
Security: base image promtail has a lot of vulnerabilities #4140

Closed
Joentje opened this issue Aug 11, 2021 · 2 comments · Fixed by #4516
Labels: component/packaging, help wanted (We would love help on these issues. Please come help us!)

Comments


Joentje commented Aug 11, 2021

Describe the bug
Running docker scan on the promtail:2.3.0 image gives a lot of vulnerabilities.


docker scan report

Testing grafana/promtail:2.3.0...

✗ Low severity vulnerability found in util-linux/libuuid1
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-UTILLINUX-1534833
  Introduced through: util-linux/libuuid1@2.33.1-0.1, e2fsprogs@1.44.5-1+deb10u3, util-linux/mount@2.33.1-0.1, util-linux/fdisk@2.33.1-0.1, util-linux/libblkid1@2.33.1-0.1, util-linux@2.33.1-0.1, sysvinit/sysvinit-utils@2.93-8, util-linux/bsdutils@1:2.33.1-0.1, util-linux/libfdisk1@2.33.1-0.1, util-linux/libmount1@2.33.1-0.1, util-linux/libsmartcols1@2.33.1-0.1
  From: util-linux/libuuid1@2.33.1-0.1
  From: e2fsprogs@1.44.5-1+deb10u3 > util-linux/libuuid1@2.33.1-0.1
  From: e2fsprogs@1.44.5-1+deb10u3 > util-linux/libblkid1@2.33.1-0.1 > util-linux/libuuid1@2.33.1-0.1
  and 25 more...
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in tar
  Description: Out-of-bounds Read
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-TAR-1063001
  Introduced through: meta-common-packages@meta
  From: meta-common-packages@meta > tar@1.30+dfsg-6
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in tar
  Description: CVE-2005-2541
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-TAR-312331
  Introduced through: meta-common-packages@meta
  From: meta-common-packages@meta > tar@1.30+dfsg-6
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in tar
  Description: NULL Pointer Dereference
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-TAR-341203
  Introduced through: meta-common-packages@meta
  From: meta-common-packages@meta > tar@1.30+dfsg-6
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in systemd/libsystemd0
  Description: Authentication Bypass
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-SYSTEMD-1291056
  Introduced through: util-linux/bsdutils@1:2.33.1-0.1, systemd/libsystemd-dev@247.3-6~bpo10+1, apt@1.8.2.3, util-linux/mount@2.33.1-0.1, systemd/libudev1@241-7~deb10u8
  From: util-linux/bsdutils@1:2.33.1-0.1 > systemd/libsystemd0@247.3-6~bpo10+1
  From: systemd/libsystemd-dev@247.3-6~bpo10+1 > systemd/libsystemd0@247.3-6~bpo10+1
  From: apt@1.8.2.3 > apt/libapt-pkg5.0@1.8.2.3 > systemd/libsystemd0@247.3-6~bpo10+1
  and 5 more...
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in systemd/libsystemd0
  Description: Link Following
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-SYSTEMD-305144
  Introduced through: util-linux/bsdutils@1:2.33.1-0.1, systemd/libsystemd-dev@247.3-6~bpo10+1, apt@1.8.2.3, util-linux/mount@2.33.1-0.1, systemd/libudev1@241-7~deb10u8
  From: util-linux/bsdutils@1:2.33.1-0.1 > systemd/libsystemd0@247.3-6~bpo10+1
  From: systemd/libsystemd-dev@247.3-6~bpo10+1 > systemd/libsystemd0@247.3-6~bpo10+1
  From: apt@1.8.2.3 > apt/libapt-pkg5.0@1.8.2.3 > systemd/libsystemd0@247.3-6~bpo10+1
  and 5 more...
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in systemd/libsystemd0
  Description: Missing Release of Resource after Effective Lifetime
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-SYSTEMD-542807
  Introduced through: util-linux/bsdutils@1:2.33.1-0.1, systemd/libsystemd-dev@247.3-6~bpo10+1, apt@1.8.2.3, util-linux/mount@2.33.1-0.1, systemd/libudev1@241-7~deb10u8
  From: util-linux/bsdutils@1:2.33.1-0.1 > systemd/libsystemd0@247.3-6~bpo10+1
  From: systemd/libsystemd-dev@247.3-6~bpo10+1 > systemd/libsystemd0@247.3-6~bpo10+1
  From: apt@1.8.2.3 > apt/libapt-pkg5.0@1.8.2.3 > systemd/libsystemd0@247.3-6~bpo10+1
  and 5 more...
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in systemd/libsystemd0
  Description: Improper Input Validation
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-SYSTEMD-570991
  Introduced through: util-linux/bsdutils@1:2.33.1-0.1, systemd/libsystemd-dev@247.3-6~bpo10+1, apt@1.8.2.3, util-linux/mount@2.33.1-0.1, systemd/libudev1@241-7~deb10u8
  From: util-linux/bsdutils@1:2.33.1-0.1 > systemd/libsystemd0@247.3-6~bpo10+1
  From: systemd/libsystemd-dev@247.3-6~bpo10+1 > systemd/libsystemd0@247.3-6~bpo10+1
  From: apt@1.8.2.3 > apt/libapt-pkg5.0@1.8.2.3 > systemd/libsystemd0@247.3-6~bpo10+1
  and 5 more...
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in shadow/passwd
  Description: Time-of-check Time-of-use (TOCTOU)
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-SHADOW-306205
  Introduced through: shadow/passwd@1:4.5-1.1, adduser@3.118, shadow/login@1:4.5-1.1, util-linux/mount@2.33.1-0.1
  From: shadow/passwd@1:4.5-1.1
  From: adduser@3.118 > shadow/passwd@1:4.5-1.1
  From: shadow/login@1:4.5-1.1
  and 1 more...
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in shadow/passwd
  Description: Incorrect Permission Assignment for Critical Resource
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-SHADOW-306230
  Introduced through: shadow/passwd@1:4.5-1.1, adduser@3.118, shadow/login@1:4.5-1.1, util-linux/mount@2.33.1-0.1
  From: shadow/passwd@1:4.5-1.1
  From: adduser@3.118 > shadow/passwd@1:4.5-1.1
  From: shadow/login@1:4.5-1.1
  and 1 more...
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in shadow/passwd
  Description: Access Restriction Bypass
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-SHADOW-306250
  Introduced through: shadow/passwd@1:4.5-1.1, adduser@3.118, shadow/login@1:4.5-1.1, util-linux/mount@2.33.1-0.1
  From: shadow/passwd@1:4.5-1.1
  From: adduser@3.118 > shadow/passwd@1:4.5-1.1
  From: shadow/login@1:4.5-1.1
  and 1 more...
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in shadow/passwd
  Description: Incorrect Permission Assignment for Critical Resource
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-SHADOW-539852
  Introduced through: shadow/passwd@1:4.5-1.1, adduser@3.118, shadow/login@1:4.5-1.1, util-linux/mount@2.33.1-0.1
  From: shadow/passwd@1:4.5-1.1
  From: adduser@3.118 > shadow/passwd@1:4.5-1.1
  From: shadow/login@1:4.5-1.1
  and 1 more...
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in perl/perl-base
  Description: Link Following
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-PERL-327793
  Introduced through: meta-common-packages@meta
  From: meta-common-packages@meta > perl/perl-base@5.28.1-6+deb10u1
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in pcre3/libpcre3
  Description: Out-of-Bounds
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-PCRE3-345321
  Introduced through: meta-common-packages@meta
  From: meta-common-packages@meta > pcre3/libpcre3@2:8.39-12
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in pcre3/libpcre3
  Description: Out-of-Bounds
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-PCRE3-345353
  Introduced through: meta-common-packages@meta
  From: meta-common-packages@meta > pcre3/libpcre3@2:8.39-12
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in pcre3/libpcre3
  Description: Uncontrolled Recursion
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-PCRE3-345502
  Introduced through: meta-common-packages@meta
  From: meta-common-packages@meta > pcre3/libpcre3@2:8.39-12
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in pcre3/libpcre3
  Description: Out-of-Bounds
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-PCRE3-345530
  Introduced through: meta-common-packages@meta
  From: meta-common-packages@meta > pcre3/libpcre3@2:8.39-12
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in pcre3/libpcre3
  Description: Out-of-bounds Read
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-PCRE3-572368
  Introduced through: meta-common-packages@meta
  From: meta-common-packages@meta > pcre3/libpcre3@2:8.39-12
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in openssl/libssl1.1
  Description: Cryptographic Issues
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-OPENSSL-374709
  Introduced through: ca-certificates@20200601~deb10u2
  From: ca-certificates@20200601~deb10u2 > openssl@1.1.1d-0+deb10u6 > openssl/libssl1.1@1.1.1d-0+deb10u6
  From: ca-certificates@20200601~deb10u2 > openssl@1.1.1d-0+deb10u6
  Image layer: '/bin/sh -c apt-get update &&   apt-get install -qy   tzdata ca-certificates'

✗ Low severity vulnerability found in openssl/libssl1.1
  Description: Cryptographic Issues
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-OPENSSL-374996
  Introduced through: ca-certificates@20200601~deb10u2
  From: ca-certificates@20200601~deb10u2 > openssl@1.1.1d-0+deb10u6 > openssl/libssl1.1@1.1.1d-0+deb10u6
  From: ca-certificates@20200601~deb10u2 > openssl@1.1.1d-0+deb10u6
  Image layer: '/bin/sh -c apt-get update &&   apt-get install -qy   tzdata ca-certificates'

✗ Low severity vulnerability found in lz4/liblz4-1
  Description: Out-of-bounds Write
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-LZ4-473072
  Introduced through: systemd/libsystemd-dev@247.3-6~bpo10+1, apt@1.8.2.3
  From: systemd/libsystemd-dev@247.3-6~bpo10+1 > systemd/libsystemd0@247.3-6~bpo10+1 > lz4/liblz4-1@1.8.3-1+deb10u1
  From: apt@1.8.2.3 > apt/libapt-pkg5.0@1.8.2.3 > lz4/liblz4-1@1.8.3-1+deb10u1
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in libtasn1-6
  Description: Resource Management Errors
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-LIBTASN16-339585
  Introduced through: libtasn1-6@4.13-3, apt@1.8.2.3
  From: libtasn1-6@4.13-3
  From: apt@1.8.2.3 > gnutls28/libgnutls30@3.6.7-4+deb10u7 > libtasn1-6@4.13-3
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in libsepol/libsepol1
  Description: Use After Free
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-LIBSEPOL-1315628
  Introduced through: libsepol/libsepol1@2.8-1, adduser@3.118
  From: libsepol/libsepol1@2.8-1
  From: adduser@3.118 > shadow/passwd@1:4.5-1.1 > libsemanage/libsemanage1@2.8-2 > libsepol/libsepol1@2.8-1
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in libsepol/libsepol1
  Description: Out-of-bounds Read
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-LIBSEPOL-1315630
  Introduced through: libsepol/libsepol1@2.8-1, adduser@3.118
  From: libsepol/libsepol1@2.8-1
  From: adduser@3.118 > shadow/passwd@1:4.5-1.1 > libsemanage/libsemanage1@2.8-2 > libsepol/libsepol1@2.8-1
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in libsepol/libsepol1
  Description: Use After Free
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-LIBSEPOL-1315636
  Introduced through: libsepol/libsepol1@2.8-1, adduser@3.118
  From: libsepol/libsepol1@2.8-1
  From: adduser@3.118 > shadow/passwd@1:4.5-1.1 > libsemanage/libsemanage1@2.8-2 > libsepol/libsepol1@2.8-1
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in libsepol/libsepol1
  Description: Use After Free
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-LIBSEPOL-1315642
  Introduced through: libsepol/libsepol1@2.8-1, adduser@3.118
  From: libsepol/libsepol1@2.8-1
  From: adduser@3.118 > shadow/passwd@1:4.5-1.1 > libsemanage/libsemanage1@2.8-2 > libsepol/libsepol1@2.8-1
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in libseccomp/libseccomp2
  Description: Access Restriction Bypass
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-LIBSECCOMP-341044
  Introduced through: libseccomp/libseccomp2@2.3.3-4, apt@1.8.2.3
  From: libseccomp/libseccomp2@2.3.3-4
  From: apt@1.8.2.3 > libseccomp/libseccomp2@2.3.3-4
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in libgcrypt20
  Description: Use of a Broken or Risky Cryptographic Algorithm
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-LIBGCRYPT20-391902
  Introduced through: apt@1.8.2.3, systemd/libsystemd-dev@247.3-6~bpo10+1
  From: apt@1.8.2.3 > gnupg2/gpgv@2.2.12-1+deb10u1 > libgcrypt20@1.8.4-5+deb10u1
  From: systemd/libsystemd-dev@247.3-6~bpo10+1 > systemd/libsystemd0@247.3-6~bpo10+1 > libgcrypt20@1.8.4-5+deb10u1
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in gnutls28/libgnutls30
  Description: Improper Input Validation
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-GNUTLS28-340755
  Introduced through: gnutls28/libgnutls30@3.6.7-4+deb10u7, apt@1.8.2.3
  From: gnutls28/libgnutls30@3.6.7-4+deb10u7
  From: apt@1.8.2.3 > gnutls28/libgnutls30@3.6.7-4+deb10u7
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in gnupg2/gpgv
  Description: Use of a Broken or Risky Cryptographic Algorithm
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-GNUPG2-535553
  Introduced through: gnupg2/gpgv@2.2.12-1+deb10u1, apt@1.8.2.3
  From: gnupg2/gpgv@2.2.12-1+deb10u1
  From: apt@1.8.2.3 > gnupg2/gpgv@2.2.12-1+deb10u1
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in glibc/libc-bin
  Description: Double Free
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-GLIBC-1078993
  Introduced through: glibc/libc-bin@2.28-10, meta-common-packages@meta
  From: glibc/libc-bin@2.28-10
  From: meta-common-packages@meta > glibc/libc6@2.28-10
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in glibc/libc-bin
  Description: Uncontrolled Recursion
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-GLIBC-338106
  Introduced through: glibc/libc-bin@2.28-10, meta-common-packages@meta
  From: glibc/libc-bin@2.28-10
  From: meta-common-packages@meta > glibc/libc6@2.28-10
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in glibc/libc-bin
  Description: Uncontrolled Recursion
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-GLIBC-338163
  Introduced through: glibc/libc-bin@2.28-10, meta-common-packages@meta
  From: glibc/libc-bin@2.28-10
  From: meta-common-packages@meta > glibc/libc6@2.28-10
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in glibc/libc-bin
  Description: Improper Input Validation
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-GLIBC-356371
  Introduced through: glibc/libc-bin@2.28-10, meta-common-packages@meta
  From: glibc/libc-bin@2.28-10
  From: meta-common-packages@meta > glibc/libc6@2.28-10
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in glibc/libc-bin
  Description: Resource Management Errors
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-GLIBC-356671
  Introduced through: glibc/libc-bin@2.28-10, meta-common-packages@meta
  From: glibc/libc-bin@2.28-10
  From: meta-common-packages@meta > glibc/libc6@2.28-10
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in glibc/libc-bin
  Description: Resource Management Errors
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-GLIBC-356735
  Introduced through: glibc/libc-bin@2.28-10, meta-common-packages@meta
  From: glibc/libc-bin@2.28-10
  From: meta-common-packages@meta > glibc/libc6@2.28-10
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in glibc/libc-bin
  Description: CVE-2010-4051
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-GLIBC-356875
  Introduced through: glibc/libc-bin@2.28-10, meta-common-packages@meta
  From: glibc/libc-bin@2.28-10
  From: meta-common-packages@meta > glibc/libc6@2.28-10
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in glibc/libc-bin
  Description: Out-of-Bounds
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-GLIBC-452228
  Introduced through: glibc/libc-bin@2.28-10, meta-common-packages@meta
  From: glibc/libc-bin@2.28-10
  From: meta-common-packages@meta > glibc/libc6@2.28-10
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in glibc/libc-bin
  Description: Access Restriction Bypass
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-GLIBC-452267
  Introduced through: glibc/libc-bin@2.28-10, meta-common-packages@meta
  From: glibc/libc-bin@2.28-10
  From: meta-common-packages@meta > glibc/libc6@2.28-10
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in glibc/libc-bin
  Description: Use of Insufficiently Random Values
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-GLIBC-453375
  Introduced through: glibc/libc-bin@2.28-10, meta-common-packages@meta
  From: glibc/libc-bin@2.28-10
  From: meta-common-packages@meta > glibc/libc6@2.28-10
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in glibc/libc-bin
  Description: Information Exposure
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-GLIBC-453640
  Introduced through: glibc/libc-bin@2.28-10, meta-common-packages@meta
  From: glibc/libc-bin@2.28-10
  From: meta-common-packages@meta > glibc/libc6@2.28-10
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in glibc/libc-bin
  Description: Information Exposure
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-GLIBC-534995
  Introduced through: glibc/libc-bin@2.28-10, meta-common-packages@meta
  From: glibc/libc-bin@2.28-10
  From: meta-common-packages@meta > glibc/libc6@2.28-10
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in glibc/libc-bin
  Description: Integer Underflow
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-GLIBC-564233
  Introduced through: glibc/libc-bin@2.28-10, meta-common-packages@meta
  From: glibc/libc-bin@2.28-10
  From: meta-common-packages@meta > glibc/libc6@2.28-10
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in coreutils
  Description: Improper Input Validation
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-COREUTILS-317465
  Introduced through: coreutils@8.30-3
  From: coreutils@8.30-3
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in coreutils
  Description: Race Condition
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-COREUTILS-317494
  Introduced through: coreutils@8.30-3
  From: coreutils@8.30-3
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in bash
  Description: Improper Check for Dropped Privileges
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-BASH-536280
  Introduced through: bash@5.0-4
  From: bash@5.0-4
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in apt/libapt-pkg5.0
  Description: Improper Verification of Cryptographic Signature
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-APT-407502
  Introduced through: apt/libapt-pkg5.0@1.8.2.3, apt@1.8.2.3
  From: apt/libapt-pkg5.0@1.8.2.3
  From: apt@1.8.2.3 > apt/libapt-pkg5.0@1.8.2.3
  From: apt@1.8.2.3
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Medium severity vulnerability found in pcre3/libpcre3
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-PCRE3-572367
  Introduced through: meta-common-packages@meta
  From: meta-common-packages@meta > pcre3/libpcre3@2:8.39-12
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Medium severity vulnerability found in libgcrypt20
  Description: Race Condition
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-LIBGCRYPT20-460489
  Introduced through: apt@1.8.2.3, systemd/libsystemd-dev@247.3-6~bpo10+1
  From: apt@1.8.2.3 > gnupg2/gpgv@2.2.12-1+deb10u1 > libgcrypt20@1.8.4-5+deb10u1
  From: systemd/libsystemd-dev@247.3-6~bpo10+1 > systemd/libsystemd0@247.3-6~bpo10+1 > libgcrypt20@1.8.4-5+deb10u1
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Medium severity vulnerability found in glibc/libc-bin
  Description: Loop with Unreachable Exit Condition ('Infinite Loop')
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-GLIBC-1035462
  Introduced through: glibc/libc-bin@2.28-10, meta-common-packages@meta
  From: glibc/libc-bin@2.28-10
  From: meta-common-packages@meta > glibc/libc6@2.28-10
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Medium severity vulnerability found in glibc/libc-bin
  Description: Out-of-bounds Read
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-GLIBC-1055403
  Introduced through: glibc/libc-bin@2.28-10, meta-common-packages@meta
  From: glibc/libc-bin@2.28-10
  From: meta-common-packages@meta > glibc/libc6@2.28-10
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Medium severity vulnerability found in glibc/libc-bin
  Description: Out-of-Bounds
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-GLIBC-559181
  Introduced through: glibc/libc-bin@2.28-10, meta-common-packages@meta
  From: glibc/libc-bin@2.28-10
  From: meta-common-packages@meta > glibc/libc6@2.28-10
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ High severity vulnerability found in systemd/libsystemd0
  Description: Privilege Chaining
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-SYSTEMD-345386
  Introduced through: util-linux/bsdutils@1:2.33.1-0.1, systemd/libsystemd-dev@247.3-6~bpo10+1, apt@1.8.2.3, util-linux/mount@2.33.1-0.1, systemd/libudev1@241-7~deb10u8
  From: util-linux/bsdutils@1:2.33.1-0.1 > systemd/libsystemd0@247.3-6~bpo10+1
  From: systemd/libsystemd-dev@247.3-6~bpo10+1 > systemd/libsystemd0@247.3-6~bpo10+1
  From: apt@1.8.2.3 > apt/libapt-pkg5.0@1.8.2.3 > systemd/libsystemd0@247.3-6~bpo10+1
  and 5 more...
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ High severity vulnerability found in systemd/libsystemd0
  Description: Incorrect Privilege Assignment
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-SYSTEMD-345391
  Introduced through: util-linux/bsdutils@1:2.33.1-0.1, systemd/libsystemd-dev@247.3-6~bpo10+1, apt@1.8.2.3, util-linux/mount@2.33.1-0.1, systemd/libudev1@241-7~deb10u8
  From: util-linux/bsdutils@1:2.33.1-0.1 > systemd/libsystemd0@247.3-6~bpo10+1
  From: systemd/libsystemd-dev@247.3-6~bpo10+1 > systemd/libsystemd0@247.3-6~bpo10+1
  From: apt@1.8.2.3 > apt/libapt-pkg5.0@1.8.2.3 > systemd/libsystemd0@247.3-6~bpo10+1
  and 5 more...
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ High severity vulnerability found in libidn2/libidn2-0
  Description: Improper Input Validation
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-LIBIDN2-474100
  Introduced through: libidn2/libidn2-0@2.0.5-1+deb10u1, apt@1.8.2.3
  From: libidn2/libidn2-0@2.0.5-1+deb10u1
  From: apt@1.8.2.3 > gnutls28/libgnutls30@3.6.7-4+deb10u7 > libidn2/libidn2-0@2.0.5-1+deb10u1
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ High severity vulnerability found in glibc/libc-bin
  Description: Reachable Assertion
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-GLIBC-1065768
  Introduced through: glibc/libc-bin@2.28-10, meta-common-packages@meta
  From: glibc/libc-bin@2.28-10
  From: meta-common-packages@meta > glibc/libc6@2.28-10
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ High severity vulnerability found in glibc/libc-bin
  Description: Out-of-bounds Write
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-GLIBC-559488
  Introduced through: glibc/libc-bin@2.28-10, meta-common-packages@meta
  From: glibc/libc-bin@2.28-10
  From: meta-common-packages@meta > glibc/libc6@2.28-10
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ High severity vulnerability found in glibc/libc-bin
  Description: Use After Free
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-GLIBC-559493
  Introduced through: glibc/libc-bin@2.28-10, meta-common-packages@meta
  From: glibc/libc-bin@2.28-10
  From: meta-common-packages@meta > glibc/libc6@2.28-10
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ High severity vulnerability found in gcc-8/libstdc++6
  Description: Information Exposure
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-GCC8-347558
  Introduced through: gcc-8/libstdc++6@8.3.0-6, apt@1.8.2.3, meta-common-packages@meta
  From: gcc-8/libstdc++6@8.3.0-6
  From: apt@1.8.2.3 > gcc-8/libstdc++6@8.3.0-6
  From: apt@1.8.2.3 > apt/libapt-pkg5.0@1.8.2.3 > gcc-8/libstdc++6@8.3.0-6
  and 2 more...
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ High severity vulnerability found in gcc-8/libstdc++6
  Description: Insufficient Entropy
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-GCC8-469413
  Introduced through: gcc-8/libstdc++6@8.3.0-6, apt@1.8.2.3, meta-common-packages@meta
  From: gcc-8/libstdc++6@8.3.0-6
  From: apt@1.8.2.3 > gcc-8/libstdc++6@8.3.0-6
  From: apt@1.8.2.3 > apt/libapt-pkg5.0@1.8.2.3 > gcc-8/libstdc++6@8.3.0-6
  and 2 more...
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Critical severity vulnerability found in glibc/libc-bin
  Description: Use After Free
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-GLIBC-1296899
  Introduced through: glibc/libc-bin@2.28-10, meta-common-packages@meta
  From: glibc/libc-bin@2.28-10
  From: meta-common-packages@meta > glibc/libc6@2.28-10
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Critical severity vulnerability found in glibc/libc-bin
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-GLIBC-1315333
  Introduced through: glibc/libc-bin@2.28-10, meta-common-packages@meta
  From: glibc/libc-bin@2.28-10
  From: meta-common-packages@meta > glibc/libc6@2.28-10
  Image layer: Introduced by your base image (debian:10.10-slim)

To Reproduce
docker scan grafana/promtail:2.3.0
or
snyk test --docker grafana/promtail:2.3.0

Expected behavior
Fewer high and critical vulnerabilities :). I see that base: debian:buster-slim is used. Is it possible to replace it with debian:bullseye-slim or even another base with fewer vulnerabilities? I tried to build it locally, but didn't get it to work. Probably not enough knowledge of how the project works.

Environment:

  • Infrastructure: laptop
  • Deployment tool: docker

Screenshots, Promtail config, or terminal output
N/A
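Every entry in the report above names the image layer that introduced it, and that attribution is what the reporter's suggestion rests on: if nearly all findings say "Introduced by your base image", swapping the base image removes them, while the few tagged with the apt-get layer need a Dockerfile change. The following is an added example, not code from the issue or the Loki/promtail project: a small Python parser for that docker scan report format that counts findings per severity and how many of them the base image alone introduced. The sample report is constructed from four entries shown above, trimmed to the fields the parser uses.

```python
"""Parse a `docker scan` / `snyk test --docker` text report and attribute findings to layers."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the shape of the report above (four entries, trimmed).
SAMPLE_REPORT = """\
Testing grafana/promtail:2.3.0...

✗ Low severity vulnerability found in tar
  Description: Out-of-bounds Read
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-TAR-1063001
  From: meta-common-packages@meta > tar@1.30+dfsg-6
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Low severity vulnerability found in openssl/libssl1.1
  Description: Cryptographic Issues
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-OPENSSL-374709
  From: ca-certificates@20200601~deb10u2 > openssl@1.1.1d-0+deb10u6
  Image layer: '/bin/sh -c apt-get update &&   apt-get install -qy   tzdata ca-certificates'

✗ High severity vulnerability found in systemd/libsystemd0
  Description: Privilege Chaining
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-SYSTEMD-345386
  From: apt@1.8.2.3 > apt/libapt-pkg5.0@1.8.2.3 > systemd/libsystemd0@247.3-6~bpo10+1
  and 5 more...
  Image layer: Introduced by your base image (debian:10.10-slim)

✗ Critical severity vulnerability found in glibc/libc-bin
  Description: Use After Free
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-GLIBC-1296899
  From: glibc/libc-bin@2.28-10
  Image layer: Introduced by your base image (debian:10.10-slim)
"""

HEADER_RE = re.compile(r"^✗ (Low|Medium|High|Critical) severity vulnerability found in (\S+)$")
BASE_IMAGE_RE = re.compile(r"^Introduced by your base image \((.+)\)$")
SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


@dataclass
class Finding:
    severity: str
    package: str
    description: str = ""
    info: str = ""        # Snyk advisory URL, unique per finding
    layer: str = ""       # raw "Image layer:" value
    base_image: str = ""  # base image tag when the finding came from it, else ""


def parse_report(text: str) -> list[Finding]:
    """Walk the report line by line; each '✗' header opens a new finding."""
    findings: list[Finding] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = Finding(severity=m.group(1), package=m.group(2))
            findings.append(current)
            continue
        if current is None or ":" not in line:
            continue  # banner lines and "and N more..." carry no field
        key, _, value = line.partition(":")  # split on the first colon only
        value = value.strip()
        if key == "Description":
            current.description = value
        elif key == "Info":
            current.info = value
        elif key == "Image layer":
            current.layer = value
            base = BASE_IMAGE_RE.match(value)
            if base:
                current.base_image = base.group(1)
    return findings


def summarize(findings):
    """Per-severity totals and the share of them the base image alone introduced."""
    total = Counter(f.severity for f in findings)
    from_base = Counter(f.severity for f in findings if f.base_image)
    return total, from_base


def actionable(findings, min_severity="High"):
    """Findings at or above min_severity, most severe first, for triage."""
    floor = SEVERITY_RANK[min_severity]
    keep = [f for f in findings if SEVERITY_RANK[f.severity] >= floor]
    return sorted(keep, key=lambda f: -SEVERITY_RANK[f.severity])
```

Run on the full report saved from `docker scan grafana/promtail:2.3.0`, the difference between `total` and `from_base` is the set of findings a base-image swap would not touch.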

@cyriltovena cyriltovena added the component/packaging and help wanted (We would love help on these issues. Please come help us!) labels Aug 30, 2021

stale bot commented Oct 2, 2021

Hi! This issue has been automatically marked as stale because it has not had any activity in the past 30 days.

We use a stalebot among other tools to help manage the state of issues in this project. A stalebot can be very useful in closing issues in a number of cases; the most common is closing issues or PRs where the original reporter has not responded.

Stalebots are also emotionless and cruel and can close issues which are still very relevant.

If this issue is important to you, please add a comment to keep it open. More importantly, please add a thumbs-up to the original issue entry.

We regularly sort for closed issues which have a stale label sorted by thumbs up.

We may also:

  • Mark issues as revivable if we think it's a valid issue but isn't something we are likely to prioritize in the future (the issue will still remain closed).
  • Add a keepalive label to silence the stalebot if the issue is very common/popular/important.

We are doing our best to respond, organize, and prioritize all issues, but it can be a challenging task; our sincere apologies if you find yourself at the mercy of the stalebot.

@stale stale bot added the stale label (A stale issue or PR that will automatically be closed.) Oct 2, 2021
@lizzzcai (Contributor) commented

Hi, I raised a PR to upgrade the image to debian:bullseye-slim.

@stale stale bot removed the stale label (A stale issue or PR that will automatically be closed.) Oct 21, 2021