confluentinc / kafka-images

Confluent Docker images for Apache Kafka
Apache License 2.0

Improve security by providing updated images more regularly #90

Open reneleonhardt opened 3 years ago

reneleonhardt commented 3 years ago

cp-kafka:6.2.0 is 12 days young but already shows many missing system updates. It would be good to provide updated images with the same tag more regularly, only for updating dependencies without waiting for your new patch release with functional changes to finish.

Floating tags for major and minor releases would be convenient for users to follow the latest stable versions; they would correlate to Confluent Platform versions like 6.1.x and 6.2.x:

Suggestions to improve Dockerfile: https://github.com/goodwithtech/dockle

$ dockle confluentinc/cp-kafka:6.2.0
FATAL   - CIS-DI-0009: Use COPY instead of ADD in Dockerfile
    * Use COPY : /bin/sh -c #(nop) ADD --chown=appuser:appusermulti:29db10218faffff4a0743a284dd051fbaff46ddc205e96a76b7da6942fc3870c in /usr/share/java/cp-base-new/
    * Use COPY : /bin/sh -c #(nop) ADD --chown=appuser:appuserdir:cd0454fa5f2975d97f5409e30db2e97d97ec47aac0a1c45c6aa82a70ea296ab5 in /usr/share/doc/cp-base-new/
INFO    - CIS-DI-0005: Enable Content trust for Docker
    * export DOCKER_CONTENT_TRUST=1 before docker pull/build
INFO    - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
    * not found HEALTHCHECK statement
INFO    - CIS-DI-0008: Confirm safety of setuid/setgid files
    * setuid file: urwxr-xr-x usr/sbin/pam_timestamp_check
    * setuid file: urwxr-xr-x usr/sbin/unix_chkpwd
    * setuid file: urwxr-xr-x usr/bin/ksu
    * setuid file: urwxr-xr-x usr/bin/mount
    * setuid file: urwxr-xr-x usr/bin/gpasswd
    * setgid file: grwx--x--x usr/libexec/utempter/utempter
    * setuid file: urwxr-x--- usr/libexec/dbus-1/dbus-daemon-launch-helper
    * setgid file: grwxr-xr-x usr/bin/write
    * setuid file: urwxr-xr-x usr/bin/newgrp
    * setuid file: urwxr-xr-x usr/bin/chage
    * setuid file: urwxr-xr-x usr/bin/su
    * setuid file: urwxr-xr-x usr/bin/umount

You're using Zulu OpenJDK 11; if possible, consider upgrading to the latest stable Jetty 11.0.5 or 10.0.5. Security findings: https://github.com/aquasecurity/trivy

$ trivy image confluentinc/cp-kafka:6.2.0
2021-06-20T15:26:24.758+0200    INFO    Need to update DB
2021-06-20T15:26:24.759+0200    INFO    Downloading DB...
2021-06-20T15:27:03.864+0200    INFO    Detected OS: redhat
2021-06-20T15:27:03.864+0200    INFO    Detecting RHEL/CentOS vulnerabilities...
2021-06-20T15:27:03.867+0200    INFO    Number of PL dependency files: 140
2021-06-20T15:27:03.867+0200    INFO    Detecting jar vulnerabilities...

confluentinc/cp-kafka:6.2.0 (redhat 8.4)
========================================
Total: 119 (UNKNOWN: 0, LOW: 60, MEDIUM: 54, HIGH: 2, CRITICAL: 3)

+------------------------+------------------+----------+--------------------------------------+-----------------+-----------------------------------------+
|        LIBRARY         | VULNERABILITY ID | SEVERITY |          INSTALLED VERSION           |  FIXED VERSION  |                  TITLE                  |
+------------------------+------------------+----------+--------------------------------------+-----------------+-----------------------------------------+
| bzip2-libs             | CVE-2019-12900   | LOW      | 1.0.6-26.el8                         |                 | bzip2: out-of-bounds write              |
|                        |                  |          |                                      |                 | in function BZ2_decompress              |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2019-12900   |
+------------------------+------------------+----------+--------------------------------------+-----------------+-----------------------------------------+
| coreutils-single       | CVE-2017-18018   | MEDIUM   | 8.30-8.el8                           |                 | coreutils: race condition               |
|                        |                  |          |                                      |                 | vulnerability in chown and chgrp        |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2017-18018   |
+------------------------+------------------+          +--------------------------------------+-----------------+-----------------------------------------+
| curl                   | CVE-2021-22876   |          | 7.61.1-18.el8                        |                 | curl: Leak of authentication            |
|                        |                  |          |                                      |                 | credentials in URL                      |
|                        |                  |          |                                      |                 | via automatic Referer                   |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-22876   |
+                        +------------------+----------+                                      +-----------------+-----------------------------------------+
|                        | CVE-2021-22898   | LOW      |                                      |                 | curl: TELNET stack                      |
|                        |                  |          |                                      |                 | contents disclosure                     |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-22898   |
+------------------------+------------------+          +--------------------------------------+-----------------+-----------------------------------------+
| dbus                   | CVE-2020-35512   |          | 1:1.12.8-12.el8_4.2                  |                 | dbus: users with the same numeric UID   |
|                        |                  |          |                                      |                 | could lead to use-after-free and...     |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2020-35512   |
+------------------------+                  +          +                                      +-----------------+                                         +
| dbus-common            |                  |          |                                      |                 |                                         |
|                        |                  |          |                                      |                 |                                         |
|                        |                  |          |                                      |                 |                                         |
+------------------------+                  +          +                                      +-----------------+                                         +
| dbus-daemon            |                  |          |                                      |                 |                                         |
|                        |                  |          |                                      |                 |                                         |
|                        |                  |          |                                      |                 |                                         |
+------------------------+                  +          +                                      +-----------------+                                         +
| dbus-libs              |                  |          |                                      |                 |                                         |
|                        |                  |          |                                      |                 |                                         |
|                        |                  |          |                                      |                 |                                         |
+------------------------+                  +          +                                      +-----------------+                                         +
| dbus-tools             |                  |          |                                      |                 |                                         |
|                        |                  |          |                                      |                 |                                         |
|                        |                  |          |                                      |                 |                                         |
+------------------------+------------------+----------+--------------------------------------+-----------------+-----------------------------------------+
| file-libs              | CVE-2019-18218   | MEDIUM   | 5.33-16.el8_3.1                      |                 | file: heap-based buffer overflow        |
|                        |                  |          |                                      |                 | in cdf_read_property_info in cdf.c      |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2019-18218   |
+                        +------------------+----------+                                      +-----------------+-----------------------------------------+
|                        | CVE-2019-8905    | LOW      |                                      |                 | file: stack-based buffer over-read      |
|                        |                  |          |                                      |                 | in do_core_note in readelf.c            |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2019-8905    |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2019-8906    |          |                                      |                 | file: out-of-bounds read in             |
|                        |                  |          |                                      |                 | do_core_note in readelf.c               |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2019-8906    |
+------------------------+------------------+----------+--------------------------------------+-----------------+-----------------------------------------+
| glib2                  | CVE-2021-27219   | HIGH     | 2.56.4-9.el8                         | 2.56.4-10.el8_4 | glib: integer overflow in               |
|                        |                  |          |                                      |                 | g_bytes_new function on                 |
|                        |                  |          |                                      |                 | 64-bit platforms due to an...           |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-27219   |
+                        +------------------+----------+                                      +-----------------+-----------------------------------------+
|                        | CVE-2021-27218   | MEDIUM   |                                      |                 | glib: integer overflow in               |
|                        |                  |          |                                      |                 | g_byte_array_new_take function          |
|                        |                  |          |                                      |                 | when called with a buffer of...         |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-27218   |
+                        +------------------+----------+                                      +-----------------+-----------------------------------------+
|                        | CVE-2018-16428   | LOW      |                                      |                 | glib2: NULL pointer dereference in      |
|                        |                  |          |                                      |                 | g_markup_parse_context_end_parse()      |
|                        |                  |          |                                      |                 | function in gmarkup.c                   |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2018-16428   |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2018-16429   |          |                                      |                 | glib2: Out-of-bounds read in            |
|                        |                  |          |                                      |                 | g_markup_parse_context_parse()          |
|                        |                  |          |                                      |                 | in gmarkup.c                            |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2018-16429   |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2021-28153   |          |                                      |                 | glib: g_file_replace() with             |
|                        |                  |          |                                      |                 | G_FILE_CREATE_REPLACE_DESTINATION       |
|                        |                  |          |                                      |                 | creates empty target                    |
|                        |                  |          |                                      |                 | for dangling symlink                    |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-28153   |
+------------------------+------------------+----------+--------------------------------------+-----------------+-----------------------------------------+
| glibc                  | CVE-2019-1010022 | CRITICAL | 2.28-151.el8                         |                 | glibc: stack guard protection bypass    |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2019-1010022 |
+                        +------------------+----------+                                      +-----------------+-----------------------------------------+
|                        | CVE-2021-27645   | LOW      |                                      |                 | glibc: Use-after-free in                |
|                        |                  |          |                                      |                 | addgetnetgrentX function                |
|                        |                  |          |                                      |                 | in netgroupcache.c                      |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-27645   |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2021-33574   |          |                                      |                 | glibc: mq_notify does                   |
|                        |                  |          |                                      |                 | not handle separately                   |
|                        |                  |          |                                      |                 | allocated thread attributes             |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-33574   |
+------------------------+------------------+----------+                                      +-----------------+-----------------------------------------+
| glibc-common           | CVE-2019-1010022 | CRITICAL |                                      |                 | glibc: stack guard protection bypass    |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2019-1010022 |
+                        +------------------+----------+                                      +-----------------+-----------------------------------------+
|                        | CVE-2021-27645   | LOW      |                                      |                 | glibc: Use-after-free in                |
|                        |                  |          |                                      |                 | addgetnetgrentX function                |
|                        |                  |          |                                      |                 | in netgroupcache.c                      |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-27645   |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2021-33574   |          |                                      |                 | glibc: mq_notify does                   |
|                        |                  |          |                                      |                 | not handle separately                   |
|                        |                  |          |                                      |                 | allocated thread attributes             |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-33574   |
+------------------------+------------------+----------+                                      +-----------------+-----------------------------------------+
| glibc-minimal-langpack | CVE-2019-1010022 | CRITICAL |                                      |                 | glibc: stack guard protection bypass    |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2019-1010022 |
+                        +------------------+----------+                                      +-----------------+-----------------------------------------+
|                        | CVE-2021-27645   | LOW      |                                      |                 | glibc: Use-after-free in                |
|                        |                  |          |                                      |                 | addgetnetgrentX function                |
|                        |                  |          |                                      |                 | in netgroupcache.c                      |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-27645   |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2021-33574   |          |                                      |                 | glibc: mq_notify does                   |
|                        |                  |          |                                      |                 | not handle separately                   |
|                        |                  |          |                                      |                 | allocated thread attributes             |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-33574   |
+------------------------+------------------+----------+--------------------------------------+-----------------+-----------------------------------------+
| gnutls                 | CVE-2021-20231   | MEDIUM   | 3.6.14-8.el8_3                       |                 | gnutls: Use after free in               |
|                        |                  |          |                                      |                 | client key_share extension              |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-20231   |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2021-20232   |          |                                      |                 | gnutls: Use after free                  |
|                        |                  |          |                                      |                 | in client_send_params in                |
|                        |                  |          |                                      |                 | lib/ext/pre_shared_key.c                |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-20232   |
+------------------------+------------------+          +--------------------------------------+-----------------+-----------------------------------------+
| json-c                 | CVE-2020-12762   |          | 0.13.1-0.4.el8                       |                 | json-c: integer overflow                |
|                        |                  |          |                                      |                 | and out-of-bounds write                 |
|                        |                  |          |                                      |                 | via a large JSON file                   |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2020-12762   |
+------------------------+------------------+          +--------------------------------------+-----------------+-----------------------------------------+
| libarchive             | CVE-2020-21674   |          | 3.3.3-1.el8                          |                 | libarchive: heap-based                  |
|                        |                  |          |                                      |                 | buffer overflow in                      |
|                        |                  |          |                                      |                 | archive_string_append_from_wcs          |
|                        |                  |          |                                      |                 | function in archive_string.c            |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2020-21674   |
+                        +------------------+----------+                                      +-----------------+-----------------------------------------+
|                        | CVE-2017-14166   | LOW      |                                      |                 | libarchive: Heap-based buffer           |
|                        |                  |          |                                      |                 | over-read in the atol8 function         |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2017-14166   |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2017-14501   |          |                                      |                 | libarchive: Out-of-bounds               |
|                        |                  |          |                                      |                 | read in parse_file_info                 |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2017-14501   |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2018-1000879 |          |                                      |                 | libarchive: NULL pointer dereference in |
|                        |                  |          |                                      |                 | ACL parser resulting in a denial of...  |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2018-1000879 |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2018-1000880 |          |                                      |                 | libarchive: Improper input              |
|                        |                  |          |                                      |                 | validation in WARC parser               |
|                        |                  |          |                                      |                 | resulting in a denial of...             |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2018-1000880 |
+------------------------+------------------+----------+--------------------------------------+-----------------+-----------------------------------------+
| libcurl                | CVE-2021-22876   | MEDIUM   | 7.61.1-18.el8                        |                 | curl: Leak of authentication            |
|                        |                  |          |                                      |                 | credentials in URL                      |
|                        |                  |          |                                      |                 | via automatic Referer                   |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-22876   |
+                        +------------------+----------+                                      +-----------------+-----------------------------------------+
|                        | CVE-2021-22898   | LOW      |                                      |                 | curl: TELNET stack                      |
|                        |                  |          |                                      |                 | contents disclosure                     |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-22898   |
+------------------------+------------------+----------+--------------------------------------+-----------------+-----------------------------------------+
| libdnf                 | CVE-2021-3445    | MEDIUM   | 0.55.0-7.el8                         |                 | libdnf: libdnf does its                 |
|                        |                  |          |                                      |                 | own signature verification,             |
|                        |                  |          |                                      |                 | but this can be tricked...              |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-3445    |
+------------------------+------------------+          +--------------------------------------+-----------------+-----------------------------------------+
| libgcc                 | CVE-2018-20673   |          | 8.4.1-1.el8                          |                 | libiberty: Integer overflow in          |
|                        |                  |          |                                      |                 | demangle_template() function            |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2018-20673   |
+                        +------------------+----------+                                      +-----------------+-----------------------------------------+
|                        | CVE-2018-20657   | LOW      |                                      |                 | libiberty: Memory leak in               |
|                        |                  |          |                                      |                 | demangle_template function              |
|                        |                  |          |                                      |                 | resulting in a denial of service...     |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2018-20657   |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2019-14250   |          |                                      |                 | binutils: integer overflow in           |
|                        |                  |          |                                      |                 | simple-object-elf.c leads to            |
|                        |                  |          |                                      |                 | a heap-based buffer overflow            |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2019-14250   |
+------------------------+------------------+----------+--------------------------------------+-----------------+-----------------------------------------+
| libgcrypt              | CVE-2019-12904   | MEDIUM   | 1.8.5-4.el8                          |                 | Libgcrypt: physical addresses           |
|                        |                  |          |                                      |                 | being available to other processes      |
|                        |                  |          |                                      |                 | leads to a flush-and-reload...          |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2019-12904   |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2021-33560   |          |                                      |                 | libgcrypt: mishandles ElGamal           |
|                        |                  |          |                                      |                 | encryption because it lacks             |
|                        |                  |          |                                      |                 | exponent blinding to address a...       |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-33560   |
+------------------------+------------------+----------+--------------------------------------+-----------------+-----------------------------------------+
| libsolv                | CVE-2021-3200    | LOW      | 0.7.16-2.el8                         |                 | libsolv: heap-based buffer overflow     |
|                        |                  |          |                                      |                 | in testcase_read() in src/testcase.c    |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-3200    |
+------------------------+------------------+          +--------------------------------------+-----------------+-----------------------------------------+
| libssh                 | CVE-2020-16135   |          | 0.9.4-2.el8                          |                 | libssh: NULL pointer                    |
|                        |                  |          |                                      |                 | dereference in sftpserver.c             |
|                        |                  |          |                                      |                 | if ssh_buffer_new returns NULL          |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2020-16135   |
+------------------------+                  +          +                                      +-----------------+                                         +
| libssh-config          |                  |          |                                      |                 |                                         |
|                        |                  |          |                                      |                 |                                         |
|                        |                  |          |                                      |                 |                                         |
|                        |                  |          |                                      |                 |                                         |
+------------------------+------------------+----------+--------------------------------------+-----------------+-----------------------------------------+
| libstdc++              | CVE-2018-20673   | MEDIUM   | 8.4.1-1.el8                          |                 | libiberty: Integer overflow in          |
|                        |                  |          |                                      |                 | demangle_template() function            |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2018-20673   |
+                        +------------------+----------+                                      +-----------------+-----------------------------------------+
|                        | CVE-2018-20657   | LOW      |                                      |                 | libiberty: Memory leak in               |
|                        |                  |          |                                      |                 | demangle_template function              |
|                        |                  |          |                                      |                 | resulting in a denial of service...     |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2018-20657   |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2019-14250   |          |                                      |                 | binutils: integer overflow in           |
|                        |                  |          |                                      |                 | simple-object-elf.c leads to            |
|                        |                  |          |                                      |                 | a heap-based buffer overflow            |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2019-14250   |
+------------------------+------------------+          +--------------------------------------+-----------------+-----------------------------------------+
| libtasn1               | CVE-2018-1000654 |          | 4.13-3.el8                           |                 | libtasn1: Infinite loop in              |
|                        |                  |          |                                      |                 | _asn1_expand_object_id(ptree)           |
|                        |                  |          |                                      |                 | leads to memory exhaustion              |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2018-1000654 |
+------------------------+------------------+----------+--------------------------------------+-----------------+-----------------------------------------+
| libxml2                | CVE-2021-3516    | MEDIUM   | 2.9.7-9.el8                          |                 | libxml2: Use-after-free in              |
|                        |                  |          |                                      |                 | xmlEncodeEntitiesInternal()             |
|                        |                  |          |                                      |                 | in entities.c                           |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-3516    |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2021-3517    |          |                                      |                 | libxml2: Heap-based buffer overflow     |
|                        |                  |          |                                      |                 | in xmlEncodeEntitiesInternal()          |
|                        |                  |          |                                      |                 | in entities.c                           |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-3517    |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2021-3518    |          |                                      |                 | libxml2: Use-after-free in              |
|                        |                  |          |                                      |                 | xmlXIncludeDoProcess() in xinclude.c    |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-3518    |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2021-3537    |          |                                      |                 | libxml2: NULL pointer dereference       |
|                        |                  |          |                                      |                 | when post-validating mixed              |
|                        |                  |          |                                      |                 | content parsed in recovery mode...      |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-3537    |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2021-3541    |          |                                      |                 | libxml2: Exponential entity             |
|                        |                  |          |                                      |                 | expansion attack bypasses all           |
|                        |                  |          |                                      |                 | existing protection mechanisms          |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-3541    |
+------------------------+------------------+----------+--------------------------------------+-----------------+-----------------------------------------+
| libzstd                | CVE-2021-24032   | LOW      | 1.4.4-1.el8                          |                 | zstd: Race condition                    |
|                        |                  |          |                                      |                 | allows attacker to access               |
|                        |                  |          |                                      |                 | world-readable destination file         |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-24032   |
+------------------------+------------------+----------+--------------------------------------+-----------------+-----------------------------------------+
| lua-libs               | CVE-2020-15945   | MEDIUM   | 5.3.4-11.el8                         |                 | lua: segmentation fault                 |
|                        |                  |          |                                      |                 | in changedline in ldebug.c              |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2020-15945   |
+                        +------------------+----------+                                      +-----------------+-----------------------------------------+
|                        | CVE-2020-24370   | LOW      |                                      |                 | lua: segmentation fault in getlocal     |
|                        |                  |          |                                      |                 | and setlocal functions in ldebug.c      |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2020-24370   |
+------------------------+------------------+----------+--------------------------------------+-----------------+-----------------------------------------+
| lz4-libs               | CVE-2019-17543   | MEDIUM   | 1.8.3-2.el8                          |                 | lz4: heap-based buffer                  |
|                        |                  |          |                                      |                 | overflow in LZ4_write32                 |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2019-17543   |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2021-3520    |          |                                      |                 | lz4: memory corruption                  |
|                        |                  |          |                                      |                 | due to an integer overflow              |
|                        |                  |          |                                      |                 | bug caused by memmove...                |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-3520    |
+------------------------+------------------+          +--------------------------------------+-----------------+-----------------------------------------+
| ncurses-base           | CVE-2019-17594   |          | 6.1-7.20180224.el8                   |                 | ncurses: heap-based buffer              |
|                        |                  |          |                                      |                 | overflow in the _nc_find_entry          |
|                        |                  |          |                                      |                 | function in tinfo/comp_hash.c           |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2019-17594   |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2019-17595   |          |                                      |                 | ncurses: heap-based buffer              |
|                        |                  |          |                                      |                 | overflow in the fmt_entry               |
|                        |                  |          |                                      |                 | function in tinfo/comp_hash.c           |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2019-17595   |
+                        +------------------+----------+                                      +-----------------+-----------------------------------------+
|                        | CVE-2018-19211   | LOW      |                                      |                 | ncurses: Null pointer                   |
|                        |                  |          |                                      |                 | dereference at function                 |
|                        |                  |          |                                      |                 | _nc_parse_entry in parse_entry.c        |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2018-19211   |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2018-19217   |          |                                      |                 | ncurses: Null pointer dereference       |
|                        |                  |          |                                      |                 | at function _nc_name_match              |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2018-19217   |
+------------------------+------------------+----------+                                      +-----------------+-----------------------------------------+
| ncurses-libs           | CVE-2019-17594   | MEDIUM   |                                      |                 | ncurses: heap-based buffer              |
|                        |                  |          |                                      |                 | overflow in the _nc_find_entry          |
|                        |                  |          |                                      |                 | function in tinfo/comp_hash.c           |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2019-17594   |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2019-17595   |          |                                      |                 | ncurses: heap-based buffer              |
|                        |                  |          |                                      |                 | overflow in the fmt_entry               |
|                        |                  |          |                                      |                 | function in tinfo/comp_hash.c           |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2019-17595   |
+                        +------------------+----------+                                      +-----------------+-----------------------------------------+
|                        | CVE-2018-19211   | LOW      |                                      |                 | ncurses: Null pointer                   |
|                        |                  |          |                                      |                 | dereference at function                 |
|                        |                  |          |                                      |                 | _nc_parse_entry in parse_entry.c        |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2018-19211   |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2018-19217   |          |                                      |                 | ncurses: Null pointer dereference       |
|                        |                  |          |                                      |                 | at function _nc_name_match              |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2018-19217   |
+------------------------+------------------+----------+--------------------------------------+-----------------+-----------------------------------------+
| nettle                 | CVE-2021-3580    | MEDIUM   | 3.4.1-4.el8_3                        |                 | nettle: Remote crash                    |
|                        |                  |          |                                      |                 | in RSA decryption via                   |
|                        |                  |          |                                      |                 | manipulated ciphertext                  |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-3580    |
+------------------------+------------------+          +--------------------------------------+-----------------+-----------------------------------------+
| openssl                | CVE-2021-23840   |          | 1:1.1.1g-15.el8_3                    |                 | openssl: integer                        |
|                        |                  |          |                                      |                 | overflow in CipherUpdate                |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-23840   |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2021-23841   |          |                                      |                 | openssl: NULL pointer dereference       |
|                        |                  |          |                                      |                 | in X509_issuer_and_serial_hash()        |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-23841   |
+------------------------+------------------+          +                                      +-----------------+-----------------------------------------+
| openssl-libs           | CVE-2021-23840   |          |                                      |                 | openssl: integer                        |
|                        |                  |          |                                      |                 | overflow in CipherUpdate                |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-23840   |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2021-23841   |          |                                      |                 | openssl: NULL pointer dereference       |
|                        |                  |          |                                      |                 | in X509_issuer_and_serial_hash()        |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-23841   |
+------------------------+------------------+----------+--------------------------------------+-----------------+-----------------------------------------+
| pcre                   | CVE-2019-20838   | LOW      | 8.42-4.el8                           |                 | pcre: buffer over-read in               |
|                        |                  |          |                                      |                 | JIT when UTF is disabled                |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2019-20838   |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2020-14155   |          |                                      |                 | pcre: integer overflow in libpcre       |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2020-14155   |
+------------------------+------------------+----------+--------------------------------------+-----------------+-----------------------------------------+
| platform-python        | CVE-2021-3426    | MEDIUM   | 3.6.8-37.el8                         |                 | python: information                     |
|                        |                  |          |                                      |                 | disclosure via pydoc                    |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-3426    |
+                        +------------------+----------+                                      +-----------------+-----------------------------------------+
|                        | CVE-2019-9674    | LOW      |                                      |                 | python: Nested zip file (Zip bomb)      |
|                        |                  |          |                                      |                 | vulnerability in Lib/zipfile.py         |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2019-9674    |
+------------------------+------------------+          +--------------------------------------+-----------------+-----------------------------------------+
| platform-python-pip    | CVE-2018-20225   |          | 9.0.3-19.el8                         |                 | python-pip: when --extra-index-url      |
|                        |                  |          |                                      |                 | option is used and package              |
|                        |                  |          |                                      |                 | does not already exist...               |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2018-20225   |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2021-3572    |          |                                      |                 | python-pip: pip incorrectly handled     |
|                        |                  |          |                                      |                 | unicode separators in git references    |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-3572    |
+------------------------+------------------+          +--------------------------------------+-----------------+-----------------------------------------+
| procps-ng              | CVE-2018-1121    |          | 3.3.15-6.el8                         |                 | procps-ng, procps: process              |
|                        |                  |          |                                      |                 | hiding through race                     |
|                        |                  |          |                                      |                 | condition enumerating /proc             |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2018-1121    |
+------------------------+------------------+----------+--------------------------------------+-----------------+-----------------------------------------+
| python3-hawkey         | CVE-2021-3445    | MEDIUM   | 0.55.0-7.el8                         |                 | libdnf: libdnf does its                 |
|                        |                  |          |                                      |                 | own signature verification,             |
|                        |                  |          |                                      |                 | but this can be tricked...              |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-3445    |
+------------------------+                  +          +                                      +-----------------+                                         +
| python3-libdnf         |                  |          |                                      |                 |                                         |
|                        |                  |          |                                      |                 |                                         |
|                        |                  |          |                                      |                 |                                         |
|                        |                  |          |                                      |                 |                                         |
+------------------------+------------------+          +--------------------------------------+-----------------+-----------------------------------------+
| python3-libs           | CVE-2021-3426    |          | 3.6.8-37.el8                         |                 | python: information                     |
|                        |                  |          |                                      |                 | disclosure via pydoc                    |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-3426    |
+                        +------------------+----------+                                      +-----------------+-----------------------------------------+
|                        | CVE-2019-9674    | LOW      |                                      |                 | python: Nested zip file (Zip bomb)      |
|                        |                  |          |                                      |                 | vulnerability in Lib/zipfile.py         |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2019-9674    |
+------------------------+------------------+          +--------------------------------------+-----------------+-----------------------------------------+
| python3-pip            | CVE-2018-20225   |          | 9.0.3-19.el8                         |                 | python-pip: when --extra-index-url      |
|                        |                  |          |                                      |                 | option is used and package              |
|                        |                  |          |                                      |                 | does not already exist...               |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2018-20225   |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2021-3572    |          |                                      |                 | python-pip: pip incorrectly handled     |
|                        |                  |          |                                      |                 | unicode separators in git references    |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-3572    |
+------------------------+------------------+          +                                      +-----------------+-----------------------------------------+
| python3-pip-wheel      | CVE-2018-20225   |          |                                      |                 | python-pip: when --extra-index-url      |
|                        |                  |          |                                      |                 | option is used and package              |
|                        |                  |          |                                      |                 | does not already exist...               |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2018-20225   |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2021-3572    |          |                                      |                 | python-pip: pip incorrectly handled     |
|                        |                  |          |                                      |                 | unicode separators in git references    |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-3572    |
+------------------------+------------------+----------+--------------------------------------+-----------------+-----------------------------------------+
| python3-rpm            | CVE-2021-20271   | MEDIUM   | 4.14.3-13.el8                        |                 | rpm: Signature checks bypass            |
|                        |                  |          |                                      |                 | via corrupted rpm package               |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-20271   |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2021-3421    |          |                                      |                 | rpm: unsigned signature header          |
|                        |                  |          |                                      |                 | leads to string injection               |
|                        |                  |          |                                      |                 | into an rpm database...                 |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-3421    |
+                        +------------------+----------+                                      +-----------------+-----------------------------------------+
|                        | CVE-2021-20266   | LOW      |                                      |                 | rpm: missing length                     |
|                        |                  |          |                                      |                 | checks in hdrblobInit()                 |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-20266   |
+------------------------+------------------+----------+--------------------------------------+-----------------+-----------------------------------------+
| python3-unbound        | CVE-2019-25033   | MEDIUM   | 1.7.3-15.el8                         |                 | unbound: integer overflow               |
|                        |                  |          |                                      |                 | in the regional allocator               |
|                        |                  |          |                                      |                 | via the ALIGN_UP macro                  |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2019-25033   |
+                        +------------------+----------+                                      +-----------------+-----------------------------------------+
|                        | CVE-2019-16866   | LOW      |                                      |                 | unbound: uninitialized memory           |
|                        |                  |          |                                      |                 | accesses leads to crash via             |
|                        |                  |          |                                      |                 | a crafted NOTIFY query...               |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2019-16866   |
+------------------------+------------------+          +--------------------------------------+-----------------+-----------------------------------------+
| python36               | CVE-2018-20406   |          | 3.6.8-2.module+el8.1.0+3334+5cb623d7 |                 | python: Integer overflow                |
|                        |                  |          |                                      |                 | in Modules/_pickle.c allows             |
|                        |                  |          |                                      |                 | for memory exhaustion if                |
|                        |                  |          |                                      |                 | serializing gigabytes...                |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2018-20406   |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2019-9674    |          |                                      |                 | python: Nested zip file (Zip bomb)      |
|                        |                  |          |                                      |                 | vulnerability in Lib/zipfile.py         |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2019-9674    |
+------------------------+------------------+----------+--------------------------------------+-----------------+-----------------------------------------+
| rpm                    | CVE-2021-20271   | MEDIUM   | 4.14.3-13.el8                        |                 | rpm: Signature checks bypass            |
|                        |                  |          |                                      |                 | via corrupted rpm package               |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-20271   |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2021-3421    |          |                                      |                 | rpm: unsigned signature header          |
|                        |                  |          |                                      |                 | leads to string injection               |
|                        |                  |          |                                      |                 | into an rpm database...                 |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-3421    |
+                        +------------------+----------+                                      +-----------------+-----------------------------------------+
|                        | CVE-2021-20266   | LOW      |                                      |                 | rpm: missing length                     |
|                        |                  |          |                                      |                 | checks in hdrblobInit()                 |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-20266   |
+------------------------+------------------+----------+                                      +-----------------+-----------------------------------------+
| rpm-build-libs         | CVE-2021-20271   | MEDIUM   |                                      |                 | rpm: Signature checks bypass            |
|                        |                  |          |                                      |                 | via corrupted rpm package               |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-20271   |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2021-3421    |          |                                      |                 | rpm: unsigned signature header          |
|                        |                  |          |                                      |                 | leads to string injection               |
|                        |                  |          |                                      |                 | into an rpm database...                 |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-3421    |
+                        +------------------+----------+                                      +-----------------+-----------------------------------------+
|                        | CVE-2021-20266   | LOW      |                                      |                 | rpm: missing length                     |
|                        |                  |          |                                      |                 | checks in hdrblobInit()                 |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-20266   |
+------------------------+------------------+----------+                                      +-----------------+-----------------------------------------+
| rpm-libs               | CVE-2021-20271   | MEDIUM   |                                      |                 | rpm: Signature checks bypass            |
|                        |                  |          |                                      |                 | via corrupted rpm package               |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-20271   |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2021-3421    |          |                                      |                 | rpm: unsigned signature header          |
|                        |                  |          |                                      |                 | leads to string injection               |
|                        |                  |          |                                      |                 | into an rpm database...                 |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-3421    |
+                        +------------------+----------+                                      +-----------------+-----------------------------------------+
|                        | CVE-2021-20266   | LOW      |                                      |                 | rpm: missing length                     |
|                        |                  |          |                                      |                 | checks in hdrblobInit()                 |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-20266   |
+------------------------+------------------+----------+--------------------------------------+-----------------+-----------------------------------------+
| sqlite-libs            | CVE-2019-5827    | HIGH     | 3.26.0-13.el8                        |                 | chromium-browser:                       |
|                        |                  |          |                                      |                 | out-of-bounds access in SQLite          |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2019-5827    |
+                        +------------------+----------+                                      +-----------------+-----------------------------------------+
|                        | CVE-2019-13750   | MEDIUM   |                                      |                 | sqlite: dropping of shadow tables       |
|                        |                  |          |                                      |                 | not restricted in defensive mode        |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2019-13750   |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2019-13751   |          |                                      |                 | sqlite: fts3: improve                   |
|                        |                  |          |                                      |                 | detection of corrupted records          |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2019-13751   |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2019-19603   |          |                                      |                 | sqlite: mishandles certain SELECT       |
|                        |                  |          |                                      |                 | statements with a nonexistent           |
|                        |                  |          |                                      |                 | VIEW, leading to DoS...                 |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2019-19603   |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2020-13435   |          |                                      |                 | sqlite: NULL pointer dereference        |
|                        |                  |          |                                      |                 | leads to segmentation fault in          |
|                        |                  |          |                                      |                 | sqlite3ExprCodeTarget in expr.c...      |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2020-13435   |
+                        +------------------+----------+                                      +-----------------+-----------------------------------------+
|                        | CVE-2019-19244   | LOW      |                                      |                 | sqlite: allows a crash                  |
|                        |                  |          |                                      |                 | if a sub-select uses both               |
|                        |                  |          |                                      |                 | DISTINCT and window...                  |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2019-19244   |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2019-9936    |          |                                      |                 | sqlite: heap-based buffer               |
|                        |                  |          |                                      |                 | over-read in function                   |
|                        |                  |          |                                      |                 | fts5HashEntrySort in sqlite3.c          |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2019-9936    |
+                        +------------------+          +                                      +-----------------+-----------------------------------------+
|                        | CVE-2019-9937    |          |                                      |                 | sqlite: null-pointer                    |
|                        |                  |          |                                      |                 | dereference in function                 |
|                        |                  |          |                                      |                 | fts5ChunkIterate in sqlite3.c           |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2019-9937    |
+------------------------+------------------+----------+--------------------------------------+-----------------+-----------------------------------------+
| systemd                | CVE-2018-20839   | MEDIUM   | 239-45.el8                           |                 | systemd: mishandling of the             |
|                        |                  |          |                                      |                 | current keyboard mode check             |
|                        |                  |          |                                      |                 | leading to passwords being...           |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2018-20839   |
+------------------------+                  +          +                                      +-----------------+                                         +
| systemd-libs           |                  |          |                                      |                 |                                         |
|                        |                  |          |                                      |                 |                                         |
|                        |                  |          |                                      |                 |                                         |
|                        |                  |          |                                      |                 |                                         |
+------------------------+                  +          +                                      +-----------------+                                         +
| systemd-pam            |                  |          |                                      |                 |                                         |
|                        |                  |          |                                      |                 |                                         |
|                        |                  |          |                                      |                 |                                         |
|                        |                  |          |                                      |                 |                                         |
+------------------------+------------------+          +--------------------------------------+-----------------+-----------------------------------------+
| tar                    | CVE-2021-20193   |          | 2:1.30-5.el8                         |                 | tar: Memory leak in                     |
|                        |                  |          |                                      |                 | read_header() in list.c                 |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-20193   |
+                        +------------------+----------+                                      +-----------------+-----------------------------------------+
|                        | CVE-2019-9923    | LOW      |                                      |                 | tar: null-pointer dereference           |
|                        |                  |          |                                      |                 | in pax_decode_header in sparse.c        |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2019-9923    |
+------------------------+------------------+----------+--------------------------------------+-----------------+-----------------------------------------+
| unbound-libs           | CVE-2019-25033   | MEDIUM   | 1.7.3-15.el8                         |                 | unbound: integer overflow               |
|                        |                  |          |                                      |                 | in the regional allocator               |
|                        |                  |          |                                      |                 | via the ALIGN_UP macro                  |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2019-25033   |
+                        +------------------+----------+                                      +-----------------+-----------------------------------------+
|                        | CVE-2019-16866   | LOW      |                                      |                 | unbound: uninitialized memory           |
|                        |                  |          |                                      |                 | accesses leads to crash via             |
|                        |                  |          |                                      |                 | a crafted NOTIFY query...               |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2019-16866   |
+------------------------+------------------+----------+--------------------------------------+-----------------+-----------------------------------------+
| wget                   | CVE-2021-31879   | MEDIUM   | 1.19.5-10.el8                        |                 | wget: authorization header              |
|                        |                  |          |                                      |                 | disclosure on redirect                  |
|                        |                  |          |                                      |                 | -->avd.aquasec.com/nvd/cve-2021-31879   |
+------------------------+------------------+----------+--------------------------------------+-----------------+-----------------------------------------+

usr/share/java/kafka/jetty-server-9.4.40.v20210413.jar
======================================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+--------------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
|            LIBRARY             | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| org.eclipse.jetty:jetty-server | CVE-2019-10247   | MEDIUM   | 9.4.40.v20210413  |               | jetty: error path                     |
|                                |                  |          |                   |               | information disclosure                |
|                                |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-10247 |
+--------------------------------+------------------+----------+-------------------+---------------+---------------------------------------+

You can integrate the GitHub Action into your workflows if you want: https://github.com/aquasecurity/trivy/blob/main/docs/integrations/github-actions.md

janjwerner-confluent commented 1 year ago

Rene, thank you for your suggestion. Confluent’s policy is to release patch release versions along with base OS upgrades on a quarterly basis. We will look into improving this upgrade cadence at a future point in time.

tpitale commented 3 months ago

@janjwerner-confluent Has there been any change on this policy? We're seeing similar vulnerabilities in glibc and others:

trivy image --scanners=vuln --vuln-type=os \
       --severity=HIGH,CRITICAL --ignore-unfixed \
       confluentinc/cp-kafka-connect:7.6.1                   
2024-05-28T14:10:28.096-0500    INFO    Vulnerability scanning is enabled
2024-05-28T14:10:28.994-0500    INFO    Detected OS: redhat
2024-05-28T14:10:28.994-0500    INFO    Detecting RHEL/CentOS vulnerabilities...

confluentinc/cp-kafka-connect:7.6.1 (redhat 8.9)

Total: 10 (HIGH: 10, CRITICAL: 0)

┌────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────────┬──────────────────────────────────────────────────────────────┐
│        Library         │ Vulnerability  │ Severity │ Status │ Installed Version │   Fixed Version   │                            Title                             │
├────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────────┼──────────────────────────────────────────────────────────────┤
│ glibc                  │ CVE-2024-2961  │ HIGH     │ fixed  │ 2.28-236.el8_9.12 │ 2.28-251.el8_10.1 │ glibc: Out of bounds write in iconv may lead to remote       │
│                        │                │          │        │                   │                   │ code...                                                      │
│                        │                │          │        │                   │                   │ https://avd.aquasec.com/nvd/cve-2024-2961                    │
│                        ├────────────────┤          │        │                   ├───────────────────┼──────────────────────────────────────────────────────────────┤
│                        │ CVE-2024-33599 │          │        │                   │ 2.28-251.el8_10.2 │ glibc: stack-based buffer overflow in netgroup cache         │
│                        │                │          │        │                   │                   │ https://avd.aquasec.com/nvd/cve-2024-33599                   │
├────────────────────────┼────────────────┤          │        │                   ├───────────────────┼──────────────────────────────────────────────────────────────┤
│ glibc-common           │ CVE-2024-2961  │          │        │                   │ 2.28-251.el8_10.1 │ glibc: Out of bounds write in iconv may lead to remote       │
│                        │                │          │        │                   │                   │ code...                                                      │
│                        │                │          │        │                   │                   │ https://avd.aquasec.com/nvd/cve-2024-2961                    │
│                        ├────────────────┤          │        │                   ├───────────────────┼──────────────────────────────────────────────────────────────┤
│                        │ CVE-2024-33599 │          │        │                   │ 2.28-251.el8_10.2 │ glibc: stack-based buffer overflow in netgroup cache         │
│                        │                │          │        │                   │                   │ https://avd.aquasec.com/nvd/cve-2024-33599                   │
├────────────────────────┼────────────────┤          │        │                   ├───────────────────┼──────────────────────────────────────────────────────────────┤
│ glibc-minimal-langpack │ CVE-2024-2961  │          │        │                   │ 2.28-251.el8_10.1 │ glibc: Out of bounds write in iconv may lead to remote       │
│                        │                │          │        │                   │                   │ code...                                                      │
│                        │                │          │        │                   │                   │ https://avd.aquasec.com/nvd/cve-2024-2961                    │
│                        ├────────────────┤          │        │                   ├───────────────────┼──────────────────────────────────────────────────────────────┤
│                        │ CVE-2024-33599 │          │        │                   │ 2.28-251.el8_10.2 │ glibc: stack-based buffer overflow in netgroup cache         │
│                        │                │          │        │                   │                   │ https://avd.aquasec.com/nvd/cve-2024-33599                   │
├────────────────────────┼────────────────┤          │        ├───────────────────┼───────────────────┼──────────────────────────────────────────────────────────────┤
│ platform-python        │ CVE-2023-6597  │          │        │ 3.6.8-56.el8_9.3  │ 3.6.8-62.el8_10   │ python: Path traversal on tempfile.TemporaryDirectory        │
│                        │                │          │        │                   │                   │ https://avd.aquasec.com/nvd/cve-2023-6597                    │
├────────────────────────┤                │          │        │                   │                   │                                                              │
│ python3-libs           │                │          │        │                   │                   │                                                              │
│                        │                │          │        │                   │                   │                                                              │
├────────────────────────┼────────────────┤          │        ├───────────────────┼───────────────────┼──────────────────────────────────────────────────────────────┤
│ python3-unbound        │ CVE-2024-1488  │          │        │ 1.16.2-5.el8_9.2  │ 1.16.2-5.el8_9.6  │ unbound: unrestricted reconfiguration enabled to anyone that │
│                        │                │          │        │                   │                   │ may lead to local privilege...                               │
│                        │                │          │        │                   │                   │ https://avd.aquasec.com/nvd/cve-2024-1488                    │
├────────────────────────┤                │          │        │                   │                   │                                                              │
│ unbound-libs           │                │          │        │                   │                   │                                                              │
│                        │                │          │        │                   │                   │                                                              │
│                        │                │          │        │                   │                   │                                                              │
└────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────────┴──────────────────────────────────────────────────────────────┘
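As an added example (not code from this repository or from any commenter), the following Python script turns a Trivy JSON report into a CI verdict using the same filter the command above applies at scan time (`--vuln-type=os --severity=HIGH,CRITICAL --ignore-unfixed`), and collapses the per-subpackage duplication visible in the table, where one glibc erratum is listed three times. The embedded report is constructed by hand to follow Trivy's JSON layout (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Status`, `Severity`); the `allowlist` parameter and the file name `gate.py` are this example's own choices.

```python
"""gate.py: fail a pipeline only on fixable HIGH/CRITICAL OS-package findings.

Added example, not part of confluentinc/kafka-images. Reads a report produced by
`trivy image --format json --output report.json <image>`; without an argument it
runs against the constructed sample below.
"""
import json
import sys
from collections import defaultdict

BLOCKING = frozenset({"HIGH", "CRITICAL"})


def _v(cve, pkg, installed, fixed, severity):
    # Build one vulnerability record in Trivy's JSON shape. Trivy reports
    # Status="fixed" when a vendor fix exists; older releases only set FixedVersion.
    return {"VulnerabilityID": cve, "PkgName": pkg, "InstalledVersion": installed,
            "FixedVersion": fixed, "Status": "fixed" if fixed else "affected",
            "Severity": severity}


# Constructed sample report. Package and CVE values echo the scan in the thread;
# the structure mirrors `trivy image --format json`, it is not captured output.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "confluentinc/cp-kafka-connect:7.6.1",
    "Results": [
        {"Target": "confluentinc/cp-kafka-connect:7.6.1 (redhat 8.9)",
         "Class": "os-pkgs", "Type": "redhat",
         "Vulnerabilities": [
             _v("CVE-2024-2961", "glibc", "2.28-236.el8_9.12", "2.28-251.el8_10.1", "HIGH"),
             _v("CVE-2024-2961", "glibc-common", "2.28-236.el8_9.12", "2.28-251.el8_10.1", "HIGH"),
             _v("CVE-2024-2961", "glibc-minimal-langpack", "2.28-236.el8_9.12", "2.28-251.el8_10.1", "HIGH"),
             _v("CVE-2024-33599", "glibc", "2.28-236.el8_9.12", "2.28-251.el8_10.2", "HIGH"),
             _v("CVE-2023-6597", "platform-python", "3.6.8-56.el8_9.3", "3.6.8-62.el8_10", "HIGH"),
             _v("CVE-2023-6597", "python3-libs", "3.6.8-56.el8_9.3", "3.6.8-62.el8_10", "HIGH"),
             # No vendor fix: must be reported but must not block the build.
             _v("CVE-2021-20266", "rpm", "4.14.3-13.el8", "", "LOW"),
         ]},
        {"Target": "usr/share/java/kafka/jetty-server-9.4.40.v20210413.jar",
         "Class": "lang-pkgs", "Type": "jar",
         "Vulnerabilities": [
             _v("CVE-2019-10247", "org.eclipse.jetty:jetty-server", "9.4.40.v20210413", "", "MEDIUM"),
         ]},
    ],
})


def fixable(vuln):
    """True when the distro ships a fix, i.e. what --ignore-unfixed keeps."""
    return vuln.get("Status") == "fixed" or bool(vuln.get("FixedVersion"))


def blocking_findings(report_json, classes=("os-pkgs",), severities=BLOCKING):
    """Return {CVE: sorted package names} for fixable findings at or above the bar.

    Keyed by CVE on purpose: a single glibc erratum appears once per subpackage
    (glibc, glibc-common, glibc-minimal-langpack), which inflates raw counts.
    """
    report = json.loads(report_json)
    by_cve = defaultdict(set)
    for result in report.get("Results", []):
        if result.get("Class") not in classes:
            continue
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") in severities and fixable(vuln):
                by_cve[vuln["VulnerabilityID"]].add(vuln["PkgName"])
    return {cve: sorted(pkgs) for cve, pkgs in by_cve.items()}


def gate(report_json, allowlist=frozenset()):
    """Exit-code style verdict: 0 passes, 1 fails.

    `allowlist` holds CVE ids with a documented risk acceptance; keep it in
    version control next to the pipeline so exceptions are reviewable.
    """
    findings = {cve: pkgs for cve, pkgs in blocking_findings(report_json).items()
                if cve not in allowlist}
    for cve, pkgs in sorted(findings.items()):
        print(f"BLOCK {cve}: {', '.join(pkgs)}")
    return 1 if findings else 0


if __name__ == "__main__":
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(raw))
```

Running the scan with `--format json --output report.json` instead of `--ignore-unfixed` keeps the unfixed findings in the archived report for later triage while `gate.py report.json` still blocks only on what the base image could actually be updated to fix.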
janjwerner-confluent commented 1 month ago

@tpitale thank you for reaching out. We are still on the quarterly cadence. New images have been released addressing the issues listed above; unfortunately, the root cause is still there.