Hi! I have recently pulled the official Promtail docker image and analysed it with Trivy (a security and vulnerability scanner). The result shows several vulnerabilities:
```
$ trivy image --vuln-type library grafana/promtail:main-a7976b5
2023-05-30T07:23:02.589Z INFO Vulnerability scanning is enabled
2023-05-30T07:23:02.589Z INFO Secret scanning is enabled
2023-05-30T07:23:02.589Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-05-30T07:23:02.589Z INFO Please see also https://aquasecurity.github.io/trivy/v0.41/docs/secret/scanning/#recommendation for faster secret detection
2023-05-30T07:23:03.404Z INFO Number of language-specific files: 1
2023-05-30T07:23:03.404Z INFO Detecting gobinary vulnerabilities...

usr/bin/loki (gobinary)

Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌───────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│ Library                   │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title                                                      │
├───────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/aws/aws-sdk-go │ CVE-2020-8911 │ MEDIUM   │ v1.44.217         │               │ aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto  │
│                           │               │          │                   │               │ SDK for golang...                                          │
│                           │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8911                  │
│                           ├───────────────┼──────────┤                   ├───────────────┼────────────────────────────────────────────────────────────┤
│                           │ CVE-2020-8912 │ LOW      │                   │               │ aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto │
│                           │               │          │                   │               │ SDK for golang...                                          │
│                           │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8912                  │
└───────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
```
Do you have any information/statement about these CVEs related to your product? Is your software actually affected by them?
Thanks in advance!
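To make the triage step behind this question repeatable, here is an added example (not code from the original post, from Trivy, or from the Promtail project) that reads a Trivy JSON report (`trivy image --format json`), groups findings per package and version, and separates CVEs that have a fixed version (closable by a module bump) from those without one, which need a reachability or not-affected statement from the maintainer instead. The embedded report is a constructed sample that mirrors the two findings shown in the table above; the field names are the ones Trivy's JSON output uses.

```python
"""Triage a Trivy JSON report: flatten findings, group per package, flag unfixed ones.

Added example for this thread, not Trivy's or Promtail's own code. Assumes the
report came from `trivy image --format json` and uses Trivy's public JSON fields
(Results[].Target/Type/Vulnerabilities[].VulnerabilityID, PkgName,
InstalledVersion, FixedVersion, Severity, Title, PrimaryURL).
"""
import json
from collections import defaultdict

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}

# Constructed sample mirroring the two findings in the post; not a real scan dump.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "grafana/promtail:main-a7976b5",
    "Results": [
        {
            "Target": "usr/bin/loki",
            "Class": "lang-pkgs",
            "Type": "gobinary",
            "Vulnerabilities": [
                {
                    "VulnerabilityID": "CVE-2020-8911",
                    "PkgName": "github.com/aws/aws-sdk-go",
                    "InstalledVersion": "v1.44.217",
                    "FixedVersion": "",
                    "Severity": "MEDIUM",
                    "Title": "aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto SDK for golang",
                    "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8911",
                },
                {
                    "VulnerabilityID": "CVE-2020-8912",
                    "PkgName": "github.com/aws/aws-sdk-go",
                    "InstalledVersion": "v1.44.217",
                    "FixedVersion": "",
                    "Severity": "LOW",
                    "Title": "aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto SDK for golang",
                    "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8912",
                },
            ],
        }
    ],
})


def load_findings(report_json, min_severity="LOW"):
    """Flatten Results[].Vulnerabilities[] into one list, dropping entries below min_severity."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity]
    findings = []
    for result in report.get("Results", []):
        # Trivy emits null (not []) for targets without findings, hence the `or []`.
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN")
            if SEVERITY_RANK.get(sev, 0) < threshold:
                continue
            findings.append({
                "target": result.get("Target"),
                "type": result.get("Type"),
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": sev,
                "url": vuln.get("PrimaryURL", ""),
            })
    # Highest severity first, then CVE id, so the output order is stable across runs.
    findings.sort(key=lambda f: (-SEVERITY_RANK[f["severity"]], f["id"]))
    return findings


def group_by_package(findings):
    """Map 'pkg@installed' -> CVE ids, so one upgrade decision covers every CVE in that module."""
    groups = defaultdict(list)
    for f in findings:
        groups[f"{f['pkg']}@{f['installed']}"].append(f["id"])
    return dict(groups)


def needs_vendor_statement(findings):
    """CVEs with an empty FixedVersion cannot be closed by bumping the dependency;
    they need a reachability / not-affected decision from the maintainer."""
    return [f["id"] for f in findings if not f["fixed"]]


if __name__ == "__main__":
    fs = load_findings(SAMPLE_REPORT)
    for f in fs:
        print(f"{f['severity']:8} {f['id']:15} {f['pkg']}@{f['installed']} fixed={f['fixed'] or '-'}")
    print("per package:", group_by_package(fs))
    print("no fix available:", needs_vendor_statement(fs))
```

Run against a real report with `trivy image --format json -o report.json <image>` and pass the file contents to `load_findings`; the `needs_vendor_statement` list is the set of CVEs for which an upgrade alone cannot answer the question asked in this issue.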