CVE-2022-28366, CVE-2022-29546 in metabase/metabase image

I am deploying the metabase/metabase image to AWS, and AWS Inspector picked up two high-severity CVEs:

https://nvd.nist.gov/vuln/detail/CVE-2022-28366
https://nvd.nist.gov/vuln/detail/CVE-2022-29546

I don't do anything to modify the image; my Dockerfile is the following:

FROM metabase/metabase:v0.49.2

I don't see any references to the libraries from the CVEs in the Metabase GitHub repository. Does anyone have any idea why these CVEs are picked up by AWS Inspector? Can Metabase remove these dependencies from the image?

Hi, it seems that it's our CSSBox dependency: security: avoid CVE-2022-28366 and CVE-2022-28366 / use org.htmlunit:neko-htmlunit@3.6.0 by miurahr · Pull Request #81 · radkovo/CSSBox · GitHub. I just pinged the team to tackle the issue. I just checked both, but they don't seem to be major, and in Metabase both should be pretty hard to hit.

BTW: next time please report this to security@metabase.com; it's pretty explicit in our security policy: Security Overview · metabase/metabase · GitHub.
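A check a deployer can run on the jar shipped inside the image, as an added example (not Metabase's or CSSBox's code): it inventories the Maven coordinates bundled in a jar from the pom.properties files Maven leaves under META-INF/maven, recursing into nested jars, and flags any coordinate below a pinned minimum. The 3.6.0 floor is the version the CSSBox PR above moved to; the sample jar, the `example:app` coordinate and the 2.70.0 version are constructed for the demonstration, not read from the image.

```python
import io
import zipfile
# Minimum acceptable versions; the neko-htmlunit floor is the version the CSSBox PR cited above moved to.
MIN_VERSIONS = {"org.htmlunit:neko-htmlunit": "3.6.0"}
def parse_version(version):
    """Turn '3.6.0' into (3, 6, 0); non-numeric segments such as '1-SNAPSHOT' sort lowest."""
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))

def read_pom_properties(data):
    """Parse Maven's pom.properties (key=value lines, '#' comments) into a dict."""
    props = {}
    for line in data.decode("utf-8", "replace").splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def inventory(jar_bytes):
    """Collect {'groupId:artifactId': version} from a jar, recursing into jars nested inside it."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                p = read_pom_properties(zf.read(name))
                if all(k in p for k in ("groupId", "artifactId", "version")):
                    found[f"{p['groupId']}:{p['artifactId']}"] = p["version"]
            elif name.endswith(".jar"):  # some uberjars embed dependency jars whole
                found.update(inventory(zf.read(name)))
    return found

def below_pins(jar_bytes, pins=MIN_VERSIONS):
    """Return the bundled artifacts whose version is older than the pinned minimum."""
    inv = inventory(jar_bytes)
    return {c: inv[c] for c, floor in pins.items()
            if c in inv and parse_version(inv[c]) < parse_version(floor)}

def build_jar(entries):
    # Write {path: bytes} into an in-memory jar (a zip) and return its bytes.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()

def build_sample_jar():
    """Constructed stand-in for the image's uberjar: neko-htmlunit nested one jar deep, below the pin."""
    neko = b"#Generated by Maven\ngroupId=org.htmlunit\nartifactId=neko-htmlunit\nversion=2.70.0\n"
    inner = build_jar({"META-INF/maven/org.htmlunit/neko-htmlunit/pom.properties": neko})
    app = b"groupId=example\nartifactId=app\nversion=1.0.0\n"
    return build_jar({"META-INF/maven/example/app/pom.properties": app, "lib/neko-htmlunit.jar": inner})
```

Feed `below_pins` the bytes of the jar copied out of the container; a dependency that never appears in the application's own repository still shows up here, which is how a transitive library like this one gets flagged by an image scanner.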

Thanks for the reply. Both of these issues are categorized as high priority by AWS Inspector.

This is not a new vulnerability, as the CVEs were reported more than 2 years ago; that's why I didn't contact the security email. But I will do so next time.