Closed yarongol closed 2 months ago
There are currently 4 HIGH vulnerabilities in the redoc Docker image:
Repository | CVE | Package | Current Version | Fixed in version |
---|---|---|---|---|
runai/redoc | CVE-2024-28757 | libexpat | 2.5.0-r1 | 2.6.2-r0 |
runai/redoc | CVE-2023-43787 | libx11 | 1.8.4-r4 | 1.8.7-r0 |
runai/redoc | CVE-2024-25062 | libxml2 | 2.11.4-r0 | 2.11.7-r0 |
runai/redoc | CVE-2023-52425 | libexpat | 2.5.0-r1 | 2.6.0-r0 |
fixed https://github.com/Redocly/redoc/pull/2445
I am wrong. It is not related to our code. It relates to Alpine.
So, is there a plan to patch the Alpine version?
Following is an updated report from an image scanner. You have replied here https://github.com/Redocly/redoc/issues/2481 on CVE-2023-43787 but there are two new issues: CVE-2023-52425 and CVE-2024-25062.
Please advise if these affect the redoc product and/or help fix this. Regards
```
redocly/redoc (alpine 3.18.4)

Total: 3 (HIGH: 3, CRITICAL: 0)

┌──────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library  │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├──────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libexpat │ CVE-2023-52425 │ HIGH     │ fixed  │ 2.5.0-r1          │ 2.6.0-r0      │ expat: parsing large tokens can trigger a denial of service  │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-52425                   │
├──────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libx11   │ CVE-2023-43787 │          │        │ 1.8.4-r4          │ 1.8.7-r0      │ libX11: integer overflow in XCreateImage() leading to a heap │
│          │                │          │        │                   │               │ overflow                                                     │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-43787                   │
├──────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libxml2  │ CVE-2024-25062 │          │        │ 2.11.4-r0         │ 2.11.7-r0     │ libxml2: use-after-free in XMLReader                         │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-25062                   │
└──────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
```
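The reports above boil down to one question per row: is the installed Alpine package still older than the release that carries the fix? The following is an added example, not code from the redoc project or from either scanner, that answers that question for a constructed findings list built from the versions quoted in this thread. The `apk_ver_lt` comparator, the `FINDINGS` sample (including the `PLACEHOLDER-ID` row, which is invented to show a finding that is already at or past its fix) and the helper names are all assumptions of this example; it handles the `X.Y.Z-rN` form seen in the tables and does not model Alpine pre-release suffixes.

```shell
#!/bin/sh
# Added example (not from the redoc project): decide, from a scan report's
# "installed version" and "fixed version" columns, which Alpine packages
# are still below the patched release.

# apk_ver_lt A B: succeed (exit 0) when Alpine-style version A ("X.Y.Z-rN")
# sorts before B. Compares the dotted numeric part, then the -rN package
# revision. Pre-release suffixes such as _rc1 are not handled (assumption).
apk_ver_lt() {
    a=$1
    b=$2
    # package revision after "-r"; default to 0 when the version has none
    a_rev=${a##*-r}; [ "$a_rev" = "$a" ] && a_rev=0
    b_rev=${b##*-r}; [ "$b_rev" = "$b" ] && b_rev=0
    a_base=${a%-r*}
    b_base=${b%-r*}
    # split the dotted part into up to three numeric components
    old_ifs=$IFS
    IFS=.
    set -- $a_base
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b_base
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$old_ifs
    # first differing component decides; revision is the tie-breaker
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3" "$a_rev $b_rev"; do
        set -- $pair
        [ "$1" -lt "$2" ] && return 0
        [ "$1" -gt "$2" ] && return 1
    done
    return 1
}

# Constructed sample findings: "ID PACKAGE INSTALLED FIXED", taken from the
# first report in this thread, plus one invented row (PLACEHOLDER-ID) whose
# installed revision is already newer than the fix.
FINDINGS='CVE-2024-28757 libexpat 2.5.0-r1 2.6.2-r0
CVE-2023-43787 libx11 1.8.4-r4 1.8.7-r0
CVE-2024-25062 libxml2 2.11.4-r0 2.11.7-r0
CVE-2023-52425 libexpat 2.5.0-r1 2.6.0-r0
PLACEHOLDER-ID libexample 1.2.3-r2 1.2.3-r1'

# unfixed_findings: print one line per finding whose installed version is
# still older than the fixed version.
unfixed_findings() {
    printf '%s\n' "$FINDINGS" | while read -r id pkg installed fixed; do
        if apk_ver_lt "$installed" "$fixed"; then
            printf '%s %s %s -> %s\n' "$id" "$pkg" "$installed" "$fixed"
        fi
    done
}

# count_unfixed: number of findings still open (stdout, as a bare integer)
count_unfixed() {
    unfixed_findings | wc -l | tr -d ' '
}

unfixed_findings
```

Running the script lists the four thread findings and omits the placeholder row, since `1.2.3-r2` is not older than `1.2.3-r1`. The comparator is a portable reimplementation for reading reports outside the container; inside an Alpine image, `apk version -t A B` performs the same comparison with full knowledge of Alpine's version grammar, and rebuilding on a newer base (or running `apk upgrade` for the affected packages at build time) is what actually moves the installed column past the fixed one.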