Vulnerabilities
camaeel opened this issue · 1 comments
camaeel commented
The Trivy scanner shows there are 2 vulnerabilities with a possible fix in the latest Docker image (kphoen/dark:v0.5.7).
How to reproduce:
- Install trivy (https://github.com/aquasecurity/trivy)
- Scan:
trivy kphoen/dark:v0.5.7
Output:
kphoen/dark:v0.5.7 (alpine 3.14.1)
==================================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 0)
+--------------+------------------+----------+-------------------+---------------+--------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+--------------+------------------+----------+-------------------+---------------+--------------------------------------+
| libcrypto1.1 | CVE-2021-3711 | HIGH | 1.1.1k-r0 | 1.1.1l-r0 | openssl: SM2 Decryption |
| | | | | | Buffer Overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3711 |
+ +------------------+----------+ + +--------------------------------------+
| | CVE-2021-3712 | MEDIUM | | | openssl: Read buffer overruns |
| | | | | | processing ASN.1 strings |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3712 |
+--------------+------------------+----------+ + +--------------------------------------+
| libssl1.1 | CVE-2021-3711 | HIGH | | | openssl: SM2 Decryption |
| | | | | | Buffer Overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3711 |
+ +------------------+----------+ + +--------------------------------------+
| | CVE-2021-3712 | MEDIUM | | | openssl: Read buffer overruns |
| | | | | | processing ASN.1 strings |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3712 |
+--------------+------------------+----------+-------------------+---------------+--------------------------------------+
K-Phoen commented
You can update to 0.5.8:
➜ trivy kphoen/dark:v0.5.8
2021-09-12T14:24:18.895+0200 INFO Detected OS: alpine
2021-09-12T14:24:18.895+0200 INFO Detecting Alpine vulnerabilities...
2021-09-12T14:24:18.895+0200 INFO Number of language-specific files: 0
kphoen/dark:v0.5.8 (alpine 3.14.2)
==================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
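
The check both comments do by eye, as an added example (not part of the original thread or the dark project): a Python gate that reads a Trivy JSON report, keeps only findings that have a fixed version, and groups them per package. It assumes the report layout of `trivy --format json`; the sample report is constructed from the table in the first comment.

```python
import json

# Constructed sample in the layout of Trivy's `--format json` report, holding
# the four findings from the table in this issue (not real scanner output).
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "kphoen/dark:v0.5.7 (alpine 3.14.1)",
        "Vulnerabilities": [
            {"VulnerabilityID": cve, "PkgName": pkg, "Severity": sev,
             "InstalledVersion": "1.1.1k-r0", "FixedVersion": "1.1.1l-r0"}
            for pkg in ("libcrypto1.1", "libssl1.1")
            for cve, sev in (("CVE-2021-3711", "HIGH"),
                             ("CVE-2021-3712", "MEDIUM"))
        ],
    }],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def fixable_findings(report_text, min_severity="MEDIUM"):
    """Return findings at or above min_severity that have a fixed version."""
    doc = json.loads(report_text)
    # Assumption: older Trivy releases emitted a bare list of results, newer
    # ones wrap the list in an object under "Results". Accept both.
    results = doc if isinstance(doc, list) else doc.get("Results") or []
    floor = SEVERITY_RANK[min_severity]
    found = []
    for result in results:
        # "Vulnerabilities" is absent or null when a target is clean.
        for vuln in result.get("Vulnerabilities") or []:
            rank = SEVERITY_RANK.get(vuln.get("Severity"), 0)
            if vuln.get("FixedVersion") and rank >= floor:
                found.append(vuln)
    return found

def upgrade_plan(findings):
    """Map each package to (installed, fixed, sorted CVE ids) for patching."""
    plan = {}
    for v in findings:
        entry = plan.setdefault(
            v["PkgName"], (v["InstalledVersion"], v["FixedVersion"], set()))
        entry[2].add(v["VulnerabilityID"])
    return {pkg: (inst, fixed, sorted(cves))
            for pkg, (inst, fixed, cves) in plan.items()}

def gate(report_text, min_severity="HIGH"):
    """Exit status for CI: 1 if any fixable finding meets the threshold."""
    return 1 if fixable_findings(report_text, min_severity) else 0
```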