You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Bug description
Please fix the vulnerabilities and one compliance finding:
vulnerabilities:
CVE-2021-38297: go
CVE-2021-41772: go
CVE-2021-41771: go
CVE-2021-39293: go
CVE-2021-33198: go
CVE-2021-33196: go
CVE-2021-33194: go
CVE-2021-29923: go
CVE-2021-27918: go
CVE-2020-28367: go
CVE-2020-28366: go
CVE-2020-28362: go
CVE-2020-16845: go
CVE-2021-33195: go
compliance:
- "(CIS_Docker_v1.2.0 - 4.1) Image should be created with a non-root user"
Expected behavior
All the CVEs are addressed and fixed in future release(s).
Portainer Logs
N/A
Steps to reproduce the issue:
N/A
Technical details:
Portainer version: 2.11.0
Docker version (managed by Portainer): N/A
Kubernetes version (managed by Portainer): N/A
Platform (windows/linux): linux
Command used to start Portainer Agent: N/A
Browser: N/A
Have you reviewed our technical documentation and knowledge base? No
Additional context
"vulnerabilities": [
{
"id": "CVE-2021-38297",
"status": "fixed in 1.17.2, 1.16.9",
"cvss": 9.8,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"description": "Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.",
"severity": "critical",
"packageName": "go",
"packageVersion": "1.13.8",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38297",
"riskFactors": [
"Attack vector: network",
"Critical severity",
"Has fix",
"Recent vulnerability",
"Attack complexity: low"
],
"impactedVersions": [
"<1.16.9"
],
"publishedDate": "2021-10-18T06:15:00Z",
"discoveredDate": "2021-12-30T11:30:09Z",
"fixDate": "2021-10-18T06:15:00Z",
"layerTime": "1970-01-01T00:00:00Z"
},
{
"id": "CVE-2021-38297",
"status": "fixed in 1.17.2, 1.16.9",
"cvss": 9.8,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"description": "Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.",
"severity": "critical",
"packageName": "go",
"packageVersion": "1.16.6",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38297",
"riskFactors": [
"Attack complexity: low",
"Attack vector: network",
"Critical severity",
"Has fix",
"Recent vulnerability"
],
"impactedVersions": [
"<1.16.9"
],
"publishedDate": "2021-10-18T06:15:00Z",
"discoveredDate": "2021-12-30T11:30:09Z",
"fixDate": "2021-10-18T06:15:00Z",
"layerTime": "1970-01-01T00:00:00Z"
},
{
"id": "CVE-2021-38297",
"status": "fixed in 1.17.2, 1.16.9",
"cvss": 9.8,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"description": "Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.",
"severity": "critical",
"packageName": "go",
"packageVersion": "1.13.15",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-38297",
"riskFactors": [
"Critical severity",
"Has fix",
"Recent vulnerability",
"Attack complexity: low",
"Attack vector: network"
],
"impactedVersions": [
"<1.16.9"
],
"publishedDate": "2021-10-18T06:15:00Z",
"discoveredDate": "2021-12-30T11:30:09Z",
"fixDate": "2021-10-18T06:15:00Z",
"layerTime": "1970-01-01T00:00:00Z"
},
{
"id": "CVE-2021-41772",
"status": "fixed in 1.17.3, 1.16.10",
"cvss": 7.5,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"description": "Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.",
"severity": "high",
"packageName": "go",
"packageVersion": "1.16.6",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-41772",
"riskFactors": [
"Attack complexity: low",
"Attack vector: network",
"Has fix",
"High severity",
"Recent vulnerability"
],
"impactedVersions": [
"<1.16.10"
],
"publishedDate": "2021-11-08T06:15:00Z",
"discoveredDate": "2021-12-30T11:30:09Z",
"fixDate": "2021-11-08T06:15:00Z",
"layerTime": "1970-01-01T00:00:00Z"
},
{
"id": "CVE-2021-41772",
"status": "fixed in 1.17.3, 1.16.10",
"cvss": 7.5,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"description": "Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.",
"severity": "high",
"packageName": "go",
"packageVersion": "1.13.8",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-41772",
"riskFactors": [
"Has fix",
"High severity",
"Recent vulnerability",
"Attack complexity: low",
"Attack vector: network"
],
"impactedVersions": [
"<1.16.10"
],
"publishedDate": "2021-11-08T06:15:00Z",
"discoveredDate": "2021-12-30T11:30:09Z",
"fixDate": "2021-11-08T06:15:00Z",
"layerTime": "1970-01-01T00:00:00Z"
},
{
"id": "CVE-2021-41772",
"status": "fixed in 1.17.3, 1.16.10",
