Addressing a lot of security vulnerabilities in the Cadence release v1.2.8 #5913
There are still a lot of security vulnerabilities in Cadence.

Scan results for: image ubercadence/server:v1.2.9 sha256:91d5b52428fe2cc5bc18e940c0b73f6a758fa38790c1b62a7f7499d41084e716
Vulnerabilities

| CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS | PUBLISHED | DISCOVERED | DESCRIPTION |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-5397 | high | 8.80 | github.com/apache/thrift | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.10.0 (> 9 months ago) | > 6 years | < 1 hour | The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affec... |
| CVE-2019-0210 | high | 7.50 | github.com/apache/thrift/lib/go/thrift | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.13.0 (> 4 years ago) | > 4 years | < 1 hour | In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data. |
| CVE-2023-6992 | medium | 5.50 | zlib | 1.2.13-r1 | | > 4 months | < 1 hour | Cloudflare version of zlib library was found to be vulnerable to memory corruption issues affecting the deflation algorithm implementation (deflate.c)... |
| CVE-2023-42366 | medium | 5.50 | busybox | 1.36.1-r5 | fixed in 1.36.1-r6 (1 days ago) | > 5 months | < 1 hour | A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159. |
| CVE-2023-42366 | medium | 5.50 | busybox | 1.36.1 | | > 5 months | < 1 hour | A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159. |
| CVE-2023-42365 | medium | 5.50 | busybox | 1.36.1 | | > 5 months | < 1 hour | A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function. |
| CVE-2023-42364 | medium | 5.50 | busybox | 1.36.1 | | > 5 months | < 1 hour | A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate funct... |
| CVE-2023-42363 | medium | 5.50 | busybox | 1.36.1 | | > 5 months | < 1 hour | A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1. |
| CVE-2024-24786 | moderate | 0.00 | google.golang.org/protobuf/internal/encoding/json | v1.31.0 | fixed in 1.33.0 (75 days ago) | 75 days | < 1 hour | The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshalin... |
| CVE-2024-24786 | moderate | 0.00 | google.golang.org/protobuf/encoding/protojson | v1.31.0 | fixed in 1.33.0 (75 days ago) | 75 days | < 1 hour | The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshalin... |
| CVE-2023-45288 | moderate | 0.00 | golang.org/x/net/http2 | v0.19.0 | fixed in 0.23.0 (45 days ago) | 45 days | < 1 hour | An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining H... |
| CVE-2024-2511 | low | 0.00 | openssl | 3.1.4-r5 | fixed in 3.1.4-r6 (40 days ago) | 41 days | < 1 hour | Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions Impact summary: An attac... |

Vulnerabilities found for image ubercadence/server:v1.2.9: total - 12, critical - 0, high - 2, medium - 9, low - 1

Vulnerability threshold check results: PASS

Compliance Issues

| SEVERITY | DESCRIPTION |
|---|---|
| high | (CIS_Docker_v1.5.0 - 4.1) Image should be created with a non-root user |
| high | Private keys stored in image |

Compliance found for image ubercadence/server:v1.2.9: total - 2, critical - 0, high - 2, medium - 0, low - 0

Compliance threshold check results: PASS
Version of Cadence server, and client(which language)
This is very important to root cause bugs.
v1.2.8
Describe the bug
There are a lot of CVEs found from the latest Cadence image:
ubercadence/server:v1.2.8
To Reproduce
Is the issue reproducible?
Steps to reproduce the behavior:
ubercadence/server:v1.2.8 from Dockerhub
Expected behavior
A clear and concise description of what you expected to happen.
Screenshots
Scan results:
Additional context
Add any other context about the problem here, e.g. stacktrace, workflow history.