Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add vulnerability scanning of the image #351

Open
ngosang opened this issue Jan 15, 2022 · 11 comments
Open

Add vulnerability scanning of the image #351

ngosang opened this issue Jan 15, 2022 · 11 comments
Labels
enhancement hardening

Comments

@ngosang
Copy link

ngosang commented Jan 15, 2022

Critical vulnerabilities in Docker image phpmyadmin:5.1.1

Maybe you should add a "vulnerability bot" or something to check that periodically.

https://github.com/anchore/grype

grype phpmyadmin:5.1.1
 ✔ Vulnerability DB        [no update available]
 ✔ Loaded image            
 ✔ Parsed image            
 ✔ Cataloged packages      [229 packages]
 ✔ Scanned image           [444 vulnerabilities]
NAME                       INSTALLED           FIXED-IN                VULNERABILITY     SEVERITY   
apache2                    2.4.48-3.1+deb11u1                          CVE-2001-1534     Negligible  
apache2                    2.4.48-3.1+deb11u1                          CVE-2003-1307     Negligible  
apache2                    2.4.48-3.1+deb11u1                          CVE-2003-1580     Negligible  
apache2                    2.4.48-3.1+deb11u1                          CVE-2003-1581     Negligible  
apache2                    2.4.48-3.1+deb11u1                          CVE-2007-0086     Negligible  
apache2                    2.4.48-3.1+deb11u1                          CVE-2007-1743     Negligible  
apache2                    2.4.48-3.1+deb11u1                          CVE-2007-3303     Negligible  
apache2                    2.4.48-3.1+deb11u1                          CVE-2008-0456     Negligible  
apache2                    2.4.48-3.1+deb11u1  2.4.51-1~deb11u1        CVE-2021-34798    High        
apache2                    2.4.48-3.1+deb11u1  2.4.51-1~deb11u1        CVE-2021-36160    High        
apache2                    2.4.48-3.1+deb11u1  2.4.51-1~deb11u1        CVE-2021-39275    Critical    
apache2                    2.4.48-3.1+deb11u1  2.4.51-1~deb11u1        CVE-2021-40438    Critical    
apache2                    2.4.48-3.1+deb11u1  2.4.52-1~deb11u2        CVE-2021-44224    High        
apache2                    2.4.48-3.1+deb11u1  2.4.52-1~deb11u2        CVE-2021-44790    Critical    
apache2-bin                2.4.48-3.1+deb11u1                          CVE-2001-1534     Negligible  
apache2-bin                2.4.48-3.1+deb11u1                          CVE-2003-1307     Negligible  
apache2-bin                2.4.48-3.1+deb11u1                          CVE-2003-1580     Negligible  
apache2-bin                2.4.48-3.1+deb11u1                          CVE-2003-1581     Negligible  
apache2-bin                2.4.48-3.1+deb11u1                          CVE-2007-0086     Negligible  
apache2-bin                2.4.48-3.1+deb11u1                          CVE-2007-1743     Negligible  
apache2-bin                2.4.48-3.1+deb11u1                          CVE-2007-3303     Negligible  
apache2-bin                2.4.48-3.1+deb11u1                          CVE-2008-0456     Negligible  
apache2-bin                2.4.48-3.1+deb11u1  2.4.51-1~deb11u1        CVE-2021-34798    High        
apache2-bin                2.4.48-3.1+deb11u1  2.4.51-1~deb11u1        CVE-2021-36160    High        
apache2-bin                2.4.48-3.1+deb11u1  2.4.51-1~deb11u1        CVE-2021-39275    Critical    
apache2-bin                2.4.48-3.1+deb11u1  2.4.51-1~deb11u1        CVE-2021-40438    Critical    
apache2-bin                2.4.48-3.1+deb11u1  2.4.52-1~deb11u2        CVE-2021-44224    High        
apache2-bin                2.4.48-3.1+deb11u1  2.4.52-1~deb11u2        CVE-2021-44790    Critical    
apache2-data               2.4.48-3.1+deb11u1                          CVE-2001-1534     Negligible  
apache2-data               2.4.48-3.1+deb11u1                          CVE-2003-1307     Negligible  
apache2-data               2.4.48-3.1+deb11u1                          CVE-2003-1580     Negligible  
apache2-data               2.4.48-3.1+deb11u1                          CVE-2003-1581     Negligible  
apache2-data               2.4.48-3.1+deb11u1                          CVE-2007-0086     Negligible  
apache2-data               2.4.48-3.1+deb11u1                          CVE-2007-1743     Negligible  
apache2-data               2.4.48-3.1+deb11u1                          CVE-2007-3303     Negligible  
apache2-data               2.4.48-3.1+deb11u1                          CVE-2008-0456     Negligible  
apache2-data               2.4.48-3.1+deb11u1  2.4.51-1~deb11u1        CVE-2021-34798    High        
apache2-data               2.4.48-3.1+deb11u1  2.4.51-1~deb11u1        CVE-2021-36160    High        
apache2-data               2.4.48-3.1+deb11u1  2.4.51-1~deb11u1        CVE-2021-39275    Critical    
apache2-data               2.4.48-3.1+deb11u1  2.4.51-1~deb11u1        CVE-2021-40438    Critical    
apache2-data               2.4.48-3.1+deb11u1  2.4.52-1~deb11u2        CVE-2021-44224    High        
apache2-data               2.4.48-3.1+deb11u1  2.4.52-1~deb11u2        CVE-2021-44790    Critical    
apache2-utils              2.4.48-3.1+deb11u1                          CVE-2001-1534     Negligible  
apache2-utils              2.4.48-3.1+deb11u1                          CVE-2003-1307     Negligible  
apache2-utils              2.4.48-3.1+deb11u1                          CVE-2003-1580     Negligible  
apache2-utils              2.4.48-3.1+deb11u1                          CVE-2003-1581     Negligible  
apache2-utils              2.4.48-3.1+deb11u1                          CVE-2007-0086     Negligible  
apache2-utils              2.4.48-3.1+deb11u1                          CVE-2007-1743     Negligible  
apache2-utils              2.4.48-3.1+deb11u1                          CVE-2007-3303     Negligible  
apache2-utils              2.4.48-3.1+deb11u1                          CVE-2008-0456     Negligible  
apache2-utils              2.4.48-3.1+deb11u1  2.4.51-1~deb11u1        CVE-2021-34798    High        
apache2-utils              2.4.48-3.1+deb11u1  2.4.51-1~deb11u1        CVE-2021-36160    High        
apache2-utils              2.4.48-3.1+deb11u1  2.4.51-1~deb11u1        CVE-2021-39275    Critical    
apache2-utils              2.4.48-3.1+deb11u1  2.4.51-1~deb11u1        CVE-2021-40438    Critical    
apache2-utils              2.4.48-3.1+deb11u1  2.4.52-1~deb11u2        CVE-2021-44224    High        
apache2-utils              2.4.48-3.1+deb11u1  2.4.52-1~deb11u2        CVE-2021-44790    Critical    
apt                        2.2.4                                       CVE-2011-3374     Negligible  
binutils                   2.35.2-2                                    CVE-2017-13716    Negligible  
binutils                   2.35.2-2                                    CVE-2018-12934    Negligible  
binutils                   2.35.2-2                                    CVE-2018-18483    Negligible  
binutils                   2.35.2-2                                    CVE-2018-20623    Negligible  
binutils                   2.35.2-2                                    CVE-2018-20673    Negligible  
binutils                   2.35.2-2                                    CVE-2018-20712    Negligible  
binutils                   2.35.2-2                                    CVE-2018-9996     Negligible  
binutils                   2.35.2-2                                    CVE-2019-1010204  Negligible  
binutils                   2.35.2-2                                    CVE-2020-35448    Negligible  
binutils                   2.35.2-2                                    CVE-2021-20197    Negligible  
binutils                   2.35.2-2                                    CVE-2021-20284    Negligible  
binutils                   2.35.2-2                                    CVE-2021-3487     Negligible  
binutils                   2.35.2-2                                    CVE-2021-3530     Negligible  
binutils                   2.35.2-2                                    CVE-2021-3549     Negligible  
binutils                   2.35.2-2                                    CVE-2021-3648     Negligible  
binutils                   2.35.2-2                                    CVE-2021-37322    Negligible  
binutils                   2.35.2-2                                    CVE-2021-45078    Negligible  
binutils-common            2.35.2-2                                    CVE-2017-13716    Negligible  
binutils-common            2.35.2-2                                    CVE-2018-12934    Negligible  
binutils-common            2.35.2-2                                    CVE-2018-18483    Negligible  
binutils-common            2.35.2-2                                    CVE-2018-20623    Negligible  
