CVE Name | Asset Name | Vulnerability Description | Remediation | Current Version | Recommended Version | DetailedName
-- | -- | -- | -- | -- | -- | --
CVE-2022-28391 | docker.io/drone/drone-runner-kube | The package `busybox` version `1.32.1-r7` was detected in `APK package manager` on a container image running `Alpine 3.13.7` is vulnerable to `CVE-2022-28391`, which exists in versions `< 1.32.1-r8`. The vulnerability was found in the [Official Alpine Security Advisories](https://security.alpinelinux.org/vuln/CVE-2022-28391) with vendor severity: `High` ([NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-28391) severity: `High`). The vulnerability can be remediated by updating the package to version `1.32.1-r8` or higher, by adding the following command to the Dockerfile: `RUN apk upgrade busybox`. | apk upgrade busybox | 1.32.1-r7 | 1.32.1-r8 | busybox
CVE-2022-0778 | docker.io/drone/drone-runner-kube | The package `libcrypto1.1` version `1.1.1l-r0` was detected in `APK package manager` on a container image running `Alpine 3.13.7` is vulnerable to `CVE-2022-0778`, which exists in versions `< 1.1.1n-r0`. The vulnerability was found in the [Official Alpine Security Advisories](https://security.alpinelinux.org/vuln/CVE-2022-0778) with vendor severity: `High` ([NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-0778) severity: `High`). This vulnerability has a known exploit available. Source: [Packetstorm](https://packetstormsecurity.com/files/167344/OpenSSL-1.0.2-1.1.1-3.0-BN_mod_sqrt-Infinite-Loop.html). The vulnerability can be remediated by updating the package to version `1.1.1n-r0` or higher, by adding the following command to the Dockerfile: `RUN apk upgrade libcrypto1.1`. | apk upgrade libcrypto1.1 | 1.1.1l-r0 | 1.1.1n-r0 | libcrypto1.1
End-of-Life Version of Technology | docker.io/drone/drone-runner-kube | The OS `Linux Alpine` version `3.13.7` has been End-of-Life since `2022-11-01` as indicated in [Alpine Releases](https://alpinelinux.org/releases/). End-of-Life versions of operating systems have no further official support by the vendor and thus no security patches. Furthermore, newly discovered vulnerabilities are not reported. Thus, such technologies pose a threat that is both unknown and will not be fixed. | | 3.13.7 | 3.14.8 | Linux Alpine
End-of-Life Version of Technology | docker.io/drone/drone | The OS `Linux Alpine` version `3.11.13` has been End-of-Life since `2021-11-01` as indicated in [Alpine Releases](https://alpinelinux.org/releases/). End-of-Life versions of operating systems have no further official support by the vendor and thus no security patches. Furthermore, newly discovered vulnerabilities are not reported. Thus, such technologies pose a threat that is both unknown and will not be fixed. | | 3.11.13 | 3.14.8 | Linux Alpine
CVE-2022-30065 | docker.io/drone/drone-runner-kube | The package `busybox` version `1.32.1-r7` was detected in `APK package manager` on a container image running `Alpine 3.13.7` is vulnerable to `CVE-2022-30065`, which exists in versions `< 1.32.1-r9`. The vulnerability was found in the [Official Alpine Security Advisories](https://security.alpinelinux.org/vuln/CVE-2022-30065) with vendor severity: `High` ([NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-30065) severity: `High`). The vulnerability can be remediated by updating the package to version `1.32.1-r9` or higher, by adding the following command to the Dockerfile: `RUN apk upgrade busybox`. | apk upgrade busybox | 1.32.1-r7 | 1.32.1-r9 | busybox
CVE-2022-37434 | docker.io/drone/drone-runner-kube | The package `zlib` version `1.2.11-r3` was detected in `APK package manager` on a container image running `Alpine 3.13.7` is vulnerable to `CVE-2022-37434`, which exists in versions `< 1.2.12-r2`. The vulnerability was found in the [Official Alpine Security Advisories](https://security.alpinelinux.org/vuln/CVE-2022-37434) with vendor severity: `Critical` ([NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-37434) severity: `Critical`). This vulnerability has a known exploit available. Source: Github [[1](https://github.com/ivd38/zlib_overflow), [2](https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063), [3](https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764)]. The vulnerability can be remediated by updating the package to version `1.2.12-r2` or higher, by adding the following command to the Dockerfile: `RUN apk upgrade zlib`. | apk upgrade zlib | 1.2.11-r3 | 1.2.12-r2 | zlib
