hashicorp / docker-vault

Official Docker images for Vault
Mozilla Public License 2.0

Multiple CVEs found in vault 1.8.5 binary from this image #246

Open isuftin opened 2 years ago

isuftin commented 2 years ago

If I should open this over at https://github.com/hashicorp/vault/issues, please let me know.

Using Trivy, I scanned the Vault Docker image for version 1.8.5. Here are my results:

bin/vault (gobinary)
====================
Total: 7 (UNKNOWN: 1, LOW: 0, MEDIUM: 3, HIGH: 3, CRITICAL: 0)
+--------------------------------+------------------+----------+------------------------------------+-----------------+---------------------------------------+
|            LIBRARY             | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION          |  FIXED VERSION  |                 TITLE                 |
+--------------------------------+------------------+----------+------------------------------------+-----------------+---------------------------------------+
| github.com/gogo/protobuf       | CVE-2021-3121    | HIGH     | v1.3.1                             | v1.3.2          | gogo/protobuf:                        |
|                                |                  |          |                                    |                 | plugin/unmarshal/unmarshal.go         |
|                                |                  |          |                                    |                 | lacks certain index validation        |
|                                |                  |          |                                    |                 | -->avd.aquasec.com/nvd/cve-2021-3121  |
+--------------------------------+------------------+          +------------------------------------+-----------------+---------------------------------------+
| github.com/hashicorp/go-slug   | CVE-2020-29529   |          | v0.4.1                             | v0.5.0          | go-slug: partial protection           |
|                                |                  |          |                                    |                 | against zip slip attacks              |
|                                |                  |          |                                    |                 | -->avd.aquasec.com/nvd/cve-2020-29529 |
+--------------------------------+------------------+----------+------------------------------------+-----------------+---------------------------------------+
| github.com/influxdata/influxdb | CVE-2018-17572   | MEDIUM   | v0.0.0-20190411212539-d24b7ba8c4c4 | 0.9.6           | influxdb: Reflected                   |
|                                |                  |          |                                    |                 | cross-site-scripting in               |
|                                |                  |          |                                    |                 | the Write Data module                 |
|                                |                  |          |                                    |                 | -->avd.aquasec.com/nvd/cve-2018-17572 |
+--------------------------------+------------------+          +------------------------------------+-----------------+---------------------------------------+
| github.com/mholt/archiver      | CVE-2019-10743   |          | v3.1.1+incompatible                |                 | mholt/archiver: aribtrary file write  |
|                                |                  |          |                                    |                 | via unsanitized destination filepaths |
|                                |                  |          |                                    |                 | -->avd.aquasec.com/nvd/cve-2019-10743 |
+--------------------------------+------------------+----------+------------------------------------+-----------------+---------------------------------------+
| github.com/ulikunitz/xz        | CVE-2021-29482   | HIGH     | v0.5.7                             | v0.5.8          | ulikunitz/xz: Infinite                |
|                                |                  |          |                                    |                 | loop in readUvarint allows            |
|                                |                  |          |                                    |                 | for denial of service                 |
|                                |                  |          |                                    |                 | -->avd.aquasec.com/nvd/cve-2021-29482 |
+                                +------------------+----------+                                    +                 +---------------------------------------+
|                                | GO-2020-0016     | UNKNOWN  |                                    |                 |                                       |
+--------------------------------+------------------+----------+------------------------------------+-----------------+---------------------------------------+
| k8s.io/client-go               | CVE-2020-8565    | MEDIUM   | v0.18.2                            | v0.20.0-alpha.2 | kubernetes: Incomplete fix            |
|                                |                  |          |                                    |                 | for CVE-2019-11250 allows for         |
|                                |                  |          |                                    |                 | token leak in logs when...            |
|                                |                  |          |                                    |                 | -->avd.aquasec.com/nvd/cve-2020-8565  |
+--------------------------------+------------------+----------+------------------------------------+-----------------+---------------------------------------+