Ojas
08/23/2022, 4:24 AM
zlib version 1.2.12-r1 was detected in the APK package manager on a container image running Alpine 3.16.0 and is vulnerable to CVE-2022-37434, which exists in versions < 1.2.12-r2.

The vulnerability was found in the [Official Alpine Security Advisories](https://security.alpinelinux.org/vuln/CVE-2022-37434) with vendor severity: Critical ([NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-37434) severity: Critical).

This vulnerability has a known exploit available. Source: GitHub [[1](https://github.com/ivd38/zlib_overflow), [2](https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063), [3](https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764)].

The vulnerability can be remediated by updating the package to version 1.2.12-r2 or higher.

zwass
08/23/2022, 3:32 PM
zlib. The next version of Fleet (should be published today) will use the new Alpine base image that should have the fix though. If you need it right now, or with a different Fleet version, you would need to build it yourself from the Dockerfile.

Ojas
08/23/2022, 3:47 PM