CVE-2019-19814 found in continuumio/miniconda3:latest
casper-gh opened this issue · 2 comments
casper-gh commented
AWS ECR scanning indicates that continuumio/miniconda3:latest is vulnerable to CVE-2019-19814.
Any ideas how to resolve this?
dbast commented
Can you recheck again? A new version 4.10.3p1 with latest pointing to it was published yesterday. Thanks.
dbast commented
CVE-2019-19814 is something kernel related, which is not part of the container. The container also got updated and the trivy results show that all available fixed versions are installed, see e.g.
./trivy image --severity CRITICAL continuumio/miniconda3:latest
or ./trivy image --severity CRITICAL continuumio/miniconda3:4.10.3p1
2022-01-07T11:37:44.498+0100 INFO Detected OS: debian
2022-01-07T11:37:44.498+0100 INFO Detecting Debian vulnerabilities...
2022-01-07T11:37:44.515+0100 INFO Number of language-specific files: 1
2022-01-07T11:37:44.515+0100 INFO Detecting python-pkg vulnerabilities...
continuumio/miniconda3:latest (debian 11.2)
===========================================
Total: 7 (CRITICAL: 7)
+----------------------+------------------+----------+--------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+----------------------+------------------+----------+--------------------+---------------+---------------------------------------+
| libc-bin | CVE-2021-33574 | CRITICAL | 2.31-13+deb11u2 | | glibc: mq_notify does |
| | | | | | not handle separately |
| | | | | | allocated thread attributes |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-33574 |
+----------------------+ + + +---------------+ +
| libc6 | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
+----------------------+------------------+ +--------------------+---------------+---------------------------------------+
| libcurl3-gnutls | CVE-2021-22945 | | 7.74.0-1.3+deb11u1 | | curl: use-after-free and |
| | | | | | double-free in MQTT sending |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-22945 |
+----------------------+------------------+ +--------------------+---------------+---------------------------------------+
| libpython3.9-minimal | CVE-2021-29921 | | 3.9.2-1 | | python-ipaddress: Improper input |
| | | | | | validation of octal strings |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-29921 |
+----------------------+ + + +---------------+ +
| libpython3.9-stdlib | | | | | |
| | | | | | |
| | | | | | |
+----------------------+ + + +---------------+ +
| python3.9 | | | | | |
| | | | | | |
| | | | | | |
+----------------------+ + + +---------------+ +
| python3.9-minimal | | | | | |
| | | | | | |
| | | | | | |
+----------------------+------------------+----------+--------------------+---------------+---------------------------------------+
Python (python-pkg)
===================
Total: 0 (CRITICAL: 0)
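One way to check the "all available fixed versions are installed" reading of a table like the one above is to expand its merged cells and list only the rows that have a FIXED VERSION. This is an added example, not part of the thread and not Trivy's own code; the function names are hypothetical, and the sample table is constructed from the layout above plus one made-up row (example-pkg, CVE-0000-00000).

```python
COLS = ("library", "vuln_id", "severity", "installed", "fixed")

def parse_trivy_table(text):
    """Expand the ASCII table into one dict per (library, CVE) row."""
    findings, merged, first = [], [False] * 6, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("+"):
            # A blank border segment means the cell below continues the one above.
            merged = [not seg.strip() for seg in line.split("+")[1:-1]]
            first = True
        elif line.startswith("|") and first:
            # Only the first row after a border starts a finding; later rows
            # are wrapped TITLE text and are skipped.
            cells = [c.strip() for c in line.split("|")[1:-1]]
            first = False
            if len(cells) != 6 or cells[0] == "LIBRARY":
                continue
            prev = findings[-1] if findings else dict.fromkeys(COLS, "")
            findings.append({k: prev[k] if m else v
                             for k, v, m in zip(COLS, cells, merged)})
    return findings

def fixable(findings):
    """Findings for which a fixed package version is already published."""
    return [f for f in findings if f["fixed"]]

# Constructed sample: three rows in the layout shown above, plus one
# made-up row (example-pkg) that does have a fixed version.
SAMPLE = """\
+-----------------+------------------+----------+--------------------+---------------+-------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+-----------------+------------------+----------+--------------------+---------------+-------+
| libc-bin | CVE-2021-33574 | CRITICAL | 2.31-13+deb11u2 | | glibc: mq_notify does |
| | | | | | not handle separately |
+-----------------+ + + +---------------+ +
| libc6 | | | | | |
+-----------------+------------------+ +--------------------+---------------+-------+
| libcurl3-gnutls | CVE-2021-22945 | | 7.74.0-1.3+deb11u1 | | curl: use-after-free |
+-----------------+------------------+ +--------------------+---------------+-------+
| example-pkg | CVE-0000-00000 | | 1.0-1 | 1.0-2 | constructed row |
+-----------------+------------------+----------+--------------------+---------------+-------+
"""

if __name__ == "__main__":
    for f in fixable(parse_trivy_table(SAMPLE)):
        print(f["library"], f["vuln_id"], f["installed"], "->", f["fixed"])
```

An empty result from fixable() means every reported finding is still unfixed upstream, so rebuilding or upgrading the image would not clear it.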