
CVE-2024-6345 in cp-kafka:7.4.6 images (RHEL) #353

Open
nemobis opened this issue Sep 11, 2024 · 2 comments

@nemobis

nemobis commented Sep 11, 2024

The trivy scanner finds one potential vulnerability in the most recent 7.4.x image, 7.4.6 (same on cp-schema-registry:7.4.6, cp-server:7.4.6, cp-zookeeper:7.4.6).

2024-09-11T11:07:49Z	INFO	Detected OS	family="redhat" version="8.10"
2024-09-11T11:07:49Z	INFO	[redhat] Detecting RHEL/CentOS vulnerabilities...	os_version="8" pkg_num=175
2024-09-11T11:07:49Z	INFO	Number of language-specific files	num=2
2024-09-11T11:07:49Z	INFO	[python-pkg] Detecting vulnerabilities...
2024-09-11T11:07:49Z	INFO	[jar] Detecting vulnerabilities...
2024-09-11T11:07:49Z	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.53/docs/scanner/vulnerability#severity-selection for details.
2024-09-11T11:07:49Z	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

cp-kafka:7.4.6.tar (redhat 8.10)
================================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌────────────────────────────┬───────────────┬──────────┬────────┬───────────────────┬─────────────────┬─────────────────────────────────────────────────────┐
│          Library           │ Vulnerability │ Severity │ Status │ Installed Version │  Fixed Version  │                        Title                        │
├────────────────────────────┼───────────────┼──────────┼────────┼───────────────────┼─────────────────┼─────────────────────────────────────────────────────┤
│ platform-python-setuptools │ CVE-2024-6345 │ HIGH     │ fixed  │ 39.2.0-7.el8      │ 39.2.0-8.el8_10 │ pypa/setuptools: Remote code execution via download │
│                            │               │          │        │                   │                 │ functions in the package_index module in...         │
│                            │               │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-6345           │
├────────────────────────────┤               │          │        │                   │                 │                                                     │
│ python3-setuptools-wheel   │               │          │        │                   │                 │                                                     │
│                            │               │          │        │                   │                 │                                                     │
│                            │               │          │        │                   │                 │                                                     │
└────────────────────────────┴───────────────┴──────────┴────────┴───────────────────┴─────────────────┴─────────────────────────────────────────────────────┘
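As an added check, not code from the issue author or from the Confluent images, here is a pure-Python port of rpm's EVR comparison that re-derives trivy's verdict from the two version columns in the table above: a finding is only still open while the installed EVR sorts below the fixed EVR. The FINDINGS rows are hand-copied from the trivy output; the port follows rpm's rpmvercmp algorithm as commonly documented (an assumption worth confirming against `rpmdev-vercmp` on a RHEL host).

```python
import re

def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): 1 if a is newer than b, -1 if older, 0 if equal."""
    i = j = 0
    while i < len(a) or j < len(b):
        # separators (anything but ASCII alnum, '~', '^') carry no meaning
        i += re.match(r"[^A-Za-z0-9~^]*", a[i:]).end()
        j += re.match(r"[^A-Za-z0-9~^]*", b[j:]).end()
        ca, cb = a[i:i + 1], b[j:j + 1]
        if "~" in (ca, cb) or "^" in (ca, cb):
            if ca == cb:                   # same marker on both sides: skip it
                i, j = i + 1, j + 1
                continue
            if "~" in (ca, cb):            # '~' sorts before anything, even end of string
                return 1 if cb == "~" else -1
            if not (ca and cb):            # '^' sorts after end of string ...
                return 1 if ca else -1
            return 1 if cb == "^" else -1  # ... but before any other segment
        if not (ca and cb):
            break
        pat = r"[0-9]+" if ca.isdigit() else r"[A-Za-z]+"
        ma, mb = re.match(pat, a[i:]), re.match(pat, b[j:])
        if mb is None:                     # segment types differ: numeric beats alphabetic
            return 1 if ca.isdigit() else -1
        sa, sb = ma.group(), mb.group()
        i, j = i + len(sa), j + len(sb)
        if ca.isdigit():
            sa, sb = int(sa), int(sb)
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1

def evr_cmp(a: str, b: str) -> int:
    """Compare [epoch:]version[-release] strings: epoch first, then version, then release."""
    def split(evr):
        epoch, _, rest = evr.rpartition(":")
        version, _, release = rest.partition("-")
        return int(epoch or 0), version, release
    (ea, va, ra), (eb, vb, rb) = split(a), split(b)
    return (ea > eb) - (ea < eb) or rpmvercmp(va, vb) or rpmvercmp(ra, rb)

# Rows from the trivy table above as (installed EVR, fixed EVR), typed in by hand
FINDINGS = {"platform-python-setuptools": ("39.2.0-7.el8", "39.2.0-8.el8_10"),
            "python3-setuptools-wheel": ("39.2.0-7.el8", "39.2.0-8.el8_10")}

def still_affected(findings=FINDINGS):
    # True for each package whose installed EVR is still below the fixed EVR
    return {pkg: evr_cmp(inst, fix) < 0 for pkg, (inst, fix) in findings.items()}
```

Swap in the output of `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}' <pkg>` from a rebuilt image to confirm that an updated base layer actually moved past the fixed version.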
@winfriedgerlach

winfriedgerlach commented Nov 15, 2024

Issue was fixed in CP 7.7.1.
@nemobis @janjwerner-confluent can we close this issue?

@nemobis

nemobis commented Nov 15, 2024

Thanks. I've not tested the new version but I guess so!
