Addressing a lot of security vulnerabilities in the temporalio/ui:2.36.0
Actual Behavior
There are a lot of CVEs found from the latest Temporal image: temporalio/ui:2.36.0
Steps to Reproduce the Problem
Pull the latest image temporalio/ui:2.36.0 from Dockerhub
Scan the image with any vulnerability scanner
Vulnerabilities
+----------------+----------+------+-----------+----------------------+-------------------------------+-------------+------------+---------------------------------------------------------------+
| CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS (fix version, fix release age) | PUBLISHED | DISCOVERED | DESCRIPTION |
+----------------+----------+------+-----------+----------------------+-------------------------------+-------------+------------+---------------------------------------------------------------+
| CVE-2024-24790 | critical | 9.80 | net/netip | 1.22.1 | fixed in 1.21.11, 1.22.4 (> 9 months ago) | > 9 months | < 1 hour | The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would... |
| CVE-2024-6197 | high | 7.50 | curl | 8.5.0-r0 | fixed in 8.9.0-r0 (> 7 months ago) | > 7 months | < 1 hour | libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. It can detect an invalid field and return error. Unfortu... |
| CVE-2024-9681 | medium | 6.50 | curl | 8.5.0-r0 | fixed in 8.11.0-r0 (69 days ago) | > 4 months | < 1 hour | When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than oth... |
| CVE-2024-7264 | medium | 6.50 | curl | 8.5.0-r0 | fixed in 8.9.1-r0 (69 days ago) | > 7 months | < 1 hour | libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given a syntactically incorrect fiel... |
| CVE-2024-25629 | medium | 5.50 | c-ares | 1.24.0-r1 | fixed in 1.27.0-r0 (> 11 months ago) | > 1 year | < 1 hour | c-ares is a C library for asynchronous DNS requests. `ares__read_line()` is used to parse local configuration files such as `/etc/resolv.conf`, `/etc/... |
| CVE-2023-6992 | medium | 5.50 | zlib | 1.3.1-r0 | | > 1 year | < 1 hour | Cloudflare version of zlib library was found to be vulnerable to memory corruption issues affecting the deflation algorithm implementation (deflate.c)... |
| CVE-2023-42366 | medium | 5.50 | busybox | 1.36.1-r15 | fixed in 1.36.1-r16 (> 10 months ago) | > 1 year | < 1 hour | A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159. |
| CVE-2023-42365 | medium | 5.50 | busybox | 1.36.1-r15 | fixed in 1.36.1-r19 (> 10 months ago) | > 1 year | < 1 hour | A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function. |
| CVE-2023-42364 | medium | 5.50 | busybox | 1.36.1-r15 | fixed in 1.36.1-r19 (> 10 months ago) | > 1 year | < 1 hour | A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate funct... |
| CVE-2023-42363 | medium | 5.50 | busybox | 1.36.1-r15 | fixed in 1.36.1-r17 (> 10 months ago) | > 1 year | < 1 hour | A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1. |
| CVE-2024-0853 | medium | 5.30 | curl | 8.5.0-r0 | fixed in 8.6.0-r0 (> 7 months ago) | > 1 year | < 1 hour | curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed. A subsequent transf... |
| CVE-2023-45288 | medium | 5.30 | net/http | 1.22.1 | fixed in 1.21.9, 1.22.2 (> 11 months ago) | > 11 months | < 1 hour | An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining H... |
| CVE-2024-6874 | medium | 4.30 | curl | 8.5.0-r0 | fixed in 8.9.0-r0 (> 7 months ago) | > 7 months | < 1 hour | libcurl's URL API function [curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode conversions, to and from IDN. Asking to conv... |
| CVE-2025-26519 | low | 0.00 | musl | 1.2.4_git20230717-r4 | fixed in 1.2.4_git20230717-r5 (32 days ago) | 32 days | < 1 hour | musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds write vulnerability when an attacker can trigger iconv conversion of untrusted EUC-KR... |
| CVE-2025-0725 | low | 0.00 | curl | 8.5.0-r0 | fixed in 8.12.0-r0 (38 days ago) | 40 days | < 1 hour | When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zli... |
| CVE-2025-0665 | low | 0.00 | curl | 8.5.0-r0 | fixed in 8.12.0-r0 (38 days ago) | 40 days | < 1 hour | libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolv... |
| CVE-2025-0167 | low | 0.00 | curl | 8.5.0-r0 | fixed in 8.12.0-r0 (38 days ago) | 40 days | < 1 hour | When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the follow... |
| CVE-2024-9143 | low | 0.00 | openssl | 3.1.4-r5 | fixed in 3.1.7-r1 (> 4 months ago) | > 5 months | < 1 hour | Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial can lead to out-of-bounds memo... |
| CVE-2024-8096 | low | 0.00 | curl | 8.5.0-r0 | fixed in 8.10.0-r0 (69 days ago) | > 6 months | < 1 hour | When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is va... |
| CVE-2024-6119 | low | 0.00 | openssl | 3.1.4-r5 | fixed in 3.1.7-r0 (> 6 months ago) | > 6 months | < 1 hour | Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory ... |
| CVE-2024-5535 | low | 0.00 | openssl | 3.1.4-r5 | fixed in 3.1.6-r0 (> 8 months ago) | > 8 months | < 1 hour | Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory cont... |
| CVE-2024-4741 | low | 0.00 | openssl | 3.1.4-r5 | fixed in 3.1.6-r0 (> 8 months ago) | > 4 months | < 1 hour | Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause memory to be accessed that was previously freed in some situations Impact ... |
| CVE-2024-4603 | low | 0.00 | openssl | 3.1.4-r5 | fixed in 3.1.5-r0 (> 10 months ago) | > 10 months | < 1 hour | Issue summary: Checking excessively long DSA keys or parameters may be very slow. Impact summary: Applications that use the functions EVP_PKEY_param_... |
| CVE-2024-2511 | low | 0.00 | openssl | 3.1.4-r5 | fixed in 3.1.4-r6 (> 11 months ago) | > 11 months | < 1 hour | Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions Impact summary: An attac... |
| CVE-2024-2466 | low | 0.00 | curl | 8.5.0-r0 | fixed in 8.7.1-r0 (> 7 months ago) | > 11 months | < 1 hour | libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would w... |
| CVE-2024-2398 | low | 0.00 | curl | 8.5.0-r0 | fixed in 8.7.1-r0 (> 7 months ago) | > 11 months | < 1 hour | When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed ... |
| CVE-2024-2379 | low | 0.00 | curl | 8.5.0-r0 | fixed in 8.7.1-r0 (> 7 months ago) | > 11 months | < 1 hour | libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad ci... |
| CVE-2024-2004 | low | 0.00 | curl | 8.5.0-r0 | fixed in 8.7.1-r0 (> 7 months ago) | > 11 months | < 1 hour | When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set... |
| CVE-2024-13176 | low | 0.00 | openssl | 3.1.4-r5 | fixed in 3.1.8-r0 (34 days ago) | 56 days | < 1 hour | Issue summary: A timing side-channel which could potentially allow recovering the private key exists in the ECDSA signature computation. Impact summa... |
| CVE-2024-11053 | low | 0.00 | curl | 8.5.0-r0 | fixed in 8.11.1-r0 (69 days ago) | > 3 months | < 1 hour | When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the follo... |
+----------------+----------+------+-----------+----------------------+-------------------------------+-------------+------------+---------------------------------------------------------------+
Vulnerabilities found for image axonhub.azurecr.us/temporalio/ui:2.36.0: total - 30, critical - 1, high - 1, medium - 11, low - 17
Vulnerability threshold check results: PASS
Compliance Issues
+----------+------------------------------------------------------------------------+
| SEVERITY | DESCRIPTION |
+----------+------------------------------------------------------------------------+
| high | (CIS_Docker_v1.5.0 - 4.1) Image should be created with a non-root user |
+----------+------------------------------------------------------------------------+
Compliance found for image axonhub.azurecr.us/temporalio/ui:2.36.0: total - 1, critical - 0, high - 1, medium - 0, low - 0
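Two things in the report above are worth acting on before waiting for a new upstream tag. First, every finding except the two Go standard-library entries (net/netip, net/http) sits in the Alpine base layer (curl, openssl, busybox, musl, c-ares, zlib), and all but one already have a fixed package version listed, so a rebuild on a current base image and Go toolchain clears nearly the whole list. Second, the scanner's own threshold check reported PASS with one critical and one high finding present, which means the policy it was run with does not fail on severity. The script below is an added example, not part of this issue or of the temporalio/ui project: it parses the pipe-table report format shown above (a constructed five-row sample is embedded), fails the build on any critical/high finding or on any finding that already has a fix, and works out the highest fixed version needed per package. The version comparison is a deliberately simple numeric key, not a full apk or Go version comparator, and the choice to pick the fix on the same major.minor line as the installed version is an assumption about how multi-version "fixed in" entries should be read.

```python
"""Added example (not from the issue or from temporalio/ui): gate a CI build
on a scanner report in the pipe-table format shown in the issue.

Assumptions: rows are '|'-separated, a finding row starts with its CVE id,
and a fix is recorded as 'fixed in <version>[, <version>]' in the STATUS
column. Wrapped continuation rows (empty first cell) are ignored.
"""
import re
from collections import defaultdict

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
ROW_RE = re.compile(r"^\|\s*(CVE-\d{4}-\d{4,})\s*\|")

# Constructed sample: five rows copied from the report, without the
# PUBLISHED/DISCOVERED/DESCRIPTION columns (the parser reads only the first six).
SAMPLE_REPORT = """\
+----------------+----------+------+-----------+----------------------+-------------------------------+
| CVE            | SEVERITY | CVSS | PACKAGE   | VERSION              | STATUS                        |
+----------------+----------+------+-----------+----------------------+-------------------------------+
| CVE-2024-24790 | critical | 9.80 | net/netip | 1.22.1               | fixed in 1.21.11, 1.22.4      |
|                |          |      |           |                      | > 9 months ago                |
| CVE-2024-6197  | high     | 7.50 | curl      | 8.5.0-r0             | fixed in 8.9.0-r0             |
| CVE-2024-9681  | medium   | 6.50 | curl      | 8.5.0-r0             | fixed in 8.11.0-r0            |
| CVE-2023-6992  | medium   | 5.50 | zlib      | 1.3.1-r0             |                               |
| CVE-2025-26519 | low      | 0.00 | musl      | 1.2.4_git20230717-r4 | fixed in 1.2.4_git20230717-r5 |
+----------------+----------+------+-----------+----------------------+-------------------------------+
"""


def version_key(v: str) -> tuple:
    """Crude numeric sort key: '8.11.0-r0' -> (8, 11, 0, 0).
    Enough to pick the highest 'fixed in' version within one package;
    not a full apk/Go version comparator (assumption, see lead-in)."""
    return tuple(int(n) for n in re.findall(r"\d+", v))


def parse_findings(report: str) -> list:
    """Return one dict per finding row; borders, header and wrapped rows are skipped."""
    findings = []
    for line in report.splitlines():
        if not ROW_RE.match(line):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        cve, severity, cvss, package, version, status = cells[:6]
        fixes = []
        if status.startswith("fixed in "):
            fixes = [f.strip() for f in status[len("fixed in "):].split(",")]
        findings.append({
            "cve": cve, "severity": severity.lower(), "cvss": float(cvss),
            "package": package, "version": version, "fixes": fixes,
        })
    return findings


def blocking_findings(findings, fail_at: str = "high", fail_on_fixable: bool = True) -> list:
    """Findings that should fail the gate: at or above the severity threshold,
    or (by default) anything the distro/toolchain has already shipped a fix for."""
    threshold = SEVERITY_RANK[fail_at]
    return [
        f for f in findings
        if SEVERITY_RANK.get(f["severity"], 0) >= threshold
        or (fail_on_fixable and f["fixes"])
    ]


def required_upgrades(findings) -> dict:
    """Highest fixed version per package. When a CVE lists several fixed versions
    (Go stdlib style, '1.21.11, 1.22.4'), keep the one on the same major.minor
    line as the installed version if there is one, otherwise consider them all."""
    needed = defaultdict(list)
    for f in findings:
        if not f["fixes"]:
            continue
        installed = version_key(f["version"])[:2]
        same_line = [v for v in f["fixes"] if version_key(v)[:2] == installed]
        needed[f["package"]].extend(same_line or f["fixes"])
    return {pkg: max(vs, key=version_key) for pkg, vs in needed.items()}


def summarize(report: str, fail_at: str = "high") -> dict:
    """Parse a report and produce the gate decision plus an upgrade plan."""
    findings = parse_findings(report)
    counts = defaultdict(int)
    for f in findings:
        counts[f["severity"]] += 1
    blocking = blocking_findings(findings, fail_at)
    return {
        "total": len(findings),
        "counts": dict(counts),
        "blocking": [f["cve"] for f in blocking],
        "upgrades": required_upgrades(findings),
        "passed": not blocking,
    }


if __name__ == "__main__":
    import json
    import sys
    result = summarize(SAMPLE_REPORT)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["passed"] else 1)
```

Run against the real report by piping the scanner's text output into `summarize()`; the non-zero exit is what the CI step should key on, rather than the scanner's own threshold line. The `fail_on_fixable` default is the stricter policy: a low-severity finding with a fix available (the musl iconv row in the sample) still blocks, because the remediation cost is a base-image bump rather than a code change.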
We are also seeing these security vulnerabilities in temporalio/ui:2.36.0. What is the current status?
Fixed in 2.37.1