
Update superset "numexpr 2.8.4" dependency in docker image of superset 3.1.0/3.1.1 because of CVE-2023-39631 #26967

Closed · 3 tasks done
nigzak opened this issue Feb 1, 2024 · 2 comments

nigzak (Contributor) commented Feb 1, 2024

Bug description

The docker inspector marks the image of superset 3.1.0 with a finding of numexpr 2.8.4:

https://scout.docker.com/vulnerabilities/id/CVE-2023-39631?s=pypa&n=numexpr&t=pypi&vr==2.8.4&utm_source=desktop&utm_medium=ExternalLink

CVSS score = 9.8

How to reproduce the bug

download image 3.1.0
open in docker inspector

Screenshots/recordings

No response

Superset version

3.1.0
3.1.1

Python version

3.9

Node version

16

Browser

Chrome

Additional context

3.0.3 is NOT affected by this


Checklist

  • I have searched Superset docs and Slack and didn't find a solution to my problem.
  • I have searched the GitHub issue tracker and didn't find a similar bug report.
  • I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
nigzak changed the title "Update superset "numexpr 2.8.4" dependency in docker image because of CVE-2023-39631" to "Update superset "numexpr 2.8.4" dependency in docker image of superset 3.1.0 because of CVE-2023-39631" on Feb 1, 2024
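The finding above comes from a scanner reading the pinned packages inside the image. The following script reproduces that check from a `pip freeze` listing, so the pin can be verified (and re-verified after the bump) without the scanner. It is an added example for this thread, not code from the issue, Superset or numexpr. Two things it assumes are not stated on this page: that numexpr 2.8.5 is the first release containing the fix for CVE-2023-39631, and that the image exposes `pip freeze`; the two listings embedded at the bottom are constructed, not captured from the real images.

```python
"""Flag a vulnerable numexpr pin in `pip freeze` output.

Added example for this issue; not Superset's or numexpr's own code.
Assumptions not stated in the issue: the fix for CVE-2023-39631 shipped in
numexpr 2.8.5, and the Superset image can run `pip freeze`.
"""
import re
from typing import Dict, List, Tuple

# Assumption: package -> (advisory, first fixed version). Extend as needed.
ADVISORIES = {
    "numexpr": ("CVE-2023-39631", "2.8.5"),
}

# Only exact pins ("name==version") are considered; editable installs
# ("-e ...") and direct references ("name @ url") carry no pin.
_FREEZE_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*(\S+)")
_PRE_SUFFIX = re.compile(r"^[.\-_]?(a|b|c|rc|alpha|beta|pre|preview|dev)\d*", re.I)


def normalize_name(name: str) -> str:
    """PEP 503 name normalisation: lower-case, runs of [-_.] become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Return (numeric release segment, pre-release flag).

    The flag is -1 for a pre-release (2.8.5rc1, 2.8.5.dev0) and 0 otherwise,
    so a pre-release sorts below the final release with the same numbers.
    Local/post suffixes such as '+cpu' or '.post1' are not treated as pre.
    """
    m = re.match(r"^v?(\d+(?:\.\d+)*)(.*)$", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    is_pre = -1 if _PRE_SUFFIX.match(m.group(2)) else 0
    return release, is_pre


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than b (2.8.10 > 2.8.9, 2.8.5 == 2.8.5.0)."""
    ra, pa = parse_version(a)
    rb, pb = parse_version(b)
    width = max(len(ra), len(rb))
    ra += (0,) * (width - len(ra))
    rb += (0,) * (width - len(rb))
    return (ra, pa) < (rb, pb)


def parse_freeze(text: str) -> Dict[str, str]:
    """Map normalised package name -> pinned version from `pip freeze` output."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        m = _FREEZE_LINE.match(line)
        if m:
            pins[normalize_name(m.group(1))] = m.group(2)
    return pins


def find_vulnerable(freeze_text: str, advisories=ADVISORIES) -> List[Tuple[str, str, str]]:
    """Return (package, installed version, advisory) for each pin below its fixed version."""
    pins = parse_freeze(freeze_text)
    hits = []
    for pkg, (advisory, fixed) in advisories.items():
        installed = pins.get(normalize_name(pkg))
        if installed is not None and version_lt(installed, fixed):
            hits.append((pkg, installed, advisory))
    return hits


# Constructed sample listings (not captured from the real images).
SUPERSET_310_LIKE_FREEZE = """\
# constructed: a listing carrying the pin the scanner flagged
apache-superset @ file:///app
numexpr==2.8.4
numpy==1.23.5
pandas==2.0.3
"""

PATCHED_FREEZE = """\
numexpr==2.8.7
numpy==1.23.5
"""

if __name__ == "__main__":
    for label, listing in (("3.1.0-like", SUPERSET_310_LIKE_FREEZE), ("patched", PATCHED_FREEZE)):
        print(label, find_vulnerable(listing) or "no findings")
```

To run it against a real image, feed it the container's own listing, for instance `docker run --rm apache/superset:3.1.0 pip freeze > freeze.txt` (assumed invocation; it requires pip on the image's PATH) and pass the file contents to `find_vulnerable`. Rerunning the same check on the image built after the dependency bump is the cheapest way to confirm the finding is gone.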
nigzak (Contributor, Author) commented Feb 21, 2024

superset 3.1.1 also affected

nigzak changed the title "Update superset "numexpr 2.8.4" dependency in docker image of superset 3.1.0 because of CVE-2023-39631" to "Update superset "numexpr 2.8.4" dependency in docker image of superset 3.1.0/3.1.1 because of CVE-2023-39631" on Feb 21, 2024
nigzak (Contributor, Author) commented Mar 1, 2024

Closing the issue; the pull request with the update is merged.

nigzak closed this as completed Mar 1, 2024