
Addressing a lot of security vulnerabilities in the Cadence release v1.2.14

[Open] LauVietVan opened this issue 1 year ago • 1 comment

Version of Cadence server, and client (which language)
This is very important to root cause bugs.

  • Server version: v1.2.14

Describe the bug
There are a lot of CVEs found from the latest Cadence image: ubercadence/server:v1.2.14

To Reproduce
Is the issue reproducible?

  • Yes

Steps to reproduce the behavior:

  • Pull the latest image ubercadence/server:v1.2.14 from Dockerhub
  • Scan the image with any vulnerability scanner
Scan results for: image ubercadence/server:v1.2.14 sha256:ccd93845dd68aa5a59eb761b28df3720b492926542a83bad9e21d6f7714344e1
Vulnerabilities
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
|       CVE        | SEVERITY | CVSS |                PACKAGE                 |              VERSION               |          STATUS          |  PUBLISHED  | DISCOVERED |                    DESCRIPTION                     |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2024-24790   | critical | 9.80 | net/netip                              | 1.22.3                             | fixed in 1.21.11, 1.22.4 | > 6 months  | < 1 hour   | The various Is methods (IsPrivate, IsLoopback,     |
|                  |          |      |                                        |                                    | > 6 months ago           |             |            | etc) did not work as expected for IPv4-mapped IPv6 |
|                  |          |      |                                        |                                    |                          |             |            | addresses, returning false for addresses which     |
|                  |          |      |                                        |                                    |                          |             |            | would...                                           |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2019-0210    | high     | 7.50 | github.com/apache/thrift/lib/go/thrift | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.13.0          | > 5 years   | < 1 hour   | In Apache Thrift 0.9.3 to 0.12.0, a server         |
|                  |          |      |                                        |                                    | > 5 years ago            |             |            | implemented in Go using TJSONProtocol or           |
|                  |          |      |                                        |                                    |                          |             |            | TSimpleJSONProtocol may panic when feed with       |
|                  |          |      |                                        |                                    |                          |             |            | invalid input data.                                |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2024-9681    | medium   | 6.50 | curl                                   | 8.9.1-r1                           |                          | 29 days     | < 1 hour   | When curl is asked to use HSTS, the expiry time    |
|                  |          |      |                                        |                                    |                          |             |            | for a subdomain might overwrite a parent domain's  |
|                  |          |      |                                        |                                    |                          |             |            | cache entry, making it end sooner or later than    |
|                  |          |      |                                        |                                    |                          |             |            | oth...                                             |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| PRISMA-2023-0056 | medium   | 6.20 | github.com/sirupsen/logrus             | v1.9.0                             | fixed in v1.9.3          | > 1 years   | < 1 hour   | The github.com/sirupsen/logrus module of all       |
|                  |          |      |                                        |                                    | > 1 years ago            |             |            | versions is vulnerable to denial of service.       |
|                  |          |      |                                        |                                    |                          |             |            | Logging more than 64kb of data in a single entry   |
|                  |          |      |                                        |                                    |                          |             |            | without new...                                     |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2023-6992    | medium   | 5.50 | zlib                                   | 1.2.13-r1                          |                          | > 11 months | < 1 hour   | Cloudflare version of zlib library was found       |
|                  |          |      |                                        |                                    |                          |             |            | to be vulnerable to memory corruption issues       |
|                  |          |      |                                        |                                    |                          |             |            | affecting the deflation algorithm implementation   |
|                  |          |      |                                        |                                    |                          |             |            | (deflate.c)...                                     |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2023-45288   | medium   | 0.00 | golang.org/x/net/http2                 | v0.19.0                            | fixed in 0.23.0          | > 8 months  | < 1 hour   | An attacker may cause an HTTP/2 endpoint to        |
|                  |          |      |                                        |                                    | > 8 months ago           |             |            | read arbitrary amounts of header data by sending   |
|                  |          |      |                                        |                                    |                          |             |            | an excessive number of CONTINUATION frames.        |
|                  |          |      |                                        |                                    |                          |             |            | Maintaining H...                                   |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2024-9143    | low      | 0.00 | openssl                                | 3.1.7-r0                           | fixed in 3.1.7-r1        | 50 days     | < 1 hour   | Issue summary: Use of the low-level GF(2^m)        |
|                  |          |      |                                        |                                    | 46 days ago              |             |            | elliptic curve APIs with untrusted explicit values |
|                  |          |      |                                        |                                    |                          |             |            | for the field polynomial can lead to out-of-bounds |
|                  |          |      |                                        |                                    |                          |             |            | memo...                                            |
+------------------+----------+------+----------------------------------------+------------------------------------+--------------------------+-------------+------------+----------------------------------------------------+

Vulnerabilities found for image ubercadence/server:v1.2.14: total - 7, critical - 1, high - 1, medium - 4, low - 1
Vulnerability threshold check results: PASS

Compliance Issues
+----------+------------------------------------------------------------------------+
| SEVERITY |                              DESCRIPTION                               |
+----------+------------------------------------------------------------------------+
| high     | (CIS_Docker_v1.5.0 - 4.1) Image should be created with a non-root user |
+----------+------------------------------------------------------------------------+
| high     | Private keys stored in image                                           |
+----------+------------------------------------------------------------------------+

Compliance found for image ubercadence/server:v1.2.14: total - 2, critical - 0, high - 2, medium - 0, low - 0

Expected behavior
No more CVEs found.

Screenshots
(image attached to the original issue, not reproduced here)

Additional context
Add any other context about the problem here, e.g. stacktrace, workflow history.

LauVietVan, Dec 06 '24 01:12
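The critical row in the scan above, CVE-2024-24790, is a defect in the Go toolchain's own net/netip package rather than in a third-party module: before Go 1.21.11 / 1.22.4 the Is* predicates returned false for IPv4-mapped IPv6 addresses such as ::ffff:127.0.0.1. The program below is an added example, not Cadence code, showing the affected call pattern next to the form that gives the same answer on any toolchain (canonicalise with Addr.Unmap() first). IsLocalPeer is a hypothetical allow-list helper, and the sample addresses are constructed:

```go
package main

import (
	"fmt"
	"net/netip"
)

// classifyNaive applies the predicates directly to the parsed address, which is
// what code built with an affected toolchain effectively did: before the fix,
// IsLoopback/IsPrivate inspected the raw 16-byte form and answered false for
// IPv4-mapped addresses such as ::ffff:127.0.0.1.
func classifyNaive(addr netip.Addr) (loopback, private bool) {
	return addr.IsLoopback(), addr.IsPrivate()
}

// classifyUnmapped canonicalises first. Unmap returns the embedded IPv4 address
// for an IPv4-mapped IPv6 address and is a no-op otherwise, so the answer no
// longer depends on which toolchain built the binary.
func classifyUnmapped(addr netip.Addr) (loopback, private bool) {
	addr = addr.Unmap()
	return addr.IsLoopback(), addr.IsPrivate()
}

// IsLocalPeer is the shape of an allow-list check a server might apply to a
// peer address read from a socket (hypothetical helper, not a Cadence API).
// The mapped form arises without any attacker: netip.AddrFromSlice on the
// 16-byte net.IP that the net package commonly uses for IPv4 yields
// ::ffff:a.b.c.d, so every classification must go through the unmapped form.
func IsLocalPeer(peer string) (bool, error) {
	addr, err := netip.ParseAddr(peer)
	if err != nil {
		return false, err
	}
	loopback, private := classifyUnmapped(addr)
	return loopback || private, nil
}

// ToolchainAffected reports whether the running toolchain still shows the
// CVE-2024-24790 behaviour: a naive IsLoopback on ::ffff:127.0.0.1 is false.
func ToolchainAffected() bool {
	loopback, _ := classifyNaive(netip.MustParseAddr("::ffff:127.0.0.1"))
	return !loopback
}

func main() {
	// Constructed sample addresses: plain IPv4, mapped loopback, mapped private,
	// mapped public, and native IPv6 loopback.
	for _, s := range []string{"127.0.0.1", "::ffff:127.0.0.1", "::ffff:10.1.2.3", "::ffff:8.8.8.8", "::1"} {
		addr := netip.MustParseAddr(s)
		nl, np := classifyNaive(addr)
		ul, up := classifyUnmapped(addr)
		fmt.Printf("%-17s naive: loopback=%-5v private=%-5v  unmapped: loopback=%-5v private=%v\n", s, nl, np, ul, up)
	}
	fmt.Println("running toolchain affected by CVE-2024-24790:", ToolchainAffected())
}
```

For a stdlib finding the real fix is rebuilding the image with a patched toolchain; bumping go.mod dependencies does nothing for it. The Unmap pattern is still what application code should do regardless, since it removes the dependence on toolchain behaviour entirely.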

The latest scan has reported a new CVE for this version: CVE-2024-24786 | google.golang.org/protobuf/internal/encoding/json v1.31.0

thle40, Dec 12 '24 03:12
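Scanner tables like the one above name a package, a version and a fixed version, but the authoritative record of what a Go binary was built with is the build information embedded in the binary itself, which `go version -m <binary>` prints (the server binary can be copied out of the container with `docker cp`). The program below is an added example, not Cadence code; it covers the Go module findings in the first post and the protobuf CVE from the comment by parsing that output and grading each finding against the fixed versions as affected, fixed, absent or unknown. The sample output is constructed to match the scan table, with a placeholder binary path and checksums; the fixed versions are the page's except the protobuf one, which is taken from the upstream advisory since the thread names only the CVE:

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Advisory names a module (or "stdlib" for the Go toolchain) and the version that
// fixes it. Fixed versions are those in the scan table above, taking the 1.22-series
// fix for CVE-2024-24790 (the image was built with go1.22.3); the protobuf fix
// version is not on the page, v1.33.0 is from the upstream advisory.
type Advisory struct{ ID, Module, Fixed string }

var advisories = []Advisory{
	{"CVE-2024-24790", "stdlib", "1.22.4"},
	{"CVE-2019-0210", "github.com/apache/thrift", "0.13.0"},
	{"PRISMA-2023-0056", "github.com/sirupsen/logrus", "v1.9.3"},
	{"CVE-2023-45288", "golang.org/x/net", "0.23.0"}, // the scanner names the http2 package, build info the module
	{"CVE-2024-24786", "google.golang.org/protobuf", "v1.33.0"},
}

// ParseGoVersionM parses `go version -m <binary>` output (a "<binary>: go<version>"
// header, then tab-indented path/mod/dep/=>/build records) into module path ->
// linked version, with the toolchain version stored under the key "stdlib".
func ParseGoVersionM(text string) map[string]string {
	deps, lastDep := map[string]string{}, ""
	for _, line := range strings.Split(text, "\n") {
		f := strings.Split(line, "\t")
		switch {
		case f[0] != "": // header line
			if _, ver, ok := strings.Cut(f[0], ": go"); ok {
				deps["stdlib"] = ver
			}
		case len(f) >= 4 && f[1] == "dep":
			lastDep, deps[f[2]] = f[2], f[3]
		case len(f) >= 3 && f[1] == "=>" && lastDep != "": // replace: the replacement is what got linked
			deps[lastDep] = append(f, "")[3] // "" for a directory replace, which carries no version
		}
	}
	return deps
}

// parseVersion normalises "v1.9.0", "1.22.3", "go1.22.3", "+incompatible" versions and
// pseudo-versions into a zero-padded "major.minor.patch.release" key that orders
// correctly under string comparison; release is "true" for a plain release and
// "false" for a pre-release or pseudo-version (and "true" sorts above "false"), so
// thrift's v0.0.0-2016...-b2a4d4ae21c7 sorts below v0.13.0. "(devel)", "" or a
// toolchain rc such as "1.23rc1" give ok=false.
func parseVersion(s string) (key string, ok bool) {
	s = strings.TrimPrefix(strings.TrimPrefix(s, "go"), "v")
	s, _, _ = strings.Cut(s, "+")
	nums, pre, _ := strings.Cut(s, "-")
	var v [3]int
	for i, p := range strings.Split(nums, ".") {
		n, err := strconv.Atoi(p)
		if i > 2 || err != nil || n < 0 {
			return "", false
		}
		v[i] = n
	}
	return fmt.Sprintf("%06d.%06d.%06d.%t", v[0], v[1], v[2], pre == ""), true
}

// Evaluate maps each advisory id to "affected", "fixed", "absent" or "unknown".
func Evaluate(deps map[string]string, advs []Advisory) map[string]string {
	out := map[string]string{}
	for _, a := range advs {
		have, present := deps[a.Module]
		hv, okHave := parseVersion(have)
		fv, okFix := parseVersion(a.Fixed)
		switch {
		case !present:
			out[a.ID] = "absent"
		case !okHave || !okFix:
			out[a.ID] = "unknown" // unparsable version (e.g. a directory replace): review by hand
		case hv >= fv:
			out[a.ID] = "fixed"
		default:
			out[a.ID] = "affected"
		}
	}
	return out
}

// sampleGoVersionM is constructed to mirror the scan table; the binary path and
// h1: sums are placeholders, not taken from the image.
var sampleGoVersionM = strings.Join([]string{
	"/usr/local/bin/cadence-server: go1.22.3",
	"\tdep\tgithub.com/apache/thrift\tv0.0.0-20161221203622-b2a4d4ae21c7\th1:placeholder=",
	"\tdep\tgithub.com/sirupsen/logrus\tv1.9.0\th1:placeholder=",
	"\tdep\tgolang.org/x/net\tv0.19.0\th1:placeholder=",
	"\tdep\tgoogle.golang.org/protobuf\tv1.31.0\th1:placeholder=",
}, "\n")

func main() {
	for id, status := range Evaluate(ParseGoVersionM(sampleGoVersionM), advisories) {
		fmt.Printf("%-17s %s\n", id, status)
	}
}
```

Two things this check makes explicit that the scanner table does not: an "affected" result for "stdlib" can only be cleared by rebuilding with the fixed toolchain, not by editing go.mod, and a module pulled in through a replace directive is graded on the replacement's version (or reported as unknown for a directory replace), which is where scanners and reality most often diverge. The curl, zlib and openssl rows carry apk-style versions (8.9.1-r1, 1.2.13-r1, 3.1.7-r0) and are base-image packages outside this check; they move with the base image, not with the Go build.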