
Docker scout false positive on jgroups@3.6.20

Open alexsuter opened this issue 1 year ago • 2 comments

Description

Docker scout treats jgroups@3.6.20 as vulnerable and reports that 4.0 has fixed the issue. But the CVE fix has been backported to 3.6.10, which is described in the CVE report in docker scout itself:

https://scout.docker.com/vulnerabilities/id/CVE-2016-2141/org/axonivy

JGroups before 4.0 does not require the proper headers for the ENCRYPT and AUTH protocols from nodes joining the cluster, which allows remote attackers to bypass security restrictions and send and receive messages within the cluster via unspecified vectors. Fixes for this issue have been backported to versions 3.6.10.Final and 3.2.16.Final.

Reproduce

Add jgroups 3.6.20 to the image and analyze it with docker scout.

Expected behavior

jgroups 3.6.20 should not be reported as vulnerable

docker version

not important

docker info

not important

Additional Info

No response

alexsuter avatar Dec 27 '23 18:12 alexsuter
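The false positive described in this issue comes from matching a version against a single "fixed in" boundary (4.0) while the advisory text says the fix was also backported to the 3.6.x and 3.2.x maintenance branches. The following is an added example, not code from this issue or from Docker Scout, showing a naive check beside a branch-aware one. The `Advisory` record is constructed from the CVE text quoted above (fixed in 3.2.16.Final, 3.6.10.Final and 4.0); version parsing is simplified (qualifiers such as `Final` are ignored), and the branch rule, "a backported fix only covers versions sharing its major.minor", is an assumption of this example, not Scout's matching logic.

```python
"""Branch-aware 'is this version affected?' check for advisories whose fix was
backported to older maintenance branches.

Constructed example: not Docker Scout's matching logic. Version comparison is a
deliberate simplification of Maven's ordering (qualifiers are dropped).
"""
from dataclasses import dataclass


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '3.6.10.Final' into (3, 6, 10). Parsing stops at the first
    non-numeric piece, so qualifiers like 'Final' or 'GA' are ignored."""
    parts: list[int] = []
    for piece in text.split("."):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    if not parts:
        raise ValueError(f"no numeric components in {text!r}")
    return tuple(parts)


def version_ge(a: tuple[int, ...], b: tuple[int, ...]) -> bool:
    """Compare two parsed versions with zero padding, so 4.0 == 4.0.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    fixed_versions: tuple[str, ...]  # every release that contains the fix


# Constructed from the CVE text quoted in the issue; "4.0" is the mainline fix,
# the other two are backports to maintenance branches.
CVE_2016_2141 = Advisory(
    advisory_id="CVE-2016-2141",
    fixed_versions=("3.2.16.Final", "3.6.10.Final", "4.0"),
)


def naive_is_affected(version: str, advisory: Advisory) -> bool:
    """The check that produces the false positive: compare only against the
    highest fixed version, so anything below 4.0 is flagged."""
    fixes = sorted(parse_version(f) for f in advisory.fixed_versions)
    return not version_ge(parse_version(version), fixes[-1])


def is_affected(version: str, advisory: Advisory) -> bool:
    """Branch-aware check (assumed rule, see lead-in):
    1. at or above the mainline fix -> not affected;
    2. otherwise, if a backported fix exists on the same major.minor branch and
       the version is at or above it -> not affected;
    3. otherwise -> affected (unpatched branch, or older than its branch fix)."""
    v = parse_version(version)
    fixes = sorted(parse_version(f) for f in advisory.fixed_versions)
    if version_ge(v, fixes[-1]):
        return False
    branch = v[:2]
    for fix in fixes:
        if fix[:2] == branch and version_ge(v, fix):
            return False
    return True


if __name__ == "__main__":
    for candidate in ("3.2.15", "3.2.16.Final", "3.5.0", "3.6.9", "3.6.20", "3.7.0", "4.0.0"):
        print(f"{candidate:>14}  naive={naive_is_affected(candidate, CVE_2016_2141)!s:5}"
              f"  branch-aware={is_affected(candidate, CVE_2016_2141)}")
```

Running the block prints one line per candidate version; `3.6.20` is flagged by the naive check and cleared by the branch-aware one, while `3.7.0` (a branch with no backport) stays flagged by both. The practical point for a scanner consumer is that an advisory with several fixed versions encodes branch information, and a matcher that collapses it to a single upper bound will over-report on every maintenance branch that received a backport.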