traefik / traefik-library-image

Used to build Official Docker image of Traefik Proxy

Home Page: https://store.docker.com/images/traefik

Please mitigate High Severity CVEs on Traefik Docker images.

francomile opened this issue · comments

Hi, please upgrade Apache Thrift on the Traefik 1.7.33 images to mitigate the HIGH severity CVEs CVE-2019-0205, CVE-2019-0210 and CVE-2020-13949.

These vulnerabilities are currently found in the Traefik Docker images for version 1.7.33:

+--------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
|         LIBRARY          | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| github.com/apache/thrift | CVE-2019-0205    | HIGH     | v0.12.0           | 0.13.0        | thrift: Endless loop when             |
|                          |                  |          |                   |               | feed with specific input data         |
|                          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-0205  |
+                          +------------------+          +                   +               +---------------------------------------+
|                          | CVE-2019-0210    |          |                   |               | thrift: Out-of-bounds read            |
|                          |                  |          |                   |               | related to TJSONProtocol              |
|                          |                  |          |                   |               | or TSimpleJSONProtocol                |
|                          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-0210  |
+                          +------------------+          +                   +---------------+---------------------------------------+
|                          | CVE-2020-13949   |          |                   | v0.14.0       | libthrift: potential DoS when         |
|                          |                  |          |                   |               | processing untrusted payloads         |
|                          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-13949 |
+--------------------------+------------------+----------+-------------------+---------------+---------------------------------------+

Traefik version 2.5.4 images are also affected by high severity vulnerabilities related to containerd and the Docker CLI:

+----------------------------------+------------------+----------+------------------------------------+-----------------+---------------------------------------+
|             LIBRARY              | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION          |  FIXED VERSION  |                 TITLE                 |
+----------------------------------+------------------+----------+------------------------------------+-----------------+---------------------------------------+
| github.com/containerd/containerd | CVE-2021-41103   | HIGH     | v1.3.2                             | v1.4.11, v1.5.7 | containerd: insufficiently            |
|                                  |                  |          |                                    |                 | restricted permissions on container   |
|                                  |                  |          |                                    |                 | root and plugin directories           |
|                                  |                  |          |                                    |                 | -->avd.aquasec.com/nvd/cve-2021-41103 |
+                                  +------------------+----------+                                    +-----------------+---------------------------------------+
|                                  | CVE-2020-15257   | MEDIUM   |                                    | v1.3.9, v1.4.3  | containerd: unrestricted access       |
|                                  |                  |          |                                    |                 | to abstract Unix domain socket        |
|                                  |                  |          |                                    |                 | can lead to privileges...             |
|                                  |                  |          |                                    |                 | -->avd.aquasec.com/nvd/cve-2020-15257 |
+                                  +------------------+          +                                    +-----------------+---------------------------------------+
|                                  | CVE-2021-21334   |          |                                    | v1.3.10, v1.4.4 | containerd CRI plugin: information    |
|                                  |                  |          |                                    |                 | leak between containers               |
|                                  |                  |          |                                    |                 | via environment variables             |
|                                  |                  |          |                                    |                 | -->avd.aquasec.com/nvd/cve-2021-21334 |
+                                  +------------------+          +                                    +-----------------+---------------------------------------+
|                                  | CVE-2021-32760   |          |                                    | v1.4.8, v1.5.4  | containerd: pulling and               |
|                                  |                  |          |                                    |                 | extracting crafted container          |
|                                  |                  |          |                                    |                 | image may result in Unix file...      |
|                                  |                  |          |                                    |                 | -->avd.aquasec.com/nvd/cve-2021-32760 |
+----------------------------------+------------------+----------+------------------------------------+-----------------+---------------------------------------+
| github.com/docker/cli            | CVE-2021-41092   | HIGH     | v0.0.0-20200221155518-740919cc7fc0 | v20.10.9        | docker: cli leaks private registry    |
|                                  |                  |          |                                    |                 | credentials to registry-1.docker.io   |
|                                  |                  |          |                                    |                 | -->avd.aquasec.com/nvd/cve-2021-41092 |
+----------------------------------+------------------+----------+------------------------------------+-----------------+---------------------------------------+
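The tables above are Trivy output pasted by hand. A CI gate that turns the same scanner output into a pass/fail decision, so that a HIGH finding with an upstream fix blocks an image from shipping, is the check a practitioner would want here. The following Go program is an added example, not code from this issue, from Traefik or from Trivy. It assumes the JSON shape produced by `trivy image --format json` (a top-level `Results` list, each entry with `Target` and `Vulnerabilities`, and the field names `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`); only those fields are modelled. The embedded report is constructed to mirror three rows of the issue's tables plus one placeholder entry with no fix (not a real advisory) to exercise the "fix available" policy; it is not real scanner output for any Traefik image.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
	"strings"
)

// trivyReport is the subset of the Trivy JSON report (schema version 2) that
// the gate needs. Assumption: field names follow `trivy image --format json`.
type trivyReport struct {
	ArtifactName string `json:"ArtifactName"`
	Results      []struct {
		Target          string `json:"Target"`
		Vulnerabilities []struct {
			ID               string `json:"VulnerabilityID"`
			PkgName          string `json:"PkgName"`
			InstalledVersion string `json:"InstalledVersion"`
			FixedVersion     string `json:"FixedVersion"`
			Severity         string `json:"Severity"`
		} `json:"Vulnerabilities"`
	} `json:"Results"`
}

// Finding is one vulnerability the gate decided to block on.
type Finding struct {
	Target, ID, Pkg, Installed, Fixed, Severity string
}

// severityRank orders Trivy severities; unrecognised strings rank lowest.
var severityRank = map[string]int{"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// Gate parses a Trivy JSON report and returns every vulnerability at or above
// minSeverity. With requireFix set, findings whose FixedVersion is empty are
// skipped, so the gate only fails on items the image maintainer can act on
// (the "FIXED VERSION" column in the tables above). Results are sorted most
// severe first, then by ID, so CI output is stable and diffable.
func Gate(report []byte, minSeverity string, requireFix bool) ([]Finding, error) {
	threshold, ok := severityRank[strings.ToUpper(minSeverity)]
	if !ok {
		return nil, fmt.Errorf("unknown severity %q", minSeverity)
	}
	var r trivyReport
	if err := json.Unmarshal(report, &r); err != nil {
		return nil, fmt.Errorf("parse trivy report: %w", err)
	}
	var out []Finding
	for _, res := range r.Results {
		for _, v := range res.Vulnerabilities {
			if severityRank[strings.ToUpper(v.Severity)] < threshold {
				continue
			}
			if requireFix && strings.TrimSpace(v.FixedVersion) == "" {
				continue
			}
			out = append(out, Finding{res.Target, v.ID, v.PkgName, v.InstalledVersion, v.FixedVersion, v.Severity})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		si, sj := severityRank[strings.ToUpper(out[i].Severity)], severityRank[strings.ToUpper(out[j].Severity)]
		if si != sj {
			return si > sj
		}
		return out[i].ID < out[j].ID
	})
	return out, nil
}

// sampleReport is constructed for this example: it mirrors three rows of the
// issue's tables and adds a placeholder entry (not a real advisory) with no
// fixed version. It is not real Trivy output for any Traefik image.
const sampleReport = `{
  "SchemaVersion": 2,
  "ArtifactName": "traefik:example",
  "Results": [{
    "Target": "usr/local/bin/traefik",
    "Type": "gobinary",
    "Vulnerabilities": [
      {"VulnerabilityID": "CVE-2019-0205", "PkgName": "github.com/apache/thrift",
       "InstalledVersion": "v0.12.0", "FixedVersion": "0.13.0", "Severity": "HIGH"},
      {"VulnerabilityID": "CVE-2020-15257", "PkgName": "github.com/containerd/containerd",
       "InstalledVersion": "v1.3.2", "FixedVersion": "v1.3.9, v1.4.3", "Severity": "MEDIUM"},
      {"VulnerabilityID": "CVE-2021-41092", "PkgName": "github.com/docker/cli",
       "InstalledVersion": "v0.0.0-20200221155518-740919cc7fc0", "FixedVersion": "v20.10.9", "Severity": "HIGH"},
      {"VulnerabilityID": "PLACEHOLDER-UNFIXED", "PkgName": "example.invalid/unfixed",
       "InstalledVersion": "v1.0.0", "FixedVersion": "", "Severity": "CRITICAL"}
    ]
  }]
}`

// main reads a report path from argv (or falls back to the constructed sample),
// prints the blocking findings and exits non-zero so a pipeline step fails.
func main() {
	report := []byte(sampleReport)
	if len(os.Args) > 1 {
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		report = b
	}
	findings, err := Gate(report, "HIGH", true)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("%-8s %-15s %-35s %s -> %s\n", f.Severity, f.ID, f.Pkg, f.Installed, f.Fixed)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
}
```

To use it against a real image, write the scan to a file with `trivy image --format json -o report.json <image>` and run the program with that path as its argument. Note the policy choice: with `requireFix` set, a CRITICAL finding that has no upstream fix is reported by Trivy but does not fail the build, which keeps the gate from blocking on things nobody can patch yet; if you want it to block anyway, pass `false`.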

With respect to Traefik 1.7, this is a duplicate of traefik/traefik#8531

As for Traefik 2.5, we're currently working on updating the dependencies to fix the CVEs.

In any case, this issue should have been opened on the traefik repo, not here, so we're going to close it now.