New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security vulnerabilities according to the NATIONAL VULNERABILITY DATABASE (NDV) High, #1721

Open

mardygalimov opened this issue Mar 14, 2024 · 1 comment

Labels

🐋 docker 🔒 security

mardygalimov commented Mar 14, 2024 •

edited

Good afternoon!
Please consider eliminating vulnerabilities in Docker image builds:
yuzutech/kroki:0.24.1 - CVE-2023-2976;
yuzutech/kroki-excalidraw:0.24.1 - CVE-2023-37466 vm2, CVE-2023-37903 vm2, CVE-2022-4055 xdg-utils, CVE-2020-27748 xdg-utils;
yuzutech/kroki-mermaid:0.24.1 - CVE-2023-37466 vm2, CVE-2023-37903 vm2, CVE-2022-4055 xdg-utils, CVE-2020-27748 xdg-utils;
yuzutech/kroki-bpmn:0.24.1 - CVE-2023-37466 vm2, CVE-2023-37903 vm2, CVE-2022-4055 xdg-utils, CVE-2020-27748 xdg-utils;
yuzutech/kroki-blockdiag:0.21.3 - CVE-2023-30861 Flask, CVE-2022-42898 krb5-libs, CVE-2022-1304 libcom_err, CVE-2022-4450 libcrypto1.1, CVE-2023-0215, CVE-2023-0286 libcrypto1.1, CVE-2023-0464 libcrypto1.1, CVE-2022-4450 libssl1.1, CVE-2023-0215 libssl1.1, CVE-2023-0286 libssl1.1, CVE-2023-0464 libssl1.1, CVE-2023-29491 ncurses-libs, CVE-2023-29491 ncurses-terminfo-base

Best regards,
Roman Mardygalimov

Member

ggrossetie commented Mar 14, 2024

You shouldn't use yuzutech/kroki-blockdiag:0.21.3, it's integrated in the base image since https://github.com/yuzutech/kroki/releases/tag/v0.22.0. I believe that most of them are already fixed by: 2f5eb80

ggrossetie added 🐋 docker 🔒 security labels

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment