-cloud-config-server with latest tag and when i deploy this image as serverless container ( cloud run ) in GCP it throws an critical Security vulnerability for this image.

what i can see from docker scout that there is vulnerability in stdlib package (critical).

hyness · 2024-08-19T15:14:31Z

hyness
Aug 19, 2024
Maintainer

Hello @aaysha6 , thanks for providing the requested details! It appears the reported vulnerability is coming from this issue in the ca-certifcates buildpack. The good news is it should not be exploitable. 1.20.14 is a version of go which this image does not use, as the code is written in Kotlin and uses java libraries. I have created #135 to see if I can address this and possibly integrate some image scanning into builds using something open source like trivy.

However, trying out that tool revealed some vulnerabilities in some Spring libraries which make up the foundation of this image. I don't write that code, I just provide a little glue code to make this image easier to configure and package it into an image. As far as I can see, no code that I contribute is reported as vulnerable. Unfortunately, I'm not sure any open source project is immune from all vulnerabilities, see the report below.

2024-08-19T14:48:21Z	INFO	[db] Need to update DB
2024-08-19T14:48:21Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
51.60 MiB / 51.60 MiB [-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 21.85 MiB p/s 2.6s
2024-08-19T14:48:24Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-19T14:48:24Z	INFO	[secret] Secret scanning is enabled
2024-08-19T14:48:24Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T14:48:24Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T14:48:26Z	INFO	Java DB Repository	repository=ghcr.io/aquasecurity/trivy-java-db:1
2024-08-19T14:48:26Z	INFO	Downloading the Java DB...
2024-08-19T14:48:26Z	WARN	Third-party SBOM may lead to inaccurate vulnerability detection
2024-08-19T14:48:26Z	WARN	Recommend using Trivy to generate SBOMs
2024-08-19T14:48:26Z	WARN	Third-party SBOM may lead to inaccurate vulnerability detection
2024-08-19T14:48:26Z	WARN	Recommend using Trivy to generate SBOMs
635.99 MiB / 635.99 MiB [----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 25.95 MiB p/s 25s
2024-08-19T14:48:52Z	INFO	The Java DB is cached for 3 days. If you want to update the database more frequently, "trivy clean --java-db" command clears the DB cache.
2024-08-19T14:48:52Z	INFO	Detected OS	family="ubuntu" version="22.04"
2024-08-19T14:48:52Z	INFO	[ubuntu] Detecting vulnerabilities...	os_version="22.04" pkg_num=8
2024-08-19T14:48:52Z	INFO	Number of language-specific files	num=6
2024-08-19T14:48:52Z	INFO	[gobinary] Detecting vulnerabilities...
2024-08-19T14:48:52Z	INFO	[jar] Detecting vulnerabilities...
2024-08-19T14:48:52Z	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.54/docs/scanner/vulnerability#severity-selection for details.

ghcr.io/hyness/spring-cloud-config-server (ubuntu 22.04)