"cvss": 7.5,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"description": "Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.",
"severity": "high",
"packageName": "go",
"packageVersion": "1.13.15",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-41772",
"riskFactors": [
"Attack vector: network",
"Has fix",
"High severity",
"Recent vulnerability",
"Attack complexity: low"
],
"impactedVersions": [
"<1.16.10"
],
"publishedDate": "2021-11-08T06:15:00Z",
"discoveredDate": "2021-12-30T11:30:09Z",
"fixDate": "2021-11-08T06:15:00Z",
"layerTime": "1970-01-01T00:00:00Z"
},
{
"id": "CVE-2021-41771",
"status": "fixed in 1.17.3, 1.16.10",
"cvss": 7.5,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"description": "ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.",
"severity": "high",
"packageName": "go",
"packageVersion": "1.13.8",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-41771",
"riskFactors": [
"Recent vulnerability",
"Attack complexity: low",
"Attack vector: network",
"Has fix",
"High severity"
],
"impactedVersions": [
"<1.16.10"
],
"publishedDate": "2021-11-08T06:15:00Z",
"discoveredDate": "2021-12-30T11:30:09Z",
"fixDate": "2021-11-08T06:15:00Z",
"layerTime": "1970-01-01T00:00:00Z"
},
{
"id": "CVE-2021-41771",
"status": "fixed in 1.17.3, 1.16.10",
"cvss": 7.5,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"description": "ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.",
"severity": "high",
"packageName": "go",
"packageVersion": "1.16.6",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-41771",
"riskFactors": [
"Recent vulnerability",
"Attack complexity: low",
"Attack vector: network",
"Has fix",
"High severity"
],
"impactedVersions": [
"<1.16.10"
],
"publishedDate": "2021-11-08T06:15:00Z",
"discoveredDate": "2021-12-30T11:30:09Z",
"fixDate": "2021-11-08T06:15:00Z",
"layerTime": "1970-01-01T00:00:00Z"
},
{
"id": "CVE-2021-41771",
"status": "fixed in 1.17.3, 1.16.10",
"cvss": 7.5,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"description": "ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.",
"severity": "high",
"packageName": "go",
"packageVersion": "1.13.15",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-41771",
"riskFactors": [
"High severity",
"Recent vulnerability",
"Attack complexity: low",
"Attack vector: network",
"Has fix"
],
"impactedVersions": [
"<1.16.10"
],
"publishedDate": "2021-11-08T06:15:00Z",
"discoveredDate": "2021-12-30T11:30:09Z",
"fixDate": "2021-11-08T06:15:00Z",
"layerTime": "1970-01-01T00:00:00Z"
},
{
"id": "CVE-2021-39293",
"status": "fixed in 1.17.1, 1.16.8",
"cvss": 7.5,
"description": "DOCUMENTATION: A vulnerability was found in archive/zip of the Go standard library. Applications written in Go can panic or potentially exhaust system memory when parsing malformed ZIP files. An attacker capable of submitting a crafted ZIP file to a Go application using archive/zip to process that file could cause a denial of service via memory exhaustion or panic. This particular flaw is an incomplete fix for a previous flaw. STATEMENT: * In OpenShift Container Platform, multiple components are written in Go and use archive/zip from the standard library. However, all such components are short lived client side tools, not long lived server side executables. As the maximum impact of this vulnerability is a denial of service in client utilities, this vulnerability is rated Low for OpenShift Container Platform. * This flaw is out of support scope for Red Hat Enterprise Linux 7. For more information about Red Hat Enterprise Linux support scope, please see https://access.redhat.com/support/policy/updates/errata * Because Service Telemetry Framework1.2 will be retiring soon and the flaw\\'s impact is lower, no update will be provided at this time for STF1.2\\'s smart-gateway-container and sg-core-container.",
"severity": "high",
"packageName": "go",
"packageVersion": "1.16.6",
"link": "https://github.com/golang/go/issues/47801",
"riskFactors": [
"High severity",
"Recent vulnerability",
"DoS",
"Has fix"
],
"impactedVersions": [
"<1.16.8,1.16"
],
"publishedDate": "2021-08-18T00:00:00Z",
"discoveredDate": "2021-12-30T11:30:09Z",
"layerTime": "1970-01-01T00:00:00Z"
},
{
"id": "CVE-2021-33198",
"status": "fixed in 1.16.5, 1.15.13",
"cvss": 7.5,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"description": "In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.",
