I saw that the AWX, AWX-operator and AWX-ee images on quay.io contain many vulnerabilities. Do we have any plan/roadmap to reduce them?
Hey @Crimrose,
as far as I am aware, these images are mostly built on CentOS Stream (8/9) images.
If you use them in certain contexts, for instance as an EE base image, the tooling will update the packages via dnf update. So the vulnerabilities you see in Quay might not be correct.
I don't trust the quay.io vulnerability report. I used other tools like Twistlock scan and Trivy to scan these images. Each image contains more than 70 vulnerabilities.
As I saw in the Dockerfile of these images, they install many packages, some of which may not be very necessary, like vim. We can remove them to reduce the image size and the number of vulnerabilities, and some package versions contain risks.
You can try scanning them with external tools. If needed, I can share the list of vulnerabilities that I already scanned.
I think we can mitigate vulnerabilities from upstream images.
AWX:23.7.0
quay.io/ansible/awx:23.7.0
Compliance (Critical, High or Expired)
ID | Title | Severity | Category | Exception |
---|---|---|---|---|
425 | Private keys stored in image | high | Twistlock Labs | |
Vulnerabilities (Critical, High or Expired)
CVE | Severity | CVSS | Package | Exception |
---|---|---|---|---|
CVE-2023-5869 | high | 8.8 | postgresql 13.11-1.el9 | |
CVE-2023-5869 | high | 8.8 | postgresql-private-libs 13.11-1.el9 | |
CVE-2022-1271 | high | 8.8 | xz-libs 5.2.5-8.el9 | |
CVE-2022-47629 | high | 8.6 | libksba 1.5.1-6.el9 | Similar exceptions |
PRISMA-2022-0168 | high | 7.8 | pip 21.2.3 | |
CVE-2024-22190 | high | 7.8 | gitpython 3.1.32 | |
CVE-2023-40590 | high | 7.8 | gitpython 3.1.32 | |
PRISMA-2023-0024 | high | 7.5 | aiohttp 3.8.3 | |
CVE-2023-49083 | high | 7.5 | cryptography 41.0.3 | |
CVE-2023-46695 | high | 7.5 | django 4.2.6 | |
CVE-2023-45283 | high | 7.5 | go 1.21.3 | |
CVE-2023-44487 | high | 7.5 | libnghttp2 1.43.0-5.el9.1 | |
CVE-2023-27522 | high | 7.5 | uwsgi 2.0.21 | |
CVE-2022-24070 | high | 7.5 | subversion-libs 1.14.1-5.el9 | |
CVE-2022-24070 | high | 7.5 | subversion 1.14.1-5.el9 | |
CVE-2024-23342 | high | 7.4 | ecdsa 0.18.0 | |
CVE-2023-49081 | high | 7.2 | aiohttp 3.8.3 | |
CVE-2023-2454 | high | 7.2 | postgresql-private-libs 13.11-1.el9 | |
CVE-2022-28331 | critical | 9.8 | apr 1.7.0-12.el9 | |
CVE-2022-23806 | high | 8.2 | git-lfs 3.4.1-1.el9 | Similar exceptions |
CVE-2023-2603 | high | 7.8 | libcap 2.48-9.el9 | Similar exceptions |
CVE-2022-47024 | high | 7.8 | vim-minimal 8.2.2637-20.el9 | |
CVE-2023-5363 | high | 7.5 | openssl-libs 3.0.7-25.el9 | |
CVE-2023-5363 | high | 7.5 | openssl 3.0.7-25.el9 | |
CVE-2023-39417 | high | 7.5 | postgresql-private-libs 13.11-1.el9 | |
CVE-2023-39417 | high | 7.5 | postgresql 13.11-1.el9 | |
CVE-2022-46663 | high | 7.5 | less 590-2.el9 | |
CVE-2023-7104 | high | 7.3 | sqlite-libs 3.34.1-7.el9 | |
CVE-2022-0413 | high | 7.3 | vim-minimal 8.2.2637-20.el9 | |
CVE-2023-2454 | high | 7.2 | postgresql 13.11-1.el9 | |
CVE-2022-2625 | high | 7.1 | postgresql-private-libs 13.11-1.el9 | |
CVE-2022-2625 | high | 7.1 | postgresql 13.11-1.el9 | |
CVE-2023-42465 | high | 7 | sudo 1.9.5p2-9.el9 | |
CVE-2022-3715 | medium | 6.6 | bash 5.1.8-6.el9 | Similar exceptions |
CVE-2024-23829 | medium | 6.5 | aiohttp 3.8.3 | |
CVE-2023-51385 | medium | 6.5 | openssh 8.7p1-38.el9 | |
CVE-2023-51385 | medium | 6.5 | openssh-clients 8.7p1-38.el9 | |
