Reduce CVE for AWX's images

I saw that the AWX, AWX-operator and AWX-ee images on quay.io contain many vulnerabilities. Do we have any plan/roadmap to reduce them?

Hey @Crimrose,

as far as I am aware, these images are mostly built on CentOS Stream (8/9) images.

If you use them in certain contexts, for instance as an EE base image, the tooling will update the packages via dnf update. So the vulnerabilities you see in Quay might not be correct.

I don't trust the quay.io vulnerability report. I used other tools like Twistlock scan and Trivy to scan these images. Each image contains more than 70 vulnerabilities.
As I saw in the Dockerfile of these images, they install many packages, some of which may not be very necessary, like vim. We can remove them to reduce the image size and the number of vulnerabilities, and some versions of the packages contain risks.

You can try scanning them with external tools. If needed, I can share the list of vulnerabilities I already scanned.

I think we can mitigate vulnerabilities from upstream images.

1 Like

AWX:23.7.0

:x: quay.io/ansible/awx:23.7.0

Compliance (Critical, High or Expired)

ID Title Severity Category Exception
425 Private keys stored in image high Twistlock Labs

Vulnerabilities (Critical, High or Expired)

CVE Severity CVSS Package Version Exception
CVE-2023-5869 high 8.8 postgresql 13.11-1.el9
CVE-2023-5869 high 8.8 postgresql-private-libs 13.11-1.el9
CVE-2022-1271 high 8.8 xz-libs 5.2.5-8.el9
CVE-2022-47629 high 8.6 libksba 1.5.1-6.el9
PRISMA-2022-0168 high 7.8 pip 21.2.3
CVE-2024-22190 high 7.8 gitpython 3.1.32
CVE-2023-40590 high 7.8 gitpython 3.1.32
PRISMA-2023-0024 high 7.5 aiohttp 3.8.3
CVE-2023-49083 high 7.5 cryptography 41.0.3
CVE-2023-46695 high 7.5 django 4.2.6
CVE-2023-45283 high 7.5 go 1.21.3
CVE-2023-44487 high 7.5 libnghttp2 1.43.0-5.el9.1
CVE-2023-27522 high 7.5 uwsgi 2.0.21
CVE-2022-24070 high 7.5 subversion-libs 1.14.1-5.el9
CVE-2022-24070 high 7.5 subversion 1.14.1-5.el9
CVE-2024-23342 high 7.4 ecdsa 0.18.0
CVE-2023-49081 high 7.2 aiohttp 3.8.3
CVE-2023-2454 high 7.2 postgresql-private-libs 13.11-1.el9
CVE-2022-28331 critical 9.8 apr 1.7.0-12.el9
CVE-2022-23806 high 8.2 git-lfs 3.4.1-1.el9
CVE-2023-2603 high 7.8 libcap 2.48-9.el9
CVE-2022-47024 high 7.8 vim-minimal 8.2.2637-20.el9
CVE-2023-5363 high 7.5 openssl-libs 3.0.7-25.el9
CVE-2023-5363 high 7.5 openssl 3.0.7-25.el9
CVE-2023-39417 high 7.5 postgresql-private-libs 13.11-1.el9
CVE-2023-39417 high 7.5 postgresql 13.11-1.el9
CVE-2022-46663 high 7.5 less 590-2.el9
CVE-2023-7104 high 7.3 sqlite-libs 3.34.1-7.el9
CVE-2022-0413 high 7.3 vim-minimal 8.2.2637-20.el9
CVE-2023-2454 high 7.2 postgresql 13.11-1.el9
CVE-2022-2625 high 7.1 postgresql-private-libs 13.11-1.el9
CVE-2022-2625 high 7.1 postgresql 13.11-1.el9
CVE-2023-42465 high 7 sudo 1.9.5p2-9.el9
CVE-2022-3715 medium 6.6 bash 5.1.8-6.el9
CVE-2024-23829 medium 6.5 aiohttp 3.8.3
CVE-2023-51385 medium 6.5 openssh 8.7p1-38.el9
CVE-2023-51385 medium 6.5 openssh-clients 8.7p1-38.el9
CVE-2023-41040 medium 6.5 gitpython 3.1.32
CVE-2023-39615 medium 6.5 libxml2 2.9.13-5.el9
CVE-2023-28859 medium 6.5 redis 4.3.5
CVE-2023-22652 medium 6.5 libeconf 0.4.1-3.el9
CVE-2022-24963 medium 6.5 apr 1.7.0-12.el9
CVE-2023-32681 medium 6.1 requests 2.28.1
CVE-2021-32052 medium 6.1 python 3.9.18
CVE-2024-23334 medium 5.9 aiohttp 3.8.3
CVE-2023-7008 medium 5.9 systemd-pam 252-24.el9
CVE-2023-7008 medium 5.9 systemd-rpm-macros 252-24.el9
CVE-2023-7008 medium 5.9 systemd-libs 252-24.el9
CVE-2023-7008 medium 5.9 systemd 252-24.el9
CVE-2023-48795 medium 5.9 openssh 8.7p1-38.el9
CVE-2023-48795 medium 5.9 openssh-clients 8.7p1-38.el9
CVE-2021-46848 medium 5.9 libtasn1 4.16.0-8.el9
CVE-2021-23336 medium 5.9 python3-devel 3.9.18-2.el9
CVE-2021-23336 medium 5.9 python3-libs 3.9.18-2.el9
CVE-2021-23336 medium 5.9 python3 3.9.18-2.el9
CVE-2024-22365 medium 5.5 pam 1.5.1-17.el9
CVE-2022-48303 medium 5.5 tar 1.34-6.el9
CVE-2021-3997 medium 5.5 systemd-libs 252-24.el9
CVE-2021-3997 medium 5.5 systemd-rpm-macros 252-24.el9
CVE-2021-3997 medium 5.5 systemd-pam 252-24.el9
CVE-2021-3997 medium 5.5 systemd 252-24.el9
CVE-2024-22195 medium 5.4 jinja2 3.1.2
CVE-2023-6681 medium 5.3 jwcrypto 1.4.2
CVE-2023-49082 medium 5.3 aiohttp 3.8.3
CVE-2023-47627 medium 5.3 aiohttp 3.8.3
CVE-2023-46218 medium 5.3 curl-minimal 7.76.1-28.el9
CVE-2023-46218 medium 5.3 libcurl-minimal 7.76.1-28.el9
CVE-2023-45284 medium 5.3 go 1.21.3
CVE-2023-37276 medium 5.3 aiohttp 3.8.3
CVE-2023-28487 medium 5.3 sudo 1.9.5p2-9.el9
CVE-2023-28486 medium 5.3 sudo 1.9.5p2-9.el9
CVE-2022-0391 medium 5.3 python3-devel 3.9.18-2.el9
CVE-2022-0391 medium 5.3 python3-libs 3.9.18-2.el9
CVE-2022-0391 medium 5.3 python3 3.9.18-2.el9
CVE-2023-5868 medium 4.3 postgresql-private-libs 13.11-1.el9
CVE-2023-5868 medium 4.3 postgresql 13.11-1.el9
CVE-2023-45803 medium 4.2 urllib3 1.26.17
CVE-2023-2455 medium 4.2 postgresql 13.11-1.el9
CVE-2023-2455 medium 4.2 postgresql-private-libs 13.11-1.el9
GHSA-pjjw-qhg8-p2p9 medium 4 aiohttp 3.8.3
CVE-2023-37920 critical 9.1 ca-certificates 2023.2.60_v7.0.306-90.1.el9
CVE-2016-1247 high 7.4 nginx-filesystem 1.22.1-2.el9
CVE-2016-1247 high 7.4 nginx 1.22.1-2.el9
CVE-2023-2953 high 7.1 openldap 2.6.6-1.el9
CVE-2023-4752 high 7 vim-minimal 8.2.2637-20.el9
CVE-2023-6129 medium 6.5 openssl 3.0.7-25.el9
CVE-2023-6129 medium 6.5 openssl-libs 3.0.7-25.el9
CVE-2023-50495 medium 6.5 ncurses-libs 6.2-10.20210508.el9
CVE-2023-50495 medium 6.5 ncurses-base 6.2-10.20210508.el9
CVE-2023-32636 medium 6.2 glib2 2.68.4-12.el9
CVE-2023-6237 medium 5.9 openssl-libs 3.0.7-25.el9
CVE-2023-6237 medium 5.9 openssl 3.0.7-25.el9
CVE-2022-48554 medium 5.5 file-libs 5.39-14.el9
CVE-2022-47011 medium 5.5 gdb-gdbserver 10.2-13.el9
CVE-2022-47010 medium 5.5 gdb-gdbserver 10.2-13.el9
CVE-2022-47007 medium 5.5 gdb-gdbserver 10.2-13.el9
CVE-2022-1674 medium 5.5 vim-minimal 8.2.2637-20.el9
CVE-2021-3903 medium 5.5 vim-minimal 8.2.2637-20.el9
CVE-2023-5678 medium 5.3 openssl-libs 3.0.7-25.el9
CVE-2023-5678 medium 5.3 openssl 3.0.7-25.el9
CVE-2023-3817 medium 5.3 openssl 3.0.7-25.el9
CVE-2023-3817 medium 5.3 openssl-libs 3.0.7-25.el9
CVE-2023-3446 medium 5.3 openssl 3.0.7-25.el9
CVE-2023-3446 medium 5.3 openssl-libs 3.0.7-25.el9
CVE-2023-2975 medium 5.3 openssl-libs 3.0.7-25.el9
CVE-2023-2975 medium 5.3 openssl 3.0.7-25.el9
CVE-2022-41409 medium 5.3 pcre2-syntax 10.40-4.el9
CVE-2022-41409 medium 5.3 pcre2 10.40-4.el9
CVE-2024-0232 medium 4.7 sqlite-libs 3.34.1-7.el9
CVE-2021-3572 medium 4.5 python3-pip 21.2.3-7.el9
CVE-2021-3572 medium 4.5 python3-pip-wheel 21.2.3-7.el9
CVE-2023-28858 low 3.7 redis 4.3.5
CVE-2022-41862 low 3.7 postgresql-private-libs 13.11-1.el9
CVE-2022-41862 low 3.7 postgresql 13.11-1.el9
CVE-2024-0727 low 3.3 openssl-libs 3.0.7-25.el9
CVE-2024-0727 low 3.3 openssl 3.0.7-25.el9
CVE-2023-2602 low 3.3 libcap 2.48-9.el9
CVE-2021-4217 low 3.3 unzip 6.0-56.el9
CVE-2023-39418 low 3.1 postgresql-private-libs 13.11-1.el9
CVE-2023-39418 low 3.1 postgresql 13.11-1.el9
CVE-2023-5870 low 2.2 postgresql 13.11-1.el9
CVE-2023-5870 low 2.2 postgresql-private-libs 13.11-1.el9
GHSA-v8gr-m533-ghj9 low 1 cryptography 41.0.3

AWX-operator

:x: Quay

Vulnerabilities (Critical, High or Expired)

CVE Severity CVSS Package Version Exception
CVE-2023-40217 high 8.6 python39 3.9.16-1.module+el8.8.0+18968+3d7b19f0.1
CVE-2023-40217 high 8.6 python3-libs 3.6.8-51.el8_8.1
CVE-2023-40217 high 8.6 platform-python 3.6.8-51.el8_8.1
CVE-2023-40217 high 8.6 python39-libs 3.9.16-1.module+el8.8.0+18968+3d7b19f0.1
CVE-2023-39323 high 8.1 go 1.19.13
PRISMA-2022-0168 high 7.8 pip 20.2.4
CVE-2023-4911 high 7.8 glibc-common 2.28-225.el8
CVE-2023-4911 high 7.8 glibc-minimal-langpack 2.28-225.el8
CVE-2023-4911 high 7.8 glibc 2.28-225.el8
GHSA-m425-mq94-257g high 7.5 google.golang.org/grpc v1.53.0
CVE-2023-49083 high 7.5 cryptography 41.0.3
CVE-2023-45287 high 7.5 go 1.19.13
CVE-2023-45285 high 7.5 go 1.19.13
CVE-2023-45283 high 7.5 go 1.19.13
CVE-2023-44487 high 7.5 libnghttp2 1.33.0-3.el8_2.1
CVE-2023-39325 high 7.5 The Go Programming Language v0.10.0
CVE-2024-0553 high 7.5 gnutls 3.6.16-6.el8_7
CVE-2023-36632 high 7.5 python39-setuptools 50.3.2-4.module+el8.5.0+12204+54860423
CVE-2023-36632 high 7.5 python39-setuptools-wheel 50.3.2-4.module+el8.5.0+12204+54860423
CVE-2023-36632 high 7.5 python39-pip 20.2.4-7.module+el8.6.0+13003+6bb2c488
CVE-2023-36632 high 7.5 python39-libs 3.9.16-1.module+el8.8.0+18968+3d7b19f0.1
CVE-2023-36632 high 7.5 python39 3.9.16-1.module+el8.8.0+18968+3d7b19f0.1
CVE-2023-36632 high 7.5 python3-libs 3.6.8-51.el8_8.1
CVE-2023-36632 high 7.5 python39-pip-wheel 20.2.4-7.module+el8.6.0+13003+6bb2c488
CVE-2023-36632 high 7.5 platform-python 3.6.8-51.el8_8.1
CVE-2022-48560 high 7.5 python3-libs 3.6.8-51.el8_8.1
CVE-2022-48560 high 7.5 platform-python 3.6.8-51.el8_8.1
CVE-2023-7104 high 7.3 sqlite-libs 3.26.0-18.el8_8
CVE-2023-5764 medium 6.6 ansible-core 2.15.3
CVE-2023-5455 medium 6.5 krb5-libs 1.18.2-25.el8_8
CVE-2023-4527 medium 6.5 glibc-minimal-langpack 2.28-225.el8
CVE-2023-4527 medium 6.5 glibc-common 2.28-225.el8
CVE-2023-4527 medium 6.5 glibc 2.28-225.el8
CVE-2023-39615 medium 6.5 libxml2 2.9.7-16.el8_8.1
CVE-2023-39615 medium 6.5 python3-libxml2 2.9.7-16.el8_8.1
CVE-2022-48564 medium 6.5 python3-libs 3.6.8-51.el8_8.1
CVE-2022-48564 medium 6.5 platform-python 3.6.8-51.el8_8.1
CVE-2021-35939 medium 6.5 rpm-libs 4.14.3-26.el8
CVE-2021-35939 medium 6.5 rpm-build-libs 4.14.3-26.el8
CVE-2021-35939 medium 6.5 python3-rpm 4.14.3-26.el8
CVE-2021-35939 medium 6.5 rpm 4.14.3-26.el8
CVE-2021-35938 medium 6.5 rpm-build-libs 4.14.3-26.el8
CVE-2021-35938 medium 6.5 rpm-libs 4.14.3-26.el8
CVE-2021-35938 medium 6.5 python3-rpm 4.14.3-26.el8
CVE-2021-35938 medium 6.5 rpm 4.14.3-26.el8
CVE-2021-35937 medium 6.3 rpm-libs 4.14.3-26.el8
CVE-2021-35937 medium 6.3 rpm 4.14.3-26.el8
CVE-2021-35937 medium 6.3 rpm-build-libs 4.14.3-26.el8
CVE-2021-35937 medium 6.3 python3-rpm 4.14.3-26.el8
CVE-2021-43618 medium 6.2 gmp 6.1.2-10.el8
CVE-2023-3978 medium 6.1 The Go Programming Language v0.10.0
CVE-2023-39319 medium 6.1 go 1.19.13
CVE-2023-39318 medium 6.1 go 1.19.13
CVE-2023-32681 medium 6.1 python39-pip 20.2.4-7.module+el8.6.0+13003+6bb2c488
CVE-2023-32681 medium 6.1 python39-libs 3.9.16-1.module+el8.8.0+18968+3d7b19f0.1
CVE-2023-32681 medium 6.1 python39-setuptools-wheel 50.3.2-4.module+el8.5.0+12204+54860423
CVE-2023-32681 medium 6.1 python39 3.9.16-1.module+el8.8.0+18968+3d7b19f0.1
CVE-2023-32681 medium 6.1 python39-setuptools 50.3.2-4.module+el8.5.0+12204+54860423
CVE-2023-32681 medium 6.1 python39-pip-wheel 20.2.4-7.module+el8.6.0+13003+6bb2c488
CVE-2021-32052 medium 6.1 python 3.9.16
CVE-2023-7008 medium 5.9 systemd-libs 239-74.el8_8.5
CVE-2023-7008 medium 5.9 systemd 239-74.el8_8.5
CVE-2023-7008 medium 5.9 systemd-pam 239-74.el8_8.5
CVE-2023-5981 medium 5.9 gnutls 3.6.16-6.el8_7
CVE-2023-48795 medium 5.9 libssh-config 0.9.6-10.el8_8
CVE-2023-48795 medium 5.9 libssh 0.9.6-10.el8_8
CVE-2023-4813 medium 5.9 glibc-common 2.28-225.el8
CVE-2023-4813 medium 5.9 glibc-minimal-langpack 2.28-225.el8
CVE-2023-4813 medium 5.9 glibc 2.28-225.el8
CVE-2023-4806 medium 5.9 glibc 2.28-225.el8
CVE-2023-4806 medium 5.9 glibc-minimal-langpack 2.28-225.el8
CVE-2023-4806 medium 5.9 glibc-common 2.28-225.el8
CVE-2023-43804 medium 5.9 python3-urllib3 1.24.2-5.el8
CVE-2022-40897 medium 5.9 python39-setuptools-wheel 50.3.2-4.module+el8.5.0+12204+54860423 [GIM-104322] - 2023-04-13 - waiting_for_scan; [GIM-79943]
CVE-2022-40897 medium 5.9 python39-setuptools 50.3.2-4.module+el8.5.0+12204+54860423 [GIM-104322]
CVE-2024-22365 medium 5.5 pam 1.3.1-25.el8
CVE-2024-22195 medium 5.4 jinja2 3.1.2
CVE-2023-46218 medium 5.3 curl 7.61.1-30.el8_8.3
CVE-2023-46218 medium 5.3 libcurl 7.61.1-30.el8_8.3
CVE-2023-45284 medium 5.3 go 1.19.13
CVE-2023-44487 medium 5.3 google.golang.org/grpc v1.53.0
CVE-2023-44487 medium 5.3 The Go Programming Language v0.10.0
CVE-2023-39326 medium 5.3 go 1.19.13
CVE-2023-27043 medium 5.3 python39-libs 3.9.16-1.module+el8.8.0+18968+3d7b19f0.1
CVE-2023-27043 medium 5.3 python39-pip 20.2.4-7.module+el8.6.0+13003+6bb2c488
CVE-2023-27043 medium 5.3 python3-libs 3.6.8-51.el8_8.1
CVE-2023-27043 medium 5.3 python39-setuptools-wheel 50.3.2-4.module+el8.5.0+12204+54860423
CVE-2023-27043 medium 5.3 python39-setuptools 50.3.2-4.module+el8.5.0+12204+54860423
CVE-2023-27043 medium 5.3 python39 3.9.16-1.module+el8.8.0+18968+3d7b19f0.1
CVE-2023-27043 medium 5.3 platform-python 3.6.8-51.el8_8.1
CVE-2023-27043 medium 5.3 python39-pip-wheel 20.2.4-7.module+el8.6.0+13003+6bb2c488 [GIM-99819]; [GIM-99848]
CVE-2022-0391 medium 5.3 python39-setuptools-wheel 50.3.2-4.module+el8.5.0+12204+54860423
CVE-2022-0391 medium 5.3 python39-setuptools 50.3.2-4.module+el8.5.0+12204+54860423
CVE-2022-0391 medium 5.3 python39-pip-wheel 20.2.4-7.module+el8.6.0+13003+6bb2c488
CVE-2022-0391 medium 5.3 python39-libs 3.9.16-1.module+el8.8.0+18968+3d7b19f0.1
CVE-2022-0391 medium 5.3 python39 3.9.16-1.module+el8.8.0+18968+3d7b19f0.1
CVE-2022-0391 medium 5.3 python39-pip 20.2.4-7.module+el8.6.0+13003+6bb2c488
CVE-2023-45803 medium 4.2 python3-urllib3 1.24.2-5.el8
CVE-2023-37920 critical 9.1 ca-certificates 2023.2.60_v7.0.306-80.0.el8_8
CVE-2022-2182 high 7.8 vim-minimal 8.0.1763-19.el8_6.4
CVE-2023-50495 medium 6.5 ncurses-libs 6.1-9.20180224.el8_8.1
CVE-2023-50495 medium 6.5 ncurses-base 6.1-9.20180224.el8_8.1
CVE-2023-32665 medium 6.5 glib2 2.56.4-161.el8 2023-09-06 - assign_resource
CVE-2023-32611 medium 6.5 glib2 2.56.4-161.el8 2023-09-06 - assign_resource; 2023-09-06 - assign_resource
CVE-2020-19188 medium 6.5 ncurses-base 6.1-9.20180224.el8_8.1
CVE-2020-19188 medium 6.5 ncurses-libs 6.1-9.20180224.el8_8.1
CVE-2023-22745 medium 6.4 tpm2-tss 2.3.2-4.el8
CVE-2023-29499 medium 6.2 glib2 2.56.4-161.el8 2023-09-06 - assign_resource; 2023-09-06 - assign_resource
CVE-2023-6004 medium 6.1 libssh-config 0.9.6-10.el8_8
CVE-2023-6004 medium 6.1 libssh 0.9.6-10.el8_8
CVE-2022-47011 medium 5.5 gdb-gdbserver 8.2-19.el8
CVE-2022-47010 medium 5.5 gdb-gdbserver 8.2-19.el8
CVE-2022-47007 medium 5.5 gdb-gdbserver 8.2-19.el8
CVE-2022-2923 medium 5.5 vim-minimal 8.0.1763-19.el8_6.4 2023-06-21 - pending_triage
CVE-2021-39537 medium 5.5 ncurses-libs 6.1-9.20180224.el8_8.1
CVE-2021-39537 medium 5.5 ncurses-base 6.1-9.20180224.el8_8.1
CVE-2020-20703 medium 5.5 vim-minimal 8.0.1763-19.el8_6.4
CVE-2022-41409 medium 5.3 pcre2 10.32-3.el8_6
CVE-2024-0232 medium 4.7 sqlite-libs 3.26.0-18.el8_8
CVE-2023-4641 medium 4.7 shadow-utils 4.6-17.el8
CVE-2023-6918 low 3.7 libssh 0.9.6-10.el8_8
CVE-2023-6918 low 3.7 libssh-config 0.9.6-10.el8_8
CVE-2023-38546 low 3.7 curl 7.61.1-30.el8_8.3
CVE-2023-38546 low 3.7 libcurl 7.61.1-30.el8_8.3
CVE-2023-28322 low 3.7 libcurl 7.61.1-30.el8_8.3 2023-07-05 - assign_resource; 2023-07-05 - assign_resource; 2023-07-05 - assign_resource
CVE-2023-28322 low 3.7 curl 7.61.1-30.el8_8.3 2023-07-05 - assign_resource; 2023-07-05 - assign_resource
CVE-2023-27534 low 3.7 curl 7.61.1-30.el8_8.3 2023-07-20 - waiting_for_scan; [GIM-99740] - 2023-08-25 - assign_resource
CVE-2023-27534 low 3.7 libcurl 7.61.1-30.el8_8.3 2023-07-20 - waiting_for_scan; [GIM-99740] - 2023-08-25 - assign_resource
CVE-2024-0727 low 3.3 openssl 1.1.1k-12.el8_9
CVE-2024-0727 low 3.3 openssl-libs 1.1.1k-12.el8_9
GHSA-v8gr-m533-ghj9 low 1 cryptography 41.0.3

AWX-ee

:x: Quay

Compliance (Critical, High or Expired)

ID Title Severity Category Exception
425 Private keys stored in image high Twistlock Labs

Vulnerabilities (Critical, High or Expired)

CVE Severity CVSS Package Version Exception
CVE-2022-1271 high 8.8 xz-libs 5.2.5-8.el9
CVE-2022-47629 high 8.6 libksba 1.5.1-6.el9
CVE-2023-39323 high 8.1 go 1.20.6
PRISMA-2022-0168 high 7.8 pip 23.3.2
PRISMA-2023-0024 high 7.5 aiohttp 3.9.3
CVE-2023-45285 high 7.5 go 1.20.6
CVE-2023-45283 high 7.5 go 1.20.6
CVE-2023-45283 high 7.5 go 1.21.3
CVE-2023-44487 high 7.5 libnghttp2 1.43.0-5.el9.1
CVE-2023-39325 high 7.5 go 1.20.6
CVE-2022-24070 high 7.5 subversion-libs 1.14.1-5.el9
CVE-2022-24070 high 7.5 subversion 1.14.1-5.el9
CVE-2024-23652 high 7.4 podman-remote 4.8.1-1.el9
CVE-2022-28331 critical 9.8 apr 1.7.0-12.el9
CVE-2022-23806 high 8.2 git-lfs 3.4.1-1.el9
CVE-2023-2603 high 7.8 libcap 2.48-9.el9
CVE-2022-47024 high 7.8 vim-minimal 8.2.2637-20.el9
CVE-2024-23651 high 7.5 podman-remote 4.8.1-1.el9
CVE-2023-5363 high 7.5 openssl 3.0.7-25.el9
CVE-2023-5363 high 7.5 openssl-libs 3.0.7-25.el9
CVE-2022-46663 high 7.5 less 590-2.el9
CVE-2022-30631 high 7.5 podman-remote 4.8.1-1.el9
CVE-2023-7104 high 7.3 sqlite-libs 3.34.1-7.el9
CVE-2022-0413 high 7.3 vim-minimal 8.2.2637-20.el9
CVE-2023-0778 medium 6.8 podman-remote 4.8.1-1.el9
CVE-2022-3715 medium 6.6 bash 5.1.8-6.el9
CVE-2023-6683 medium 6.5 qemu-img 8.2.0-2.el9
CVE-2023-51385 medium 6.5 openssh-clients 8.7p1-38.el9
CVE-2023-51385 medium 6.5 openssh 8.7p1-38.el9
CVE-2023-39615 medium 6.5 libxml2 2.9.13-5.el9
CVE-2023-3255 medium 6.5 qemu-img 8.2.0-2.el9
CVE-2023-22652 medium 6.5 libeconf 0.4.1-3.el9
CVE-2022-24963 medium 6.5 apr 1.7.0-12.el9
CVE-2023-5088 medium 6.4 qemu-img 8.2.0-2.el9
CVE-2023-39319 medium 6.1 go 1.20.6
CVE-2023-39318 medium 6.1 go 1.20.6
CVE-2021-32052 medium 6.1 python 3.9.18
CVE-2023-3019 medium 6 qemu-img 8.2.0-2.el9
CVE-2023-7008 medium 5.9 systemd-pam 252-23.el9
CVE-2023-7008 medium 5.9 systemd-libs 252-23.el9
CVE-2023-7008 medium 5.9 systemd-rpm-macros 252-23.el9
CVE-2023-7008 medium 5.9 systemd 252-23.el9
CVE-2023-48795 medium 5.9 openssh-clients 8.7p1-38.el9
CVE-2023-48795 medium 5.9 openssh 8.7p1-38.el9
CVE-2023-48795 medium 5.9 podman-remote 4.8.1-1.el9
CVE-2023-48795 medium 5.9 paramiko 2.12.0
CVE-2021-46848 medium 5.9 libtasn1 4.16.0-8.el9
CVE-2021-23336 medium 5.9 python3-libs 3.9.18-2.el9
CVE-2021-23336 medium 5.9 python3 3.9.18-2.el9
CVE-2021-23336 medium 5.9 python-unversioned-command 3.9.18-2.el9
CVE-2023-3301 medium 5.6 qemu-img 8.2.0-2.el9
CVE-2024-22365 medium 5.5 pam 1.5.1-17.el9
CVE-2022-48303 medium 5.5 tar 1.34-6.el9
CVE-2021-3997 medium 5.5 systemd 252-23.el9
CVE-2021-3997 medium 5.5 systemd-libs 252-23.el9
CVE-2021-3997 medium 5.5 systemd-pam 252-23.el9
CVE-2021-3997 medium 5.5 systemd-rpm-macros 252-23.el9
CVE-2023-46218 medium 5.3 curl-minimal 7.76.1-28.el9
CVE-2023-46218 medium 5.3 libcurl-minimal 7.76.1-28.el9
CVE-2023-45284 medium 5.3 go 1.21.3
CVE-2023-45284 medium 5.3 go 1.20.6
CVE-2023-39326 medium 5.3 podman-remote 4.8.1-1.el9
CVE-2023-39326 medium 5.3 go 1.20.6
CVE-2023-29409 medium 5.3 go 1.20.6
CVE-2022-0391 medium 5.3 python3-libs 3.9.18-2.el9
CVE-2022-0391 medium 5.3 python3 3.9.18-2.el9
CVE-2022-0391 medium 5.3 python-unversioned-command 3.9.18-2.el9
CVE-2023-6693 medium 4.9 qemu-img 8.2.0-2.el9
CVE-2023-37920 critical 9.1 ca-certificates 2023.2.60_v7.0.306-90.1.el9
CVE-2023-2953 high 7.1 openldap 2.6.6-1.el9
CVE-2023-4752 high 7 vim-minimal 8.2.2637-20.el9
CVE-2023-6129 medium 6.5 openssl-libs 3.0.7-25.el9
CVE-2023-6129 medium 6.5 openssl 3.0.7-25.el9
CVE-2023-50495 medium 6.5 ncurses-libs 6.2-10.20210508.el9
CVE-2023-50495 medium 6.5 ncurses-base 6.2-10.20210508.el9
CVE-2023-32636 medium 6.2 glib2 2.68.4-12.el9
CVE-2023-6237 medium 5.9 openssl 3.0.7-25.el9
CVE-2023-6237 medium 5.9 openssl-libs 3.0.7-25.el9
CVE-2022-48554 medium 5.5 file-libs 5.39-14.el9
CVE-2022-47011 medium 5.5 gdb-gdbserver 10.2-13.el9
CVE-2022-47010 medium 5.5 gdb-gdbserver 10.2-13.el9
CVE-2022-47007 medium 5.5 gdb-gdbserver 10.2-13.el9
CVE-2022-1674 medium 5.5 vim-minimal 8.2.2637-20.el9
CVE-2021-3903 medium 5.5 vim-minimal 8.2.2637-20.el9
CVE-2023-5678 medium 5.3 openssl-libs 3.0.7-25.el9
CVE-2023-5678 medium 5.3 openssl 3.0.7-25.el9
CVE-2023-3817 medium 5.3 openssl-libs 3.0.7-25.el9
CVE-2023-3817 medium 5.3 openssl 3.0.7-25.el9
CVE-2023-3446 medium 5.3 openssl-libs 3.0.7-25.el9
CVE-2023-3446 medium 5.3 openssl 3.0.7-25.el9
CVE-2023-2975 medium 5.3 openssl-libs 3.0.7-25.el9
CVE-2023-2975 medium 5.3 openssl 3.0.7-25.el9
CVE-2022-41409 medium 5.3 pcre2-syntax 10.40-4.el9
CVE-2022-41409 medium 5.3 pcre2 10.40-4.el9
CVE-2021-41190 medium 5 podman-remote 4.8.1-1.el9
CVE-2024-0232 medium 4.7 sqlite-libs 3.34.1-7.el9
CVE-2021-3572 medium 4.5 python3-pip-wheel 21.2.3-7.el9
CVE-2021-3595 low 3.8 qemu-img 8.2.0-2.el9
CVE-2021-3594 low 3.8 qemu-img 8.2.0-2.el9
CVE-2021-3593 low 3.8 qemu-img 8.2.0-2.el9
CVE-2021-3592 low 3.8 qemu-img 8.2.0-2.el9
CVE-2024-0727 low 3.3 openssl 3.0.7-25.el9
CVE-2024-0727 low 3.3 openssl-libs 3.0.7-25.el9
CVE-2023-2602 low 3.3 libcap 2.48-9.el9
CVE-2021-4217 low 3.3 unzip 6.0-56.el9
CVE-2021-20263 low 3.3 qemu-img 8.2.0-2.el9
CVE-2021-3735 low 3.2 qemu-img 8.2.0-2.el9
CVE-2020-25743 low 3.2 qemu-img 8.2.0-2.el9
CVE-2020-25741 low 3.2 qemu-img 8.2.0-2.el9
CVE-2020-25723 low 3.2 qemu-img 8.2.0-2.el9
CVE-2020-25084 low 3.2 qemu-img 8.2.0-2.el9
CVE-2020-24352 low 2.8 qemu-img 8.2.0-2.el9
CVE-2023-42467 low 2.3 qemu-img 8.2.0-2.el9
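The three reports above are pasted in the scanner's flattened form (one advisory row, the package version on the next line, with the "Similar exceptions" toggle text in between), and they list one row per affected sub-package, so the raw count overstates the number of distinct issues (openssl and openssl-libs, postgresql and postgresql-private-libs, four systemd sub-packages). The script below is an added example for this thread, not code from the AWX project or from any poster: it parses that format, collapses rows to unique advisories, and splits them into those sitting in RPM packages, which the base image (and the dnf update an EE build runs, as mentioned earlier in the thread) would refresh, and those in pip or Go packages, which need a dependency bump in the image's own build. The report text in SAMPLE_REPORT is constructed to mimic the thread's format, and the RPM-versus-pip/Go split is a heuristic on the version string assumed by this example, not something the scanner reports.

```python
"""Triage helper for an image scan report pasted in the flattened form seen
in this thread.  Added example, not AWX project code.  The RPM-vs-pip/Go
classification is an assumption based on the version string."""
import re
from collections import defaultdict

# Constructed sample in the thread's format (advisory row, then version line,
# with "Similar exceptions" widget text and a stray ticket line mixed in).
SAMPLE_REPORT = """\
CVE Severity CVSS Package Exception
CVE-2023-5869 high 8.8 postgresql
13.11-1.el9
CVE-2023-5869 high 8.8 postgresql-private-libs
13.11-1.el9
CVE-2022-47629 high 8.6 libksba
1.5.1-6.el9
Similar exceptions[GIM-104322] - 2023-04-13 - waiting_for_scan
[GIM-79943]
PRISMA-2022-0168 high 7.8 pip
21.2.3
CVE-2023-49083 high 7.5 cryptography
41.0.3
CVE-2023-45283 high 7.5 go
1.21.3
CVE-2023-5363 high 7.5 openssl-libs
3.0.7-25.el9
CVE-2023-5363 high 7.5 openssl
3.0.7-25.el9

CVE-2022-28331 critical 9.8 apr
1.7.0-12.el9
CVE-2022-47024 high 7.8 vim-minimal
8.2.2637-20.el9
CVE-2024-23829 medium 6.5 aiohttp
3.8.3
"""

ROW_RE = re.compile(
    r"^(?P<id>CVE-\d{4}-\d+|PRISMA-\d{4}-\d+|GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4})\s+"
    r"(?P<severity>critical|high|medium|low)\s+"
    r"(?P<cvss>\d+(?:\.\d+)?)\s+"
    r"(?P<package>\S.*)$"
)
# RPM versions carry the distro release tag ("13.11-1.el9", "3.6.8-51.el8_8.1",
# "3.9.16-1.module+el8.8.0+..."); pip wheels and Go modules do not (assumption).
RPM_VERSION_RE = re.compile(r"[.+]el\d+(?:[_.+]|$)")


def parse_report(text):
    """Join each advisory row with the version line that follows it.

    Header and blank lines, the "Similar exceptions" toggle text and any
    leftover ticket fragments after it are skipped."""
    rows = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("CVE Severity", "Similar exceptions")):
            continue
        m = ROW_RE.match(line)
        if m:
            pending = m.groupdict()
            pending["cvss"] = float(pending["cvss"])
        elif pending is not None:
            pending["version"] = line
            pending["kind"] = "rpm" if RPM_VERSION_RE.search(line) else "pip/go"
            rows.append(pending)
            pending = None
        # anything else (e.g. a stray "[GIM-...]" line) is widget residue
    return rows


def summarize(rows):
    """Collapse rows to unique advisories and bucket them by remediation path.

    "rpm": every affected package is an RPM, so a base-image refresh fixes it.
    "pip_go": every affected package is a pip/Go dependency of the image build.
    "mixed": both kinds are affected.  Severity is counted once per advisory,
    using its highest-CVSS row."""
    by_id = defaultdict(list)
    for r in rows:
        by_id[r["id"]].append(r)

    def bucket(kinds):
        return sorted(i for i, rs in by_id.items() if {r["kind"] for r in rs} == kinds)

    worst = {i: max(rs, key=lambda r: r["cvss"]) for i, rs in by_id.items()}
    by_severity = defaultdict(int)
    for r in worst.values():
        by_severity[r["severity"]] += 1
    return {
        "rows": len(rows),
        "unique": len(by_id),
        "rpm": bucket({"rpm"}),
        "pip_go": bucket({"pip/go"}),
        "mixed": bucket({"rpm", "pip/go"}),
        "by_severity": dict(by_severity),
    }


if __name__ == "__main__":
    s = summarize(parse_report(SAMPLE_REPORT))
    print(f"{s['rows']} rows -> {s['unique']} unique advisories")
    print("fixable by base-image (RPM) refresh:", ", ".join(s["rpm"]))
    print("need pip/Go dependency bumps:", ", ".join(s["pip_go"]))
    print("worst severity per advisory:", s["by_severity"])
```

Run it on a report copied from the scanner instead of SAMPLE_REPORT to get the same three answers for a real image: how many distinct advisories there are once sub-package duplicates are folded, which of them a rebuild on a refreshed CentOS Stream base would pick up, and which require changing the image's own Python or Go dependencies.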

Just worth noting that a lot of these packages (such as vim) are only installed in the development images, not the production images. The Dockerfile is actually a Jinja template, and the production images end up installing a lot fewer packages than the development environment images.

As for unpatched CVEs, this would possibly be something to take up with the CentOS Stream folks, as @nwerker said. We use CentOS Stream 9, and the expectation is that vulnerable packages are fixed there and we would pick up those fixes each time we do a release of AWX.

2 Likes

Hopefully we can reduce the vulnerable packages in each release. I really appreciate that.

Any reason AWX doesn't use UBI 8/9 for its core images?

I have one question.
Are you considering AWX, awx-operator and awx-ee on quay.io as development images, and the Automation Platform as a production image?

It makes sense if you treat AWX as a development image. But if we consider it production, we should remove some packages that are only needed for the development phase.

No, the images on Quay are production images. The images that you get when you run make docker-compose-build in a clone of awx/awx are dev images.

The dev images have many more packages installed in them than the production images, so if you're just looking at the Dockerfile template (which is shared for both images, but conditionalized on which image is being built), it's important to look at the right section. For example, vim and tmux get installed in the dev image (only). (vim-minimal gets installed in the production image.)

1 Like