Vulnerabilities on v1.17 #917

Open
trumbaut opened this issue Jan 27, 2025 · 1 comment

Comments

@trumbaut

Upgrading smbplugin from v1.16 to v1.17 fixed several security issues. However, our vulnerability scanner still detects 36 security issues within the smbplugin container. Three of them are tagged with Critical or Important severity:

CVE-2023-45853: Critical 9.8 (V3)
MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.

CVE-2023-31484: Important 8.10 (V3)
CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.

CVE-2023-52425: Important 7.50 (V3)
libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.

The following components receive a CVSS Score above 8.0 but are tagged with a lower severity:

CVE-2019-1010022: Low 9.80 (V3)
GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."

CVE-2019-1010023: Low 8.80 (V3)
GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd executes code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."

CVE-2023-31486: Low 8.10 (V3)
HTTP::Tiny before 0.083; a Perl core module since 5.13.9 and available standalone on CPAN; has an insecure default TLS configuration where users must opt in to verify certificates.

Thanks for checking and fixing at least the main issues.

@andyzhangx
Member

The CVEs you mentioned are all unfixed CVEs in the Debian base image; there is nothing we could do now.

# trivy image --ignore-unfixed registry.k8s.io/sig-storage/smbplugin:v1.17.0
2025-01-29T03:53:57.325Z        INFO    Vulnerability scanning is enabled
2025-01-29T03:53:57.325Z        INFO    Secret scanning is enabled
2025-01-29T03:53:57.325Z        INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2025-01-29T03:53:57.325Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.36/docs/secret/scanning/#recommendation for faster secret detection
2025-01-29T03:53:57.560Z        INFO    Detected OS: debian
2025-01-29T03:53:57.560Z        INFO    Detecting Debian vulnerabilities...
2025-01-29T03:53:57.578Z        INFO    Number of language-specific files: 1
2025-01-29T03:53:57.578Z        INFO    Detecting gobinary vulnerabilities...

registry.k8s.io/sig-storage/smbplugin:v1.17.0 (debian 12.9)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
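The two views in this thread (the reporter's 36 findings from a generic scanner and the maintainer's `--ignore-unfixed` total of 0) differ only in whether a finding carries a FixedVersion from the distro. The script below is an added example, not code from csi-driver-smb or from Trivy. It parses a Trivy-style JSON report (`trivy image -f json`) that is constructed here from the CVE IDs quoted above; the package names and Status values are illustrative placeholders, not taken from the real image. It applies the same filter as `--ignore-unfixed`, reproduces Trivy's one-line total, and lists the findings whose NVD CVSS v3 score is at least 8.0 while the scanner severity is MEDIUM or lower, which is the mismatch the reporter points out.

```python
"""Triage a Trivy JSON report two ways: everything the scanner saw, and the
`--ignore-unfixed` subset; then flag severity tags that sit far below the
NVD CVSS score.

Added example for this issue thread, not part of csi-driver-smb or Trivy.
The report is a constructed sample built from the CVE IDs quoted in the
issue; package names and Status values are illustrative placeholders.
"""
import json
from collections import Counter

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample in Trivy's JSON layout (Results[].Vulnerabilities[]).
# No entry has a FixedVersion, which is what makes `--ignore-unfixed`
# report "Total: 0" for this image.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "registry.k8s.io/sig-storage/smbplugin:v1.17.0 (debian 12.9)",
        "Type": "debian",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2023-45853", "PkgName": "zlib1g",
             "Severity": "CRITICAL", "Status": "will_not_fix",
             "CVSS": {"nvd": {"V3Score": 9.8}}},
            {"VulnerabilityID": "CVE-2023-31484", "PkgName": "perl-base",
             "Severity": "HIGH", "Status": "affected",
             "CVSS": {"nvd": {"V3Score": 8.1}}},
            {"VulnerabilityID": "CVE-2023-52425", "PkgName": "libexpat1",
             "Severity": "HIGH", "Status": "affected",
             "CVSS": {"nvd": {"V3Score": 7.5}}},
            {"VulnerabilityID": "CVE-2019-1010022", "PkgName": "libc6",
             "Severity": "LOW", "Status": "will_not_fix",
             "CVSS": {"nvd": {"V3Score": 9.8}}},
            {"VulnerabilityID": "CVE-2019-1010023", "PkgName": "libc6",
             "Severity": "LOW", "Status": "will_not_fix",
             "CVSS": {"nvd": {"V3Score": 8.8}}},
            {"VulnerabilityID": "CVE-2023-31486", "PkgName": "perl-base",
             "Severity": "LOW", "Status": "affected",
             "CVSS": {"nvd": {"V3Score": 8.1}}},
        ],
    }]
})


def load_findings(report_json: str) -> list[dict]:
    """Flatten Results[].Vulnerabilities[] into simple records."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        # Trivy omits the key entirely for a clean target.
        for vuln in result.get("Vulnerabilities") or []:
            nvd = vuln.get("CVSS", {}).get("nvd", {})
            findings.append({
                "id": vuln["VulnerabilityID"],
                "pkg": vuln.get("PkgName", ""),
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
                "fixed_version": vuln.get("FixedVersion", ""),
                "status": vuln.get("Status", ""),
                "nvd_v3": nvd.get("V3Score"),
            })
    return findings


def fixed_only(findings: list[dict]) -> list[dict]:
    """Same filter as `trivy --ignore-unfixed`: keep only findings for
    which the distro has shipped a fixed package version."""
    return [f for f in findings if f["fixed_version"]]


def severity_mismatches(findings: list[dict], threshold: float = 8.0) -> list[dict]:
    """Findings whose NVD CVSS v3 base score is >= threshold but whose
    scanner severity tag is MEDIUM or lower (or UNKNOWN)."""
    return [
        f for f in findings
        if f["nvd_v3"] is not None
        and f["nvd_v3"] >= threshold
        and f["severity"] not in ("HIGH", "CRITICAL")
    ]


def summarize(findings: list[dict]) -> str:
    """Reproduce Trivy's one-line total for a list of findings."""
    counts = Counter(f["severity"] for f in findings)
    body = ", ".join(f"{s}: {counts[s]}" for s in SEVERITIES)
    return f"Total: {len(findings)} ({body})"


if __name__ == "__main__":
    everything = load_findings(SAMPLE_REPORT)
    print("all findings:     ", summarize(everything))
    print("--ignore-unfixed: ", summarize(fixed_only(everything)))
    for f in severity_mismatches(everything):
        print(f"severity/CVSS gap: {f['id']} ({f['pkg']}) tagged "
              f"{f['severity']} but NVD v3 {f['nvd_v3']}, status "
              f"{f['status'] or 'unknown'}")
```

To replay this against the real image, run `trivy image -f json -o report.json registry.k8s.io/sig-storage/smbplugin:v1.17.0` and pass the file contents to `load_findings`. For Debian packages Trivy takes the severity from the Debian Security Tracker's own rating rather than from NVD, which is how a finding can carry a LOW tag beside a 9.8 NVD score; the mismatch list surfaces those so they are accepted deliberately rather than disappearing behind `--ignore-unfixed`.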
