operator-framework / operator-lifecycle-manager

A management framework for extending Kubernetes with Operators
https://olm.operatorframework.io
Apache License 2.0

Aquascan reporting critical vulnerability for CVE-2024-41110 #3418

Closed kvijai82 closed 2 weeks ago

kvijai82 commented 2 weeks ago

Bug Report

What did you do? Ran aquascan against quay.io/operator-framework/olm:v0.28.0 and it flagged the image as being vulnerable to a critical CVE, CVE-2024-41110. Can the image please be updated to remediate this CVE?

| cve | sev | epss | package | type | version | fixedIn | arch | path |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2024-41110 | critical (aqua) | 0.045% | github.com/docker/docker | go (aqua) | 25.0.5+incompatible (aqua) | 27.1.1 (aqua) | amd64 | /bin/olm:/bin/cpb:/bin/catalog (aqua) |


What did you expect to see? Critical CVEs should be remediated.

What did you see instead? Under which circumstances? Critical CVE was flagged by Aquascan.

Environment

v0.28.0 / quay.io/operator-framework/olm@sha256:40d0363f4aa684319cd721c2fcf3321785380fdc74de8ef821317cd25a10782a

N/A

m1kola commented 2 weeks ago

I just published v0.29.0 which uses fixed github.com/docker/docker v27.1.1+incompatible.

Please update to the latest release.
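An added check, not code from this thread or from the operator-lifecycle-manager project: the module and version the scanner reports come from the build info that the Go toolchain embeds in each binary, which `go version -m /bin/olm` prints once the binary is copied out of the image. The program below parses that output with `runtime/debug.ParseBuildInfo`, looks up the version of `github.com/docker/docker` that is actually linked in (following a `=>` replace line if present), and compares it against the fixed version, ignoring the `+incompatible` build-metadata suffix and treating pre-release and pseudo-versions as older than the release they precede. The two inputs are constructed samples in the shape of `go version -m` output, not real output from the v0.28.0 or v0.29.0 images, and the module sums are placeholders.

```go
package main

import (
	"fmt"
	"runtime/debug"
	"strconv"
	"strings"
)

// Finding records what the check found for one module in one binary.
type Finding struct {
	Module  string
	Version string // "" when the module is not linked into the binary
	FixedIn string
	Fixed   bool // Version is at least FixedIn (false when the module is absent)
}

// Constructed samples (NOT real output from the OLM images; sums are placeholders)
// in the shape `go version -m /bin/olm` prints: a header line, then tab-indented
// path/mod/dep lines, with "=>" lines for replace directives.
const sampleVulnerable = "/bin/olm: go1.22.5\n" +
	"\tpath\tgithub.com/operator-framework/operator-lifecycle-manager/cmd/olm\n" +
	"\tmod\tgithub.com/operator-framework/operator-lifecycle-manager\t(devel)\n" +
	"\tdep\tgithub.com/docker/docker\tv25.0.5+incompatible\th1:placeholder=\n" +
	"\tdep\tk8s.io/client-go\tv0.30.0\th1:placeholder=\n"

const samplePatched = "/bin/olm: go1.22.5\n" +
	"\tpath\tgithub.com/operator-framework/operator-lifecycle-manager/cmd/olm\n" +
	"\tmod\tgithub.com/operator-framework/operator-lifecycle-manager\t(devel)\n" +
	"\tdep\tgithub.com/docker/docker\tv25.0.5+incompatible\th1:placeholder=\n" +
	"\t=>\tgithub.com/docker/docker\tv27.1.1+incompatible\th1:placeholder=\n" +
	"\tdep\tk8s.io/client-go\tv0.30.0\th1:placeholder=\n"

// normalizeGoVersionOutput converts `go version -m` output (or raw BuildInfo text)
// into what debug.ParseBuildInfo expects: drop the "<binary>: goX.Y" header and
// the leading tab, keep only the build-info record lines, newline-terminate each.
func normalizeGoVersionOutput(out string) string {
	var b strings.Builder
	for _, line := range strings.Split(out, "\n") {
		line = strings.TrimPrefix(line, "\t")
		for _, key := range []string{"path\t", "mod\t", "dep\t", "=>\t", "build\t"} {
			if strings.HasPrefix(line, key) {
				b.WriteString(line)
				b.WriteByte('\n')
				break
			}
		}
	}
	return b.String()
}

type semver struct {
	core [3]int
	pre  string // pre-release part, "" for a release
}

// parseSemver handles the version forms seen in build info: "v27.1.1",
// "v27.1.1+incompatible", "v27.1.1-rc1" and pseudo-versions such as
// "v0.0.0-20240101000000-abcdef123456". Build metadata after "+" is ignored.
func parseSemver(v string) (semver, error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i]
	}
	var s semver
	if i := strings.IndexByte(v, '-'); i >= 0 {
		s.pre, v = v[i+1:], v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return semver{}, fmt.Errorf("%q is not a semantic version", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return semver{}, fmt.Errorf("%q is not a semantic version", v)
		}
		s.core[i] = n
	}
	return s, nil
}

// compareSemver returns -1, 0 or 1; a pre-release sorts below its release.
func compareSemver(a, b semver) int {
	for i := range a.core {
		if a.core[i] != b.core[i] {
			if a.core[i] < b.core[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case a.pre == b.pre:
		return 0
	case a.pre == "":
		return 1
	case b.pre == "":
		return -1
	default:
		return strings.Compare(a.pre, b.pre)
	}
}

// linkedVersion returns the version of modPath that is actually linked in:
// the replacement's version when a replace directive is recorded, else the dep's.
func linkedVersion(bi *debug.BuildInfo, modPath string) (string, bool) {
	for _, m := range bi.Deps {
		if m.Path != modPath {
			continue
		}
		if m.Replace != nil {
			return m.Replace.Version, true
		}
		return m.Version, true
	}
	return "", false
}

// checkBinary reports whether the binary described by goVersionOutput links
// modPath at a version of at least fixedIn.
func checkBinary(goVersionOutput, modPath, fixedIn string) (Finding, error) {
	bi, err := debug.ParseBuildInfo(normalizeGoVersionOutput(goVersionOutput))
	if err != nil {
		return Finding{}, err
	}
	f := Finding{Module: modPath, FixedIn: fixedIn}
	v, ok := linkedVersion(bi, modPath)
	if !ok {
		return f, nil
	}
	f.Version = v
	have, err := parseSemver(v)
	if err != nil {
		return f, err
	}
	want, err := parseSemver(fixedIn)
	if err != nil {
		return f, err
	}
	f.Fixed = compareSemver(have, want) >= 0
	return f, nil
}

func main() {
	for _, out := range []string{sampleVulnerable, samplePatched} {
		f, err := checkBinary(out, "github.com/docker/docker", "v27.1.1")
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s: linked %q, fixed in %s, fixed=%v\n", f.Module, f.Version, f.FixedIn, f.Fixed)
	}
}
```

To run it against a real image rather than the constructed samples, copy the binary out without starting a container (`id=$(docker create quay.io/operator-framework/olm:v0.29.0); docker cp "$id":/bin/olm ./olm; docker rm "$id"`), then feed `go version -m ./olm` to `checkBinary`; repeat for `/bin/cpb` and `/bin/catalog`, since the scanner flagged all three. The replace handling matters because a scanner that reads only the `dep` line would keep reporting the old version after a `replace`-based fix.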