Closed aleksandr-vin closed 2 years ago
Running trivy on the image discovered these vulns:
25-Mar-2022 13:05:30 | mdawar/rq-exporter:latest (debian 10.11)
========================================
Total: 8 (CRITICAL: 8)

LIBRARY    VULNERABILITY ID  SEVERITY  INSTALLED VERSION  FIXED VERSION    TITLE
libexpat1  CVE-2022-22822    CRITICAL  2.2.6-2+deb10u1    2.2.6-2+deb10u2  expat: Integer overflow in addBinding in xmlparse.c  -->avd.aquasec.com/nvd/cve-2022-22822
libexpat1  CVE-2022-22823    CRITICAL  2.2.6-2+deb10u1    2.2.6-2+deb10u2  expat: Integer overflow in build_model in xmlparse.c  -->avd.aquasec.com/nvd/cve-2022-22823
libexpat1  CVE-2022-22824    CRITICAL  2.2.6-2+deb10u1    2.2.6-2+deb10u2  expat: Integer overflow in defineAttribute in xmlparse.c  -->avd.aquasec.com/nvd/cve-2022-22824
libexpat1  CVE-2022-23852    CRITICAL  2.2.6-2+deb10u1    2.2.6-2+deb10u2  expat: Integer overflow in function XML_GetBuffer  -->avd.aquasec.com/nvd/cve-2022-23852
libexpat1  CVE-2022-23990    CRITICAL  2.2.6-2+deb10u1    2.2.6-2+deb10u2  expat: integer overflow in the doProlog function  -->avd.aquasec.com/nvd/cve-2022-23990
libexpat1  CVE-2022-25235    CRITICAL  2.2.6-2+deb10u1    2.2.6-2+deb10u3  expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code...  -->avd.aquasec.com/nvd/cve-2022-25235
libexpat1  CVE-2022-25236    CRITICAL  2.2.6-2+deb10u1    2.2.6-2+deb10u3  expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code...  -->avd.aquasec.com/nvd/cve-2022-25236
libexpat1  CVE-2022-25315    CRITICAL  2.2.6-2+deb10u1    2.2.6-2+deb10u3  expat: Integer overflow in storeRawNames()  -->avd.aquasec.com/nvd/cve-2022-25315
Image needs rebuilding to pick up security fixes in its base image.
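The practical question behind a report like the one above is which findings a rebuild will actually clear: every row here has a FIXED VERSION, so a fresh build against an updated debian 10 base resolves all eight, whereas a finding with no fixed version cannot be fixed by rebuilding and should be tracked rather than block CI. The script below is an added example, not code from rq-exporter or from Trivy. It assumes the layout Trivy emits with `--format json` (Results[].Vulnerabilities[] entries carrying VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Severity); the sample report is constructed to mirror the table in the issue, plus one placeholder entry with no fix so the unfixable path is exercised.

```python
"""CI gate over a Trivy JSON report: fail only on findings a rebuild can fix.

Added example for this issue thread, not code from rq-exporter or Trivy.
Assumes Trivy's `--format json` layout (Results[].Vulnerabilities[] with
VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity).
"""
import json
import sys

# Severities that should block the build when a distro fix already exists.
FAIL_ON = {"CRITICAL", "HIGH"}

# Constructed sample in the shape of `trivy image --format json <image>`:
# two rows from the issue plus a placeholder finding (not a real CVE or
# package) whose FixedVersion is empty, i.e. no upstream fix yet.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "mdawar/rq-exporter:latest (debian 10.11)",
        "Type": "debian",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2022-22822", "PkgName": "libexpat1",
             "InstalledVersion": "2.2.6-2+deb10u1",
             "FixedVersion": "2.2.6-2+deb10u2", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2022-25235", "PkgName": "libexpat1",
             "InstalledVersion": "2.2.6-2+deb10u1",
             "FixedVersion": "2.2.6-2+deb10u3", "Severity": "CRITICAL"},
            {"VulnerabilityID": "PLACEHOLDER-NO-FIX", "PkgName": "libexample",
             "InstalledVersion": "1.0-1", "FixedVersion": "",
             "Severity": "HIGH"},
        ],
    }],
})


def load_findings(report_text):
    """Flatten every Results[].Vulnerabilities[] entry into one list of dicts."""
    report = json.loads(report_text)
    findings = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "target": result.get("Target", ""),
                "id": vuln.get("VulnerabilityID", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN"),
            })
    return findings


def fixable(findings, fail_on=FAIL_ON):
    """Findings at a blocking severity for which the distro ships a fix."""
    return [f for f in findings if f["severity"] in fail_on and f["fixed"]]


def rebuild_targets(findings):
    """Map each package to the set of fixed versions the rebuild must reach.

    Debian version ordering is not plain string ordering, so the whole set is
    kept instead of guessing the newest; `apt-get upgrade` in the rebuilt
    image picks the highest available one anyway.
    """
    targets = {}
    for f in findings:
        targets.setdefault(f["pkg"], set()).add(f["fixed"])
    return targets


def gate(report_text, fail_on=FAIL_ON):
    """Return (exit_code, summary_lines): 1 if a rebuild would fix something."""
    findings = load_findings(report_text)
    blocking = fixable(findings, fail_on)
    unfixed = [f for f in findings
               if f["severity"] in fail_on and not f["fixed"]]
    lines = [f"{len(findings)} findings, {len(blocking)} fixable at "
             f"{sorted(fail_on)}, {len(unfixed)} with no upstream fix yet"]
    for pkg, versions in sorted(rebuild_targets(blocking).items()):
        lines.append(f"rebuild to move {pkg} to one of: "
                     f"{', '.join(sorted(versions))}")
    for f in unfixed:
        lines.append(f"no fix yet, not blocking: {f['id']} in "
                     f"{f['pkg']} {f['installed']}")
    return (1 if blocking else 0), lines


if __name__ == "__main__":
    # Pipe a real report in, or run with no input to use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    code, summary = gate(text)
    print("\n".join(summary))
    sys.exit(code)
```

Wired into a pipeline as `trivy image --format json mdawar/rq-exporter:latest | python gate.py`, the step fails precisely when the base image has fixes the published image has not picked up, which is the condition this issue reports; findings without a fix are listed but do not fail the build, so the gate does not go permanently red on something a rebuild cannot change.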
Hi,
Thank you for the info. I have created a new release, v1.9.3, which forced a new Docker image build.
v1.9.3