[bitnami/schema-registry] Critical & High Security Finding in Schema-Registry - MiniZip | Zlib #73221
Labels: schema-registry, stale (15 days without activity), tech-issues (The user has a technical issue about an application), triage (Triage is needed)
Name and Version
bitnami/schema-registry:7.7.1
What architecture are you using?
amd64
What steps will reproduce the bug?
Hi,
We are using the Bitnami Schema Registry in the AWS Cloud. The AWS ECR Image Scan has detected critical vulnerabilities, specifically CVE-2023-45853 (https://security-tracker.debian.org/tracker/CVE-2023-45853).
This issue affects all versions from 7.3 to 7.7.1, and unfortunately, this security finding has not been resolved for 1.5 years. Are there plans to patch this in the next versions?
What is the expected behavior?
No High or Critical findings
What do you see instead?
Critical findings
Vulnerable package: zlib::1:1.2.13.dfsg-1
Description: MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.
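The CVE text above says the problem is an integer overflow in MiniZip's zipOpenNewFileInZip4_64 that becomes a heap overflow when a filename, comment or extra field is very long. As an added example (not code from the issue, from Bitnami, or from zlib), the C below models that length arithmetic without linking MiniZip: it keeps minizip's variable names and the PKZIP central-header layout (46 fixed bytes, 16-bit length fields), narrows the computed size to uInt the way the unchecked code does, and contrasts it with a guard in the shape of the upstream fix. The guard is written from memory of the 1.3.1 change rather than copied, and the constant names and the 32-byte ZIP64 slack are assumptions about minizip's internals; the comment field is left out of the model.

```c
/*
 * Added example: models the size computation CVE-2023-45853 describes in
 * MiniZip's zipOpenNewFileInZip4_64(). It does not call MiniZip; it only
 * reproduces the arithmetic so the overflow can be seen on small numbers.
 */
#include <stdint.h>
#include <stdio.h>

typedef unsigned int  uInt;    /* zlib's uInt: 32 bits on common targets */
typedef unsigned long uLong;   /* zlib's uLong: 32 or 64 bits depending on ABI */

#define SIZECENTRALHEADER  46  /* fixed part of a ZIP central directory entry */
#define CENTRAL_EXTRA_FREE 32  /* slack reserved for ZIP64 extra data (assumed) */

/* Unchecked computation: the sum is formed in uLong, then narrowed to uInt
 * before allocation. A filename length near UINT_MAX makes the narrowed
 * value tiny, while the later copy loops still copy size_filename bytes.
 * That mismatch is the heap-based overflow the CVE text describes. */
uInt vuln_alloc_size(uInt size_filename, uInt size_extrafield_global)
{
    uLong size_centralheader = SIZECENTRALHEADER + (uLong)size_filename
                             + (uLong)size_extrafield_global;
    return (uInt)size_centralheader + CENTRAL_EXTRA_FREE;
}

/* Bytes the copy loops would actually write into that buffer. */
uint64_t bytes_written(uInt size_filename, uInt size_extrafield_global)
{
    return (uint64_t)SIZECENTRALHEADER + size_filename + size_extrafield_global;
}

/* 1 if the allocation is smaller than what gets written into it. */
int overflows(uInt size_filename, uInt size_extrafield_global)
{
    return (uint64_t)vuln_alloc_size(size_filename, size_extrafield_global)
         < bytes_written(size_filename, size_extrafield_global);
}

/* Guard in the shape of the upstream fix (written from memory of the zlib
 * 1.3.1 change, not copied): every length that lands in a 16-bit ZIP header
 * field must fit in 16 bits, otherwise the entry is rejected before any
 * allocation or copy happens. */
int header_fields_ok(size_t size_filename, size_t size_extrafield_local,
                     size_t size_extrafield_global, size_t size_comment)
{
    return size_filename          <= 0xFFFF &&
           size_extrafield_local  <= 0xFFFF &&
           size_extrafield_global <= 0xFFFF &&
           size_comment           <= 0xFFFF;
}

int main(void)
{
    /* Constructed lengths: a ~4 GiB filename and a 32-byte global extra field. */
    uInt name_len = 0xFFFFFFF0u, extra_len = 0x20u;

    printf("alloc=%u bytes, copy=%llu bytes, overflow=%d\n",
           vuln_alloc_size(name_len, extra_len),
           (unsigned long long)bytes_written(name_len, extra_len),
           overflows(name_len, extra_len));
    printf("guard: huge name -> %d, 200-byte name -> %d\n",
           header_fields_ok(name_len, 0, extra_len, 0),
           header_fields_ok(200, 0, extra_len, 0));
    return 0;
}
```

The numbers make the triage point: the wrap needs a caller to hand MiniZip a multi-gigabyte filename, comment or extra field, and the CVE note itself says MiniZip is not a supported part of zlib. The scan keys the finding to the zlib package version listed above (zlib::1:1.2.13.dfsg-1); whether any process in the image actually links and calls the MiniZip contrib code is a separate question worth answering before treating the finding as critical.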