cruizba / ubuntu-dind

A Docker image based on Ubuntu to run Docker containers inside Docker containers
Apache License 2.0

CVEs found on trivy scan #14

Closed sathvikbu closed 1 year ago

sathvikbu commented 1 year ago

trivy image --ignore-unfixed cruizba/ubuntu-dind
2023-09-06T22:11:53.627+0530 INFO Vulnerability scanning is enabled
2023-09-06T22:11:53.627+0530 INFO Secret scanning is enabled
2023-09-06T22:11:53.627+0530 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-09-06T22:11:53.627+0530 INFO Please see also https://aquasecurity.github.io/trivy/v0.36/docs/secret/scanning/#recommendation for faster secret detection
2023-09-06T22:11:53.650+0530 INFO Detected OS: ubuntu
2023-09-06T22:11:53.650+0530 INFO Detecting Ubuntu vulnerabilities...
2023-09-06T22:11:53.655+0530 INFO Number of language-specific files: 2
2023-09-06T22:11:53.655+0530 INFO Detecting gobinary vulnerabilities...

cruizba/ubuntu-dind (ubuntu 20.04)

Total: 23 (UNKNOWN: 0, LOW: 14, MEDIUM: 9, HIGH: 0, CRITICAL: 0)

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| curl | CVE-2023-28321 | LOW | 7.68.0-1ubuntu2.18 | 7.68.0-1ubuntu2.19 | IDN wildcard match may lead to Improper Certificate Validation (https://avd.aquasec.com/nvd/cve-2023-28321) |
| curl | CVE-2023-28322 | LOW | 7.68.0-1ubuntu2.18 | 7.68.0-1ubuntu2.19 | more POST-after-PUT confusion (https://avd.aquasec.com/nvd/cve-2023-28322) |
| libcurl4 | CVE-2023-28321 | LOW | 7.68.0-1ubuntu2.18 | 7.68.0-1ubuntu2.19 | IDN wildcard match may lead to Improper Certificate Validation (https://avd.aquasec.com/nvd/cve-2023-28321) |
| libcurl4 | CVE-2023-28322 | LOW | 7.68.0-1ubuntu2.18 | 7.68.0-1ubuntu2.19 | more POST-after-PUT confusion (https://avd.aquasec.com/nvd/cve-2023-28322) |
| libncurses6 | CVE-2023-29491 | MEDIUM | 6.2-0ubuntu2 | 6.2-0ubuntu2.1 | Local users can trigger security-relevant memory corruption via malformed data (https://avd.aquasec.com/nvd/cve-2023-29491) |
| libncurses6 | CVE-2021-39537 | LOW | 6.2-0ubuntu2 | 6.2-0ubuntu2.1 | heap-based buffer overflow in `_nc_captoinfo()` in captoinfo.c (https://avd.aquasec.com/nvd/cve-2021-39537) |
| libncurses6 | CVE-2022-29458 | LOW | 6.2-0ubuntu2 | 6.2-0ubuntu2.1 | segfaulting OOB read (https://avd.aquasec.com/nvd/cve-2022-29458) |
| libncursesw6 | CVE-2023-29491 | MEDIUM | 6.2-0ubuntu2 | 6.2-0ubuntu2.1 | Local users can trigger security-relevant memory corruption via malformed data (https://avd.aquasec.com/nvd/cve-2023-29491) |
| libncursesw6 | CVE-2021-39537 | LOW | 6.2-0ubuntu2 | 6.2-0ubuntu2.1 | heap-based buffer overflow in `_nc_captoinfo()` in captoinfo.c (https://avd.aquasec.com/nvd/cve-2021-39537) |
| libncursesw6 | CVE-2022-29458 | LOW | 6.2-0ubuntu2 | 6.2-0ubuntu2.1 | segfaulting OOB read (https://avd.aquasec.com/nvd/cve-2022-29458) |
| libtinfo6 | CVE-2023-29491 | MEDIUM | 6.2-0ubuntu2 | 6.2-0ubuntu2.1 | Local users can trigger security-relevant memory corruption via malformed data (https://avd.aquasec.com/nvd/cve-2023-29491) |
| libtinfo6 | CVE-2021-39537 | LOW | 6.2-0ubuntu2 | 6.2-0ubuntu2.1 | heap-based buffer overflow in `_nc_captoinfo()` in captoinfo.c (https://avd.aquasec.com/nvd/cve-2021-39537) |
| libtinfo6 | CVE-2022-29458 | LOW | 6.2-0ubuntu2 | 6.2-0ubuntu2.1 | segfaulting OOB read (https://avd.aquasec.com/nvd/cve-2022-29458) |
| libx11-6 | CVE-2023-3138 | MEDIUM | 2:1.6.9-2ubuntu1.2 | 2:1.6.9-2ubuntu1.5 | InitExt.c can overwrite unintended portions of the Display structure if the extension... (https://avd.aquasec.com/nvd/cve-2023-3138) |
| libx11-data | CVE-2023-3138 | MEDIUM | 2:1.6.9-2ubuntu1.2 | 2:1.6.9-2ubuntu1.5 | InitExt.c can overwrite unintended portions of the Display structure if the extension... (https://avd.aquasec.com/nvd/cve-2023-3138) |
| ncurses-base | CVE-2023-29491 | MEDIUM | 6.2-0ubuntu2 | 6.2-0ubuntu2.1 | Local users can trigger security-relevant memory corruption via malformed data (https://avd.aquasec.com/nvd/cve-2023-29491) |
| ncurses-base | CVE-2021-39537 | LOW | 6.2-0ubuntu2 | 6.2-0ubuntu2.1 | heap-based buffer overflow in `_nc_captoinfo()` in captoinfo.c (https://avd.aquasec.com/nvd/cve-2021-39537) |
| ncurses-base | CVE-2022-29458 | LOW | 6.2-0ubuntu2 | 6.2-0ubuntu2.1 | segfaulting OOB read (https://avd.aquasec.com/nvd/cve-2022-29458) |
| ncurses-bin | CVE-2023-29491 | MEDIUM | 6.2-0ubuntu2 | 6.2-0ubuntu2.1 | Local users can trigger security-relevant memory corruption via malformed data (https://avd.aquasec.com/nvd/cve-2023-29491) |
| ncurses-bin | CVE-2021-39537 | LOW | 6.2-0ubuntu2 | 6.2-0ubuntu2.1 | heap-based buffer overflow in `_nc_captoinfo()` in captoinfo.c (https://avd.aquasec.com/nvd/cve-2021-39537) |
| ncurses-bin | CVE-2022-29458 | LOW | 6.2-0ubuntu2 | 6.2-0ubuntu2.1 | segfaulting OOB read (https://avd.aquasec.com/nvd/cve-2022-29458) |
| openssh-client | CVE-2023-38408 | MEDIUM | 1:8.2p1-4ubuntu0.7 | 1:8.2p1-4ubuntu0.8 | Remote code execution in ssh-agent PKCS#11 support (https://avd.aquasec.com/nvd/cve-2023-38408) |
| perl-base | CVE-2023-31484 | MEDIUM | 5.30.0-9ubuntu0.3 | 5.30.0-9ubuntu0.4 | CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over... (https://avd.aquasec.com/nvd/cve-2023-31484) |

usr/local/bin/docker-compose (gobinary)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| github.com/docker/distribution | CVE-2023-2253 | HIGH | v2.8.1+incompatible | 2.8.2-beta.1 | DoS from malicious API request (https://avd.aquasec.com/nvd/cve-2023-2253) |

usr/local/lib/docker/cli-plugins/docker-buildx (gobinary)

Total: 8 (UNKNOWN: 0, LOW: 1, MEDIUM: 4, HIGH: 3, CRITICAL: 0)

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| github.com/containerd/containerd | CVE-2023-25153 | MEDIUM | v1.6.16-0.20230124210447-1709cfe273d9 | 1.5.18, 1.6.18 | OCI image importer memory exhaustion (https://avd.aquasec.com/nvd/cve-2023-25153) |
| github.com/containerd/containerd | CVE-2023-25173 | MEDIUM | v1.6.16-0.20230124210447-1709cfe273d9 | 1.5.18, 1.6.18 | Supplementary groups are not set up properly (https://avd.aquasec.com/nvd/cve-2023-25173) |
| github.com/docker/distribution | CVE-2023-2253 | HIGH | v2.8.1+incompatible | 2.8.2-beta.1 | DoS from malicious API request (https://avd.aquasec.com/nvd/cve-2023-2253) |
| github.com/moby/buildkit | CVE-2023-26054 | MEDIUM | v0.11.2 | 0.11.4 | Data disclosure in provenance attestation describing a build (https://avd.aquasec.com/nvd/cve-2023-26054) |
| github.com/opencontainers/runc | CVE-2023-27561 | HIGH | v1.1.3 | 1.1.5 | volume mount race condition (regression of CVE-2019-19921) (https://avd.aquasec.com/nvd/cve-2023-27561) |
| github.com/opencontainers/runc | CVE-2023-28642 | MEDIUM | v1.1.3 | 1.1.5 | AppArmor can be bypassed when /proc inside the container is symlinked with... (https://avd.aquasec.com/nvd/cve-2023-28642) |
| github.com/opencontainers/runc | CVE-2023-25809 | LOW | v1.1.3 | 1.1.5 | Rootless runc makes /sys/fs/cgroup writable (https://avd.aquasec.com/nvd/cve-2023-25809) |
| golang.org/x/net | CVE-2022-41723 | HIGH | v0.4.0 | 0.7.0 | avoid quadratic complexity in HPACK decoding (https://avd.aquasec.com/nvd/cve-2022-41723) |

cruizba commented 1 year ago

I've updated the images with new Docker, buildx and compose versions. Even the latest image is now Ubuntu 22.04.

Check it out.

cruizba commented 1 year ago

This is the result for the latest image on 11 September 2023:

2023-09-11T01:33:25.059+0200    INFO    Vulnerability scanning is enabled
2023-09-11T01:33:25.059+0200    INFO    Secret scanning is enabled
2023-09-11T01:33:25.059+0200    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-09-11T01:33:25.059+0200    INFO    Please see also https://aquasecurity.github.io/trivy/v0.45/docs/scanner/secret/#recommendation for faster secret detection
2023-09-11T01:33:53.861+0200    INFO    Detected OS: ubuntu
2023-09-11T01:33:53.861+0200    INFO    Detecting Ubuntu vulnerabilities...
2023-09-11T01:33:53.864+0200    INFO    Number of language-specific files: 4
2023-09-11T01:33:53.864+0200    INFO    Detecting gobinary vulnerabilities...

cruizba/ubuntu-dind (ubuntu 22.04)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

usr/local/bin/dockerd (gobinary)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌───────────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│                Library                │    Vulnerability    │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├───────────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/cyphar/filepath-securejoin │ GHSA-6xv5-86q9-7xr8 │ MEDIUM   │ fixed  │ v0.2.3            │ 0.2.4         │ SecureJoin: on windows, paths outside of the rootfs could be │
│                                       │                     │          │        │                   │               │ inadvertently produced...                                    │
│                                       │                     │          │        │                   │               │ https://github.com/advisories/GHSA-6xv5-86q9-7xr8            │
└───────────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

It is a CVE in the docker binary, in a library they use on Windows systems. I will try to keep images up to date, so this issue can be closed.
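The two scans in this thread show why a DinD image needs more than an up-to-date base OS: the Ubuntu 22.04 layer came back clean while the statically linked Go binaries (dockerd, docker-compose, the buildx plugin) still carried findings. The script below is an added example written for this thread, not code from the ubuntu-dind project. It consumes Trivy's JSON output (`trivy image -f json --output report.json <image>`) and reproduces what the text tables above do by hand: it drops findings with no fixed version (what `--ignore-unfixed` does), prints a per-target "Total:" line, lists which targets are Go binaries, and fails at a chosen severity so it can gate a CI job. The only assumptions are the Trivy JSON field names (Results[].Target / Type and Vulnerabilities[].VulnerabilityID / PkgName / InstalledVersion / FixedVersion / Severity). The report it parses is constructed inline from the findings quoted in this thread plus one clearly marked placeholder entry with no fixed version, so it runs offline.

```python
"""Gate a Trivy JSON report: emulate --ignore-unfixed, print per-target
totals, separate OS-package targets from gobinary targets, and fail the
build at a severity threshold.

Added example for this issue thread, not code from the ubuntu-dind project.
Assumes only the Trivy JSON schema field names; the sample report below is
constructed, not a real scan.
"""
import json
from collections import Counter

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
SEVERITY_RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}

# Constructed sample report. The two real findings are quoted in this
# thread; "CVE-0000-0000" is a placeholder (not a real ID) for a finding
# with no fixed version, included only to show what --ignore-unfixed drops.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "cruizba/ubuntu-dind",
    "Results": [
        {"Target": "cruizba/ubuntu-dind (ubuntu 22.04)", "Class": "os-pkgs",
         "Type": "ubuntu", "Vulnerabilities": []},
        {"Target": "usr/local/bin/dockerd", "Class": "lang-pkgs",
         "Type": "gobinary", "Vulnerabilities": [
             {"VulnerabilityID": "GHSA-6xv5-86q9-7xr8",
              "PkgName": "github.com/cyphar/filepath-securejoin",
              "InstalledVersion": "v0.2.3", "FixedVersion": "0.2.4",
              "Severity": "MEDIUM"}]},
        {"Target": "usr/local/bin/docker-compose", "Class": "lang-pkgs",
         "Type": "gobinary", "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2023-2253",
              "PkgName": "github.com/docker/distribution",
              "InstalledVersion": "v2.8.1+incompatible",
              "FixedVersion": "2.8.2-beta.1", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0000",  # placeholder, unfixed
              "PkgName": "example.invalid/placeholder",
              "InstalledVersion": "v0.1.0", "FixedVersion": "",
              "Severity": "HIGH"}]},
    ],
})


def load_report(report_json):
    """Return (targets, findings): target names in scan order, and one flat
    dict per finding tagged with the Target and scanner Type it came from."""
    report = json.loads(report_json)
    targets, findings = [], []
    for result in report.get("Results", []):
        targets.append(result["Target"])
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({"Target": result["Target"],
                             "Type": result.get("Type", ""), **vuln})
    return targets, findings


def is_fixable(finding):
    """Trivy leaves FixedVersion empty when no fixed package exists yet;
    --ignore-unfixed drops exactly those rows."""
    return bool(finding.get("FixedVersion"))


def totals_line(findings):
    """Render Trivy's 'Total: N (UNKNOWN: .., LOW: .., ...)' header."""
    counts = Counter(f.get("Severity", "UNKNOWN").upper() for f in findings)
    parts = ", ".join(f"{s}: {counts.get(s, 0)}" for s in SEVERITY_ORDER)
    return f"Total: {len(findings)} ({parts})"


def gate(report_json, fail_on="HIGH", ignore_unfixed=True):
    """Return a verdict: per-target totals, the gobinary targets, the
    findings at or above fail_on, and whether the image passes."""
    targets, findings = load_report(report_json)
    if ignore_unfixed:
        findings = [f for f in findings if is_fixable(f)]
    threshold = SEVERITY_RANK[fail_on.upper()]
    failing = [f for f in findings
               if SEVERITY_RANK.get(f.get("Severity", "UNKNOWN").upper(), 0)
               >= threshold]
    per_target = {t: [] for t in targets}  # keep empty targets (Total: 0)
    for f in findings:
        per_target[f["Target"]].append(f)
    return {
        "passed": not failing,
        "failing": failing,
        "gobinary_targets": sorted({f["Target"] for f in findings
                                    if f["Type"] == "gobinary"}),
        "totals": {t: totals_line(rows) for t, rows in per_target.items()},
    }


if __name__ == "__main__":
    verdict = gate(SAMPLE_REPORT)
    for target, line in verdict["totals"].items():
        print(f"{target}\n  {line}")
    for f in verdict["failing"]:
        print(f"FAIL {f['VulnerabilityID']} {f['PkgName']} "
              f"{f['InstalledVersion']} -> {f['FixedVersion']} in {f['Target']}")
    raise SystemExit(0 if verdict["passed"] else 1)
```

In CI, replace `SAMPLE_REPORT` with the contents of the JSON file Trivy wrote and use the exit status as the job result. Leaving `ignore_unfixed` on keeps the gate actionable (every failure has a version to upgrade to), which matches the command used in this thread; turn it off when you want unfixed findings visible in the totals as well.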