Closed codyharris-h2o-ai closed 5 months ago
@codyharris-h2o-ai most of these CVEs seem to come from base docker image (OS-level deps). Go CVEs will be addressed in https://github.com/h2oai/wave/issues/2294.
As for https://github.com/advisories/GHSA-2jv5-9r88-3w3p, Wave only forces minimum Starlette version meaning the latest (patched) one should be installable already.
Closed by https://github.com/h2oai/wave/pull/2302.
Hello! As part of our ongoing efforts to ensure the security of our products, one or more vulnerabilities requiring remediation have been identified.
The following vulnerabilities were scanned and found by using ECR. ECR scans are used in conjunction with Prisma scans to ensure we meet a high standard for software security. We have suggestions on tooling to help improve the remediation process, following the vulnerability table below. Note that we disregard the severity levels assigned by various tools and operate solely on CVSS to severity mapping in line with NIST guidelines.
| Vulnerability | Severity | Image | Package | Description |
|---|---|---|---|---|
| CVE-2024-0567 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0 | gnutls28:3.7.1 | A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. Thi[...] |
| CVE-2024-0743 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0 | nss:3.61 | An unchecked return value in TLS handshake code could have caused a potentially exploitable crash. This vulnerability affects Fi[...] |
| CVE-2024-0775 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0 | linux:5.10.162 | A use-after-free flaw was found in the __ext4_remount in fs/ext4/super.c in ext4 in the Linux kernel. This flaw allows a local u[...] |
| CVE-2024-0985 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0 | postgresql-13:13.9 | Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL fu[...] |
| CVE-2024-20918 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0 | openjdk-11:11.0.18+10 | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (compon[...] |
| CVE-2024-20952 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0 | openjdk-11:11.0.18+10 | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (compon[...] |
| CVE-2024-24762 | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0 | starlette:0.32.0.post1 | python-multipart is a streaming multipart parser for Python. When using form data, python-multipart uses a Regular Expressio[...] |
| GHSA-m425-mq94-257g | high | 524466471676.dkr.ecr.us-east-1.amazonaws.com/h2oai/university:1.0.0 | google.golang.org/grpc:v1.49.0 | Impact: In affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subseq[...] |

To resolve this, we recommend the following approach:
- `trivy` (https://aquasecurity.github.io/trivy): `trivy image --scanners vuln --severity CRITICAL,HIGH --timeout 60m [...image address...]`
- `trivy`: the provided scans were taken using a different scanner (ECR), so the first step should be to validate that `trivy` can see them as well.
- `trivy` enables you to scan the image without pushing it, so it should help in finding the resolution.
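Added example (not code from this issue, from h2o.ai or from the Wave project): a small Python script that does the two checks the report asks for once you have a `trivy` scan in hand. It assumes you ran `trivy image --format json -o report.json <image>` (a real `trivy` option) and loads that JSON; the report embedded below is a constructed sample in the same shape, with made-up versions, scores and one made-up ID (`CVE-EXAMPLE-0001`), so it runs offline. It (1) confirms which ECR-reported IDs `trivy` also sees and which are missing, (2) re-rates every finding from its NVD CVSS v3 base score using NVD's qualitative scale instead of the scanner's own label, and (3) splits the remaining high-and-above findings into "fix available" versus "no fix yet", which is what you actually need for remediation planning.

```python
import json
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample shaped like `trivy image --format json` output
# (Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion,
# FixedVersion, Severity and CVSS.nvd.V3Score). Versions, fixed versions, scores
# and the CVE-EXAMPLE-0001 entry are made up for illustration; in real use,
# replace this with json.load(open("report.json")).
SAMPLE_TRIVY_REPORT = json.loads("""
{
  "ArtifactName": "example.registry/h2oai/university:1.0.0",
  "Results": [
    {"Target": "example.registry/h2oai/university:1.0.0 (debian 11.6)", "Class": "os-pkgs",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-2024-0567", "PkgName": "libgnutls30",
        "InstalledVersion": "3.7.1-example", "FixedVersion": "",
        "Severity": "HIGH", "CVSS": {"nvd": {"V3Score": 7.5}}},
       {"VulnerabilityID": "CVE-2024-0985", "PkgName": "postgresql-13",
        "InstalledVersion": "13.9-example", "FixedVersion": "13.14-example",
        "Severity": "HIGH", "CVSS": {"nvd": {"V3Score": 8.0}}},
       {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "made-up-pkg",
        "InstalledVersion": "1.0", "FixedVersion": "1.1",
        "Severity": "HIGH", "CVSS": {"nvd": {"V3Score": 5.3}}}
     ]},
    {"Target": "Python", "Class": "lang-pkgs",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-2024-24762", "PkgName": "starlette",
        "InstalledVersion": "0.32.0.post1", "FixedVersion": "0.36-example",
        "Severity": "MEDIUM", "CVSS": {"nvd": {"V3Score": 7.5}}}
     ]},
    {"Target": "clean-layer", "Class": "os-pkgs"}
  ]
}
""")

# IDs from the ECR table in this issue; the point is to see whether trivy finds them too.
ECR_REPORTED_IDS = [
    "CVE-2024-0567", "CVE-2024-0743", "CVE-2024-0775", "CVE-2024-0985",
    "CVE-2024-20918", "CVE-2024-20952", "CVE-2024-24762", "GHSA-m425-mq94-257g",
]

SEVERITY_ORDER = ["NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def cvss_to_severity(score: Optional[float]) -> str:
    """NVD's qualitative rating for a CVSS v3.x base score (the NIST mapping):
    0.0 None, 0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0-10.0 Critical."""
    if score is None:
        return "UNKNOWN"
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def findings(report: Dict) -> List[Dict]:
    """Flatten a trivy JSON report into one record per finding, re-rated by CVSS."""
    out = []
    for result in report.get("Results", []):
        # "Vulnerabilities" is absent (not an empty list) for clean targets.
        for v in result.get("Vulnerabilities") or []:
            score = ((v.get("CVSS") or {}).get("nvd") or {}).get("V3Score")
            out.append({
                "id": v["VulnerabilityID"],
                "target": result.get("Target", ""),
                "pkg": v.get("PkgName", ""),
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion") or None,  # None: no fix published yet
                "scanner_severity": v.get("Severity", "UNKNOWN"),
                "cvss_severity": cvss_to_severity(score),
            })
    return out


def compare_with_ecr(report: Dict, ecr_ids: Iterable[str]) -> Tuple[List[str], List[str]]:
    """(confirmed, missing): which ECR-reported IDs trivy also sees, and which it does not."""
    seen = {f["id"] for f in findings(report)}
    expected = set(ecr_ids)
    return sorted(expected & seen), sorted(expected - seen)


def severity_disagreements(report: Dict) -> List[str]:
    """IDs where the scanner's own label differs from the CVSS-derived rating."""
    return sorted(f["id"] for f in findings(report)
                  if f["cvss_severity"] != "UNKNOWN"
                  and f["scanner_severity"] != f["cvss_severity"])


def remediation_summary(report: Dict, min_severity: str = "HIGH") -> Dict[str, List[str]]:
    """Findings at or above min_severity (by CVSS), split by whether a fix exists.
    Findings with no CVSS score are kept in 'unrated' rather than silently dropped."""
    threshold = SEVERITY_ORDER.index(min_severity)
    summary: Dict[str, List[str]] = {"fixable": [], "no_fix": [], "unrated": []}
    for f in findings(report):
        if f["cvss_severity"] == "UNKNOWN":
            summary["unrated"].append(f["id"])
        elif SEVERITY_ORDER.index(f["cvss_severity"]) >= threshold:
            summary["fixable" if f["fixed"] else "no_fix"].append(f["id"])
    return {k: sorted(v) for k, v in summary.items()}


if __name__ == "__main__":
    confirmed, missing = compare_with_ecr(SAMPLE_TRIVY_REPORT, ECR_REPORTED_IDS)
    print("seen by trivy:", confirmed)
    print("not seen by trivy (check aliases / scanner coverage):", missing)
    print("scanner label != CVSS rating:", severity_disagreements(SAMPLE_TRIVY_REPORT))
    print("remediation:", remediation_summary(SAMPLE_TRIVY_REPORT))
```

Two caveats when reading the "missing" list against a real scan: scanners do not always use the same identifier for one advisory (one may report a GHSA ID where another reports the CVE it aliases), and a database-level miss in one tool is not proof the package is clean, so treat "missing" as "needs a second look", not as resolved. The split into `fixable` and `no_fix` is what decides the remediation path: the first group is a base-image or dependency bump, the second needs a different mitigation until a fix ships.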