Open
Description
Expected Behavior
No more CVEs found.
Actual Behavior
There are a lot of CVEs found in the latest Temporal image:
temporalio/server:1.26.2
Steps to Reproduce the Problem
Pull the latest image temporalio/server:1.26.2 from Dockerhub
Scan the image with any vulnerability scanner
```
| CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS | PUBLISHED | DISCOVERED | DESCRIPTION |
+------------------+----------+------+----------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-9681 | medium | 6.50 | curl | 8.9.1-r2 | fixed in 8.11.0-r0 | 71 days | < 1 hour | When curl is asked to use HSTS, the expiry time |
| | | | | | 71 days ago | | | for a subdomain might overwrite a parent domain's |
| | | | | | | | | cache entry, making it end sooner or later than |
| | | | | | | | | oth... |
+------------------+----------+------+----------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| PRISMA-2023-0056 | medium | 6.20 | github.com/sirupsen/logrus | v1.4.2 | fixed in v1.9.3 | > 1 years | < 1 hour | The github.com/sirupsen/logrus module of all |
| | | | | | > 1 years ago | | | versions is vulnerable to denial of service. |
| | | | | | | | | Logging more than 64kb of data in a single entry |
| | | | | | | | | without new... |
+------------------+----------+------+----------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-2689 | medium | 0.00 | go.temporal.io/server | v1.18.1-0.20230217005328-b313b7f58641 | fixed in 1.20.5, 1.21.6, 1.22.7 | > 7 months | < 1 hour | Denial of Service in Temporal Server prior to |
| | | | | | > 7 months ago | | | version 1.20.5, 1.21.6, and 1.22.7 allows an |
| | | | | | | | | authenticated user who has permissions to interact |
| | | | | | | | | with wor... |
+------------------+----------+------+----------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-3485 | low | 3.60 | go.temporal.io/server | v1.18.1-0.20230217005328-b313b7f58641 | fixed in 1.20.0 | > 4 months | < 1 hour | Insecure defaults in open-source Temporal Server |
| | | | | | > 1 years ago | | | before version 1.20 on all platforms allows an |
| | | | | | | | | attacker to craft a task token with access to a |
| | | | | | | | | namesp... |
+------------------+----------+------+----------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-9143 | low | 0.00 | openssl | 3.3.2-r0 | fixed in 3.3.2-r1 | > 3 months | < 1 hour | Issue summary: Use of the low-level GF(2^m) |
| | | | | | 88 days ago | | | elliptic curve APIs with untrusted explicit values |
| | | | | | | | | for the field polynomial can lead to out-of-bounds |
| | | | | | | | | memo... |
+------------------+----------+------+----------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-8096 | low | 0.00 | curl | 8.9.1-r2 | fixed in 8.10.0-r0 | > 4 months | < 1 hour | When curl is told to use the Certificate Status |
| | | | | | > 4 months ago | | | Request TLS extension, often referred to as OCSP |
| | | | | | | | | stapling, to verify that the server certificate is |
| | | | | | | | | va... |
+------------------+----------+------+----------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-11053 | low | 0.00 | curl | 8.9.1-r2 | fixed in 8.11.1-r0 | 36 days | < 1 hour | When asked to both use a `.netrc` file for |
| | | | | | 35 days ago | | | credentials and to follow HTTP redirects, curl |
| | | | | | | | | could leak the password used for the first host to |
| | | | | | | | | the follo... |
+------------------+----------+------+----------------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
```