Environment:
Image: ghcr.io/google/cadvisor:v0.56.2
Base OS: Alpine 3.22.2
Scanner: Trivy

Vulnerability Summary: Our security scans have identified several MEDIUM severity vulnerabilities in the v0.56.2 release. We are requesting a patch release (v0.56.3) to address these findings:

- NVIDIA Driver Vulnerability (CVE-2024-58251):
  The image contains vulnerable user-space NVIDIA libraries.
  Required Action: Update the bundled NVIDIA components to a version that mitigates this CVE.

- Outdated Busybox Package:
  Current: 1.37.0-r19
  Fixed: 1.37.0-r20 (or higher)
  Required Action: Trigger a rebuild to pull in the latest Alpine security patches for Busybox.

Why this is necessary: Many users deploy cAdvisor in environments with strict security compliance policies. The presence of these "High" severity vulnerabilities triggers alerts in CI/CD pipelines and production scanners, requiring manual exceptions or preventing deployment.

Providing a clean v0.56.3 image with an updated base and toolchain would greatly benefit the community and maintain cAdvisor's security posture.

Thank you for your help and for maintaining this essential tool!
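The kind of pipeline gate the issue describes, as an added example (not part of the issue or the cAdvisor project): it reads a Trivy JSON report, keeps findings at or above a severity threshold, and by default blocks only on findings the distribution has already fixed, i.e. exactly the ones a rebuild against a fresher base would clear. The report below is a constructed sample that follows the `Results[].Vulnerabilities[]` layout of Trivy's JSON output (field names as I understand Trivy emits them); the busybox versions come from the issue, the CVE identifiers and second package are placeholders.

```python
"""CI gate over a Trivy JSON report (added example, not Trivy's or cAdvisor's own code).

Policy: fail the build when a finding is at or above a severity threshold and, by
default, only when the package maintainer already ships a fixed version. Findings
with no fix yet are reported separately so they can be tracked without blocking."""
import json
import sys
from typing import Dict, List, Tuple

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report. Structure mirrors Trivy's JSON layout; busybox versions
# are from the issue text, CVE ids and "example-lib" are placeholders.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "ghcr.io/google/cadvisor:v0.56.2",
    "Results": [{
        "Target": "ghcr.io/google/cadvisor:v0.56.2 (alpine 3.22.2)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-00001", "PkgName": "busybox",
             "InstalledVersion": "1.37.0-r19", "FixedVersion": "1.37.0-r20",
             "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-0000-00002", "PkgName": "example-lib",
             "InstalledVersion": "1.0.0-r0", "FixedVersion": "",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-00003", "PkgName": "example-lib",
             "InstalledVersion": "1.0.0-r0", "FixedVersion": "1.0.1-r0",
             "Severity": "LOW"},
        ],
    }],
})


def load_findings(report_json: str) -> List[Dict[str, str]]:
    """Flatten Results[].Vulnerabilities[] into one list of plain dicts."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        # Trivy may emit null instead of an empty list for a clean target.
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "target": result.get("Target", ""),
                "id": vuln.get("VulnerabilityID", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": str(vuln.get("Severity", "UNKNOWN")).upper(),
            })
    return findings


def gate(report_json: str, min_severity: str = "MEDIUM",
         require_fix: bool = True) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Split findings into (blocking, waived) according to the policy above."""
    threshold = SEVERITY_RANK[min_severity.upper()]
    blocking, waived = [], []
    for finding in load_findings(report_json):
        severe_enough = SEVERITY_RANK.get(finding["severity"], 0) >= threshold
        actionable = bool(finding["fixed"]) or not require_fix
        (blocking if severe_enough and actionable else waived).append(finding)
    return blocking, waived


def format_findings(findings: List[Dict[str, str]]) -> str:
    """One line per finding, in the shape a rebuild request would quote."""
    return "\n".join(
        f"{f['severity']:8} {f['id']:16} {f['pkg']} {f['installed']} -> "
        f"{f['fixed'] or 'no fix available'}" for f in findings)


if __name__ == "__main__":
    # Usage: python gate.py [trivy-report.json]; without a path the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    blocking, waived = gate(text)
    if waived:
        print("tracked, not blocking:\n" + format_findings(waived))
    if blocking:
        print("blocking (fix available, rebuild required):\n" + format_findings(blocking))
        sys.exit(1)
    print("no blocking findings")
```

Run it against `trivy image --format json -o report.json <image>` output; exit status 1 is what makes the pipeline step fail. Dropping `require_fix` to `False` turns the gate into the stricter "any finding at this severity" policy that the issue says triggers alerts in many environments.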