helm-charts
Vulnerabilities in bats and grafana image
Twistlock scan report on the bats image used in the grafana helm chart
Scan results for: image bats/bats:v1.4.1 sha256:01eeae09a3def513e3dc0307a9023f817c6cccc9f04c50b4cb043edac04b61ca

Vulnerabilities

| CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS | PUBLISHED | DISCOVERED | DESCRIPTION |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-3711 | critical | 9.80 | openssl | 1.1.1k-r0 | fixed in 1.1.1l-r0, > 7 months ago | > 7 months | < 1 hour | In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this... |
| CVE-2021-36159 | critical | 9.10 | apk-tools | 2.10.6-r0 | fixed in 2.10.7-r0, > 8 months ago | > 8 months | < 1 hour | libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive... |
| CVE-2021-39537 | high | 8.80 | ncurses | 6.2_p20200523-r0 | fixed in 6.2_p20200523-r1, > 6 months ago | > 6 months | < 1 hour | An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow. |
| CVE-2022-0778 | high | 7.50 | openssl | 1.1.1k-r0 | fixed in 1.1.1n-r0, 17 days ago | 17 days | < 1 hour | The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally th... |
| CVE-2018-25032 | high | 7.50 | zlib | 1.2.11-r3 | fixed in 1.2.12-r0, 7 days ago | 7 days | < 1 hour | zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. |
| CVE-2021-3712 | high | 7.40 | openssl | 1.1.1k-r0 | fixed in 1.1.1l-r0, > 7 months ago | > 7 months | < 1 hour | ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holdin... |
| CVE-2021-42386 | high | 7.20 | busybox | 1.31.1-r20 | fixed in 1.31.1-r21, > 4 months ago | > 4 months | < 1 hour | A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc ... |
| CVE-2021-42385 | high | 7.20 | busybox | 1.31.1-r20 | fixed in 1.31.1-r21, > 4 months ago | > 4 months | < 1 hour | A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate... |
| CVE-2021-42384 | high | 7.20 | busybox | 1.31.1-r20 | fixed in 1.31.1-r21, > 4 months ago | > 4 months | < 1 hour | A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_s... |
| CVE-2021-42383 | high | 7.20 | busybox | 1.31.1-r20 | fixed in 1.31.1-r21, > 4 months ago | > 4 months | < 1 hour | A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate... |
| CVE-2021-42382 | high | 7.20 | busybox | 1.31.1-r20 | fixed in 1.31.1-r21, > 4 months ago | > 4 months | < 1 hour | A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s... |
| CVE-2021-42381 | high | 7.20 | busybox | 1.31.1-r20 | fixed in 1.31.1-r21, > 4 months ago | > 4 months | < 1 hour | A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_ini... |
| CVE-2021-42380 | high | 7.20 | busybox | 1.31.1-r20 | fixed in 1.31.1-r21, > 4 months ago | > 4 months | < 1 hour | A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar f... |
| CVE-2021-42379 | high | 7.20 | busybox | 1.31.1-r20 | fixed in 1.31.1-r21, > 4 months ago | > 4 months | < 1 hour | A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_inp... |
| CVE-2021-42378 | high | 7.20 | busybox | 1.31.1-r20 | fixed in 1.31.1-r21, > 4 months ago | > 4 months | < 1 hour | A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i... |
| CVE-2021-4160 | medium | 5.90 | openssl | 1.1.1k-r0 | | 62 days | < 1 hour | There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default c... |
| CVE-2021-42374 | medium | 5.30 | busybox | 1.31.1-r20 | fixed in 1.31.1-r21, > 4 months ago | > 4 months | < 1 hour | An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompres... |

Vulnerabilities found for image bats/bats:v1.4.1: total - 17, critical - 2, high - 13, medium - 2, low - 0
Vulnerability threshold check results: PASS

Compliance Issues

| SEVERITY | DESCRIPTION |
|---|---|
| high | (CIS_Docker_v1.2.0 - 4.1) Image should be created with a non-root user |

Compliance found for image bats/bats:v1.4.1: total - 1, critical - 0, high - 1, medium - 0, low - 0
Compliance threshold check results: PASS
================================================
For the Grafana image
Scan results for: image grafana/grafana:8.4.2 sha256:523c8da1245d6fd64d72ea178dad0c254388a5c4c3f386a87c41457ee6706dfd

Vulnerabilities

| CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS | PUBLISHED | DISCOVERED | DESCRIPTION |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-27191 | high | 7.50 | go | 1.17.7 | fixed in 0.0.0, 14 days ago | 14 days | < 1 hour | golang.org/x/crypto/ssh before 0.0.0-20220314234659-1baeb1ce4c0b in Go through 1.16.15 and 1.17.x through 1.17.8 allows an attacker to crash a server ... |
| CVE-2022-24921 | high | 7.50 | go | 1.17.7 | fixed in 1.17.8, 1.16.15, 27 days ago | 27 days | < 1 hour | regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression. |
| CVE-2022-0778 | high | 7.50 | openssl | 1.1.1l-r7 | fixed in 1.1.1n-r0, 17 days ago | 17 days | < 1 hour | The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally th... |
| CVE-2022-0778 | high | 7.50 | libretls | 3.3.4-r2 | fixed in 3.3.4-r3, 17 days ago | 17 days | < 1 hour | The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally th... |
| CVE-2022-0778 | high | 7.50 | openssl | 1.1.1m-r2 | fixed in 1.1.1n-r0, 17 days ago | 17 days | < 1 hour | The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally th... |
| CVE-2018-25032 | high | 7.50 | zlib | 1.2.11-r3 | fixed in 1.2.12-r0, 7 days ago | 7 days | < 1 hour | zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. |
| CVE-2021-37750 | medium | 6.50 | krb5 | 1.19.2-r4 | fixed in 1.19.3-r0, > 7 months ago | > 7 months | < 1 hour | The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.5 and 1.19.x before 1.19.3 has a NULL pointer dereference in kdc/do_tgs_req... |
| CVE-2018-14042 | medium | 6.10 | bootstrap | 2.3.2 | fixed in 4.1.2, 3.4.0, 43 days ago | > 3 years | < 1 hour | In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. |
| CVE-2018-14040 | medium | 6.10 | bootstrap | 2.3.2 | fixed in 4.1.2, 3.4.0, 43 days ago | > 3 years | < 1 hour | In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. |
| CVE-2021-4160 | medium | 5.90 | openssl | 1.1.1l-r7 | | 62 days | < 1 hour | There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default c... |
| CVE-2018-20677 | moderate | 4.00 | bootstrap | 2.3.2 | fixed in 3.4.0, > 3 years ago | > 3 years | < 1 hour | In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property. |
| CVE-2018-20676 | moderate | 4.00 | bootstrap | 2.3.2 | fixed in 3.4.0, > 3 years ago | > 3 years | < 1 hour | In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute. |
| CVE-2018-14041 | moderate | 4.00 | bootstrap | 2.3.2 | fixed in 4.1.2, 3.4.0, > 3 years ago | > 3 years | < 1 hour | In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy. |

Vulnerabilities found for image grafana/grafana:8.4.2: total - 13, critical - 0, high - 6, medium - 7, low - 0
Vulnerability threshold check results: PASS

Compliance found for image grafana/grafana:8.4.2: total - 0, critical - 0, high - 0, medium - 0, low - 0
Compliance threshold check results: PASS
Please report this to: https://github.com/grafana/grafana/issues