Addressing a lot of security vulnerabilities in the Temporalio/admin-tools release temporalio/admin-tools:1.26.2-tctl-1.18.1-cli-1.2.0 #7121

Open
thle40 opened this issue Jan 20, 2025 · 0 comments

thle40 commented Jan 20, 2025

Actual Behavior

There are a lot of CVEs found from the latest Temporal image:
temporalio/admin-tools:1.26.2-tctl-1.18.1-cli-1.2.0

Steps to Reproduce the Problem

1. Pull the latest image temporalio/admin-tools:1.26.2-tctl-1.18.1-cli-1.2.0 from Docker Hub
2. Scan the image with any vulnerability scanner

Scan results for: image temporalio/admin-tools:1.26.2-tctl-1.18.1-cli-1.2.0 sha256:5cd1ded2a877d8deca13059770544d291f97b81e5552ab37bd1e0f68362bb30d
Vulnerabilities
+------------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
|       CVE        | SEVERITY | CVSS |        PACKAGE        |                VERSION                |             STATUS              | PUBLISHED  | DISCOVERED |                    DESCRIPTION                     |
+------------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-6345    | high     | 8.80 | setuptools            | 65.5.0                                | fixed in 70.0.0                 | > 6 months | < 1 hour   | A vulnerability in the package_index module of     |
|                  |          |      |                       |                                       | > 6 months ago                  |            |            | pypa/setuptools versions up to 69.1.1 allows for   |
|                  |          |      |                       |                                       |                                 |            |            | remote code execution via its download functions.  |
|                  |          |      |                       |                                       |                                 |            |            | Thes...                                            |
+------------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| PRISMA-2022-0168 | high     | 7.80 | pip                   | 24.0                                  | open                            | > 2 years  | < 1 hour   | An issue was discovered in pip (all versions)      |
|                  |          |      |                       |                                       |                                 |            |            | because it installs the version with the highest   |
|                  |          |      |                       |                                       |                                 |            |            | version number, even if the user had intended to   |
|                  |          |      |                       |                                       |                                 |            |            | obtain...                                          |
+------------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-7348    | high     | 7.50 | postgresql16          | 16.3-r0                               | fixed in 16.4-r0                | > 5 months | < 1 hour   | Time-of-check Time-of-use (TOCTOU) race condition  |
|                  |          |      |                       |                                       | 77 days ago                     |            |            | in pg_dump in PostgreSQL allows an object creator  |
|                  |          |      |                       |                                       |                                 |            |            | to execute arbitrary SQL functions as the user     |
|                  |          |      |                       |                                       |                                 |            |            | run...                                             |
+------------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-45338   | high     | 0.00 | golang.org/x/net/html | v0.24.0                               | fixed in 0.33.0                 | 29 days    | < 1 hour   | An attacker can craft an input to the Parse        |
|                  |          |      |                       |                                       | 29 days ago                     |            |            | functions that would be processed non-linearly     |
|                  |          |      |                       |                                       |                                 |            |            | with respect to its length, resulting in extremely |
|                  |          |      |                       |                                       |                                 |            |            | slow par...                                        |
+------------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-9681    | medium   | 6.50 | curl                  | 8.9.1-r2                              | fixed in 8.11.0-r0              | 71 days    | < 1 hour   | When curl is asked to use HSTS, the expiry time    |
|                  |          |      |                       |                                       | 71 days ago                     |            |            | for a subdomain might overwrite a parent domain\'s |
|                  |          |      |                       |                                       |                                 |            |            | cache entry, making it end sooner or later than    |
|                  |          |      |                       |                                       |                                 |            |            | oth...                                             |
+------------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2022-40897   | medium   | 5.90 | setuptools            | 65.5.0                                | fixed in 65.5.1                 | > 2 years  | < 1 hour   | Python Packaging Authority (PyPA) setuptools       |
|                  |          |      |                       |                                       | > 2 years ago                   |            |            | before 65.5.1 allows remote attackers to cause a   |
|                  |          |      |                       |                                       |                                 |            |            | denial of service via HTML in a crafted package or |
|                  |          |      |                       |                                       |                                 |            |            | custo...                                           |
+------------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-2689    | medium   | 0.00 | go.temporal.io/server | v1.18.1-0.20230217005328-b313b7f58641 | fixed in 1.20.5, 1.21.6, 1.22.7 | > 7 months | < 1 hour   | Denial of Service in Temporal Server prior to      |
|                  |          |      |                       |                                       | > 7 months ago                  |            |            | version 1.20.5, 1.21.6, and 1.22.7 allows an       |
|                  |          |      |                       |                                       |                                 |            |            | authenticated user who has permissions to interact |
|                  |          |      |                       |                                       |                                 |            |            | with wor...                                        |
+------------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2023-3485    | low      | 3.60 | go.temporal.io/server | v1.18.1-0.20230217005328-b313b7f58641 | fixed in 1.20.0                 | > 4 months | < 1 hour   | Insecure defaults in open-source Temporal Server   |
|                  |          |      |                       |                                       | > 1 years ago                   |            |            | before version 1.20 on all platforms allows an     |
|                  |          |      |                       |                                       |                                 |            |            | attacker to craft a task token with access to a    |
|                  |          |      |                       |                                       |                                 |            |            | namesp...                                          |
+------------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-9287    | low      | 0.00 | python3               | 3.12.6-r0                             | fixed in 3.12.8-r0              | 86 days    | < 1 hour   | A vulnerability has been found in the CPython      |
|                  |          |      |                       |                                       | 41 days ago                     |            |            | `venv` module and CLI where path names provided    |
|                  |          |      |                       |                                       |                                 |            |            | when creating a virtual environment were not       |
