What happened?
HIGH and CRITICAL vulnerability issues found in the sriov-network-device-plugin v3.5.1 container image (ghcr.io/k8snetworkplumbingwg/sriov-network-device-plugin:v3.5.1)
REPORT:
root@[ ~ ]# docker run aquasec/trivy image ghcr.io/k8snetworkplumbingwg/sriov-network-device-plugin:v3.5.1
2022-10-23T13:03:28.033Z INFO Need to update DB
2022-10-23T13:03:28.034Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-10-23T13:03:28.034Z INFO Downloading DB...
34.58 MiB / 34.58 MiB [--------------------------------------------------] 100.00% 9.57 MiB p/s 3.8s
2022-10-23T13:03:32.642Z INFO Vulnerability scanning is enabled
2022-10-23T13:03:32.642Z INFO Secret scanning is enabled
2022-10-23T13:03:32.642Z INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-10-23T13:03:32.642Z INFO Please see also https://aquasecurity.github.io/trivy/v0.32/docs/secret/scanning/#recommendation for faster secret detection
2022-10-23T13:03:37.046Z INFO Detected OS: alpine
2022-10-23T13:03:37.046Z INFO Detecting Alpine vulnerabilities...
2022-10-23T13:03:37.049Z INFO Number of language-specific files: 1
2022-10-23T13:03:37.049Z INFO Detecting gobinary vulnerabilities...
ghcr.io/k8snetworkplumbingwg/sriov-network-device-plugin:v3.5.1 (alpine 3.16.0)
===============================================================================
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 1)
| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| busybox | CVE-2022-30065 | HIGH | 1.35.0-r13 | 1.35.0-r15 | busybox: A use-after-free in Busybox's awk applet leads to denial of service... https://avd.aquasec.com/nvd/cve-2022-30065 |
| libcrypto1.1 | CVE-2022-2097 | MEDIUM | 1.1.1o-r0 | 1.1.1q-r0 | openssl: AES OCB fails to encrypt some bytes https://avd.aquasec.com/nvd/cve-2022-2097 |
| libssl1.1 | CVE-2022-2097 | MEDIUM | 1.1.1o-r0 | 1.1.1q-r0 | openssl: AES OCB fails to encrypt some bytes https://avd.aquasec.com/nvd/cve-2022-2097 |
| ssl_client | CVE-2022-30065 | HIGH | 1.35.0-r13 | 1.35.0-r15 | busybox: A use-after-free in Busybox's awk applet leads to denial of service... https://avd.aquasec.com/nvd/cve-2022-30065 |
| zlib | CVE-2022-37434 | CRITICAL | 1.2.12-r1 | 1.2.12-r2 | zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a... https://avd.aquasec.com/nvd/cve-2022-37434 |
usr/bin/sriovdp (gobinary)
==========================
Total: 5 (UNKNOWN: 1, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 1)
| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| github.com/emicklei/go-restful | CVE-2022-1996 | CRITICAL | v2.10.0+incompatible | 2.16.0 | go-restful: Authorization Bypass Through User-Controlled Key https://avd.aquasec.com/nvd/cve-2022-1996 |
| github.com/emicklei/go-restful | GHSA-r48q-9g5r-8q2h | UNKNOWN | v2.10.0+incompatible | 2.16.0 | CORS filters that use an AllowedDomains configuration parameter can match domains outside the... https://github.com/advisories/GHSA-r48q-9g5r-8q2h |
| golang.org/x/net | CVE-2022-27664 | HIGH | v0.0.0-20220127200216-cd36cc0744dd | 0.0.0-20220906165146-f3363e06e74c | golang: net/http: handle server errors after sending GOAWAY https://avd.aquasec.com/nvd/cve-2022-27664 |
| golang.org/x/sys | CVE-2022-29526 | MEDIUM | v0.0.0-20220209214540-3681064d5158 | 0.0.0-20220412211240-33da011f77ad | golang: syscall: faccessat checks wrong group https://avd.aquasec.com/nvd/cve-2022-29526 |
| golang.org/x/text | CVE-2022-32149 | HIGH | v0.3.7 | 0.3.8 | golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags https://avd.aquasec.com/nvd/cve-2022-32149 |
What did you expect to happen?
0 HIGH and CRITICAL security vulnerabilities