Address many security vulnerabilities in the latest Temporal UI release 2.26.1
Describe the bug
A quick scan with a security vulnerability scanner reports 17 CVEs for the latest Temporal UI image published on Docker Hub, temporalio/ui:2.26.1:
3 high CVEs:
- CVE-2023-5363
- CVE-2019-0190
- CVE-2023-44487
12 medium CVEs:
- CVE-2023-6129
- CVE-2023-46218
- CVE-2024-0727
- CVE-2023-6992
- CVE-2023-42366
- CVE-2023-42365
- CVE-2023-42364
- CVE-2023-42363
- CVE-2023-5678
- CVE-2023-46219
- CVE-2024-28180
- CVE-2023-45288
2 low CVEs:
- CVE-2024-2511
- CVE-2023-6237
Scan Results:
Scan results for: image temporalio/ui:2.26.1 sha256:a5462f3261819dc0576369bfe9201854e6cee6a8caf97d3bd355f531312c1c86
Vulnerabilities
| CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS | PUBLISHED | DISCOVERED | DESCRIPTION |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-5363 | high | 7.50 | openssl | 3.1.3-r0 | fixed in 3.1.4-r0, > 5 months ago | > 5 months | < 1 hour | Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or ov... |
| CVE-2019-0190 | high | 7.50 | openssl | 3.1.3-r0 | | > 5 years | < 1 hour | A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to en... |
| CVE-2023-44487 | high | 5.30 | golang.org/x/net | v0.10.0 | fixed in 0.17.0, > 6 months ago | > 6 months | < 1 hour | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited... |
| CVE-2023-6129 | medium | 6.50 | openssl | 3.1.3-r0 | fixed in 3.1.4-r3, > 3 months ago | > 3 months | < 1 hour | Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications runn... |
| CVE-2023-46218 | medium | 6.50 | curl | 8.4.0-r0 | fixed in 8.5.0-r0, > 4 months ago | > 4 months | < 1 hour | This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or ... |
| CVE-2024-0727 | medium | 5.50 | openssl | 3.1.3-r0 | fixed in 3.1.4-r5, 84 days ago | 83 days | < 1 hour | Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack Impact summar... |
| CVE-2023-6992 | medium | 5.50 | zlib | 1.2.13-r1 | | > 3 months | < 1 hour | Cloudflare version of zlib library was found to be vulnerable to memory corruption issues affecting the deflation algorithm implementation (deflate.c)... |
| CVE-2023-42366 | medium | 5.50 | busybox | 1.36.1 | | > 4 months | < 1 hour | A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159. |
| CVE-2023-42365 | medium | 5.50 | busybox | 1.36.1 | | > 4 months | < 1 hour | A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function. |
| CVE-2023-42364 | medium | 5.50 | busybox | 1.36.1 | | > 4 months | < 1 hour | A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate funct... |
| CVE-2023-42363 | medium | 5.50 | busybox | 1.36.1 | | > 4 months | < 1 hour | A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1. |
| CVE-2023-5678 | medium | 5.30 | openssl | 3.1.3-r0 | fixed in 3.1.4-r1, > 5 months ago | > 5 months | < 1 hour | Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. Impact summary: A... |
| CVE-2023-46219 | medium | 5.30 | curl | 8.4.0-r0 | fixed in 8.5.0-r0, > 4 months ago | > 4 months | < 1 hour | When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of... |
| CVE-2024-28180 | moderate | 0.00 | gopkg.in/square/go-jose.v2 | v2.6.0 | fixed in (version not listed), 34 days ago | 41 days | < 1 hour | Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containi... |
| CVE-2023-45288 | moderate | 0.00 | golang.org/x/net/http2 | v0.22.0 | fixed in 0.23.0, 14 days ago | 14 days | < 1 hour | An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining H... |
| CVE-2024-2511 | low | 0.00 | openssl | 3.1.3-r0 | fixed in 3.1.4-r6, 9 days ago | n/a | < 1 hour | Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions Impact summary: An attac... |
| CVE-2023-6237 | low | 0.00 | openssl | 3.1.3-r0 | fixed in 3.1.4-r4, > 3 months ago | > 3 months | < 1 hour | Excessive time spent checking invalid RSA public keys |
Vulnerabilities found for image temporalio/ui:2.26.1: total - 17, critical - 0, high - 3, medium - 12, low - 2
Vulnerability threshold check results: PASS
Compliance Issues
| SEVERITY | DESCRIPTION |
|---|---|
| high | (CIS_Docker_v1.5.0 - 4.1) Image should be created with a non-root user |
Compliance found for image temporalio/ui:2.26.1: total - 1, critical - 0, high - 1, medium - 0, low - 0
Compliance threshold check results: PASS
To Reproduce
- Pull the latest image temporalio/ui:2.26.1 from Docker Hub
- Scan the image with any vulnerability scanner
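The two reproduction steps above, turned into a small CI gate, as an added example that is not part of this report or of the Temporal UI project. Note that the scan output above prints "Vulnerability threshold check results: PASS" even though it lists 3 high CVEs, so whatever threshold that scanner was run with tolerates highs; the gate below instead fails on any critical or high finding, and also checks the CIS Docker 4.1 non-root finding from the compliance table. Assumptions: Trivy is used as the scanner (the report does not name one), `docker inspect` of `.Config.User` is how the non-root check is done, the live pull-and-scan only runs when `LIVE=1` is set and both tools are installed, and the summary line format parsed offline is the one printed in the report.

```shell
#!/bin/sh
# Added example; not code from the Temporal UI project or the report's author.
# Offline: parse the scanner's summary line and apply a strict gate.
# Live (LIVE=1, docker and trivy installed): pull, scan, and check the image user.

IMAGE="${IMAGE:-temporalio/ui:2.26.1}"

# Constructed samples: the two summary lines exactly as printed in the report above.
SAMPLE_VULN_SUMMARY='Vulnerabilities found for image temporalio/ui:2.26.1: total - 17, critical - 0, high - 3, medium - 12, low - 2'
SAMPLE_COMPLIANCE_SUMMARY='Compliance found for image temporalio/ui:2.26.1: total - 1, critical - 0, high - 1, medium - 0, low - 0'

# severity_count SEVERITY LINE -> prints the count for that severity, 0 if absent.
# Assumes the "<severity> - <n>" comma-separated format shown in the report.
severity_count() {
    _sev="$1"
    _line="$2"
    _n=$(printf '%s\n' "$_line" | sed -n "s/.*[ ,]$_sev - \([0-9][0-9]*\).*/\1/p")
    printf '%s\n' "${_n:-0}"
}

# gate LINE -> returns 0 only when critical and high are both zero.
# This is the stricter policy: the report's own threshold passed with high=3.
gate() {
    _crit=$(severity_count critical "$1")
    _high=$(severity_count high "$1")
    if [ "$_crit" -gt 0 ] || [ "$_high" -gt 0 ]; then
        echo "FAIL: critical=$_crit high=$_high" >&2
        return 1
    fi
    echo "PASS: critical=$_crit high=$_high"
    return 0
}

# runs_as_root IMAGE -> returns 0 when the image sets no USER, or sets root/0.
# Corresponds to the CIS Docker v1.5.0 4.1 finding in the compliance table. Needs docker.
runs_as_root() {
    _user=$(docker inspect --format '{{.Config.User}}' "$1")
    [ -z "$_user" ] || [ "$_user" = "root" ] || [ "$_user" = "0" ]
}

if [ "${LIVE:-0}" = 1 ] && command -v docker >/dev/null 2>&1 && command -v trivy >/dev/null 2>&1; then
    # Live reproduction of the report's steps with a hard failure on HIGH/CRITICAL.
    docker pull "$IMAGE"
    trivy image --severity HIGH,CRITICAL --exit-code 1 "$IMAGE"
    if runs_as_root "$IMAGE"; then
        echo "FAIL: $IMAGE runs as root (CIS Docker v1.5.0 - 4.1)" >&2
        exit 1
    fi
else
    # Offline: apply the strict gate to the report's summary line (prints FAIL).
    gate "$SAMPLE_VULN_SUMMARY" || true
    echo "compliance high findings: $(severity_count high "$SAMPLE_COMPLIANCE_SUMMARY")"
fi
```

Run it as-is to see the strict gate reject the report's summary; run it with `LIVE=1` on a host with Docker and Trivy to repeat the pull-and-scan against a newer tag and let Trivy's `--exit-code 1` fail the pipeline on any remaining HIGH or CRITICAL finding.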
Expected behavior
No CVEs are found in the temporalio/ui image.