CVE-2023-41040 | medium | 6.5 | gitpython 3.1.32 | |
CVE-2023-39615 | medium | 6.5 | libxml2 2.9.13-5.el9 | |
CVE-2023-28859 | medium | 6.5 | redis 4.3.5 | |
CVE-2023-22652 | medium | 6.5 | libeconf 0.4.1-3.el9 | |
CVE-2022-24963 | medium | 6.5 | apr 1.7.0-12.el9 | |
CVE-2023-32681 | medium | 6.1 | requests 2.28.1 | Similar exceptions |
CVE-2021-32052 | medium | 6.1 | python 3.9.18 | |
CVE-2024-23334 | medium | 5.9 | aiohttp 3.8.3 | |
CVE-2023-7008 | medium | 5.9 | systemd-pam 252-24.el9 | |
CVE-2023-7008 | medium | 5.9 | systemd-rpm-macros 252-24.el9 | |
CVE-2023-7008 | medium | 5.9 | systemd-libs 252-24.el9 | |
CVE-2023-7008 | medium | 5.9 | systemd 252-24.el9 | |
CVE-2023-48795 | medium | 5.9 | openssh 8.7p1-38.el9 | |
CVE-2023-48795 | medium | 5.9 | openssh-clients 8.7p1-38.el9 | |
CVE-2021-46848 | medium | 5.9 | libtasn1 4.16.0-8.el9 | Similar exceptions |
CVE-2021-23336 | medium | 5.9 | python3-devel 3.9.18-2.el9 | Similar exceptions |
CVE-2021-23336 | medium | 5.9 | python3-libs 3.9.18-2.el9 | Similar exceptions |
CVE-2021-23336 | medium | 5.9 | python3 3.9.18-2.el9 | Similar exceptions |
CVE-2024-22365 | medium | 5.5 | pam 1.5.1-17.el9 | |
CVE-2022-48303 | medium | 5.5 | tar 1.34-6.el9 | Similar exceptions |
CVE-2021-3997 | medium | 5.5 | systemd-libs 252-24.el9 | |
CVE-2021-3997 | medium | 5.5 | systemd-rpm-macros 252-24.el9 | |
CVE-2021-3997 | medium | 5.5 | systemd-pam 252-24.el9 | |
CVE-2021-3997 | medium | 5.5 | systemd 252-24.el9 | |
CVE-2024-22195 | medium | 5.4 | jinja2 3.1.2 | |
CVE-2023-6681 | medium | 5.3 | jwcrypto 1.4.2 | |
CVE-2023-49082 | medium | 5.3 | aiohttp 3.8.3 | |
CVE-2023-47627 | medium | 5.3 | aiohttp 3.8.3 | |
CVE-2023-46218 | medium | 5.3 | curl-minimal 7.76.1-28.el9 | |
CVE-2023-46218 | medium | 5.3 | libcurl-minimal 7.76.1-28.el9 | |
CVE-2023-45284 | medium | 5.3 | go 1.21.3 | |
CVE-2023-37276 | medium | 5.3 | aiohttp 3.8.3 | |
CVE-2023-28487 | medium | 5.3 | sudo 1.9.5p2-9.el9 | Similar exceptions |
CVE-2023-28486 | medium | 5.3 | sudo 1.9.5p2-9.el9 | Similar exceptions |
CVE-2022-0391 | medium | 5.3 | python3-devel 3.9.18-2.el9 | Similar exceptions |
CVE-2022-0391 | medium | 5.3 | python3-libs 3.9.18-2.el9 | Similar exceptions |
CVE-2022-0391 | medium | 5.3 | python3 3.9.18-2.el9 | Similar exceptions |
CVE-2023-5868 | medium | 4.3 | postgresql-private-libs 13.11-1.el9 | |
CVE-2023-5868 | medium | 4.3 | postgresql 13.11-1.el9 | |
CVE-2023-45803 | medium | 4.2 | urllib3 1.26.17 | |
CVE-2023-2455 | medium | 4.2 | postgresql 13.11-1.el9 | |
CVE-2023-2455 | medium | 4.2 | postgresql-private-libs 13.11-1.el9 | |
GHSA-pjjw-qhg8-p2p9 | medium | 4 | aiohttp 3.8.3 | |
CVE-2023-37920 | critical | 9.1 | ca-certificates 2023.2.60_v7.0.306-90.1.el9 | |
CVE-2016-1247 | high | 7.4 | nginx-filesystem 1.22.1-2.el9 | |
CVE-2016-1247 | high | 7.4 | nginx 1.22.1-2.el9 | |
CVE-2023-2953 | high | 7.1 | openldap 2.6.6-1.el9 | Similar exceptions |
CVE-2023-4752 | high | 7 | vim-minimal 8.2.2637-20.el9 | |
CVE-2023-6129 | medium | 6.5 | openssl 3.0.7-25.el9 | |
CVE-2023-6129 | medium | 6.5 | openssl-libs 3.0.7-25.el9 | |
CVE-2023-50495 | medium | 6.5 | ncurses-libs 6.2-10.20210508.el9 | |
CVE-2023-50495 | medium | 6.5 | ncurses-base 6.2-10.20210508.el9 | |
CVE-2023-32636 | medium | 6.2 | glib2 2.68.4-12.el9 | Similar exceptions |
CVE-2023-6237 | medium | 5.9 | openssl-libs 3.0.7-25.el9 | |
CVE-2023-6237 | medium | 5.9 | openssl 3.0.7-25.el9 | |
