
Security Vulnerabilities: Both 15 and 16 Images have critical and high Vulnerabilities

Open gowthamvetriselvan opened this issue 4 months ago • 2 comments

Hi Team

Recent Docker images of Spilo have critical and high vulnerabilities:

  • ghcr.io/zalando/spilo-15:3.2-p1

  • ghcr.io/zalando/spilo-16:3.2-p2

| CVE ID | Severity | Package | Current version | Fix version | Namespace | Status | Introduced in layer | File path |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-37920 | Critical | certifi | 2020.6.20 | 2023.07.22 | python | VULNERABLE | layer 1 | usr/lib/python3/dist-packages/certifi-2020.6.20.egg-info/PKG-INFO |
| CVE-2023-4807 | High | cryptography | 3.4.8 | 41.0.4 | python | VULNERABLE | layer 1 | usr/lib/python3/dist-packages/cryptography-3.4.8.egg-info/PKG-INFO |
| CVE-2023-43804 | High | urllib3 | 1.26.5 | 1.26.17 | python | VULNERABLE | layer 1 | usr/lib/python3/dist-packages/urllib3-1.26.5.egg-info/PKG-INFO |
| CVE-2018-1000047 | High | ply | 3.11 | (none listed) | python | VULNERABLE | layer 1 | usr/lib/python3/dist-packages/ply-3.11.egg-info/PKG-INFO |
| CVE-2023-39325 | High | google.golang.org/grpc | v1.31.0 | 1.58.3 | go | VULNERABLE | layer 2 | usr/local/bin/wal-g |
| CVE-2023-44487 | High | google.golang.org/grpc | v1.31.0 | 1.58.3 | go | VULNERABLE | layer 2 | usr/local/bin/wal-g |
| CVE-2023-6596 | High | google.golang.org/grpc | v1.31.0 | 1.58.3 | go | VULNERABLE | layer 2 | usr/local/bin/wal-g |
| CVE-2020-26160 | High | github.com/dgrijalva/jwt-go | v3.2.0+incompatible | (none listed) | go | VULNERABLE | layer 2 | usr/local/bin/wal-g |
| CVE-2022-32149 | High | golang.org/x/text | v0.3.7 | 0.3.8 | go | VULNERABLE | layer 2 | usr/local/bin/wal-g |
| CVE-2023-50782 | High | cryptography | 3.4.8 | (none listed) | python | VULNERABLE | layer 1 | usr/lib/python3/dist-packages/cryptography-3.4.8.egg-info/PKG-INFO |
| CVE-2023-49083 | High | cryptography | 3.4.8 | 41.0.6 | python | VULNERABLE | layer 1 | usr/lib/python3/dist-packages/cryptography-3.4.8.egg-info/PKG-INFO |
| CVE-2022-29217 | High | pyjwt | 2.3.0 | 2.4.0 | python | VULNERABLE | layer 1 | usr/lib/python3/dist-packages/PyJWT-2.3.0.egg-info/PKG-INFO |

Layers as reported by the scanner (buildkit history):

  • layer 1: `RUN |10 DEMO=false ADDITIONAL_LOCALES= PGVERSION=16 TIMESCALEDB=2.3.1 2.11.2 2.14.2 TIMESCALEDB_APACHE_ONLY=true TIMESCALEDB_TOOLKIT=true COMPRESS=false PGOLDVERSIONS=11 12 13 14 15 WITH_PERL=false DEB_PG_SUPPORTED_VERSIONS=11 12 13 14 15 16 bash /builddeps/patroni_wale.sh # buildkit`

  • layer 2: `COPY /builddeps/wal-g /usr/local/bin/ # buildkit`

Do we know when this can be addressed, or can you provide any workaround for overcoming these vulnerabilities? With these vulnerabilities it looks like it is easy to break the Postgres DB.

gowthamvetriselvan avatar Mar 07 '24 08:03 gowthamvetriselvan
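The scanner table above mixes three remediation situations that deserve different handling: Python packages with a known fix version, findings with no fix version listed, and Go modules that are compiled into the `wal-g` binary. The following triage script is an added example, not code from Spilo, Patroni, WAL-G or the scanner; it transcribes the findings from the table as constructed input (nothing is re-scanned) and groups them into a minimal upgrade plan per package, a list of CVEs with no fix listed, and the packages per introducing layer. The short layer labels are assumptions for readability.

```python
"""Triage of container-scanner findings: what to bump, to which version, and in which layer.

Added example, not Spilo's or the scanner's own code. The findings below are
transcribed from the issue's table for ghcr.io/zalando/spilo-16:3.2-p2.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Short labels (assumed) for the two Dockerfile layers the scanner reported.
PY_LAYER = "RUN bash /builddeps/patroni_wale.sh"
GO_LAYER = "COPY /builddeps/wal-g /usr/local/bin/"


@dataclass(frozen=True)
class Finding:
    cve: str
    severity: str
    package: str
    current: str
    fix: Optional[str]   # None when the scanner lists no fixed version
    namespace: str       # "python" or "go" in this report
    layer: str           # layer that introduced the package


# Constructed input: the twelve rows of the scanner table in this issue.
FINDINGS = [
    Finding("CVE-2023-37920", "Critical", "certifi", "2020.6.20", "2023.07.22", "python", PY_LAYER),
    Finding("CVE-2023-4807", "High", "cryptography", "3.4.8", "41.0.4", "python", PY_LAYER),
    Finding("CVE-2023-43804", "High", "urllib3", "1.26.5", "1.26.17", "python", PY_LAYER),
    Finding("CVE-2018-1000047", "High", "ply", "3.11", None, "python", PY_LAYER),
    Finding("CVE-2023-39325", "High", "google.golang.org/grpc", "v1.31.0", "1.58.3", "go", GO_LAYER),
    Finding("CVE-2023-44487", "High", "google.golang.org/grpc", "v1.31.0", "1.58.3", "go", GO_LAYER),
    Finding("CVE-2023-6596", "High", "google.golang.org/grpc", "v1.31.0", "1.58.3", "go", GO_LAYER),
    Finding("CVE-2020-26160", "High", "github.com/dgrijalva/jwt-go", "v3.2.0+incompatible", None, "go", GO_LAYER),
    Finding("CVE-2022-32149", "High", "golang.org/x/text", "v0.3.7", "0.3.8", "go", GO_LAYER),
    Finding("CVE-2023-50782", "High", "cryptography", "3.4.8", None, "python", PY_LAYER),
    Finding("CVE-2023-49083", "High", "cryptography", "3.4.8", "41.0.6", "python", PY_LAYER),
    Finding("CVE-2022-29217", "High", "pyjwt", "2.3.0", "2.4.0", "python", PY_LAYER),
]


def version_key(v: str) -> tuple:
    """Sortable tuple for versions such as '1.26.17', 'v1.31.0', '2023.07.22'
    or 'v3.2.0+incompatible'. Enough for the dotted-numeric versions in this
    report; it is not a full PEP 440 or semver parser."""
    core = v.lstrip("v").split("+", 1)[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))


def upgrade_plan(findings) -> dict:
    """Package -> highest fix version among its findings, so one bump covers all of them
    (e.g. cryptography needs 41.0.6, not just 41.0.4)."""
    plan: dict = {}
    for f in findings:
        if f.fix is None:
            continue
        best = plan.get(f.package)
        if best is None or version_key(f.fix) > version_key(best):
            plan[f.package] = f.fix
    return plan


def unfixable(findings) -> list:
    """CVEs for which the scanner lists no fixed version; these need an upstream
    check (is a fix released? is the package even used?) rather than a version bump."""
    return sorted(f.cve for f in findings if f.fix is None)


def by_layer(findings) -> dict:
    """Distinct packages grouped by the layer that introduced them: the python
    namespace is installed by the build script, the go namespace is linked into wal-g."""
    groups = defaultdict(set)
    for f in findings:
        groups[f.layer].add(f.package)
    return {layer: sorted(pkgs) for layer, pkgs in groups.items()}


if __name__ == "__main__":
    for pkg, fix in sorted(upgrade_plan(FINDINGS).items()):
        print(f"bump {pkg} -> {fix}")
    print("no fix version listed:", unfixable(FINDINGS))
    for layer, pkgs in by_layer(FINDINGS).items():
        print(layer, "->", pkgs)
```

Two caveats the grouping makes visible. The Python findings sit under `/usr/lib/python3/dist-packages`, i.e. they are distribution packages installed from the OS repository, and Debian and Ubuntu routinely backport security fixes without changing the upstream version string, so a scanner that matches on upstream version alone can report a package as vulnerable after the distro has patched it; check the distro security tracker for the specific CVE before treating such a row as confirmed. The Go findings are compiled into the `wal-g` binary, so no package manager inside the image can fix them; only a WAL-G build with updated modules changes that result.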

How do you reach the conclusion that from any of those CVEs it is easy to break the Postgres database cluster run via a Spilo container?

Jan-M avatar Mar 13 '24 09:03 Jan-M