What happened?
I am looking to ship gemini into a cluster, but in scanning the image the following CVEs were flagged:
ECR scan discovered security vulnerabilities affecting package(s) in quay/fairwinds/gemini container image. See details below.
CVE-ID: CVE-2023-5363
Vulnerable Package: openssl
Severity: HIGH
URI: See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5363 for more details
Info: Upgrade to at least version(s): Alpine:v3.17 - 3.0.12-r0 | Alpine:v3.18 - 3.1.4-r0 | Alpine:v3.19 - 3.1.4-r0
CVE-ID: CVE-2023-5678
Vulnerable Package: openssl
Severity: MEDIUM
URI: See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5678 for more details
Info: Upgrade to at least version(s): Alpine:v3.15 - 1.1.1w-r1 | Alpine:v3.16 - 1.1.1w-r1 | Alpine:v3.17 - 3.0.12-r1 | Alpine:v3.18 - 3.1.4-r1
CVE-ID: CVE-2023-3446
Vulnerable Package: openssl
Severity: MEDIUM
URI: See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3446 for more details
Info: Upgrade to at least version(s): Alpine:v3.15 - 1.1.1u-r2 | Alpine:v3.15 - 3.0.9-r2 | Alpine:v3.16 - 1.1.1u-r2 | Alpine:v3.16 - 3.0.9-r2 | Alpine:v3.17 - 3.0.9-r3 | Alpine:v3.18 - 3.1.1-r3 | Alpine:v3.19 - 3.1.1-r3
CVE-ID: CVE-2024-0727
Vulnerable Package: openssl
Severity: MEDIUM
URI: See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0727 for more details
Info: Upgrade to at least version(s): Alpine:v3.17 - 3.0.12-r4 | Alpine:v3.18 - 3.1.4-r5 | Alpine:v3.19 - 3.1.4-r5
CVE-ID: CVE-2023-3817
Vulnerable Package: openssl
Severity: MEDIUM
URI: See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3817 for more details
Info: Upgrade to at least version(s): Alpine:v3.15 - 1.1.1v-r0 | Alpine:v3.15 - 3.0.11-r0 | Alpine:v3.16 - 1.1.1v-r0 | Alpine:v3.16 - 3.0.11-r0 | Alpine:v3.17 - 3.0.10-r0 | Alpine:v3.18 - 3.1.2-r0 | Alpine:v3.19 - 3.1.2-r0
CVE-ID: CVE-2023-2975
Vulnerable Package: openssl
Severity: MEDIUM
URI: See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2975 for more details
Info: Upgrade to at least version(s): Alpine:v3.15 - 3.0.9-r1 | Alpine:v3.16 - 3.0.9-r1 | Alpine:v3.17 - 3.0.9-r2 | Alpine:v3.18 - 3.1.1-r2 | Alpine:v3.19 - 3.1.1-r2
CVE-ID: CVE-2023-6129
Vulnerable Package: openssl
Severity: MEDIUM
URI: See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6129 for more details
Info: Upgrade to at least version(s): Alpine:v3.17 - 3.0.12-r2 | Alpine:v3.18 - 3.1.4-r3 | Alpine:v3.19 - 3.1.4-r3
CVE-ID: CVE-2023-2650
Vulnerable Package: openssl
Severity: MEDIUM
URI: See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2650 for more details
Info: Upgrade to at least version(s): Alpine:v3.15 - 1.1.1u-r0 | Alpine:v3.15 - 3.0.9-r0 | Alpine:v3.16 - 1.1.1u-r0 | Alpine:v3.16 - 3.0.9-r0 | Alpine:v3.17 - 3.0.9-r0 | Alpine:v3.18 - 3.1.1-r0 | Alpine:v3.19 - 3.1.1-r0
What did you expect to happen?
I would like to see these CVEs resolved, or at least a resolution to the highest severity vulnerabilities that have been flagged.
How can we reproduce this?
Although the list may vary, any image scanning tool will provide a similar list of CVEs. The simplest way is a Docker Scout scan:
▶ docker scout cves quay.io/fairwinds/gemini:2.0
i New version 1.7.0 available (installed version is 1.5.0) at https://github.com/docker/scout-cli
✓ SBOM of image already cached, 66 packages indexed
✗ Detected 4 vulnerable packages with a total of 47 vulnerabilities
## Overview
│ Analyzed Image
────────────────────┼─────────────────────────────────────
Target │ quay.io/fairwinds/gemini:2.0
digest │ f5a22ff274f2
platform │ linux/arm64
vulnerabilities │ 2C 20H 19M 0L 8?
size │ 18 MB
packages │ 66
## Packages and Vulnerabilities
2C 18H 8M 0L 6? stdlib 1.19.1
pkg:golang/stdlib@1.19.1
✗ CRITICAL CVE-2023-24540
https://scout.docker.com/v/CVE-2023-24540
Affected range : <1.19.9
Fixed version : 1.19.9
✗ CRITICAL CVE-2023-24538
https://scout.docker.com/v/CVE-2023-24538
Affected range : <1.19.8
Fixed version : 1.19.8
✗ HIGH CVE-2023-29403
https://scout.docker.com/v/CVE-2023-29403
Affected range : <1.19.10
Fixed version : 1.19.10
✗ HIGH CVE-2023-45287
https://scout.docker.com/v/CVE-2023-45287
Affected range : <1.20.0
Fixed version : 1.20.0
✗ HIGH CVE-2023-45283
https://scout.docker.com/v/CVE-2023-45283
Affected range : <1.20.11
Fixed version : 1.20.11
✗ HIGH CVE-2023-39325
https://scout.docker.com/v/CVE-2023-39325
Affected range : <1.20.10
Fixed version : 1.20.10
✗ HIGH CVE-2023-24537
https://scout.docker.com/v/CVE-2023-24537
Affected range : <1.19.8
Fixed version : 1.19.8
✗ HIGH CVE-2023-24536
https://scout.docker.com/v/CVE-2023-24536
Affected range : <1.19.8
Fixed version : 1.19.8
✗ HIGH CVE-2023-24534
https://scout.docker.com/v/CVE-2023-24534
Affected range : <1.19.8
Fixed version : 1.19.8
✗ HIGH CVE-2022-41725
https://scout.docker.com/v/CVE-2022-41725
Affected range : <1.19.6
Fixed version : 1.19.6
✗ HIGH CVE-2022-41724
https://scout.docker.com/v/CVE-2022-41724
Affected range : <1.19.6
Fixed version : 1.19.6
✗ HIGH CVE-2022-41723
https://scout.docker.com/v/CVE-2022-41723
Affected range : <1.19.6
Fixed version : 1.19.6
✗ HIGH CVE-2022-41722
https://scout.docker.com/v/CVE-2022-41722
Affected range : <1.19.6
Fixed version : 1.19.6
✗ HIGH CVE-2022-41720
https://scout.docker.com/v/CVE-2022-41720
Affected range : >=1.19.0-0
: <1.19.4
Fixed version : 1.19.4
✗ HIGH CVE-2022-41716
https://scout.docker.com/v/CVE-2022-41716
Affected range : >=1.19.0-0
: <1.19.3
Fixed version : 1.19.3
✗ HIGH CVE-2022-41715
https://scout.docker.com/v/CVE-2022-41715
Affected range : >=1.19.0-0
: <1.19.2
Fixed version : 1.19.2
✗ HIGH CVE-2022-2880
https://scout.docker.com/v/CVE-2022-2880
Affected range : >=1.19.0-0
: <1.19.2
Fixed version : 1.19.2
✗ HIGH CVE-2022-2879
https://scout.docker.com/v/CVE-2022-2879
Affected range : >=1.19.0-0
: <1.19.2
Fixed version : 1.19.2
✗ HIGH CVE-2023-29400
https://scout.docker.com/v/CVE-2023-29400
Affected range : <1.19.9
Fixed version : 1.19.9
✗ HIGH CVE-2023-24539
https://scout.docker.com/v/CVE-2023-24539
Affected range : <1.19.9
Fixed version : 1.19.9
✗ MEDIUM CVE-2023-29406
https://scout.docker.com/v/CVE-2023-29406
Affected range : <1.19.11
Fixed version : 1.19.11
✗ MEDIUM CVE-2023-39319
https://scout.docker.com/v/CVE-2023-39319
Affected range : <1.20.8
Fixed version : 1.20.8
✗ MEDIUM CVE-2023-39318
https://scout.docker.com/v/CVE-2023-39318
Affected range : <1.20.8
Fixed version : 1.20.8
✗ MEDIUM CVE-2023-45284
https://scout.docker.com/v/CVE-2023-45284
Affected range : <1.20.11
Fixed version : 1.20.11
✗ MEDIUM CVE-2023-39326
https://scout.docker.com/v/CVE-2023-39326
Affected range : <1.20.12
Fixed version : 1.20.12
✗ MEDIUM CVE-2023-29409
https://scout.docker.com/v/CVE-2023-29409
Affected range : <1.19.12
Fixed version : 1.19.12
✗ MEDIUM CVE-2023-24532
https://scout.docker.com/v/CVE-2023-24532
Affected range : <1.19.7
Fixed version : 1.19.7
✗ MEDIUM CVE-2022-41717
https://scout.docker.com/v/CVE-2022-41717
Affected range : >=1.19.0-0
: <1.19.4
Fixed version : 1.19.4
✗ UNSPECIFIED CVE-2024-24785
https://scout.docker.com/v/CVE-2024-24785
Affected range : <1.21.8
Fixed version : 1.21.8
✗ UNSPECIFIED CVE-2024-24784
https://scout.docker.com/v/CVE-2024-24784
Affected range : <1.21.8
Fixed version : 1.21.8
✗ UNSPECIFIED CVE-2024-24783
https://scout.docker.com/v/CVE-2024-24783
Affected range : <1.21.8
Fixed version : 1.21.8
✗ UNSPECIFIED CVE-2023-45290
https://scout.docker.com/v/CVE-2023-45290
Affected range : <1.21.8
Fixed version : 1.21.8
✗ UNSPECIFIED CVE-2023-45289
https://scout.docker.com/v/CVE-2023-45289
Affected range : <1.21.8
Fixed version : 1.21.8
✗ UNSPECIFIED CVE-2023-45288
https://scout.docker.com/v/CVE-2023-45288
Affected range : <1.21.9
Fixed version : 1.21.9
0C 1H 7M 0L 2? openssl 3.0.8-r4
pkg:apk/alpine/openssl@3.0.8-r4?os_name=alpine&os_version=3.17
✗ HIGH CVE-2023-5363
https://scout.docker.com/v/CVE-2023-5363
Affected range : <3.0.12-r0
Fixed version : 3.0.12-r0
✗ MEDIUM CVE-2023-6129
https://scout.docker.com/v/CVE-2023-6129
Affected range : <3.0.12-r2
Fixed version : 3.0.12-r2
✗ MEDIUM CVE-2023-2650
https://scout.docker.com/v/CVE-2023-2650
Affected range : <3.0.9-r0
Fixed version : 3.0.9-r0
✗ MEDIUM CVE-2024-0727
https://scout.docker.com/v/CVE-2024-0727
Affected range : <3.0.12-r4
Fixed version : 3.0.12-r4
✗ MEDIUM CVE-2023-5678
https://scout.docker.com/v/CVE-2023-5678
Affected range : <3.0.12-r1
Fixed version : 3.0.12-r1
✗ MEDIUM CVE-2023-3817
https://scout.docker.com/v/CVE-2023-3817
Affected range : <3.0.10-r0
Fixed version : 3.0.10-r0
✗ MEDIUM CVE-2023-3446
https://scout.docker.com/v/CVE-2023-3446
Affected range : <3.0.9-r3
Fixed version : 3.0.9-r3
✗ MEDIUM CVE-2023-2975
https://scout.docker.com/v/CVE-2023-2975
Affected range : <3.0.9-r2
Fixed version : 3.0.9-r2
✗ UNSPECIFIED CVE-2024-2511
https://scout.docker.com/v/CVE-2024-2511
Affected range : <3.0.12-r5
Fixed version : 3.0.12-r5
✗ UNSPECIFIED CVE-2023-6237
https://scout.docker.com/v/CVE-2023-6237
Affected range : <3.0.12-r3
Fixed version : 3.0.12-r3
0C 1H 3M 0L golang.org/x/net 0.10.0
pkg:golang/golang.org/x/net@0.10.0
✗ HIGH CVE-2023-39325 [Uncontrolled Resource Consumption]
https://scout.docker.com/v/CVE-2023-39325
Affected range : <0.17.0
Fixed version : 0.17.0
CVSS Score : 7.5
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
✗ MEDIUM CVE-2023-3978 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
https://scout.docker.com/v/CVE-2023-3978
Affected range : <0.13.0
Fixed version : 0.13.0
CVSS Score : 6.1
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
✗ MEDIUM CVE-2023-45288 [Uncontrolled Resource Consumption]
https://scout.docker.com/v/CVE-2023-45288
Affected range : <0.23.0
Fixed version : 0.23.0
CVSS Score : 5.3
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
✗ MEDIUM CVE-2023-44487 [Uncontrolled Resource Consumption]
https://scout.docker.com/v/CVE-2023-44487
Affected range : <0.17.0
Fixed version : 0.17.0
CVSS Score : 5.3
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
0C 0H 1M 0L google.golang.org/protobuf 1.30.0
pkg:golang/google.golang.org/protobuf@1.30.0
✗ MEDIUM CVE-2024-24786 [Loop with Unreachable Exit Condition ('Infinite Loop')]
https://scout.docker.com/v/CVE-2024-24786
Affected range : <1.33.0
Fixed version : 1.33.0
49 vulnerabilities found in 4 packages
UNSPECIFIED 8
LOW 0
MEDIUM 19
HIGH 20
CRITICAL 2
What's Next?
View base image update recommendations → docker scout recommendations quay.io/fairwinds/gemini:2.0
Version
Gemini Version 2.0/2.0.1 and Helm Chart Version 2.1.3
Search
I did search for other open and closed issues before opening this.
Code of Conduct
I agree to follow this project's Code of Conduct
Additional context
In reviewing the Dockerfile, I do not imagine this is a change that should require much of any code change - and may be as simple as re-creating the image with new alpine packages. Failing that, an OS update should suffice.
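Added example (not part of the issue and not code from the gemini project): a small Go program that parses the `docker scout cves` text quoted above and answers the question the issue actually raises, namely which version each package has to reach so that nothing flagged remains, optionally gated to a minimum severity. The embedded report is a constructed subset of the lines in the issue; the report layout ("pkg:" purl, "✗ SEVERITY CVE-…" row, "Fixed version : x" line) is assumed to be the one shown above, and the version comparison is a simplified numeric-run ordering that is adequate for Go toolchain versions and Alpine `-rN` revisions but does not model apk suffixes such as `_p1` or Go pre-release tags.

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed sample: a trimmed subset of the `docker scout cves` report quoted
// in the issue (URL, "Affected range" and summary lines dropped; the parser
// ignores those lines anyway).
const sampleScan = `
pkg:golang/stdlib@1.19.1
    ✗ CRITICAL CVE-2023-24540
      Fixed version  : 1.19.9
    ✗ HIGH CVE-2022-41720
      Fixed version  : 1.19.4
    ✗ UNSPECIFIED CVE-2023-45288
      Fixed version  : 1.21.9
pkg:apk/alpine/openssl@3.0.8-r4?os_name=alpine&os_version=3.17
    ✗ HIGH CVE-2023-5363
      Fixed version  : 3.0.12-r0
    ✗ UNSPECIFIED CVE-2024-2511
      Fixed version  : 3.0.12-r5
`

// Finding is one CVE row of the report, keyed by the purl name it was listed under.
type Finding struct{ Package, Severity, CVE, Fixed string }

// severityRank gates findings; UNSPECIFIED ranks lowest, so a HIGH gate drops it silently.
var severityRank = map[string]int{"UNSPECIFIED": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// parseScout walks the report: a "pkg:" purl opens a package, a "✗ SEVERITY CVE-..."
// row opens a finding, and the next "Fixed version : x" line completes it.
func parseScout(report string) []Finding {
	var out []Finding
	var pkg string
	for _, raw := range strings.Split(report, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case strings.HasPrefix(line, "pkg:"):
			// "pkg:apk/alpine/openssl@3.0.8-r4?os_name=alpine" -> "apk/alpine/openssl"
			pkg, _, _ = strings.Cut(strings.TrimPrefix(line, "pkg:"), "@")
		case strings.HasPrefix(line, "✗"):
			if f := strings.Fields(line); len(f) >= 3 {
				out = append(out, Finding{Package: pkg, Severity: f[1], CVE: f[2]})
			}
		case strings.HasPrefix(line, "Fixed version") && len(out) > 0:
			if _, v, ok := strings.Cut(line, ":"); ok {
				out[len(out)-1].Fixed = strings.TrimSpace(v)
			}
		}
	}
	return out
}

// numericRuns splits "3.0.12-r5" into [3 0 12 5 0 0]: digit runs padded to six places
// so versions of different depth compare position by position. Simplification: apk
// suffixes such as _p1/_rc1 and Go pre-release tags are not modelled.
func numericRuns(v string) [6]int {
	var n [6]int
	for i, r := range strings.FieldsFunc(v, func(c rune) bool { return c < '0' || c > '9' }) {
		if i < len(n) {
			n[i], _ = strconv.Atoi(r)
		}
	}
	return n
}

// compareVersions returns -1, 0 or 1 and orders both Go toolchain versions and
// Alpine package revisions (3.0.12-r5 > 3.0.12-r0 > 3.0.9-r3).
func compareVersions(a, b string) int {
	pa, pb := numericRuns(a), numericRuns(b)
	for i := range pa {
		if pa[i] < pb[i] {
			return -1
		}
		if pa[i] > pb[i] {
			return 1
		}
	}
	return 0
}

// upgradeTargets returns, per package, the lowest version that clears every finding
// at or above minSeverity, i.e. the highest "Fixed version" among them.
func upgradeTargets(findings []Finding, minSeverity string) map[string]string {
	targets := map[string]string{}
	for _, f := range findings {
		if f.Fixed == "" || severityRank[f.Severity] < severityRank[minSeverity] {
			continue
		}
		if cur, ok := targets[f.Package]; !ok || compareVersions(f.Fixed, cur) > 0 {
			targets[f.Package] = f.Fixed
		}
	}
	return targets
}
```

Calling `upgradeTargets(parseScout(sampleScan), "UNSPECIFIED")` on the sample gives stdlib 1.21.9 and openssl 3.0.12-r5; gating to "HIGH" gives 1.19.9 and 3.0.12-r0, which is the "at least the highest severity" option the issue mentions, at the cost of silently leaving the UNSPECIFIED entries open. Run over the full report quoted above the same logic yields Go 1.21.9 (CVE-2023-45288), openssl 3.0.12-r5 (CVE-2024-2511), golang.org/x/net 0.23.0 and google.golang.org/protobuf 1.33.0. The stdlib findings are only cleared by rebuilding the binary with a Go toolchain at or above that target, since they live in the statically linked runtime; the openssl findings need `apk upgrade` against an Alpine release that ships the target revision, and the two Go module findings need `go get` bumps in go.mod.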