nats-io/k8s

Critical Vulnerabilities detected for busybox, openssl, nats-server, and more

pavanpoladi opened this issue · 0 comments

What version were you using?

busybox: 1.36.1-r0
openssl: 1.36.1-r0
nats-server: 2.9.19
nkeys: 0.4.4
protobuf: 1.30.0

What environment was the server running in?

nats: 2.10.11-alpine
natsio/nats-server-config-reloader: 0.11.0
natsio/prometheus-nats-exporter: 0.12.0

Is this defect reproducible?

Yes, it was found in multiple security scans over time.

Given the capability you are leveraging, describe your expectation?

Will updating the Docker images below update busybox, openssl, nats-server, and protobuf to the latest versions that don't contain the vulnerabilities shown in the next section?

nats: update to 2.10.14-alpine
natsio/nats-server-config-reloader: update to 0.11.0
natsio/prometheus-nats-exporter: update to 0.14.2

Given the expectation, what is the defect you are observing?

Critical:
CVE-2022-48174

High:
CVE-47090
CVE-2023-5363
CVE-2023-6237
CVE-2024-2511
CVE-2023-46129
CVE-2024-24786