Addressing a lot of security vulnerabilities in the temporalio/ui:2.34.0
Actual Behavior
There are a lot of CVEs found from the latest Temporal image: temporalio/ui:2.34.0
Steps to Reproduce the Problem
1. Pull the latest image temporalio/ui:2.34.0 from Dockerhub
2. Scan the image with any vulnerability scanner
Scan results for: image temporalio/ui:2.34.0 sha256:2ad33cb2765be54182c01f66ee4f634265a6daccfa99fbd78c3ae5a3628cc377
Vulnerabilities
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS | PUBLISHED | DISCOVERED | DESCRIPTION |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-24790 | critical | 9.80 | net/netip | 1.22.1 | fixed in 1.21.11, 1.22.4 | > 7 months | < 1 hour | The various Is methods (IsPrivate, IsLoopback, |
| | | | | | > 7 months ago | | | etc) did not work as expected for IPv4-mapped IPv6 |
| | | | | | | | | addresses, returning false for addresses which |
| | | | | | | | | would... |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-6197 | high | 7.50 | curl | 8.5.0-r0 | fixed in 8.9.0-r0 | > 5 months | < 1 hour | libcurl's ASN1 parser has this utf8asn1str() |
| | | | | | > 5 months ago | | | function used for parsing an ASN.1 UTF-8 string. |
| | | | | | | | | Itcan detect an invalid field and return error. |
| | | | | | | | | Unfortu... |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-9681 | medium | 6.50 | curl | 8.5.0-r0 | fixed in 8.11.0-r0 | 71 days | < 1 hour | When curl is asked to use HSTS, the expiry time |
| | | | | | 9 days ago | | | for a subdomain might overwrite a parent domain's |
| | | | | | | | | cache entry, making it end sooner or later than |
| | | | | | | | | oth... |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-7264 | medium | 6.50 | curl | 8.5.0-r0 | fixed in 8.9.1-r0 | > 5 months | < 1 hour | libcurl's ASN1 parser code has the `GTime2str()` |
| | | | | | 9 days ago | | | function, used for parsing an ASN.1 Generalized |
| | | | | | | | | Time field. If given an syntactically incorrect |
| | | | | | | | | fiel... |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2023-6992 | medium | 5.50 | zlib | 1.3.1-r0 | | > 1 years | < 1 hour | Cloudflare version of zlib library was found |
| | | | | | | | | to be vulnerable to memory corruption issues |
| | | | | | | | | affecting the deflation algorithm implementation |
| | | | | | | | | (deflate.c)... |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2023-42366 | medium | 5.50 | busybox | 1.36.1-r15 | fixed in 1.36.1-r16 | > 1 years | < 1 hour | A heap-buffer-overflow was discovered in BusyBox |
| | | | | | > 8 months ago | | | v.1.36.1 in the next_token function at awk.c:1159. |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2023-42365 | medium | 5.50 | busybox | 1.36.1-r15 | fixed in 1.36.1-r19 | > 1 years | < 1 hour | A use-after-free vulnerability was discovered in |
| | | | | | > 8 months ago | | | BusyBox v.1.36.1 via a crafted awk pattern in the |
| | | | | | | | | awk.c copyvar function. |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2023-42364 | medium | 5.50 | busybox | 1.36.1-r15 | fixed in 1.36.1-r19 | > 1 years | < 1 hour | A use-after-free vulnerability in BusyBox v.1.36.1 |
| | | | | | > 8 months ago | | | allows attackers to cause a denial of service |
| | | | | | | | | via a crafted awk pattern in the awk.c evaluate |
| | | | | | | | | funct... |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2023-42363 | medium | 5.50 | busybox | 1.36.1-r15 | fixed in 1.36.1-r17 | > 1 years | < 1 hour | A use-after-free vulnerability was discovered |
| | | | | | > 8 months ago | | | in xasprintf function in xfuncs_printf.c:344 in |
| | | | | | | | | BusyBox v.1.36.1. |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-0853 | medium | 5.30 | curl | 8.5.0-r0 | fixed in 8.6.0-r0 | > 11 months | < 1 hour | curl inadvertently kept the SSL session ID for |
| | | | | | > 5 months ago | | | connections in its cache even when the verify |
| | | | | | | | | status (*OCSP stapling*) test failed. A subsequent |
| | | | | | | | | transf... |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-6874 | medium | 4.30 | curl | 8.5.0-r0 | fixed in 8.9.0-r0 | > 5 months | < 1 hour | libcurl's URL API function |
| | | | | | > 5 months ago | | | [curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) |
| | | | | | | | | offers punycode conversions, to and from IDN. Asking to |
| | | | | | | | | conv... |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2023-45288 | medium | 0.00 | net/http | 1.22.1 | fixed in 1.21.9, 1.22.2 | > 9 months | < 1 hour | An attacker may cause an HTTP/2 endpoint to |
| | | | | | > 9 months ago | | | read arbitrary amounts of header data by sending |
| | | | | | | | | an excessive number of CONTINUATION frames. |
| | | | | | | | | Maintaining H... |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-9143 | low | 0.00 | openssl | 3.1.4-r5 | fixed in 3.1.7-r1 | > 3 months | < 1 hour | Issue summary: Use of the low-level GF(2^m) |
| | | | | | 88 days ago | | | elliptic curve APIs with untrusted explicit values |
| | | | | | | | | for the field polynomial can lead to out-of-bounds |
| | | | | | | | | memo... |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-8096 | low | 0.00 | curl | 8.5.0-r0 | fixed in 8.10.0-r0 | > 4 months | < 1 hour | When curl is told to use the Certificate Status |
| | | | | | 9 days ago | | | Request TLS extension, often referred to as OCSP |
| | | | | | | | | stapling, to verify that the server certificate is |
| | | | | | | | | va... |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-6119 | low | 0.00 | openssl | 3.1.4-r5 | fixed in 3.1.7-r0 | > 4 months | < 1 hour | Issue summary: Applications performing certificate |
| | | | | | > 4 months ago | | | name checks (e.g., TLS clients checking server |
| | | | | | | | | certificates) may attempt to read an invalid |
| | | | | | | | | memory ... |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-5535 | low | 0.00 | openssl | 3.1.4-r5 | fixed in 3.1.6-r0 | > 6 months | < 1 hour | Issue summary: Calling the OpenSSL API function |
| | | | | | > 6 months ago | | | SSL_select_next_proto with an empty supported |
| | | | | | | | | client protocols buffer may cause a crash or |
| | | | | | | | | memory cont... |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-4741 | low | 0.00 | openssl | 3.1.4-r5 | fixed in 3.1.6-r0 | 64 days | < 1 hour | Issue summary: Calling the OpenSSL API function |
| | | | | | > 6 months ago | | | SSL_free_buffers may cause memory to be accessed |
| | | | | | | | | that was previously freed in some situations |
| | | | | | | | | Impact ... |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-4603 | low | 0.00 | openssl | 3.1.4-r5 | fixed in 3.1.5-r0 | > 8 months | < 1 hour | Issue summary: Checking excessively long DSA |
| | | | | | > 8 months ago | | | keys or parameters may be very slow. Impact |
| | | | | | | | | summary: Applications that use the functions |
| | | | | | | | | EVP_PKEY_param_... |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-25629 | low | 0.00 | c-ares | 1.24.0-r1 | fixed in 1.27.0-r0 | > 10 months | < 1 hour | c-ares is a C library for asynchronous DNS |
| | | | | | > 9 months ago | | | requests. `ares__read_line()` is used to |
| | | | | | | | | parse local configuration files such as |
| | | | | | | | | `/etc/resolv.conf`, `/etc/... |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-2511 | low | 0.00 | openssl | 3.1.4-r5 | fixed in 3.1.4-r6 | > 9 months | < 1 hour | Issue summary: Some non-default TLS server |
| | | | | | > 9 months ago | | | configurations can cause unbounded memory growth |
| | | | | | | | | when processing TLSv1.3 sessions Impact summary: |
| | | | | | | | | An attac... |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-2466 | low | 0.00 | curl | 8.5.0-r0 | fixed in 8.7.1-r0 | > 9 months | < 1 hour | libcurl did not check the server certificate of |
| | | | | | > 5 months ago | | | TLS connections done to a host specified as an IP |
| | | | | | | | | address, when built to use mbedTLS. libcurl would |
| | | | | | | | | w... |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-2398 | low | 0.00 | curl | 8.5.0-r0 | fixed in 8.7.1-r0 | > 9 months | < 1 hour | When an application tells libcurl it wants to |
| | | | | | > 5 months ago | | | allow HTTP/2 server push, and the amount of |
| | | | | | | | | received headers for the push surpasses the |
| | | | | | | | | maximum allowed ... |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-2379 | low | 0.00 | curl | 8.5.0-r0 | fixed in 8.7.1-r0 | > 9 months | < 1 hour | libcurl skips the certificate verification for |
| | | | | | > 5 months ago | | | a QUIC connection under certain conditions, |
| | | | | | | | | when built to use wolfSSL. If told to use an |
| | | | | | | | | unknown/bad ci... |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-2004 | low | 0.00 | curl | 8.5.0-r0 | fixed in 8.7.1-r0 | > 9 months | < 1 hour | When a protocol selection parameter option |
| | | | | | > 5 months ago | | | disables all protocols without adding any then |
| | | | | | | | | the default set of protocols would remain in the |
| | | | | | | | | allowed set... |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-11053 | low | 0.00 | curl | 8.5.0-r0 | fixed in 8.11.1-r0 | 36 days | < 1 hour | When asked to both use a `.netrc` file for |
| | | | | | 9 days ago | | | credentials and to follow HTTP redirects, curl |
| | | | | | | | | could leak the password used for the first host to |
| | | | | | | | | the follo... |
+----------------+----------+------+-----------+------------+--------------------------+-------------+------------+---------------------------------------------------------------+
Vulnerabilities found for image temporalio/ui:2.34.0: total - 25, critical - 1, high - 1, medium - 10, low - 13
Vulnerability threshold check results: PASS
Compliance Issues
+----------+------------------------------------------------------------------------+
| SEVERITY | DESCRIPTION |
+----------+------------------------------------------------------------------------+
| high | (CIS_Docker_v1.5.0 - 4.1) Image should be created with a non-root user |
+----------+------------------------------------------------------------------------+
Compliance found for image temporalio/ui:2.34.0: total - 1, critical - 0, high - 1, medium - 0, low - 0
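The scan above reports "Vulnerability threshold check results: PASS" even though it lists a critical finding (CVE-2024-24790) and a high one (CVE-2024-6197) that both have upstream fixes. As an added example, not part of this issue or of the temporalio/ui project, the Python below parses the scanner's table format as printed in the report and applies a stricter gate than the scanner's own check: the image fails when any finding at or above a chosen severity has a fix available. The sample rows are copied from the table; the gate policy, the severity ranking and the function names are assumptions.

```python
"""Parse a scanner vulnerability table and apply a fix-available severity gate.

Assumptions (not from the issue): the gate policy, the severity ranking and
the helper names below are this example's own. The sample is a constructed
subset of the scan output, trimmed to the first six columns; the parser reads
only those columns, so it works on the full nine-column table as well.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: rows copied from the report above, including the header,
# separators and the wrapped continuation rows that the scanner prints.
SAMPLE_REPORT = """\
+----------------+----------+------+-----------+------------+--------------------------+
| CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS |
+----------------+----------+------+-----------+------------+--------------------------+
| CVE-2024-24790 | critical | 9.80 | net/netip | 1.22.1 | fixed in 1.21.11, 1.22.4 |
| | | | | | > 7 months ago |
| CVE-2024-6197 | high | 7.50 | curl | 8.5.0-r0 | fixed in 8.9.0-r0 |
| | | | | | > 5 months ago |
| CVE-2023-6992 | medium | 5.50 | zlib | 1.3.1-r0 | |
| CVE-2024-9143 | low | 0.00 | openssl | 3.1.4-r5 | fixed in 3.1.7-r1 |
+----------------+----------+------+-----------+------------+--------------------------+
"""

# Assumed ranking used by the gate; the scanner itself only prints the labels.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    cve: str
    severity: str
    cvss: float
    package: str
    version: str
    fixed_in: tuple[str, ...]  # empty when the STATUS cell reports no fix


def parse_findings(report: str) -> list[Finding]:
    """Return one Finding per table row whose first cell is a CVE id.

    Header, separator and wrapped continuation rows (first cell empty) are
    skipped, so the multi-line DESCRIPTION column does not confuse the parser.
    """
    findings: list[Finding] = []
    for line in report.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 6 or not re.fullmatch(r"CVE-\d{4}-\d{4,}", cells[0]):
            continue
        cve, severity, cvss, package, version, status = cells[:6]
        m = re.match(r"fixed in (.+)", status)
        fixed = tuple(v.strip() for v in m.group(1).split(",")) if m else ()
        findings.append(Finding(cve, severity.lower(), float(cvss), package, version, fixed))
    return findings


def severity_counts(findings: list[Finding]) -> Counter[str]:
    return Counter(f.severity for f in findings)


def gate(findings: list[Finding], fail_at: str = "high", require_fix: bool = True) -> list[Finding]:
    """Return the findings that block the image.

    A finding blocks when its severity is at or above `fail_at` and, if
    `require_fix` is set, only when the scanner reports a fixed version, i.e.
    the rebuild could actually remove it.
    """
    threshold = SEVERITY_RANK[fail_at]
    return [
        f for f in findings
        if SEVERITY_RANK[f.severity] >= threshold and (f.fixed_in or not require_fix)
    ]


def summary(report: str, fail_at: str = "high") -> dict:
    """Reproduce the scanner's totals line and add this example's stricter verdict."""
    findings = parse_findings(report)
    counts = severity_counts(findings)
    blocking = gate(findings, fail_at=fail_at)
    return {
        "total": len(findings),
        **{sev: counts.get(sev, 0) for sev in SEVERITY_RANK},
        "result": "FAIL" if blocking else "PASS",
        "blocking": [f.cve for f in blocking],
    }


if __name__ == "__main__":
    print(summary(SAMPLE_REPORT))
```

Run against the sample, the verdict is FAIL with CVE-2024-24790 and CVE-2024-6197 listed as blocking; the medium zlib finding is not, because the scanner shows no fixed version for it. The `require_fix` flag is what keeps such a gate actionable in CI: it fails the build only for findings that rebuilding on the patched packages (here, Go 1.22.4 and the newer Alpine curl) would actually remove.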