binutils-common            2.35.2-2                                    CVE-2018-20673    Negligible  
binutils-common            2.35.2-2                                    CVE-2018-20712    Negligible  
binutils-common            2.35.2-2                                    CVE-2018-9996     Negligible  
binutils-common            2.35.2-2                                    CVE-2019-1010204  Negligible  
binutils-common            2.35.2-2                                    CVE-2020-35448    Negligible  
binutils-common            2.35.2-2                                    CVE-2021-20197    Negligible  
binutils-common            2.35.2-2                                    CVE-2021-20284    Negligible  
binutils-common            2.35.2-2                                    CVE-2021-3487     Negligible  
binutils-common            2.35.2-2                                    CVE-2021-3530     Negligible  
binutils-common            2.35.2-2                                    CVE-2021-3549     Negligible  
binutils-common            2.35.2-2                                    CVE-2021-3648     Negligible  
binutils-common            2.35.2-2                                    CVE-2021-37322    Negligible  
binutils-common            2.35.2-2                                    CVE-2021-45078    Negligible  
binutils-x86-64-linux-gnu  2.35.2-2                                    CVE-2017-13716    Negligible  
binutils-x86-64-linux-gnu  2.35.2-2                                    CVE-2018-12934    Negligible  
binutils-x86-64-linux-gnu  2.35.2-2                                    CVE-2018-18483    Negligible  
binutils-x86-64-linux-gnu  2.35.2-2                                    CVE-2018-20623    Negligible  
binutils-x86-64-linux-gnu  2.35.2-2                                    CVE-2018-20673    Negligible  
binutils-x86-64-linux-gnu  2.35.2-2                                    CVE-2018-20712    Negligible  
binutils-x86-64-linux-gnu  2.35.2-2                                    CVE-2018-9996     Negligible  
binutils-x86-64-linux-gnu  2.35.2-2                                    CVE-2019-1010204  Negligible  
binutils-x86-64-linux-gnu  2.35.2-2                                    CVE-2020-35448    Negligible  
binutils-x86-64-linux-gnu  2.35.2-2                                    CVE-2021-20197    Negligible  
binutils-x86-64-linux-gnu  2.35.2-2                                    CVE-2021-20284    Negligible  
binutils-x86-64-linux-gnu  2.35.2-2                                    CVE-2021-3487     Negligible  
binutils-x86-64-linux-gnu  2.35.2-2                                    CVE-2021-3530     Negligible  
binutils-x86-64-linux-gnu  2.35.2-2                                    CVE-2021-3549     Negligible  
binutils-x86-64-linux-gnu  2.35.2-2                                    CVE-2021-3648     Negligible  
binutils-x86-64-linux-gnu  2.35.2-2                                    CVE-2021-37322    Negligible  
binutils-x86-64-linux-gnu  2.35.2-2                                    CVE-2021-45078    Negligible  
coreutils                  8.32-4+b1           (won't fix)             CVE-2016-2781     Low         
coreutils                  8.32-4+b1                                   CVE-2017-18018    Negligible  
curl                       7.74.0-1.3+b1       (won't fix)             CVE-2021-22924    Low         
curl                       7.74.0-1.3+b1       (won't fix)             CVE-2021-22945    Critical    
curl                       7.74.0-1.3+b1       (won't fix)             CVE-2021-22946    High        
curl                       7.74.0-1.3+b1       (won't fix)             CVE-2021-22947    Medium      
curl                       7.74.0-1.3+b1       (won't fix)             CVE-2021-22898    Low         
curl                       7.74.0-1.3+b1                               CVE-2021-22922    Negligible  
curl                       7.74.0-1.3+b1                               CVE-2021-22923    Negligible  
libapr1                    1.7.0-6             1.7.0-6+deb11u1         CVE-2021-35940    High        
libapt-pkg6.0              2.2.4                                       CVE-2011-3374     Negligible  
libbinutils                2.35.2-2                                    CVE-2017-13716    Negligible  
libbinutils                2.35.2-2                                    CVE-2018-12934    Negligible  
libbinutils                2.35.2-2                                    CVE-2018-18483    Negligible  
libbinutils                2.35.2-2                                    CVE-2018-20623    Negligible  
libbinutils                2.35.2-2                                    CVE-2018-20673    Negligible  
libbinutils                2.35.2-2                                    CVE-2018-20712    Negligible  
libbinutils                2.35.2-2                                    CVE-2018-9996     Negligible  
libbinutils                2.35.2-2                                    CVE-2019-1010204  Negligible  
libbinutils                2.35.2-2                                    CVE-2020-35448    Negligible  
libbinutils                2.35.2-2                                    CVE-2021-20197    Negligible  
libbinutils                2.35.2-2                                    CVE-2021-20284    Negligible  
libbinutils                2.35.2-2                                    CVE-2021-3487     Negligible  
libbinutils                2.35.2-2                                    CVE-2021-3530     Negligible  
libbinutils                2.35.2-2                                    CVE-2021-3549     Negligible  
libbinutils                2.35.2-2                                    CVE-2021-3648     Negligible  
libbinutils                2.35.2-2                                    CVE-2021-37322    Negligible  
libbinutils                2.35.2-2                                    CVE-2021-45078    Negligible  
libc-bin                   2.31-13                                     CVE-2021-43396    Negligible  
libc-bin                   2.31-13                                     CVE-2010-4756     Negligible  
libc-bin                   2.31-13                                     CVE-2018-20796    Negligible  
libc-bin                   2.31-13                                     CVE-2019-1010022  Negligible  
libc-bin                   2.31-13                                     CVE-2019-1010023  Negligible  
libc-bin                   2.31-13                                     CVE-2019-1010024  Negligible  
libc-bin                   2.31-13                                     CVE-2019-1010025  Negligible  
libc-bin                   2.31-13                                     CVE-2019-9192     Negligible  
libc-bin                   2.31-13             (won't fix)             CVE-2021-33574    Critical    
libc-dev-bin               2.31-13                                     CVE-2021-43396    Negligible  
libc-dev-bin               2.31-13                                     CVE-2010-4756     Negligible  
libc-dev-bin               2.31-13                                     CVE-2018-20796    Negligible  
libc-dev-bin               2.31-13                                     CVE-2019-1010022  Negligible  
libc-dev-bin               2.31-13                                     CVE-2019-1010023  Negligible  
libc-dev-bin               2.31-13                                     CVE-2019-1010024  Negligible  
libc-dev-bin               2.31-13                                     CVE-2019-1010025  Negligible  
libc-dev-bin               2.31-13                                     CVE-2019-9192     Negligible  
libc-dev-bin               2.31-13             (won't fix)             CVE-2021-33574    Critical    
libc6                      2.31-13                                     CVE-2021-43396    Negligible  
libc6                      2.31-13                                     CVE-2010-4756     Negligible  
libc6                      2.31-13                                     CVE-2018-20796    Negligible  
libc6                      2.31-13                                     CVE-2019-1010022  Negligible  
libc6                      2.31-13                                     CVE-2019-1010023  Negligible  
libc6                      2.31-13                                     CVE-2019-1010024  Negligible  
libc6                      2.31-13                                     CVE-2019-1010025  Negligible  
libc6                      2.31-13                                     CVE-2019-9192     Negligible  
libc6                      2.31-13             (won't fix)             CVE-2021-33574    Critical    
libc6-dev                  2.31-13                                     CVE-2021-43396    Negligible  
libc6-dev                  2.31-13                                     CVE-2010-4756     Negligible  
