Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] docker images not building due to gevent CVE #6518

Open
dakotabenjamin opened this issue Aug 6, 2024 · 0 comments
Open

[BUG] docker images not building due to gevent CVE #6518

dakotabenjamin opened this issue Aug 6, 2024 · 0 comments
Assignees
@ramyaragupathy
Labels
ci/cd containerization issues that relate to containers infrastructure priority: high scope: backend

Comments

@dakotabenjamin
Copy link
Member

Describe the bug
Docker image builds fail due to being blocked by a CVE:

 ghcr.io/hotosm/tasking-manager/backend:develop (debian 12.6)
============================================================
Total: 0 (CRITICAL: 0)


Python (python-pkg)
===================
Total: 1 (CRITICAL: 1)

┌───────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│      Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├───────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ gevent (METADATA) │ CVE-2023-41419 │ CRITICAL │ fixed  │ 22.10.2           │ 23.9.0        │ python-gevent: privilege escalation via a crafted script to │
│                   │                │          │        │                   │               │ the WSGIServer component                                    │
│                   │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-41419                  │
└───────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

solution: Update Gevent to (at minimum) fixed version shown above.

Expected behavior
Docker images should build successfully in the CI Workflow.

Setting to High priority because builds are blocked, and the severity of the CVE is critical.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ramyaragupathy ramyaragupathy

Labels
ci/cd containerization issues that relate to containers infrastructure priority: high scope: backend
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@dakotabenjamin @ramyaragupathy