CVE-2022-48554 | medium | 5.5 | file-libs 5.39-14.el9 | |
CVE-2022-47011 | medium | 5.5 | gdb-gdbserver 10.2-13.el9 | |
CVE-2022-47010 | medium | 5.5 | gdb-gdbserver 10.2-13.el9 | |
CVE-2022-47007 | medium | 5.5 | gdb-gdbserver 10.2-13.el9 | |
CVE-2022-1674 | medium | 5.5 | vim-minimal 8.2.2637-20.el9 | |
CVE-2021-3903 | medium | 5.5 | vim-minimal 8.2.2637-20.el9 | |
CVE-2023-5678 | medium | 5.3 | openssl-libs 3.0.7-25.el9 | |
CVE-2023-5678 | medium | 5.3 | openssl 3.0.7-25.el9 | |
CVE-2023-3817 | medium | 5.3 | openssl 3.0.7-25.el9 | |
CVE-2023-3817 | medium | 5.3 | openssl-libs 3.0.7-25.el9 | |
CVE-2023-3446 | medium | 5.3 | openssl 3.0.7-25.el9 | |
CVE-2023-3446 | medium | 5.3 | openssl-libs 3.0.7-25.el9 | |
CVE-2023-2975 | medium | 5.3 | openssl-libs 3.0.7-25.el9 | |
CVE-2023-2975 | medium | 5.3 | openssl 3.0.7-25.el9 | |
CVE-2022-41409 | medium | 5.3 | pcre2-syntax 10.40-4.el9 | |
CVE-2022-41409 | medium | 5.3 | pcre2 10.40-4.el9 | |
CVE-2024-0232 | medium | 4.7 | sqlite-libs 3.34.1-7.el9 | |
CVE-2021-3572 | medium | 4.5 | python3-pip 21.2.3-7.el9 | Similar exceptions |
CVE-2021-3572 | medium | 4.5 | python3-pip-wheel 21.2.3-7.el9 | Similar exceptions |
CVE-2023-28858 | low | 3.7 | redis 4.3.5 | |
CVE-2022-41862 | low | 3.7 | postgresql-private-libs 13.11-1.el9 | |
CVE-2022-41862 | low | 3.7 | postgresql 13.11-1.el9 | |
CVE-2024-0727 | low | 3.3 | openssl-libs 3.0.7-25.el9 | |
CVE-2024-0727 | low | 3.3 | openssl 3.0.7-25.el9 | |
CVE-2023-2602 | low | 3.3 | libcap 2.48-9.el9 | Similar exceptions |
CVE-2021-4217 | low | 3.3 | unzip 6.0-56.el9 | |
CVE-2023-39418 | low | 3.1 | postgresql-private-libs 13.11-1.el9 | |
CVE-2023-39418 | low | 3.1 | postgresql 13.11-1.el9 | |
CVE-2023-5870 | low | 2.2 | postgresql 13.11-1.el9 | |
CVE-2023-5870 | low | 2.2 | postgresql-private-libs 13.11-1.el9 | |
GHSA-v8gr-m533-ghj9 | low | 1 | cryptography 41.0.3 | |
AWX-operator
Quay
Vulnerabilities (Critical, High or Expired)
CVE | Severity | CVSS | Package | Exception |
---|---|---|---|---|
CVE-2023-40217 | high | 8.6 | python39 3.9.16-1.module+el8.8.0+18968+3d7b19f0.1 | |
CVE-2023-40217 | high | 8.6 | python3-libs 3.6.8-51.el8_8.1 | |
CVE-2023-40217 | high | 8.6 | platform-python 3.6.8-51.el8_8.1 | |
CVE-2023-40217 | high | 8.6 | python39-libs 3.9.16-1.module+el8.8.0+18968+3d7b19f0.1 | |
CVE-2023-39323 | high | 8.1 | go 1.19.13 | |
PRISMA-2022-0168 | high | 7.8 | pip 20.2.4 | |
CVE-2023-4911 | high | 7.8 | glibc-common 2.28-225.el8 | |
CVE-2023-4911 | high | 7.8 | glibc-minimal-langpack 2.28-225.el8 | |
CVE-2023-4911 | high | 7.8 | glibc 2.28-225.el8 | |
GHSA-m425-mq94-257g | high | 7.5 | grpc package - google.golang.org/grpc - Go Packages v1.53.0 | |
CVE-2023-49083 | high | 7.5 | cryptography 41.0.3 | |
CVE-2023-45287 | high | 7.5 | go 1.19.13 | |
CVE-2023-45285 | high | 7.5 | go 1.19.13 | |
CVE-2023-45283 | high | 7.5 | go 1.19.13 | |
CVE-2023-44487 | high | 7.5 | libnghttp2 1.33.0-3.el8_2.1 | |
CVE-2023-39325 | high | 7.5 | The Go Programming Language v0.10.0 | |
CVE-2024-0553 | high | 7.5 | gnutls 3.6.16-6.el8_7 | |
CVE-2023-36632 | high | 7.5 | python39-setuptools 50.3.2-4.module+el8.5.0+12204+54860423 | |
CVE-2023-36632 | high | 7.5 | python39-setuptools-wheel 50.3.2-4.module+el8.5.0+12204+54860423 | |
CVE-2023-36632 | high | 7.5 | python39-pip 20.2.4-7.module+el8.6.0+13003+6bb2c488 | |
CVE-2023-36632 | high | 7.5 | python39-libs 3.9.16-1.module+el8.8.0+18968+3d7b19f0.1 | |
