Closed sonpham96 closed 2 weeks ago
There are still a lot of security vulnerabilities in Cadence v1.2.9
release. Scan results:
Scan results for: image ubercadence/server:v1.2.9 sha256:91d5b52428fe2cc5bc18e940c0b73f6a758fa38790c1b62a7f7499d41084e716
Vulnerabilities
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS | PUBLISHED | DISCOVERED | DESCRIPTION |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2016-5397 | high | 8.80 | github.com/apache/thrift | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.10.0 | > 6 years | < 1 hour | The Apache Thrift Go client library exposed the |
| | | | | | > 9 months ago | | | potential during code generation for command |
| | | | | | | | | injection due to using an external formatting |
| | | | | | | | | tool. Affec... |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2019-0210 | high | 7.50 | github.com/apache/thrift/lib/go/thrift | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.13.0 | > 4 years | < 1 hour | In Apache Thrift 0.9.3 to 0.12.0, a server |
| | | | | | > 4 years ago | | | implemented in Go using TJSONProtocol or |
| | | | | | | | | TSimpleJSONProtocol may panic when feed with |
| | | | | | | | | invalid input data. |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-6992 | medium | 5.50 | zlib | 1.2.13-r1 | | > 4 months | < 1 hour | Cloudflare version of zlib library was found |
| | | | | | | | | to be vulnerable to memory corruption issues |
| | | | | | | | | affecting the deflation algorithm implementation |
| | | | | | | | | (deflate.c)... |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42366 | medium | 5.50 | busybox | 1.36.1-r5 | fixed in 1.36.1-r6 | > 5 months | < 1 hour | A heap-buffer-overflow was discovered in BusyBox |
| | | | | | 1 days ago | | | v.1.36.1 in the next_token function at awk.c:1159. |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42366 | medium | 5.50 | busybox | 1.36.1 | | > 5 months | < 1 hour | A heap-buffer-overflow was discovered in BusyBox |
| | | | | | | | | v.1.36.1 in the next_token function at awk.c:1159. |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42365 | medium | 5.50 | busybox | 1.36.1 | | > 5 months | < 1 hour | A use-after-free vulnerability was discovered in |
| | | | | | | | | BusyBox v.1.36.1 via a crafted awk pattern in the |
| | | | | | | | | awk.c copyvar function. |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42364 | medium | 5.50 | busybox | 1.36.1 | | > 5 months | < 1 hour | A use-after-free vulnerability in BusyBox v.1.36.1 |
| | | | | | | | | allows attackers to cause a denial of service |
| | | | | | | | | via a crafted awk pattern in the awk.c evaluate |
| | | | | | | | | funct... |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-42363 | medium | 5.50 | busybox | 1.36.1 | | > 5 months | < 1 hour | A use-after-free vulnerability was discovered |
| | | | | | | | | in xasprintf function in xfuncs_printf.c:344 in |
| | | | | | | | | BusyBox v.1.36.1. |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786 | moderate | 0.00 | google.golang.org/protobuf/internal/encoding/json | v1.31.0 | fixed in 1.33.0 | 75 days | < 1 hour | The protojson.Unmarshal function can enter an |
| | | | | | 75 days ago | | | infinite loop when unmarshaling certain forms |
| | | | | | | | | of invalid JSON. This condition can occur when |
| | | | | | | | | unmarshalin... |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2024-24786 | moderate | 0.00 | google.golang.org/protobuf/encoding/protojson | v1.31.0 | fixed in 1.33.0 | 75 days | < 1 hour | The protojson.Unmarshal function can enter an |
| | | | | | 75 days ago | | | infinite loop when unmarshaling certain forms |
| | | | | | | | | of invalid JSON. This condition can occur when |
| | | | | | | | | unmarshalin... |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2023-45288 | moderate | 0.00 | golang.org/x/net/http2 | v0.19.0 | fixed in 0.23.0 | 45 days | < 1 hour | An attacker may cause an HTTP/2 endpoint to |
| | | | | | 45 days ago | | | read arbitrary amounts of header data by sending |
| | | | | | | | | an excessive number of CONTINUATION frames. |
| | | | | | | | | Maintaining H... |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
| CVE-2024-2511 | low | 0.00 | openssl | 3.1.4-r5 | fixed in 3.1.4-r6 | 41 days | < 1 hour | Issue summary: Some non-default TLS server |
| | | | | | 40 days ago | | | configurations can cause unbounded memory growth |
| | | | | | | | | when processing TLSv1.3 sessions Impact summary: |
| | | | | | | | | An attac... |
+----------------+----------+------+---------------------------------------------------+------------------------------------+--------------------+------------+------------+----------------------------------------------------+
Vulnerabilities found for image ubercadence/server:v1.2.9: total - 12, critical - 0, high - 2, medium - 9, low - 1
Vulnerability threshold check results: PASS
Compliance Issues
+----------+------------------------------------------------------------------------+
| SEVERITY | DESCRIPTION |
+----------+------------------------------------------------------------------------+
| high | (CIS_Docker_v1.5.0 - 4.1) Image should be created with a non-root user |
+----------+------------------------------------------------------------------------+
| high | Private keys stored in image |
+----------+------------------------------------------------------------------------+
Compliance found for image ubercadence/server:v1.2.9: total - 2, critical - 0, high - 2, medium - 0, low - 0
Compliance threshold check results: PASS
Version of Cadence server, and client(which language) This is very important to root cause bugs.
v1.2.8
Describe the bug There are a lot of CVEs found from the latest Cadence image:
ubercadence/server:v1.2.8
To Reproduce Is the issue reproducible?
Steps to reproduce the behavior:
ubercadence/server:v1.2.8
from DockerhubExpected behavior A clear and concise description of what you expected to happen.
Screenshots Scan results:
Additional context Add any other context about the problem here, E.g. Stackstace, workflow history.