traefik / traefik-library-image

Used to build Official Docker image of Traefik Proxy

Home Page: https://store.docker.com/images/traefik


Critical Severity CVE on Traefik Docker images

chsieber opened this issue

I am getting flagged for an open CVE when using Traefik Docker image 2.6.0.
Trivy (Aquasec) is reporting an open Critical CVE with the package "containerd".

usr/local/bin/traefik (gobinary)

Total: 1 (CRITICAL: 1)

| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
|---|---|---|---|---|---|
| github.com/containerd/containerd | CVE-2021-43816 | CRITICAL | v1.5.8 | 1.5.9 | containerd: Unprivileged pod may bind mount any privileged regular file on disk... avd.aquasec.com/nvd/cve-2021-43816 |

Hello @chsieber,

Thanks for opening the issue.

Traefik does not use containerd to launch containers. Even if we have containerd as a dependency, this means that we are not affected by this CVE and that the Trivy report is a false positive.

That being said, we will close this issue.
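One way to record a triage decision like the one in this thread so that a CI scan gate stops failing on it, as an added example (not code from the Traefik or Trivy projects). The `NOT_AFFECTED` table and the `triage` function are hypothetical, and the sample report is constructed from the values quoted in the issue, in the layout of `trivy image --format json`.

```python
import json

# Constructed sample in the layout of `trivy image --format json`, reduced to
# the fields used below; the values are the ones quoted in the issue.
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "usr/local/bin/traefik", "Type": "gobinary",
    "Vulnerabilities": [{
        "VulnerabilityID": "CVE-2021-43816",
        "PkgName": "github.com/containerd/containerd",
        "InstalledVersion": "v1.5.8", "FixedVersion": "1.5.9",
        "Severity": "CRITICAL"}]}]})

# Hypothetical triage record (assumption, not a Trivy feature): each reviewed
# finding is pinned to target, package, CVE and the installed version.
NOT_AFFECTED = {
    ("usr/local/bin/traefik", "github.com/containerd/containerd",
     "CVE-2021-43816"): {
        "installed": "v1.5.8",
        "reason": "containerd is only a dependency; Traefik does not use it "
                  "to launch containers"}}


def triage(report_json, not_affected, fail_on=("CRITICAL", "HIGH")):
    """Split findings at blocking severities into (blocking, suppressed)."""
    blocking, suppressed = [], []
    for result in json.loads(report_json).get("Results") or []:
        # Targets without findings may carry no "Vulnerabilities" list.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in fail_on:
                continue
            key = (result.get("Target"), vuln.get("PkgName"),
                   vuln.get("VulnerabilityID"))
            entry = not_affected.get(key)
            # A changed installed version voids the decision and forces re-review.
            if entry and entry["installed"] == vuln.get("InstalledVersion"):
                suppressed.append((key, entry["reason"]))
            else:
                blocking.append(key + (vuln.get("InstalledVersion"),))
    return blocking, suppressed


if __name__ == "__main__":
    blocking, suppressed = triage(SAMPLE_REPORT, NOT_AFFECTED)
    for key, reason in suppressed:
        print("accepted:", key[2], "in", key[1], "-", reason)
    for finding in blocking:
        print("BLOCKING:", finding)
    raise SystemExit(1 if blocking else 0)
```

Pinning the decision to the installed version means an image rebuild that pulls a different containerd version is flagged again instead of being silently accepted.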