Total: 16 (UNKNOWN: 0, LOW: 9, MEDIUM: 7, HIGH: 0, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬──────────┬───────────────────┬───────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │  Status  │ Installed Version │   Fixed Version   │                            Title                             │
├─────────┼────────────────┼──────────┼──────────┼───────────────────┼───────────────────┼──────────────────────────────────────────────────────────────┤
│ libc6   │ CVE-2024-2961  │ MEDIUM   │ fixed    │ 2.35-0ubuntu3.6   │ 2.35-0ubuntu3.7   │ glibc: Out of bounds write in iconv may lead to remote       │
│         │                │          │          │                   │                   │ code...                                                      │
│         │                │          │          │                   │                   │ https://avd.aquasec.com/nvd/cve-2024-2961                    │
│         ├────────────────┤          │          │                   ├───────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-33599 │          │          │                   │ 2.35-0ubuntu3.8   │ glibc: stack-based buffer overflow in netgroup cache         │
│         │                │          │          │                   │                   │ https://avd.aquasec.com/nvd/cve-2024-33599                   │
│         ├────────────────┤          │          │                   │                   ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-33600 │          │          │                   │                   │ glibc: null pointer dereferences after failed netgroup cache │
│         │                │          │          │                   │                   │ insertion                                                    │
│         │                │          │          │                   │                   │ https://avd.aquasec.com/nvd/cve-2024-33600                   │
│         ├────────────────┤          │          │                   │                   ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-33601 │          │          │                   │                   │ glibc: netgroup cache may terminate daemon on memory         │
│         │                │          │          │                   │                   │ allocation failure                                           │
│         │                │          │          │                   │                   │ https://avd.aquasec.com/nvd/cve-2024-33601                   │
│         ├────────────────┤          │          │                   │                   ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-33602 │          │          │                   │                   │ glibc: netgroup cache assumes NSS callback uses in-buffer    │
│         │                │          │          │                   │                   │ strings                                                      │
│         │                │          │          │                   │                   │ https://avd.aquasec.com/nvd/cve-2024-33602                   │
│         ├────────────────┼──────────┼──────────┤                   ├───────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2016-20013 │ LOW      │ affected │                   │                   │ sha256crypt and sha512crypt through 0.6 allow attackers to   │
│         │                │          │          │                   │                   │ cause a denial of...                                         │
│         │                │          │          │                   │                   │ https://avd.aquasec.com/nvd/cve-2016-20013                   │
├─────────┼────────────────┼──────────┼──────────┼───────────────────┼───────────────────┼──────────────────────────────────────────────────────────────┤
│ libssl3 │ CVE-2022-40735 │ MEDIUM   │ fixed    │ 3.0.2-0ubuntu1.15 │ 3.0.2-0ubuntu1.16 │ The Diffie-Hellman Key Agreement Protocol allows use of long │
│         │                │          │          │                   │                   │ exponents that arguably...                                   │
│         │                │          │          │                   │                   │ https://avd.aquasec.com/nvd/cve-2022-40735                   │
│         ├────────────────┼──────────┤          │                   ├───────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-2511  │ LOW      │          │                   │ 3.0.2-0ubuntu1.17 │ openssl: Unbounded memory growth with session handling in    │
│         │                │          │          │                   │                   │ TLSv1.3                                                      │
│         │                │          │          │                   │                   │ https://avd.aquasec.com/nvd/cve-2024-2511                    │
│         ├────────────────┤          │          │                   │                   ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-4603  │          │          │                   │                   │ openssl: Excessive time spent checking DSA keys and          │
│         │                │          │          │                   │                   │ parameters                                                   │
│         │                │          │          │                   │                   │ https://avd.aquasec.com/nvd/cve-2024-4603                    │
│         ├────────────────┤          │          │                   │                   ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-4741  │          │          │                   │                   │ openssl: Use After Free with SSL_free_buffers                │
│         │                │          │          │                   │                   │ https://avd.aquasec.com/nvd/cve-2024-4741                    │
│         ├────────────────┤          │          │                   │                   ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-5535  │          │          │                   │                   │ openssl: SSL_select_next_proto buffer overread               │
│         │                │          │          │                   │                   │ https://avd.aquasec.com/nvd/cve-2024-5535                    │
├─────────┼────────────────┼──────────┤          │                   ├───────────────────┼──────────────────────────────────────────────────────────────┤
│ openssl │ CVE-2022-40735 │ MEDIUM   │          │                   │ 3.0.2-0ubuntu1.16 │ The Diffie-Hellman Key Agreement Protocol allows use of long │
│         │                │          │          │                   │                   │ exponents that arguably...                                   │
│         │                │          │          │                   │                   │ https://avd.aquasec.com/nvd/cve-2022-40735                   │
│         ├────────────────┼──────────┤          │                   ├───────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-2511  │ LOW      │          │                   │ 3.0.2-0ubuntu1.17 │ openssl: Unbounded memory growth with session handling in    │
│         │                │          │          │                   │                   │ TLSv1.3                                                      │
│         │                │          │          │                   │                   │ https://avd.aquasec.com/nvd/cve-2024-2511                    │
│         ├────────────────┤          │          │                   │                   ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-4603  │          │          │                   │                   │ openssl: Excessive time spent checking DSA keys and          │
│         │                │          │          │                   │                   │ parameters                                                   │
│         │                │          │          │                   │                   │ https://avd.aquasec.com/nvd/cve-2024-4603                    │
│         ├────────────────┤          │          │                   │                   ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-4741  │          │          │                   │                   │ openssl: Use After Free with SSL_free_buffers                │
│         │                │          │          │                   │                   │ https://avd.aquasec.com/nvd/cve-2024-4741                    │
│         ├────────────────┤          │          │                   │                   ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-5535  │          │          │                   │                   │ openssl: SSL_select_next_proto buffer overread               │
│         │                │          │          │                   │                   │ https://avd.aquasec.com/nvd/cve-2024-5535                    │
└─────────┴────────────────┴──────────┴──────────┴───────────────────┴───────────────────┴──────────────────────────────────────────────────────────────┘

