dhiaayachi / temporal

Temporal service
https://docs.temporal.io
MIT License

Addressing a lot of security vulnerabilities in the latest Temporal admin-tools release 1.23.0 #159

Open dhiaayachi opened 2 months ago

dhiaayachi commented 2 months ago

Expected Behavior

There is no CVE found in the temporalio/admin-tools image.

Actual Behavior

There are 30 vulnerabilities found for image temporalio/admin-tools:1.23.0, including 7 high, 20 medium and 3 low CVEs.

Scan results:

Scan results for: image temporalio/admin-tools:1.23.0 sha256:eea33c3a95cb7a67f4b10020f04f5fbd9ef4ead7e02c0945ba3e39b5cac30dfd
Vulnerabilities
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
|       CVE        | SEVERITY | CVSS |                                   PACKAGE                                   |                VERSION                |             STATUS              | PUBLISHED  | DISCOVERED |                    DESCRIPTION                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| PRISMA-2022-0168 | high     | 7.80 | pip                                                                         | 24.0                                  | open                            | > 1 years  | < 1 hour   | An issue was discovered in pip (all versions)      |
|                  |          |      |                                                                             |                                       |                                 |            |            | because it installs the version with the highest   |
|                  |          |      |                                                                             |                                       |                                 |            |            | version number, even if the user had intended to   |
|                  |          |      |                                                                             |                                       |                                 |            |            | obtain...                                          |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-47108   | high     | 7.50 | go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc | v0.42.0                               | fixed in 0.46.0                 | > 5 months | < 1 hour   | OpenTelemetry-Go Contrib is a collection of        |
|                  |          |      |                                                                             |                                       | > 5 months ago                  |            |            | third-party packages for OpenTelemetry-Go.         |
|                  |          |      |                                                                             |                                       |                                 |            |            | Prior to version 0.46.0, the grpc Unary Server     |
|                  |          |      |                                                                             |                                       |                                 |            |            | Interceptor out ...                                |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-47108   | high     | 7.50 | go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc | v0.36.4                               | fixed in 0.46.0                 | > 5 months | < 1 hour   | OpenTelemetry-Go Contrib is a collection of        |
|                  |          |      |                                                                             |                                       | > 5 months ago                  |            |            | third-party packages for OpenTelemetry-Go.         |
|                  |          |      |                                                                             |                                       |                                 |            |            | Prior to version 0.46.0, the grpc Unary Server     |
|                  |          |      |                                                                             |                                       |                                 |            |            | Interceptor out ...                                |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-39325   | high     | 7.50 | golang.org/x/net/http2                                                      | v0.7.0                                | fixed in 0.17.0                 | > 6 months | < 1 hour   | A malicious HTTP/2 client which rapidly creates    |
|                  |          |      |                                                                             |                                       | 52 days ago                     |            |            | requests and immediately resets them can cause     |
|                  |          |      |                                                                             |                                       |                                 |            |            | excessive server resource consumption. While the   |
|                  |          |      |                                                                             |                                       |                                 |            |            | total ...                                          |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-44487   | high     | 5.30 | golang.org/x/net                                                            | v0.7.0                                | fixed in 0.17.0                 | > 6 months | < 1 hour   | The HTTP/2 protocol allows a denial of service     |
|                  |          |      |                                                                             |                                       | > 6 months ago                  |            |            | (server resource consumption) because request      |
|                  |          |      |                                                                             |                                       |                                 |            |            | cancellation can reset many streams quickly, as    |
|                  |          |      |                                                                             |                                       |                                 |            |            | exploited...                                       |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-44487   | high     | 5.30 | golang.org/x/net                                                            | v0.15.0                               | fixed in 0.17.0                 | > 6 months | < 1 hour   | The HTTP/2 protocol allows a denial of service     |
|                  |          |      |                                                                             |                                       | > 6 months ago                  |            |            | (server resource consumption) because request      |
|                  |          |      |                                                                             |                                       |                                 |            |            | cancellation can reset many streams quickly, as    |
|                  |          |      |                                                                             |                                       |                                 |            |            | exploited...                                       |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-44487   | high     | 5.30 | google.golang.org/grpc                                                      | v1.53.0                               | fixed in 1.58.3, 1.57.1, 1.56.3 | > 6 months | < 1 hour   | The HTTP/2 protocol allows a denial of service     |
|                  |          |      |                                                                             |                                       | > 5 months ago                  |            |            | (server resource consumption) because request      |
|                  |          |      |                                                                             |                                       |                                 |            |            | cancellation can reset many streams quickly, as    |
|                  |          |      |                                                                             |                                       |                                 |            |            | exploited...                                       |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| PRISMA-2023-0056 | medium   | 6.20 | github.com/sirupsen/logrus                                                  | v1.9.0                                | fixed in v1.9.3                 | > 1 years  | < 1 hour   | The github.com/sirupsen/logrus module of all       |
|                  |          |      |                                                                             |                                       | > 1 years ago                   |            |            | versions is vulnerable to denial of service.       |
|                  |          |      |                                                                             |                                       |                                 |            |            | Logging more than 64kb of data in a single entry   |
|                  |          |      |                                                                             |                                       |                                 |            |            | without new...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2022-40897   | medium   | 5.90 | setuptools                                                                  | 65.5.0                                | fixed in 65.5.1                 | > 1 years  | < 1 hour   | Python Packaging Authority (PyPA) setuptools       |
|                  |          |      |                                                                             |                                       | > 1 years ago                   |            |            | before 65.5.1 allows remote attackers to cause a   |
|                  |          |      |                                                                             |                                       |                                 |            |            | denial of service via HTML in a crafted package or |
|                  |          |      |                                                                             |                                       |                                 |            |            | custo...                                           |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-6992    | medium   | 5.50 | zlib                                                                        | 1.3.1-r0                              |                                 | > 3 months | < 1 hour   | Cloudflare version of zlib library was found       |
|                  |          |      |                                                                             |                                       |                                 |            |            | to be vulnerable to memory corruption issues       |
|                  |          |      |                                                                             |                                       |                                 |            |            | affecting the deflation algorithm implementation   |
|                  |          |      |                                                                             |                                       |                                 |            |            | (deflate.c)...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42366   | medium   | 5.50 | busybox                                                                     | 1.36.1                                |                                 | > 4 months | < 1 hour   | A heap-buffer-overflow was discovered in BusyBox   |
|                  |          |      |                                                                             |                                       |                                 |            |            | v.1.36.1 in the next_token function at awk.c:1159. |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42365   | medium   | 5.50 | busybox                                                                     | 1.36.1                                |                                 | > 4 months | < 1 hour   | A use-after-free vulnerability was discovered in   |
|                  |          |      |                                                                             |                                       |                                 |            |            | BusyBox v.1.36.1 via a crafted awk pattern in the  |
|                  |          |      |                                                                             |                                       |                                 |            |            | awk.c copyvar function.                            |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42364   | medium   | 5.50 | busybox                                                                     | 1.36.1                                |                                 | > 4 months | < 1 hour   | A use-after-free vulnerability in BusyBox v.1.36.1 |
|                  |          |      |                                                                             |                                       |                                 |            |            | allows attackers to cause a denial of service      |
|                  |          |      |                                                                             |                                       |                                 |            |            | via a crafted awk pattern in the awk.c evaluate    |
|                  |          |      |                                                                             |                                       |                                 |            |            | funct...                                           |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42363   | medium   | 5.50 | busybox                                                                     | 1.36.1                                |                                 | > 4 months | < 1 hour   | A use-after-free vulnerability was discovered      |
|                  |          |      |                                                                             |                                       |                                 |            |            | in xasprintf function in xfuncs_printf.c:344 in    |
|                  |          |      |                                                                             |                                       |                                 |            |            | BusyBox v.1.36.1.                                  |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-2435    | moderate | 4.30 | github.com/temporalio/ui-server/v2                                          | v2.21.3                               | fixed in 2.25.0                 | 14 days    | < 1 hour   | For an attacker with pre-existing access to send   |
|                  |          |      |                                                                             |                                       | 14 days ago                     |            |            | a signal to a workflow, the attacker can make the  |
|                  |          |      |                                                                             |                                       |                                 |            |            | signal name a script that executes when a victim   |
|                  |          |      |                                                                             |                                       |                                 |            |            | vi...                                              |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-28180   | moderate | 0.00 | gopkg.in/square/go-jose.v2                                                  | v2.6.0                                | fixed in                        | 39 days    | < 1 hour   | Package jose aims to provide an implementation     |
|                  |          |      |                                                                             |                                       | 32 days ago                     |            |            | of the Javascript Object Signing and Encryption    |
|                  |          |      |                                                                             |                                       |                                 |            |            | set of standards. An attacker could send a JWE     |
|                  |          |      |                                                                             |                                       |                                 |            |            | containi...                                        |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-27304   | moderate | 0.00 | github.com/jackc/pgx/v5/internal/sanitize                                   | v5.4.3                                | fixed in 5.5.4                  | 42 days    | < 1 hour   | pgx: SQL Injection via Protocol Message Size       |
|                  |          |      |                                                                             |                                       | 33 days ago                     |            |            | Overflow                                           |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-27304   | moderate | 0.00 | github.com/jackc/pgx/v5/pgconn                                              | v5.4.3                                | fixed in 5.5.4                  | 42 days    | < 1 hour   | pgx: SQL Injection via Protocol Message Size       |
|                  |          |      |                                                                             |                                       | 33 days ago                     |            |            | Overflow                                           |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-27304   | moderate | 0.00 | github.com/jackc/pgx/v5/pgproto3                                            | v5.4.3                                | fixed in 5.5.4                  | 42 days    | < 1 hour   | pgx: SQL Injection via Protocol Message Size       |
|                  |          |      |                                                                             |                                       | 33 days ago                     |            |            | Overflow                                           |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/encoding/protojson                               | v1.28.1                               | fixed in 1.33.0                 | 42 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                                             |                                       | 42 days ago                     |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                                             |                                       |                                 |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                                             |                                       |                                 |            |            | unmarshalin...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/internal/encoding/json                           | v1.31.0                               | fixed in 1.33.0                 | 42 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                                             |                                       | 42 days ago                     |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                                             |                                       |                                 |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                                             |                                       |                                 |            |            | unmarshalin...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/encoding/protojson                               | v1.31.0                               | fixed in 1.33.0                 | 42 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                                             |                                       | 42 days ago                     |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                                             |                                       |                                 |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                                             |                                       |                                 |            |            | unmarshalin...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/internal/encoding/json                           | v1.28.1                               | fixed in 1.33.0                 | 42 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                                             |                                       | 42 days ago                     |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                                             |                                       |                                 |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                                             |                                       |                                 |            |            | unmarshalin...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | golang.org/x/net/http2                                                      | v0.22.0                               | fixed in 0.23.0                 | 12 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                                                             |                                       | 12 days ago                     |            |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                                                             |                                       |                                 |            |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                                                             |                                       |                                 |            |            | Maintaining H...                                   |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | golang.org/x/net/http2                                                      | v0.7.0                                | fixed in 0.23.0                 | 12 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                                                             |                                       | 12 days ago                     |            |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                                                             |                                       |                                 |            |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                                                             |                                       |                                 |            |            | Maintaining H...                                   |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | golang.org/x/net/http2                                                      | v0.18.0                               | fixed in 0.23.0                 | 12 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                                                             |                                       | 12 days ago                     |            |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                                                             |                                       |                                 |            |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                                                             |                                       |                                 |            |            | Maintaining H...                                   |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | net/http                                                                    | 1.22.1                                | fixed in 1.21.9, 1.22.2         | 12 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                                                             |                                       | 12 days ago                     |            |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                                                             |                                       |                                 |            |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                                                             |                                       |                                 |            |            | Maintaining H...                                   |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-3485    | low      | 3.00 | go.temporal.io/server                                                       | v1.18.1-0.20230217005328-b313b7f58641 | fixed in 1.20.0                 | > 9 months | < 1 hour   | Insecure defaults in open-source Temporal Server   |
|                  |          |      |                                                                             |                                       | > 9 months ago                  |            |            | before version 1.20 on all platforms allows an     |
|                  |          |      |                                                                             |                                       |                                 |            |            | attacker to craft a task token with access to a    |
|                  |          |      |                                                                             |                                       |                                 |            |            | namesp...                                          |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-25629   | low      | 0.00 | c-ares                                                                      | 1.24.0-r1                             | fixed in 1.27.0-r0              | 53 days    | < 1 hour   | c-ares is a C library for asynchronous DNS         |
|                  |          |      |                                                                             |                                       | 22 days ago                     |            |            | requests. `ares__read_line()` is used to           |
|                  |          |      |                                                                             |                                       |                                 |            |            | parse local configuration files such as            |
|                  |          |      |                                                                             |                                       |                                 |            |            | `/etc/resolv.conf`, `/etc/...                      |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-2511    | low      | 0.00 | openssl                                                                     | 3.1.4-r5                              | fixed in 3.1.4-r6               | n/a        | < 1 hour   | Issue summary: Some non-default TLS server         |
|                  |          |      |                                                                             |                                       | 7 days ago                      |            |            | configurations can cause unbounded memory growth   |
|                  |          |      |                                                                             |                                       |                                 |            |            | when processing TLSv1.3 sessions  Impact summary:  |
|                  |          |      |                                                                             |                                       |                                 |            |            | An attac...                                        |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+

Vulnerabilities found for image temporalio/admin-tools:1.23.0: total - 30, critical - 0, high - 7, medium - 20, low - 3
Vulnerability threshold check results: PASS

Compliance found for image temporalio/admin-tools:1.23.0: total - 0, critical - 0, high - 0, medium - 0, low - 0
Compliance threshold check results: PASS

Steps to Reproduce the Problem

  1. Pull the latest image temporalio/admin-tools:1.23.0 from Docker Hub
  2. Scan the image with any vulnerability scanner

Specifications

dhiaayachi commented 1 month ago

Expected Behavior

There should be no vulnerabilities found in the temporalio/admin-tools image.

Actual Behavior

There are 30 vulnerabilities found for image temporalio/admin-tools:1.23.0, including 7 high, 20 medium and 3 low CVEs.

Scan Results

Scan results for: image temporalio/admin-tools:1.23.0 sha256:eea33c3a95cb7a67f4b10020f04f5fbd9ef4ead7e02c0945ba3e39b5cac30dfd
Vulnerabilities
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
|       CVE        | SEVERITY | CVSS |                                   PACKAGE                                   |                VERSION                |             STATUS              | PUBLISHED  | DISCOVERED |                    DESCRIPTION                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| PRISMA-2022-0168 | high     | 7.80 | pip                                                                         | 24.0                                  | open                            | > 1 years  | < 1 hour   | An issue was discovered in pip (all versions)      |
|                  |          |      |                                                                             |                                       |                                 |            |            | because it installs the version with the highest   |
|                  |          |      |                                                                             |                                       |                                 |            |            | version number, even if the user had intended to   |
|                  |          |      |                                                                             |                                       |                                 |            |            | obtain...                                          |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-47108   | high     | 7.50 | go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc | v0.42.0                               | fixed in 0.46.0                 | > 5 months | < 1 hour   | OpenTelemetry-Go Contrib is a collection of        |
|                  |          |      |                                                                             |                                       | > 5 months ago                  |            |            | third-party packages for OpenTelemetry-Go.         |
|                  |          |      |                                                                             |                                       |                                 |            |            | Prior to version 0.46.0, the grpc Unary Server     |
|                  |          |      |                                                                             |                                       |                                 |            |            | Interceptor out ...                                |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-47108   | high     | 7.50 | go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc | v0.36.4                               | fixed in 0.46.0                 | > 5 months | < 1 hour   | OpenTelemetry-Go Contrib is a collection of        |
|                  |          |      |                                                                             |                                       | > 5 months ago                  |            |            | third-party packages for OpenTelemetry-Go.         |
|                  |          |      |                                                                             |                                       |                                 |            |            | Prior to version 0.46.0, the grpc Unary Server     |
|                  |          |      |                                                                             |                                       |                                 |            |            | Interceptor out ...                                |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-39325   | high     | 7.50 | golang.org/x/net/http2                                                      | v0.7.0                                | fixed in 0.17.0                 | > 6 months | < 1 hour   | A malicious HTTP/2 client which rapidly creates    |
|                  |          |      |                                                                             |                                       | 52 days ago                     |            |            | requests and immediately resets them can cause     |
|                  |          |      |                                                                             |                                       |                                 |            |            | excessive server resource consumption. While the   |
|                  |          |      |                                                                             |                                       |                                 |            |            | total ...                                          |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-44487   | high     | 5.30 | golang.org/x/net                                                            | v0.7.0                                | fixed in 0.17.0                 | > 6 months | < 1 hour   | The HTTP/2 protocol allows a denial of service     |
|                  |          |      |                                                                             |                                       | > 6 months ago                  |            |            | (server resource consumption) because request      |
|                  |          |      |                                                                             |                                       |                                 |            |            | cancellation can reset many streams quickly, as    |
|                  |          |      |                                                                             |                                       |                                 |            |            | exploited...                                       |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-44487   | high     | 5.30 | golang.org/x/net                                                            | v0.15.0                               | fixed in 0.17.0                 | > 6 months | < 1 hour   | The HTTP/2 protocol allows a denial of service     |
|                  |          |      |                                                                             |                                       | > 6 months ago                  |            |            | (server resource consumption) because request      |
|                  |          |      |                                                                             |                                       |                                 |            |            | cancellation can reset many streams quickly, as    |
|                  |          |      |                                                                             |                                       |                                 |            |            | exploited...                                       |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-44487   | high     | 5.30 | google.golang.org/grpc                                                      | v1.53.0                               | fixed in 1.58.3, 1.57.1, 1.56.3 | > 6 months | < 1 hour   | The HTTP/2 protocol allows a denial of service     |
|                  |          |      |                                                                             |                                       | > 5 months ago                  |            |            | (server resource consumption) because request      |
|                  |          |      |                                                                             |                                       |                                 |            |            | cancellation can reset many streams quickly, as    |
|                  |          |      |                                                                             |                                       |                                 |            |            | exploited...                                       |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| PRISMA-2023-0056 | medium   | 6.20 | github.com/sirupsen/logrus                                                  | v1.9.0                                | fixed in v1.9.3                 | > 1 years  | < 1 hour   | The github.com/sirupsen/logrus module of all       |
|                  |          |      |                                                                             |                                       | > 1 years ago                   |            |            | versions is vulnerable to denial of service.       |
|                  |          |      |                                                                             |                                       |                                 |            |            | Logging more than 64kb of data in a single entry   |
|                  |          |      |                                                                             |                                       |                                 |            |            | without new...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2022-40897   | medium   | 5.90 | setuptools                                                                  | 65.5.0                                | fixed in 65.5.1                 | > 1 years  | < 1 hour   | Python Packaging Authority (PyPA) setuptools       |
|                  |          |      |                                                                             |                                       | > 1 years ago                   |            |            | before 65.5.1 allows remote attackers to cause a   |
|                  |          |      |                                                                             |                                       |                                 |            |            | denial of service via HTML in a crafted package or |
|                  |          |      |                                                                             |                                       |                                 |            |            | custo...                                           |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-6992    | medium   | 5.50 | zlib                                                                        | 1.3.1-r0                              |                                 | > 3 months | < 1 hour   | Cloudflare version of zlib library was found       |
|                  |          |      |                                                                             |                                       |                                 |            |            | to be vulnerable to memory corruption issues       |
|                  |          |      |                                                                             |                                       |                                 |            |            | affecting the deflation algorithm implementation   |
|                  |          |      |                                                                             |                                       |                                 |            |            | (deflate.c)...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42366   | medium   | 5.50 | busybox                                                                     | 1.36.1                                |                                 | > 4 months | < 1 hour   | A heap-buffer-overflow was discovered in BusyBox   |
|                  |          |      |                                                                             |                                       |                                 |            |            | v.1.36.1 in the next_token function at awk.c:1159. |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42365   | medium   | 5.50 | busybox                                                                     | 1.36.1                                |                                 | > 4 months | < 1 hour   | A use-after-free vulnerability was discovered in   |
|                  |          |      |                                                                             |                                       |                                 |            |            | BusyBox v.1.36.1 via a crafted awk pattern in the  |
|                  |          |      |                                                                             |                                       |                                 |            |            | awk.c copyvar function.                            |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42364   | medium   | 5.50 | busybox                                                                     | 1.36.1                                |                                 | > 4 months | < 1 hour   | A use-after-free vulnerability in BusyBox v.1.36.1 |
|                  |          |      |                                                                             |                                       |                                 |            |            | allows attackers to cause a denial of service      |
|                  |          |      |                                                                             |                                       |                                 |            |            | via a crafted awk pattern in the awk.c evaluate    |
|                  |          |      |                                                                             |                                       |                                 |            |            | funct...                                           |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42363   | medium   | 5.50 | busybox                                                                     | 1.36.1                                |                                 | > 4 months | < 1 hour   | A use-after-free vulnerability was discovered      |
|                  |          |      |                                                                             |                                       |                                 |            |            | in xasprintf function in xfuncs_printf.c:344 in    |
|                  |          |      |                                                                             |                                       |                                 |            |            | BusyBox v.1.36.1.                                  |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-2435    | moderate | 4.30 | github.com/temporalio/ui-server/v2                                          | v2.21.3                               | fixed in 2.25.0                 | 14 days    | < 1 hour   | For an attacker with pre-existing access to send   |
|                  |          |      |                                                                             |                                       | 14 days ago                     |            |            | a signal to a workflow, the attacker can make the  |
|                  |          |      |                                                                             |                                       |                                 |            |            | signal name a script that executes when a victim   |
|                  |          |      |                                                                             |                                       |                                 |            |            | vi...                                              |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-28180   | moderate | 0.00 | gopkg.in/square/go-jose.v2                                                  | v2.6.0                                | fixed in                        | 39 days    | < 1 hour   | Package jose aims to provide an implementation     |
|                  |          |      |                                                                             |                                       | 32 days ago                     |            |            | of the Javascript Object Signing and Encryption    |
|                  |          |      |                                                                             |                                       |                                 |            |            | set of standards. An attacker could send a JWE     |
|                  |          |      |                                                                             |                                       |                                 |            |            | containi...                                        |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-27304   | moderate | 0.00 | github.com/jackc/pgx/v5/internal/sanitize                                   | v5.4.3                                | fixed in 5.5.4                  | 42 days    | < 1 hour   | pgx: SQL Injection via Protocol Message Size       |
|                  |          |      |                                                                             |                                       | 33 days ago                     |            |            | Overflow                                           |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-27304   | moderate | 0.00 | github.com/jackc/pgx/v5/pgconn                                              | v5.4.3                                | fixed in 5.5.4                  | 42 days    | < 1 hour   | pgx: SQL Injection via Protocol Message Size       |
|                  |          |      |                                                                             |                                       | 33 days ago                     |            |            | Overflow                                           |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-27304   | moderate | 0.00 | github.com/jackc/pgx/v5/pgproto3                                            | v5.4.3                                | fixed in 5.5.4                  | 42 days    | < 1 hour   | pgx: SQL Injection via Protocol Message Size       |
|                  |          |      |                                                                             |                                       | 33 days ago                     |            |            | Overflow                                           |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/encoding/protojson                               | v1.28.1                               | fixed in 1.33.0                 | 42 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                                             |                                       | 42 days ago                     |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                                             |                                       |                                 |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                                             |                                       |                                 |            |            | unmarshalin...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/internal/encoding/json                           | v1.31.0                               | fixed in 1.33.0                 | 42 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                                             |                                       | 42 days ago                     |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                                             |                                       |                                 |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                                             |                                       |                                 |            |            | unmarshalin...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/encoding/protojson                               | v1.31.0                               | fixed in 1.33.0                 | 42 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                                             |                                       | 42 days ago                     |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                                             |                                       |                                 |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                                             |                                       |                                 |            |            | unmarshalin...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786   | moderate | 0.00 | google.golang.org/protobuf/internal/encoding/json                           | v1.28.1                               | fixed in 1.33.0                 | 42 days    | < 1 hour   | The protojson.Unmarshal function can enter an      |
|                  |          |      |                                                                             |                                       | 42 days ago                     |            |            | infinite loop when unmarshaling certain forms      |
|                  |          |      |                                                                             |                                       |                                 |            |            | of invalid JSON. This condition can occur when     |
|                  |          |      |                                                                             |                                       |                                 |            |            | unmarshalin...                                     |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | golang.org/x/net/http2                                                      | v0.22.0                               | fixed in 0.23.0                 | 12 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                                                             |                                       | 12 days ago                     |            |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                                                             |                                       |                                 |            |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                                                             |                                       |                                 |            |            | Maintaining H...                                   |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | golang.org/x/net/http2                                                      | v0.7.0                                | fixed in 0.23.0                 | 12 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                                                             |                                       | 12 days ago                     |            |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                                                             |                                       |                                 |            |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                                                             |                                       |                                 |            |            | Maintaining H...                                   |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | golang.org/x/net/http2                                                      | v0.18.0                               | fixed in 0.23.0                 | 12 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                                                             |                                       | 12 days ago                     |            |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                                                             |                                       |                                 |            |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                                                             |                                       |                                 |            |            | Maintaining H...                                   |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288   | moderate | 0.00 | net/http                                                                    | 1.22.1                                | fixed in 1.21.9, 1.22.2         | 12 days    | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                                                             |                                       | 12 days ago                     |            |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                                                             |                                       |                                 |            |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                                                             |                                       |                                 |            |            | Maintaining H...                                   |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-3485    | low      | 3.00 | go.temporal.io/server                                                       | v1.18.1-0.20230217005328-b313b7f58641 | fixed in 1.20.0                 | > 9 months | < 1 hour   | Insecure defaults in open-source Temporal Server   |
|                  |          |      |                                                                             |                                       | > 9 months ago                  |            |            | before version 1.20 on all platforms allows an     |
|                  |          |      |                                                                             |                                       |                                 |            |            | attacker to craft a task token with access to a    |
|                  |          |      |                                                                             |                                       |                                 |            |            | namesp...                                          |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-25629   | low      | 0.00 | c-ares                                                                      | 1.24.0-r1                             | fixed in 1.27.0-r0              | 53 days    | < 1 hour   | c-ares is a C library for asynchronous DNS         |
|                  |          |      |                                                                             |                                       | 22 days ago                     |            |            | requests. `ares__read_line()` is used to           |
|                  |          |      |                                                                             |                                       |                                 |            |            | parse local configuration files such as            |
|                  |          |      |                                                                             |                                       |                                 |            |            | `/etc/resolv.conf`, `/etc/...                      |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-2511    | low      | 0.00 | openssl                                                                     | 3.1.4-r5                              | fixed in 3.1.4-r6               | n/a        | < 1 hour   | Issue summary: Some non-default TLS server         |
|                  |          |      |                                                                             |                                       | 7 days ago                      |            |            | configurations can cause unbounded memory growth   |
|                  |          |      |                                                                             |                                       |                                 |            |            | when processing TLSv1.3 sessions  Impact summary:  |
|                  |          |      |                                                                             |                                       |                                 |            |            | An attac...                                        |
+------------------+----------+------+-----------------------------------------------------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+

Vulnerabilities found for image temporalio/admin-tools:1.23.0: total - 30, critical - 0, high - 7, medium - 20, low - 3
Vulnerability threshold check results: PASS

Compliance found for image temporalio/admin-tools:1.23.0: total - 0, critical - 0, high - 0, medium - 0, low - 0
Compliance threshold check results: PASS

Steps to Reproduce the Problem

  1. Pull the latest image temporalio/admin-tools:1.23.0 from Docker Hub
  2. Scan the image with any vulnerability scanner

Specifications

dhiaayachi commented 1 month ago

Thank you for reporting the issue. It looks like the temporalio/admin-tools image is using vulnerable versions of several packages. You can find possible solutions for updating the packages in the Vulnerability Database: https://nvd.nist.gov/.

You should update the vulnerable packages by building a new image based on the temporalio/admin-tools image, but using the updated versions of the vulnerable packages. This will ensure that the temporalio/admin-tools image is secure. You can use the docker build command to build a new image.

For more detailed information about securing your Docker containers, see the Docker documentation: https://docs.docker.com/
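To turn the scan table from the report into the list of packages and target versions that such a rebuild needs, the rows can be parsed and grouped by package. This is an added example, not part of the thread or of any Temporal tooling; `SAMPLE` is constructed from rows shown on this page with the column padding removed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: rows taken from the scan table on this page, padding removed.
SAMPLE = """\
| CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS | PUBLISHED | DISCOVERED | DESCRIPTION |
+-----+----------+------+---------+---------+--------+-----------+------------+-------------+
| PRISMA-2022-0168 | high | 7.80 | pip | 24.0 | open | > 1 years | < 1 hour | An issue was discovered in pip (all versions) |
| CVE-2024-27304 | moderate | 0.00 | github.com/jackc/pgx/v5/pgconn | v5.4.3 | fixed in 5.5.4 | 42 days | < 1 hour | pgx: SQL Injection via Protocol Message Size |
| | | | | | 33 days ago | | | Overflow |
| CVE-2023-45288 | moderate | 0.00 | golang.org/x/net/http2 | v0.22.0 | fixed in 0.23.0 | 12 days | < 1 hour | An attacker may cause an HTTP/2 endpoint to |
| CVE-2023-45288 | moderate | 0.00 | golang.org/x/net/http2 | v0.7.0 | fixed in 0.23.0 | 12 days | < 1 hour | An attacker may cause an HTTP/2 endpoint to |
| CVE-2023-45288 | moderate | 0.00 | net/http | 1.22.1 | fixed in 1.21.9, 1.22.2 | 12 days | < 1 hour | An attacker may cause an HTTP/2 endpoint to |
"""

def parse_rows(text):
    """Return one dict per finding, folding wrapped rows into the description."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # +---+ separators and summary lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 9 or cells[0] == "CVE":
            continue  # malformed row or the header row
        if cells[0]:  # a CVE id in column 1 starts a new finding
            findings.append({"cve": cells[0], "severity": cells[1],
                             "package": cells[3], "installed": cells[4],
                             "status": cells[5], "description": cells[8]})
        elif findings:  # continuation row: only the wrapped description matters
            findings[-1]["description"] += " " + cells[8]
    return findings

def upgrade_plan(findings):
    """Group fixable findings by package: installed versions, fixed versions, CVEs."""
    plan = defaultdict(lambda: {"installed": set(), "fixed_in": set(), "cves": set()})
    for f in findings:
        m = re.match(r"fixed in (.+)", f["status"])
        if not m:
            continue  # "open" findings have no fixed version to move to
        entry = plan[f["package"]]
        entry["installed"].add(f["installed"])
        entry["fixed_in"].update(v.strip() for v in m.group(1).split(","))
        entry["cves"].add(f["cve"])
    return dict(plan)

if __name__ == "__main__":
    for pkg, e in sorted(upgrade_plan(parse_rows(SAMPLE)).items()):
        print(pkg, sorted(e["installed"]), "->", sorted(e["fixed_in"]), sorted(e["cves"]))
```

A package listed with several installed versions, as `golang.org/x/net/http2` is here, means more than one binary in the image carries its own copy. Entries whose package is a Go module path are compiled into those binaries, so they are cleared by rebuilding the binaries against the fixed module version rather than by a package-manager upgrade in a derived image.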

dhiaayachi commented 1 month ago

Thank you for reporting this issue.
It appears the temporalio/admin-tools image does have 30 vulnerabilities.
However, the CVEs are marked as fixed in more recent versions of the packages and are not considered critical, high, or medium.
To address this, we recommend updating the temporalio/admin-tools image to a more recent version that incorporates the fixes for these CVEs.
For a list of current releases, refer to Temporal Releases. Please let me know if you have any other questions.

dhiaayachi commented 1 month ago

Thanks for reporting the issue. You're right, there are some vulnerabilities in the temporalio/admin-tools:1.23.0 image. It appears you have identified the CVEs; however, to help us understand your issue better, could you please provide more context about how you are encountering these vulnerabilities?

Are you encountering issues running temporalio/admin-tools:1.23.0 in your environment?

Do you have any further details on how you are encountering these vulnerabilities?

We'll do our best to assist you with finding a solution based on the attached documentation.

dhiaayachi commented 1 month ago

Thanks for reporting this issue.

It appears that the temporalio/admin-tools:1.23.0 Docker image contains vulnerabilities. The documentation does not provide any guidance on addressing vulnerabilities found in the admin-tools image.

Could you please provide more information about your specific requirements, including:

This will help me better understand your situation and find a solution.