libc6-dev                  2.31-13                                     CVE-2018-20796    Negligible  
libc6-dev                  2.31-13                                     CVE-2019-1010022  Negligible  
libc6-dev                  2.31-13                                     CVE-2019-1010023  Negligible  
libc6-dev                  2.31-13                                     CVE-2019-1010024  Negligible  
libc6-dev                  2.31-13                                     CVE-2019-1010025  Negligible  
libc6-dev                  2.31-13                                     CVE-2019-9192     Negligible  
libc6-dev                  2.31-13             (won't fix)             CVE-2021-33574    Critical    
libctf-nobfd0              2.35.2-2                                    CVE-2017-13716    Negligible  
libctf-nobfd0              2.35.2-2                                    CVE-2018-12934    Negligible  
libctf-nobfd0              2.35.2-2                                    CVE-2018-18483    Negligible  
libctf-nobfd0              2.35.2-2                                    CVE-2018-20623    Negligible  
libctf-nobfd0              2.35.2-2                                    CVE-2018-20673    Negligible  
libctf-nobfd0              2.35.2-2                                    CVE-2018-20712    Negligible  
libctf-nobfd0              2.35.2-2                                    CVE-2018-9996     Negligible  
libctf-nobfd0              2.35.2-2                                    CVE-2019-1010204  Negligible  
libctf-nobfd0              2.35.2-2                                    CVE-2020-35448    Negligible  
libctf-nobfd0              2.35.2-2                                    CVE-2021-20197    Negligible  
libctf-nobfd0              2.35.2-2                                    CVE-2021-20284    Negligible  
libctf-nobfd0              2.35.2-2                                    CVE-2021-3487     Negligible  
libctf-nobfd0              2.35.2-2                                    CVE-2021-3530     Negligible  
libctf-nobfd0              2.35.2-2                                    CVE-2021-3549     Negligible  
libctf-nobfd0              2.35.2-2                                    CVE-2021-3648     Negligible  
libctf-nobfd0              2.35.2-2                                    CVE-2021-37322    Negligible  
libctf-nobfd0              2.35.2-2                                    CVE-2021-45078    Negligible  
libctf0                    2.35.2-2                                    CVE-2017-13716    Negligible  
libctf0                    2.35.2-2                                    CVE-2018-12934    Negligible  
libctf0                    2.35.2-2                                    CVE-2018-18483    Negligible  
libctf0                    2.35.2-2                                    CVE-2018-20623    Negligible  
libctf0                    2.35.2-2                                    CVE-2018-20673    Negligible  
libctf0                    2.35.2-2                                    CVE-2018-20712    Negligible  
libctf0                    2.35.2-2                                    CVE-2018-9996     Negligible  
libctf0                    2.35.2-2                                    CVE-2019-1010204  Negligible  
libctf0                    2.35.2-2                                    CVE-2020-35448    Negligible  
libctf0                    2.35.2-2                                    CVE-2021-20197    Negligible  
libctf0                    2.35.2-2                                    CVE-2021-20284    Negligible  
libctf0                    2.35.2-2                                    CVE-2021-3487     Negligible  
libctf0                    2.35.2-2                                    CVE-2021-3530     Negligible  
libctf0                    2.35.2-2                                    CVE-2021-3549     Negligible  
libctf0                    2.35.2-2                                    CVE-2021-3648     Negligible  
libctf0                    2.35.2-2                                    CVE-2021-37322    Negligible  
libctf0                    2.35.2-2                                    CVE-2021-45078    Negligible  
libcurl4                   7.74.0-1.3+b1       (won't fix)             CVE-2021-22924    Low         
libcurl4                   7.74.0-1.3+b1       (won't fix)             CVE-2021-22945    Critical    
libcurl4                   7.74.0-1.3+b1       (won't fix)             CVE-2021-22946    High        
libcurl4                   7.74.0-1.3+b1       (won't fix)             CVE-2021-22947    Medium      
libcurl4                   7.74.0-1.3+b1       (won't fix)             CVE-2021-22898    Low         
libcurl4                   7.74.0-1.3+b1                               CVE-2021-22922    Negligible  
libcurl4                   7.74.0-1.3+b1                               CVE-2021-22923    Negligible  
libexpat1                  2.2.10-2                                    CVE-2021-46143    Unknown     
libexpat1                  2.2.10-2                                    CVE-2022-22822    Unknown     
libexpat1                  2.2.10-2                                    CVE-2022-22823    Unknown     
libexpat1                  2.2.10-2                                    CVE-2022-22824    Unknown     
libexpat1                  2.2.10-2                                    CVE-2022-22825    Unknown     
libexpat1                  2.2.10-2                                    CVE-2022-22826    Unknown     
libexpat1                  2.2.10-2                                    CVE-2022-22827    Unknown     
libexpat1                  2.2.10-2            (won't fix)             CVE-2021-45960    High        
libexpat1                  2.2.10-2                                    CVE-2013-0340     Negligible  
libgcrypt20                1.8.7-6             (won't fix)             CVE-2021-33560    High        
libgcrypt20                1.8.7-6                                     CVE-2018-6829     Negligible  
libglib2.0-0               2.66.8-1                                    CVE-2012-0039     Negligible  
libgmp10                   2:6.2.1+dfsg-1      2:6.2.1+dfsg-1+deb11u1  CVE-2021-43618    High        
libgnutls30                3.7.1-5                                     CVE-2011-3389     Medium      
libgssapi-krb5-2           1.18.3-6            1.18.3-6+deb11u1        CVE-2021-37750    Medium      
libgssapi-krb5-2           1.18.3-6                                    CVE-2004-0971     Negligible  
libgssapi-krb5-2           1.18.3-6                                    CVE-2018-5709     Negligible  
libjansson4                2.13.1-1.1                                  CVE-2020-36325    Negligible  
libk5crypto3               1.18.3-6            1.18.3-6+deb11u1        CVE-2021-37750    Medium      
libk5crypto3               1.18.3-6                                    CVE-2004-0971     Negligible  
libk5crypto3               1.18.3-6                                    CVE-2018-5709     Negligible  
libkrb5-3                  1.18.3-6            1.18.3-6+deb11u1        CVE-2021-37750    Medium      
libkrb5-3                  1.18.3-6                                    CVE-2004-0971     Negligible  
libkrb5-3                  1.18.3-6                                    CVE-2018-5709     Negligible  
libkrb5support0            1.18.3-6            1.18.3-6+deb11u1        CVE-2021-37750    Medium      
libkrb5support0            1.18.3-6                                    CVE-2004-0971     Negligible  
libkrb5support0            1.18.3-6                                    CVE-2018-5709     Negligible  
libldap-2.4-2              2.4.57+dfsg-3                               CVE-2015-3276     Negligible  
libldap-2.4-2              2.4.57+dfsg-3                               CVE-2017-14159    Negligible  
libldap-2.4-2              2.4.57+dfsg-3                               CVE-2017-17740    Negligible  
libldap-2.4-2              2.4.57+dfsg-3                               CVE-2020-15719    Negligible  
liblua5.3-0                5.3.3-1.1+b1        (won't fix)             CVE-2019-6706     High        
liblua5.3-0                5.3.3-1.1+b1        (won't fix)             CVE-2020-24370    Medium      
liblua5.3-0                5.3.3-1.1+b1        (won't fix)             CVE-2021-43519    Medium      
libncurses6                6.2+20201114-2                              CVE-2021-39537    Negligible  
libncursesw6               6.2+20201114-2                              CVE-2021-39537    Negligible  
libpcre3                   2:8.39-13                                   CVE-2017-11164    Negligible  
libpcre3                   2:8.39-13                                   CVE-2017-16231    Negligible  
