Redocly / redoc

📘 OpenAPI/Swagger-generated API Reference Documentation
https://redocly.github.io/redoc/
MIT License
22.89k stars, 2.27k forks

Fixing vulnerability CVE-2023-52425 and CVE-2024-25062 #2492

Closed yarongol closed 2 months ago

yarongol commented 4 months ago

The following is an updated report from an image scanner. You have replied here https://github.com/Redocly/redoc/issues/2481 on CVE-2023-43787, but there are two new issues: CVE-2023-52425 and CVE-2024-25062.

Please advise whether these affect the redoc product and/or help fix this. Regards

trivy image redocly/redoc --severity HIGH,CRITICAL --ignore-unfixed
2024-02-19T16:47:30.062+0200 INFO Need to update DB
2024-02-19T16:47:30.062+0200 INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2024-02-19T16:47:30.062+0200 INFO Downloading DB...
43.01 MiB / 43.01 MiB [----------------------------------------] 100.00% 10.54 MiB p/s 4.3s
2024-02-19T16:47:36.518+0200 INFO Vulnerability scanning is enabled
2024-02-19T16:47:36.518+0200 INFO Secret scanning is enabled
2024-02-19T16:47:36.518+0200 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-02-19T16:47:36.518+0200 INFO Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-02-19T16:47:41.278+0200 INFO Detected OS: alpine
2024-02-19T16:47:41.278+0200 INFO Detecting Alpine vulnerabilities...
2024-02-19T16:47:41.281+0200 INFO Number of language-specific files: 0

redocly/redoc (alpine 3.18.4)

Total: 3 (HIGH: 3, CRITICAL: 0)

┌──────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library  │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├──────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libexpat │ CVE-2023-52425 │ HIGH     │ fixed  │ 2.5.0-r1          │ 2.6.0-r0      │ expat: parsing large tokens can trigger a denial of service  │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-52425                   │
├──────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libx11   │ CVE-2023-43787 │          │        │ 1.8.4-r4          │ 1.8.7-r0      │ libX11: integer overflow in XCreateImage() leading to a heap │
│          │                │          │        │                   │               │ overflow                                                     │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-43787                   │
├──────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libxml2  │ CVE-2024-25062 │          │        │ 2.11.4-r0         │ 2.11.7-r0     │ libxml2: use-after-free in XMLReader                         │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-25062                   │
└──────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

yarongol commented 2 months ago

There are currently 4 HIGH vulnerabilities in redoc docker image:

Repository    CVE             Package    Current Version  Fixed in version
runai/redoc   CVE-2024-28757  libexpat   2.5.0-r1         2.6.2-r0
runai/redoc   CVE-2023-43787  libx11     1.8.4-r4         1.8.7-r0
runai/redoc   CVE-2024-25062  libxml2    2.11.4-r0        2.11.7-r0
runai/redoc   CVE-2023-52425  libexpat   2.5.0-r1         2.6.0-r0

AlexVarchuk commented 2 months ago

Fixed in https://github.com/Redocly/redoc/pull/2445. I am wrong. It is not related to our code; it relates to Alpine.

yarongol commented 2 months ago

So, is there a plan to patch the alpine version?
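The thread ends on the question of patching the Alpine packages rather than the redoc code. What the scanner output does not say directly is the single version each package must reach when several CVEs hit it (libexpat above needs 2.6.2-r0, which also covers the 2.6.0-r0 fix). The script below is an added example, not code from the redoc project or from anyone in this thread: it reads a trivy report in the `--format json` layout (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`), keeps only fixable findings at the chosen severities, and emits per-package upgrade targets plus the matching `apk add` version constraints. The report embedded in it is constructed from the four findings posted above; `apk_version_key` is a simplified Alpine version comparator (an assumption of this example) that handles dotted numeric components and the `-rN` package release only.

```python
"""Turn a trivy JSON report into per-package Alpine upgrade targets.

Added example; not code from the redoc project or the issue thread.
"""
import json
import re
from collections import defaultdict

# Constructed sample in trivy's `--format json` layout, built from the
# four HIGH findings listed in the thread for redocly/redoc (alpine 3.18.4).
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "redocly/redoc (alpine 3.18.4)",
        "Class": "os-pkgs",
        "Type": "alpine",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2024-28757", "PkgName": "libexpat",
             "InstalledVersion": "2.5.0-r1", "FixedVersion": "2.6.2-r0",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2023-52425", "PkgName": "libexpat",
             "InstalledVersion": "2.5.0-r1", "FixedVersion": "2.6.0-r0",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2023-43787", "PkgName": "libx11",
             "InstalledVersion": "1.8.4-r4", "FixedVersion": "1.8.7-r0",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2024-25062", "PkgName": "libxml2",
             "InstalledVersion": "2.11.4-r0", "FixedVersion": "2.11.7-r0",
             "Severity": "HIGH"},
        ],
    }]
})


def apk_version_key(version):
    """Sort key for Alpine package versions such as '2.11.7-r0'.

    Simplified comparator (assumption of this example): dotted numeric
    components compared as integers, then the '-rN' package release.
    Suffixes like _alpha/_pre/_p from full apk semantics are not modelled.
    """
    main, _, release = version.partition("-r")
    parts = []
    for piece in main.split("."):
        m = re.match(r"(\d+)(.*)", piece)
        parts.append((int(m.group(1)), m.group(2)) if m else (0, piece))
    return (parts, int(release) if release.isdigit() else 0)


def upgrade_targets(report_json, severities=("HIGH", "CRITICAL")):
    """Return ({pkg: {installed, needed, cves}}, [(pkg, cve) with no fix]).

    'needed' is the highest fixed version among the package's findings, so
    upgrading to it closes every listed CVE for that package at once.
    """
    report = json.loads(report_json)
    targets = defaultdict(lambda: {"installed": None, "needed": None, "cves": []})
    unfixed = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") not in severities:
                continue
            fixed = v.get("FixedVersion") or ""
            if not fixed:
                # No fixed package yet: report it, but never pin a version.
                unfixed.append((v["PkgName"], v["VulnerabilityID"]))
                continue
            installed = v["InstalledVersion"]
            # trivy may list several fixed versions separated by commas;
            # take the lowest one that is actually above what is installed.
            candidates = [c.strip() for c in fixed.split(",")]
            fix = min((c for c in candidates
                       if apk_version_key(c) > apk_version_key(installed)),
                      key=apk_version_key, default=candidates[0])
            entry = targets[v["PkgName"]]
            entry["installed"] = installed
            entry["cves"].append(v["VulnerabilityID"])
            if entry["needed"] is None or apk_version_key(fix) > apk_version_key(entry["needed"]):
                entry["needed"] = fix
    return dict(targets), unfixed


def apk_constraints(targets):
    """Render version constraints accepted by `apk add` (name>=version)."""
    return " ".join(f"'{pkg}>={t['needed']}'" for pkg, t in sorted(targets.items()))


if __name__ == "__main__":
    targets, unfixed = upgrade_targets(SAMPLE_REPORT)
    for pkg, t in sorted(targets.items()):
        print(f"{pkg}: {t['installed']} -> {t['needed']}  closes {', '.join(t['cves'])}")
    print("RUN apk upgrade --no-cache && apk add --no-cache", apk_constraints(targets))
    for pkg, cve in unfixed:
        print(f"no fixed package yet: {pkg} {cve}")
```

Running it against the constructed report yields one target per package (libexpat 2.6.2-r0, libx11 1.8.7-r0, libxml2 2.11.7-r0) and a `RUN` line that can be dropped into the image's Dockerfile. The `apk add 'pkg>=version'` form makes the build fail loudly if the Alpine branch the image is built from does not ship the fixed package, which is the check a maintainer wants before claiming a CVE is closed; trivy's `FixedVersion` is taken from Alpine's secdb for the detected branch, so the constraint should be satisfiable on the same branch once the base image is rebuilt.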