
Comments (6)

powersj avatar powersj commented on August 17, 2024

Hi.

It found CVE-2018-12976

As a best practice, it is preferred to disclose CVEs to a security team versus a public issue. You can check out our disclosure steps at: https://www.influxdata.com/how-to-report-security-vulnerabilities/. I'll look at adding a reference to this document into this repo as well.

I've recently downloaded the latest docker image

Which image and which version?

As this repo maintains the images for multiple products, including influxdb, telegraf, etc., it would help to narrow this down.

Thanks!

from influxdata-docker.

M-JobPixel avatar M-JobPixel commented on August 17, 2024

Sorry for not following a procedure that I was unaware of. But it's not like this is exactly secret. All I did was download your :latest image from your dockerhub and uploaded it to AWS' ECR whereupon they scanned it, as they do all images, and the report found the CVE. This is a fairly common procedure and one that anyone can easily do.

The Dockerfile I used to build and push the image looks like:

FROM influxdb:latest

So that would be version 2.7.1


powersj avatar powersj commented on August 17, 2024

The CVE in question references github.com/golang/gddo.

This package is imported in InfluxDB in go.mod and used by http/telegraf.go, specifically the github.com/golang/gddo/httputil module, with one call to httputil.NegotiateContentType().

As mentioned in the security announcement it appears to only affect users running their own instance of gddo, which InfluxDB is not doing.

I will pass this on to our security team and get a response.


M-JobPixel avatar M-JobPixel commented on August 17, 2024

Thanks for the response.

I guess it's ok to have a potential vulnerability in code which you import and never use.

I will annotate my SOC-2 compliance report with this detail.


jdstrand avatar jdstrand commented on August 17, 2024

I will pass this on to our security team and get a response.

Sorry for the delay. @powersj's analysis is correct. While influxdb imports github.com/golang/gddo/httputil, it is only to use httputil.NegotiateContentType which is not affected by this CVE. I'm not sure what capability your tooling has, but I recommend dismissing the alert with either 'inaccurate' or 'code not used'.


gavin-snorkel avatar gavin-snorkel commented on August 17, 2024

Hi,
We are running into the same issue as well, as our scanner is picking up the critical CVE (https://nvd.nist.gov/vuln/detail/CVE-2018-12976). Unfortunately, we don't have a way to dismiss this CVE due to the fact that it's CRITICAL. It seems like it should go away by updating your gddo deps at a later build? (current one at 2018***)

Thanks and really appreciate the help.

-Gavin

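The two positions above (jdstrand: dismiss the alert as "code not used"; Gavin: the scanner offers no way to dismiss a CRITICAL finding) are exactly what a VEX document is for. The following is an added example, not code from the thread or from the InfluxDB project: it builds a minimal OpenVEX document stating that CVE-2018-12976 does not affect the image because the vulnerable code is not in the execute path, and then filters a constructed list of scanner findings against it so that only unaddressed findings remain actionable. The `Finding` shape, the product identifier `pkg:oci/influxdb?tag=2.7.1`, and the second finding `CVE-EXAMPLE-1` are assumptions constructed for the example (a real document should pin the image by digest, and real scanners emit their own schemas); the OpenVEX field names and the five `not_affected` justifications are from the OpenVEX specification.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Finding is one scanner result. This shape is an assumption for the example;
// ECR, Grype and Trivy each use their own output schema.
type Finding struct {
	Product  string // purl of the scanned image, assumed normalised by the scanner
	Package  string // affected module as reported by the scanner
	CVE      string
	Severity string
}

// Subset of an OpenVEX document (https://github.com/openvex/spec).
type Vulnerability struct {
	Name string `json:"name"`
}

type Product struct {
	ID string `json:"@id"`
}

type Statement struct {
	Vulnerability   Vulnerability `json:"vulnerability"`
	Products        []Product     `json:"products"`
	Status          string        `json:"status"`
	Justification   string        `json:"justification,omitempty"`
	ImpactStatement string        `json:"impact_statement,omitempty"`
}

type Document struct {
	Context    string      `json:"@context"`
	ID         string      `json:"@id"`
	Author     string      `json:"author"`
	Timestamp  time.Time   `json:"timestamp"`
	Version    int         `json:"version"`
	Statements []Statement `json:"statements"`
}

// The machine-readable justifications OpenVEX allows with status not_affected.
var validJustifications = map[string]bool{
	"component_not_present":                             true,
	"vulnerable_code_not_present":                       true,
	"vulnerable_code_not_in_execute_path":               true,
	"vulnerable_code_cannot_be_controlled_by_adversary": true,
	"inline_mitigations_already_exist":                  true,
}

// Placeholder product identifier (assumption): a real statement should
// identify the image by its digest rather than by a mutable tag.
const productID = "pkg:oci/influxdb?tag=2.7.1"

// Constructed sample findings: the gddo alert from this thread plus an
// unrelated placeholder finding with no VEX statement, which must stay actionable.
var sampleFindings = []Finding{
	{Product: productID, Package: "github.com/golang/gddo", CVE: "CVE-2018-12976", Severity: "CRITICAL"},
	{Product: productID, Package: "example.invalid/other", CVE: "CVE-EXAMPLE-1", Severity: "HIGH"},
}

// NotAffected builds a not_affected statement and rejects free-text justifications,
// so the document stays machine-evaluable by downstream tooling.
func NotAffected(cve, product, justification, impact string) (Statement, error) {
	if !validJustifications[justification] {
		return Statement{}, fmt.Errorf("invalid OpenVEX justification %q", justification)
	}
	return Statement{
		Vulnerability:   Vulnerability{Name: cve},
		Products:        []Product{{ID: product}},
		Status:          "not_affected",
		Justification:   justification,
		ImpactStatement: impact,
	}, nil
}

// ExampleDocument encodes jdstrand's analysis from the thread as a VEX statement.
func ExampleDocument() (Document, error) {
	st, err := NotAffected("CVE-2018-12976", productID, "vulnerable_code_not_in_execute_path",
		"influxdb only calls httputil.NegotiateContentType from github.com/golang/gddo/httputil; "+
			"the affected gddo server code is not executed.")
	if err != nil {
		return Document{}, err
	}
	return Document{
		Context:    "https://openvex.dev/ns/v0.2.0",
		ID:         "https://example.invalid/vex/influxdb-2.7.1", // placeholder document id
		Author:     "example security team",
		Timestamp:  time.Now().UTC(),
		Version:    1,
		Statements: []Statement{st},
	}, nil
}

// covered reports whether doc carries a not_affected or fixed statement for
// the finding's CVE and product; any other status leaves the finding open.
func covered(f Finding, doc Document) bool {
	for _, s := range doc.Statements {
		if s.Vulnerability.Name != f.CVE || (s.Status != "not_affected" && s.Status != "fixed") {
			continue
		}
		for _, p := range s.Products {
			if p.ID == f.Product {
				return true
			}
		}
	}
	return false
}

// Triage splits findings into those still needing action and those the VEX
// document suppresses; suppressed findings are kept, not discarded, for audit.
func Triage(findings []Finding, doc Document) (actionable, suppressed []Finding) {
	for _, f := range findings {
		if covered(f, doc) {
			suppressed = append(suppressed, f)
		} else {
			actionable = append(actionable, f)
		}
	}
	return actionable, suppressed
}

func main() {
	doc, err := ExampleDocument()
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(doc, "", "  ")
	fmt.Println(string(out))
	actionable, suppressed := Triage(sampleFindings, doc)
	fmt.Printf("actionable: %v\nsuppressed: %v\n", actionable, suppressed)
}
```

The justification `vulnerable_code_not_in_execute_path` is the machine-readable form of "code not used" in the thread; a statement like this should be backed by reachability evidence (for Go modules, `govulncheck` reports whether the vulnerable symbols are reachable from your binary's call graph) rather than by a go.mod grep, and the suppressed findings should be retained alongside the compliance report rather than silently dropped.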
