yuzutech / kroki

Creates diagrams from textual descriptions!
https://kroki.io
MIT License

CVEs needing attention #1713

Open DavidACastagna opened 4 months ago

DavidACastagna commented 4 months ago

I will forward this to hello@kroki.io as well. But:

The latest image (at the time of this issue) has the following vulnerabilities in the kroki JAR file:

com.google.guava:guava (Recommended fix is to upgrade from 30.1-jre to 32.0.0-android):

We're also seeing the following CVE/library in the image (Might be from the base image? I can't find go anywhere in the image though. Not sure why this is showing up.):

golang.org/x/crypto (Recommended fix is to upgrade from v0.16.0 to v0.17.0):

ggrossetie commented 4 months ago

com.google.guava:guava (Recommended fix is to upgrade from 30.1-jre to 32.0.0-android):

https://github.com/advisories/GHSA-7g45-4rm6-3mm3 https://github.com/advisories/GHSA-5mg8-w23w-74h3

Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 to 31.1 on Unix systems

We are not using FileBackedOutputStream and we are not creating a temporary directory, so we are not affected by this vulnerability.

golang.org/x/crypto (Recommended fix is to upgrade from v0.16.0 to v0.17.0):

https://github.com/advisories/GHSA-45x7-px36-x8w8

Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel

We are not using the SSH protocol.

DavidACastagna commented 4 months ago

Thanks for the speedy response!

DavidACastagna commented 4 months ago

Incidentally, the full trivy image scan for kroki 0.24.1 shows all of the following needing attention: kroki-0.24.1.trivy.json

Is there any plan to address any of these?
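The thread above is a typical triage exchange: a scanner lists advisories by package, and the maintainer records why two of them do not apply. The script below, an added example that is not part of the issue or of the kroki project, reads a report in Trivy's JSON layout and applies such "not affected" decisions, so the remaining open findings can be listed with the `Target` that Trivy attributes them to (which is how one would locate the Go binary the reporter could not find). The report content, the file path `usr/bin/some-go-tool` and the `NOT_AFFECTED` table are constructed for the example; the package names, versions and GHSA identifiers are the ones quoted in the thread.

```python
"""Triage a Trivy JSON report against documented 'not affected' decisions."""
import json

# Constructed sample in Trivy's JSON layout; this is NOT a real kroki scan.
# Only the package names, versions and advisory IDs come from the issue.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "yuzutech/kroki:0.24.1",
    "Results": [
        {"Target": "kroki.jar", "Class": "lang-pkgs", "Type": "jar",
         "Vulnerabilities": [
             {"VulnerabilityID": "GHSA-7g45-4rm6-3mm3", "PkgName": "com.google.guava:guava",
              "InstalledVersion": "30.1-jre", "FixedVersion": "32.0.0-android", "Severity": "MEDIUM"},
             {"VulnerabilityID": "GHSA-5mg8-w23w-74h3", "PkgName": "com.google.guava:guava",
              "InstalledVersion": "30.1-jre", "FixedVersion": "32.0.0-android", "Severity": "MEDIUM"}]},
        # Hypothetical Go binary path: Trivy's Target field is what pins a
        # golang.org/x/crypto finding to a concrete file inside the image.
        {"Target": "usr/bin/some-go-tool", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "GHSA-45x7-px36-x8w8", "PkgName": "golang.org/x/crypto",
              "InstalledVersion": "v0.16.0", "FixedVersion": "v0.17.0", "Severity": "MEDIUM"}]},
    ]})

# Triage decisions keyed by advisory ID, worded as the maintainer stated them.
NOT_AFFECTED = {
    "GHSA-7g45-4rm6-3mm3": "FileBackedOutputStream is not used",
    "GHSA-5mg8-w23w-74h3": "FileBackedOutputStream is not used",
}

def triage(report_json, not_affected):
    """Flatten every finding and mark it 'not_affected' or 'open'."""
    findings = []
    for result in json.loads(report_json).get("Results", []):
        # Trivy emits null (not []) for targets without vulnerabilities.
        for v in result.get("Vulnerabilities") or []:
            vid = v["VulnerabilityID"]
            findings.append({
                "id": vid, "target": result["Target"], "pkg": v["PkgName"],
                "installed": v["InstalledVersion"], "fixed": v.get("FixedVersion", ""),
                "status": "not_affected" if vid in not_affected else "open",
                "justification": not_affected.get(vid, ""),
            })
    return findings

def open_findings(findings):
    """Only the findings that still need a fix or a documented decision."""
    return [f for f in findings if f["status"] == "open"]

if __name__ == "__main__":
    for f in open_findings(triage(SAMPLE_REPORT, NOT_AFFECTED)):
        print(f"{f['id']} {f['pkg']} {f['installed']} -> {f['fixed']} in {f['target']}")
```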