
Addressing a lot of security vulnerabilities in the Temporalio/admin-tools release temporalio/admin-tools:1.27.1 #7481

Open
@thle40

Description


Expected Behavior

No CVEs found

Actual Behavior

Several CVEs are found in the latest Temporal image:
temporalio/admin-tools:1.27.1-tctl-1.18.2-cli-1.3.0

Steps to Reproduce the Problem

Scan results for: image axonhub.azurecr.us/temporalio/admin-tools:1.27.1-tctl-1.18.2-cli-1.3.0 sha256:8ee113eb55b60642680baaf268e590955f05925f2232abb722ec43e11aee4ed0

Vulnerabilities

+----------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-45338 | high     | 0.00 | golang.org/x/net/html | v0.31.0                               | fixed in 0.33.0                 | 89 days    | < 1 hour   | An attacker can craft an input to the Parse        |
|                |          |      |                       |                                       | 89 days ago                     |            |            | functions that would be processed non-linearly     |
|                |          |      |                       |                                       |                                 |            |            | with respect to its length, resulting in extremely |
|                |          |      |                       |                                       |                                 |            |            | slow par...                                        |
+----------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-2689  | medium   | 4.40 | go.temporal.io/server | v1.18.1-0.20230217005328-b313b7f58641 | fixed in 1.20.5, 1.21.6, 1.22.7 | > 9 months | < 1 hour   | Denial of Service in Temporal Server prior to      |
|                |          |      |                       |                                       | > 9 months ago                  |            |            | version 1.20.5, 1.21.6, and 1.22.7 allows an       |
|                |          |      |                       |                                       |                                 |            |            | authenticated user who has permissions to interact |
|                |          |      |                       |                                       |                                 |            |            | with wor...                                        |
+----------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-3485  | low      | 3.00 | go.temporal.io/server | v1.18.1-0.20230217005328-b313b7f58641 | fixed in 1.20.0                 | > 6 months | < 1 hour   | Insecure defaults in open-source Temporal Server   |
|                |          |      |                       |                                       | > 1 years ago                   |            |            | before version 1.20 on all platforms allows an     |
|                |          |      |                       |                                       |                                 |            |            | attacker to craft a task token with access to a    |
|                |          |      |                       |                                       |                                 |            |            | namesp...                                          |
+----------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2025-21490 | low      | 0.00 | mariadb               | 11.4.4-r1                             | fixed in 11.4.5-r0              | 55 days    | < 1 hour   | Vulnerability in the MySQL Server product of       |
|                |          |      |                       |                                       | 21 days ago                     |            |            | Oracle MySQL (component: InnoDB).  Supported       |
|                |          |      |                       |                                       |                                 |            |            | versions that are affected are 8.0.40 and prior,   |
|                |          |      |                       |                                       |                                 |            |            | 8.4.3 and p...                                     |
+----------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2025-1094  | low      | 0.00 | postgresql17          | 17.2-r0                               | fixed in 17.4-r0                | 32 days    | < 1 hour   | Improper neutralization of quoting syntax in       |
|                |          |      |                       |                                       | 24 days ago                     |            |            | PostgreSQL libpq functions PQescapeLiteral(),      |
|                |          |      |                       |                                       |                                 |            |            | PQescapeIdentifier(), PQescapeString(), and        |
|                |          |      |                       |                                       |                                 |            |            | PQescapeStringC...                                 |
+----------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-8176  | low      | 0.00 | expat                 | 2.6.4-r0                              | fixed in 2.7.0-r0               | 3 days     | < 1 hour   | A stack overflow vulnerability exists in the       |
|                |          |      |                       |                                       | 1 days ago                      |            |            | libexpat library due to the way it handles         |
|                |          |      |                       |                                       |                                 |            |            | recursive entity expansion in XML documents. When  |
|                |          |      |                       |                                       |                                 |            |            | parsing an X...                                    |
+----------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2025-22870  | high    | 8.80 | golang.org/x/net/http/httpproxy | v0.35.0                     | fixed in 0.36.0                 | 3 days     | < 1 hour   |        |
+----------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
