Version of Cadence server, and client (which language)
This is very important to root cause bugs.

Server version: v1.2.15

Describe the bug
There are a lot of CVEs found from the latest Cadence image: ubercadence/server:v1.2.15

To Reproduce
Is the issue reproducible?
Yes

Steps to reproduce the behavior:
1. Pull the latest image ubercadence/server:v1.2.15 from Dockerhub
2. Scan the image with any vulnerability scanner
Scan results for: image axonhub.azurecr.io/ubercadence/server:v1.2.15 sha256:0cd848696052d46ed8c353671fbf2a1223df84d5cf1bcfe8b5950ce15a87ee91

Vulnerabilities

| CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS | PUBLISHED | DISCOVERED | DESCRIPTION |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-0210 | high | 7.50 | github.com/apache/thrift/lib/go/thrift | v0.0.0-20161221203622-b2a4d4ae21c7 | fixed in 0.13.0 (> 5 years ago) | > 5 years | < 1 hour | In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data. |
| PRISMA-2023-0056 | medium | 6.20 | github.com/sirupsen/logrus | v1.9.0 | fixed in v1.9.3 (> 1 years ago) | > 1 years | < 1 hour | The github.com/sirupsen/logrus module of all versions is vulnerable to denial of service. Logging more than 64kb of data in a single entry without new... |
| CVE-2023-6992 | medium | 5.50 | zlib | 1.2.13-r1 | | > 1 years | < 1 hour | Cloudflare version of zlib library was found to be vulnerable to memory corruption issues affecting the deflation algorithm implementation (deflate.c)... |
| CVE-2025-26519 | low | 0.00 | musl | 1.2.4-r2 | fixed in 1.2.4-r3 (2 hours ago) | n/a | < 1 hour | |
| CVE-2025-0725 | low | 0.00 | curl | 8.11.1-r0 | fixed in 8.12.0-r0 (6 days ago) | 8 days | < 1 hour | When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zli... |
| CVE-2025-0665 | low | 0.00 | curl | 8.11.1-r0 | fixed in 8.12.0-r0 (6 days ago) | 8 days | < 1 hour | libcurl would wrongly close the same eventfd file descriptor twice when taking down a connection channel after having completed a threaded name resolv... |
| CVE-2025-0167 | low | 0.00 | curl | 8.11.1-r0 | fixed in 8.12.0-r0 (6 days ago) | 8 days | < 1 hour | When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the follow... |
| CVE-2024-13176 | low | 0.00 | openssl | 3.1.7-r1 | fixed in 3.1.8-r0 (2 days ago) | 24 days | < 1 hour | Issue summary: A timing side-channel which could potentially allow recovering the private key exists in the ECDSA signature computation. Impact summa... |

Vulnerabilities found for image axonhub.azurecr.io/ubercadence/server:v1.2.15: total - 8, critical - 0, high - 1, medium - 2, low - 5
Vulnerability threshold check results: PASS

Compliance Issues

| SEVERITY | DESCRIPTION |
|---|---|
| high | (CIS_Docker_v1.5.0 - 4.1) Image should be created with a non-root user |
| high | Private keys stored in image |

Compliance found for image axonhub.azurecr.io/ubercadence/server:v1.2.15: total - 2, critical - 0, high - 2, medium - 0, low - 0
Compliance threshold check results: PASS
Expected behavior
No more CVEs found