"cloudtogo4edge/kubelet:v1.21.1-alpine3.13" CVE vulnerabilities found via trivy docker container:

The output reproduced at the end of this page shows that the command docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image cloudtogo4edge/kubelet:v1.21.1-alpine3.13 was executed on the machine/node with IP address 192.168.0.18.

The output shows that the trivy vulnerability scanner is being used to scan the Docker image with the tag cloudtogo4edge/kubelet:v1.21.1-alpine3.13, which is based on the Alpine 3.13.5 operating system. The scanner downloads a database and scans for known vulnerabilities.

The output also shows that the image has 84 vulnerabilities, with 4 critical vulnerabilities, 29 high, 51 medium, and 0 low severity vulnerabilities. Trivy lists the vulnerabilities found, including their severity, the installed version, fixed version, and title. It also provides a link to further information about each vulnerability.

Additionally, trivy warns that the detected Alpine version is no longer supported by the distribution and that security updates are not provided, so the vulnerability detection may be insufficient.

  • CVE-2021-42381: A security vulnerability affecting the Busybox tool. Specifically, a use-after-free vulnerability in the awk applet that could lead to denial of service and possibly other security issues.
  • The use of a tool called "trivy" to scan a Docker image ("cloudtogo4edge/kubelet:v1.21.1-alpine3.13") for vulnerabilities.
  • The download of a vulnerability database for trivy.
  • The detection of the operating system in the Docker image as "alpine".
  • A warning that the version of Alpine Linux in the image ("3.13.5") is no longer supported by the distribution and that vulnerability detection may be insufficient because security updates are not provided.
  • The scan results indicate that the image has a total of 84 vulnerabilities, including 4 critical, 29 high, 51 medium, and 0 low severity issues.
  • The first vulnerability found in the scan (CVE-2021-36159) is rated critical and affects the "apk-tools" package (installed 2.12.5-r0, fixed in 2.12.6-r0). The issue is in libfetch before 2021-07-26, as used in apk-tools; the title in the scan output is truncated after "mishandles".
  • The second vulnerability found in the scan (CVE-2021-3995) is rated medium and affects the "blkid" utility in the "util-linux" package. The issue involves unauthorized unmount of FUSE filesystems belonging to users with similar UID.

Overall, this information alerts the user to a number of security vulnerabilities in the Docker image being scanned and gives details about the specific vulnerabilities and affected packages. Each finding shown in the table lists a fixed version, and the unsupported-OS warning means further issues may go undetected, which underlines the importance of keeping software and operating systems up to date.

│                       │ CVE-2021-42381 │          │                   │                  │ busybox: use-after-free in awk applet leads to denial of    │
│                       │                │          │                   │                  │ service and possibly...                                     │

[node1] (local) root@192.168.0.18 ~ $ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image cloudtogo4edge/kubelet:v1.21.1-alpine3.13
2023-03-08T05:52:44.235Z INFO Need to update DB
2023-03-08T05:52:44.235Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2023-03-08T05:52:44.235Z INFO Downloading DB...
35.94 MiB / 35.94 MiB [-------------------------------------------------] 100.00% 19.74 MiB p/s 2.0s
2023-03-08T05:52:46.704Z INFO Vulnerability scanning is enabled
2023-03-08T05:52:46.704Z INFO Secret scanning is enabled
2023-03-08T05:52:46.704Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-03-08T05:52:46.704Z INFO Please see also https://aquasecurity.github.io/trivy/v0.38/docs/secret/scanning/#recommendation for faster secret detection
2023-03-08T05:52:48.215Z INFO Detected OS: alpine
2023-03-08T05:52:48.216Z INFO Detecting Alpine vulnerabilities...
2023-03-08T05:52:48.220Z INFO Number of language-specific files: 0
2023-03-08T05:52:48.228Z WARN This OS version is no longer supported by the distribution: alpine 3.13.5
2023-03-08T05:52:48.229Z WARN The vulnerability detection may be insufficient because security updates are not provided

cloudtogo4edge/kubelet:v1.21.1-alpine3.13 (alpine 3.13.5)
=========================================================
Total: 84 (UNKNOWN: 0, LOW: 0, MEDIUM: 51, HIGH: 29, CRITICAL: 4)

┌───────────────────────┬────────────────┬──────────┬───────────────────┬──────────────────┬─────────────────────────────────────────────────────────────┐
│        Library        │ Vulnerability  │ Severity │ Installed Version │  Fixed Version   │                            Title                            │
├───────────────────────┼────────────────┼──────────┼───────────────────┼──────────────────┼─────────────────────────────────────────────────────────────┤
│ apk-tools             │ CVE-2021-36159 │ CRITICAL │ 2.12.5-r0         │ 2.12.6-r0        │ libfetch before 2021-07-26, as used in apk-tools, xbps, and │
│                       │                │          │                   │                  │ other products, mishandles...                               │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2021-36159                  │
├───────────────────────┼────────────────┼──────────┼───────────────────┼──────────────────┼─────────────────────────────────────────────────────────────┤
│ blkid                 │ CVE-2021-3995  │ MEDIUM   │ 2.36.1-r1         │ 2.37.3-r0        │ util-linux: Unauthorized unmount of FUSE filesystems        │
│                       │                │          │                   │                  │ belonging to users with similar uid...                      │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2021-3995                   │
│                       ├────────────────┤          │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2021-3996  │          │                   │                  │ util-linux: Unauthorized unmount of filesystems in libmount │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2021-3996                   │
│                       ├────────────────┤          │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-0563  │          │                   │ 2.37.4-r0        │ util-linux: partial disclosure of arbitrary files in chfn   │
│                       │                │          │                   │                  │ and chsh when compiled...                                   │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-0563                   │
├───────────────────────┼────────────────┼──────────┼───────────────────┼──────────────────┼─────────────────────────────────────────────────────────────┤
│ busybox               │ CVE-2021-42378 │ HIGH     │ 1.32.1-r6         │ 1.32.1-r7        │ busybox: use-after-free in awk applet leads to denial of    │
│                       │                │          │                   │                  │ service and possibly...                                     │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2021-42378                  │
│                       ├────────────────┤          │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2021-42379 │          │                   │                  │ busybox: use-after-free in awk applet leads to denial of    │
│                       │                │          │                   │                  │ service and possibly...                                     │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2021-42379                  │
│                       ├────────────────┤          │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2021-42380 │          │                   │                  │ busybox: use-after-free in awk applet leads to denial of    │
│                       │                │          │                   │                  │ service and possibly...                                     │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2021-42380                  │
│                       ├────────────────┤          │                   │                  ├─────────────────────────────────────────────────────────────┤