
[bitnami/mongodb] Reporting vulnerability in mongodb bitnami container with golang libraries #66522

Open
anuragkdi opened this issue May 9, 2024 · 4 comments
Labels: mongodb, stale (15 days without activity), tech-issues (The user has a technical issue about an application), triage (Triage is needed)

Comments


anuragkdi commented May 9, 2024

Name and Version

bitnami/mongodb:7.0.9

What architecture are you using?

None

What steps will reproduce the bug?

Posting it here as I could not report the security vulnerability as an issue due to the policy.

We are running a trivy scan to find vulnerabilities in the mongodb container. Although we see that debian does not show any issues, there are many CVEs reported on many golang libraries, as below. Please suggest how to fix it.

trivy image --format template --template "@contrib/html.tpl" -o report.html bitnami/mongodb:7.0.9 --ignore-unfixed

What is the expected behavior?

$ trivy image bitnami/mongodb:7.0.9 --ignore-unfixed
2024-05-10T00:51:36+05:30       INFO    Need to update DB
2024-05-10T00:51:36+05:30       INFO    Downloading DB...       repository="ghcr.io/aquasecurity/trivy-db:2"
46.02 MiB / 46.02 MiB [----------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 6.60 MiB p/s 7.2s
2024-05-10T00:51:51+05:30       INFO    Vulnerability scanning is enabled
2024-05-10T00:51:51+05:30       INFO    Secret scanning is enabled
2024-05-10T00:51:51+05:30       INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-10T00:51:51+05:30       INFO    Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-10T00:51:54+05:30       INFO    Detected OS     family="debian" version="12.5"
2024-05-10T00:51:54+05:30       INFO    [debian] Detecting vulnerabilities...   os_version="12" pkg_num=117
2024-05-10T00:51:54+05:30       INFO    Number of language-specific files       num=14
2024-05-10T00:51:54+05:30       INFO    [gobinary] Detecting vulnerabilities...
2024-05-10T00:51:54+05:30       WARN    Version matching error  err="version error ((devel)): malformed version: (devel)"
2024-05-10T00:51:54+05:30       INFO    [bitnami] Detecting vulnerabilities...

bitnami/mongodb:7.0.9 (debian 12.5)
===================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

2024-05-10T00:51:54+05:30       INFO    Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

 (gobinary)
===========
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌───────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────┐
│            Library            │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                          │
├───────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤
│ golang.org/x/crypto (mongodb) │ CVE-2023-48795 │ MEDIUM   │ fixed  │ v0.14.0           │ 0.17.0        │ ssh: Prefix truncation attack on Binary Packet Protocol │
│                               │                │          │        │                   │               │ (BPP)                                                   │
│                               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-48795              │
└───────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────┘

opt/bitnami/common/bin/yq (gobinary)
====================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                        │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2023-45288 │ MEDIUM   │ fixed  │ v0.22.0           │ 0.23.0        │ golang: net/http, x/net/http2: unlimited number of │
│                  │                │          │        │                   │               │ CONTINUATION frames causes DoS                     │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-45288         │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────┘

opt/bitnami/mongodb/bin/bsondump (gobinary)
===========================================
Total: 7 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 1, CRITICAL: 0)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2023-48795 │ MEDIUM   │ fixed  │ v0.14.0           │ 0.17.0         │ ssh: Prefix truncation attack on Binary Packet Protocol     │
│                     │                │          │        │                   │                │ (BPP)                                                       │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-48795                  │
├─────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib              │ CVE-2023-45288 │ HIGH     │        │ 1.20.12           │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of          │
│                     │                │          │        │                   │                │ CONTINUATION frames causes DoS                              │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288                  │
│                     ├────────────────┼──────────┤        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                     │ CVE-2023-45289 │ MEDIUM   │        │                   │ 1.21.8, 1.22.1 │ golang: net/http/cookiejar: incorrect forwarding of         │
│                     │                │          │        │                   │                │ sensitive headers and cookies on HTTP redirect...           │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45289                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2023-45290 │          │        │                   │                │ golang: net/http: memory exhaustion in                      │
│                     │                │          │        │                   │                │ Request.ParseMultipartForm                                  │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45290                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-24783 │          │        │                   │                │ golang: crypto/x509: Verify panics on certificates with an  │
│                     │                │          │        │                   │                │ unknown public key algorithm...                             │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24783                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-24784 │          │        │                   │                │ golang: net/mail: comments in display names are incorrectly │
│                     │                │          │        │                   │                │ handled                                                     │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24784                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-24785 │          │        │                   │                │ golang: html/template: errors returned from MarshalJSON     │
│                     │                │          │        │                   │                │ methods may break template escaping                         │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24785                  │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

opt/bitnami/mongodb/bin/mongodump (gobinary)
============================================
Total: 7 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 1, CRITICAL: 0)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2023-48795 │ MEDIUM   │ fixed  │ v0.14.0           │ 0.17.0         │ ssh: Prefix truncation attack on Binary Packet Protocol     │
│                     │                │          │        │                   │                │ (BPP)                                                       │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-48795                  │
├─────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib              │ CVE-2023-45288 │ HIGH     │        │ 1.20.12           │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of          │
│                     │                │          │        │                   │                │ CONTINUATION frames causes DoS                              │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288                  │
│                     ├────────────────┼──────────┤        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                     │ CVE-2023-45289 │ MEDIUM   │        │                   │ 1.21.8, 1.22.1 │ golang: net/http/cookiejar: incorrect forwarding of         │
│                     │                │          │        │                   │                │ sensitive headers and cookies on HTTP redirect...           │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45289                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2023-45290 │          │        │                   │                │ golang: net/http: memory exhaustion in                      │
│                     │                │          │        │                   │                │ Request.ParseMultipartForm                                  │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45290                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-24783 │          │        │                   │                │ golang: crypto/x509: Verify panics on certificates with an  │
│                     │                │          │        │                   │                │ unknown public key algorithm...                             │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24783                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-24784 │          │        │                   │                │ golang: net/mail: comments in display names are incorrectly │
│                     │                │          │        │                   │                │ handled                                                     │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24784                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-24785 │          │        │                   │                │ golang: html/template: errors returned from MarshalJSON     │
│                     │                │          │        │                   │                │ methods may break template escaping                         │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24785                  │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

opt/bitnami/mongodb/bin/mongoexport (gobinary)
==============================================
Total: 7 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 1, CRITICAL: 0)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2023-48795 │ MEDIUM   │ fixed  │ v0.14.0           │ 0.17.0         │ ssh: Prefix truncation attack on Binary Packet Protocol     │
│                     │                │          │        │                   │                │ (BPP)                                                       │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-48795                  │
├─────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib              │ CVE-2023-45288 │ HIGH     │        │ 1.20.12           │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of          │
│                     │                │          │        │                   │                │ CONTINUATION frames causes DoS                              │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288                  │
│                     ├────────────────┼──────────┤        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                     │ CVE-2023-45289 │ MEDIUM   │        │                   │ 1.21.8, 1.22.1 │ golang: net/http/cookiejar: incorrect forwarding of         │
│                     │                │          │        │                   │                │ sensitive headers and cookies on HTTP redirect...           │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45289                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2023-45290 │          │        │                   │                │ golang: net/http: memory exhaustion in                      │
│                     │                │          │        │                   │                │ Request.ParseMultipartForm                                  │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45290                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-24783 │          │        │                   │                │ golang: crypto/x509: Verify panics on certificates with an  │
│                     │                │          │        │                   │                │ unknown public key algorithm...                             │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24783                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-24784 │          │        │                   │                │ golang: net/mail: comments in display names are incorrectly │
│                     │                │          │        │                   │                │ handled                                                     │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24784                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-24785 │          │        │                   │                │ golang: html/template: errors returned from MarshalJSON     │
│                     │                │          │        │                   │                │ methods may break template escaping                         │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24785                  │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

opt/bitnami/mongodb/bin/mongofiles (gobinary)
=============================================
Total: 7 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 1, CRITICAL: 0)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2023-48795 │ MEDIUM   │ fixed  │ v0.14.0           │ 0.17.0         │ ssh: Prefix truncation attack on Binary Packet Protocol     │
│                     │                │          │        │                   │                │ (BPP)                                                       │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-48795                  │
├─────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib              │ CVE-2023-45288 │ HIGH     │        │ 1.20.12           │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of          │
│                     │                │          │        │                   │                │ CONTINUATION frames causes DoS                              │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288                  │
│                     ├────────────────┼──────────┤        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                     │ CVE-2023-45289 │ MEDIUM   │        │                   │ 1.21.8, 1.22.1 │ golang: net/http/cookiejar: incorrect forwarding of         │
│                     │                │          │        │                   │                │ sensitive headers and cookies on HTTP redirect...           │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45289                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2023-45290 │          │        │                   │                │ golang: net/http: memory exhaustion in                      │
│                     │                │          │        │                   │                │ Request.ParseMultipartForm                                  │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45290                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-24783 │          │        │                   │                │ golang: crypto/x509: Verify panics on certificates with an  │
│                     │                │          │        │                   │                │ unknown public key algorithm...                             │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24783                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-24784 │          │        │                   │                │ golang: net/mail: comments in display names are incorrectly │
│                     │                │          │        │                   │                │ handled                                                     │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24784                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-24785 │          │        │                   │                │ golang: html/template: errors returned from MarshalJSON     │
│                     │                │          │        │                   │                │ methods may break template escaping                         │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24785                  │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

opt/bitnami/mongodb/bin/mongoimport (gobinary)
==============================================
Total: 7 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 1, CRITICAL: 0)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2023-48795 │ MEDIUM   │ fixed  │ v0.14.0           │ 0.17.0         │ ssh: Prefix truncation attack on Binary Packet Protocol     │
│                     │                │          │        │                   │                │ (BPP)                                                       │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-48795                  │
├─────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib              │ CVE-2023-45288 │ HIGH     │        │ 1.20.12           │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of          │
│                     │                │          │        │                   │                │ CONTINUATION frames causes DoS                              │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288                  │
│                     ├────────────────┼──────────┤        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                     │ CVE-2023-45289 │ MEDIUM   │        │                   │ 1.21.8, 1.22.1 │ golang: net/http/cookiejar: incorrect forwarding of         │
│                     │                │          │        │                   │                │ sensitive headers and cookies on HTTP redirect...           │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45289                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2023-45290 │          │        │                   │                │ golang: net/http: memory exhaustion in                      │
│                     │                │          │        │                   │                │ Request.ParseMultipartForm                                  │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45290                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-24783 │          │        │                   │                │ golang: crypto/x509: Verify panics on certificates with an  │
│                     │                │          │        │                   │                │ unknown public key algorithm...                             │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24783                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-24784 │          │        │                   │                │ golang: net/mail: comments in display names are incorrectly │
│                     │                │          │        │                   │                │ handled                                                     │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24784                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-24785 │          │        │                   │                │ golang: html/template: errors returned from MarshalJSON     │
│                     │                │          │        │                   │                │ methods may break template escaping                         │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24785                  │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

opt/bitnami/mongodb/bin/mongorestore (gobinary)
===============================================
Total: 7 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 1, CRITICAL: 0)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2023-48795 │ MEDIUM   │ fixed  │ v0.14.0           │ 0.17.0         │ ssh: Prefix truncation attack on Binary Packet Protocol     │
│                     │                │          │        │                   │                │ (BPP)                                                       │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-48795                  │
├─────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib              │ CVE-2023-45288 │ HIGH     │        │ 1.20.12           │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of          │
│                     │                │          │        │                   │                │ CONTINUATION frames causes DoS                              │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288                  │
│                     ├────────────────┼──────────┤        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                     │ CVE-2023-45289 │ MEDIUM   │        │                   │ 1.21.8, 1.22.1 │ golang: net/http/cookiejar: incorrect forwarding of         │
│                     │                │          │        │                   │                │ sensitive headers and cookies on HTTP redirect...           │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45289                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2023-45290 │          │        │                   │                │ golang: net/http: memory exhaustion in                      │
│                     │                │          │        │                   │                │ Request.ParseMultipartForm                                  │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45290                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-24783 │          │        │                   │                │ golang: crypto/x509: Verify panics on certificates with an  │
│                     │                │          │        │                   │                │ unknown public key algorithm...                             │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24783                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-24784 │          │        │                   │                │ golang: net/mail: comments in display names are incorrectly │
│                     │                │          │        │                   │                │ handled                                                     │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24784                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-24785 │          │        │                   │                │ golang: html/template: errors returned from MarshalJSON     │
│                     │                │          │        │                   │                │ methods may break template escaping                         │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24785                  │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

opt/bitnami/mongodb/bin/mongostat (gobinary)
============================================
Total: 7 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 1, CRITICAL: 0)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2023-48795 │ MEDIUM   │ fixed  │ v0.14.0           │ 0.17.0         │ ssh: Prefix truncation attack on Binary Packet Protocol     │
│                     │                │          │        │                   │                │ (BPP)                                                       │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-48795                  │
├─────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib              │ CVE-2023-45288 │ HIGH     │        │ 1.20.12           │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of          │
│                     │                │          │        │                   │                │ CONTINUATION frames causes DoS                              │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288                  │
│                     ├────────────────┼──────────┤        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                     │ CVE-2023-45289 │ MEDIUM   │        │                   │ 1.21.8, 1.22.1 │ golang: net/http/cookiejar: incorrect forwarding of         │
│                     │                │          │        │                   │                │ sensitive headers and cookies on HTTP redirect...           │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45289                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2023-45290 │          │        │                   │                │ golang: net/http: memory exhaustion in                      │
│                     │                │          │        │                   │                │ Request.ParseMultipartForm                                  │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45290                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-24783 │          │        │                   │                │ golang: crypto/x509: Verify panics on certificates with an  │
│                     │                │          │        │                   │                │ unknown public key algorithm...                             │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24783                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-24784 │          │        │                   │                │ golang: net/mail: comments in display names are incorrectly │
│                     │                │          │        │                   │                │ handled                                                     │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24784                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-24785 │          │        │                   │                │ golang: html/template: errors returned from MarshalJSON     │
│                     │                │          │        │                   │                │ methods may break template escaping                         │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24785                  │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

opt/bitnami/mongodb/bin/mongotop (gobinary)
===========================================
Total: 7 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 1, CRITICAL: 0)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2023-48795 │ MEDIUM   │ fixed  │ v0.14.0           │ 0.17.0         │ ssh: Prefix truncation attack on Binary Packet Protocol     │
│                     │                │          │        │                   │                │ (BPP)                                                       │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-48795                  │
├─────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib              │ CVE-2023-45288 │ HIGH     │        │ 1.20.12           │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of          │
│                     │                │          │        │                   │                │ CONTINUATION frames causes DoS                              │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288                  │
│                     ├────────────────┼──────────┤        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                     │ CVE-2023-45289 │ MEDIUM   │        │                   │ 1.21.8, 1.22.1 │ golang: net/http/cookiejar: incorrect forwarding of         │
│                     │                │          │        │                   │                │ sensitive headers and cookies on HTTP redirect...           │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45289                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2023-45290 │          │        │                   │                │ golang: net/http: memory exhaustion in                      │
│                     │                │          │        │                   │                │ Request.ParseMultipartForm                                  │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45290                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-24783 │          │        │                   │                │ golang: crypto/x509: Verify panics on certificates with an  │
│                     │                │          │        │                   │                │ unknown public key algorithm...                             │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24783                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-24784 │          │        │                   │                │ golang: net/mail: comments in display names are incorrectly │
│                     │                │          │        │                   │                │ handled                                                     │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24784                  │
│                     ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-24785 │          │        │                   │                │ golang: html/template: errors returned from MarshalJSON     │
│                     │                │          │        │                   │                │ methods may break template escaping                         │
│                     │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-24785                  │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

What do you see instead?

Same as above.

Additional information

How to remediate the CVEs reported for the golang libraries?

@anuragkdi anuragkdi added the tech-issues The user has a technical issue about an application label May 9, 2024
@github-actions github-actions bot added the triage Triage is needed label May 9, 2024
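Before waiting on an upstream rebuild, it helps to confirm what each binary actually links and whether a given trivy row is already covered by a fix. The Go program below is an added example, not code from this issue, from Bitnami or from MongoDB: it reads the build information Go embeds in module-built binaries (the same data `go version -m` prints) through the standard `debug/buildinfo` package and checks the toolchain version and the `golang.org/x/crypto` version against the Fixed Version column transcribed from the tables above. The `reportedFindings` table, the binary paths and the release-line fix rule are assumptions made for the example; trivy's blank Fixed Version cells are read as repeating the cell above them.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// finding is one trivy row: Module "stdlib" is the Go toolchain itself, Fixed is
// trivy's "Fixed Version" column verbatim (one entry per supported release line).
type finding struct{ CVE, Module, Fixed string }

// Assumed transcription of the tables above; trivy blanks a cell that repeats the
// one above it, so the last four stdlib rows share "1.21.8, 1.22.1".
var reportedFindings = []finding{
	{"CVE-2023-48795", "golang.org/x/crypto", "0.17.0"},
	{"CVE-2023-45288", "stdlib", "1.21.9, 1.22.2"},
	{"CVE-2023-45289", "stdlib", "1.21.8, 1.22.1"},
	{"CVE-2023-45290", "stdlib", "1.21.8, 1.22.1"},
	{"CVE-2024-24783", "stdlib", "1.21.8, 1.22.1"},
	{"CVE-2024-24784", "stdlib", "1.21.8, 1.22.1"},
	{"CVE-2024-24785", "stdlib", "1.21.8, 1.22.1"},
}

// parseVersion turns "go1.20.12", "v0.14.0" or "1.21.9" into [major minor patch].
func parseVersion(s string) (v [3]int, err error) {
	s = strings.TrimPrefix(strings.TrimPrefix(strings.TrimSpace(s), "go"), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 { // drop "-rc1", pseudo-version suffixes, "+incompatible"
		s = s[:i]
	}
	for i, p := range strings.SplitN(s, ".", 3) { // a fourth component makes Atoi fail
		if v[i], err = strconv.Atoi(p); err != nil {
			return v, fmt.Errorf("unexpected version %q: %w", s, err)
		}
	}
	return v, nil
}

// isFixed applies the Go advisory convention to trivy's fixed list: on a listed
// major.minor line the fix is that line's entry; an older line (1.20.x here,
// already end-of-life) never has it; a line newer than any listed is assumed to.
func isFixed(installed, fixedList string) (bool, error) {
	inst, err := parseVersion(installed)
	if err != nil {
		return false, err
	}
	var newest [3]int
	for _, f := range strings.Split(fixedList, ",") {
		fv, err := parseVersion(f)
		if err != nil {
			return false, err
		}
		if fv[0] == inst[0] && fv[1] == inst[1] {
			return inst[2] >= fv[2], nil
		}
		if fv[0] > newest[0] || (fv[0] == newest[0] && fv[1] > newest[1]) {
			newest = fv
		}
	}
	return inst[0] > newest[0] || (inst[0] == newest[0] && inst[1] > newest[1]), nil
}

// triage decides each finding against what the binary actually links (toolchain
// and module versions), skipping modules it does not link; true means already fixed.
func triage(goVersion string, deps map[string]string, findings []finding) (map[string]bool, error) {
	out := map[string]bool{}
	for _, f := range findings {
		installed := deps[f.Module]
		if f.Module == "stdlib" {
			installed = goVersion
		}
		if installed == "" {
			continue
		}
		ok, err := isFixed(installed, f.Fixed)
		if err != nil {
			return nil, err
		}
		out[f.CVE] = ok
	}
	return out, nil
}

func main() {
	for _, path := range os.Args[1:] { // e.g. /opt/bitnami/mongodb/bin/mongorestore
		info, err := buildinfo.ReadFile(path) // the build info `go version -m` prints
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			continue
		}
		deps := make(map[string]string, len(info.Deps))
		for _, d := range info.Deps {
			deps[d.Path] = d.Version
			if d.Replace != nil { // a replace directive is what was really linked
				deps[d.Path] = d.Replace.Version
			}
		}
		res, err := triage(info.GoVersion, deps, reportedFindings)
		fmt.Printf("%s (built with %s): %v %v\n", path, info.GoVersion, res, err)
	}
}
```

Build it with `go build` and run it with the binary paths as arguments, inside the container or against copied binaries. A version match only says whether a patched toolchain or module is linked; whether the vulnerable function is reachable (for example whether the HTTP/2 CONTINUATION finding matters for a tool that never acts as an HTTP/2 server) is what `govulncheck -mode=binary <path>` answers. Either way the fix the report points at is a rebuild of the tools with Go 1.21.9/1.22.2 and x/crypto 0.17.0, not a package update inside the image.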
@carrodher
Member

I understand your concern regarding security vulnerabilities. While we regularly update our images with the latest system packages, certain CVEs may persist until they are patched in either the OS or the application. In this case, the affected binaries are part of the MongoDB distribution. You can learn more about our CVE policy here.

If you have any further questions, feel free to ask.

@anuragkdi
Author

Yes, but the CVEs which I have listed are not open CVEs. It seems they have been fixed in later versions; for example, golang.org/x/crypto has been fixed in 0.17.0.

So my question is: can you guys update the golang libraries listed to the fixed versions for the mongodb container?

@javsalgar javsalgar changed the title Reporting vulnerability in mongodb bitnami container with golang libraries [bitnami/mongodb] Reporting vulnerability in mongodb bitnami container with golang libraries May 10, 2024
@carrodher
Member

carrodher commented May 10, 2024

Unfortunately, we don't apply patches on top of the upstream software; in this case it is necessary to wait until the MongoDB developers cut a new release of MongoDB (or rather of MongoDB Database Tools, which is the source of those binaries).
Once there is a new release upstream, our automated test & release pipeline will detect it and the new version will be available in the Bitnami catalog, but until then there is nothing else we can do on our side.

In the same way, MongoDB is one of the few applications we do not compile from source due to license requirements.

If you have any questions about the application itself, we highly recommend that you refer to the forums and user guides provided by the project responsible for the application, so they can explain what the release process is for this specific application.


This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

@github-actions github-actions bot added the stale 15 days without activity label May 29, 2024

3 participants