Closed
Description
Describe the Bug
Alpine-based images use libcrypto3 version 3.3.1-r0 and libssl3 version 3.3.1-r0, which are reported to be susceptible to CVE-2024-5535.
Steps to Reproduce
Use the Anchore grype tool to scan the sdk and runtime-deps based images and you get something like this:
```
$ grype mcr.microsoft.com/dotnet/sdk:8.0-alpine
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                    mcr.microsoft.com/dotnet/sdk:8.0-alpine
 ✔ Parsed image                    sha256:b11cdb741756c274313c967bbbdd97f1a6912b7162cfa2fd6865f04f460b6337
 ✔ Cataloged packages              [3817 packages]
 ✔ Scanned for vulnerabilities     [9 vulnerability matches]
   ├── by severity: 2 critical, 1 high, 2 medium, 1 low, 0 negligible (3 unknown)
   └── by status:   4 fixed, 5 not-fixed, 0 ignored
[0010]  WARN cataloger failed cataloger=sbom-cataloger error=sbom format not recognized location=/usr/share/powershell/.store/powershell.linux.alpine/7.4.3/powershell.linux.alpine/7.4.3/too
NAME          INSTALLED   FIXED-IN   TYPE  VULNERABILITY   SEVERITY
curl          8.5.0-r0               apk   CVE-2024-2398   High
curl          8.5.0-r0               apk   CVE-2024-0853   Medium
curl          8.5.0-r0               apk   CVE-2024-2004   Low
curl          8.5.0-r0               apk   CVE-2024-2466   Unknown
libcrypto3    3.1.5-r0    3.1.6-r0   apk   CVE-2024-5535   Critical
libcrypto3    3.1.5-r0    3.1.6-r0   apk   CVE-2024-4741   Unknown
libssl3       3.1.5-r0    3.1.6-r0   apk   CVE-2024-5535   Critical
libssl3       3.1.5-r0    3.1.6-r0   apk   CVE-2024-4741   Unknown
nghttp2-libs  1.58.0-r0              apk   CVE-2024-28182  Medium
```
Other Information
GitHub automated scanning caught this for me. Also docker.com lists alpine as being affected here
Output of docker version
Output of docker info
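When a scanner report like the one above has to be triaged repeatedly (for example to confirm that a rebuilt image no longer carries CVE-2024-5535), it helps to parse grype's table output rather than read it by eye. The following is an added example, not code from the issue or from the dotnet-docker project. It locates the findings table by its header row, assigns each cell to the column whose header offset is nearest (so an empty FIXED-IN cell does not shift later columns, which is what happens with a plain whitespace split), filters findings for one CVE, and derives the package upgrades needed to clear the fixable ones. The sample input is a copy of the grype output quoted above; `apk_version_key` is a simplified comparator assumed to be enough for the `X.Y.Z-rN` versions seen here and does not implement the full Alpine version grammar.

```python
"""Parse grype's table output, pull out the findings for one CVE, and
derive the package upgrades needed to clear the fixable findings."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a trimmed copy of the grype output quoted in the issue,
# including the progress and warning lines grype prints before the table.
SAMPLE_GRYPE_OUTPUT = """\
 ✔ Scanned for vulnerabilities     [9 vulnerability matches]
[0010]  WARN cataloger failed cataloger=sbom-cataloger error=sbom format not recognized
NAME          INSTALLED   FIXED-IN   TYPE  VULNERABILITY   SEVERITY
curl          8.5.0-r0               apk   CVE-2024-2398   High
curl          8.5.0-r0               apk   CVE-2024-0853   Medium
curl          8.5.0-r0               apk   CVE-2024-2004   Low
curl          8.5.0-r0               apk   CVE-2024-2466   Unknown
libcrypto3    3.1.5-r0    3.1.6-r0   apk   CVE-2024-5535   Critical
libcrypto3    3.1.5-r0    3.1.6-r0   apk   CVE-2024-4741   Unknown
libssl3       3.1.5-r0    3.1.6-r0   apk   CVE-2024-5535   Critical
libssl3       3.1.5-r0    3.1.6-r0   apk   CVE-2024-4741   Unknown
nghttp2-libs  1.58.0-r0              apk   CVE-2024-28182  Medium
"""

HEADER_COLUMNS = ["NAME", "INSTALLED", "FIXED-IN", "TYPE", "VULNERABILITY", "SEVERITY"]


@dataclass(frozen=True)
class Finding:
    name: str
    installed: str
    fixed_in: Optional[str]  # None when grype reports no fixed version
    pkg_type: str
    vuln_id: str
    severity: str


def _column_starts(header: str) -> List[int]:
    """Character offset at which each header column begins."""
    return [header.index(col) for col in HEADER_COLUMNS]


def parse_grype_table(text: str) -> List[Finding]:
    """Parse grype's default (table) output into Finding records.

    Each whitespace-free token is assigned to the column whose header start
    offset is nearest, so a blank FIXED-IN cell leaves that field empty
    instead of shifting TYPE/VULNERABILITY/SEVERITY one position left.
    """
    lines = text.splitlines()
    try:
        header_idx = next(i for i, line in enumerate(lines)
                          if line.startswith("NAME") and "VULNERABILITY" in line)
    except StopIteration:
        return []  # no findings table, e.g. a clean image
    starts = _column_starts(lines[header_idx])
    findings: List[Finding] = []
    for line in lines[header_idx + 1:]:
        if not line.strip():
            continue
        cells = [""] * len(HEADER_COLUMNS)
        for token in re.finditer(r"\S+", line):
            col = min(range(len(starts)), key=lambda i: abs(starts[i] - token.start()))
            cells[col] = token.group()
        name, installed, fixed_in, pkg_type, vuln_id, severity = cells
        findings.append(Finding(name, installed, fixed_in or None, pkg_type, vuln_id, severity))
    return findings


def findings_for(findings: List[Finding], vuln_id: str) -> List[Finding]:
    """All findings (one per affected package) for a single vulnerability id."""
    return [f for f in findings if f.vuln_id == vuln_id]


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """Severity histogram, comparable to grype's own 'by severity' summary line."""
    return dict(Counter(f.severity for f in findings))


def apk_version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Sort key for simple 'X.Y.Z-rN' apk versions.

    Assumption: only the numeric dotted form with a -rN package revision is
    handled; Alpine suffixes such as _p1 or _git are not parsed here.
    """
    base, _, rev = version.partition("-r")
    return tuple(int(p) for p in base.split(".")), int(rev or 0)


def upgrade_plan(findings: List[Finding]) -> Dict[str, str]:
    """Package -> highest FIXED-IN version among its fixable findings."""
    plan: Dict[str, str] = {}
    for f in findings:
        if f.fixed_in is None:
            continue  # nothing to upgrade to yet; track it separately
        if f.name not in plan or apk_version_key(f.fixed_in) > apk_version_key(plan[f.name]):
            plan[f.name] = f.fixed_in
    return plan


if __name__ == "__main__":
    report = parse_grype_table(SAMPLE_GRYPE_OUTPUT)
    print("by severity:", severity_counts(report))
    for f in findings_for(report, "CVE-2024-5535"):
        print(f"{f.name}: installed {f.installed}, fixed in {f.fixed_in}")
    print("upgrade plan:", upgrade_plan(report))
```

In a CI job the same parser can gate on `findings_for(report, cve)` being empty after an image rebuild, and `upgrade_plan` gives the exact `apk add` targets to verify against the rebuilt image's package database.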