CVE-2023-36632 | high | 7.5 | python39 3.9.16-1.module+el8.8.0+18968+3d7b19f0.1 | |
CVE-2023-36632 | high | 7.5 | python3-libs 3.6.8-51.el8_8.1 | |
CVE-2023-36632 | high | 7.5 | python39-pip-wheel 20.2.4-7.module+el8.6.0+13003+6bb2c488 | |
CVE-2023-36632 | high | 7.5 | platform-python 3.6.8-51.el8_8.1 | |
CVE-2022-48560 | high | 7.5 | python3-libs 3.6.8-51.el8_8.1 | |
CVE-2022-48560 | high | 7.5 | platform-python 3.6.8-51.el8_8.1 | |
CVE-2023-7104 | high | 7.3 | sqlite-libs 3.26.0-18.el8_8 | |
CVE-2023-5764 | medium | 6.6 | ansible-core 2.15.3 | |
CVE-2023-5455 | medium | 6.5 | krb5-libs 1.18.2-25.el8_8 | |
CVE-2023-4527 | medium | 6.5 | glibc-minimal-langpack 2.28-225.el8 | |
CVE-2023-4527 | medium | 6.5 | glibc-common 2.28-225.el8 | |
CVE-2023-4527 | medium | 6.5 | glibc 2.28-225.el8 | |
CVE-2023-39615 | medium | 6.5 | libxml2 2.9.7-16.el8_8.1 | |
CVE-2023-39615 | medium | 6.5 | python3-libxml2 2.9.7-16.el8_8.1 | |
CVE-2022-48564 | medium | 6.5 | python3-libs 3.6.8-51.el8_8.1 | |
CVE-2022-48564 | medium | 6.5 | platform-python 3.6.8-51.el8_8.1 | |
CVE-2021-35939 | medium | 6.5 | rpm-libs 4.14.3-26.el8 | Similar exceptions |
CVE-2021-35939 | medium | 6.5 | rpm-build-libs 4.14.3-26.el8 | Similar exceptions |
CVE-2021-35939 | medium | 6.5 | python3-rpm 4.14.3-26.el8 | Similar exceptions |
CVE-2021-35939 | medium | 6.5 | rpm 4.14.3-26.el8 | Similar exceptions |
CVE-2021-35938 | medium | 6.5 | rpm-build-libs 4.14.3-26.el8 | Similar exceptions |
CVE-2021-35938 | medium | 6.5 | rpm-libs 4.14.3-26.el8 | Similar exceptions |
CVE-2021-35938 | medium | 6.5 | python3-rpm 4.14.3-26.el8 | Similar exceptions |
CVE-2021-35938 | medium | 6.5 | rpm 4.14.3-26.el8 | Similar exceptions |
CVE-2021-35937 | medium | 6.3 | rpm-libs 4.14.3-26.el8 | Similar exceptions |
CVE-2021-35937 | medium | 6.3 | rpm 4.14.3-26.el8 | Similar exceptions |
CVE-2021-35937 | medium | 6.3 | rpm-build-libs 4.14.3-26.el8 | Similar exceptions |
CVE-2021-35937 | medium | 6.3 | python3-rpm 4.14.3-26.el8 | Similar exceptions |
CVE-2021-43618 | medium | 6.2 | gmp 6.1.2-10.el8 | Similar exceptions |
CVE-2023-3978 | medium | 6.1 | The Go Programming Language v0.10.0 | |
CVE-2023-39319 | medium | 6.1 | go 1.19.13 | |
CVE-2023-39318 | medium | 6.1 | go 1.19.13 | |
CVE-2023-32681 | medium | 6.1 | python39-pip 20.2.4-7.module+el8.6.0+13003+6bb2c488 | Similar exceptions |
CVE-2023-32681 | medium | 6.1 | python39-libs 3.9.16-1.module+el8.8.0+18968+3d7b19f0.1 | Similar exceptions |
CVE-2023-32681 | medium | 6.1 | python39-setuptools-wheel 50.3.2-4.module+el8.5.0+12204+54860423 | Similar exceptions |
CVE-2023-32681 | medium | 6.1 | python39 3.9.16-1.module+el8.8.0+18968+3d7b19f0.1 | Similar exceptions |
CVE-2023-32681 | medium | 6.1 | python39-setuptools 50.3.2-4.module+el8.5.0+12204+54860423 | Similar exceptions |
CVE-2023-32681 | medium | 6.1 | python39-pip-wheel 20.2.4-7.module+el8.6.0+13003+6bb2c488 | Similar exceptions |
CVE-2021-32052 | medium | 6.1 | python 3.9.16 | |
CVE-2023-7008 | medium | 5.9 | systemd-libs 239-74.el8_8.5 | |
CVE-2023-7008 | medium | 5.9 | systemd 239-74.el8_8.5 | |
CVE-2023-7008 | medium | 5.9 | systemd-pam 239-74.el8_8.5 | |
CVE-2023-5981 | medium | 5.9 | gnutls 3.6.16-6.el8_7 | |
CVE-2023-48795 | medium | 5.9 | libssh-config 0.9.6-10.el8_8 | |
CVE-2023-48795 | medium | 5.9 | libssh 0.9.6-10.el8_8 | |
CVE-2023-4813 | medium | 5.9 | glibc-common 2.28-225.el8 | |
CVE-2023-4813 | medium | 5.9 | glibc-minimal-langpack 2.28-225.el8 | |
