
Security Vulnerabilities: Both 15 and 16 Images have critical and high Vulnerabilities #982

Open
gowthamvetriselvan opened this issue Mar 7, 2024 · 1 comment


gowthamvetriselvan commented Mar 7, 2024

Hi Team,

The recent Docker images of Spilo have critical and high vulnerabilities:

  • ghcr.io/zalando/spilo-15:3.2-p1

  • ghcr.io/zalando/spilo-16:3.2-p2

| CVE ID | Severity | Package | Current version | Fix version | Namespace | Status | Introduced in layer | File path |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-37920 | Critical | certifi | 2020.6.20 | 2023.07.22 | python | VULNERABLE | `RUN \|10 DEMO=false ADDITIONAL_LOCALES= PGVERSION=16 TIMESCALEDB=2.3.1 2.11.2 2.14.2 TIMESCALEDB_APACHE_ONLY=true TIMESCALEDB_TOOLKIT=true COMPRESS=false PGOLDVERSIONS=11 12 13 14 15 WITH_PERL=false DEB_PG_SUPPORTED_VERSIONS=11 12 13 14 15 16 bash /builddeps/patroni_wale.sh # buildkit` | usr/lib/python3/dist-packages/certifi-2020.6.20.egg-info/PKG-INFO |
| CVE-2023-4807 | High | cryptography | 3.4.8 | 41.0.4 | python | VULNERABLE | `RUN \|10 DEMO=false ADDITIONAL_LOCALES= PGVERSION=16 TIMESCALEDB=2.3.1 2.11.2 2.14.2 TIMESCALEDB_APACHE_ONLY=true TIMESCALEDB_TOOLKIT=true COMPRESS=false PGOLDVERSIONS=11 12 13 14 15 WITH_PERL=false DEB_PG_SUPPORTED_VERSIONS=11 12 13 14 15 16 bash /builddeps/patroni_wale.sh # buildkit` | usr/lib/python3/dist-packages/cryptography-3.4.8.egg-info/PKG-INFO |
| CVE-2023-43804 | High | urllib3 | 1.26.5 | 1.26.17 | python | VULNERABLE | `RUN \|10 DEMO=false ADDITIONAL_LOCALES= PGVERSION=16 TIMESCALEDB=2.3.1 2.11.2 2.14.2 TIMESCALEDB_APACHE_ONLY=true TIMESCALEDB_TOOLKIT=true COMPRESS=false PGOLDVERSIONS=11 12 13 14 15 WITH_PERL=false DEB_PG_SUPPORTED_VERSIONS=11 12 13 14 15 16 bash /builddeps/patroni_wale.sh # buildkit` | usr/lib/python3/dist-packages/urllib3-1.26.5.egg-info/PKG-INFO |
| CVE-2018-1000047 | High | ply | 3.11 | | python | VULNERABLE | `RUN \|10 DEMO=false ADDITIONAL_LOCALES= PGVERSION=16 TIMESCALEDB=2.3.1 2.11.2 2.14.2 TIMESCALEDB_APACHE_ONLY=true TIMESCALEDB_TOOLKIT=true COMPRESS=false PGOLDVERSIONS=11 12 13 14 15 WITH_PERL=false DEB_PG_SUPPORTED_VERSIONS=11 12 13 14 15 16 bash /builddeps/patroni_wale.sh # buildkit` | usr/lib/python3/dist-packages/ply-3.11.egg-info/PKG-INFO |
| CVE-2023-39325 | High | google.golang.org/grpc | v1.31.0 | 1.58.3 | go | VULNERABLE | `COPY /builddeps/wal-g /usr/local/bin/ # buildkit` | usr/local/bin/wal-g |
| CVE-2023-44487 | High | google.golang.org/grpc | v1.31.0 | 1.58.3 | go | VULNERABLE | `COPY /builddeps/wal-g /usr/local/bin/ # buildkit` | usr/local/bin/wal-g |
| CVE-2023-6596 | High | google.golang.org/grpc | v1.31.0 | 1.58.3 | go | VULNERABLE | `COPY /builddeps/wal-g /usr/local/bin/ # buildkit` | usr/local/bin/wal-g |
| CVE-2020-26160 | High | github.com/dgrijalva/jwt-go | v3.2.0+incompatible | | go | VULNERABLE | `COPY /builddeps/wal-g /usr/local/bin/ # buildkit` | usr/local/bin/wal-g |
| CVE-2022-32149 | High | golang.org/x/text | v0.3.7 | 0.3.8 | go | VULNERABLE | `COPY /builddeps/wal-g /usr/local/bin/ # buildkit` | usr/local/bin/wal-g |
| CVE-2023-50782 | High | cryptography | 3.4.8 | | python | VULNERABLE | `RUN \|10 DEMO=false ADDITIONAL_LOCALES= PGVERSION=16 TIMESCALEDB=2.3.1 2.11.2 2.14.2 TIMESCALEDB_APACHE_ONLY=true TIMESCALEDB_TOOLKIT=true COMPRESS=false PGOLDVERSIONS=11 12 13 14 15 WITH_PERL=false DEB_PG_SUPPORTED_VERSIONS=11 12 13 14 15 16 bash /builddeps/patroni_wale.sh # buildkit` | usr/lib/python3/dist-packages/cryptography-3.4.8.egg-info/PKG-INFO |
| CVE-2023-49083 | High | cryptography | 3.4.8 | 41.0.6 | python | VULNERABLE | `RUN \|10 DEMO=false ADDITIONAL_LOCALES= PGVERSION=16 TIMESCALEDB=2.3.1 2.11.2 2.14.2 TIMESCALEDB_APACHE_ONLY=true TIMESCALEDB_TOOLKIT=true COMPRESS=false PGOLDVERSIONS=11 12 13 14 15 WITH_PERL=false DEB_PG_SUPPORTED_VERSIONS=11 12 13 14 15 16 bash /builddeps/patroni_wale.sh # buildkit` | usr/lib/python3/dist-packages/cryptography-3.4.8.egg-info/PKG-INFO |
| CVE-2022-29217 | High | pyjwt | 2.3.0 | 2.4.0 | python | VULNERABLE | `RUN \|10 DEMO=false ADDITIONAL_LOCALES= PGVERSION=16 TIMESCALEDB=2.3.1 2.11.2 2.14.2 TIMESCALEDB_APACHE_ONLY=true TIMESCALEDB_TOOLKIT=true COMPRESS=false PGOLDVERSIONS=11 12 13 14 15 WITH_PERL=false DEB_PG_SUPPORTED_VERSIONS=11 12 13 14 15 16 bash /builddeps/patroni_wale.sh # buildkit` | usr/lib/python3/dist-packages/PyJWT-2.3.0.egg-info/PKG-INFO |

Do we know when this can be addressed, or can you provide any workaround for overcoming these vulnerabilities? With these vulnerabilities it looks like it is easy to break the Postgres DB.


Jan-M commented Mar 13, 2024

How do you reach the conclusion that from any of those CVEs it is easy to break the Postgres database cluster run via Spilo container?
