jonaswinkler / paperless-ng

A supercharged version of paperless: scan, index and archive all your physical documents
https://paperless-ng.readthedocs.io/en/latest/
GNU General Public License v3.0

[BUG] Security vulnerabilities in "official" jonaswinkler/paperless-ng Docker image #1448

Open ginkel opened 2 years ago

ginkel commented 2 years ago

Hi there,

initially, let me say "thanks" for creating and maintaining paperless-ng. As Docker is my preferred deployment method, I had a look at the jonaswinkler/paperless-ng Docker image. AFAICS, this image currently does not seem to get updated when security issues are fixed, as revealed by a trivy scan:

$ trivy i --ignore-unfixed jonaswinkler/paperless-ng
2021-11-22T12:38:50.822+0100    INFO    Detected OS: debian
2021-11-22T12:38:50.823+0100    INFO    Detecting Debian vulnerabilities...
2021-11-22T12:38:50.916+0100    INFO    Number of language-specific files: 1
2021-11-22T12:38:50.917+0100    INFO    Detecting python-pkg vulnerabilities...

jonaswinkler/paperless-ng (debian 11.0)
=======================================
Total: 89 (UNKNOWN: 0, LOW: 5, MEDIUM: 46, HIGH: 29, CRITICAL: 9)

+------------------+------------------+----------+-------------------+-----------------------+-----------------------------------------------+
|     LIBRARY      | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |     FIXED VERSION     |                     TITLE                     |
+------------------+------------------+----------+-------------------+-----------------------+-----------------------------------------------+
| ghostscript      | CVE-2021-3781    | CRITICAL | 9.53.3~dfsg-7     | 9.53.3~dfsg-7+deb11u1 | ghostscript: sandbox                          |
|                  |                  |          |                   |                       | escape using '%pipe%'                         |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-3781          |
+------------------+------------------+          +-------------------+-----------------------+-----------------------------------------------+
| libavcodec58     | CVE-2021-38171   |          | 7:4.3.2-0+deb11u2 | 7:4.3.3-0+deb11u1     | adts_decode_extradata in                      |
|                  |                  |          |                   |                       | libavformat/adtsenc.c in                      |
|                  |                  |          |                   |                       | FFmpeg 4.4 does not check                     |
|                  |                  |          |                   |                       | the init_get_bits return...                   |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-38171         |
+                  +------------------+----------+                   +                       +-----------------------------------------------+
|                  | CVE-2020-20450   | HIGH     |                   |                       | FFmpeg 4.2 is affected by                     |
|                  |                  |          |                   |                       | null pointer dereference                      |
|                  |                  |          |                   |                       | passed as argument to...                      |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-20450         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2020-21688   |          |                   |                       | A heap-use-after-free in the                  |
|                  |                  |          |                   |                       | av_freep function in libavutil/mem.c          |
|                  |                  |          |                   |                       | of FFmpeg 4.2 allows...                       |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-21688         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2021-38291   |          |                   |                       | FFmpeg version (git commit                    |
|                  |                  |          |                   |                       | de8e6e67e7523e48bb27ac224a0b446df05e1640)     |
|                  |                  |          |                   |                       | suffers from a an assertion failure at...     |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-38291         |
+                  +------------------+----------+                   +                       +-----------------------------------------------+
|                  | CVE-2020-20445   | MEDIUM   |                   |                       | FFmpeg 4.2 is affected by a Divide By         |
|                  |                  |          |                   |                       | Zero issue via libavcodec/lpc.h,...           |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-20445         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2020-20446   |          |                   |                       | FFmpeg 4.2 is affected by                     |
|                  |                  |          |                   |                       | a Divide By Zero issue via                    |
|                  |                  |          |                   |                       | libavcodec/aacpsy.c,...                       |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-20446         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2020-20453   |          |                   |                       | FFmpeg 4.2 is affected by                     |
|                  |                  |          |                   |                       | a Divide By Zero issue via                    |
|                  |                  |          |                   |                       | libavcodec/aaccoder,...                       |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-20453         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2020-21697   |          |                   |                       | A heap-use-after-free in the                  |
|                  |                  |          |                   |                       | mpeg_mux_write_packet function                |
|                  |                  |          |                   |                       | in libavformat/mpegenc.c                      |
|                  |                  |          |                   |                       | of FFmpeg 4.2 allows...                       |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-21697         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2020-22037   |          |                   |                       | A Denial of Service vulnerability             |
|                  |                  |          |                   |                       | exists in FFmpeg 4.2 due to a...              |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-22037         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2020-22042   |          |                   |                       | A Denial of Service vulnerability             |
|                  |                  |          |                   |                       | exists in FFmpeg 4.2 due to a...              |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-22042         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2021-38114   |          |                   |                       | libavcodec/dnxhddec.c in                      |
|                  |                  |          |                   |                       | FFmpeg 4.4 does not check                     |
|                  |                  |          |                   |                       | the return value of the...                    |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-38114         |
+------------------+------------------+----------+                   +                       +-----------------------------------------------+
| libavformat58    | CVE-2021-38171   | CRITICAL |                   |                       | adts_decode_extradata in                      |
|                  |                  |          |                   |                       | libavformat/adtsenc.c in                      |
|                  |                  |          |                   |                       | FFmpeg 4.4 does not check                     |
|                  |                  |          |                   |                       | the init_get_bits return...                   |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-38171         |
+                  +------------------+----------+                   +                       +-----------------------------------------------+
|                  | CVE-2020-20450   | HIGH     |                   |                       | FFmpeg 4.2 is affected by                     |
|                  |                  |          |                   |                       | null pointer dereference                      |
|                  |                  |          |                   |                       | passed as argument to...                      |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-20450         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2020-21688   |          |                   |                       | A heap-use-after-free in the                  |
|                  |                  |          |                   |                       | av_freep function in libavutil/mem.c          |
|                  |                  |          |                   |                       | of FFmpeg 4.2 allows...                       |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-21688         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2021-38291   |          |                   |                       | FFmpeg version (git commit                    |
|                  |                  |          |                   |                       | de8e6e67e7523e48bb27ac224a0b446df05e1640)     |
|                  |                  |          |                   |                       | suffers from a an assertion failure at...     |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-38291         |
+                  +------------------+----------+                   +                       +-----------------------------------------------+
|                  | CVE-2020-20445   | MEDIUM   |                   |                       | FFmpeg 4.2 is affected by a Divide By         |
|                  |                  |          |                   |                       | Zero issue via libavcodec/lpc.h,...           |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-20445         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2020-20446   |          |                   |                       | FFmpeg 4.2 is affected by                     |
|                  |                  |          |                   |                       | a Divide By Zero issue via                    |
|                  |                  |          |                   |                       | libavcodec/aacpsy.c,...                       |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-20446         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2020-20453   |          |                   |                       | FFmpeg 4.2 is affected by                     |
|                  |                  |          |                   |                       | a Divide By Zero issue via                    |
|                  |                  |          |                   |                       | libavcodec/aaccoder,...                       |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-20453         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2020-21697   |          |                   |                       | A heap-use-after-free in the                  |
|                  |                  |          |                   |                       | mpeg_mux_write_packet function                |
|                  |                  |          |                   |                       | in libavformat/mpegenc.c                      |
|                  |                  |          |                   |                       | of FFmpeg 4.2 allows...                       |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-21697         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2020-22037   |          |                   |                       | A Denial of Service vulnerability             |
|                  |                  |          |                   |                       | exists in FFmpeg 4.2 due to a...              |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-22037         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2020-22042   |          |                   |                       | A Denial of Service vulnerability             |
|                  |                  |          |                   |                       | exists in FFmpeg 4.2 due to a...              |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-22042         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2021-38114   |          |                   |                       | libavcodec/dnxhddec.c in                      |
|                  |                  |          |                   |                       | FFmpeg 4.4 does not check                     |
|                  |                  |          |                   |                       | the return value of the...                    |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-38114         |
+------------------+------------------+----------+                   +                       +-----------------------------------------------+
| libavutil56      | CVE-2021-38171   | CRITICAL |                   |                       | adts_decode_extradata in                      |
|                  |                  |          |                   |                       | libavformat/adtsenc.c in                      |
|                  |                  |          |                   |                       | FFmpeg 4.4 does not check                     |
|                  |                  |          |                   |                       | the init_get_bits return...                   |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-38171         |
+                  +------------------+----------+                   +                       +-----------------------------------------------+
|                  | CVE-2020-20450   | HIGH     |                   |                       | FFmpeg 4.2 is affected by                     |
|                  |                  |          |                   |                       | null pointer dereference                      |
|                  |                  |          |                   |                       | passed as argument to...                      |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-20450         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2020-21688   |          |                   |                       | A heap-use-after-free in the                  |
|                  |                  |          |                   |                       | av_freep function in libavutil/mem.c          |
|                  |                  |          |                   |                       | of FFmpeg 4.2 allows...                       |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-21688         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2021-38291   |          |                   |                       | FFmpeg version (git commit                    |
|                  |                  |          |                   |                       | de8e6e67e7523e48bb27ac224a0b446df05e1640)     |
|                  |                  |          |                   |                       | suffers from a an assertion failure at...     |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-38291         |
+                  +------------------+----------+                   +                       +-----------------------------------------------+
|                  | CVE-2020-20445   | MEDIUM   |                   |                       | FFmpeg 4.2 is affected by a Divide By         |
|                  |                  |          |                   |                       | Zero issue via libavcodec/lpc.h,...           |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-20445         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2020-20446   |          |                   |                       | FFmpeg 4.2 is affected by                     |
|                  |                  |          |                   |                       | a Divide By Zero issue via                    |
|                  |                  |          |                   |                       | libavcodec/aacpsy.c,...                       |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-20446         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2020-20453   |          |                   |                       | FFmpeg 4.2 is affected by                     |
|                  |                  |          |                   |                       | a Divide By Zero issue via                    |
|                  |                  |          |                   |                       | libavcodec/aaccoder,...                       |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-20453         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2020-21697   |          |                   |                       | A heap-use-after-free in the                  |
|                  |                  |          |                   |                       | mpeg_mux_write_packet function                |
|                  |                  |          |                   |                       | in libavformat/mpegenc.c                      |
|                  |                  |          |                   |                       | of FFmpeg 4.2 allows...                       |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-21697         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2020-22037   |          |                   |                       | A Denial of Service vulnerability             |
|                  |                  |          |                   |                       | exists in FFmpeg 4.2 due to a...              |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-22037         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2020-22042   |          |                   |                       | A Denial of Service vulnerability             |
|                  |                  |          |                   |                       | exists in FFmpeg 4.2 due to a...              |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-22042         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2021-38114   |          |                   |                       | libavcodec/dnxhddec.c in                      |
|                  |                  |          |                   |                       | FFmpeg 4.4 does not check                     |
|                  |                  |          |                   |                       | the return value of the...                    |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-38114         |
+------------------+------------------+----------+-------------------+-----------------------+-----------------------------------------------+
| libgs9           | CVE-2021-3781    | CRITICAL | 9.53.3~dfsg-7     | 9.53.3~dfsg-7+deb11u1 | ghostscript: sandbox                          |
|                  |                  |          |                   |                       | escape using '%pipe%'                         |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-3781          |
+------------------+                  +          +                   +                       +                                               +
| libgs9-common    |                  |          |                   |                       |                                               |
|                  |                  |          |                   |                       |                                               |
|                  |                  |          |                   |                       |                                               |
+------------------+------------------+----------+-------------------+-----------------------+-----------------------------------------------+
| libgssapi-krb5-2 | CVE-2021-37750   | MEDIUM   | 1.18.3-6          | 1.18.3-6+deb11u1      | krb5: NULL pointer dereference                |
|                  |                  |          |                   |                       | in process_tgs_req() in                       |
|                  |                  |          |                   |                       | kdc/do_tgs_req.c via a FAST inner...          |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-37750         |
+------------------+                  +          +                   +                       +                                               +
| libk5crypto3     |                  |          |                   |                       |                                               |
|                  |                  |          |                   |                       |                                               |
|                  |                  |          |                   |                       |                                               |
|                  |                  |          |                   |                       |                                               |
+------------------+                  +          +                   +                       +                                               +
| libkrb5-3        |                  |          |                   |                       |                                               |
|                  |                  |          |                   |                       |                                               |
|                  |                  |          |                   |                       |                                               |
|                  |                  |          |                   |                       |                                               |
+------------------+                  +          +                   +                       +                                               +
| libkrb5support0  |                  |          |                   |                       |                                               |
|                  |                  |          |                   |                       |                                               |
|                  |                  |          |                   |                       |                                               |
|                  |                  |          |                   |                       |                                               |
+------------------+------------------+----------+-------------------+-----------------------+-----------------------------------------------+
| libpq-dev        | CVE-2021-23214   | HIGH     | 13.3-1            | 13.5-0+deb11u1        | postgresql: server                            |
|                  |                  |          |                   |                       | processes unencrypted bytes                   |
|                  |                  |          |                   |                       | from man-in-the-middle                        |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-23214         |
+                  +------------------+----------+                   +-----------------------+-----------------------------------------------+
|                  | CVE-2021-3677    | MEDIUM   |                   | 13.4-0+deb11u1        | postgresql: memory                            |
|                  |                  |          |                   |                       | disclosure in certain queries                 |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-3677          |
+                  +------------------+----------+                   +-----------------------+-----------------------------------------------+
|                  | CVE-2021-23222   | LOW      |                   | 13.5-0+deb11u1        | postgresql: libpq                             |
|                  |                  |          |                   |                       | processes unencrypted bytes                   |
|                  |                  |          |                   |                       | from man-in-the-middle                        |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-23222         |
+------------------+------------------+----------+                   +                       +-----------------------------------------------+
| libpq5           | CVE-2021-23214   | HIGH     |                   |                       | postgresql: server                            |
|                  |                  |          |                   |                       | processes unencrypted bytes                   |
|                  |                  |          |                   |                       | from man-in-the-middle                        |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-23214         |
+                  +------------------+----------+                   +-----------------------+-----------------------------------------------+
|                  | CVE-2021-3677    | MEDIUM   |                   | 13.4-0+deb11u1        | postgresql: memory                            |
|                  |                  |          |                   |                       | disclosure in certain queries                 |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-3677          |
+                  +------------------+----------+                   +-----------------------+-----------------------------------------------+
|                  | CVE-2021-23222   | LOW      |                   | 13.5-0+deb11u1        | postgresql: libpq                             |
|                  |                  |          |                   |                       | processes unencrypted bytes                   |
|                  |                  |          |                   |                       | from man-in-the-middle                        |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-23222         |
+------------------+------------------+----------+-------------------+-----------------------+-----------------------------------------------+
| libssh-gcrypt-4  | CVE-2021-3634    | MEDIUM   | 0.9.5-1           | 0.9.5-1+deb11u1       | libssh: possible heap-based                   |
|                  |                  |          |                   |                       | buffer overflow when rekeying                 |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-3634          |
+------------------+------------------+----------+-------------------+-----------------------+-----------------------------------------------+
| libssl1.1        | CVE-2021-3711    | CRITICAL | 1.1.1k-1          | 1.1.1k-1+deb11u1      | openssl: SM2 Decryption                       |
|                  |                  |          |                   |                       | Buffer Overflow                               |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-3711          |
+                  +------------------+----------+                   +                       +-----------------------------------------------+
|                  | CVE-2021-3712    | HIGH     |                   |                       | openssl: Read buffer overruns                 |
|                  |                  |          |                   |                       | processing ASN.1 strings                      |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-3712          |
+------------------+------------------+----------+-------------------+-----------------------+-----------------------------------------------+
| libswresample3   | CVE-2021-38171   | CRITICAL | 7:4.3.2-0+deb11u2 | 7:4.3.3-0+deb11u1     | adts_decode_extradata in                      |
|                  |                  |          |                   |                       | libavformat/adtsenc.c in                      |
|                  |                  |          |                   |                       | FFmpeg 4.4 does not check                     |
|                  |                  |          |                   |                       | the init_get_bits return...                   |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-38171         |
+                  +------------------+----------+                   +                       +-----------------------------------------------+
|                  | CVE-2020-20450   | HIGH     |                   |                       | FFmpeg 4.2 is affected by                     |
|                  |                  |          |                   |                       | null pointer dereference                      |
|                  |                  |          |                   |                       | passed as argument to...                      |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-20450         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2020-21688   |          |                   |                       | A heap-use-after-free in the                  |
|                  |                  |          |                   |                       | av_freep function in libavutil/mem.c          |
|                  |                  |          |                   |                       | of FFmpeg 4.2 allows...                       |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-21688         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2021-38291   |          |                   |                       | FFmpeg version (git commit                    |
|                  |                  |          |                   |                       | de8e6e67e7523e48bb27ac224a0b446df05e1640)     |
|                  |                  |          |                   |                       | suffers from a an assertion failure at...     |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-38291         |
+                  +------------------+----------+                   +                       +-----------------------------------------------+
|                  | CVE-2020-20445   | MEDIUM   |                   |                       | FFmpeg 4.2 is affected by a Divide By         |
|                  |                  |          |                   |                       | Zero issue via libavcodec/lpc.h,...           |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-20445         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2020-20446   |          |                   |                       | FFmpeg 4.2 is affected by                     |
|                  |                  |          |                   |                       | a Divide By Zero issue via                    |
|                  |                  |          |                   |                       | libavcodec/aacpsy.c,...                       |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-20446         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2020-20453   |          |                   |                       | FFmpeg 4.2 is affected by                     |
|                  |                  |          |                   |                       | a Divide By Zero issue via                    |
|                  |                  |          |                   |                       | libavcodec/aaccoder,...                       |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-20453         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2020-21697   |          |                   |                       | A heap-use-after-free in the                  |
|                  |                  |          |                   |                       | mpeg_mux_write_packet function                |
|                  |                  |          |                   |                       | in libavformat/mpegenc.c                      |
|                  |                  |          |                   |                       | of FFmpeg 4.2 allows...                       |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-21697         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2020-22037   |          |                   |                       | A Denial of Service vulnerability             |
|                  |                  |          |                   |                       | exists in FFmpeg 4.2 due to a...              |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-22037         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2020-22042   |          |                   |                       | A Denial of Service vulnerability             |
|                  |                  |          |                   |                       | exists in FFmpeg 4.2 due to a...              |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-22042         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2021-38114   |          |                   |                       | libavcodec/dnxhddec.c in                      |
|                  |                  |          |                   |                       | FFmpeg 4.4 does not check                     |
|                  |                  |          |                   |                       | the return value of the...                    |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-38114         |
+------------------+------------------+----------+-------------------+-----------------------+-----------------------------------------------+
| linux-libc-dev   | CVE-2020-16119   | HIGH     | 5.10.46-4         | 5.10.46-5             | kernel: DCCP CCID structure                   |
|                  |                  |          |                   |                       | use-after-free may lead to                    |
|                  |                  |          |                   |                       | DoS or code execution...                      |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-16119         |
+                  +------------------+          +                   +-----------------------+-----------------------------------------------+
|                  | CVE-2021-20322   |          |                   | 5.10.70-1             | kernel: new DNS Cache                         |
|                  |                  |          |                   |                       | Poisoning Attack based on ICMP                |
|                  |                  |          |                   |                       | fragment needed packets...                    |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-20322         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2021-35039   |          |                   |                       | kernel: allows loading                        |
|                  |                  |          |                   |                       | unsigned kernel modules                       |
|                  |                  |          |                   |                       | via init_module syscall                       |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-35039         |
+                  +------------------+          +                   +-----------------------+-----------------------------------------------+
|                  | CVE-2021-3653    |          |                   | 5.10.46-5             | kernel: SVM nested virtualization             |
|                  |                  |          |                   |                       | issue in KVM (AVIC support)                   |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-3653          |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2021-3656    |          |                   |                       | kernel: SVM nested virtualization             |
|                  |                  |          |                   |                       | issue in KVM (VMLOAD/VMSAVE)                  |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-3656          |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2021-37576   |          |                   |                       | kernel: powerpc: KVM guest                    |
|                  |                  |          |                   |                       | OS users can cause host                       |
|                  |                  |          |                   |                       | OS memory corruption...                       |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-37576         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2021-38160   |          |                   |                       | kernel: data corruption                       |
|                  |                  |          |                   |                       | or loss can be triggered                      |
|                  |                  |          |                   |                       | by an untrusted device...                     |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-38160         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2021-38166   |          |                   |                       | kernel: integer overflow                      |
|                  |                  |          |                   |                       | and out-of-bounds write                       |
|                  |                  |          |                   |                       | in kernel/bpf/hashtab.c                       |
|                  |                  |          |                   |                       | when many elements are...                     |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-38166         |
+                  +------------------+          +                   +-----------------------+-----------------------------------------------+
|                  | CVE-2021-38300   |          |                   | 5.10.70-1             | kernel: crafting anomalous                    |
|                  |                  |          |                   |                       | machine code may lead to                      |
|                  |                  |          |                   |                       | arbitrary Kernel code execution...            |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-38300         |
+                  +------------------+          +                   +-----------------------+-----------------------------------------------+
|                  | CVE-2021-40490   |          |                   | 5.10.46-5             | kernel: race condition was discovered         |
|                  |                  |          |                   |                       | in ext4_write_inline_data_end in              |
|                  |                  |          |                   |                       | fs/ext4/inline.c in the ext4...               |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-40490         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2021-41073   |          |                   |                       | kernel: local user                            |
|                  |                  |          |                   |                       | privilege escalation via                      |
|                  |                  |          |                   |                       | loop_rw_iter in fs/io_uring.c                 |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-41073         |
+                  +------------------+          +                   +-----------------------+-----------------------------------------------+
|                  | CVE-2021-42008   |          |                   | 5.10.70-1             | kernel: slab out-of-bounds                    |
|                  |                  |          |                   |                       | write in decode_data() in                     |
|                  |                  |          |                   |                       | drivers/net/hamradio/6pack.c                  |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-42008         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2021-42252   |          |                   |                       | kernel: memory overwrite in                   |
|                  |                  |          |                   |                       | the kernel with potential                     |
|                  |                  |          |                   |                       | privileges execution                          |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-42252         |
+                  +------------------+----------+                   +                       +-----------------------------------------------+
|                  | CVE-2020-26541   | MEDIUM   |                   |                       | kernel: security bypass                       |
|                  |                  |          |                   |                       | in certs/blacklist.c and                      |
|                  |                  |          |                   |                       | certs/system_keyring.c                        |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-26541         |
+                  +------------------+          +                   +-----------------------+-----------------------------------------------+
|                  | CVE-2020-3702    |          |                   | 5.10.46-5             | kernel: ath9k: information                    |
|                  |                  |          |                   |                       | disclosure via specifically                   |
|                  |                  |          |                   |                       | timed and handcrafted traffic                 |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2020-3702          |
+                  +------------------+          +                   +-----------------------+-----------------------------------------------+
|                  | CVE-2021-0920    |          |                   | 5.10.70-1             | [Unknown description]                         |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-0920          |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2021-20320   |          |                   |                       | kernel: s390 eBPF JIT                         |
|                  |                  |          |                   |                       | miscompilation issues fixes                   |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-20320         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2021-34866   |          |                   |                       | kernel: eBPF verification flaw                |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-34866         |
+                  +------------------+          +                   +-----------------------+-----------------------------------------------+
|                  | CVE-2021-3679    |          |                   | 5.10.46-5             | kernel: DoS in rb_per_cpu_empty()             |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-3679          |
+                  +------------------+          +                   +-----------------------+-----------------------------------------------+
|                  | CVE-2021-37159   |          |                   | 5.10.70-1             | kernel: use-after-free                        |
|                  |                  |          |                   |                       | in hso_free_net_device()                      |
|                  |                  |          |                   |                       | in drivers/net/usb/hso.c                      |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-37159         |
+                  +------------------+          +                   +-----------------------+-----------------------------------------------+
|                  | CVE-2021-3739    |          |                   | 5.10.46-5             | kernel: null-ptr-dereference                  |
|                  |                  |          |                   |                       | bug in btrfs_rm_device                        |
|                  |                  |          |                   |                       | in fs/btrfs/volumes.c                         |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-3739          |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2021-3743    |          |                   |                       | kernel: out-of-bound Read                     |
|                  |                  |          |                   |                       | in qrtr_endpoint_post                         |
|                  |                  |          |                   |                       | in net/qrtr/qrtr.c                            |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-3743          |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2021-3753    |          |                   |                       | kernel: a race                                |
|                  |                  |          |                   |                       | out-of-bound read in vt                       |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-3753          |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2021-38199   |          |                   |                       | kernel: incorrect connection-setup            |
|                  |                  |          |                   |                       | ordering allows operators of                  |
|                  |                  |          |                   |                       | remote NFSv4 servers to cause...              |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-38199         |
+                  +------------------+----------+                   +                       +-----------------------------------------------+
|                  | CVE-2021-3732    | LOW      |                   |                       | kernel: overlayfs: Mounting                   |
|                  |                  |          |                   |                       | overlayfs inside an unprivileged              |
|                  |                  |          |                   |                       | user namespace can reveal files...            |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-3732          |
+                  +------------------+          +                   +-----------------------+-----------------------------------------------+
|                  | CVE-2021-38204   |          |                   | 5.10.70-1             | kernel: use-after-free and panic in           |
|                  |                  |          |                   |                       | drivers/usb/host/max3421-hcd.c by             |
|                  |                  |          |                   |                       | removing a MAX-3421 USB device...             |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-38204         |
+                  +------------------+          +                   +                       +-----------------------------------------------+
|                  | CVE-2021-38205   |          |                   |                       | kernel:                                       |
|                  |                  |          |                   |                       | drivers/net/ethernet/xilinx/xilinx_emaclite.c |
|                  |                  |          |                   |                       | prints the real IOMEM pointer                 |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-38205         |
+------------------+------------------+----------+-------------------+-----------------------+-----------------------------------------------+
| openssl          | CVE-2021-3711    | CRITICAL | 1.1.1k-1          | 1.1.1k-1+deb11u1      | openssl: SM2 Decryption                       |
|                  |                  |          |                   |                       | Buffer Overflow                               |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-3711          |
+                  +------------------+----------+                   +                       +-----------------------------------------------+
|                  | CVE-2021-3712    | HIGH     |                   |                       | openssl: Read buffer overruns                 |
|                  |                  |          |                   |                       | processing ASN.1 strings                      |
|                  |                  |          |                   |                       | -->avd.aquasec.com/nvd/cve-2021-3712          |
+------------------+------------------+----------+-------------------+-----------------------+-----------------------------------------------+

Python (python-pkg)
===================
Total: 3 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| Pillow   | CVE-2021-23437   | HIGH     | 8.3.1             | 8.3.2         | python-pillow: possible               |
|          |                  |          |                   |               | ReDoS via the getrgb function         |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23437 |
+          +------------------+----------+                   +               +---------------------------------------+
|          | pyup.io-41277    | UNKNOWN  |                   |               | Pillow 8.3.2 fixes a 6-byte           |
|          |                  |          |                   |               | out-of-bounds (OOB) read. The         |
|          |                  |          |                   |               | previous bounds check...              |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| sqlparse | CVE-2021-32839   | HIGH     | 0.4.1             | 0.4.2         | python-sqlparse: ReDoS via regular    |
|          |                  |          |                   |               | expression in StripComments filter    |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-32839 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+

Just re-building the image gets rid of the OS vulnerabilities, which I set up as tgbyte/paperless-ng. In the long run, however, I think it would be great if the official image came with regular security updates.

This leaves Python package vulnerabilities, the relevance of which I am not sure about (and that would probably need to be fixed by a new release that updates requirements.txt).

Thanks, Thilo

flbraun commented 2 years ago

If I'm not mistaken the official Docker image is built using GitHub Actions. The image job could be scheduled to be rebuilt periodically. Would be great if the scheduled action would check if there are any pending critical updates before building and publishing a new image, to keep the noise for users to a minimum.

For Python dependencies we could use GitHub's Dependabot.
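
One way to implement the gate suggested above (rebuild the image on a schedule, but only publish when the base packages actually have pending security fixes), as an added example that is not part of paperless-ng, its CI, or this thread. It assumes a Debian-based image, the docker CLI on PATH, and the image name as the first argument; the parser targets the `Inst ...` lines printed by `apt-get -s upgrade`. apt does not report severity, so the `*-security` suite is used as the proxy for "security fix"; for a severity-aware gate you would rescan the rebuilt image with trivy instead. The apt output embedded below is constructed for the offline check (the libssl1.1/openssl versions mirror the trivy table above, the tzdata line is made up):

```sh
#!/bin/sh
# Added example for this thread, not code from paperless-ng or its CI:
# a pre-build gate for a scheduled image rebuild. Assumed: Debian-based
# image, docker CLI available, image name passed as $1.

# Read `apt-get -s upgrade` output on stdin and print one
# "<package> <installed> <candidate>" line per pending update that comes
# from a *-security suite. Relevant input lines look like:
#   Inst libssl1.1 [1.1.1k-1] (1.1.1k-1+deb11u1 Debian-Security:11/stable-security [amd64])
# Packages without an installed version ("Inst pkg (ver origin [arch])")
# shift the fields by one, so both shapes are handled.
pending_security_updates() {
    awk '$1 == "Inst" {
        if ($3 ~ /^\[/) {
            old = $3; sub(/^\[/, "", old); sub(/\]$/, "", old)
            new = $4; origin = $5
        } else {
            old = "-"; new = $3; origin = $4
        }
        sub(/^\(/, "", new)
        if (origin ~ /-security$/) print $2, old, new
    }'
}

# Number of pending security updates on stdin, as a bare integer.
count_security_updates() {
    pending_security_updates | wc -l | tr -d ' '
}

# Exit 0 when a rebuild is warranted, 1 otherwise.
rebuild_needed() {
    [ "$(count_security_updates)" -gt 0 ]
}

# Simulate the upgrade inside the published image (needs network access).
# --entrypoint bypasses the image's own entrypoint so only apt runs.
simulate_upgrade_in_image() {
    docker run --rm --entrypoint /bin/sh "$1" -c \
        'apt-get update -qq >/dev/null && apt-get -s upgrade'
}

# Constructed sample of `apt-get -s upgrade` output (not captured from the
# real image); used to exercise the parser offline.
SAMPLE_APT_OUTPUT='Reading package lists...
Building dependency tree...
The following packages will be upgraded:
  libssl1.1 openssl tzdata
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst libssl1.1 [1.1.1k-1] (1.1.1k-1+deb11u1 Debian-Security:11/stable-security [amd64])
Conf libssl1.1 (1.1.1k-1+deb11u1 Debian-Security:11/stable-security [amd64])
Inst openssl [1.1.1k-1] (1.1.1k-1+deb11u1 Debian-Security:11/stable-security [amd64])
Conf openssl (1.1.1k-1+deb11u1 Debian-Security:11/stable-security [amd64])
Inst tzdata [2021a-1] (2021e-0+deb11u1 Debian:11.2/stable [all])
Conf tzdata (2021e-0+deb11u1 Debian:11.2/stable [all])'

# Usage: ./gate.sh jonaswinkler/paperless-ng
# Exit 0 (and list the packages) when the image should be rebuilt, 1 otherwise.
if [ "$#" -gt 0 ]; then
    updates=$(simulate_upgrade_in_image "$1" | pending_security_updates)
    if [ -n "$updates" ]; then
        printf 'pending security updates in %s:\n%s\n' "$1" "$updates"
        exit 0
    fi
    printf 'no pending security updates in %s, skipping rebuild\n' "$1"
    exit 1
fi
```

In a scheduled workflow the gate runs as the first step against the currently published tag; the build-and-push steps run only when it exits 0, so a nightly schedule produces a new image only on days Debian actually shipped a fix for something in the image. On the constructed sample the gate reports libssl1.1 and openssl and ignores tzdata, whose candidate comes from the plain stable suite.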

siancu commented 2 years ago

I think Dependabot is already used, I saw a few pull requests from the bot ...

flbraun commented 2 years ago

Yes, you're right. E.g. #1304 #1288.