 (gobinary)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.21.8            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for   │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                   │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                   │
│         ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45288 │ HIGH     │        │                   │ 1.21.9, 1.22.2  │ golang: net/http, x/net/http2: unlimited number of           │
│         │                │          │        │                   │                 │ CONTINUATION frames causes DoS                               │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
│         ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24789 │ MEDIUM   │        │                   │ 1.21.11, 1.22.4 │ golang: archive/zip: Incorrect handling of certain ZIP files │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24789                   │
│         ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24791 │          │        │                   │ 1.21.12, 1.22.5 │ net/http: Denial of service due to improper 100-continue     │
│         │                │          │        │                   │                 │ handling in net/http                                         │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24791                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘
2024-08-19T14:48:52Z	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Java (jar)

Total: 8 (UNKNOWN: 0, LOW: 1, MEDIUM: 4, HIGH: 3, CRITICAL: 0)

┌───────────────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────────────┬──────────────────────────────────────────────────────────────┐
│                          Library                          │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version        │                            Title                             │
├───────────────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ io.netty:netty-codec-http                                 │ CVE-2024-29025 │ MEDIUM   │ fixed  │ 4.1.107.Final     │ 4.1.108.Final               │ netty-codec-http: Allocation of Resources Without Limits or  │
│ (netty-codec-http-4.1.107.Final.jar)                      │                │          │        │                   │                             │ Throttling                                                   │
│                                                           │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2024-29025                   │
├───────────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.apache.tomcat.embed:tomcat-embed-core                 │ CVE-2024-34750 │ HIGH     │        │ 10.1.19           │ 11.0.0-M21, 10.1.25, 9.0.90 │ tomcat: Improper Handling of Exceptional Conditions          │
│ (tomcat-embed-core-10.1.19.jar)                           │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2024-34750                   │
├───────────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.bouncycastle:bcprov-jdk18on (bcprov-jdk18on-1.77.jar) │ CVE-2024-29857 │ MEDIUM   │        │ 1.77              │ 1.78                        │ org.bouncycastle: Importing an EC certificate with crafted   │
│                                                           │                │          │        │                   │                             │ F2m parameters may lead to...                                │
│                                                           │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2024-29857                   │
│                                                           ├────────────────┤          │        │                   │                             ├──────────────────────────────────────────────────────────────┤
│                                                           │ CVE-2024-30171 │          │        │                   │                             │ bc-java: BouncyCastle vulnerable to a timing variant of      │
│                                                           │                │          │        │                   │                             │ Bleichenbacher (Marvin Attack)                               │
│                                                           │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2024-30171                   │
│                                                           ├────────────────┤          │        │                   │                             ├──────────────────────────────────────────────────────────────┤
│                                                           │ CVE-2024-30172 │          │        │                   │                             │ org.bouncycastle:bcprov-jdk18on: Infinite loop in ED25519    │
│                                                           │                │          │        │                   │                             │ verification in the ScalarUtil class                         │
│                                                           │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2024-30172                   │
│                                                           ├────────────────┼──────────┤        │                   │                             ├──────────────────────────────────────────────────────────────┤
│                                                           │ CVE-2024-34447 │ LOW      │        │                   │                             │ org.bouncycastle: Use of Incorrectly-Resolved Name or        │
│                                                           │                │          │        │                   │                             │ Reference                                                    │
│                                                           │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2024-34447                   │
├───────────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework.cloud:spring-cloud-function-context   │ CVE-2024-22271 │ HIGH     │        │ 4.1.1             │ 4.0.8, 4.1.2                │ spring-cloud-function-context: Spring Cloud Function Web DOS │
│ (spring-cloud-function-context-4.1.1.jar)                 │                │          │        │                   │                             │ Vulnerability                                                │
│                                                           │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2024-22271                   │
├───────────────────────────────────────────────────────────┼────────────────┤          │        ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-web (spring-web-6.1.5.jar)     │ CVE-2024-22262 │          │        │ 6.1.5             │ 5.3.34, 6.0.19, 6.1.6       │ springframework: URL Parsing with Host Validation            │
│                                                           │                │          │        │                   │                             │ https://avd.aquasec.com/nvd/cve-2024-22262                   │
└───────────────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────────────┴──────────────────────────────────────────────────────────────┘