CVE-2022-37434 | docker.io/drone/drone | The package `zlib` version `1.2.11-r3` was detected in `APK package manager` on a container image running `Alpine 3.11.13` is vulnerable to `CVE-2022-37434`, which exists in versions `< 1.2.11-r4`. The vulnerability was found in the [Official Alpine Security Advisories](https://security.alpinelinux.org/vuln/CVE-2022-37434) with vendor severity: `Critical` ([NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-37434) severity: `Critical`). This vulnerability has a known exploit available. Source: Github [[1](https://github.com/ivd38/zlib_overflow), [2](https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063), [3](https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764)]. The vulnerability can be remediated by updating the package to version `1.2.11-r4` or higher, by adding the following command to the Dockerfile: `RUN apk upgrade zlib`. | apk upgrade zlib | 1.2.11-r3 | 1.2.11-r4 | zlib
CVE-2018-25032 | docker.io/drone/drone-runner-kube | The package `zlib` version `1.2.11-r3` was detected in `APK package manager` on a container image running `Alpine 3.13.7` is vulnerable to `CVE-2018-25032`, which exists in versions `< 1.2.12-r0`. The vulnerability was found in the [Official Alpine Security Advisories](https://security.alpinelinux.org/vuln/CVE-2018-25032) with vendor severity: `High` ([NVD](https://nvd.nist.gov/vuln/detail/CVE-2018-25032) severity: `High`). The vulnerability can be remediated by updating the package to version `1.2.12-r0` or higher, by adding the following command to the Dockerfile: `RUN apk upgrade zlib`. | apk upgrade zlib | 1.2.11-r3 | 1.2.12-r0 | zlib
CVE-2022-28391 | docker.io/drone/drone-runner-kube | The package `ssl_client` version `1.32.1-r7` was detected in `APK package manager` on a container image running `Alpine 3.13.7` is vulnerable to `CVE-2022-28391`, which exists in versions `< 1.32.1-r8`. The vulnerability was found in the [Official Alpine Security Advisories](https://security.alpinelinux.org/vuln/CVE-2022-28391) with vendor severity: `High` ([NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-28391) severity: `High`). The vulnerability can be remediated by updating the package to version `1.32.1-r8` or higher, by adding the following command to the Dockerfile: `RUN apk upgrade ssl_client`. | apk upgrade ssl_client | 1.32.1-r7 | 1.32.1-r8 | ssl_client
End-of-Life Version of Technology | docker.io/drone/vault | The OS `Linux Alpine` version `3.6.5` has been End-of-Life since `2019-05-01` as indicated in [Alpine Releases](https://alpinelinux.org/releases/). End-of-Life versions of operating systems have no further official support by the vendor and thus no security patches. Furthermore, newly discovered vulnerabilities are not reported. Thus, such technologies pose a threat that is both unknown and will not be fixed. | | 3.6.5 | 3.14.8 | Linux Alpine
CVE-2022-0778 | docker.io/drone/drone-runner-kube | The package `libssl1.1` version `1.1.1l-r0` was detected in `APK package manager` on a container image running `Alpine 3.13.7` is vulnerable to `CVE-2022-0778`, which exists in versions `< 1.1.1n-r0`. The vulnerability was found in the [Official Alpine Security Advisories](https://security.alpinelinux.org/vuln/CVE-2022-0778) with vendor severity: `High` ([NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-0778) severity: `High`). This vulnerability has a known exploit available. Source: [Packetstorm](https://packetstormsecurity.com/files/167344/OpenSSL-1.0.2-1.1.1-3.0-BN_mod_sqrt-Infinite-Loop.html). The vulnerability can be remediated by updating the package to version `1.1.1n-r0` or higher, by adding the following command to the Dockerfile: `RUN apk upgrade libssl1.1`. | apk upgrade libssl1.1 | 1.1.1l-r0 | 1.1.1n-r0 | libssl1.1
CVE-2022-30065 | docker.io/drone/drone-runner-kube | The package `ssl_client` version `1.32.1-r7` was detected in `APK package manager` on a container image running `Alpine 3.13.7` is vulnerable to `CVE-2022-30065`, which exists in versions `< 1.32.1-r9`. The vulnerability was found in the [Official Alpine Security Advisories](https://security.alpinelinux.org/vuln/CVE-2022-30065) with vendor severity: `High` ([NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-30065) severity: `High`). The vulnerability can be remediated by updating the package to version `1.32.1-r9` or higher, by adding the following command to the Dockerfile: `RUN apk upgrade ssl_client`. | apk upgrade ssl_client | 1.32.1-r7 | 1.32.1-r9 | ssl_client
There are multiple vulnerabilities within drone images (drone, drone-runner-kube, drone-vault-extension) as mentioned below.
Is there any plan to address this in a future release?