
Latest postgres image tag postgres:17.2-alpine3.20 is having a lot of high CVEs #1295

Closed
AbhishekRatnawat opened this issue Dec 3, 2024 · 1 comment

Comments

@AbhishekRatnawat

Any plan to fix these CVEs coming from the gosu package?

```text
$ docker scout cves postgres:17.2-alpine3.20
    i New version 1.15.1 available (installed version is 1.5.0) at https://github.com/docker/scout-cli
    ✓ SBOM of image already cached, 66 packages indexed
    ✗ Detected 1 vulnerable package with 56 vulnerabilities


## Overview

                    │           Analyzed Image
────────────────────┼─────────────────────────────────────
  Target            │  postgres:17.2-alpine3.20
    digest          │  03844845c1d8
    platform        │ linux/arm64/v8
    vulnerabilities │    3C    35H    16M     1L     1?
    size            │ 111 MB
    packages        │ 66


## Packages and Vulnerabilities

   3C    35H    16M     1L     1?  stdlib 1.18.2
pkg:golang/[email protected]

    ✗ CRITICAL CVE-2024-24790
      https://scout.docker.com/v/CVE-2024-24790
      Affected range : <1.21.11
      Fixed version  : 1.21.11

    ✗ CRITICAL CVE-2023-24540
      https://scout.docker.com/v/CVE-2023-24540
      Affected range : <1.19.9
      Fixed version  : 1.19.9

    ✗ CRITICAL CVE-2023-24538
      https://scout.docker.com/v/CVE-2023-24538
      Affected range : <1.19.8
      Fixed version  : 1.19.8

    ✗ HIGH CVE-2023-29403
      https://scout.docker.com/v/CVE-2023-29403
      Affected range : <1.19.10
      Fixed version  : 1.19.10

    ✗ HIGH CVE-2022-30580
      https://scout.docker.com/v/CVE-2022-30580
      Affected range : >=1.18.0-0
                     : <1.18.3
      Fixed version  : 1.18.3

    ✗ HIGH CVE-2024-34158
      https://scout.docker.com/v/CVE-2024-34158
      Affected range : <1.22.7
      Fixed version  : 1.22.7

    ✗ HIGH CVE-2024-34156
      https://scout.docker.com/v/CVE-2024-34156
      Affected range : <1.22.7
      Fixed version  : 1.22.7

    ✗ HIGH CVE-2024-24791
      https://scout.docker.com/v/CVE-2024-24791
      Affected range : <1.21.12
      Fixed version  : 1.21.12

    ✗ HIGH CVE-2024-24784
      https://scout.docker.com/v/CVE-2024-24784
      Affected range : <1.21.8
      Fixed version  : 1.21.8

    ✗ HIGH CVE-2023-45288
      https://scout.docker.com/v/CVE-2023-45288
      Affected range : <1.21.9
      Fixed version  : 1.21.9

    ✗ HIGH CVE-2023-45287
      https://scout.docker.com/v/CVE-2023-45287
      Affected range : <1.20.0
      Fixed version  : 1.20.0

    ✗ HIGH CVE-2023-45283
      https://scout.docker.com/v/CVE-2023-45283
      Affected range : <1.20.11
      Fixed version  : 1.20.11

    ✗ HIGH CVE-2023-44487
      https://scout.docker.com/v/CVE-2023-44487
      Affected range : <1.20.10
      Fixed version  : 1.20.10

    ✗ HIGH CVE-2023-39325
      https://scout.docker.com/v/CVE-2023-39325
      Affected range : <1.20.10
      Fixed version  : 1.20.10

    ✗ HIGH CVE-2023-24537
      https://scout.docker.com/v/CVE-2023-24537
      Affected range : <1.19.8
      Fixed version  : 1.19.8

    ✗ HIGH CVE-2023-24536
      https://scout.docker.com/v/CVE-2023-24536
      Affected range : <1.19.8
      Fixed version  : 1.19.8

    ✗ HIGH CVE-2023-24534
      https://scout.docker.com/v/CVE-2023-24534
      Affected range : <1.19.8
      Fixed version  : 1.19.8

    ✗ HIGH CVE-2022-41725
      https://scout.docker.com/v/CVE-2022-41725
      Affected range : <1.19.6
      Fixed version  : 1.19.6

    ✗ HIGH CVE-2022-41724
      https://scout.docker.com/v/CVE-2022-41724
      Affected range : <1.19.6
      Fixed version  : 1.19.6

    ✗ HIGH CVE-2022-41723
      https://scout.docker.com/v/CVE-2022-41723
      Affected range : <1.19.6
      Fixed version  : 1.19.6

    ✗ HIGH CVE-2022-41722
      https://scout.docker.com/v/CVE-2022-41722
      Affected range : <1.19.6
      Fixed version  : 1.19.6

    ✗ HIGH CVE-2022-41720
      https://scout.docker.com/v/CVE-2022-41720
      Affected range : <1.18.9
      Fixed version  : 1.18.9

    ✗ HIGH CVE-2022-41716
      https://scout.docker.com/v/CVE-2022-41716
      Affected range : <1.18.8
      Fixed version  : 1.18.8

    ✗ HIGH CVE-2022-41715
      https://scout.docker.com/v/CVE-2022-41715
      Affected range : <1.18.7
      Fixed version  : 1.18.7

    ✗ HIGH CVE-2022-32189
      https://scout.docker.com/v/CVE-2022-32189
      Affected range : >=1.18.0-0
                     : <1.18.5
      Fixed version  : 1.18.5

    ✗ HIGH CVE-2022-30635
      https://scout.docker.com/v/CVE-2022-30635
      Affected range : >=1.18.0-0
                     : <1.18.4
      Fixed version  : 1.18.4

    ✗ HIGH CVE-2022-30634
      https://scout.docker.com/v/CVE-2022-30634
      Affected range : >=1.18.0-0
                     : <1.18.3
      Fixed version  : 1.18.3

    ✗ HIGH CVE-2022-30633
      https://scout.docker.com/v/CVE-2022-30633
      Affected range : >=1.18.0-0
                     : <1.18.4
      Fixed version  : 1.18.4

    ✗ HIGH CVE-2022-30632
      https://scout.docker.com/v/CVE-2022-30632
      Affected range : >=1.18.0-0
                     : <1.18.4
      Fixed version  : 1.18.4

    ✗ HIGH CVE-2022-30631
      https://scout.docker.com/v/CVE-2022-30631
      Affected range : >=1.18.0-0
                     : <1.18.4
      Fixed version  : 1.18.4

    ✗ HIGH CVE-2022-30630
      https://scout.docker.com/v/CVE-2022-30630
      Affected range : >=1.18.0-0
                     : <1.18.4
      Fixed version  : 1.18.4

    ✗ HIGH CVE-2022-29804
      https://scout.docker.com/v/CVE-2022-29804
      Affected range : >=1.18.0-0
                     : <1.18.3
      Fixed version  : 1.18.3

    ✗ HIGH CVE-2022-2880
      https://scout.docker.com/v/CVE-2022-2880
      Affected range : <1.18.7
      Fixed version  : 1.18.7

    ✗ HIGH CVE-2022-2879
      https://scout.docker.com/v/CVE-2022-2879
      Affected range : <1.18.7
      Fixed version  : 1.18.7

    ✗ HIGH CVE-2022-28131
      https://scout.docker.com/v/CVE-2022-28131
      Affected range : >=1.18.0-0
                     : <1.18.4
      Fixed version  : 1.18.4

    ✗ HIGH CVE-2022-27664
      https://scout.docker.com/v/CVE-2022-27664
      Affected range : <1.18.6
      Fixed version  : 1.18.6

    ✗ HIGH CVE-2023-29400
      https://scout.docker.com/v/CVE-2023-29400
      Affected range : <1.19.9
      Fixed version  : 1.19.9

    ✗ HIGH CVE-2023-24539
      https://scout.docker.com/v/CVE-2023-24539
      Affected range : <1.19.9
      Fixed version  : 1.19.9

    ✗ MEDIUM CVE-2023-45290
      https://scout.docker.com/v/CVE-2023-45290
      Affected range : <1.21.8
      Fixed version  : 1.21.8

    ✗ MEDIUM CVE-2023-29406
      https://scout.docker.com/v/CVE-2023-29406
      Affected range : <1.19.11
      Fixed version  : 1.19.11

    ✗ MEDIUM CVE-2022-32148
      https://scout.docker.com/v/CVE-2022-32148
      Affected range : >=1.18.0-0
                     : <1.18.4
      Fixed version  : 1.18.4

    ✗ MEDIUM CVE-2022-1705
      https://scout.docker.com/v/CVE-2022-1705
      Affected range : >=1.18.0-0
                     : <1.18.4
      Fixed version  : 1.18.4

    ✗ MEDIUM CVE-2023-39319
      https://scout.docker.com/v/CVE-2023-39319
      Affected range : <1.20.8
      Fixed version  : 1.20.8

    ✗ MEDIUM CVE-2023-39318
      https://scout.docker.com/v/CVE-2023-39318
      Affected range : <1.20.8
      Fixed version  : 1.20.8

    ✗ MEDIUM CVE-2024-24783
      https://scout.docker.com/v/CVE-2024-24783
      Affected range : <1.21.8
      Fixed version  : 1.21.8

    ✗ MEDIUM CVE-2024-24789
      https://scout.docker.com/v/CVE-2024-24789
      Affected range : <1.21.11
      Fixed version  : 1.21.11

    ✗ MEDIUM CVE-2022-1962
      https://scout.docker.com/v/CVE-2022-1962
      Affected range : >=1.18.0-0
                     : <1.18.4
      Fixed version  : 1.18.4

    ✗ MEDIUM CVE-2023-45284
      https://scout.docker.com/v/CVE-2023-45284
      Affected range : <1.20.11
      Fixed version  : 1.20.11

    ✗ MEDIUM CVE-2023-39326
      https://scout.docker.com/v/CVE-2023-39326
      Affected range : <1.20.12
      Fixed version  : 1.20.12

    ✗ MEDIUM CVE-2023-29409
      https://scout.docker.com/v/CVE-2023-29409
      Affected range : <1.19.12
      Fixed version  : 1.19.12

    ✗ MEDIUM CVE-2023-24532
      https://scout.docker.com/v/CVE-2023-24532
      Affected range : <1.19.7
      Fixed version  : 1.19.7

    ✗ MEDIUM CVE-2022-41717
      https://scout.docker.com/v/CVE-2022-41717
      Affected range : <1.18.9
      Fixed version  : 1.18.9

    ✗ MEDIUM CVE-2024-34155
      https://scout.docker.com/v/CVE-2024-34155
      Affected range : <1.22.7
      Fixed version  : 1.22.7

    ✗ MEDIUM CVE-2023-45289
      https://scout.docker.com/v/CVE-2023-45289
      Affected range : <1.21.8
      Fixed version  : 1.21.8

    ✗ LOW CVE-2022-30629
      https://scout.docker.com/v/CVE-2022-30629
      Affected range : >=1.18.0-0
                     : <1.18.3
      Fixed version  : 1.18.3

    ✗ UNSPECIFIED CVE-2024-24785
      https://scout.docker.com/v/CVE-2024-24785
      Affected range : <1.21.8
      Fixed version  : 1.21.8



56 vulnerabilities found in 1 package
  UNSPECIFIED  1
  LOW          1
  MEDIUM       16
  HIGH         35
  CRITICAL     3


What's Next?
  View base image update recommendations → docker scout recommendations postgres:17.2-alpine3.20
```
@yosifkit
Member

yosifkit commented Dec 3, 2024

#1292 (comment):

Duplicate of #1271

See especially #1271 (comment), https://github.com/tianon/gosu/blob/4233b796eeb3ba76c8597a46d89eab1f116188e2/SECURITY.md, and https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves

To be explicitly clear, there are no "vulnerabilities" in gosu -- there is a collection of naive "security scanners" which posit that there could be, based on the version numbers of libraries the actual built binary does not even include. The purpose of the Go-upstream maintained govulncheck tool is to provide these tools (and end users) with accurate information about which of the CVEs that could apply actually apply (which, for gosu, as of my re-testing just now, only reports GO-2023-1840, and per https://github.com/tianon/gosu/blob/052c5c2b186b84c4d9a41ed4f327490ef8d746fe/govulncheck-with-excludes.sh#L9-L13 this is already mitigated in gosu itself, so it is a true false positive as gosu is not "vulnerable" to it).

Duplicate of #1271 Duplicate of #1292
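The distinction the maintainer draws above (a version-range match versus an actual, reachable vulnerability) is easy to see by reproducing what the naive side does. The following is an added example written for this thread; it is not code from docker scout, gosu, govulncheck or the postgres image. It parses a constructed excerpt in the text format of the `docker scout cves` output above, fires a finding purely because the reported `stdlib` version falls inside the affected range (which is all a version-only scanner can do), and then applies a human-vetted exclusion list on top, in the spirit of the excludes script linked in the comment. It performs no reachability analysis; that is the part only govulncheck provides.

```python
"""Version-range matching, as a naive SBOM scanner does it, plus a vetted exclusion list.

Added example for this issue, not code from docker scout, gosu or govulncheck.
The excerpt below is constructed from the scan output shown in the thread.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt in the `docker scout cves` text format (ids and ranges from the issue).
SCOUT_EXCERPT = """\
    ✗ CRITICAL CVE-2024-24790
      https://scout.docker.com/v/CVE-2024-24790
      Affected range : <1.21.11
      Fixed version  : 1.21.11

    ✗ HIGH CVE-2022-30580
      https://scout.docker.com/v/CVE-2022-30580
      Affected range : >=1.18.0-0
                     : <1.18.3
      Fixed version  : 1.18.3

    ✗ MEDIUM CVE-2024-34155
      https://scout.docker.com/v/CVE-2024-34155
      Affected range : <1.22.7
      Fixed version  : 1.22.7

    ✗ LOW CVE-2022-30629
      https://scout.docker.com/v/CVE-2022-30629
      Affected range : >=1.18.0-0
                     : <1.18.3
      Fixed version  : 1.18.3
"""


@dataclass
class Finding:
    severity: str
    cve: str
    constraints: list = field(default_factory=list)  # e.g. [">=1.18.0-0", "<1.18.3"]
    fixed: str = ""


def parse_version(text):
    """'1.18.0-0' -> (1, 18, 0); a '-suffix' pre-release tag is dropped before comparing."""
    core = text.strip().split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}


def constraint_holds(constraint, version):
    """Evaluate one range clause such as '<1.21.11' against a version string."""
    match = re.fullmatch(r"(<=|>=|<|>|=)\s*(\S+)", constraint.strip())
    if not match:
        raise ValueError(f"unrecognised range clause: {constraint!r}")
    op, bound = match.groups()
    return _OPS[op](parse_version(version), parse_version(bound))


def parse_scout(text):
    """Parse the per-finding blocks of the scout text output into Finding records."""
    findings = []
    for line in text.splitlines():
        head = re.match(r"\s*✗\s+(\w+)\s+(CVE-\d+-\d+)", line)
        if head:
            findings.append(Finding(head.group(1), head.group(2)))
            continue
        if not findings:
            continue  # preamble before the first finding
        # "Affected range : X" opens the range; a bare ": Y" line continues it.
        rng = re.match(r"\s*Affected range\s*:\s*(\S+)", line) or re.match(r"\s*:\s*(\S+)", line)
        if rng:
            findings[-1].constraints.append(rng.group(1))
            continue
        fixed = re.match(r"\s*Fixed version\s*:\s*(\S+)", line)
        if fixed:
            findings[-1].fixed = fixed.group(1)
    return findings


def range_fires(finding, version):
    """A version-only scanner fires when every clause of the affected range holds."""
    return all(constraint_holds(c, version) for c in finding.constraints)


def naive_scan(text, stdlib_version):
    """Findings a version-only scanner reports for a binary built with stdlib_version."""
    return [f for f in parse_scout(text) if range_fires(f, stdlib_version)]


def apply_exclusions(findings, vetted_exclusions):
    """Drop findings a maintainer has reviewed and documented as not applicable."""
    return [f for f in findings if f.cve not in vetted_exclusions]


def severity_counts(findings):
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for version in ("1.18.2", "1.18.3", "1.22.7"):
        hits = naive_scan(SCOUT_EXCERPT, version)
        print(version, [h.cve for h in hits], severity_counts(hits))
```

Run against `1.18.2`, the version the SBOM recorded for gosu, every excerpted finding fires; bump the version and findings drop out purely on the range arithmetic, with no regard to whether the affected package or function is linked into the binary at all. That is the whole basis of the 56-count above. Closing the gap needs the other kind of check: govulncheck's `-mode=binary` on the extracted gosu binary reports only what is actually reachable, and any remaining item a maintainer has reviewed belongs in a documented exclusion list rather than in a ticket.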