"severity": "high",
"packageName": "go",
"packageVersion": "1.13.8",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33198",
"riskFactors": [
"Attack complexity: low",
"Attack vector: network",
"Has fix",
"High severity",
"Recent vulnerability"
],
"impactedVersions": [
"<1.15.13"
],
"publishedDate": "2021-08-02T19:15:00Z",
"discoveredDate": "2021-12-30T11:30:09Z",
"fixDate": "2021-08-02T19:15:00Z",
"layerTime": "1970-01-01T00:00:00Z"
},
{
"id": "CVE-2021-33198",
"status": "fixed in 1.16.5, 1.15.13",
"cvss": 7.5,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"description": "In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.",
"severity": "high",
"packageName": "go",
"packageVersion": "1.13.15",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33198",
"riskFactors": [
"Attack complexity: low",
"Attack vector: network",
"Has fix",
"High severity",
"Recent vulnerability"
],
"impactedVersions": [
"<1.15.13"
],
"publishedDate": "2021-08-02T19:15:00Z",
"discoveredDate": "2021-12-30T11:30:09Z",
"fixDate": "2021-08-02T19:15:00Z",
"layerTime": "1970-01-01T00:00:00Z"
},
{
"id": "CVE-2021-33196",
"status": "fixed in 1.16.5, 1.15.13",
"cvss": 7.5,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"description": "In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive\\'s header) can cause a NewReader or OpenReader panic.",
"severity": "high",
"packageName": "go",
"packageVersion": "1.13.15",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33196",
"riskFactors": [
"Attack complexity: low",
"Attack vector: network",
"Has fix",
"High severity",
"Recent vulnerability"
],
"impactedVersions": [
"<1.15.13"
],
"publishedDate": "2021-08-02T19:15:00Z",
"discoveredDate": "2021-12-30T11:30:09Z",
"fixDate": "2021-08-02T19:15:00Z",
"layerTime": "1970-01-01T00:00:00Z"
},
{
"id": "CVE-2021-33196",
"status": "fixed in 1.16.5, 1.15.13",
"cvss": 7.5,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"description": "In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive\\'s header) can cause a NewReader or OpenReader panic.",
"severity": "high",
"packageName": "go",
"packageVersion": "1.13.8",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33196",
"riskFactors": [
"Attack complexity: low",
"Attack vector: network",
"Has fix",
"High severity",
"Recent vulnerability"
],
"impactedVersions": [
"<1.15.13"
],
"publishedDate": "2021-08-02T19:15:00Z",
"discoveredDate": "2021-12-30T11:30:09Z",
"fixDate": "2021-08-02T19:15:00Z",
"layerTime": "1970-01-01T00:00:00Z"
},
{
"id": "CVE-2021-33194",
"cvss": 7.5,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"description": "golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.",
"severity": "high",
"packageName": "go",
"packageVersion": "1.13.15",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33194",
"riskFactors": [
"Attack complexity: low",
"Attack vector: network",
"DoS",
"High severity",
"Recent vulnerability"
],
"impactedVersions": [
"<=1.15.12"
],
"publishedDate": "2021-05-26T15:15:00Z",
"discoveredDate": "2021-12-30T11:30:09Z",
"layerTime": "1970-01-01T00:00:00Z"
},
{
"id": "CVE-2021-33194",
"cvss": 7.5,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"description": "golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.",
"severity": "high",
"packageName": "go",
"packageVersion": "1.13.8",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33194",
"riskFactors": [
"Recent vulnerability",
"Attack complexity: low",
"Attack vector: network",
"DoS",
"High severity"
],
"impactedVersions": [
"<=1.15.12"
],
"publishedDate": "2021-05-26T15:15:00Z",
"discoveredDate": "2021-12-30T11:30:09Z",
"layerTime": "1970-01-01T00:00:00Z"
},
{
"id": "CVE-2021-29923",
"status": "fixed in 1.17",
"cvss": 7.5,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"description": "Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.",
"severity": "high",
"packageName": "go",
"packageVersion": "1.16.6",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923",
"riskFactors": [
"Attack complexity: low",
"Attack vector: network",
"Has fix",
"High severity",
"Recent vulnerability"
],
"impactedVersions": [
"<1.17"
],
"publishedDate": "2021-08-07T17:15:00Z",
"discoveredDate": "2021-12-30T11:30:09Z",
"fixDate": "2021-08-07T17:15:00Z",
"layerTime": "1970-01-01T00:00:00Z"
},
{
"id": "CVE-2021-29923",
"status": "fixed in 1.17",