CVE-2023-4813 | medium | 5.9 | glibc 2.28-225.el8 | |
CVE-2023-4806 | medium | 5.9 | glibc 2.28-225.el8 | |
CVE-2023-4806 | medium | 5.9 | glibc-minimal-langpack 2.28-225.el8 | |
CVE-2023-4806 | medium | 5.9 | glibc-common 2.28-225.el8 | |
CVE-2023-43804 | medium | 5.9 | python3-urllib3 1.24.2-5.el8 | |
CVE-2022-40897 | medium | 5.9 | python39-setuptools-wheel 50.3.2-4.module+el8.5.0+12204+54860423 | Similar exceptions [GIM-104322]; 2023-04-13 waiting_for_scan [GIM-79943] |
CVE-2022-40897 | medium | 5.9 | python39-setuptools 50.3.2-4.module+el8.5.0+12204+54860423 | Similar exceptions [GIM-104322] |
CVE-2024-22365 | medium | 5.5 | pam 1.3.1-25.el8 | |
CVE-2024-22195 | medium | 5.4 | jinja2 3.1.2 | |
CVE-2023-46218 | medium | 5.3 | curl 7.61.1-30.el8_8.3 | |
CVE-2023-46218 | medium | 5.3 | libcurl 7.61.1-30.el8_8.3 | |
CVE-2023-45284 | medium | 5.3 | go 1.19.13 | |
CVE-2023-44487 | medium | 5.3 | grpc package - google.golang.org/grpc - Go Packages v1.53.0 | |
CVE-2023-44487 | medium | 5.3 | The Go Programming Language v0.10.0 | |
CVE-2023-39326 | medium | 5.3 | go 1.19.13 | |
CVE-2023-27043 | medium | 5.3 | python39-libs 3.9.16-1.module+el8.8.0+18968+3d7b19f0.1 | Similar exceptions |
CVE-2023-27043 | medium | 5.3 | python39-pip 20.2.4-7.module+el8.6.0+13003+6bb2c488 | Similar exceptions |
CVE-2023-27043 | medium | 5.3 | python3-libs 3.6.8-51.el8_8.1 | Similar exceptions |
CVE-2023-27043 | medium | 5.3 | python39-setuptools-wheel 50.3.2-4.module+el8.5.0+12204+54860423 | Similar exceptions |
CVE-2023-27043 | medium | 5.3 | python39-setuptools 50.3.2-4.module+el8.5.0+12204+54860423 | Similar exceptions |
CVE-2023-27043 | medium | 5.3 | python39 3.9.16-1.module+el8.8.0+18968+3d7b19f0.1 | Similar exceptions |
CVE-2023-27043 | medium | 5.3 | platform-python 3.6.8-51.el8_8.1 | Similar exceptions |
CVE-2023-27043 | medium | 5.3 | python39-pip-wheel 20.2.4-7.module+el8.6.0+13003+6bb2c488 | Similar exceptions [GIM-99819] [GIM-99848] |
CVE-2022-0391 | medium | 5.3 | python39-setuptools-wheel 50.3.2-4.module+el8.5.0+12204+54860423 | Similar exceptions |
CVE-2022-0391 | medium | 5.3 | python39-setuptools 50.3.2-4.module+el8.5.0+12204+54860423 | Similar exceptions |
CVE-2022-0391 | medium | 5.3 | python39-pip-wheel 20.2.4-7.module+el8.6.0+13003+6bb2c488 | Similar exceptions |
CVE-2022-0391 | medium | 5.3 | python39-libs 3.9.16-1.module+el8.8.0+18968+3d7b19f0.1 | Similar exceptions |
CVE-2022-0391 | medium | 5.3 | python39 3.9.16-1.module+el8.8.0+18968+3d7b19f0.1 | Similar exceptions |
CVE-2022-0391 | medium | 5.3 | python39-pip 20.2.4-7.module+el8.6.0+13003+6bb2c488 | Similar exceptions |
CVE-2023-45803 | medium | 4.2 | python3-urllib3 1.24.2-5.el8 | |
CVE-2023-37920 | critical | 9.1 | ca-certificates 2023.2.60_v7.0.306-80.0.el8_8 | |
CVE-2022-2182 | high | 7.8 | vim-minimal 8.0.1763-19.el8_6.4 | Similar exceptions |
CVE-2023-50495 | medium | 6.5 | ncurses-libs 6.1-9.20180224.el8_8.1 | |
CVE-2023-50495 | medium | 6.5 | ncurses-base 6.1-9.20180224.el8_8.1 | |
CVE-2023-32665 | medium | 6.5 | glib2 2.56.4-161.el8 | Similar exceptions; 2023-09-06 assign_resource |
CVE-2023-32611 | medium | 6.5 | glib2 2.56.4-161.el8 | Similar exceptions; 2023-09-06 assign_resource |
CVE-2020-19188 | medium | 6.5 | ncurses-base 6.1-9.20180224.el8_8.1 | |
CVE-2020-19188 | medium | 6.5 | ncurses-libs 6.1-9.20180224.el8_8.1 | |
CVE-2023-22745 | medium | 6.4 | tpm2-tss 2.3.2-4.el8 | |
