2024-07-23 13:53:44
Juraj Martinka
Previously reported here: https://github.com/docker-library/cassandra/issues/276#issuecomment-2222627720
I am using the latest official ubuntu:noble (or ubuntu:24.10, and probably others) image from Docker Hub and installing gosu via `apt update && apt install gosu`.
If I create such an image, docker scout reports a few critical and high vulnerabilities.
```
docker run -it ubuntu:noble /bin/bash
# inside the container
apt update && apt install gosu
gosu --version
1.17 (go1.21.3 on linux/arm64; gc)
# create a new image with installed gosu
docker commit <container_id> ubuntu-noble-security
docker scout cves --locations --only-severity "critical,high" ubuntu-noble-security
...
✗ Detected 1 vulnerable package with 3 vulnerabilities
## Packages and Vulnerabilities
1C 2H 0M 0L stdlib 1.21.3
pkg:golang/stdlib@1.21.3
6: sha256:72d0bb40b06f68e2b1dbbd238d3aa6696de4df6793602d68417c2bac696c10ca
/usr/sbin/gosu (evident by)
✗ CRITICAL CVE-2024-24790
https://scout.docker.com/v/CVE-2024-24790
Affected range : <1.21.11
Fixed version : 1.21.11
✗ HIGH CVE-2024-24791
https://scout.docker.com/v/CVE-2024-24791
Affected range : <1.21.12
Fixed version : 1.21.12
✗ HIGH CVE-2023-45283
https://scout.docker.com/v/CVE-2023-45283
Affected range : >=1.21.0-0
: <1.21.4
Fixed version : 1.21.4
```
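Added example (not part of the issue above, nor of the gosu or docker-library projects): a Python script that recovers the Go toolchain version baked into a Go binary such as `/usr/sbin/gosu` and checks it against the fixed versions quoted in the scout output. It parses the build-info blob (magic `\xff Go buildinf:`) that the Go linker writes into every binary; `go version -m /usr/sbin/gosu` prints the same data when a Go toolchain is at hand. Only the Go 1.18+ inline layout is handled, which is the one a go1.21.3 build uses. The file name `gobuildinfo.py` and the fake ELF built by `build_sample_binary` are assumptions made for this example, and the sample is constructed inline so the script runs offline.

```python
from __future__ import annotations

import re
import sys

BUILDINFO_MAGIC = b"\xff Go buildinf:"   # 14 bytes, written by the Go linker
HEADER_LEN = 32                           # magic, ptr size, flags, padding
FLAG_VERSION_INLINE = 0x02                # Go 1.18+: strings follow the header

# Fixed versions exactly as listed in the docker scout output above.
SCOUT_FIXED_VERSIONS = {
    "CVE-2024-24790": "1.21.11",
    "CVE-2024-24791": "1.21.12",
    "CVE-2023-45283": "1.21.4",
}


def _read_uvarint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode an unsigned LEB128 varint (Go's encoding/binary.Uvarint)."""
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if b < 0x80:
            return result, pos
        shift += 7


def _read_string(buf: bytes, pos: int) -> tuple[str, int]:
    """Read a varint-length-prefixed UTF-8 string."""
    n, pos = _read_uvarint(buf, pos)
    return buf[pos:pos + n].decode("utf-8"), pos + n


def go_version_from_binary(data: bytes) -> str | None:
    """Return the embedded toolchain version (e.g. 'go1.21.3'), or None when
    no inline-style build info is present."""
    idx = data.find(BUILDINFO_MAGIC)
    if idx < 0 or idx + HEADER_LEN > len(data):
        return None
    flags = data[idx + 15]                # byte 14 is pointer size, 15 is flags
    if not flags & FLAG_VERSION_INLINE:
        return None                       # pre-1.18 pointer layout: do not guess
    try:
        version, _ = _read_string(data, idx + HEADER_LEN)
    except (IndexError, UnicodeDecodeError):
        return None
    return version or None


def parse_go_version(v: str) -> tuple[int, int, int]:
    """'go1.21.3' or '1.21.3' -> (1, 21, 3). Numeric tuples are required:
    a plain string compare ranks 'go1.21.3' above 'go1.21.11'."""
    m = re.fullmatch(r"(?:go)?(\d+)\.(\d+)(?:\.(\d+))?", v.strip())
    if not m:
        raise ValueError(f"not a Go release version: {v!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def affecting_cves(version: str, fixes: dict[str, str]) -> list[str]:
    """CVEs whose fixed toolchain is newer than the one in the binary."""
    have = parse_go_version(version)
    return sorted(cve for cve, fixed in fixes.items()
                  if have < parse_go_version(fixed))


def build_sample_binary(version: str) -> bytes:
    """Constructed test data: a fake ELF carrying a minimal inline build-info
    blob (a real binary keeps it in the .go.buildinfo section)."""
    header = BUILDINFO_MAGIC + bytes([8, FLAG_VERSION_INLINE]) + b"\0" * 16
    assert len(header) == HEADER_LEN
    body = bytes([len(version)]) + version.encode() + b"\0"  # version, empty modinfo
    return b"\x7fELF" + b"\0" * 60 + header + body + b"\0" * 16


def check_file(path: str) -> list[str]:
    """Read a real binary and report which of the listed CVEs still apply."""
    with open(path, "rb") as f:
        version = go_version_from_binary(f.read())
    if version is None:
        raise SystemExit(f"{path}: no Go build info found")
    print(f"{path}: built with {version}")
    return affecting_cves(version, SCOUT_FIXED_VERSIONS)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        cves = check_file(sys.argv[1])             # e.g. /usr/sbin/gosu
    else:
        sample = build_sample_binary("go1.21.3")   # what the issue's gosu reports
        cves = affecting_cves(go_version_from_binary(sample), SCOUT_FIXED_VERSIONS)
    print("affected by:", ", ".join(cves) or "none")
```

Run it inside the container as `python3 gobuildinfo.py /usr/sbin/gosu` to confirm the `go1.21.3` that `gosu --version` prints. Because the Go standard library is compiled into the binary, there is no shared library for apt to patch: the finding only goes away once the gosu package is rebuilt with a toolchain at or above the listed fixed versions, or the binary is replaced with such a build.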