litmuschaos / chaos-exporter

Prometheus Exporter for Litmus Chaos Metrics
Apache License 2.0

Vulnerabilities in Chaos-Exporter Docker Image #131

Closed Nageshbansal closed 1 year ago

Nageshbansal commented 1 year ago

Is this a BUG REPORT or FEATURE REQUEST?

Choose one: BUG REPORT or FEATURE REQUEST

It's a BUG REPORT for chaos-exporter

What happened: I performed a Trivy scan on the chaos-exporter Docker image and discovered multiple vulnerabilities.

How to reproduce it (as minimally and precisely as possible): Perform a Trivy scan on the chaos-exporter Docker image using the latest available version.

Anything else we need to know?:

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| github.com/aws/aws-sdk-go | CVE-2020-8911 | MEDIUM | 1.38.59 | | aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto SDK for golang... (https://avd.aquasec.com/nvd/cve-2020-8911) |
| github.com/aws/aws-sdk-go | CVE-2020-8912 | LOW | 1.38.59 | | aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto SDK for golang... (https://avd.aquasec.com/nvd/cve-2020-8912) |
| golang.org/x/net | CVE-2022-41721 | HIGH | 0.0.0-20220906165146-f3363e06e74c | 0.1.1-0.20221104162952-702349b0e862 | x/net/http2/h2c: request smuggling (https://avd.aquasec.com/nvd/cve-2022-41721) |
| golang.org/x/net | CVE-2022-41723 | HIGH | 0.0.0-20220906165146-f3363e06e74c | 0.7.0 | avoid quadratic complexity in HPACK decoding (https://avd.aquasec.com/nvd/cve-2022-41723) |
| golang.org/x/net | CVE-2022-41717 | MEDIUM | 0.0.0-20220906165146-f3363e06e74c | 0.4.0 | excessive memory growth in a Go server accepting HTTP/2 requests (https://avd.aquasec.com/nvd/cve-2022-41717) |
| golang.org/x/net | GHSA-vvpx-j8f3-3w6h | UNKNOWN | 0.0.0-20220906165146-f3363e06e74c | 0.7.0 | Uncontrolled Resource Consumption (https://github.com/advisories/GHSA-vvpx-j8f3-3w6h) |
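A triage helper for findings like the ones above, added here as an example and not part of the chaos-exporter project or the reporter's scan: it reads Trivy's `--format json` output, works out the single version each Go module must be bumped to (the highest fixed version across that module's findings) and lists the findings with no fix available. The sample report is constructed to mirror the table in this issue; the field names (`Results`, `Vulnerabilities`, `PkgName`, `InstalledVersion`, `FixedVersion`) follow Trivy's JSON schema, and the version ordering is a deliberately simplified comparison of Go module versions.

```python
import json
import re

# Constructed sample in the shape of `trivy image --format json` output, reduced to
# the fields this triage uses and mirroring the findings reported in this issue.
_XNET = "0.0.0-20220906165146-f3363e06e74c"
TRIVY_JSON = json.dumps({"Results": [{"Target": "chaos-exporter", "Type": "gobinary",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2020-8911", "PkgName": "github.com/aws/aws-sdk-go",
         "InstalledVersion": "1.38.59", "FixedVersion": "", "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-2020-8912", "PkgName": "github.com/aws/aws-sdk-go",
         "InstalledVersion": "1.38.59", "FixedVersion": "", "Severity": "LOW"},
        {"VulnerabilityID": "CVE-2022-41721", "PkgName": "golang.org/x/net", "InstalledVersion": _XNET,
         "FixedVersion": "0.1.1-0.20221104162952-702349b0e862", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2022-41723", "PkgName": "golang.org/x/net", "InstalledVersion": _XNET,
         "FixedVersion": "0.7.0", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2022-41717", "PkgName": "golang.org/x/net", "InstalledVersion": _XNET,
         "FixedVersion": "0.4.0", "Severity": "MEDIUM"},
        {"VulnerabilityID": "GHSA-vvpx-j8f3-3w6h", "PkgName": "golang.org/x/net", "InstalledVersion": _XNET,
         "FixedVersion": "0.7.0", "Severity": "UNKNOWN"},
    ]}]})


def version_key(v):
    """Simplified Go module version ordering: numeric major.minor.patch, then a flag that
    ranks a tagged release above a pseudo-version/pre-release with the same numbers."""
    core, _, suffix = v.lstrip("v").partition("-")
    nums = tuple(int(x) for x in re.findall(r"\d+", core)[:3])
    return (nums + (0,) * (3 - len(nums)), 0 if suffix else 1, suffix)


def triage(report_json):
    """Per module: installed version, the one version to upgrade to (highest fixed version
    over all of that module's findings), and the finding IDs that have no fix yet."""
    plan = {}
    for result in json.loads(report_json)["Results"]:
        for v in result.get("Vulnerabilities", []):
            entry = plan.setdefault(v["PkgName"], {"installed": v["InstalledVersion"],
                                                   "upgrade_to": None, "unfixed": []})
            # Trivy may list several fixed versions separated by commas; take each one.
            fixed = [f.strip() for f in (v.get("FixedVersion") or "").split(",") if f.strip()]
            if not fixed:
                entry["unfixed"].append(v["VulnerabilityID"])
            for f in fixed:
                if entry["upgrade_to"] is None or version_key(f) > version_key(entry["upgrade_to"]):
                    entry["upgrade_to"] = f
    return plan


def go_get_commands(plan):
    """The `go get` lines that would resolve every fixable finding in the plan."""
    return [f"go get {m}@v{e['upgrade_to']}" for m, e in sorted(plan.items()) if e["upgrade_to"]]
```

For the findings in this issue the plan collapses the four golang.org/x/net entries into a single bump to 0.7.0 and flags the two aws-sdk-go CVEs as having no fixed version to move to.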