cnb/lifecycle/launcher (gobinary)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.21.8            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for   │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                   │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                   │
│         ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45288 │ HIGH     │        │                   │ 1.21.9, 1.22.2  │ golang: net/http, x/net/http2: unlimited number of           │
│         │                │          │        │                   │                 │ CONTINUATION frames causes DoS                               │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
│         ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24789 │ MEDIUM   │        │                   │ 1.21.11, 1.22.4 │ golang: archive/zip: Incorrect handling of certain ZIP files │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24789                   │
│         ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24791 │          │        │                   │ 1.21.12, 1.22.5 │ net/http: Denial of service due to improper 100-continue     │
│         │                │          │        │                   │                 │ handling in net/http                                         │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24791                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘

layers/paketo-buildpacks_bellsoft-liberica/helper/helper (gobinary)

Total: 10 (UNKNOWN: 0, LOW: 0, MEDIUM: 8, HIGH: 1, CRITICAL: 1)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2023-45288 │ MEDIUM   │ fixed  │ v0.22.0           │ 0.23.0          │ golang: net/http, x/net/http2: unlimited number of           │
│                  │                │          │        │                   │                 │ CONTINUATION frames causes DoS                               │
│                  │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
├──────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib           │ CVE-2024-24790 │ CRITICAL │        │ 1.20.14           │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for   │
│                  │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                   │
│                  │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                   │
│                  ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-45288 │ HIGH     │        │                   │ 1.21.9, 1.22.2  │ golang: net/http, x/net/http2: unlimited number of           │
│                  │                │          │        │                   │                 │ CONTINUATION frames causes DoS                               │
│                  │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
│                  ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-45289 │ MEDIUM   │        │                   │ 1.21.8, 1.22.1  │ golang: net/http/cookiejar: incorrect forwarding of          │
│                  │                │          │        │                   │                 │ sensitive headers and cookies on HTTP redirect...            │
│                  │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45289                   │
│                  ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                  │ CVE-2023-45290 │          │        │                   │                 │ golang: net/http: memory exhaustion in                       │
│                  │                │          │        │                   │                 │ Request.ParseMultipartForm                                   │
│                  │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45290                   │
│                  ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                  │ CVE-2024-24783 │          │        │                   │                 │ golang: crypto/x509: Verify panics on certificates with an   │
│                  │                │          │        │                   │                 │ unknown public key algorithm...                              │
│                  │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24783                   │
│                  ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                  │ CVE-2024-24784 │          │        │                   │                 │ golang: net/mail: comments in display names are incorrectly  │
│                  │                │          │        │                   │                 │ handled                                                      │
│                  │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24784                   │
│                  ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                  │ CVE-2024-24785 │          │        │                   │                 │ golang: html/template: errors returned from MarshalJSON      │
│                  │                │          │        │                   │                 │ methods may break template escaping                          │
│                  │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24785                   │
│                  ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                  │ CVE-2024-24789 │          │        │                   │ 1.21.11, 1.22.4 │ golang: archive/zip: Incorrect handling of certain ZIP files │
│                  │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24789                   │
│                  ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                  │ CVE-2024-24791 │          │        │                   │ 1.21.12, 1.22.5 │ net/http: Denial of service due to improper 100-continue     │
│                  │                │          │        │                   │                 │ handling in net/http                                         │
│                  │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24791                   │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘

layers/paketo-buildpacks_ca-certificates/helper/helper (gobinary)