|                  |          |      |                       |                                       |                                 |            |            | quoted prop...                                     |
+------------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-9143    | low      | 0.00 | openssl               | 3.3.2-r0                              | fixed in 3.3.2-r1               | > 3 months | < 1 hour   | Issue summary: Use of the low-level GF(2^m)        |
|                  |          |      |                       |                                       | 88 days ago                     |            |            | elliptic curve APIs with untrusted explicit values |
|                  |          |      |                       |                                       |                                 |            |            | for the field polynomial can lead to out-of-bounds |
|                  |          |      |                       |                                       |                                 |            |            | memo...                                            |
+------------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-8096    | low      | 0.00 | curl                  | 8.9.1-r2                              | fixed in 8.10.0-r0              | > 4 months | < 1 hour   | When curl is told to use the Certificate Status    |
|                  |          |      |                       |                                       | > 4 months ago                  |            |            | Request TLS extension, often referred to as OCSP   |
|                  |          |      |                       |                                       |                                 |            |            | stapling, to verify that the server certificate is |
|                  |          |      |                       |                                       |                                 |            |            | va...                                              |
+------------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-50602   | low      | 0.00 | expat                 | 2.6.3-r0                              | fixed in 2.6.4-r0               | 81 days    | < 1 hour   | An issue was discovered in libexpat before 2.6.4.  |
|                  |          |      |                       |                                       | 69 days ago                     |            |            | There is a crash within the XML_ResumeParser       |
|                  |          |      |                       |                                       |                                 |            |            | function because XML_StopParser can stop/suspend   |
|                  |          |      |                       |                                       |                                 |            |            | an uns...                                          |
+------------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-12254   | low      | 0.00 | python3               | 3.12.6-r0                             | fixed in 3.12.8-r1              | 41 days    | < 1 hour   | Starting in Python 3.12.0, the                     |
|                  |          |      |                       |                                       | 40 days ago                     |            |            | asyncio._SelectorSocketTransport.writelines()      |
|                  |          |      |                       |                                       |                                 |            |            | method would not "pause" writing and signal to the |
|                  |          |      |                       |                                       |                                 |            |            | Protocol to drain  th...                           |
+------------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-11053   | low      | 0.00 | curl                  | 8.9.1-r2                              | fixed in 8.11.1-r0              | 36 days    | < 1 hour   | When asked to both use a `.netrc` file for         |
|                  |          |      |                       |                                       | 35 days ago                     |            |            | credentials and to follow HTTP redirects, curl     |
|                  |          |      |                       |                                       |                                 |            |            | could leak the password used for the first host to |
|                  |          |      |                       |                                       |                                 |            |            | the follo...                                       |
+------------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-10979   | low      | 0.00 | postgresql16          | 16.3-r0                               | fixed in 16.5-r0                | 63 days    | < 1 hour   | Incorrect control of environment variables in      |
|                  |          |      |                       |                                       | 61 days ago                     |            |            | PostgreSQL PL/Perl allows an unprivileged database |
|                  |          |      |                       |                                       |                                 |            |            | user to change sensitive process environment       |
|                  |          |      |                       |                                       |                                 |            |            | variable...                                        |
+------------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-10978   | low      | 0.00 | postgresql16          | 16.3-r0                               | fixed in 16.5-r0                | 63 days    | < 1 hour   | Incorrect privilege assignment in PostgreSQL       |
|                  |          |      |                       |                                       | 61 days ago                     |            |            | allows a less-privileged application user to view  |
|                  |          |      |                       |                                       |                                 |            |            | or change different rows from those intended.  An  |
|                  |          |      |                       |                                       |                                 |            |            | attac...                                           |
+------------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-10977   | low      | 0.00 | postgresql16          | 16.3-r0                               | fixed in 16.5-r0                | 63 days    | < 1 hour   | Client use of server error message in PostgreSQL   |
|                  |          |      |                       |                                       | 61 days ago                     |            |            | allows a server not trusted under current SSL or   |
|                  |          |      |                       |                                       |                                 |            |            | GSS settings to furnish arbitrary non-NUL bytes to |
|                  |          |      |                       |                                       |                                 |            |            | t...                                               |
+------------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+
| CVE-2024-10976   | low      | 0.00 | postgresql16          | 16.3-r0                               | fixed in 16.5-r0                | 63 days    | < 1 hour   | Incomplete tracking in PostgreSQL of tables        |
|                  |          |      |                       |                                       | 61 days ago                     |            |            | with row security allows a reused query to view    |
|                  |          |      |                       |                                       |                                 |            |            | or change different rows from those intended.      |
|                  |          |      |                       |                                       |                                 |            |            | CVE-2023-24...                                     |
+------------------+----------+------+-----------------------+---------------------------------------+---------------------------------+------------+------------+----------------------------------------------------+

Vulnerabilities found for image temporalio/admin-tools:1.26.2-tctl-1.18.1-cli-1.2.0: total - 18, critical - 0, high - 4, medium - 3, low - 11
Vulnerability threshold check results: PASS

Compliance Issues

+----------+------------------------------+
| SEVERITY |         DESCRIPTION          |
+----------+------------------------------+
| high     | Private keys stored in image |
+----------+------------------------------+