CVE-2023-29499 | medium | 6.2 | glib2 2.56.4-161.el8 | Similar exceptions; 2023-09-06 assign_resource |
CVE-2023-6004 | medium | 6.1 | libssh-config 0.9.6-10.el8_8 | |
CVE-2023-6004 | medium | 6.1 | libssh 0.9.6-10.el8_8 | |
CVE-2022-47011 | medium | 5.5 | gdb-gdbserver 8.2-19.el8 | |
CVE-2022-47010 | medium | 5.5 | gdb-gdbserver 8.2-19.el8 | |
CVE-2022-47007 | medium | 5.5 | gdb-gdbserver 8.2-19.el8 | |
CVE-2022-2923 | medium | 5.5 | vim-minimal 8.0.1763-19.el8_6.4 | Similar exceptions; 2023-06-21 pending_triage |
CVE-2021-39537 | medium | 5.5 | ncurses-libs 6.1-9.20180224.el8_8.1 | |
CVE-2021-39537 | medium | 5.5 | ncurses-base 6.1-9.20180224.el8_8.1 | |
CVE-2020-20703 | medium | 5.5 | vim-minimal 8.0.1763-19.el8_6.4 | |
CVE-2022-41409 | medium | 5.3 | pcre2 10.32-3.el8_6 | |
CVE-2024-0232 | medium | 4.7 | sqlite-libs 3.26.0-18.el8_8 | |
CVE-2023-4641 | medium | 4.7 | shadow-utils 4.6-17.el8 | |
CVE-2023-6918 | low | 3.7 | libssh 0.9.6-10.el8_8 | |
CVE-2023-6918 | low | 3.7 | libssh-config 0.9.6-10.el8_8 | |
CVE-2023-38546 | low | 3.7 | curl 7.61.1-30.el8_8.3 | |
CVE-2023-38546 | low | 3.7 | libcurl 7.61.1-30.el8_8.3 | |
CVE-2023-28322 | low | 3.7 | libcurl 7.61.1-30.el8_8.3 | Similar exceptions; 2023-07-05 assign_resource |
CVE-2023-28322 | low | 3.7 | curl 7.61.1-30.el8_8.3 | Similar exceptions; 2023-07-05 assign_resource |
CVE-2023-27534 | low | 3.7 | curl 7.61.1-30.el8_8.3 | Similar exceptions; 2023-07-20 waiting_for_scan [GIM-99740]; 2023-08-25 assign_resource |
CVE-2023-27534 | low | 3.7 | libcurl 7.61.1-30.el8_8.3 | Similar exceptions; 2023-07-20 waiting_for_scan [GIM-99740]; 2023-08-25 assign_resource |
CVE-2024-0727 | low | 3.3 | openssl 1.1.1k-12.el8_9 | |
CVE-2024-0727 | low | 3.3 | openssl-libs 1.1.1k-12.el8_9 | |
GHSA-v8gr-m533-ghj9 | low | 1 | cryptography 41.0.3 | |
AWX-ee
Quay
Compliance (Critical, High or Expired)
ID | Title | Severity | Category | Exception |
---|---|---|---|---|
425 | Private keys stored in image | high | Twistlock Labs | |
Vulnerabilities (Critical, High or Expired)
CVE | Severity | CVSS | Package | Exception |
---|---|---|---|---|
CVE-2022-1271 | high | 8.8 | xz-libs 5.2.5-8.el9 | |
CVE-2022-47629 | high | 8.6 | libksba 1.5.1-6.el9 | Similar exceptions |
CVE-2023-39323 | high | 8.1 | go 1.20.6 | |
PRISMA-2022-0168 | high | 7.8 | pip 23.3.2 | |
PRISMA-2023-0024 | high | 7.5 | aiohttp 3.9.3 | |
CVE-2023-45285 | high | 7.5 | go 1.20.6 | |
CVE-2023-45283 | high | 7.5 | go 1.20.6 | |
CVE-2023-45283 | high | 7.5 | go 1.21.3 | |
CVE-2023-44487 | high | 7.5 | libnghttp2 1.43.0-5.el9.1 | |
CVE-2023-39325 | high | 7.5 | go 1.20.6 | |
CVE-2022-24070 | high | 7.5 | subversion-libs 1.14.1-5.el9 | |
CVE-2022-24070 | high | 7.5 | subversion 1.14.1-5.el9 | |
CVE-2024-23652 | high | 7.4 | podman-remote 4.8.1-1.el9 | |
CVE-2022-28331 | critical | 9.8 | apr 1.7.0-12.el9 | |
CVE-2022-23806 | high | 8.2 | git-lfs 3.4.1-1.el9 | Similar exceptions |
CVE-2023-2603 | high | 7.8 | libcap 2.48-9.el9 | Similar exceptions |
CVE-2022-47024 | high | 7.8 | vim-minimal 8.2.2637-20.el9 | |
CVE-2024-23651 | high | 7.5 | podman-remote 4.8.1-1.el9 | |
CVE-2023-5363 | high | 7.5 | openssl 3.0.7-25.el9 | |
CVE-2023-5363 | high | 7.5 | openssl-libs 3.0.7-25.el9 | |
CVE-2022-46663 | high | 7.5 | less 590-2.el9 | |
CVE-2022-30631 | high | 7.5 | podman-remote 4.8.1-1.el9 | Similar exceptions |
CVE-2023-7104 | high | 7.3 | sqlite-libs 3.34.1-7.el9 | |
CVE-2022-0413 | high | 7.3 | vim-minimal 8.2.2637-20.el9 | |