Total: 9 (UNKNOWN: 0, LOW: 0, MEDIUM: 7, HIGH: 1, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.20.14           │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for   │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                   │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                   │
│         ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45288 │ HIGH     │        │                   │ 1.21.9, 1.22.2  │ golang: net/http, x/net/http2: unlimited number of           │
│         │                │          │        │                   │                 │ CONTINUATION frames causes DoS                               │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
│         ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45289 │ MEDIUM   │        │                   │ 1.21.8, 1.22.1  │ golang: net/http/cookiejar: incorrect forwarding of          │
│         │                │          │        │                   │                 │ sensitive headers and cookies on HTTP redirect...            │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45289                   │
│         ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45290 │          │        │                   │                 │ golang: net/http: memory exhaustion in                       │
│         │                │          │        │                   │                 │ Request.ParseMultipartForm                                   │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45290                   │
│         ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24783 │          │        │                   │                 │ golang: crypto/x509: Verify panics on certificates with an   │
│         │                │          │        │                   │                 │ unknown public key algorithm...                              │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24783                   │
│         ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24784 │          │        │                   │                 │ golang: net/mail: comments in display names are incorrectly  │
│         │                │          │        │                   │                 │ handled                                                      │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24784                   │
│         ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24785 │          │        │                   │                 │ golang: html/template: errors returned from MarshalJSON      │
│         │                │          │        │                   │                 │ methods may break template escaping                          │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24785                   │
│         ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24789 │          │        │                   │ 1.21.11, 1.22.4 │ golang: archive/zip: Incorrect handling of certain ZIP files │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24789                   │
│         ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24791 │          │        │                   │ 1.21.12, 1.22.5 │ net/http: Denial of service due to improper 100-continue     │
│         │                │          │        │                   │                 │ handling in net/http                                         │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24791                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘

layers/paketo-buildpacks_spring-boot/helper/helper (gobinary)

Total: 9 (UNKNOWN: 0, LOW: 0, MEDIUM: 7, HIGH: 1, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.20.14           │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for   │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                   │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                   │
│         ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45288 │ HIGH     │        │                   │ 1.21.9, 1.22.2  │ golang: net/http, x/net/http2: unlimited number of           │
│         │                │          │        │                   │                 │ CONTINUATION frames causes DoS                               │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
│         ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45289 │ MEDIUM   │        │                   │ 1.21.8, 1.22.1  │ golang: net/http/cookiejar: incorrect forwarding of          │
│         │                │          │        │                   │                 │ sensitive headers and cookies on HTTP redirect...            │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45289                   │
│         ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45290 │          │        │                   │                 │ golang: net/http: memory exhaustion in                       │
│         │                │          │        │                   │                 │ Request.ParseMultipartForm                                   │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45290                   │
│         ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24783 │          │        │                   │                 │ golang: crypto/x509: Verify panics on certificates with an   │
│         │                │          │        │                   │                 │ unknown public key algorithm...                              │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24783                   │
│         ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24784 │          │        │                   │                 │ golang: net/mail: comments in display names are incorrectly  │
│         │                │          │        │                   │                 │ handled                                                      │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24784                   │
│         ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24785 │          │        │                   │                 │ golang: html/template: errors returned from MarshalJSON      │
│         │                │          │        │                   │                 │ methods may break template escaping                          │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24785                   │
│         ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24789 │          │        │                   │ 1.21.11, 1.22.4 │ golang: archive/zip: Incorrect handling of certain ZIP files │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24789                   │
│         ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24791 │          │        │                   │ 1.21.12, 1.22.5 │ net/http: Denial of service due to improper 100-continue     │
│         │                │          │        │                   │                 │ handling in net/http                                         │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24791                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘

2 replies

aaysha6 Aug 20, 2024
Author

Hejjj !! thanks for checking on it ...sure i understand i just wanted to be sure if something can be done on it or its okay for now to ignore that vulnerability which i guess can be done as you said it should not be exploitable. 1.20.14 is a version of go which this image does not use, as the code is written in Kotlin and uses java libraries.
Thanks again for looking into it and sharing a detailed information..appreciate the effort.

itaysk Aug 26, 2024

Hello from team Trivy :) Just chiming in to say that Trivy now allows software maintainers (you) to publish vulnerability analysis for your packages (container images in this case) so that those vulnerabilities will be automatically suppressed for end users. You can see more info here:
https://aquasecurity.github.io/trivy/latest/docs/supply-chain/vex/repo/#publishing-vex-documents
https://github.com/aquasecurity/vexhub

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

critical vulnerability in docker image #134

{{title}}

Replies: 2 comments 3 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

critical vulnerability in docker image #134

aaysha6 Aug 14, 2024

Replies: 2 comments · 3 replies

hyness Aug 17, 2024 Maintainer

aaysha6 Aug 19, 2024 Author

hyness Aug 19, 2024 Maintainer

aaysha6 Aug 20, 2024 Author

itaysk Aug 26, 2024

aaysha6
Aug 14, 2024

Replies: 2 comments 3 replies

hyness
Aug 17, 2024
Maintainer

aaysha6 Aug 19, 2024
Author

hyness
Aug 19, 2024
Maintainer

aaysha6 Aug 20, 2024
Author