cilium / hubble-ui

Observability & Troubleshooting for Kubernetes Services

Home Page: https://www.cilium.io

CVE-2023-4863 - libwebp vuln in hubble-ui

jhawkins1 opened this issue

Using a vulnerability scanner, hubble-ui is being flagged with CVE-2023-4863. The CVE is sourced to the libwebp library being provided by Alpine. This CVE is on the US DHS CISA Exploited Vulnerabilities List. This issue is to request an incremental update to Hubble to provide a new build that includes the Alpine patch. It appears this patch is included in the latest NGINX Alpine base image that hubble-ui is derived from. Need an ETA of when this may potentially be pulled in for the next incremental or major release of Hubble. Thanks...

Fixed by #678

Version v0.12.1 does not fix the CVE. This CVE is on the US DHS CISA Exploited Vulnerabilities List.

@rolinh Version v0.12.1 still has the CISA CVE. It does not fix this issue. It does not include the patch for Alpine version 3.18. Also, a new CVE, CVE-2023-44487, is included.

@kady1711 Should be fixed in v0.12.2