Closed
Description
There are multiple vulnerabilities within drone images (drone, drone-runner-kube, drone-vault-extension) as mentioned below.
Is there any plan to address this in a future release?
CVE Name | Asset Name | Vulnerability Description | Remediation | Current Version | Recommended Version | DetailedName |
---|---|---|---|---|---|---|
CVE-2022-28391 | docker.io/drone/drone-runner-kube | The package busybox version 1.32.1-r7 was detected in APK package manager on a container image running Alpine 3.13.7 is vulnerable to CVE-2022-28391, which exists in versions < 1.32.1-r8. The vulnerability was found in the Official Alpine Security Advisories with vendor severity: High (NVD severity: High). The vulnerability can be remediated by updating the package to version 1.32.1-r8 or higher, by adding the following command to the Dockerfile: RUN apk upgrade busybox. | apk upgrade busybox | 1.32.1-r7 | 1.32.1-r8 | busybox |
CVE-2022-0778 | docker.io/drone/drone-runner-kube | The package libcrypto1.1 version 1.1.1l-r0 was detected in APK package manager on a container image running Alpine 3.13.7 is vulnerable to CVE-2022-0778, which exists in versions < 1.1.1n-r0. The vulnerability was found in the Official Alpine Security Advisories with vendor severity: High (NVD severity: High). This vulnerability has a known exploit available. Source: Packetstorm. The vulnerability can be remediated by updating the package to version 1.1.1n-r0 or higher, by adding the following command to the Dockerfile: RUN apk upgrade libcrypto1.1. | apk upgrade libcrypto1.1 | 1.1.1l-r0 | 1.1.1n-r0 | libcrypto1.1 |
End-of-Life Version of Technology | docker.io/drone/drone-runner-kube | The OS Linux Alpine version 3.13.7 has been End-of-Life since 2022-11-01 as indicated in Alpine Releases. End-of-Life versions of operating systems have no further official support by the vendor and thus no security patches. Furthermore, newly discovered vulnerabilities are not reported. Thus, such technologies pose a threat that is both unknown and will not be fixed. | | 3.13.7 | 3.14.8 | Linux Alpine |
End-of-Life Version of Technology | docker.io/drone/drone | The OS Linux Alpine version 3.11.13 has been End-of-Life since 2021-11-01 as indicated in Alpine Releases. End-of-Life versions of operating systems have no further official support by the vendor and thus no security patches. Furthermore, newly discovered vulnerabilities are not reported. Thus, such technologies pose a threat that is both unknown and will not be fixed. | | 3.11.13 | 3.14.8 | Linux Alpine |
CVE-2022-30065 | docker.io/drone/drone-runner-kube | The package busybox version 1.32.1-r7 was detected in APK package manager on a container image running Alpine 3.13.7 is vulnerable to CVE-2022-30065, which exists in versions < 1.32.1-r9. The vulnerability was found in the Official Alpine Security Advisories with vendor severity: High (NVD severity: High). The vulnerability can be remediated by updating the package to version 1.32.1-r9 or higher, by adding the following command to the Dockerfile: RUN apk upgrade busybox. | apk upgrade busybox | 1.32.1-r7 | 1.32.1-r9 | busybox |
CVE-2022-37434 | docker.io/drone/drone-runner-kube | The package zlib version 1.2.11-r3 was detected in APK package manager on a container image running Alpine 3.13.7 is vulnerable to CVE-2022-37434, which exists in versions < 1.2.12-r2. The vulnerability was found in the Official Alpine Security Advisories with vendor severity: Critical (NVD severity: Critical). This vulnerability has a known exploit available. Source: Github [1, 2, 3]. The vulnerability can be remediated by updating the package to version 1.2.12-r2 or higher, by adding the following command to the Dockerfile: RUN apk upgrade zlib. | apk upgrade zlib | 1.2.11-r3 | 1.2.12-r2 | zlib |
CVE-2022-37434 | docker.io/drone/drone | The package zlib version 1.2.11-r3 was detected in APK package manager on a container image running Alpine 3.11.13 is vulnerable to CVE-2022-37434, which exists in versions < 1.2.11-r4. The vulnerability was found in the Official Alpine Security Advisories with vendor severity: Critical (NVD severity: Critical). This vulnerability has a known exploit available. Source: Github [1, 2, 3]. The vulnerability can be remediated by updating the package to version 1.2.11-r4 or higher, by adding the following command to the Dockerfile: RUN apk upgrade zlib. | apk upgrade zlib | 1.2.11-r3 | 1.2.11-r4 | zlib |
CVE-2018-25032 | docker.io/drone/drone-runner-kube | The package zlib version 1.2.11-r3 was detected in APK package manager on a container image running Alpine 3.13.7 is vulnerable to CVE-2018-25032, which exists in versions < 1.2.12-r0. The vulnerability was found in the Official Alpine Security Advisories with vendor severity: High (NVD severity: High). The vulnerability can be remediated by updating the package to version 1.2.12-r0 or higher, by adding the following command to the Dockerfile: RUN apk upgrade zlib. | apk upgrade zlib | 1.2.11-r3 | 1.2.12-r0 | zlib |
CVE-2022-28391 | docker.io/drone/drone-runner-kube | The package ssl_client version 1.32.1-r7 was detected in APK package manager on a container image running Alpine 3.13.7 is vulnerable to CVE-2022-28391, which exists in versions < 1.32.1-r8. The vulnerability was found in the Official Alpine Security Advisories with vendor severity: High (NVD severity: High). The vulnerability can be remediated by updating the package to version 1.32.1-r8 or higher, by adding the following command to the Dockerfile: RUN apk upgrade ssl_client. | apk upgrade ssl_client | 1.32.1-r7 | 1.32.1-r8 | ssl_client |
End-of-Life Version of Technology | docker.io/drone/vault | The OS Linux Alpine version 3.6.5 has been End-of-Life since 2019-05-01 as indicated in Alpine Releases. End-of-Life versions of operating systems have no further official support by the vendor and thus no security patches. Furthermore, newly discovered vulnerabilities are not reported. Thus, such technologies pose a threat that is both unknown and will not be fixed. | | 3.6.5 | 3.14.8 | Linux Alpine |
CVE-2022-0778 | docker.io/drone/drone-runner-kube | The package libssl1.1 version 1.1.1l-r0 was detected in APK package manager on a container image running Alpine 3.13.7 is vulnerable to CVE-2022-0778, which exists in versions < 1.1.1n-r0. The vulnerability was found in the Official Alpine Security Advisories with vendor severity: High (NVD severity: High). This vulnerability has a known exploit available. Source: Packetstorm. The vulnerability can be remediated by updating the package to version 1.1.1n-r0 or higher, by adding the following command to the Dockerfile: RUN apk upgrade libssl1.1. | apk upgrade libssl1.1 | 1.1.1l-r0 | 1.1.1n-r0 | libssl1.1 |
CVE-2022-30065 | docker.io/drone/drone-runner-kube | The package ssl_client version 1.32.1-r7 was detected in APK package manager on a container image running Alpine 3.13.7 is vulnerable to CVE-2022-30065, which exists in versions < 1.32.1-r9. The vulnerability was found in the Official Alpine Security Advisories with vendor severity: High (NVD severity: High). The vulnerability can be remediated by updating the package to version 1.32.1-r9 or higher, by adding the following command to the Dockerfile: RUN apk upgrade ssl_client. | apk upgrade ssl_client | 1.32.1-r7 | 1.32.1-r9 | ssl_client |