libpcre3                   2:8.39-13                                   CVE-2017-7245     Negligible  
libpcre3                   2:8.39-13                                   CVE-2017-7246     Negligible  
libpcre3                   2:8.39-13                                   CVE-2019-20838    Negligible  
libperl5.32                5.32.1-4+deb11u1                            CVE-2011-4116     Negligible  
libperl5.32                5.32.1-4+deb11u1    (won't fix)             CVE-2020-16156    High        
libpng16-16                1.6.37-3                                    CVE-2019-6129     Negligible  
libsepol1                  3.1-1               (won't fix)             CVE-2021-36084    Low         
libsepol1                  3.1-1               (won't fix)             CVE-2021-36085    Low         
libsepol1                  3.1-1               (won't fix)             CVE-2021-36086    Low         
libsepol1                  3.1-1               (won't fix)             CVE-2021-36087    Low         
libsqlite3-0               3.34.1-3                                    CVE-2021-36690    Negligible  
libssl1.1                  1.1.1k-1                                    CVE-2007-6755     Negligible  
libssl1.1                  1.1.1k-1                                    CVE-2010-0928     Negligible  
libssl1.1                  1.1.1k-1            1.1.1k-1+deb11u1        CVE-2021-3711     Critical    
libssl1.1                  1.1.1k-1            1.1.1k-1+deb11u1        CVE-2021-3712     High        
libsystemd0                247.3-6                                     CVE-2013-4392     Negligible  
libsystemd0                247.3-6                                     CVE-2020-13529    Negligible  
libsystemd0                247.3-6             (won't fix)             CVE-2021-3997     Unknown     
libtinfo6                  6.2+20201114-2                              CVE-2021-39537    Negligible  
libudev1                   247.3-6                                     CVE-2013-4392     Negligible  
libudev1                   247.3-6                                     CVE-2020-13529    Negligible  
libudev1                   247.3-6             (won't fix)             CVE-2021-3997     Unknown     
libwebp6                   0.6.1-2.1                                   CVE-2016-9085     Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2011-4917     Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2020-35501    Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2021-3669     Unknown     
linux-libc-dev             5.10.46-4                                   CVE-2017-13693    Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2017-13694    Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2004-0230     Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2005-3660     Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2007-3719     Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2008-2544     Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2008-4609     Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2010-4563     Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2010-5321     Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2011-4915     Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2012-4542     Negligible  
linux-libc-dev             5.10.46-4           (won't fix)             CVE-2013-7445     High        
linux-libc-dev             5.10.46-4                                   CVE-2014-9892     Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2014-9900     Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2015-2877     Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2016-10723    Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2016-8660     Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2017-0630     Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2018-1121     Negligible  
linux-libc-dev             5.10.46-4           (won't fix)             CVE-2018-12928    Low         
linux-libc-dev             5.10.46-4                                   CVE-2018-17977    Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2019-11191    Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2019-12378    Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2019-12379    Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2019-12380    Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2019-12381    Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2019-12382    Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2019-12455    Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2019-12456    Negligible  
linux-libc-dev             5.10.46-4           (won't fix)             CVE-2019-15213    Medium      
linux-libc-dev             5.10.46-4                                   CVE-2019-15794    Medium      
linux-libc-dev             5.10.46-4           (won't fix)             CVE-2019-16089    Medium      
linux-libc-dev             5.10.46-4                                   CVE-2019-16229    Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2019-16230    Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2019-16231    Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2019-16232    Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2019-16233    Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2019-16234    Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2019-19070    Negligible  
linux-libc-dev             5.10.46-4           (won't fix)             CVE-2019-19378    High        
linux-libc-dev             5.10.46-4           (won't fix)             CVE-2019-19449    High        
linux-libc-dev             5.10.46-4           (won't fix)             CVE-2019-19814    High        
linux-libc-dev             5.10.46-4           (won't fix)             CVE-2019-20794    Medium      
linux-libc-dev             5.10.46-4                                   CVE-2020-11725    Negligible  
linux-libc-dev             5.10.46-4           (won't fix)             CVE-2020-14304    Medium      
linux-libc-dev             5.10.46-4           (won't fix)             CVE-2020-15802    Medium      
linux-libc-dev             5.10.46-4           (won't fix)             CVE-2020-24504    Medium      
linux-libc-dev             5.10.46-4                                   CVE-2020-26555    Medium      
linux-libc-dev             5.10.46-4                                   CVE-2020-26556    High        
linux-libc-dev             5.10.46-4                                   CVE-2020-26557    High        
linux-libc-dev             5.10.46-4                                   CVE-2020-26559    High        
linux-libc-dev             5.10.46-4                                   CVE-2020-26560    High        
linux-libc-dev             5.10.46-4                                   CVE-2021-26934    Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2021-32078    Negligible  
linux-libc-dev             5.10.46-4                                   CVE-2021-3759     Unknown     
linux-libc-dev             5.10.46-4           5.10.46-5               CVE-2020-16119    High        
linux-libc-dev             5.10.46-4           5.10.46-5               CVE-2021-3656     Unknown     
linux-libc-dev             5.10.46-4           5.10.46-5               CVE-2021-3679     Medium      
linux-libc-dev             5.10.46-4           5.10.46-5               CVE-2021-3732     Unknown     
linux-libc-dev             5.10.46-4           5.10.46-5               CVE-2021-3739     Unknown     
linux-libc-dev             5.10.46-4           5.10.46-5               CVE-2021-3743     Unknown     
linux-libc-dev             5.10.46-4           5.10.46-5               CVE-2021-3753     Unknown     
linux-libc-dev             5.10.46-4           5.10.46-5               CVE-2021-37576    High        
linux-libc-dev             5.10.46-4           5.10.46-5               CVE-2021-38160    High        
linux-libc-dev             5.10.46-4           5.10.46-5               CVE-2021-38166    High        
linux-libc-dev             5.10.46-4           5.10.46-5               CVE-2021-38199    Medium      
linux-libc-dev             5.10.46-4           5.10.46-5               CVE-2021-40490    High        
linux-libc-dev             5.10.46-4           5.10.46-5               CVE-2021-41073    High        
linux-libc-dev             5.10.46-4           5.10.46-5               CVE-2021-3653     High        
linux-libc-dev             5.10.46-4           5.10.70-1               CVE-2020-26541    Medium      
linux-libc-dev             5.10.46-4           5.10.70-1               CVE-2021-35039    High        
linux-libc-dev             5.10.46-4           5.10.70-1               CVE-2021-37159    Medium      
