Vulnerability (CVE-2023-39325) in node-collector image #5590

Closed
chen-keinan opened this issue Nov 15, 2023 · 0 comments · Fixed by #5591

Labels
kind/security: Categorizes issue or PR as related to Trivy's own security or internal vulnerabilities.
priority/important-soon: Must be staffed and worked on either currently, or very soon, ideally in time for the next release.
target/kubernetes: Issues relating to kubernetes cluster scanning
chen-keinan commented Nov 15, 2023

$ trivy image ghcr.io/aquasecurity/node-collector:0.0.8

Global options:  
2023-11-15T00:09:27.491Z  INFO  Need to update DB
2023-11-15T00:09:27.491Z  INFO  DB Repository: ghcr.io/aquasecurity/trivy-db
2023-11-15T00:09:27.491Z  INFO  Downloading DB...
40.82 MiB / 40.82 MiB [-------------------------------------------------] 100.00% 38.19 MiB p/s 1.3s
2023-11-15T00:09:28.931Z  INFO  Vulnerability scanning is enabled
2023-11-15T00:09:28.931Z  INFO  Secret scanning is enabled
2023-11-15T00:09:28.931Z  INFO  If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-11-15T00:09:28.931Z  INFO  Please see also https://aquasecurity.github.io/trivy/v0.47/docs/scanner/secret/#recommendation for faster secret detection
2023-11-15T00:09:30.094Z  INFO  Detected OS: alpine
2023-11-15T00:09:30.094Z  WARN  This OS version is not on the EOL list: alpine 3.19_alpha20230901
2023-11-15T00:09:30.094Z  INFO  Detecting Alpine vulnerabilities...
2023-11-15T00:09:30.095Z  INFO  Number of language-specific files: 1
2023-11-15T00:09:30.095Z  INFO  Detecting gobinary vulnerabilities...

ghcr.io/aquasecurity/node-collector:2dfdfac30f73a8251bc3b70f432fba99d7b16478-amd64 (alpine 3.19_alpha20230901)
==============================================================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/node-collector (gobinary)
=======================================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2023-39325 │ HIGH     │ fixed  │ v0.13.0           │ 0.17.0        │ golang: net/http, x/net/http2: rapid stream resets can cause │
│                  │                │          │        │                   │               │ excessive work (CVE-2023-44487)                              │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

chen-keinan added the kind/security, priority/important-soon and target/kubernetes labels Nov 15, 2023
chen-keinan self-assigned this Nov 15, 2023
chen-keinan added this to the v0.47.1 milestone Nov 15, 2023