Expected Behavior
There is no CVE found in the temporalio/server image.
Actual Behavior
There are 27 vulnerabilities found for image temporalio/server:1.23.0, including 5 high, 19 medium and 3 low CVEs.
Scan results:
Scan results for: image temporalio/server:1.23.0 sha256:5ace4dfce78a30f760d9a0550dceef17e47fac11374e83d85a2762cde767ea41
Vulnerabilities
| CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS | PUBLISHED | DISCOVERED | DESCRIPTION |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-47108 | high | 7.50 | go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc | v0.36.4 | fixed in 0.46.0 (> 5 months ago) | > 5 months | < 1 hour | OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out ... |
| CVE-2023-47108 | high | 7.50 | go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc | v0.42.0 | fixed in 0.46.0 (> 5 months ago) | > 5 months | < 1 hour | OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out ... |
| CVE-2023-39325 | high | 7.50 | golang.org/x/net/http2 | v0.7.0 | fixed in 0.17.0 (51 days ago) | > 6 months | < 1 hour | A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total ... |
| CVE-2023-44487 | high | 5.30 | golang.org/x/net | v0.7.0 | fixed in 0.17.0 (> 6 months ago) | > 6 months | < 1 hour | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited... |
| CVE-2023-44487 | high | 5.30 | google.golang.org/grpc | v1.53.0 | fixed in 1.58.3, 1.57.1, 1.56.3 (> 5 months ago) | > 6 months | < 1 hour | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited... |
| PRISMA-2023-0056 | medium | 6.20 | github.com/sirupsen/logrus | v1.9.0 | fixed in v1.9.3 (> 1 years ago) | > 1 years | < 1 hour | The github.com/sirupsen/logrus module of all versions is vulnerable to denial of service. Logging more than 64kb of data in a single entry without new... |
| CVE-2023-6992 | medium | 5.50 | zlib | 1.3.1-r0 | | > 3 months | < 1 hour | Cloudflare version of zlib library was found to be vulnerable to memory corruption issues affecting the deflation algorithm implementation (deflate.c)... |
| CVE-2023-42366 | medium | 5.50 | busybox | 1.36.1 | | > 4 months | < 1 hour | A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159. |
| CVE-2023-42365 | medium | 5.50 | busybox | 1.36.1 | | > 4 months | < 1 hour | A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function. |
| CVE-2023-42364 | medium | 5.50 | busybox | 1.36.1 | | > 4 months | < 1 hour | A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate funct... |
| CVE-2023-42363 | medium | 5.50 | busybox | 1.36.1 | | > 4 months | < 1 hour | A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1. |
| CVE-2024-2435 | moderate | 4.30 | github.com/temporalio/ui-server/v2 | v2.21.3 | fixed in 2.25.0 (14 days ago) | 14 days | < 1 hour | For an attacker with pre-existing access to send a signal to a workflow, the attacker can make the signal name a script that executes when a victim vi... |
| CVE-2024-28180 | moderate | 0.00 | gopkg.in/square/go-jose.v2 | v2.6.0 | fixed in (32 days ago) | 39 days | < 1 hour | Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containi... |
| CVE-2024-27304 | moderate | 0.00 | github.com/jackc/pgx/v5/internal/sanitize | v5.4.3 | fixed in 5.5.4 (33 days ago) | 42 days | < 1 hour | pgx: SQL Injection via Protocol Message Size Overflow |
| CVE-2024-27304 | moderate | 0.00 | github.com/jackc/pgx/v5/pgproto3 | v5.4.3 | fixed in 5.5.4 (33 days ago) | 42 days | < 1 hour | pgx: SQL Injection via Protocol Message Size Overflow |
| CVE-2024-27304 | moderate | 0.00 | github.com/jackc/pgx/v5/pgconn | v5.4.3 | fixed in 5.5.4 (33 days ago) | 42 days | < 1 hour | pgx: SQL Injection via Protocol Message Size Overflow |
| CVE-2024-24786 | moderate | 0.00 | google.golang.org/protobuf/internal/encoding/json | v1.31.0 | fixed in 1.33.0 (42 days ago) | 42 days | < 1 hour | The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshalin... |
| CVE-2024-24786 | moderate | 0.00 | google.golang.org/protobuf/encoding/protojson | v1.31.0 | fixed in 1.33.0 (42 days ago) | 42 days | < 1 hour | The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshalin... |
| CVE-2024-24786 | moderate | 0.00 | google.golang.org/protobuf/internal/encoding/json | v1.28.1 | fixed in 1.33.0 (42 days ago) | 42 days | < 1 hour | The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshalin... |
| CVE-2024-24786 | moderate | 0.00 | google.golang.org/protobuf/encoding/protojson | v1.28.1 | fixed in 1.33.0 (42 days ago) | 42 days | < 1 hour | The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshalin... |
| CVE-2023-45288 | moderate | 0.00 | golang.org/x/net/http2 | v0.22.0 | fixed in 0.23.0 (12 days ago) | 12 days | < 1 hour | An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining H... |
| CVE-2023-45288 | moderate | 0.00 | net/http | 1.22.1 | fixed in 1.21.9, 1.22.2 (12 days ago) | 12 days | < 1 hour | An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining H... |
| CVE-2023-45288 | moderate | 0.00 | golang.org/x/net/http2 | v0.7.0 | fixed in 0.23.0 (12 days ago) | 12 days | < 1 hour | An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining H... |
| CVE-2023-45288 | moderate | 0.00 | golang.org/x/net/http2 | v0.18.0 | fixed in 0.23.0 (12 days ago) | 12 days | < 1 hour | An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining H... |
| CVE-2023-3485 | low | 3.00 | go.temporal.io/server | v1.18.1-0.20230217005328-b313b7f58641 | fixed in 1.20.0 (> 9 months ago) | > 9 months | < 1 hour | Insecure defaults in open-source Temporal Server before version 1.20 on all platforms allows an attacker to craft a task token with access to a namesp... |
| CVE-2024-25629 | low | 0.00 | c-ares | 1.24.0-r1 | fixed in 1.27.0-r0 (22 days ago) | 53 days | < 1 hour | c-ares is a C library for asynchronous DNS requests. `ares__read_line()` is used to parse local configuration files such as `/etc/resolv.conf`, `/etc/... |
| CVE-2024-2511 | low | 0.00 | openssl | 3.1.4-r5 | fixed in 3.1.4-r6 (7 days ago) | n/a | < 1 hour | Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions Impact summary: An attac... |
Vulnerabilities found for image temporalio/server:1.23.0: total - 27, critical - 0, high - 5, medium - 19, low - 3
Vulnerability threshold check results: PASS
Compliance found for image temporalio/server:1.23.0: total - 0, critical - 0, high - 0, medium - 0, low - 0
Compliance threshold check results: PASS
Steps to Reproduce the Problem
Pull the latest image temporalio/server:1.23.0 from Dockerhub
Scan the image with any vulnerability scanner
Specifications
Version: 1.23.0
Platform: N/A