linux-libc-dev             5.10.46-4           5.10.70-1               CVE-2021-38204    Medium      
linux-libc-dev             5.10.46-4           5.10.70-1               CVE-2021-38205    Low         
linux-libc-dev             5.10.46-4           5.10.70-1               CVE-2021-38300    High        
linux-libc-dev             5.10.46-4           5.10.46-5               CVE-2020-3702     Medium      
linux-libc-dev             5.10.46-4           5.10.70-1               CVE-2021-20320    Unknown     
linux-libc-dev             5.10.46-4           5.10.70-1               CVE-2021-42008    High        
linux-libc-dev             5.10.46-4                                   CVE-2021-3847     Unknown     
linux-libc-dev             5.10.46-4           5.10.70-1               CVE-2021-34866    Unknown     
linux-libc-dev             5.10.46-4           5.10.70-1               CVE-2021-20322    Unknown     
linux-libc-dev             5.10.46-4           5.10.70-1               CVE-2021-42252    High        
linux-libc-dev             5.10.46-4                                   CVE-2021-43976    Medium      
linux-libc-dev             5.10.46-4                                   CVE-2021-4037     Unknown     
linux-libc-dev             5.10.46-4                                   CVE-2021-4095     Unknown     
linux-libc-dev             5.10.46-4                                   CVE-2021-3864     Unknown     
linux-libc-dev             5.10.46-4                                   CVE-2021-39685    Unknown     
linux-libc-dev             5.10.46-4           5.10.70-1               CVE-2021-0920     Medium      
linux-libc-dev             5.10.46-4           5.10.84-1               CVE-2020-27820    Medium      
linux-libc-dev             5.10.46-4           5.10.84-1               CVE-2021-20321    Unknown     
linux-libc-dev             5.10.46-4           5.10.84-1               CVE-2021-3640     Unknown     
linux-libc-dev             5.10.46-4           5.10.84-1               CVE-2021-3744     Unknown     
linux-libc-dev             5.10.46-4           5.10.84-1               CVE-2021-3760     Unknown     
linux-libc-dev             5.10.46-4           5.10.84-1               CVE-2021-3764     Unknown     
linux-libc-dev             5.10.46-4           5.10.84-1               CVE-2021-3772     Unknown     
linux-libc-dev             5.10.46-4           5.10.84-1               CVE-2021-4001     Unknown     
linux-libc-dev             5.10.46-4           5.10.84-1               CVE-2021-4002     Unknown     
linux-libc-dev             5.10.46-4           5.10.84-1               CVE-2021-4083     Unknown     
linux-libc-dev             5.10.46-4           5.10.84-1               CVE-2021-41864    High        
linux-libc-dev             5.10.46-4           5.10.84-1               CVE-2021-42327    Medium      
linux-libc-dev             5.10.46-4           5.10.84-1               CVE-2021-42739    Medium      
linux-libc-dev             5.10.46-4           5.10.84-1               CVE-2021-43056    Medium      
linux-libc-dev             5.10.46-4           5.10.84-1               CVE-2021-43267    Critical    
linux-libc-dev             5.10.46-4           5.10.84-1               CVE-2021-43389    Medium      
linux-libc-dev             5.10.46-4           5.10.84-1               CVE-2021-43975    Medium      
linux-libc-dev             5.10.46-4           5.10.84-1               CVE-2021-3752     Unknown     
linux-libc-dev             5.10.46-4           5.10.84-1               CVE-2021-4028     Unknown     
linux-libc-dev             5.10.46-4                                   CVE-2021-28711    Unknown     
linux-libc-dev             5.10.46-4                                   CVE-2021-28712    Unknown     
linux-libc-dev             5.10.46-4                                   CVE-2021-28713    Unknown     
linux-libc-dev             5.10.46-4                                   CVE-2021-28714    Unknown     
linux-libc-dev             5.10.46-4                                   CVE-2021-28715    Unknown     
linux-libc-dev             5.10.46-4                                   CVE-2021-4135     Unknown     
linux-libc-dev             5.10.46-4                                   CVE-2021-45095    Medium      
linux-libc-dev             5.10.46-4                                   CVE-2021-4148     Unknown     
linux-libc-dev             5.10.46-4                                   CVE-2021-4149     Unknown     
linux-libc-dev             5.10.46-4                                   CVE-2021-4150     Unknown     
linux-libc-dev             5.10.46-4           5.10.70-1               CVE-2021-4154     Unknown     
linux-libc-dev             5.10.46-4                                   CVE-2021-4197     Unknown     
linux-libc-dev             5.10.46-4                                   CVE-2021-44733    High        
linux-libc-dev             5.10.46-4                                   CVE-2021-45469    High        
linux-libc-dev             5.10.46-4           5.10.70-1               CVE-2021-39633    Unknown     
linux-libc-dev             5.10.46-4                                   CVE-2021-4155     Unknown     
linux-libc-dev             5.10.46-4           5.10.84-1               CVE-2021-4202     Unknown     
linux-libc-dev             5.10.46-4           5.10.84-1               CVE-2021-4203     Unknown     
linux-libc-dev             5.10.46-4                                   CVE-2021-45480    Medium      
linux-libc-dev             5.10.46-4                                   CVE-2021-4204     Unknown     
linux-libc-dev             5.10.46-4           5.10.70-1               CVE-2021-45485    High        
linux-libc-dev             5.10.46-4           5.10.70-1               CVE-2021-46283    Unknown     
linux-libc-dev             5.10.46-4           (won't fix)             CVE-2020-12362    High        
linux-libc-dev             5.10.46-4           (won't fix)             CVE-2020-12363    Medium      
linux-libc-dev             5.10.46-4           (won't fix)             CVE-2020-12364    Medium      
login                      1:4.8.1-1                                   CVE-2007-5686     Negligible  
login                      1:4.8.1-1                                   CVE-2013-4235     Negligible  
login                      1:4.8.1-1                                   CVE-2019-19882    Negligible  
m4                         1.4.18-5                                    CVE-2008-1687     Negligible  
m4                         1.4.18-5                                    CVE-2008-1688     Negligible  
ncurses-base               6.2+20201114-2                              CVE-2021-39537    Negligible  
ncurses-bin                6.2+20201114-2                              CVE-2021-39537    Negligible  
openssl                    1.1.1k-1                                    CVE-2007-6755     Negligible  
openssl                    1.1.1k-1                                    CVE-2010-0928     Negligible  
openssl                    1.1.1k-1            1.1.1k-1+deb11u1        CVE-2021-3711     Critical    
openssl                    1.1.1k-1            1.1.1k-1+deb11u1        CVE-2021-3712     High        
passwd                     1:4.8.1-1                                   CVE-2007-5686     Negligible  
passwd                     1:4.8.1-1                                   CVE-2013-4235     Negligible  
passwd                     1:4.8.1-1                                   CVE-2019-19882    Negligible  
patch                      2.7.6-7                                     CVE-2010-4651     Negligible  
patch                      2.7.6-7                                     CVE-2018-6951     Negligible  
patch                      2.7.6-7                                     CVE-2018-6952     Negligible  
patch                      2.7.6-7                                     CVE-2021-45261    Negligible  
perl                       5.32.1-4+deb11u1                            CVE-2011-4116     Negligible  
perl                       5.32.1-4+deb11u1    (won't fix)             CVE-2020-16156    High        
perl-base                  5.32.1-4+deb11u1                            CVE-2011-4116     Negligible  
perl-base                  5.32.1-4+deb11u1    (won't fix)             CVE-2020-16156    High        
perl-modules-5.32          5.32.1-4+deb11u1                            CVE-2011-4116     Negligible  
perl-modules-5.32          5.32.1-4+deb11u1    (won't fix)             CVE-2020-16156    High        
re2c                       2.0.3-1                                     CVE-2018-21232    Negligible  
tar                        1.34+dfsg-1                                 CVE-2005-2541     Negligible
@ibennetch ibennetch self-assigned this Jan 15, 2022
@ibennetch
Copy link
Member

