I am rather new to Ansible/AWX… Does anybody know if the default install of AWX uses lodash… the company’s vulnerability scanner found a potential vulnerability alert on Lodash, I have no idea where it is installed… I do know it is somehow related to js… I am currently using AWX 15.0.1, which I know is not the latest
Hi All,
I am trying to import all the images to my private ACR through dedicated organization-level pipelines, which scan the images using the Snyk tool, and below are the vulnerability results.
Do you have a more detailed report, i.e. what is the critical vulnerability for the awx-operator that your scanner flagged?
AWX Team
Hi,
Below is the list.
I somehow managed to fix the awx-operator image.
AWX Image:
| Snyk | Severity | CVSSv3 Score | CVE | Description | Module | Disclosed | Published |
|---|---|---|---|---|---|---|---|
| Snyk | high | 8.8 | CVE-2022-1271 | Incorrect Behavior Order: Early Validation | centos:9:xz-libs@5.2.5-8.el9 | 2022-04-07 | 2022-04-09 |
| … | high | 7.5 | CVE-2022-24070 | Use After Free | centos:9:subversion-libs@1.14.1-5.el9 | 2021-11-04 | 2022-04-13 |
| … | high | 7.5 | CVE-2022-24070 | Use After Free | centos:9:subversion@1.14.1-5.el9 | 2021-11-04 | 2022-04-13 |
| … | high | 5.3 | CVE-2023-40217 | Authentication Bypass by Primary Weakness | centos:9:python3-libs@3.9.17-1.el9 | 2023-08-25 | 2023-08-31 |
| … | high | 5.3 | CVE-2023-40217 | Authentication Bypass by Primary Weakness | centos:9:python3-devel@3.9.17-1.el9 | 2023-08-25 | 2023-08-31 |
| … | high | 5.3 | CVE-2023-40217 | Authentication Bypass by Primary Weakness | centos:9:python3@3.9.17-1.el9 | 2023-08-25 | 2023-08-31 |
| … | high | 8.6 | CVE-2022-47629 | Integer Overflow or Wraparound | centos:9:libksba@1.5.1-6.el9 | 2022-10-17 | 2023-01-17 |
| … | high | 7.5 | CVE-2023-23946 | Directory Traversal | centos:9:git-core@2.39.3-1.el9 | 2023-02-14 | 2023-02-18 |
| … | high | 5.5 | CVE-2023-22490 | Resource Leak | centos:9:git-core@2.39.3-1.el9 | 2023-02-14 | 2023-02-18 |
| … | high | 2.2 | CVE-2023-25815 | Use of Externally-Controlled Format String | centos:9:git-core@2.39.3-1.el9 | 2023-04-25 | 2023-04-26 |
| … | high | 7.8 | CVE-2023-29007 | Arbitrary Code Injection | centos:9:git-core@2.39.3-1.el9 | 2023-04-25 | 2023-04-26 |
| … | high | 7.5 | CVE-2023-25652 | Directory Traversal | centos:9:git-core@2.39.3-1.el9 | 2023-04-25 | 2023-04-26 |
…