yuzutech / kroki

Creates diagrams from textual descriptions!
https://kroki.io
MIT License

Security vulnerabilities according to the NATIONAL VULNERABILITY DATABASE (NVD) High, #1721

Open mardygalimov opened 3 months ago

mardygalimov commented 3 months ago

Good afternoon! Please consider eliminating vulnerabilities in Docker image builds:

- yuzutech/kroki:0.24.1 - CVE-2023-2976
- yuzutech/kroki-excalidraw:0.24.1 - CVE-2023-37466 vm2, CVE-2023-37903 vm2, CVE-2022-4055 xdg-utils, CVE-2020-27748 xdg-utils
- yuzutech/kroki-mermaid:0.24.1 - CVE-2023-37466 vm2, CVE-2023-37903 vm2, CVE-2022-4055 xdg-utils, CVE-2020-27748 xdg-utils
- yuzutech/kroki-bpmn:0.24.1 - CVE-2023-37466 vm2, CVE-2023-37903 vm2, CVE-2022-4055 xdg-utils, CVE-2020-27748 xdg-utils
- yuzutech/kroki-blockdiag:0.21.3 - CVE-2023-30861 Flask, CVE-2022-42898 krb5-libs, CVE-2022-1304 libcom_err, CVE-2022-4450 libcrypto1.1, CVE-2023-0215, CVE-2023-0286 libcrypto1.1, CVE-2023-0464 libcrypto1.1, CVE-2022-4450 libssl1.1, CVE-2023-0215 libssl1.1, CVE-2023-0286 libssl1.1, CVE-2023-0464 libssl1.1, CVE-2023-29491 ncurses-libs, CVE-2023-29491 ncurses-terminfo-base

Best regards, Roman Mardygalimov

ggrossetie commented 3 months ago

You shouldn't use yuzutech/kroki-blockdiag:0.21.3, it's integrated in the base image since https://github.com/yuzutech/kroki/releases/tag/v0.22.0. I believe that most of them are already fixed by: https://github.com/yuzutech/kroki/commit/2f5eb80de0266cf9e045cb82eee81d14e8da9475