"cvss": 7.5,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"description": "Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.",
"severity": "high",
"packageName": "go",
"packageVersion": "1.13.8",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923",
"riskFactors": [
"Has fix",
"High severity",
"Recent vulnerability",
"Attack complexity: low",
"Attack vector: network"
],
"impactedVersions": [
"<1.17"
],
"publishedDate": "2021-08-07T17:15:00Z",
"discoveredDate": "2021-12-30T11:30:09Z",
"fixDate": "2021-08-07T17:15:00Z",
"layerTime": "1970-01-01T00:00:00Z"
},
{
"id": "CVE-2021-29923",
"status": "fixed in 1.17",
"cvss": 7.5,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"description": "Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.",
"severity": "high",
"packageName": "go",
"packageVersion": "1.13.15",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923",
"riskFactors": [
"Attack complexity: low",
"Attack vector: network",
"Has fix",
"High severity",
"Recent vulnerability"
],
"impactedVersions": [
"<1.17"
],
"publishedDate": "2021-08-07T17:15:00Z",
"discoveredDate": "2021-12-30T11:30:09Z",
"fixDate": "2021-08-07T17:15:00Z",
"layerTime": "1970-01-01T00:00:00Z"
},
{
"id": "CVE-2021-27918",
"status": "fixed in 1.16.1, 1.15.9",
"cvss": 7.5,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"description": "encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.",
"severity": "high",
"packageName": "go",
"packageVersion": "1.13.15",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-27918",
"riskFactors": [
"Attack complexity: low",
"Attack vector: network",
"Has fix",
"High severity",
"Recent vulnerability"
],
"impactedVersions": [
"<1.15.9"
],
"publishedDate": "2021-03-11T00:15:00Z",
"discoveredDate": "2021-12-30T11:30:09Z",
"fixDate": "2021-03-11T00:15:00Z",
"layerTime": "1970-01-01T00:00:00Z"
},
{
"id": "CVE-2021-27918",
"status": "fixed in 1.16.1, 1.15.9",
"cvss": 7.5,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"description": "encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.",
"severity": "high",
"packageName": "go",
"packageVersion": "1.13.8",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-27918",
"riskFactors": [
"Attack complexity: low",
"Attack vector: network",
"Has fix",
"High severity",
"Recent vulnerability"
],
"impactedVersions": [
"<1.15.9"
],
"publishedDate": "2021-03-11T00:15:00Z",
"discoveredDate": "2021-12-30T11:30:09Z",
"fixDate": "2021-03-11T00:15:00Z",
"layerTime": "1970-01-01T00:00:00Z"
},
{
"id": "CVE-2020-28367",
"status": "fixed in 1.15.5, 1.14.12",
"cvss": 7.5,
"vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"description": "Go before 1.14.12 and 1.15.x before 1.15.5 allows Argument Injection.",
"severity": "high",
"packageName": "go",
"packageVersion": "1.13.15",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28367",
"riskFactors": [
"High severity",
"Recent vulnerability",
"Attack vector: network",
"Has fix"
],
"impactedVersions": [
"<1.14.12"
],
"publishedDate": "2020-11-18T17:15:00Z",
"discoveredDate": "2021-12-30T11:30:09Z",
"fixDate": "2020-11-18T17:15:00Z",
"layerTime": "1970-01-01T00:00:00Z"
},
{
"id": "CVE-2020-28367",
"status": "fixed in 1.15.5, 1.14.12",
"cvss": 7.5,
"vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"description": "Go before 1.14.12 and 1.15.x before 1.15.5 allows Argument Injection.",
"severity": "high",
"packageName": "go",
"packageVersion": "1.13.8",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28367",
"riskFactors": [
"Attack vector: network",
"Has fix",
"High severity",
"Recent vulnerability"
],
"impactedVersions": [
"<1.14.12"
],
"publishedDate": "2020-11-18T17:15:00Z",
"discoveredDate": "2021-12-30T11:30:09Z",
"fixDate": "2020-11-18T17:15:00Z",
"layerTime": "1970-01-01T00:00:00Z"
},
{
"id": "CVE-2020-28366",
"status": "fixed in 1.15.5, 1.14.12",
"cvss": 7.5,
"vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"description": "Go before 1.14.12 and 1.15.x before 1.15.5 allows Code Injection.",
"severity": "high",
"packageName": "go",
"packageVersion": "1.13.15",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28366",
"riskFactors": [
"Has fix",
"High severity",
"Recent vulnerability",
"Attack vector: network"
],
"impactedVersions": [
"<1.14.12"
],
"publishedDate": "2020-11-18T17:15:00Z",
"discoveredDate": "2021-12-30T11:30:09Z",
"fixDate": "2020-11-18T17:15:00Z",
