docker / scout-cli

Docker Scout CLI
https://docker.com/products/docker-scout

Docker scout falsely reports CVE-2022-30595 on pillow 10.4.0 #158

Closed gergelyfabian closed 1 week ago

gergelyfabian commented 1 week ago

Pillow is said to have a critical CVE in version 10.4.0: https://scout.docker.com/vulnerabilities/id/CVE-2022-30595?s=pypa&n=pillow&t=pypi&vr=%3D10.4.0

However, the GitHub page says the fix was backported to 9.1.1:

https://github.com/advisories/GHSA-hr8g-f6r6-mr22

Now, I suppose a higher version is also fixing the same CVE.

gergelyfabian commented 1 week ago

Docker Scout also doesn't know the CVE has been fixed for 9.1.1.

cdupuis commented 1 week ago

Thanks for reporting this @gergelyfabian. Apologies for any issues this is causing.

The root cause for this is https://github.com/pypa/advisory-database/issues/205. The source data has now been fixed. We'll go ahead and fix our data too.
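To show why a bad advisory record turns into a finding on pillow 10.4.0, here is an added example (not Docker Scout's or the PyPA advisory database's code) that evaluates OSV-style version ranges; the two advisory records, including the 9.1.0 "introduced" version, are constructed for illustration, with the 9.1.1 fix taken from the issue above.

```python
"""Check a package version against OSV-style affected ranges, the format the
PyPA advisory database uses. Added illustration, not Docker Scout's or PyPA's
code. CORRECT_ADVISORY closes the range at the 9.1.1 backport mentioned in the
issue; BROKEN_ADVISORY lacks the 'fixed' event, so the range stays open-ended
and every later release, 10.4.0 included, is flagged. The 9.1.0 'introduced'
version is an assumption made for the example."""
from typing import Optional


def parse_version(version: str) -> tuple:
    """Turn a plain dotted release string ('10.4.0') into comparable ints.
    Pre-release and post-release suffixes are out of scope here."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, events: list) -> bool:
    """OSV ECOSYSTEM semantics over events sorted ascending: an 'introduced'
    event opens a vulnerable interval, the next 'fixed' event closes it
    (exclusive). With no 'fixed' event the interval never closes."""
    ver = parse_version(version)
    affected = False
    for event in events:
        if "introduced" in event and parse_version(event["introduced"]) <= ver:
            affected = True
        elif "fixed" in event and parse_version(event["fixed"]) <= ver:
            affected = False
    return affected


def scan(package: str, version: str, advisory: dict) -> Optional[str]:
    """Return the advisory id if (package, version) is in scope, else None."""
    for entry in advisory["affected"]:
        if entry["package"]["name"] != package:
            continue
        for rng in entry["ranges"]:
            if rng["type"] == "ECOSYSTEM" and is_affected(version, rng["events"]):
                return advisory["id"]
    return None


def _advisory(events: list) -> dict:
    return {"id": "CVE-2022-30595",  # id taken from the issue above
            "affected": [{"package": {"ecosystem": "PyPI", "name": "pillow"},
                          "ranges": [{"type": "ECOSYSTEM", "events": events}]}]}


CORRECT_ADVISORY = _advisory([{"introduced": "9.1.0"}, {"fixed": "9.1.1"}])
BROKEN_ADVISORY = _advisory([{"introduced": "9.1.0"}])  # 'fixed' event missing

if __name__ == "__main__":
    for label, adv in (("correct", CORRECT_ADVISORY), ("broken", BROKEN_ADVISORY)):
        print(label, "advisory, pillow 10.4.0 ->", scan("pillow", "10.4.0", adv))
```

The correct record reports nothing for 10.4.0 while the broken one returns the CVE id, which matches the false positive the issue describes and disappears once the source data carries the fix version.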

gergelyfabian commented 1 week ago

I cannot reproduce this any more (to be exact, 40 minutes ago already). Maybe the source data has been propagated to Docker Scout?

cdupuis commented 1 week ago

Yes, you're right. About 2 hours ago we imported the corrected data.

gergelyfabian commented 1 week ago

Thank you for the clarification and the quick feedback. Closing this one :)