Vulnerabilities in Docker images #30
Comments
Hi. Most of the triggers listed in the attached files are related to various packages that are not directly involved with the service itself (like
We regularly analyse our dependencies, but we'll take a thorough look at your listing too, in case there is really something that can be exploited.
P.S. In case you want to report a confirmed security problem in the future, please take a look at SECURITY.md
The pull request datalens-tech/datalens-backend#48 describes what has been updated, if needed. The reports are attached. These files contain scan results for the new images. Two vulnerabilities marked as high risk remain:

snyk-data-api-report.txt

All vulnerabilities, including these two, that we can still correct (i.e. those that did not come with the Ubuntu base image and somehow affect us) are additionally described below, together with the reason we did not update immediately.

Upgrade [email protected] to [email protected] to fix
  ✗ Missing Cryptographic Step (new) [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-6036192] in [email protected]
== Not vulnerable, will update later

Upgrade [email protected] to [email protected] to fix
  ✗ Information Exposure [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-REQUESTS-5595532] in [email protected]
== Not vulnerable, will update later

Upgrade [email protected] to [email protected] to fix
  ✗ Double Free [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-UJSON-2940619] in [email protected]
  ✗ Improper Handling of Syntactically Invalid Structure [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-UJSON-2942122] in [email protected]
  ✗ Out-of-Bounds Write [High Severity][https://security.snyk.io/vuln/SNYK-PYTHON-UJSON-2359034] in [email protected]
== Breaks current behavior, need to consider; the vulnerability does not affect users.

Upgrade [email protected] to [email protected] to fix
  ✗ Inefficient Algorithmic Complexity (new) [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-WERKZEUG-6035177] in [email protected]
  ✗ Denial of Service (DoS) (new) [High Severity][https://security.snyk.io/vuln/SNYK-PYTHON-WERKZEUG-6041510] in [email protected]
== Not vulnerable

Pin [email protected] to [email protected] to fix
  ✗ Information Exposure Through Sent Data [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-URLLIB3-5926907] in [email protected]
  ✗ Information Exposure Through Sent Data (new) [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-URLLIB3-6002459] in [email protected]
== Seems not vulnerable, medium, potentially breaking changes, will update later
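The maintainer's triage above groups Snyk's text output by the upgrade that fixes each finding and then argues per group about exploitability and fix cost. The script below is an added example (not part of this issue thread and not datalens or Snyk code) that automates the mechanical half of that: it parses the "Upgrade X to Y to fix / ✗ ... [Severity][url] in X" layout Snyk's CLI prints, drops findings below a severity threshold, separates findings that have an upgrade path from those that do not (typically base-image packages), and produces a per-upgrade plan ranked by the worst issue each upgrade resolves. The sample report is constructed inline; the Snyk IDs for the Python packages are the ones quoted above, but every version number and the Ubuntu-package line are placeholders made up for the example, not values from the original reports.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# "Upgrade pkg@old to pkg@new to fix" or "Pin pkg@old to pkg@new to fix"
_FIX_RE = re.compile(r"^(?:Upgrade|Pin) (\S+) to (\S+) to fix$")
# "✗ Title [High Severity][https://security.snyk.io/vuln/ID] in pkg@ver"
_VULN_RE = re.compile(r"^✗ (.+?) \[(\w+) Severity\]\[(\S+?)\] in (\S+)$")


@dataclass(frozen=True)
class Finding:
    title: str
    severity: str           # lower-cased: low / medium / high / critical
    url: str                # Snyk advisory URL, carries the SNYK-... id
    package: str            # installed package@version, as printed by Snyk
    new: bool               # Snyk flagged it "(new)" relative to the last scan
    fix: Optional[str]      # package@version the report says to upgrade/pin to


def parse_snyk_text(report: str) -> List[Finding]:
    """Parse Snyk CLI text output into Finding records.

    A "... to fix" line opens a group; the "✗" lines that follow belong to it.
    Any other line (headers, blank separators, "Issues with no direct upgrade
    or patch:") closes the group, so findings under it get fix=None.
    """
    findings: List[Finding] = []
    current_fix: Optional[str] = None
    for raw in report.splitlines():
        line = raw.strip()
        m = _FIX_RE.match(line)
        if m:
            current_fix = m.group(2)
            continue
        m = _VULN_RE.match(line)
        if m:
            title, sev, url, pkg = m.groups()
            is_new = title.endswith(" (new)")
            if is_new:
                title = title[: -len(" (new)")]
            findings.append(Finding(title, sev.lower(), url, pkg, is_new, current_fix))
            continue
        current_fix = None
    return findings


def triage(findings: List[Finding], min_severity: str = "high",
           fixable_only: bool = True) -> List[Finding]:
    """Keep findings at or above min_severity; optionally only those with a fix."""
    threshold = SEVERITY_RANK[min_severity]
    return [f for f in findings
            if SEVERITY_RANK[f.severity] >= threshold and (f.fix or not fixable_only)]


def group_by_fix(findings: List[Finding]) -> Dict[Optional[str], List[Finding]]:
    groups: Dict[Optional[str], List[Finding]] = {}
    for f in findings:
        groups.setdefault(f.fix, []).append(f)
    return groups


def fix_plan(findings: List[Finding]) -> Dict[str, str]:
    """Map each upgrade target to the worst severity it resolves, for prioritising."""
    return {fix: max(group, key=lambda f: SEVERITY_RANK[f.severity]).severity
            for fix, group in group_by_fix(findings).items() if fix is not None}


# Constructed sample in the layout Snyk's CLI prints. Versions are placeholders;
# the last entry is a made-up OS-package finding with a fake advisory id.
SAMPLE_REPORT = """\
Testing datalens-data-api...

Upgrade cryptography@1.0.0 to cryptography@1.0.1 to fix
  ✗ Missing Cryptographic Step (new) [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-6036192] in cryptography@1.0.0

Upgrade ujson@1.0.0 to ujson@2.0.0 to fix
  ✗ Double Free [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-UJSON-2940619] in ujson@1.0.0
  ✗ Improper Handling of Syntactically Invalid Structure [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-UJSON-2942122] in ujson@1.0.0
  ✗ Out-of-Bounds Write [High Severity][https://security.snyk.io/vuln/SNYK-PYTHON-UJSON-2359034] in ujson@1.0.0

Upgrade werkzeug@1.0.0 to werkzeug@1.0.1 to fix
  ✗ Inefficient Algorithmic Complexity (new) [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-WERKZEUG-6035177] in werkzeug@1.0.0
  ✗ Denial of Service (DoS) (new) [High Severity][https://security.snyk.io/vuln/SNYK-PYTHON-WERKZEUG-6041510] in werkzeug@1.0.0

Issues with no direct upgrade or patch:
  ✗ Out-of-bounds Read [High Severity][https://security.snyk.io/vuln/SNYK-EXAMPLE-PLACEHOLDER-0000000] in libexample@1.0.0
"""

if __name__ == "__main__":
    found = parse_snyk_text(SAMPLE_REPORT)
    for f in triage(found):
        print(f"{f.severity:8} {f.package:22} -> {f.fix:22} {f.title}")
    for target, worst in fix_plan(found).items():
        print(f"upgrade to {target}: worst issue resolved is {worst}")
    print("unfixable (base image?):", [f.package for f in found if f.fix is None])
```

Run it against a real `snyk container test` text report by passing the file contents to `parse_snyk_text`. The unfixable group is the one to compare against the base image's own package list: if everything in it comes from the Ubuntu layer, the fix is a newer base image rather than a requirements change.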
Hello!
I decided to scan the docker images that were created after the docker-compose up -d command. Snyk found multiple vulnerabilities in the datalens images. In the attachment you can find the full scan results. The great concern is about critical vulnerabilities with RCE. Do they affect the current version of datalens? Are there any plans to update old components in the future?
Thank you!
datalens-us_0.96.0.txt
datalens-ui_0.795.0.txt
datalens-data-api_0.2037.0.txt
datalens-control-api_0.2037.0.txt