[Bug]: CVE-2022-1271 and CVE-2024-3596 Vulnerabilities detected in the latest image version #2778

@Nikhil1203

Description

What happened?

Image with High Severity CVE: CVE-2022-1271
An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.
Operating System: CentOS Stream release 9
Asset Tertiary Identifier: sha256:87c3a239c2ed89773cb45a3ba29c6f6a57ea1d71c79e82ec18e44d18fbb0b812
CVE:
CVE-2022-1271
CVE-2024-3596
Image Name: docker.io/jaegertracing/jaeger-operator:1.62.0
Labels: org.label-schema.license:GPLv2,org.label-schema.name:CentOS Stream 9 Base Image,org.label-schema.schema-version:1.0,org.label-schema.vendor:CentOS,io.buildah.version:1.33.8,org.label-schema.build-date:20241008
Affected packages in this image:
- PackageName: xz, PackageVersion: 5.2.5-8.el9
- PackageName: krb5, PackageVersion: 1.21.1-3.el9

Steps to reproduce

kubectl apply -f https://github.com/jaegertracing/jaeger-operator/releases/download/v1.62.0/jaeger-operator.yaml -n
# Apply simple-jaeger
kubectl apply -f simple-jaeger.yaml -n

Expected behavior

Vulnerabilities are reported in the scans

Relevant log output

Screenshot

No response

Additional context

No response

Jaeger backend version

1.62

SDK

No response

Pipeline

No response

Storage backend

No response

Operating system

No response

Deployment model

Docker

Deployment configs

Metadata

Assignees: No one assigned
Labels: bug (Something isn't working)