flyway / flyway-docker

Official Flyway Docker images
Apache License 2.0

Docker alpine eclipse-temurin base image has critical vulnerabilities #155

Open stormwild opened 3 days ago

stormwild commented 3 days ago
```text
$ docker scout cves flyway/flyway:10.19.0-alpine
    i New version 1.14.0 available (installed version is 1.13.0) at https://github.com/docker/scout-cli
          v SBOM of image already cached, 263 packages indexed
    x Detected 3 vulnerable packages with a total of 12 vulnerabilities

## Overview

                    │           Analyzed Image
────────────────────┼─────────────────────────────────────
  Target            │  flyway/flyway:10.19.0-alpine
    digest          │  67943549ac83
    platform        │ linux/amd64
    vulnerabilities │    3C     1H     6M     1L     1?
    size            │ 443 MB
    packages        │ 263

## Packages and Vulnerabilities

   3C     1H     1M     0L     1?  expat 2.5.0-r1
pkg:apk/alpine/expat@2.5.0-r1?os_name=alpine&os_version=3.18

    x CRITICAL CVE-2024-45492
      https://scout.docker.com/v/CVE-2024-45492
      Affected range : <2.6.3-r0
      Fixed version  : 2.6.3-r0

    x CRITICAL CVE-2024-45491
      https://scout.docker.com/v/CVE-2024-45491
      Affected range : <2.6.3-r0
      Fixed version  : 2.6.3-r0

    x CRITICAL CVE-2024-45490
      https://scout.docker.com/v/CVE-2024-45490
      Affected range : <2.6.3-r0
      Fixed version  : 2.6.3-r0

    x HIGH CVE-2023-52425
      https://scout.docker.com/v/CVE-2023-52425
      Affected range : <2.6.0-r0
      Fixed version  : 2.6.0-r0

    x MEDIUM CVE-2023-52426
      https://scout.docker.com/v/CVE-2023-52426
      Affected range : <2.6.0-r0
      Fixed version  : 2.6.0-r0

    x UNSPECIFIED CVE-2024-28757
      https://scout.docker.com/v/CVE-2024-28757
      Affected range : <2.6.2-r0
      Fixed version  : 2.6.2-r0

   0C     0H     4M     0L  busybox 1.36.1-r5
pkg:apk/alpine/busybox@1.36.1-r5?os_name=alpine&os_version=3.18

    x MEDIUM CVE-2023-42366
      https://scout.docker.com/v/CVE-2023-42366
      Affected range : <1.36.1-r6
      Fixed version  : 1.36.1-r6

    x MEDIUM CVE-2023-42365
      https://scout.docker.com/v/CVE-2023-42365
      Affected range : <1.36.1-r7
      Fixed version  : 1.36.1-r7

    x MEDIUM CVE-2023-42364
      https://scout.docker.com/v/CVE-2023-42364
      Affected range : <1.36.1-r7
      Fixed version  : 1.36.1-r7

    x MEDIUM CVE-2023-42363
      https://scout.docker.com/v/CVE-2023-42363
      Affected range : <1.36.1-r7
      Fixed version  : 1.36.1-r7

   0C     0H     1M     1L  com.google.guava/guava 30.1.1-jre
pkg:maven/com.google.guava/guava@30.1.1-jre

    x MEDIUM CVE-2023-2976 [Creation of Temporary File in Directory with Insecure Permissions]
      https://scout.docker.com/v/CVE-2023-2976
      Affected range : >=1.0
                     : <32.0.0-android
      Fixed version  : 32.0.0
      CVSS Score     : 5.5
      CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

    x LOW CVE-2020-8908 [Improper Handling of Alternate Encoding]
      https://scout.docker.com/v/CVE-2020-8908
      Affected range : <32.0.0-android
      Fixed version  : 32.0.0
      CVSS Score     : 3.3
      CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

12 vulnerabilities found in 3 packages
  UNSPECIFIED  1
  LOW          1
  MEDIUM       6
  HIGH         1
  CRITICAL     3

What's next:
    View base image update recommendations → docker scout recommendations flyway/flyway:10.19.0-alpine
```

The recommendation is to update to the latest 17-jre-alpine, specifically 17.0.12_7-jre-alpine.

(screenshot attached)
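Added example, not code from the flyway-docker project or from the issue author: a small Python parser for the `docker scout cves` text report format shown in the scan above, with a severity gate and a per-package upgrade plan that a CI job could enforce before an image is promoted. The sample report is a constructed, trimmed copy of the scan in this issue; the severity threshold, the "fixable only" default and the simplified version ordering are this example's own assumptions, not Docker Scout or apk semantics.

```python
# Added example, not code from the flyway-docker project or the issue author.
# Parses the `docker scout cves` text report pasted in the issue and applies a
# severity gate; thresholds and the simplified version ordering are assumptions.
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNSPECIFIED": 0}

# A "pkg:" purl line names the package; "x SEVERITY CVE-..." opens a finding;
# indented "Key : value" lines belong to the most recent finding.
_PKG_RE = re.compile(r"^pkg:\S+")
_CVE_RE = re.compile(r"^\s*[x\u2717]\s+([A-Z]+)\s+(CVE-\d{4}-\d+)")
_FIXED_RE = re.compile(r"^\s*Fixed version\s*:\s*(\S+)")


@dataclass
class Finding:
    package: str                          # purl as printed by scout
    severity: str
    cve: str
    fixed_version: Optional[str] = None   # None when no fixed release is listed


def parse_scout_report(text: str) -> list[Finding]:
    """One Finding per CVE entry; headers, URLs and affected ranges are skipped."""
    findings: list[Finding] = []
    package, current = "unknown", None
    for line in text.splitlines():
        if _PKG_RE.match(line):
            package = line.strip()
        elif m := _CVE_RE.match(line):
            current = Finding(package, m.group(1), m.group(2))
            findings.append(current)
        elif current is not None and (m := _FIXED_RE.match(line)):
            current.fixed_version = m.group(1)
    return findings


def policy_violations(findings, min_severity="HIGH", fixable_only=True):
    """Findings at or above the threshold; by default only those a version bump fixes."""
    threshold = SEVERITY_RANK[min_severity]
    return [f for f in findings
            if SEVERITY_RANK.get(f.severity, 0) >= threshold
            and (f.fixed_version is not None or not fixable_only)]


def _version_key(version: str):
    # Dotted numeric core, then Alpine "-rN" release. Enough for this report,
    # not a full apk/Maven comparison.
    core, _, release = version.partition("-r")
    return (tuple(int(p) if p.isdigit() else 0 for p in core.split(".")),
            int(release) if release.isdigit() else 0)


def upgrade_plan(findings) -> dict[str, str]:
    """Highest fixed version per package, i.e. the bump that closes all fixable findings."""
    plan: dict[str, str] = {}
    for f in findings:
        if f.fixed_version is None:
            continue
        name = f.package[len("pkg:"):].split("@", 1)[0]   # e.g. "apk/alpine/expat"
        if name not in plan or _version_key(f.fixed_version) > _version_key(plan[name]):
            plan[name] = f.fixed_version
    return plan


# Constructed sample: a trimmed copy of the scan in this issue.
SAMPLE_REPORT = """\
    x Detected 3 vulnerable packages with a total of 5 vulnerabilities
   1C     1H     0M     0L     1?  expat 2.5.0-r1
pkg:apk/alpine/expat@2.5.0-r1?os_name=alpine&os_version=3.18
    x CRITICAL CVE-2024-45492
      https://scout.docker.com/v/CVE-2024-45492
      Affected range : <2.6.3-r0
      Fixed version  : 2.6.3-r0
    x HIGH CVE-2023-52425
      Affected range : <2.6.0-r0
      Fixed version  : 2.6.0-r0
    x UNSPECIFIED CVE-2024-28757
      Fixed version  : 2.6.2-r0
pkg:apk/alpine/busybox@1.36.1-r5?os_name=alpine&os_version=3.18
    x MEDIUM CVE-2023-42366
      Fixed version  : 1.36.1-r6
pkg:maven/com.google.guava/guava@30.1.1-jre
    x MEDIUM CVE-2023-2976 [Creation of Temporary File in Directory with Insecure Permissions]
      Affected range : >=1.0
                     : <32.0.0-android
      Fixed version  : 32.0.0
"""

if __name__ == "__main__":
    found = parse_scout_report(SAMPLE_REPORT)
    bad = policy_violations(found)
    for f in bad:
        print(f"{f.severity:<9} {f.cve:<16} {f.package} -> fix {f.fixed_version}")
    print("upgrade plan:", upgrade_plan(found))
    raise SystemExit(1 if bad else 0)   # non-zero exit fails the pipeline stage
```

Run as a script it exits non-zero when any fixable HIGH or CRITICAL finding is present, which is the behaviour a CI gate wants; piping real output in (`docker scout cves IMAGE | python gate.py`, with `SAMPLE_REPORT` swapped for `sys.stdin.read()`) works with the same parser because the regexes key only on the purl, finding and "Fixed version" lines. The upgrade plan reports the highest fixed release per package, which is the single bump that clears every listed finding for that package; here that is expat 2.6.3-r0, busybox 1.36.1-r6 and Guava 32.0.0, matching the scan's own "Fixed version" entries.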

stormwild commented 2 days ago

To be resolved by https://github.com/flyway/flyway-docker/pull/157 once released