Thank you for the report.

There's a lot here for me to process; for instance I thought the tags were automatically rebuilt whenever any of the included/dependency images got updated. For another matter, a lot of the automated tools that I used to have access to through Docker Hub seem to be gone and moved to a more expensive service tier.

So thank you for the report, and I apologize that I don't have an immediate response, but I will begin looking into this and see if I can get to the bottom of it.

@ngosang
Copy link
Author

ngosang commented Jan 23, 2022

phpmyadmin 5.1.2 is out

@ibennetch
Copy link
Member

Yes, that's true. However, 5.1.3 will be released soon; in order to reduce the load on the folks who maintain the official Docker images we decided to delay the pull request to update the Docker image.

As far as the "community" repository at phpmyadmin/phpmyadmin, the recent changes to Docker Hub's service tiers have impacted our ability to programmatically trigger builds, so we are evaluating whether we should discontinue that repository or what the best way is to adapt moving forward.

In the mean time, you can use this repository directly to get the newer version if that's of critical importance.

Thank you for pointing this out; it's a known issue.

@ngosang
Copy link
Author

ngosang commented Jan 23, 2022
edited
Loading

GitHub has his own Docker Registry without any limits. I maintain several projects and I release the Docker images in both registries with this GitHub Action.
https://github.com/ngosang/urbackup-exporter/blob/master/.github/workflows/release-docker.yml

NOTE: With that file I building 2 Docker images (Alpine and Debian) for 8 OS architectures each one = 16 docker images. Then I publishing all of them in DockerHub and GHCR. 32 Docker images in total.

https://hub.docker.com/r/ngosang/urbackup-exporter/tags
https://github.com/ngosang/urbackup-exporter/pkgs/container/urbackup-exporter

@williamdes williamdes changed the title Critical vulnerabilities in Docker image phpmyadmin:5.1.1 Add vulnerability scanning of the image Aug 3, 2023
@williamdes
Copy link
Member

I did run this today, except slim/psr7 that will be fixed in 5.2.2 there is nothing we can do.
Still good to know

