Vulnerabilities in Docker images #30

Closed
MFIB00 opened this issue Oct 10, 2023 · 2 comments

@MFIB00
MFIB00 commented Oct 10, 2023

Hello!

I decided to scan the docker images that were created after the docker-compose up -d command. Snyk found multiple vulnerabilities in the datalens images. In the attachment you can find the full scan results. The great concern is about the critical vulnerabilities with RCE. Do they affect the current version of datalens? Are there any plans to update the old components in the future?

Thank you!
datalens-us_0.96.0.txt
datalens-ui_0.795.0.txt
datalens-data-api_0.2037.0.txt
datalens-control-api_0.2037.0.txt

@resure
Contributor

resure commented Oct 11, 2023

Hi. Most of the triggers listed in the attached files are related to various packages that are not directly involved with the service itself (like vim). We'll probably switch to more lightweight base images with fewer dependencies in the future.

We regularly analyse our dependencies, but we'll take a thorough look at your listing too, in case there really is something that can be exploited.

P.S. In case you want to report a confirmed security problem in the future, please take a look at SECURITY.md.

@dzarlax

dzarlax commented Nov 10, 2023

The pull request datalens-tech/datalens-backend#48 describes what has been updated, if needed.

The reports are attached. These files contain the scan results for the new images. There remain two vulnerabilities marked as high risk:

  • one does not affect us at all, because we do not use the vulnerable part of the library
  • the second can cause file parser fail in some situations, we'll look into it later

snyk-data-api-report.txt
snyk-control-api-report.txt

All vulnerabilities that we can still correct (i.e., those that did not come with the Ubuntu base image and somehow affect us), including these two, are additionally described below, along with why we did not update immediately:

Upgrade [email protected] to [email protected] to fix
  ✗ Missing Cryptographic Step (new) [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-6036192] in [email protected]
  == Not vulnerable, will update later

Upgrade [email protected] to [email protected] to fix
  ✗ Information Exposure [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-REQUESTS-5595532] in [email protected]
  == Not vulnerable, will update later

Upgrade [email protected] to [email protected] to fix
  ✗ Double Free [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-UJSON-2940619] in [email protected]
  ✗ Improper Handling of Syntactically Invalid Structure [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-UJSON-2942122] in [email protected]
  ✗ Out-of-Bounds Write [High Severity][https://security.snyk.io/vuln/SNYK-PYTHON-UJSON-2359034] in [email protected]
  == Breaks current behavior, need to consider; the vulnerability does not affect users.

Upgrade [email protected] to [email protected] to fix
  ✗ Inefficient Algorithmic Complexity (new) [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-WERKZEUG-6035177] in [email protected]
  ✗ Denial of Service (DoS) (new) [High Severity][https://security.snyk.io/vuln/SNYK-PYTHON-WERKZEUG-6041510] in [email protected]
  == Not vulnerable

Pin [email protected] to [email protected] to fix
  ✗ Information Exposure Through Sent Data [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-URLLIB3-5926907] in [email protected]
  ✗ Information Exposure Through Sent Data (new) [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-URLLIB3-6002459] in [email protected]
  == Seems not vulnerable, medium, potentially breaking changes, will update later
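The remediation listing in the comment above is the plain-text output of `snyk test` ("Upgrade X to Y to fix" / "Pin X to Y to fix", followed by one or more ✗ advisories), with a free-form triage verdict appended after "==". The following is an added example, not code from the DataLens project or from Snyk: a small Python script that parses such lines (whether pretty-printed or flattened onto one line, as in the thread) into structured findings, ranks packages by their worst severity, and emits a pip constraints file that pins only the packages still having an unwaived advisory. The sample report is constructed for the example: the package names and Snyk IDs are the ones listed above, but the versions are illustrative placeholders, because the real ones did not survive in the thread.

```python
"""Triage Snyk 'Upgrade/Pin X to Y to fix' remediation lines.

Added example for this thread, not DataLens or Snyk code. It assumes the
plain-text layout that `snyk test` prints for Python projects: a remediation
header followed by one or more "✗ <title> [<Sev> Severity][<url>] in
<pkg>@<ver>" entries, on separate lines or flattened onto one line, optionally
followed by a free-form "== <triage note>" as in the thread.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

HEADER_RE = re.compile(r"\b(Upgrade|Pin) (\S+)@(\S+) to \S+@(\S+) to fix\b")
ISSUE_RE = re.compile(
    r"✗ (?P<title>.+?)(?P<new> \(new\))? \[(?P<sev>\w+) Severity\]"
    r"\[(?P<url>https://security\.snyk\.io/vuln/(?P<id>[A-Z0-9-]+))\]"
    r" in (?P<pkg>\S+)@(?P<ver>\S+)"
)
NOTE_RE = re.compile(r"== *(?P<note>.+?)\s*$")

# Constructed sample input: package names and Snyk IDs as in the thread,
# but the versions are illustrative placeholders, not taken from the page.
SAMPLE_REPORT = """\
Upgrade cryptography@41.0.3 to cryptography@41.0.4 to fix
  ✗ Missing Cryptographic Step (new) [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-6036192] in cryptography@41.0.3
Upgrade ujson@5.1.0 to ujson@5.4.0 to fix
  ✗ Double Free [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-UJSON-2940619] in ujson@5.1.0
  ✗ Improper Handling of Syntactically Invalid Structure [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-UJSON-2942122] in ujson@5.1.0
  ✗ Out-of-Bounds Write [High Severity][https://security.snyk.io/vuln/SNYK-PYTHON-UJSON-2359034] in ujson@5.1.0
Pin urllib3@1.26.15 to urllib3@1.26.18 to fix
  ✗ Information Exposure Through Sent Data [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-URLLIB3-5926907] in urllib3@1.26.15
  ✗ Information Exposure Through Sent Data (new) [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-URLLIB3-6002459] in urllib3@1.26.15
"""


@dataclass(frozen=True)
class Finding:
    snyk_id: str
    title: str
    severity: str
    package: str
    installed: str
    fix_version: str
    action: str      # "Upgrade" = direct dependency, "Pin" = transitive one
    is_new: bool     # Snyk flags advisories not seen in the previous run "(new)"
    url: str
    note: str        # free-form triage note after "==", "" if absent


def parse_report(text: str) -> list[Finding]:
    """A header's action and fix version apply to every ✗ entry that follows it
    until the next header, whether on the same line or on later lines."""
    findings: list[Finding] = []
    header = None
    for line in text.splitlines():
        h = HEADER_RE.search(line)
        if h:
            header = h.groups()
        if header is None:
            continue  # preamble before the first remediation header
        action, _, _, fix_version = header
        note = NOTE_RE.search(line)
        for m in ISSUE_RE.finditer(line):
            findings.append(Finding(
                snyk_id=m["id"], title=m["title"], severity=m["sev"],
                package=m["pkg"], installed=m["ver"], fix_version=fix_version,
                action=action, is_new=m["new"] is not None, url=m["url"],
                note=note["note"] if note else "",
            ))
    return findings


def worst_severity(findings: list[Finding]) -> dict[str, str]:
    """Highest severity per package, to order the remediation work."""
    worst: dict[str, str] = {}
    for f in findings:
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK.get(worst.get(f.package), 0):
            worst[f.package] = f.severity
    return worst


def constraints(findings: list[Finding], waived: frozenset[str] = frozenset()) -> str:
    """Render a pip constraints file pinning each affected package to Snyk's fix
    version. A package is skipped only when *every* advisory against it has been
    waived (e.g. "not vulnerable, will update later"); a single open advisory
    keeps the pin. Constraints also reach transitive ("Pin") packages, which a
    bump in requirements.txt alone cannot."""
    by_pkg: dict[str, list[Finding]] = defaultdict(list)
    for f in findings:
        by_pkg[f.package].append(f)
    lines = []
    for pkg in sorted(by_pkg):
        open_ids = sorted({f.snyk_id for f in by_pkg[pkg]} - waived)
        if not open_ids:
            continue
        lines.append(f"{pkg}=={by_pkg[pkg][0].fix_version}  # {', '.join(open_ids)}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    # Waivers mirroring the triage in the thread: cryptography and urllib3 were
    # judged not to affect the service, the ujson findings stay open.
    waived = frozenset({"SNYK-PYTHON-CRYPTOGRAPHY-6036192",
                        "SNYK-PYTHON-URLLIB3-5926907", "SNYK-PYTHON-URLLIB3-6002459"})
    for pkg, sev in sorted(worst_severity(found).items(), key=lambda kv: -SEVERITY_RANK[kv[1]]):
        print(f"{pkg:14} worst={sev}")
    print(constraints(found, waived))
```

Feed it the saved `snyk test` output (`python triage.py < snyk-report.txt` after swapping SAMPLE_REPORT for stdin) and pass the waived Snyk IDs explicitly, so the "not vulnerable" verdicts from a triage live in one reviewable place instead of in prose, and the generated constraints file can be handed to `pip install -c constraints.txt` in the image build.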
