Whether any images has been fixed for CVE-2023-24998

Question

Whether any images has been fixed for CVE-2023-24998

timmy126 opened this issue 2 years ago · 4 comments

Answer 1 · 2023-02-23T17:38:33.000Z

I'm confused -- which tomcat image includes a version of Apache Commons FileUpload that's vulnerable to CVE-2023-24998?

Answer 2 · 2023-02-23T19:14:52.000Z

Ah, https://www.mail-archive.com/announce@tomcat.apache.org/msg00565.html -- so we've already published the fixed versions:

Users of the affected versions should apply one of the following mitigations:

Upgrade to Apache Tomcat 11.0.0-M3 or later when released

Upgrade to Apache Tomcat 10.1.5 or later

Upgrade to Apache Tomcat 9.0.71 or later

Upgrade to Apache Tomcat 8.5.85 or later

Note 11.0.0-M2 was not released

Answer 3 · 2023-02-24T02:22:07.000Z

Ah, https://www.mail-archive.com/announce@tomcat.apache.org/msg00565.html -- so we've already published the fixed versions:

Users of the affected versions should apply one of the following mitigations:

Upgrade to Apache Tomcat 11.0.0-M3 or later when released

Upgrade to Apache Tomcat 10.1.5 or later

Upgrade to Apache Tomcat 9.0.71 or later

Upgrade to Apache Tomcat 8.5.85 or later

Note 11.0.0-M2 was not released

I'm confused -- which tomcat image includes a version of Apache Commons FileUpload that's vulnerable to CVE-2023-24998?

@tianon My image tomcat original version 9.0.71,today I used snyk scan again,CVE-2023-24998 has fixed. Thanks tianon.

Answer 4 · 2023-02-24T19:54:24.000Z

See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves for more information about security scanners in general.