CVE-2023-0778 | medium | 6.8 | podman-remote 4.8.1-1.el9 | |
CVE-2022-3715 | medium | 6.6 | bash 5.1.8-6.el9 | Similar exceptions |
CVE-2023-6683 | medium | 6.5 | qemu-img 8.2.0-2.el9 | |
CVE-2023-51385 | medium | 6.5 | openssh-clients 8.7p1-38.el9 | |
CVE-2023-51385 | medium | 6.5 | openssh 8.7p1-38.el9 | |
CVE-2023-39615 | medium | 6.5 | libxml2 2.9.13-5.el9 | |
CVE-2023-3255 | medium | 6.5 | qemu-img 8.2.0-2.el9 | |
CVE-2023-22652 | medium | 6.5 | libeconf 0.4.1-3.el9 | |
CVE-2022-24963 | medium | 6.5 | apr 1.7.0-12.el9 | |
CVE-2023-5088 | medium | 6.4 | qemu-img 8.2.0-2.el9 | |
CVE-2023-39319 | medium | 6.1 | go 1.20.6 | |
CVE-2023-39318 | medium | 6.1 | go 1.20.6 | |
CVE-2021-32052 | medium | 6.1 | python 3.9.18 | |
CVE-2023-3019 | medium | 6 | qemu-img 8.2.0-2.el9 | |
CVE-2023-7008 | medium | 5.9 | systemd-pam 252-23.el9 | |
CVE-2023-7008 | medium | 5.9 | systemd-libs 252-23.el9 | |
CVE-2023-7008 | medium | 5.9 | systemd-rpm-macros 252-23.el9 | |
CVE-2023-7008 | medium | 5.9 | systemd 252-23.el9 | |
CVE-2023-48795 | medium | 5.9 | openssh-clients 8.7p1-38.el9 | |
CVE-2023-48795 | medium | 5.9 | openssh 8.7p1-38.el9 | |
CVE-2023-48795 | medium | 5.9 | podman-remote 4.8.1-1.el9 | |
CVE-2023-48795 | medium | 5.9 | paramiko 2.12.0 | |
CVE-2021-46848 | medium | 5.9 | libtasn1 4.16.0-8.el9 | Similar exceptions |
CVE-2021-23336 | medium | 5.9 | python3-libs 3.9.18-2.el9 | Similar exceptions |
CVE-2021-23336 | medium | 5.9 | python3 3.9.18-2.el9 | Similar exceptions |
CVE-2021-23336 | medium | 5.9 | python-unversioned-command 3.9.18-2.el9 | Similar exceptions |
CVE-2023-3301 | medium | 5.6 | qemu-img 8.2.0-2.el9 | |
CVE-2024-22365 | medium | 5.5 | pam 1.5.1-17.el9 | |
CVE-2022-48303 | medium | 5.5 | tar 1.34-6.el9 | Similar exceptions |
CVE-2021-3997 | medium | 5.5 | systemd 252-23.el9 | |
CVE-2021-3997 | medium | 5.5 | systemd-libs 252-23.el9 | |
CVE-2021-3997 | medium | 5.5 | systemd-pam 252-23.el9 | |
CVE-2021-3997 | medium | 5.5 | systemd-rpm-macros 252-23.el9 | |
CVE-2023-46218 | medium | 5.3 | curl-minimal 7.76.1-28.el9 | |
CVE-2023-46218 | medium | 5.3 | libcurl-minimal 7.76.1-28.el9 | |
CVE-2023-45284 | medium | 5.3 | go 1.21.3 | |
CVE-2023-45284 | medium | 5.3 | go 1.20.6 | |
CVE-2023-39326 | medium | 5.3 | podman-remote 4.8.1-1.el9 | |
CVE-2023-39326 | medium | 5.3 | go 1.20.6 | |
CVE-2023-29409 | medium | 5.3 | go 1.20.6 | |
CVE-2022-0391 | medium | 5.3 | python3-libs 3.9.18-2.el9 | Similar exceptions |
CVE-2022-0391 | medium | 5.3 | python3 3.9.18-2.el9 | Similar exceptions |
CVE-2022-0391 | medium | 5.3 | python-unversioned-command 3.9.18-2.el9 | Similar exceptions |
CVE-2023-6693 | medium | 4.9 | qemu-img 8.2.0-2.el9 | |
CVE-2023-37920 | critical | 9.1 | ca-certificates 2023.2.60_v7.0.306-90.1.el9 | |
CVE-2023-2953 | high | 7.1 | openldap 2.6.6-1.el9 | Similar exceptions |
CVE-2023-4752 | high | 7 | vim-minimal 8.2.2637-20.el9 | |
CVE-2023-6129 | medium | 6.5 | openssl-libs 3.0.7-25.el9 | |
CVE-2023-6129 | medium | 6.5 | openssl 3.0.7-25.el9 | |
CVE-2023-50495 | medium | 6.5 | ncurses-libs 6.2-10.20210508.el9 | |
CVE-2023-50495 | medium | 6.5 | ncurses-base 6.2-10.20210508.el9 | |
CVE-2023-32636 | medium | 6.2 | glib2 2.68.4-12.el9 | Similar exceptions |
CVE-2023-6237 | medium | 5.9 | openssl 3.0.7-25.el9 | |
CVE-2023-6237 | medium | 5.9 | openssl-libs 3.0.7-25.el9 | |
CVE-2022-48554 | medium | 5.5 | file-libs 5.39-14.el9 | |
CVE-2022-47011 | medium | 5.5 | gdb-gdbserver 10.2-13.el9 | |
