Hi! I have recently pulled the official Prometheus docker image and analysed it with Trivy (a security and vulnerability scanner). The result shows several vulnerabilities:
$ trivy image --vuln-type library prom/prometheus
2023-05-29T16:51:13.777+0200 INFO Vulnerability scanning is enabled
2023-05-29T16:51:13.777+0200 INFO Secret scanning is enabled
2023-05-29T16:51:13.777+0200 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-05-29T16:51:13.777+0200 INFO Please see also https://aquasecurity.github.io/trivy/v0.38/docs/secret/scanning/#recommendation for faster secret detection
2023-05-29T16:51:19.490+0200 INFO Number of language-specific files: 2
2023-05-29T16:51:19.490+0200 INFO Detecting gobinary vulnerabilities...
bin/prometheus (gobinary)
Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
┌───────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├───────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/aws/aws-sdk-go │ CVE-2020-8911 │ MEDIUM │ v1.44.245 │ │ aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto │
│ │ │ │ │ │ SDK for golang... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-8911 │
│ ├───────────────┼──────────┤ ├───────────────┼────────────────────────────────────────────────────────────┤
│ │ CVE-2020-8912 │ LOW │ │ │ aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto │
│ │ │ │ │ │ SDK for golang... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-8912 │
└───────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
bin/promtool (gobinary)
Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
┌───────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├───────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/aws/aws-sdk-go │ CVE-2020-8911 │ MEDIUM │ v1.44.245 │ │ aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto │
│ │ │ │ │ │ SDK for golang... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-8911 │
│ ├───────────────┼──────────┤ ├───────────────┼────────────────────────────────────────────────────────────┤
│ │ CVE-2020-8912 │ LOW │ │ │ aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto │
│ │ │ │ │ │ SDK for golang... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-8912 │
└───────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
Do you have any information/statement about these CVEs related to your product? Is your software actually affected by them?
Thanks in advance!
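The question the post raises is whether a scanner match on a Go module means the shipped binaries are actually affected. The following triage script is an added example, not code from the Prometheus project, the Trivy project or the post's author. It reads Trivy's JSON report (`trivy image -f json -o report.json prom/prometheus`), collapses the per-binary duplicates that appear in the output above into one record per package, version and CVE, and separates findings with an upstream fix from those that need a reachability review. It assumes the field names of Trivy's JSON output (`Results[].Target`, `Results[].Vulnerabilities[].VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`, `Title`); the embedded sample report is constructed to mirror the two tables in the post.

```python
"""Triage helper for Trivy JSON reports (added example, not project code).

Usage:
    trivy image -f json -o report.json prom/prometheus
    python triage.py report.json        # or with no argument to use SAMPLE_REPORT
"""
import json
import sys

# Constructed sample shaped like Trivy's JSON output; the values mirror the
# two gobinary tables in the post (same module, same two CVEs, no fixed version).
_AWS_FINDINGS = [
    {"VulnerabilityID": "CVE-2020-8911", "PkgName": "github.com/aws/aws-sdk-go",
     "InstalledVersion": "v1.44.245", "FixedVersion": "", "Severity": "MEDIUM",
     "Title": "aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto SDK for golang"},
    {"VulnerabilityID": "CVE-2020-8912", "PkgName": "github.com/aws/aws-sdk-go",
     "InstalledVersion": "v1.44.245", "FixedVersion": "", "Severity": "LOW",
     "Title": "aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto SDK for golang"},
]
SAMPLE_REPORT = {
    "ArtifactName": "prom/prometheus",
    "Results": [
        {"Target": "bin/prometheus", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [dict(f) for f in _AWS_FINDINGS]},
        {"Target": "bin/promtool", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [dict(f) for f in _AWS_FINDINGS]},
    ],
}


def dedupe_findings(report):
    """Collapse per-target rows into one record per (package, version, CVE).

    Trivy reports a module once per binary that embeds it, so an image with
    several Go binaries lists the same CVE several times; the targets that
    carry each finding are collected instead.
    """
    findings = {}
    for result in report.get("Results", []):
        # Trivy emits null (or omits the key) when a target has no findings.
        for vuln in result.get("Vulnerabilities") or []:
            key = (vuln["PkgName"], vuln.get("InstalledVersion", ""), vuln["VulnerabilityID"])
            rec = findings.setdefault(key, {
                "severity": vuln.get("Severity", "UNKNOWN"),
                "fixed_version": vuln.get("FixedVersion", ""),
                "title": vuln.get("Title", ""),
                "targets": [],
            })
            rec["targets"].append(result.get("Target", "?"))
    return findings


def classify(rec):
    """Route a finding to the question a maintainer has to answer next.

    A module-level match only proves the module is linked in; with no fixed
    version to upgrade to, the remaining question is whether the affected
    code path (here the S3 crypto client named in the titles) is reachable.
    """
    if rec["fixed_version"]:
        return "upgrade available"
    return "no upstream fix; needs reachability review"


def summarize(report):
    """Return one sorted row per distinct finding, with targets and next action."""
    return [
        {"package": pkg, "version": ver, "cve": cve, "severity": rec["severity"],
         "targets": sorted(set(rec["targets"])), "action": classify(rec)}
        for (pkg, ver, cve), rec in sorted(dedupe_findings(report).items())
    ]


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    for row in summarize(report):
        print(f"{row['cve']:<14} {row['severity']:<8} {row['package']}@{row['version']} "
              f"in {', '.join(row['targets'])}: {row['action']}")


if __name__ == "__main__":
    main(sys.argv)
```

Run against the sample, the script reduces the four rows above to two distinct findings, both carried by `bin/prometheus` and `bin/promtool` and both routed to a reachability review because no fixed version is listed. Trivy matches on the module recorded in the binary's build info, which is what `go version -m bin/prometheus` prints; answering "is the software actually affected" then means checking whether the S3 crypto client code the CVE titles refer to is used at all, which is the kind of symbol-level analysis `govulncheck` performs on Go binaries.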