v5.7.1 of Bloodhound container image reporting high severity vulnerabilities
Closed this issue · 0 comments
IanT111 commented
Description:
When performing a Snyk IaC scan against the container image, we are receiving 5 high severity issues in v5.7.1.
Component(s) Affected:
- UI
- API
- Neo4j
- PostgreSQL
- Data Collector (SharpHound, AzureHound)
- Other (tooling, documentation, etc.)
Steps to Reproduce:
- Run a Snyk scan on the container image:
snyk container test specterops/bloodhound:5.7.1 --severity-threshold=high
Expected Behavior:
No high or critical vulnerabilities found
Actual Behavior:
5 High severity vulnerabilities found
Screenshots/Code Snippets/Sample Files:
Testing specterops/bloodhound:5.7.1...
Organization: XXX
Package manager: deb
Project name: docker-image|specterops/bloodhound
Docker image: specterops/bloodhound:5.7.1
Platform: linux/amd64
Licenses: enabled
✔ Tested 3 dependencies for known issues, no vulnerable paths found.
-------------------------------------------------------
Testing specterops/bloodhound:5.7.1...
✗ High severity vulnerability found in github.com/jackc/pgx/v5/pgproto3
Description: SQL Injection
Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMJACKCPGXV5PGPROTO3-6371510
Introduced through: github.com/jackc/pgx/v5/pgproto3@v5.5.1
From: github.com/jackc/pgx/v5/pgproto3@v5.5.1
Fixed in: 5.5.4
✗ High severity vulnerability found in github.com/jackc/pgx/v5/pgconn
Description: SQL Injection
Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMJACKCPGXV5PGCONN-6371509
Introduced through: github.com/jackc/pgx/v5/pgconn@v5.5.1
From: github.com/jackc/pgx/v5/pgconn@v5.5.1
Fixed in: 5.5.4
✗ High severity vulnerability found in github.com/jackc/pgx/v5/internal/sanitize
Description: SQL Injection
Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMJACKCPGXV5INTERNALSANITIZE-6371505
Introduced through: github.com/jackc/pgx/v5/internal/sanitize@v5.5.1
From: github.com/jackc/pgx/v5/internal/sanitize@v5.5.1
Fixed in: 5.5.4
✗ High severity vulnerability found in github.com/jackc/pgproto3/v2
Description: SQL Injection
Info: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMJACKCPGPROTO3V2-6371508
Introduced through: github.com/jackc/pgproto3/v2@v2.3.2
From: github.com/jackc/pgproto3/v2@v2.3.2
Fixed in: 2.3.3
✗ High severity issue found in github.com/bloodhoundad/azurehound/v2/models/azure
Description: GPL-3.0 license
Info: https://snyk.io/vuln/snyk:lic:golang:github.com:bloodhoundad:azurehound:GPL-3.0
Introduced through: github.com/bloodhoundad/azurehound/v2/models/azure@v2.0.1
From: github.com/bloodhoundad/azurehound/v2/models/azure@v2.0.1
Environment Information:
BloodHound: v5.7.1
Collector: N/A
OS: N/A
Browser (if UI related): N/A
Node.js (if UI related): N/A
Go (if API related): N/A
Database (if persistence related): N/A
Docker (if using Docker): N/A
Additional Information:
N/A
Potential Solution (Optional):
N/A
Related Issues:
N/A
Contributor Checklist:
- I have searched the issue tracker to ensure this bug hasn't been reported before or is not already being addressed.
- I have provided clear steps to reproduce the issue.
- I have included relevant environment information details.
- I have attached necessary supporting documents.
- I have checked that any JSON files I am attempting to upload to BloodHound are valid.
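A practical follow-up to the report above is to confirm which versions of the flagged Go modules are actually compiled into the image's binaries, since Snyk reads the same embedded build info that `go version -m` prints. The script below is an added example, not code from the BloodHound project or from the issue author: it takes `go version -m` output on stdin and flags any dependency whose version is below the "Fixed in" version from the Snyk report (pgx v5.5.4, pgproto3/v2 v2.3.3). The Snyk output lists packages such as `pgx/v5/pgconn` and `pgx/v5/internal/sanitize` separately, but they all belong to the single module `github.com/jackc/pgx/v5`, so the check is keyed on modules. The binary name `bhapi`, the `path` line and the hash columns in the sample are constructed placeholders, not taken from the image.

```shell
#!/bin/sh
# Added example (not BloodHound project code). To run it against the real
# image, extract the Go binary and feed its build info in:
#   cid=$(docker create specterops/bloodhound:5.7.1)
#   docker cp "$cid":/path/to/binary ./bhapi     # path is deployment specific
#   docker rm "$cid"
#   go version -m ./bhapi | vuln_deps

# Fixed versions per affected module, taken from the Snyk report above.
FIXED_VERSIONS='github.com/jackc/pgx/v5 v5.5.4
github.com/jackc/pgproto3/v2 v2.3.3'

# vuln_deps: read `go version -m` output on stdin and print
# "<module> <found> <fixed>" for every dep below its fixed version.
# Versions are compared numerically component by component (so v5.10.0 is
# newer than v5.5.4); pre-release or pseudo-version suffixes are ignored.
vuln_deps() {
  awk -v fixed="$FIXED_VERSIONS" '
    function vercmp(a, b,   i, pa, pb, x, y) {
      sub(/^v/, "", a); sub(/^v/, "", b)
      split(a, pa, "."); split(b, pb, ".")
      for (i = 1; i <= 3; i++) {
        x = pa[i] + 0; y = pb[i] + 0
        if (x < y) return -1
        if (x > y) return 1
      }
      return 0
    }
    BEGIN {
      n = split(fixed, lines, "\n")
      for (i = 1; i <= n; i++) { split(lines[i], kv, " "); want[kv[1]] = kv[2] }
    }
    # "dep" lines look like: <tab>dep<tab>module<tab>version<tab>hash
    $1 == "dep" && ($2 in want) && vercmp($3, want[$2]) < 0 {
      print $2, $3, want[$2]
    }
  '
}

# Constructed sample in `go version -m` format; the module versions match the
# Snyk report above, everything else is placeholder data.
SAMPLE_BUILDINFO=$(
  printf 'bhapi: go1.21.5\n'
  printf '\tpath\tgithub.com/specterops/bloodhound/cmd/api/src\n'
  printf '\tdep\tgithub.com/jackc/pgx/v5\tv5.5.1\th1:placeholderhash=\n'
  printf '\tdep\tgithub.com/jackc/pgproto3/v2\tv2.3.2\th1:placeholderhash=\n'
  printf '\tdep\tgithub.com/jackc/puddle/v2\tv2.2.1\th1:placeholderhash=\n'
)

# check_sample: run the check over the constructed sample.
check_sample() {
  printf '%s\n' "$SAMPLE_BUILDINFO" | vuln_deps
}

check_sample
```

On the sample this prints two lines, one for pgx/v5 (v5.5.1, fixed v5.5.4) and one for pgproto3/v2 (v2.3.2, fixed v2.3.3); an image whose binary embeds v5.5.4 or later produces no output. Extend `FIXED_VERSIONS` with further "module version" lines as new advisories appear.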