grype phpmyadmin:5.2.1 | grep -v -F "Negligible" | grep -v -F "won't fix" | grep -v -F "GHSA-rpcf-p37j-wm4j"
 ✔ Vulnerability DB                [no update available]  
 ✔ Loaded image                                                                                                                                                                                  phpmyadmin:5.2.1
 ✔ Parsed image                                                                                                                           sha256:47a64b267aa29b57ee64d150ff06cefa1f418d69cb9be268774d42e333a5b9c3
 ✔ Cataloged packages              [258 packages]  
 ✔ Scanned for vulnerabilities     [307 vulnerabilities]  
   ├── 1 critical, 18 high, 30 medium, 6 low, 246 negligible (6 unknown)
   └── 2 fixed
NAME                       INSTALLED          FIXED-IN     TYPE          VULNERABILITY        SEVERITY   
libphp                     8.2.8                           binary        CVE-2007-4596        High        
libphp                     8.2.8                           binary        CVE-2007-3205        Medium      
libphp                     8.2.8                           binary        CVE-2007-2728        Medium      
libproc2-0                 2:4.0.2-3                       deb           CVE-2023-4016        Low         
linux-libc-dev             6.1.38-1                        deb           CVE-2023-4004        High        
linux-libc-dev             6.1.38-1                        deb           CVE-2023-3776        High        
linux-libc-dev             6.1.38-1                        deb           CVE-2023-3640        High        
linux-libc-dev             6.1.38-1                        deb           CVE-2023-3611        High        
linux-libc-dev             6.1.38-1                        deb           CVE-2023-35827       High        
linux-libc-dev             6.1.38-1                        deb           CVE-2023-2176        High        
linux-libc-dev             6.1.38-1                        deb           CVE-2021-3864        High        
linux-libc-dev             6.1.38-1                        deb           CVE-2021-3847        High        
linux-libc-dev             6.1.38-1                        deb           CVE-2023-4010        Medium      
linux-libc-dev             6.1.38-1                        deb           CVE-2023-3863        Medium      
linux-libc-dev             6.1.38-1                        deb           CVE-2023-3773        Medium      
linux-libc-dev             6.1.38-1                        deb           CVE-2023-3772        Medium      
linux-libc-dev             6.1.38-1                        deb           CVE-2023-37454       Medium      
linux-libc-dev             6.1.38-1                        deb           CVE-2023-37453       Medium      
linux-libc-dev             6.1.38-1                        deb           CVE-2023-31083       Medium      
linux-libc-dev             6.1.38-1                        deb           CVE-2023-31082       Medium      
linux-libc-dev             6.1.38-1                        deb           CVE-2023-2898        Medium      
linux-libc-dev             6.1.38-1                        deb           CVE-2023-2430        Medium      
linux-libc-dev             6.1.38-1                        deb           CVE-2023-23005       Medium      
linux-libc-dev             6.1.38-1           6.1.38-2     deb           CVE-2023-20593       Medium      
linux-libc-dev             6.1.38-1                        deb           CVE-2023-1206        Medium      
linux-libc-dev             6.1.38-1                        deb           CVE-2023-0597        Medium      
linux-libc-dev             6.1.38-1                        deb           CVE-2023-0160        Medium      
linux-libc-dev             6.1.38-1                        deb           CVE-2020-36694       Medium      
linux-libc-dev             6.1.38-1                        deb           CVE-2023-3397        Unknown     
linux-libc-dev             6.1.38-1                        deb           CVE-2023-1194        Unknown     
linux-libc-dev             6.1.38-1                        deb           CVE-2023-1193        Unknown     
linux-libc-dev             6.1.38-1                        deb           CVE-2023-1192        Unknown     
php-cli                    8.2.8                           binary        CVE-2007-4596        High        
php-cli                    8.2.8                           binary        CVE-2007-3205        Medium      
php-cli                    8.2.8                           binary        CVE-2007-2728        Medium      
procps                     2:4.0.2-3                       deb           CVE-2023-4016        Low         
slim/psr7                  1.4                1.4.1        php-composer  GHSA-q2qj-628g-vhfw  Medium

@Orscheler
Copy link

Hi @williamdes,

is there any update on this? Scanning the current 5.2.1 container, there is still a high number of vulnabilities (based on my trivy scan): 5 Critical | 109 High | 380 Medium | 81 Low | 378 unassigned

May you check, which components are being required for the build-process only and therefore can be removed from the container-image itself, after the build-process was successful?

Especially the linux-libc-dev library having 688 vulnabilities, which is about 70% of all.
A full list is being attached.

Thx & Best

# CRITICAL
libc-bin	2.36-9+deb12u9		NVD CVE-2019-1010022	
libc-dev-bin	2.36-9+deb12u9		NVD CVE-2019-1010022	
libc6	2.36-9+deb12u9		NVD CVE-2019-1010022	
libc6-dev	2.36-9+deb12u9		NVD CVE-2019-1010022	
zlib1g	1:1.2.13.dfsg-1		NVD CVE-2023-45853	

