
Addressing a lot of security vulnerabilities in the temporalio/ui:2.34.0 #2513

Open
thle40 opened this issue Jan 20, 2025 · 0 comments

thle40 commented Jan 20, 2025

Actual Behavior

There are a lot of CVEs found from the latest Temporal image:
temporalio/ui:2.34.0

Steps to Reproduce the Problem

1. Pull the latest image temporalio/ui:2.34.0 from Dockerhub
2. Scan the image with any vulnerability scanner

Scan results for: image temporalio/ui:2.34.0 sha256:2ad33cb2765be54182c01f66ee4f634265a6daccfa99fbd78c3ae5a3628cc377
Vulnerabilities
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
|      CVE       | SEVERITY | CVSS |  PACKAGE  |  VERSION   |          STATUS          |  PUBLISHED  | DISCOVERED |                          DESCRIPTION                          |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-24790 | critical | 9.80 | net/netip | 1.22.1     | fixed in 1.21.11, 1.22.4 | > 7 months  | < 1 hour   | The various Is methods (IsPrivate, IsLoopback,                |
|                |          |      |           |            | > 7 months ago           |             |            | etc) did not work as expected for IPv4-mapped IPv6            |
|                |          |      |           |            |                          |             |            | addresses, returning false for addresses which                |
|                |          |      |           |            |                          |             |            | would...                                                      |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-6197  | high     | 7.50 | curl      | 8.5.0-r0   | fixed in 8.9.0-r0        | > 5 months  | < 1 hour   | libcurl's ASN1 parser has this utf8asn1str()                  |
|                |          |      |           |            | > 5 months ago           |             |            | function used for parsing an ASN.1 UTF-8 string.              |
|                |          |      |           |            |                          |             |            | Itcan detect an invalid field and return error.               |
|                |          |      |           |            |                          |             |            | Unfortu...                                                    |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-9681  | medium   | 6.50 | curl      | 8.5.0-r0   | fixed in 8.11.0-r0       | 71 days     | < 1 hour   | When curl is asked to use HSTS, the expiry time               |
|                |          |      |           |            | 9 days ago               |             |            | for a subdomain might overwrite a parent domain's             |
|                |          |      |           |            |                          |             |            | cache entry, making it end sooner or later than               |
|                |          |      |           |            |                          |             |            | oth...                                                        |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-7264  | medium   | 6.50 | curl      | 8.5.0-r0   | fixed in 8.9.1-r0        | > 5 months  | < 1 hour   | libcurl's ASN1 parser code has the `GTime2str()`              |
|                |          |      |           |            | 9 days ago               |             |            | function, used for parsing an ASN.1 Generalized               |
|                |          |      |           |            |                          |             |            | Time field. If given an syntactically incorrect               |
|                |          |      |           |            |                          |             |            | fiel...                                                       |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2023-6992  | medium   | 5.50 | zlib      | 1.3.1-r0   |                          | > 1 years   | < 1 hour   | Cloudflare version of zlib library was found                  |
|                |          |      |           |            |                          |             |            | to be vulnerable to memory corruption issues                  |
|                |          |      |           |            |                          |             |            | affecting the deflation algorithm implementation              |
|                |          |      |           |            |                          |             |            | (deflate.c)...                                                |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2023-42366 | medium   | 5.50 | busybox   | 1.36.1-r15 | fixed in 1.36.1-r16      | > 1 years   | < 1 hour   | A heap-buffer-overflow was discovered in BusyBox              |
|                |          |      |           |            | > 8 months ago           |             |            | v.1.36.1 in the next_token function at awk.c:1159.            |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2023-42365 | medium   | 5.50 | busybox   | 1.36.1-r15 | fixed in 1.36.1-r19      | > 1 years   | < 1 hour   | A use-after-free vulnerability was discovered in              |
|                |          |      |           |            | > 8 months ago           |             |            | BusyBox v.1.36.1 via a crafted awk pattern in the             |
|                |          |      |           |            |                          |             |            | awk.c copyvar function.                                       |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2023-42364 | medium   | 5.50 | busybox   | 1.36.1-r15 | fixed in 1.36.1-r19      | > 1 years   | < 1 hour   | A use-after-free vulnerability in BusyBox v.1.36.1            |
|                |          |      |           |            | > 8 months ago           |             |            | allows attackers to cause a denial of service                 |
|                |          |      |           |            |                          |             |            | via a crafted awk pattern in the awk.c evaluate               |
|                |          |      |           |            |                          |             |            | funct...                                                      |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2023-42363 | medium   | 5.50 | busybox   | 1.36.1-r15 | fixed in 1.36.1-r17      | > 1 years   | < 1 hour   | A use-after-free vulnerability was discovered                 |
|                |          |      |           |            | > 8 months ago           |             |            | in xasprintf function in xfuncs_printf.c:344 in               |
|                |          |      |           |            |                          |             |            | BusyBox v.1.36.1.                                             |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-0853  | medium   | 5.30 | curl      | 8.5.0-r0   | fixed in 8.6.0-r0        | > 11 months | < 1 hour   | curl inadvertently kept the SSL session ID for                |
|                |          |      |           |            | > 5 months ago           |             |            | connections in its cache even when the verify                 |
|                |          |      |           |            |                          |             |            | status (*OCSP stapling*) test failed. A subsequent            |
|                |          |      |           |            |                          |             |            | transf...                                                     |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-6874  | medium   | 4.30 | curl      | 8.5.0-r0   | fixed in 8.9.0-r0        | > 5 months  | < 1 hour   | libcurl's URL API function                                    |
|                |          |      |           |            | > 5 months ago           |             |            | [curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) |
|                |          |      |           |            |                          |             |            | offers punycode conversions, to and from IDN. Asking to       |
|                |          |      |           |            |                          |             |            | conv...                                                       |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2023-45288 | medium   | 0.00 | net/http  | 1.22.1     | fixed in 1.21.9, 1.22.2  | > 9 months  | < 1 hour   | An attacker may cause an HTTP/2 endpoint to                   |
|                |          |      |           |            | > 9 months ago           |             |            | read arbitrary amounts of header data by sending              |
|                |          |      |           |            |                          |             |            | an excessive number of CONTINUATION frames.                   |
|                |          |      |           |            |                          |             |            | Maintaining H...                                              |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-9143  | low      | 0.00 | openssl   | 3.1.4-r5   | fixed in 3.1.7-r1        | > 3 months  | < 1 hour   | Issue summary: Use of the low-level GF(2^m)                   |
|                |          |      |           |            | 88 days ago              |             |            | elliptic curve APIs with untrusted explicit values            |
|                |          |      |           |            |                          |             |            | for the field polynomial can lead to out-of-bounds            |
|                |          |      |           |            |                          |             |            | memo...                                                       |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-8096  | low      | 0.00 | curl      | 8.5.0-r0   | fixed in 8.10.0-r0       | > 4 months  | < 1 hour   | When curl is told to use the Certificate Status               |
|                |          |      |           |            | 9 days ago               |             |            | Request TLS extension, often referred to as OCSP              |
|                |          |      |           |            |                          |             |            | stapling, to verify that the server certificate is            |
|                |          |      |           |            |                          |             |            | va...                                                         |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-6119  | low      | 0.00 | openssl   | 3.1.4-r5   | fixed in 3.1.7-r0        | > 4 months  | < 1 hour   | Issue summary: Applications performing certificate            |
|                |          |      |           |            | > 4 months ago           |             |            | name checks (e.g., TLS clients checking server                |
|                |          |      |           |            |                          |             |            | certificates) may attempt to read an invalid                  |
|                |          |      |           |            |                          |             |            | memory ...                                                    |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-5535  | low      | 0.00 | openssl   | 3.1.4-r5   | fixed in 3.1.6-r0        | > 6 months  | < 1 hour   | Issue summary: Calling the OpenSSL API function               |
|                |          |      |           |            | > 6 months ago           |             |            | SSL_select_next_proto with an empty supported                 |
|                |          |      |           |            |                          |             |            | client protocols buffer may cause a crash or                  |
|                |          |      |           |            |                          |             |            | memory cont...                                                |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-4741  | low      | 0.00 | openssl   | 3.1.4-r5   | fixed in 3.1.6-r0        | 64 days     | < 1 hour   | Issue summary: Calling the OpenSSL API function               |
|                |          |      |           |            | > 6 months ago           |             |            | SSL_free_buffers may cause memory to be accessed              |
|                |          |      |           |            |                          |             |            | that was previously freed in some situations                  |
|                |          |      |           |            |                          |             |            | Impact ...                                                    |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-4603  | low      | 0.00 | openssl   | 3.1.4-r5   | fixed in 3.1.5-r0        | > 8 months  | < 1 hour   | Issue summary: Checking excessively long DSA                  |
|                |          |      |           |            | > 8 months ago           |             |            | keys or parameters may be very slow.  Impact                  |
|                |          |      |           |            |                          |             |            | summary: Applications that use the functions                  |
|                |          |      |           |            |                          |             |            | EVP_PKEY_param_...                                            |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-25629 | low      | 0.00 | c-ares    | 1.24.0-r1  | fixed in 1.27.0-r0       | > 10 months | < 1 hour   | c-ares is a C library for asynchronous DNS                    |
|                |          |      |           |            | > 9 months ago           |             |            | requests. `ares__read_line()` is used to                      |
|                |          |      |           |            |                          |             |            | parse local configuration files such as                       |
|                |          |      |           |            |                          |             |            | `/etc/resolv.conf`, `/etc/...                                 |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-2511  | low      | 0.00 | openssl   | 3.1.4-r5   | fixed in 3.1.4-r6        | > 9 months  | < 1 hour   | Issue summary: Some non-default TLS server                    |
|                |          |      |           |            | > 9 months ago           |             |            | configurations can cause unbounded memory growth              |
|                |          |      |           |            |                          |             |            | when processing TLSv1.3 sessions  Impact summary:             |
|                |          |      |           |            |                          |             |            | An attac...                                                   |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-2466  | low      | 0.00 | curl      | 8.5.0-r0   | fixed in 8.7.1-r0        | > 9 months  | < 1 hour   | libcurl did not check the server certificate of               |
|                |          |      |           |            | > 5 months ago           |             |            | TLS connections done to a host specified as an IP             |
|                |          |      |           |            |                          |             |            | address, when built to use mbedTLS.  libcurl would            |
|                |          |      |           |            |                          |             |            | w...                                                          |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-2398  | low      | 0.00 | curl      | 8.5.0-r0   | fixed in 8.7.1-r0        | > 9 months  | < 1 hour   | When an application tells libcurl it wants to                 |
|                |          |      |           |            | > 5 months ago           |             |            | allow HTTP/2 server push, and the amount of                   |
|                |          |      |           |            |                          |             |            | received headers for the push surpasses the                   |
|                |          |      |           |            |                          |             |            | maximum allowed ...                                           |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-2379  | low      | 0.00 | curl      | 8.5.0-r0   | fixed in 8.7.1-r0        | > 9 months  | < 1 hour   | libcurl skips the certificate verification for                |
|                |          |      |           |            | > 5 months ago           |             |            | a QUIC connection under certain conditions,                   |
|                |          |      |           |            |                          |             |            | when built to use wolfSSL. If told to use an                  |
|                |          |      |           |            |                          |             |            | unknown/bad ci...                                             |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-2004  | low      | 0.00 | curl      | 8.5.0-r0   | fixed in 8.7.1-r0        | > 9 months  | < 1 hour   | When a protocol selection parameter option                    |
|                |          |      |           |            | > 5 months ago           |             |            | disables all protocols without adding any then                |
|                |          |      |           |            |                          |             |            | the default set of protocols would remain in the              |
|                |          |      |           |            |                          |             |            | allowed set...                                                |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-11053 | low      | 0.00 | curl      | 8.5.0-r0   | fixed in 8.11.1-r0       | 36 days     | < 1 hour   | When asked to both use a `.netrc` file for                    |
|                |          |      |           |            | 9 days ago               |             |            | credentials and to follow HTTP redirects, curl                |
|                |          |      |           |            |                          |             |            | could leak the password used for the first host to            |
|                |          |      |           |            |                          |             |            | the follo...                                                  |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+

Vulnerabilities found for image temporalio/ui:2.34.0: total - 25, critical - 1, high - 1, medium - 10, low - 13
Vulnerability threshold check results: PASS

Compliance Issues
+----------+------------------------------------------------------------------------+
| SEVERITY |                              DESCRIPTION                               |
+----------+------------------------------------------------------------------------+
| high     | (CIS_Docker_v1.5.0 - 4.1) Image should be created with a non-root user |
+----------+------------------------------------------------------------------------+

Compliance found for image temporalio/ui:2.34.0: total - 1, critical - 0, high - 1, medium - 0, low - 0
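An added example, not code from this issue or from the Temporal project: a small Python parser for the ASCII vulnerability table the scanner above prints, followed by a release gate that blocks on any critical or high finding for which the distribution already ships a fix (the quoted run reports PASS on its own threshold even though it lists one critical and one high finding). The table layout is inferred from the quoted output, which is an assumption, and the four sample rows embedded below are a constructed subset copied from that output.

```python
"""Added example (not from the issue or the Temporal project): parse the ASCII
vulnerability table that the quoted image scanner prints and apply a stricter
severity gate than the one whose result the issue shows as PASS.
Assumption: the 9-column layout seen in the quoted output, where wrapped
STATUS/DESCRIPTION text continues on rows whose CVE cell is empty."""

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: four rows copied from the issue's scan of
# temporalio/ui:2.34.0 (the full report lists 25 findings).
SAMPLE_REPORT = """\
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
|      CVE       | SEVERITY | CVSS |  PACKAGE  |  VERSION   |          STATUS          |  PUBLISHED  | DISCOVERED |                          DESCRIPTION                          |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-24790 | critical | 9.80 | net/netip | 1.22.1     | fixed in 1.21.11, 1.22.4 | > 7 months  | < 1 hour   | The various Is methods (IsPrivate, IsLoopback,                |
|                |          |      |           |            | > 7 months ago           |             |            | etc) did not work as expected for IPv4-mapped IPv6            |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-6197  | high     | 7.50 | curl      | 8.5.0-r0   | fixed in 8.9.0-r0        | > 5 months  | < 1 hour   | libcurl's ASN1 parser has this utf8asn1str()                  |
|                |          |      |           |            | > 5 months ago           |             |            | function used for parsing an ASN.1 UTF-8 string.              |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2023-6992  | medium   | 5.50 | zlib      | 1.3.1-r0   |                          | > 1 years   | < 1 hour   | Cloudflare version of zlib library was found                  |
|                |          |      |           |            |                          |             |            | to be vulnerable to memory corruption issues                  |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-11053 | low      | 0.00 | curl      | 8.5.0-r0   | fixed in 8.11.1-r0       | 36 days     | < 1 hour   | When asked to both use a `.netrc` file for                    |
|                |          |      |           |            | 9 days ago               |             |            | credentials and to follow HTTP redirects, curl                |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
"""


@dataclass
class Finding:
    cve: str
    severity: str
    cvss: float
    package: str
    version: str
    fixed_in: Optional[str]   # None when the scanner lists no fixed version
    description: str


def _cells(line: str) -> list[str]:
    # "| a | b |" -> ["a", "b"]; descriptions in this report contain no '|'
    return [c.strip() for c in line.strip().strip("|").split("|")]


def parse_table(text: str) -> list[Finding]:
    findings: list[Finding] = []
    in_body = False
    for line in text.splitlines():
        if not line.startswith("|"):
            continue                      # '+----' rule lines and blank lines
        cells = _cells(line)
        if cells[0] == "CVE":             # header row
            in_body = True
            continue
        if not in_body or len(cells) < 9:
            continue
        if cells[0]:                      # first line of a record
            m = re.match(r"fixed in (.+)", cells[5])
            findings.append(Finding(
                cve=cells[0], severity=cells[1].lower(), cvss=float(cells[2]),
                package=cells[3], version=cells[4],
                fixed_in=m.group(1) if m else None, description=cells[8]))
        elif findings and cells[8]:       # wrapped continuation of DESCRIPTION
            # (the wrapped STATUS cell only carries the fix's age; ignored)
            findings[-1].description += " " + cells[8]
    return findings


def severity_counts(findings: list[Finding]) -> dict:
    return dict(Counter(f.severity for f in findings))


def gate(findings, fail_on=("critical", "high"), require_fix=True):
    """Findings that should block a release: severity in fail_on and, when
    require_fix is set, only those the distro already ships a fix for; the
    rest belong on an explicit exception list rather than silently passing."""
    return [f for f in findings
            if f.severity in fail_on and (f.fixed_in is not None or not require_fix)]


if __name__ == "__main__":
    found = parse_table(SAMPLE_REPORT)
    print(severity_counts(found))
    blocking = gate(found)
    for f in blocking:
        print(f"BLOCK {f.cve} {f.severity} {f.package} {f.version} -> upgrade to {f.fixed_in}")
    raise SystemExit(1 if blocking else 0)
```

Run as a script it prints the per-severity counts and exits non-zero when a blocking finding is present, which is the behaviour a CI step wants from an image gate. Findings with no fixed version listed (CVE-2023-6992 in the sample) are deliberately kept out of the blocking set only when `require_fix` is on, so they surface as a separate exception-list decision rather than disappearing into a PASS.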