openrouteservice
3 high CVEs when scanning docker container on AWS
Here's what I did
I created a docker container from the latest master
Here's what I got
After uploading the container to AWS and scanning it for vulnerabilities, I get these:
https://security-tracker.debian.org/tracker/CVE-2021-33574 https://security-tracker.debian.org/tracker/CVE-2020-26159 https://security-tracker.debian.org/tracker/CVE-2021-29921
with high severity and 9 more medium ones
Got even more with the latest master
https://security-tracker.debian.org/tracker/CVE-2022-22824 expat:2.2.10-2 HIGH defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
https://security-tracker.debian.org/tracker/CVE-2022-23990 expat:2.2.10-2 HIGH Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.
https://security-tracker.debian.org/tracker/CVE-2022-22823 expat:2.2.10-2 HIGH build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
https://security-tracker.debian.org/tracker/CVE-2022-22822 expat:2.2.10-2 HIGH addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
https://security-tracker.debian.org/tracker/CVE-2022-23852 expat:2.2.10-2 HIGH Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.
https://security-tracker.debian.org/tracker/CVE-2022-23218 glibc:2.31-13+deb11u2 HIGH The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.
https://security-tracker.debian.org/tracker/CVE-2022-23219 glibc:2.31-13+deb11u2 HIGH The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.
https://security-tracker.debian.org/tracker/CVE-2021-33574 glibc:2.31-13+deb11u2 HIGH The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.
https://security-tracker.debian.org/tracker/CVE-2021-29921 python3.9:3.9.2-1 HIGH In Python before 3.9.5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.
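As an added example (not code from this issue or from the openrouteservice project), a small triage script that parses scanner lines in the shape pasted above, including the `|`-separated variant, and collapses the findings into one upgrade action per package and version, which is how a list of nine HIGH findings turns into three package upgrades. The sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the same shape as the scanner output pasted in the issue
# (URL, package:version, severity, description), with one '|'-separated line.
SAMPLE_FINDINGS = """\
https://security-tracker.debian.org/tracker/CVE-2022-22824 expat:2.2.10-2 HIGH defineAttribute in xmlparse.c in Expat before 2.4.3 has an integer overflow.
https://security-tracker.debian.org/tracker/CVE-2022-23218 glibc:2.31-13+deb11u2 HIGH svcunix_create in the sunrpc module copies its path argument on the stack without validating its length.
https://security-tracker.debian.org/tracker/CVE-2021-33574 glibc:2.31-13+deb11u2 HIGH The mq_notify function in glibc versions 2.32 and 2.33 has a use-after-free.
https://security-tracker.debian.org/tracker/CVE-2021-29921 python3.9:3.9.2-1 | HIGH | In Python before 3.9.5, the ipaddress library mishandles leading zero characters.
"""

# One regex for both layouts: optional '|' separators around the severity field.
LINE_RE = re.compile(
    r"^(?P<url>https?://\S+/(?P<cve>CVE-\d{4}-\d+))\s+"
    r"(?P<pkg>[^:\s]+):(?P<ver>\S+)\s*\|?\s*"
    r"(?P<sev>CRITICAL|HIGH|MEDIUM|LOW|UNKNOWN)\s*\|?\s*"
    r"(?P<desc>.*)$"
)


def parse_findings(text):
    """Parse scanner lines into dicts; an unrecognised line is an error, not silently dropped."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"unrecognised scanner line: {line!r}")
        findings.append(match.groupdict())
    return findings


def group_by_package(findings):
    """Map (package, installed version) -> list of CVE ids, in input order."""
    grouped = defaultdict(list)
    for finding in findings:
        grouped[(finding["pkg"], finding["ver"])].append(finding["cve"])
    return dict(grouped)


def count_by_severity(findings):
    """Severity histogram, e.g. {'HIGH': 4}."""
    counts = defaultdict(int)
    for finding in findings:
        counts[finding["sev"]] += 1
    return dict(counts)


def upgrade_actions(findings):
    """One remediation line per package: several CVEs usually collapse into a single upgrade."""
    return [f"{pkg} {ver}: {len(cves)} CVE(s) -> {', '.join(cves)}"
            for (pkg, ver), cves in sorted(group_by_package(findings).items())]
```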
@luckyhandler Thanks for reporting. https://security-tracker.debian.org/tracker/CVE-2021-29921 should be fixed in the new Dockerfile. It's based on alpine and doesn't contain unnecessary packages.
https://security-tracker.debian.org/tracker/CVE-2021-33574 should be fixed with the new Dockerfile.
https://security-tracker.debian.org/tracker/CVE-2020-26159 False alarm.
@luckyhandler Feel free to reopen this issue if the CVEs are still present for you.