Description
Version of Cadence server, and client (which language)
Server version: v1.3.0
Describe the bug
There are CVEs found in the latest Cadence image: ubercadence/server:v1.3.0
To Reproduce
Is the issue reproducible?
- Yes
Steps to reproduce the behavior:
Pull the latest image ubercadence/server:v1.3.0 from Dockerhub
Scan the image with any vulnerability scanner
| CVE | SEVERITY | CVSS | PACKAGE | VERSION | FIXED IN |
|---|---|---|---|---|---|
| CVE-2025-30204 | high | 8.7 | github.com/golang-jwt/jwt/v5 | v5.2.0 | 5.2.2 |
| PRISMA-2023-0056 | medium | 6.20 | github.com/sirupsen/logrus | v1.9.0 | v1.9.3 |
| CWE-400 | HIGH | 8.7 | github.com/sirupsen/logrus | v1.9.0 | v1.9.1 |
| CVE-2025-22870 | HIGH | 8.8 | golang.org/x/net/http/httpproxy | v0.26.0 | 0.36.0 |
| CVE-2025-22868 | HIGH | 8.7 | golang.org/x/oauth2/jws | v0.11.0 | 0.27.0 |
| CWE-121 | MEDIUM | 5.9 | google.golang.org/protobuf/encoding/protojson | v1.31.0 | 1.32.0 |
| CVE-2024-24786 | MEDIUM | 6.9 | google.golang.org/protobuf/encoding/protojson | v1.31.0 | 1.33.0 |
| CVE-2024-24786 | MEDIUM | 6.9 | google.golang.org/protobuf/internal/encoding/json | v1.31.0 | 1.33.0 |
Compliance Issues
+----------+------------------------------------------------------------------------+
| SEVERITY | DESCRIPTION |
+----------+------------------------------------------------------------------------+
| high | (CIS_Docker_v1.5.0 - 4.1) Image should be created with a non-root user |
+----------+------------------------------------------------------------------------+
| high | Private keys stored in image |
+----------+------------------------------------------------------------------------+
Expected behavior
No more CVEs found
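As an added example (not part of this issue or of the Cadence project), a small Python gate that turns scanner rows like the table above into a pass/fail decision: it normalises the mixed `v5.2.0` / `5.2.2` version strings before comparing them and collapses ids the scanner repeats once per import path. The sample rows, the function names and the severity threshold are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    ident: str      # CVE / CWE / vendor id exactly as the scanner reports it
    severity: str   # upper-cased by the parser
    package: str
    installed: str
    fixed_in: str

def parse_version(v: str) -> tuple:
    """Normalise 'v1.9.3' or '1.33.0' to a tuple of ints. Assumption (true
    for the table above): release versions only; -/+ suffixes are dropped and
    anything non-numeric raises ValueError rather than being silently ordered."""
    core = v.strip().lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))

def needs_upgrade(f: Finding) -> bool:
    # String comparison ranks 'v0.9.0' above '0.36.0'; int tuples do not.
    return parse_version(f.installed) < parse_version(f.fixed_in)

def parse_scanner_table(text: str) -> list:
    """Parse rows: ID | SEVERITY | CVSS | PACKAGE | VERSION | FIXED IN."""
    findings = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 6 or cells[0].upper() == "CVE" or cells[0].startswith("-"):
            continue  # header row, separator row, or malformed line
        findings.append(Finding(cells[0], cells[1].upper(), cells[3], cells[4], cells[5]))
    return findings

def gate(findings, block_on=("HIGH", "CRITICAL")) -> dict:
    """Map each blocking id to the import paths it affects: severity in block_on
    AND installed version below the fix. Ids the scanner repeats once per path
    (CVE-2024-24786 above) collapse to a single entry."""
    blocking = {}
    for f in findings:
        if f.severity in block_on and needs_upgrade(f):
            blocking.setdefault(f.ident, set()).add(f.package)
    return {k: sorted(v) for k, v in sorted(blocking.items())}

# Constructed sample input: rows copied from the scanner table in this issue.
SAMPLE_REPORT = """
CVE | SEVERITY | CVSS | PACKAGE | VERSION | FIXIN |
CVE-2025-30204 | high | 8.7 | github.com/golang-jwt/jwt/v5 | v5.2.0 | 5.2.2 |
PRISMA-2023-0056 | medium | 6.20 | github.com/sirupsen/logrus | v1.9.0 | v1.9.3 |
CVE-2025-22870 | HIGH | 8.8 | golang.org/x/net/http/httpproxy | v0.26.0 | 0.36.0 |
CVE-2024-24786 | MEDIUM | 6.9 | google.golang.org/protobuf/encoding/protojson | v1.31.0 | 1.33.0 |
CVE-2024-24786 | MEDIUM | 6.9 | google.golang.org/protobuf/internal/encoding/json | v1.31.0 | 1.33.0 |
"""
```

Running `gate(parse_scanner_table(SAMPLE_REPORT))` with the default threshold blocks only the two HIGH rows; passing `("MEDIUM", "HIGH", "CRITICAL")` as `block_on` also surfaces the repeated protobuf CVE as one entry with both import paths.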