Whether any images have been fixed for CVE-2023-24998
timmy126 opened this issue · 4 comments
I'm confused -- which tomcat image includes a version of Apache Commons FileUpload that's vulnerable to CVE-2023-24998?
Ah, https://www.mail-archive.com/announce@tomcat.apache.org/msg00565.html -- so we've already published the fixed versions:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.0-M3 or later when released
- Upgrade to Apache Tomcat 10.1.5 or later
- Upgrade to Apache Tomcat 9.0.71 or later
- Upgrade to Apache Tomcat 8.5.85 or later
- Note 11.0.0-M2 was not released
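As an added example (not code from this thread or from the docker-library project), here is a small check that encodes the fixed versions quoted above so you can triage the tomcat image tags you actually run; the image tags fed to it are constructed:

```python
import re
from typing import Dict, Optional, Tuple

# Minimum fixed Apache Tomcat version per release line for CVE-2023-24998,
# taken from the announcement quoted above. Lines not listed (e.g. EOL 7.0.x)
# are not covered by the announcement, so the check reports "unknown" for them.
FIXED_VERSIONS: Dict[Tuple[int, int], str] = {
    (8, 5): "8.5.85",
    (9, 0): "9.0.71",
    (10, 1): "10.1.5",
    (11, 0): "11.0.0-M3",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
_TAG_VERSION_RE = re.compile(r"(\d+\.\d+\.\d+(?:-M\d+)?)")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn 'MAJOR.MINOR.PATCH[-Mn]' into a sortable tuple.

    Milestone builds such as 11.0.0-M3 must sort before the final 11.0.0, so
    the fourth element is the milestone number, or a large sentinel otherwise.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone is not None else 10**6)


def is_fixed(version: str) -> Optional[bool]:
    """True if at/above the fix for its release line, False if older on an
    affected line, None if the line is not covered by the announcement."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    return None if fixed is None else parsed >= parse_version(fixed)


def version_from_tag(image_tag: str) -> Optional[str]:
    """Extract the Tomcat version from a tag like 'tomcat:9.0.71-jdk17';
    returns None for tags such as 'tomcat:9.0-jdk11' that pin no patch level."""
    m = _TAG_VERSION_RE.search(image_tag.split(":", 1)[-1])
    return m.group(1) if m else None


def triage(image_tags) -> Dict[str, Optional[bool]]:
    """Map each (constructed) image tag to its CVE-2023-24998 fix status."""
    return {t: (is_fixed(v) if (v := version_from_tag(t)) else None) for t in image_tags}
```

A result of None means the tag does not pin a patch version (or is on a line the announcement does not list), so inspect the running image rather than trusting the tag.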
@tianon My image tomcat original version 9.0.71, today I used snyk scan again, CVE-2023-24998 has been fixed. Thanks tianon.
See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves for more information about security scanners in general.