docker scout detected vulnerabilities #574

serverlessnomad · 2023-07-18T18:19:23Z

serverlessnomad
Jul 18, 2023

Anything we can do collectively to help address these issues? Looks like some packages need to be pivoted away from as they appear to not be well supported any longer.
Adding on to this... docker scout is showing a number of vulnerabilities. Some are with packages that have no fix and no published updates for a year. Any plans to pivot to more supported libraries/packages?

$ docker scout cves

INFO New version 0.19.0 available (installed version is 0.16.1)
✓ SBOM of image already cached, 1690 packages indexed
✗ Detected 10 vulnerable packages with a total of 17 vulnerabilities

2C 0H 0M 0L vm2 3.9.19
pkg:npm/[email protected]

✗ CRITICAL GHSA-g644-9gfx-q4q4
  https://dso.docker.com/cve/GHSA-g644-9gfx-q4q4
  Affected range : <=3.9.19                                      
  Fixed version  : not fixed                                     
  CVSS Score     : 9.8                                           
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  

✗ CRITICAL CVE-2023-37466 [Improper Control of Generation of Code ('Code Injection')]
  https://dso.docker.com/cve/CVE-2023-37466
  Affected range : <=3.9.19                                      
  Fixed version  : not fixed                                     
  CVSS Score     : 9.8                                           
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

1C 0H 0M 0L execa 0.2.2
pkg:npm/[email protected]

✗ CRITICAL GMS-2020-2 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
  https://dso.docker.com/cve/GMS-2020-2
  Affected range : <2.0.0                                        
  Fixed version  : 2.0.0                                         
  CVSS Score     : 9.8                                           
  CVSS Vector    : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0C 4H 1M 0L prismjs 1.17.1
pkg:npm/[email protected]

✗ HIGH CVE-2022-23647 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
  https://dso.docker.com/cve/CVE-2022-23647
  Affected range : >=1.14.0                                      
                 : <1.27.0                                       
  Fixed version  : 1.27.0                                        
  CVSS Score     : 7.5                                           
  CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L  

✗ HIGH CVE-2021-32723 [Uncontrolled Resource Consumption]
  https://dso.docker.com/cve/CVE-2021-32723
  Affected range : <1.24.0                                       
  Fixed version  : 1.24.0                                        
  CVSS Score     : 7.4                                           
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H  

✗ HIGH CVE-2020-15138 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
  https://dso.docker.com/cve/CVE-2020-15138
  Affected range : >=1.1.0                                       
                 : <1.21.0                                       
  Fixed version  : 1.21.0                                        
  CVSS Score     : 7.1                                           
  CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L  

✗ HIGH CVE-2021-23341 [Uncontrolled Resource Consumption]
  https://dso.docker.com/cve/CVE-2021-23341
  Affected range : <1.23.0  
  Fixed version  : 1.23.0   

✗ MEDIUM CVE-2021-3801 [Uncontrolled Resource Consumption]
  https://dso.docker.com/cve/CVE-2021-3801
  Affected range : <1.25.0                                       
  Fixed version  : 1.25.0                                        
  CVSS Score     : 6.5                                           
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

0C 1H 0M 0L simple-get 3.1.1
pkg:npm/[email protected]

✗ HIGH CVE-2022-0355 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
  https://dso.docker.com/cve/CVE-2022-0355
  Affected range : <4.0.1                                        
  Fixed version  : 4.0.1                                         
  CVSS Score     : 7.5                                           
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0C 0H 2M 0L 1? highlight.js 9.15.10
pkg:npm/[email protected]

✗ MEDIUM CVE-2020-26237 [Modification of Assumed-Immutable Data (MAID)]
  https://dso.docker.com/cve/CVE-2020-26237
  Affected range : <9.18.2                                       
  Fixed version  : 9.18.2                                        
  CVSS Score     : 5.8                                           
  CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N  

✗ MEDIUM GHSA-7wwv-vh3v-89cq [Improper Input Validation]
  https://dso.docker.com/cve/GHSA-7wwv-vh3v-89cq
  Affected range : >=9.0.0  
                 : <10.4.1  
  Fixed version  : 10.4.1   

✗ UNSPECIFIED GMS-2020-734 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
  https://dso.docker.com/cve/GMS-2020-734
  Affected range : >=9.0.0  
                 : <10.4.1  
  Fixed version  : 10.4.1

0C 0H 1M 0L libjpeg-turbo 2.1.5.1-r3
pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.18

✗ MEDIUM CVE-2023-2804
  https://dso.docker.com/cve/CVE-2023-2804
  Affected range : <2.1.5.1-r4  
  Fixed version  : 2.1.5.1-r4

0C 0H 1M 0L semver 7.3.8
pkg:npm/[email protected]

✗ MEDIUM CVE-2022-25883 [Inefficient Regular Expression Complexity]
  https://dso.docker.com/cve/CVE-2022-25883
  Affected range : >=7.0.0                                       
                 : <7.5.2                                        
  Fixed version  : 5.7.2                                         
  CVSS Score     : 5.3                                           
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

0C 0H 1M 0L binutils 2.40-r7
pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.18

✗ MEDIUM CVE-2023-1972
  https://dso.docker.com/cve/CVE-2023-1972
  Affected range : <2.40-r10  
  Fixed version  : 2.40-r10

0C 0H 0M 0L 1? stdlib 1.20.5
pkg:golang/[email protected]

✗ UNSPECIFIED CVE-2023-29406
  https://dso.docker.com/cve/CVE-2023-29406
  Affected range : >=1.20.0-0  
                 : <1.20.6     
  Fixed version  : 1.19.11

0C 0H 0M 0L 1? openssl 3.1.1-r1
pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.18

✗ UNSPECIFIED CVE-2023-2975
  https://dso.docker.com/cve/CVE-2023-2975
  Affected range : <3.1.1-r2  
  Fixed version  : 3.1.1-r2

17 vulnerabilities found in 10 packages
UNSPECIFIED 3
LOW 0
MEDIUM 6
HIGH 5
CRITICAL 3

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

docker scout detected vulnerabilities #574

{{title}}

Replies: 0 comments

Select a reply

docker scout detected vulnerabilities #574

serverlessnomad Jul 18, 2023

Replies: 0 comments

serverlessnomad
Jul 18, 2023