spilo
Security Vulnerabilities: Both 15 and 16 Images have critical and high Vulnerabilities
Hi Team,

The recent Docker images of Spilo have critical and high vulnerabilities:

- ghcr.io/zalando/spilo-15:3.2-p1
- ghcr.io/zalando/spilo-16:3.2-p2
| CVE ID | Severity | Package | Current version | Fix version | Namespace | Status | Introduced in layer | File path |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-37920 | Critical | certifi | 2020.6.20 | 2023.07.22 | python | VULNERABLE | Layer A | usr/lib/python3/dist-packages/certifi-2020.6.20.egg-info/PKG-INFO |
| CVE-2023-4807 | High | cryptography | 3.4.8 | 41.0.4 | python | VULNERABLE | Layer A | usr/lib/python3/dist-packages/cryptography-3.4.8.egg-info/PKG-INFO |
| CVE-2023-43804 | High | urllib3 | 1.26.5 | 1.26.17 | python | VULNERABLE | Layer A | usr/lib/python3/dist-packages/urllib3-1.26.5.egg-info/PKG-INFO |
| CVE-2018-1000047 | High | ply | 3.11 | | python | VULNERABLE | Layer A | usr/lib/python3/dist-packages/ply-3.11.egg-info/PKG-INFO |
| CVE-2023-39325 | High | google.golang.org/grpc | v1.31.0 | 1.58.3 | go | VULNERABLE | Layer B | usr/local/bin/wal-g |
| CVE-2023-44487 | High | google.golang.org/grpc | v1.31.0 | 1.58.3 | go | VULNERABLE | Layer B | usr/local/bin/wal-g |
| CVE-2023-6596 | High | google.golang.org/grpc | v1.31.0 | 1.58.3 | go | VULNERABLE | Layer B | usr/local/bin/wal-g |
| CVE-2020-26160 | High | github.com/dgrijalva/jwt-go | v3.2.0+incompatible | | go | VULNERABLE | Layer B | usr/local/bin/wal-g |
| CVE-2022-32149 | High | golang.org/x/text | v0.3.7 | 0.3.8 | go | VULNERABLE | Layer B | usr/local/bin/wal-g |
| CVE-2023-50782 | High | cryptography | 3.4.8 | | python | VULNERABLE | Layer A | usr/lib/python3/dist-packages/cryptography-3.4.8.egg-info/PKG-INFO |
| CVE-2023-49083 | High | cryptography | 3.4.8 | 41.0.6 | python | VULNERABLE | Layer A | usr/lib/python3/dist-packages/cryptography-3.4.8.egg-info/PKG-INFO |
| CVE-2022-29217 | High | pyjwt | 2.3.0 | 2.4.0 | python | VULNERABLE | Layer A | usr/lib/python3/dist-packages/PyJWT-2.3.0.egg-info/PKG-INFO |

Layers as reported by the scanner (the "Introduced in layer" column is identical for all Python rows and for all Go rows):

- Layer A: `RUN |10 DEMO=false ADDITIONAL_LOCALES= PGVERSION=16 TIMESCALEDB=2.3.1 2.11.2 2.14.2 TIMESCALEDB_APACHE_ONLY=true TIMESCALEDB_TOOLKIT=true COMPRESS=false PGOLDVERSIONS=11 12 13 14 15 WITH_PERL=false DEB_PG_SUPPORTED_VERSIONS=11 12 13 14 15 16 bash /builddeps/patroni_wale.sh # buildkit`
- Layer B: `COPY /builddeps/wal-g /usr/local/bin/ # buildkit`
Do we know when this can be addressed, or is there any workaround for overcoming these vulnerabilities? With these vulnerabilities it looks like it is easy to break the Postgres DB.
How do you reach the conclusion that from any of those CVEs it is easy to break the Postgres database cluster run via a Spilo container?