CVE-2022-47010 | medium | 5.5 | gdb-gdbserver 10.2-13.el9 | |
CVE-2022-47007 | medium | 5.5 | gdb-gdbserver 10.2-13.el9 | |
CVE-2022-1674 | medium | 5.5 | vim-minimal 8.2.2637-20.el9 | |
CVE-2021-3903 | medium | 5.5 | vim-minimal 8.2.2637-20.el9 | |
CVE-2023-5678 | medium | 5.3 | openssl-libs 3.0.7-25.el9 | |
CVE-2023-5678 | medium | 5.3 | openssl 3.0.7-25.el9 | |
CVE-2023-3817 | medium | 5.3 | openssl-libs 3.0.7-25.el9 | |
CVE-2023-3817 | medium | 5.3 | openssl 3.0.7-25.el9 | |
CVE-2023-3446 | medium | 5.3 | openssl-libs 3.0.7-25.el9 | |
CVE-2023-3446 | medium | 5.3 | openssl 3.0.7-25.el9 | |
CVE-2023-2975 | medium | 5.3 | openssl-libs 3.0.7-25.el9 | |
CVE-2023-2975 | medium | 5.3 | openssl 3.0.7-25.el9 | |
CVE-2022-41409 | medium | 5.3 | pcre2-syntax 10.40-4.el9 | |
CVE-2022-41409 | medium | 5.3 | pcre2 10.40-4.el9 | |
CVE-2021-41190 | medium | 5 | podman-remote 4.8.1-1.el9 | |
CVE-2024-0232 | medium | 4.7 | sqlite-libs 3.34.1-7.el9 | |
CVE-2021-3572 | medium | 4.5 | python3-pip-wheel 21.2.3-7.el9 | Similar exceptions |
CVE-2021-3595 | low | 3.8 | qemu-img 8.2.0-2.el9 | |
CVE-2021-3594 | low | 3.8 | qemu-img 8.2.0-2.el9 | |
CVE-2021-3593 | low | 3.8 | qemu-img 8.2.0-2.el9 | |
CVE-2021-3592 | low | 3.8 | qemu-img 8.2.0-2.el9 | |
CVE-2024-0727 | low | 3.3 | openssl 3.0.7-25.el9 | |
CVE-2024-0727 | low | 3.3 | openssl-libs 3.0.7-25.el9 | |
CVE-2023-2602 | low | 3.3 | libcap 2.48-9.el9 | |
CVE-2021-4217 | low | 3.3 | unzip 6.0-56.el9 | |
CVE-2021-20263 | low | 3.3 | qemu-img 8.2.0-2.el9 | |
CVE-2021-3735 | low | 3.2 | qemu-img 8.2.0-2.el9 | |
CVE-2020-25743 | low | 3.2 | qemu-img 8.2.0-2.el9 | |
CVE-2020-25741 | low | 3.2 | qemu-img 8.2.0-2.el9 | |
CVE-2020-25723 | low | 3.2 | qemu-img 8.2.0-2.el9 | |
CVE-2020-25084 | low | 3.2 | qemu-img 8.2.0-2.el9 | |
CVE-2020-24352 | low | 2.8 | qemu-img 8.2.0-2.el9 | |
CVE-2023-42465 | low | 2.3 | qemu-img 8.2.0-2.el9 | |
Just worth noting that a lot of these packages (such as vim) are only installed in the development images, not the production images. The Dockerfile is actually a Jinja template, and the production images end up installing a lot fewer packages than the development environment images.
As for unpatched CVEs, this would possibly be something to take up with the CentOS Stream folks, as @nwerker said. We use CentOS Stream 9, and the expectation is that vulnerable packages are fixed there and we pick up those fixes each time we do a release of AWX.
Hopefully we can reduce vulnerable packages in each release. I would very much appreciate that.
Any reason AWX doesn't use UBI 8/9 for its core images?
I have one question.
Are you considering AWX, awx-operator and awx-ee on quay.io as development images, and Automation Platform as the production image?
It makes sense if you treat AWX as a development image. But if we consider it production, we should remove some packages that are only needed during the development phase.
No, the images on quay are production images. The images that you get when you run make docker-compose-build in a clone of awx/awx are dev images.
The dev images have many more packages installed in them than the production images, so if you're just looking at the Dockerfile template (which is shared for both images, but conditionalized on which image is being built), it's important to look at the right section. For example, vim and tmux get installed in the dev image (only). (vim-minimal gets installed in the production image.)