docker-library / rabbitmq

Docker Official Image packaging for RabbitMQ
http://www.rabbitmq.com/
MIT License

rabbitmq:3.12-management image is reported to have CVE-2023-46324 #685

Closed Sravani-K closed 11 months ago

Sravani-K commented 11 months ago

Prisma security scan has shown CVE-2023-46324 on the rabbitmq:3.12-management docker image. It is stemming from Go 1.17, which is from gosu 1.14. I cannot use the govulncheck tool, as gosu 1.14 is built with an unsupported Go version.

CVE-2023-46324: please fix, or provide justification if it is not an issue.

Alternatively, maybe rabbitmq needs to be built with the latest gosu version, where there is active security advice?

LaurentGoderre commented 11 months ago

This is a false positive: https://github.com/tianon/gosu/blob/master/SECURITY.md#reporting-vulnerabilities

lukebakken commented 11 months ago

Thank you for linking to that document, @LaurentGoderre.