Software packages with vulnerabilities in the Docker container
yochaubs opened this issue · 5 comments
During the course of our security check, we found that the Docker container contains multiple software packages with known vulnerabilities.
The CVSS score is 9.8, which is critical.
Expected Behavior
The postgresql dependency should be bumped to the latest version, 42.7.3, which has no serious known vulnerability.
Current Behavior
By exploiting these vulnerabilities, a potential attacker could gain control over the affected components. To determine the rating according to CVSS, the most serious known vulnerability (CVE-2024-1597) was used.
org.postgresql/postgresql 42.7.1 CVE-2024-1597
Context
Steps to Reproduce (for bugs)
Your Environment
Gradle version : 8.7
Can you specify which Docker container image you are referring to here?
Hey, that dependency was coming from the Gradle dependencies: org.postgresql/postgresql 42.7.1 CVE-2024-1597
Sorry, I am still confused. The Postgresql dependency is likely a dependency you are adding to your own project, either as a direct or a transitive dependency.
The screenshot you are pointing me to here uses a different base image than the one configured by the plugin by default. Also, any files you copy into the container image you are building with the plugin are your responsibility.
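The fix the reporter asks for in "Expected Behavior" (bump org.postgresql:postgresql from 42.7.1 to 42.7.3) and the maintainer's point that the driver enters the image via the reporter's own direct or transitive Gradle dependencies can be handled entirely in the project's build script. The following is an added example, not code from this issue or from the plugin; it assumes a `build.gradle.kts` using the `java` plugin, that `runtimeClasspath` is the configuration whose artifacts are copied into the image, and a hypothetical task name `checkPostgresDriver`.

```kotlin
// build.gradle.kts (added example; assumptions: java plugin, Kotlin DSL,
// runtimeClasspath is what gets copied into the container image)
//
// Step 1: find out who pulls the driver in. Run from the project root:
//   ./gradlew dependencyInsight --dependency org.postgresql:postgresql --configuration runtimeClasspath
// The report names the declaring dependency, or shows the driver is declared directly.

plugins {
    java
}

repositories {
    mavenCentral()
}

dependencies {
    // Step 2a: if the driver is a direct dependency, bump it here.
    implementation("org.postgresql:postgresql:42.7.3")

    // Step 2b: if the driver only arrives transitively, a constraint raises
    // whatever version the transitive graph asks for to at least 42.7.3
    // without adding the driver as a direct dependency of this project.
    constraints {
        implementation("org.postgresql:postgresql:42.7.3") {
            because("CVE-2024-1597 in 42.7.1; 42.7.3 is the requested fixed version")
        }
    }
}

// Step 3: verify after resolution that the vulnerable version is gone, so the
// build (and therefore the image build) fails instead of silently shipping it.
// Task name is hypothetical.
val checkPostgresDriver by tasks.registering {
    doLast {
        val resolved = configurations.runtimeClasspath.get()
            .resolvedConfiguration.resolvedArtifacts
            .map { it.moduleVersion.id }
            .firstOrNull { it.group == "org.postgresql" && it.name == "postgresql" }
        require(resolved == null || resolved.version != "42.7.1") {
            "org.postgresql:postgresql resolved to ${resolved?.version}, which carries CVE-2024-1597"
        }
    }
}

tasks.named("build") {
    dependsOn(checkPostgresDriver)
}
```

The constraint is preferable to `resolutionStrategy.force` because it participates in normal conflict resolution (a later transitive request for 42.7.4 would still win), whereas a forced version would pin the driver and hide future upgrades. The verification task checks the resolved `runtimeClasspath`, which is the configuration that matters for what lands in the image, not the declared version in the build script.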
ok, thanks!