tasking-manager
[BUG] docker images not building due to gevent CVE
Describe the bug

Docker image builds fail because the image scan is blocked by a CVE:
```
ghcr.io/hotosm/tasking-manager/backend:develop (debian 12.6)
============================================================
Total: 0 (CRITICAL: 0)

Python (python-pkg)
===================
Total: 1 (CRITICAL: 1)

┌───────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│      Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├───────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ gevent (METADATA) │ CVE-2023-41419 │ CRITICAL │ fixed  │ 22.10.2           │ 23.9.0        │ python-gevent: privilege escalation via a crafted script to │
│                   │                │          │        │                   │               │ the WSGIServer component                                    │
│                   │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-41419                  │
└───────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
```
Solution: update gevent to at least the fixed version shown above (23.9.0).
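The fix above is a pin bump, and the same check a scanner does can be run against the requirements file before the image is built. The following is an added example, not code from the tasking-manager project: it takes the gevent finding exactly as the table reports it (installed 22.10.2, fixed 23.9.0) and decides whether a requirements pin still allows the vulnerable range. The requirements file content is constructed for the example, the version comparison handles only numeric dotted versions (pre-release tags stop the parse), and `packaging.version` would be the full PEP 440 answer if a dependency were acceptable.

```python
"""Check requirements pins against a scanner finding's fixed version."""
import re
from typing import Dict, Optional, Tuple

# Finding copied from the trivy table in the issue.
FINDING = {
    "PkgName": "gevent",
    "VulnerabilityID": "CVE-2023-41419",
    "InstalledVersion": "22.10.2",
    "FixedVersion": "23.9.0",
    "Severity": "CRITICAL",
}

# Constructed sample requirements file (not the project's real file).
SAMPLE_REQUIREMENTS = """\
Flask==2.3.2
gevent==22.10.2   # pinned to the vulnerable release
gunicorn>=21.2.0
"""

# name, optional operator, optional version; anything fancier is skipped.
_LINE_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9_.\-]*)\s*(==|>=|~=)?\s*([0-9][0-9A-Za-z.]*)?$")


def parse_version(v: str) -> Tuple[int, ...]:
    """'23.9.0' -> (23, 9, 0). A non-numeric component ends the parse,
    so '1.2rc1' compares as (1, 2)."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
        if m.end() != len(piece):
            break
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True when a sorts before b; shorter versions are zero-padded so
    that '23.9' and '23.9.0' compare equal."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def parse_requirements(text: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Map normalized package name -> (operator, version). Comments, blank
    lines and lines outside the minimal grammar are ignored."""
    pins: Dict[str, Tuple[Optional[str], Optional[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        name, op, ver = m.groups()
        pins[name.lower().replace("_", "-")] = (op, ver)
    return pins


def check_finding(requirements_text: str, finding: dict) -> dict:
    """Report whether the pin for the affected package still admits the
    vulnerable range, and the minimal corrected pin if so."""
    pkg = finding["PkgName"].lower().replace("_", "-")
    fixed = finding["FixedVersion"]
    pins = parse_requirements(requirements_text)
    op, ver = pins.get(pkg, (None, None))
    if op is None or ver is None:
        # No pin at all: nothing stops a resolver from picking an old release.
        return {"package": pkg, "status": "unpinned", "suggested": f"{pkg}>={fixed}"}
    if version_lt(ver, fixed):
        # '==' below the fix installs the vulnerable release; '>=' or '~='
        # below the fix merely permits it. Both need the floor raised.
        return {"package": pkg, "status": "vulnerable",
                "current": f"{pkg}{op}{ver}", "suggested": f"{pkg}{op}{fixed}"}
    return {"package": pkg, "status": "ok",
            "current": f"{pkg}{op}{ver}", "suggested": f"{pkg}{op}{ver}"}


if __name__ == "__main__":
    result = check_finding(SAMPLE_REQUIREMENTS, FINDING)
    print(f"{FINDING['VulnerabilityID']} ({FINDING['Severity']}): {result}")
```

Running it against the constructed file reports `gevent==22.10.2` as vulnerable and suggests `gevent==23.9.0`; in a CI job the `vulnerable` or `unpinned` status would be the point to fail the build before the image is ever pushed to the registry.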
Expected behavior

Docker images should build successfully in the CI workflow.
Setting to High priority because builds are blocked, and the severity of the CVE is critical.