Addressing a lot of security vulnerabilities in the Cadence release v1.2.7
**Version of Cadence server, and client (which language)** This is very important to root cause bugs.
Server version: 1.2.7
**Describe the bug** Several CVEs are reported against the latest release image, 1.2.7.
**To Reproduce** Is the issue reproducible? Yes

Steps to reproduce the behavior: A clear and concise description of the reproduce steps.
**Expected behavior** Some of the vulnerabilities can be fixed by upgrading the affected packages to the versions listed below.

| CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS |
|---|---|---|---|---|---|
| CVE-2019-0210 | high | 7.50 | github.com/apache/thrift/lib/go/thrift | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.13.0 |
| CVE-2019-0190 | high | 7.50 | openssl | 3.1.4-r1 | |
| PRISMA-2023-0056 | medium | 6.20 | github.com/sirupsen/logrus | v1.9.0 | fixed in v1.9.3 |
| CVE-2023-6992 | medium | 5.50 | zlib | 1.2.13-r1 | fixed in v1.9.3 |

| SEVERITY | DESCRIPTION |
|---|---|
| high | (CIS_Docker_v1.5.0 - 4.1) Image should be created with a non-root user |
| high | Private keys stored in image |
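One way to check a release image for the second finding before it ships (an added example, not code from the Cadence project): export the image filesystem to a directory and walk it for PEM blocks whose type names a private key, which covers RSA, EC, PKCS#8 and OpenSSH keys. The directory layout, file names and key bytes below are constructed for the demonstration; `WriteSampleTree` exists only to give the scan something to find.

```go
package main

import (
	"encoding/pem"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// FindPrivateKeys walks root (for example an exported image filesystem) and
// returns every file that contains a PEM block whose type names a private key.
func FindPrivateKeys(root string) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() {
			return nil
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		// Key files are small; skipping large files keeps the scan from
		// reading every binary in the image.
		if info.Size() > 1<<20 {
			return nil
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		if containsPrivateKey(data) {
			hits = append(hits, path)
		}
		return nil
	})
	return hits, err
}

// containsPrivateKey decodes every PEM block in data and reports whether any
// of them is a private key: RSA, EC, PKCS#8 and OpenSSH blocks all carry
// "PRIVATE KEY" in their type line, certificates and public keys do not.
func containsPrivateKey(data []byte) bool {
	for {
		block, rest := pem.Decode(data)
		if block == nil {
			return false
		}
		if strings.Contains(block.Type, "PRIVATE KEY") {
			return true
		}
		data = rest
	}
}

// WriteSampleTree creates a constructed mini filesystem under root: one file
// holding a dummy (constructed, not real) private key, one holding only a
// certificate, and one plain config file. Paths are hypothetical.
func WriteSampleTree(root string) error {
	files := map[string]string{
		"etc/cadence/server.key":  "-----BEGIN RSA PRIVATE KEY-----\nAAAAAAAAAAAAAAAA\n-----END RSA PRIVATE KEY-----\n",
		"etc/cadence/ca.crt":      "-----BEGIN CERTIFICATE-----\nAAAAAAAAAAAAAAAA\n-----END CERTIFICATE-----\n",
		"etc/cadence/config.yaml": "log:\n  level: info\n",
	}
	for name, body := range files {
		p := filepath.Join(root, name)
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte(body), 0o600); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root, err := os.MkdirTemp("", "image-fs")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := WriteSampleTree(root); err != nil {
		panic(err)
	}
	hits, err := FindPrivateKeys(root)
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Println("private key material found:", h)
	}
}
```

Run against a real export, point `FindPrivateKeys` at the unpacked root instead of the sample tree; a hit means the key must be moved out of the image into a mounted secret. The first finding (non-root user) is a separate fix, a `USER` instruction in the Dockerfile, which a scan can only report on, not correct.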

More CVEs reported for this release:

| CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS |
|---|---|---|---|---|---|
| CVE-2016-5397 | high | 7.50 | github.com/apache/thrift | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.10.0 |
| CVE-2024-24786 | moderate | 0.00 | google.golang.org/protobuf/internal/encoding/json | v1.31.0 | fixed in 1.33.0 |
| CVE-2024-24786 | moderate | 0.00 | google.golang.org/protobuf/encoding/protojson | v1.31.0 | fixed in 1.33.0 |
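To verify that a rebuilt image actually picks up the fixed versions from both Go-module tables above, the following added example (not code from the Cadence project) reads `go list -m all` output and flags every listed module still below its "fixed in" version. Module versions are ordered the way semver orders them, so the thrift pseudo-version `v0.0.0-20161221203622-b2a4d4ae21c7` ranks below `0.13.0`. The `go list` output in `sampleGoList` is constructed for the demonstration; the package paths and fixed versions are copied from the tables, with the two protobuf packages collapsed into one row because they live in the same module. The openssl and zlib rows are Alpine packages, not Go modules, and are out of scope here.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Finding is one row of the issue's tables: the affected Go package and the
// first version of its module that carries the fix (status column).
type Finding struct {
	ID, Package, FixedIn string
}

// Rows copied from the tables above. Both protobuf packages in the table
// belong to module google.golang.org/protobuf, so one row covers them.
var findings = []Finding{
	{"CVE-2019-0210", "github.com/apache/thrift/lib/go/thrift", "0.13.0"},
	{"CVE-2016-5397", "github.com/apache/thrift", "0.10.0"},
	{"PRISMA-2023-0056", "github.com/sirupsen/logrus", "v1.9.3"},
	{"CVE-2024-24786", "google.golang.org/protobuf/encoding/protojson", "1.33.0"},
}

// Constructed sample of `go list -m all` output for a hypothetical build of
// the 1.2.7 image; the main module is printed without a version.
const sampleGoList = `github.com/uber/cadence
github.com/apache/thrift v0.0.0-20161221203622-b2a4d4ae21c7
github.com/sirupsen/logrus v1.9.0
google.golang.org/protobuf v1.31.0
go.uber.org/zap v1.26.0
`

// splitVersion turns "v1.9.3", "v0.0.0-20161221203622-b2a4d4ae21c7" or
// "v2.0.0+incompatible" into numeric major.minor.patch plus any pre-release
// (or pseudo-version) suffix. A missing "v" prefix is tolerated.
func splitVersion(v string) ([3]int, string) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i] // build metadata never affects precedence
	}
	var pre string
	if i := strings.Index(v, "-"); i >= 0 {
		v, pre = v[:i], v[i+1:]
	}
	var nums [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		n, err := strconv.Atoi(p)
		if err != nil {
			break
		}
		nums[i] = n
	}
	return nums, pre
}

// compareVersion orders two module versions as semver does: by
// major.minor.patch, with a pre-release or pseudo-version ranking below the
// plain release of the same number. Returns -1, 0 or 1.
func compareVersion(a, b string) int {
	an, ap := splitVersion(a)
	bn, bp := splitVersion(b)
	for i := range an {
		if an[i] != bn[i] {
			if an[i] < bn[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case ap == bp:
		return 0
	case ap == "":
		return 1
	case bp == "":
		return -1
	}
	return strings.Compare(ap, bp)
}

// Vulnerable reads `go list -m all` output and returns one report line per
// finding whose module is still below the fixed version. When a line carries
// a "=>" replacement with a version, that version is the one built into the
// binary, so it is the one compared.
func Vulnerable(goListOutput string) []string {
	var out []string
	sc := bufio.NewScanner(strings.NewReader(goListOutput))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 {
			continue // main module, or a blank line
		}
		mod, ver := f[0], f[1]
		if len(f) >= 5 && f[2] == "=>" {
			ver = f[4]
		}
		for _, fd := range findings {
			inModule := fd.Package == mod || strings.HasPrefix(fd.Package, mod+"/")
			if !inModule || compareVersion(ver, fd.FixedIn) >= 0 {
				continue
			}
			out = append(out, fmt.Sprintf("%s: %s %s is below fixed version %s", fd.ID, mod, ver, fd.FixedIn))
		}
	}
	return out
}

func main() {
	for _, line := range Vulnerable(sampleGoList) {
		fmt.Println(line)
	}
}
```

In a real pipeline the input comes from `go list -m all` run in the server's module directory after the go.mod bump; an empty result from `Vulnerable` is the signal that every Go-module row in the tables has been addressed, while the openssl and zlib rows still need a rebased base image.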