# HIGH
twig/twig	v3.5.0		NVD CVE-2024-45411	
libc-bin	2.36-9+deb12u9		NVD CVE-2019-1010023	
libc-bin	2.36-9+deb12u9		NVD CVE-2018-20796	
libc-bin	2.36-9+deb12u9		NVD CVE-2019-9192	
libc-dev-bin	2.36-9+deb12u9		NVD CVE-2019-9192	
libc-dev-bin	2.36-9+deb12u9		NVD CVE-2019-1010023	
libc-dev-bin	2.36-9+deb12u9		NVD CVE-2018-20796	
libc6	2.36-9+deb12u9		NVD CVE-2018-20796	
libc6	2.36-9+deb12u9		NVD CVE-2019-1010023	
libc6	2.36-9+deb12u9		NVD CVE-2019-9192	
libc6-dev	2.36-9+deb12u9		NVD CVE-2019-1010023	
libc6-dev	2.36-9+deb12u9		NVD CVE-2018-20796	
libc6-dev	2.36-9+deb12u9		NVD CVE-2019-9192	
libexpat1	2.5.0-1+deb12u1		NVD CVE-2023-52425	
libgcrypt20	1.10.1-3		NVD CVE-2018-6829	
libgssapi-krb5-2	1.20.1-2+deb12u2		NVD CVE-2018-5709	
libjansson4	2.14-2		NVD CVE-2020-36325	
libk5crypto3	1.20.1-2+deb12u2		NVD CVE-2018-5709	
libkrb5-3	1.20.1-2+deb12u2		NVD CVE-2018-5709	
libkrb5support0	1.20.1-2+deb12u2		NVD CVE-2018-5709	
libldap-2.5-0	2.5.13+dfsg-5		NVD CVE-2023-2953	
libldap-2.5-0	2.5.13+dfsg-5		NVD CVE-2017-17740	
libldap-2.5-0	2.5.13+dfsg-5		NVD CVE-2015-3276	
libperl5.36	5.36.0-7+deb12u1		NVD CVE-2023-31486	
libperl5.36	5.36.0-7+deb12u1		NVD CVE-2023-31484	
libxml2	2.9.14+dfsg-1.3~deb12u1		NVD CVE-2024-25062	
linux-libc-dev	6.1.119-1		NVD CVE-2024-46820	
linux-libc-dev	6.1.119-1		NVD CVE-2024-47745	
linux-libc-dev	6.1.119-1		NVD CVE-2024-50063	
linux-libc-dev	6.1.119-1		NVD CVE-2024-46813	
linux-libc-dev	6.1.119-1		NVD CVE-2024-50112	
linux-libc-dev	6.1.119-1		NVD CVE-2024-53099	
linux-libc-dev	6.1.119-1		NVD CVE-2021-3864	
linux-libc-dev	6.1.119-1		NVD CVE-2024-44951	
linux-libc-dev	6.1.119-1		NVD CVE-2024-46774	
linux-libc-dev	6.1.119-1		NVD CVE-2024-56662	
linux-libc-dev	6.1.119-1		NVD CVE-2024-35866	
linux-libc-dev	6.1.119-1		NVD CVE-2024-49996	
linux-libc-dev	6.1.119-1		NVD CVE-2019-19070	
linux-libc-dev	6.1.119-1		NVD CVE-2022-45885	
linux-libc-dev	6.1.119-1		NVD CVE-2024-46833	
linux-libc-dev	6.1.119-1		NVD CVE-2024-41061	
linux-libc-dev	6.1.119-1		NVD CVE-2024-44942	
linux-libc-dev	6.1.119-1		NVD CVE-2023-3640	
linux-libc-dev	6.1.119-1		NVD CVE-2024-26930	
linux-libc-dev	6.1.119-1		NVD CVE-2023-52452	
linux-libc-dev	6.1.119-1		NVD CVE-2022-1247	
linux-libc-dev	6.1.119-1		NVD CVE-2024-56675	
linux-libc-dev	6.1.119-1		NVD CVE-2024-44941	
linux-libc-dev	6.1.119-1		NVD CVE-2024-50055	
linux-libc-dev	6.1.119-1		NVD CVE-2024-47691	
linux-libc-dev	6.1.119-1		NVD CVE-2024-21803	
linux-libc-dev	6.1.119-1		NVD CVE-2024-50047	
linux-libc-dev	6.1.119-1		NVD CVE-2022-0400	
linux-libc-dev	6.1.119-1		NVD CVE-2024-53142	
linux-libc-dev	6.1.119-1		NVD CVE-2024-26913	
linux-libc-dev	6.1.119-1		NVD CVE-2023-52751	
linux-libc-dev	6.1.119-1		NVD CVE-2024-50029	
linux-libc-dev	6.1.119-1		NVD CVE-2024-53068	
linux-libc-dev	6.1.119-1		NVD CVE-2024-35929	
linux-libc-dev	6.1.119-1		NVD CVE-2022-25265	
linux-libc-dev	6.1.119-1		NVD CVE-2024-56650	
linux-libc-dev	6.1.119-1		NVD CVE-2024-56663	
linux-libc-dev	6.1.119-1		NVD CVE-2024-50246	
linux-libc-dev	6.1.119-1		NVD CVE-2024-46786	
linux-libc-dev	6.1.119-1		NVD CVE-2023-26242	
linux-libc-dev	6.1.119-1		NVD CVE-2024-38630	
linux-libc-dev	6.1.119-1		NVD CVE-2024-50275	
linux-libc-dev	6.1.119-1		NVD CVE-2019-19814	
linux-libc-dev	6.1.119-1		NVD CVE-2024-50061	
linux-libc-dev	6.1.119-1		NVD CVE-2024-53108	
linux-libc-dev	6.1.119-1		NVD CVE-2022-2961	
linux-libc-dev	6.1.119-1		NVD CVE-2024-50164	
linux-libc-dev	6.1.119-1		NVD CVE-2024-56672	
linux-libc-dev	6.1.119-1		NVD CVE-2024-35887	
linux-libc-dev	6.1.119-1		NVD CVE-2024-53141	
linux-libc-dev	6.1.119-1		NVD CVE-2023-39191	
linux-libc-dev	6.1.119-1		NVD CVE-2019-19449	
linux-libc-dev	6.1.119-1		NVD CVE-2019-12456	
linux-libc-dev	6.1.119-1		NVD CVE-2024-49989	
linux-libc-dev	6.1.119-1		NVD CVE-2024-56658	
linux-libc-dev	6.1.119-1		NVD CVE-2019-19378	
linux-libc-dev	6.1.119-1		NVD CVE-2022-3238	
linux-libc-dev	6.1.119-1		NVD CVE-2024-39479	
linux-libc-dev	6.1.119-1		NVD CVE-2024-27042	
linux-libc-dev	6.1.119-1		NVD CVE-2024-49928	
linux-libc-dev	6.1.119-1		NVD CVE-2024-56664	
linux-libc-dev	6.1.119-1		NVD CVE-2022-45884	
linux-libc-dev	6.1.119-1		NVD CVE-2024-50121	
linux-libc-dev	6.1.119-1		NVD CVE-2024-50217	
linux-libc-dev	6.1.119-1		NVD CVE-2021-26934	
linux-libc-dev	6.1.119-1		NVD CVE-2024-56651	
linux-libc-dev	6.1.119-1		NVD CVE-2024-49861	
linux-libc-dev	6.1.119-1		NVD CVE-2021-3847	
linux-libc-dev	6.1.119-1		NVD CVE-2024-42162	
linux-libc-dev	6.1.119-1		NVD CVE-2024-38570	
linux-libc-dev	6.1.119-1		NVD CVE-2024-50226	
linux-libc-dev	6.1.119-1		NVD CVE-2024-46811	
linux-libc-dev	6.1.119-1		NVD CVE-2020-11725	
linux-libc-dev	6.1.119-1		NVD CVE-2013-7445	
linux-libc-dev	6.1.119-1		NVD CVE-2024-53133	
patch	2.7.6-7		NVD CVE-2018-6952	
patch	2.7.6-7		NVD CVE-2018-6951	
perl	5.36.0-7+deb12u1		NVD CVE-2023-31484	
perl	5.36.0-7+deb12u1		NVD CVE-2023-31486	
perl-base	5.36.0-7+deb12u1		NVD CVE-2023-31486	
perl-base	5.36.0-7+deb12u1		NVD CVE-2023-31484	
perl-modules-5.36	5.36.0-7+deb12u1		NVD CVE-2023-31484	
perl-modules-5.36	5.36.0-7+deb12u1		NVD CVE-2023-31486

@ibennetch
Copy link
Member

ibennetch commented Jan 7, 2025 via email

@williamdes
Copy link
Member

is there any update on this? Scanning the current 5.2.1 container, there is still a high number of vulnabilities (based on my trivy scan): 5 Critical | 109 High | 380 Medium | 81 Low | 378 unassigned

Can you confirm that you are using the Docker official repository phpmyadmin and not phpmyadmin/phpmyadmin. They update the base images often if I am correct.

@Orscheler
Copy link

Orscheler commented Jan 8, 2025
edited
Loading

Of course using the official one:

  "metadata" : {
    "timestamp" : "2025-01-07T16:23:01Z",
    "tools" : [
      {
        "vendor" : "OWASP",
        "name" : "Dependency-Track",
        "version" : "4.11.7"
      }
    ],
    "component" : {
      "type" : "container",
      "bom-ref" : "0f82474c-e619-43ab-aa30-5821d8851e80",
      "name" : "phpmyadmin",
      "version" : "5.2.1"
    }
  },

Getting rid of the Apache and having a lightweight solution with nginx & php, being controlled by supervisor, may also be an option to get rid of all those dependencies: #346

@williamdes
Copy link
Member

I can kick off a rebuild of the Docker images again later today to
hopefully resolve these.

@ibennetch it will not work for Docker official repo
but maybe @tianon can fire a re-build of phpmyadmin:5.2.1 ?
If there a procedure I am not aware of ?

@williamdes
Copy link
Member

It seems to be a manual not very documented process
Ref: docker-library/official-images#18021 (comment)

But when I update my PR: docker-library/official-images#17398
it should solve it

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement hardening
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ibennetch @williamdes @ngosang @Orscheler