Critical vulnerability found on github.com/cosmos/ibc-go/v4 v4.5.1

Description/Reasoning

Critical vulnerability found on github.com/cosmos/ibc-go/v4 v4.5.1

Current Behaviour

When building a docker image of Axelar 0.35.6 and running trivy to scan for vulns, a Critical vuln is found:

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| github.com/cosmos/ibc-go/v4 | GHSA-j496-crgh-34mx | CRITICAL | fixed | v4.5.1 | 4.6.0 | ibc-go: Potential Reentrancy using Timeout Callbacks in ibc-hooks (https://github.com/advisories/GHSA-j496-crgh-34mx) |

Expected Behaviour

Upon building the image and running trivy, it wouldn't find vulns where there is a fix already available.

Steps to reproduce (for bugs)

Build an image with the following dockerfile:

```dockerfile
FROM amazonlinux:2023

ARG VERSION=v0.35.6
ARG ARCH=x86_64
ARG WASMVM_VERSION=v1.3.1

ADD --chmod=755 https://github.com/axelarnetwork/axelar-core/releases/download/${VERSION}/axelard-linux-${ARCH}-${VERSION} /usr/local/bin/axelard

# jq, lz4, and tar are used for unarchiving snapshots
RUN --mount=type=cache,target=/var/cache/yum \
    yum install -y lz4 tar jq

RUN groupadd --gid 1001 axelard && \
    useradd --uid 1000 --gid 1001 --shell /bin/bash --create-home axelard

RUN wget https://github.com/CosmWasm/wasmvm/releases/download/${WASMVM_VERSION}/libwasmvm.x86_64.so \
      -O /usr/local/lib/libwasmvm.x86_64.so && \
    wget https://github.com/CosmWasm/wasmvm/releases/download/${WASMVM_VERSION}/checksums.txt -O /tmp/checksums.txt && \
    sha256sum /usr/local/lib/libwasmvm.x86_64.so | grep $(cat /tmp/checksums.txt | grep libwasmvm.x86_64.so | cut -d ' ' -f 1);

ENV LD_LIBRARY_PATH=/usr/local/lib:$LD_LIBRARY_PATH

USER axelard
WORKDIR /home/axelard
```

Run trivy against this image built.

Relevant Logs or Files

There are some other vulns found of lower severity:

Total: 6 (UNKNOWN: 0, LOW: 1, MEDIUM: 4, HIGH: 1)

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| github.com/cometbft/cometbft | GHSA-hq58-p9mv-338c | LOW | fixed | v0.34.31 | 0.38.6, 0.37.5, 0.34.32 | CometBFT's default for `BlockParams.MaxBytes` consensus parameter may increase block times and affect... (https://github.com/advisories/GHSA-hq58-p9mv-338c) |
| github.com/dvsekhvalnov/jose2go | CVE-2023-50658 | MEDIUM | fixed | v1.5.0 | 1.6.0 | The jose2go component before 1.6.0 for Go allows attackers to cause a... (https://avd.aquasec.com/nvd/cve-2023-50658) |
| github.com/dvsekhvalnov/jose2go | GHSA-mhpq-9638-x6pw | MEDIUM | fixed | v1.5.0 | 1.5.1-0.20231206184617-48ba0b76bc88 | Denial of service when decrypting attack controlled input in github.com/dvsekhvalnov/jose2go (https://github.com/advisories/GHSA-mhpq-9638-x6pw) |
| github.com/ethereum/go-ethereum | CVE-2023-40591 | HIGH | fixed | v1.10.26 | 1.12.1-stable | Go-Ethereum vulnerable to denial of service via malicious p2p message (https://avd.aquasec.com/nvd/cve-2023-40591) |
| golang.org/x/net | CVE-2023-45288 | MEDIUM | fixed | v0.21.0 | 0.23.0 | golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (https://avd.aquasec.com/nvd/cve-2023-45288) |
| google.golang.org/protobuf | CVE-2024-24786 | MEDIUM | fixed | v1.31.0 | 1.33.0 | golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of... (https://avd.aquasec.com/nvd/cve-2024-24786) |
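A release gate for the trivy result above, added here as an example and not part of this issue or of the Axelar project: it reads a saved `trivy image --format json` report and blocks only on findings at or above a severity threshold that already have a fix available, which is the property the reporter expects the image to satisfy. The JSON below is a constructed sample that mirrors the findings in the tables above plus one hypothetical unfixed finding with a placeholder ID; the `Results`/`Vulnerabilities` field names are trivy's JSON schema.

```python
import json

# Constructed sample of `trivy image --format json` output, mirroring the
# ibc-go, go-ethereum and CometBFT rows reported in this issue (not real output).
# The last entry is a hypothetical unfixed finding with a placeholder ID.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "axelard", "Type": "gobinary",
        "Vulnerabilities": [
            {"VulnerabilityID": "GHSA-j496-crgh-34mx", "PkgName": "github.com/cosmos/ibc-go/v4",
             "InstalledVersion": "v4.5.1", "FixedVersion": "4.6.0", "Severity": "CRITICAL", "Status": "fixed"},
            {"VulnerabilityID": "CVE-2023-40591", "PkgName": "github.com/ethereum/go-ethereum",
             "InstalledVersion": "v1.10.26", "FixedVersion": "1.12.1-stable", "Severity": "HIGH", "Status": "fixed"},
            {"VulnerabilityID": "GHSA-hq58-p9mv-338c", "PkgName": "github.com/cometbft/cometbft",
             "InstalledVersion": "v0.34.31", "FixedVersion": "0.38.6, 0.37.5, 0.34.32", "Severity": "LOW", "Status": "fixed"},
            {"VulnerabilityID": "CVE-XXXX-PLACEHOLDER", "PkgName": "example.com/hypothetical",
             "InstalledVersion": "v0.1.0", "FixedVersion": "", "Severity": "CRITICAL", "Status": "affected"},
        ],
    }]
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def gate_findings(report_json, min_severity="HIGH", ignore_unfixed=True):
    """Return (pkg, id, installed, fixed) tuples that should block a release:
    findings at or above min_severity and, when ignore_unfixed is set, only
    those for which an upstream fix exists. This applies the same policy as
    `trivy image --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1`,
    but on a saved report so it can be audited offline."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity]
    blocking = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            if ignore_unfixed and not v.get("FixedVersion"):
                continue  # no fix to upgrade to; track it, but do not block on it
            blocking.append((v["PkgName"], v["VulnerabilityID"],
                             v["InstalledVersion"], v["FixedVersion"]))
    return blocking


if __name__ == "__main__":
    blocking = gate_findings(SAMPLE_REPORT)
    for pkg, vid, installed, fixed in blocking:
        print(f"BLOCK {vid}: {pkg} {installed} -> upgrade to {fixed}")
    raise SystemExit(1 if blocking else 0)
```

With the sample report the gate exits non-zero on the ibc-go and go-ethereum rows and ignores the LOW CometBFT row and the unfixed placeholder.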