
Addressing a lot of security vulnerabilities in the Temporalio/admin-tools release 1.25.2-tctl-1.18.1-cli-1.1.2 #6977

Open
LauVietVan opened this issue Dec 12, 2024 · 0 comments


Expected Behavior

No more CVEs found.

Actual Behavior

There are a lot of CVEs found from the latest Temporal image:
temporalio/admin-tools:1.25.2-tctl-1.18.1-cli-1.1.2

Steps to Reproduce the Problem

Pull the latest image temporalio/admin-tools:1.25.2-tctl-1.18.1-cli-1.1.2 from Dockerhub
Scan the image with any vulnerability scanner

Scan results for: image temporalio/admin-tools:1.25.2-tctl-1.18.1-cli-1.1.2 sha256:70c966b9022bd1574036d32179e07a777258d1a16e1387beaf923835d488023b
Vulnerabilities
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
|       CVE        | SEVERITY | CVSS |           PACKAGE            |                VERSION                |             STATUS              | PUBLISHED  | DISCOVERED |                    DESCRIPTION                     |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-6345    | high     | 8.80 | setuptools                   | 65.5.0                                | fixed in 70.0.0                 | > 5 months | < 1 hour   | A vulnerability in the package_index module of     |
|                  |          |      |                              |                                       | > 4 months ago                  |            |            | pypa/setuptools versions up to 69.1.1 allows for   |
|                  |          |      |                              |                                       |                                 |            |            | remote code execution via its download functions.  |
|                  |          |      |                              |                                       |                                 |            |            | Thes...                                            |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| PRISMA-2022-0168 | high     | 7.80 | pip                          | 24.0                                  | open                            | > 2 years  | < 1 hour   | An issue was discovered in pip (all versions)      |
|                  |          |      |                              |                                       |                                 |            |            | because it installs the version with the highest   |
|                  |          |      |                              |                                       |                                 |            |            | version number, even if the user had intended to   |
|                  |          |      |                              |                                       |                                 |            |            | obtain...                                          |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-7348    | high     | 7.50 | postgresql16                 | 16.3-r0                               | fixed in 16.4-r0                | > 4 months | < 1 hour   | Time-of-check Time-of-use (TOCTOU) race condition  |
|                  |          |      |                              |                                       | 41 days ago                     |            |            | in pg_dump in PostgreSQL allows an object creator  |
|                  |          |      |                              |                                       |                                 |            |            | to execute arbitrary SQL functions as the user     |
|                  |          |      |                              |                                       |                                 |            |            | run...                                             |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-9681    | medium   | 6.50 | curl                         | 8.9.1-r2                              | fixed in 8.11.0-r0              | 36 days    | < 1 hour   | When curl is asked to use HSTS, the expiry time    |
|                  |          |      |                              |                                       | 35 days ago                     |            |            | for a subdomain might overwrite a parent domain's  |
|                  |          |      |                              |                                       |                                 |            |            | cache entry, making it end sooner or later than    |
|                  |          |      |                              |                                       |                                 |            |            | oth...                                             |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2022-40897   | medium   | 5.90 | setuptools                   | 65.5.0                                | fixed in 65.5.1                 | > 1 years  | < 1 hour   | Python Packaging Authority (PyPA) setuptools       |
|                  |          |      |                              |                                       | > 1 years ago                   |            |            | before 65.5.1 allows remote attackers to cause a   |
|                  |          |      |                              |                                       |                                 |            |            | denial of service via HTML in a crafted package or |
|                  |          |      |                              |                                       |                                 |            |            | custo...                                           |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-2689    | medium   | 0.00 | go.temporal.io/server        | v1.18.1-0.20230217005328-b313b7f58641 | fixed in 1.20.5, 1.21.6, 1.22.7 | > 6 months | < 1 hour   | Denial of Service in Temporal Server prior to      |
|                  |          |      |                              |                                       | > 6 months ago                  |            |            | version 1.20.5, 1.21.6, and 1.22.7 allows an       |
|                  |          |      |                              |                                       |                                 |            |            | authenticated user who has permissions to interact |
|                  |          |      |                              |                                       |                                 |            |            | with wor...                                        |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-3485    | low      | 3.60 | go.temporal.io/server        | v1.18.1-0.20230217005328-b313b7f58641 | fixed in 1.20.0                 | > 3 months | < 1 hour   | Insecure defaults in open-source Temporal Server   |
|                  |          |      |                              |                                       | > 1 years ago                   |            |            | before version 1.20 on all platforms allows an     |
|                  |          |      |                              |                                       |                                 |            |            | attacker to craft a task token with access to a    |
|                  |          |      |                              |                                       |                                 |            |            | namesp...                                          |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-9287    | low      | 0.00 | python3                      | 3.12.6-r0                             | fixed in 3.12.8-r0              | 50 days    | < 1 hour   | A vulnerability has been found in the CPython      |
|                  |          |      |                              |                                       | 5 days ago                      |            |            | `venv` module and CLI where path names provided    |
|                  |          |      |                              |                                       |                                 |            |            | when creating a virtual environment were not       |
|                  |          |      |                              |                                       |                                 |            |            | quoted prop...                                     |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-9143    | low      | 0.00 | openssl                      | 3.3.2-r0                              | fixed in 3.3.2-r1               | 56 days    | < 1 hour   | Issue summary: Use of the low-level GF(2^m)        |
|                  |          |      |                              |                                       | 52 days ago                     |            |            | elliptic curve APIs with untrusted explicit values |
|                  |          |      |                              |                                       |                                 |            |            | for the field polynomial can lead to out-of-bounds |
|                  |          |      |                              |                                       |                                 |            |            | memo...                                            |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-8096    | low      | 0.00 | curl                         | 8.9.1-r2                              | fixed in 8.10.0-r0              | > 3 months | < 1 hour   | When curl is told to use the Certificate Status    |
|                  |          |      |                              |                                       | > 3 months ago                  |            |            | Request TLS extension, often referred to as OCSP   |
|                  |          |      |                              |                                       |                                 |            |            | stapling, to verify that the server certificate is |
|                  |          |      |                              |                                       |                                 |            |            | va...                                              |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-51744   | low      | 0.00 | github.com/golang-jwt/jwt/v4 | v4.5.0                                | fixed in 4.5.1                  | 37 days    | < 1 hour   | golang-jwt is a Go implementation of JSON Web      |
|                  |          |      |                              |                                       | 37 days ago                     |            |            | Tokens. Unclear documentation of the error         |
|                  |          |      |                              |                                       |                                 |            |            | behavior in `ParseWithClaims` can lead to          |
|                  |          |      |                              |                                       |                                 |            |            | situation where use...                             |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-50602   | low      | 0.00 | expat                        | 2.6.3-r0                              | fixed in 2.6.4-r0               | 46 days    | < 1 hour   | An issue was discovered in libexpat before 2.6.4.  |
|                  |          |      |                              |                                       | 33 days ago                     |            |            | There is a crash within the XML_ResumeParser       |
|                  |          |      |                              |                                       |                                 |            |            | function because XML_StopParser can stop/suspend   |
|                  |          |      |                              |                                       |                                 |            |            | an uns...                                          |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-12254   | low      | 0.00 | python3                      | 3.12.6-r0                             | fixed in 3.12.8-r1              | 5 days     | < 1 hour   | Starting in Python 3.12.0, the                     |
|                  |          |      |                              |                                       | 5 days ago                      |            |            | asyncio._SelectorSocketTransport.writelines()      |
|                  |          |      |                              |                                       |                                 |            |            | method would not "pause" writing and signal to the |
|                  |          |      |                              |                                       |                                 |            |            | Protocol to drain  th...                           |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-10979   | low      | 0.00 | postgresql16                 | 16.3-r0                               | fixed in 16.5-r0                | 27 days    | < 1 hour   | Incorrect control of environment variables in      |
|                  |          |      |                              |                                       | 26 days ago                     |            |            | PostgreSQL PL/Perl allows an unprivileged database |
|                  |          |      |                              |                                       |                                 |            |            | user to change sensitive process environment       |
|                  |          |      |                              |                                       |                                 |            |            | variable...                                        |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-10978   | low      | 0.00 | postgresql16                 | 16.3-r0                               | fixed in 16.5-r0                | 27 days    | < 1 hour   | Incorrect privilege assignment in PostgreSQL       |
|                  |          |      |                              |                                       | 26 days ago                     |            |            | allows a less-privileged application user to view  |
|                  |          |      |                              |                                       |                                 |            |            | or change different rows from those intended.  An  |
|                  |          |      |                              |                                       |                                 |            |            | attac...                                           |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-10977   | low      | 0.00 | postgresql16                 | 16.3-r0                               | fixed in 16.5-r0                | 27 days    | < 1 hour   | Client use of server error message in PostgreSQL   |
|                  |          |      |                              |                                       | 26 days ago                     |            |            | allows a server not trusted under current SSL or   |
|                  |          |      |                              |                                       |                                 |            |            | GSS settings to furnish arbitrary non-NUL bytes to |
|                  |          |      |                              |                                       |                                 |            |            | t...                                               |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-10976   | low      | 0.00 | postgresql16                 | 16.3-r0                               | fixed in 16.5-r0                | 27 days    | < 1 hour   | Incomplete tracking in PostgreSQL of tables        |
|                  |          |      |                              |                                       | 26 days ago                     |            |            | with row security allows a reused query to view    |
|                  |          |      |                              |                                       |                                 |            |            | or change different rows from those intended.      |
|                  |          |      |                              |                                       |                                 |            |            | CVE-2023-24...                                     |
+------------------+----------+------+------------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+

Vulnerabilities found for image temporalio/admin-tools:1.25.2-tctl-1.18.1-cli-1.1.2: total - 17, critical - 0, high - 3, medium - 3, low - 11
Vulnerability threshold check results: PASS

Compliance Issues
+----------+------------------------------+
| SEVERITY |         DESCRIPTION          |
+----------+------------------------------+
| high     | Private keys stored in image |
+----------+------------------------------+

Compliance found for image temporalio/admin-tools:1.25.2-tctl-1.18.1-cli-1.1.2: total - 1, critical - 0, high - 1, medium - 0, low - 0
Compliance threshold check results: PASS

Specifications

  • Version: temporalio/admin-tools:1.25.2-tctl-1.18.1-cli-1.1.2
  • Platform:
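To make a report like the one above actionable, here is an added Python helper (my own code, not part of this issue, of the scanner, or of Temporal's tooling) that parses the scanner's ASCII table, recomputes the per-severity totals so they can be checked against the scanner's summary line, lists the findings whose status already names a fixed package version, and applies a stricter policy than the threshold the scanner reported as PASS. The embedded sample table is constructed from five rows copied from the report above (descriptions truncated as the scanner truncates them); the column names, the `fix_version` parsing of the status cell and the `threshold_passes` limits are my assumptions.

```python
"""Parse the image scanner's ASCII vulnerability table and recompute
severity totals, fixable findings and a stricter pass/fail threshold.
Hypothetical helper written for this issue, not the scanner's own code."""
import re
from collections import Counter

# Column order of the scanner table as shown in the issue (assumed stable).
COLUMNS = ("cve", "severity", "cvss", "package", "version",
           "status", "published", "discovered", "description")

# Constructed sample: five rows copied from the report in the issue.
SAMPLE_REPORT = """\
+------------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
|       CVE        | SEVERITY | CVSS |        PACKAGE        |                VERSION                |             STATUS              | PUBLISHED  | DISCOVERED |                    DESCRIPTION                     |
+------------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-6345    | high     | 8.80 | setuptools            | 65.5.0                                | fixed in 70.0.0                 | > 5 months | < 1 hour   | A vulnerability in the package_index module of     |
|                  |          |      |                       |                                       | > 4 months ago                  |            |            | pypa/setuptools versions up to 69.1.1 allows for   |
|                  |          |      |                       |                                       |                                 |            |            | remote code execution via its download functions.  |
+------------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| PRISMA-2022-0168 | high     | 7.80 | pip                   | 24.0                                  | open                            | > 2 years  | < 1 hour   | An issue was discovered in pip (all versions)      |
|                  |          |      |                       |                                       |                                 |            |            | because it installs the version with the highest   |
+------------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-7348    | high     | 7.50 | postgresql16          | 16.3-r0                               | fixed in 16.4-r0                | > 4 months | < 1 hour   | Time-of-check Time-of-use (TOCTOU) race condition  |
|                  |          |      |                       |                                       | 41 days ago                     |            |            | in pg_dump in PostgreSQL allows an object creator  |
+------------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-9681    | medium   | 6.50 | curl                  | 8.9.1-r2                              | fixed in 8.11.0-r0              | 36 days    | < 1 hour   | When curl is asked to use HSTS, the expiry time    |
|                  |          |      |                       |                                       | 35 days ago                     |            |            | for a subdomain might overwrite a parent domain's  |
+------------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-2689    | medium   | 0.00 | go.temporal.io/server | v1.18.1-0.20230217005328-b313b7f58641 | fixed in 1.20.5, 1.21.6, 1.22.7 | > 6 months | < 1 hour   | Denial of Service in Temporal Server prior to      |
|                  |          |      |                       |                                       | > 6 months ago                  |            |            | version 1.20.5, 1.21.6, and 1.22.7 allows an       |
+------------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
"""

# Trailing "N days ago" / "> N months ago" that the scanner appends to a
# "fixed in ..." status cell on its continuation line.
AGE_RE = re.compile(r"\s*(?:>\s*)?\d+\s+(?:day|month|year)s?\s+ago$")


def _merge(block):
    """Join the wrapped lines of one table row cell by cell."""
    merged = []
    for i in range(len(COLUMNS)):
        parts = [cells[i] for cells in block if i < len(cells) and cells[i]]
        merged.append(" ".join(parts))
    return dict(zip(COLUMNS, merged))


def parse_table(text):
    """Return one dict per finding; the header row is dropped."""
    rows, block = [], []
    for line in text.splitlines():
        if line.startswith("+"):          # separator line ends a row block
            if block:
                rows.append(_merge(block))
                block = []
        elif line.startswith("|"):
            block.append([c.strip() for c in line.strip().strip("|").split("|")])
    if block:
        rows.append(_merge(block))
    return [r for r in rows if r["cve"] != "CVE"]


def summarize(rows):
    """Per-severity counts in the same shape as the scanner's summary line."""
    counts = Counter(r["severity"] for r in rows)
    return {"total": len(rows), "critical": counts["critical"],
            "high": counts["high"], "medium": counts["medium"], "low": counts["low"]}


def fix_version(status):
    """Fixed version(s) named in a status cell, or None when still open."""
    if not status.startswith("fixed in "):
        return None
    return AGE_RE.sub("", status[len("fixed in "):]).strip()


def fixable(rows):
    """(cve, package, current version, fixed version) for findings a rebuild can close."""
    return [(r["cve"], r["package"], r["version"], fix_version(r["status"]))
            for r in rows if fix_version(r["status"]) is not None]


def threshold_passes(rows, max_critical=0, max_high=0):
    """Assumed policy: no criticals and no highs by default (stricter than the report's PASS)."""
    s = summarize(rows)
    return s["critical"] <= max_critical and s["high"] <= max_high


if __name__ == "__main__":
    findings = parse_table(SAMPLE_REPORT)
    print(summarize(findings))
    for cve, pkg, cur, fixed in fixable(findings):
        print(f"{cve}: {pkg} {cur} -> {fixed}")
    print("policy:", "PASS" if threshold_passes(findings) else "FAIL")
```

Run against the full table from the issue, `summarize` should reproduce the scanner's own line (total 17, high 3, medium 3, low 11), and `fixable` gives the list of base-image packages that a rebuild on current Alpine packages would close; only findings such as the `open` pip entry remain after that. The default `threshold_passes` policy fails this image on the three highs, which is the point of recomputing rather than trusting the scanner's configured PASS.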