"layerTime": "1970-01-01T00:00:00Z"
},
{
"id": "CVE-2020-28366",
"status": "fixed in 1.15.5, 1.14.12",
"cvss": 7.5,
"vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"description": "Go before 1.14.12 and 1.15.x before 1.15.5 allows Code Injection.",
"severity": "high",
"packageName": "go",
"packageVersion": "1.13.8",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28366",
"riskFactors": [
"Attack vector: network",
"Has fix",
"High severity",
"Recent vulnerability"
],
"impactedVersions": [
"<1.14.12"
],
"publishedDate": "2020-11-18T17:15:00Z",
"discoveredDate": "2021-12-30T11:30:09Z",
"fixDate": "2020-11-18T17:15:00Z",
"layerTime": "1970-01-01T00:00:00Z"
},
{
"id": "CVE-2020-28362",
"status": "fixed in 1.15.4, 1.14.12",
"cvss": 7.5,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"description": "Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service.",
"severity": "high",
"packageName": "go",
"packageVersion": "1.13.15",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28362",
"riskFactors": [
"Recent vulnerability",
"Attack complexity: low",
"Attack vector: network",
"DoS",
"Has fix",
"High severity"
],
"impactedVersions": [
"<1.14.12"
],
"publishedDate": "2020-11-18T17:15:00Z",
"discoveredDate": "2021-12-30T11:30:09Z",
"fixDate": "2020-11-18T17:15:00Z",
"layerTime": "1970-01-01T00:00:00Z"
},
{
"id": "CVE-2020-28362",
"status": "fixed in 1.15.4, 1.14.12",
"cvss": 7.5,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"description": "Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service.",
"severity": "high",
"packageName": "go",
"packageVersion": "1.13.8",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-28362",
"riskFactors": [
"DoS",
"Has fix",
"High severity",
"Recent vulnerability",
"Attack complexity: low",
"Attack vector: network"
],
"impactedVersions": [
"<1.14.12"
],
"publishedDate": "2020-11-18T17:15:00Z",
"discoveredDate": "2021-12-30T11:30:09Z",
"fixDate": "2020-11-18T17:15:00Z",
"layerTime": "1970-01-01T00:00:00Z"
},
{
"id": "CVE-2020-16845",
"status": "fixed in 1.14.7, 1.13.15",
"cvss": 7.5,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"description": "Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.",
"severity": "high",
"packageName": "go",
"packageVersion": "1.13.8",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2020-16845",
"riskFactors": [
"Attack complexity: low",
"Attack vector: network",
"Has fix",
"High severity",
"Recent vulnerability"
],
"impactedVersions": [
"<1.13.15"
],
"publishedDate": "2020-08-06T18:15:00Z",
"discoveredDate": "2021-12-30T11:30:09Z",
"fixDate": "2020-08-06T18:15:00Z",
"layerTime": "1970-01-01T00:00:00Z"
},
{
"id": "CVE-2021-33195",
"status": "fixed in 1.16.5, 1.15.13",
"cvss": 7.3,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"description": "Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format.",
"severity": "high",
"packageName": "go",
"packageVersion": "1.13.15",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33195",
"riskFactors": [
"Recent vulnerability",
"Attack complexity: low",
"Attack vector: network",
"Has fix",
"High severity"
],
"impactedVersions": [
"<1.15.13"
],
"publishedDate": "2021-08-02T19:15:00Z",
"discoveredDate": "2021-12-30T11:30:09Z",
"fixDate": "2021-08-02T19:15:00Z",
"layerTime": "1970-01-01T00:00:00Z"
},
{
"id": "CVE-2021-33195",
"status": "fixed in 1.16.5, 1.15.13",
"cvss": 7.3,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"description": "Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format.",
"severity": "high",
"packageName": "go",
"packageVersion": "1.13.8",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33195",
"riskFactors": [
"Attack complexity: low",
"Attack vector: network",
"Has fix",
"High severity",
"Recent vulnerability"
],
"impactedVersions": [
"<1.15.13"
],
"publishedDate": "2021-08-02T19:15:00Z",
"discoveredDate": "2021-12-30T11:30:09Z",
"fixDate": "2021-08-02T19:15:00Z",
"layerTime": "1970-01-01T00:00:00Z"
}
The text was updated successfully, but these errors were encountered:
Bug description
Please fix the vulnerabilities and one compliance finding:
Expected behavior
All the CVEs are addressed and fixed in future release(s).
Portainer Logs
N/A
Steps to reproduce the issue:
N/A
Technical details:
Additional context
The text was updated successfully, but these errors were encountered: