CVE-2022-28366, CVE-2022-29546 in metabase/metabase image

I am deploying metabase/metabase image to AWS and AWS inspector picked up two high severity CVEs:

I don't do anything to modify the image, my Dockerfile is the following:

FROM metabase/metabase:v0.49.2

I don't see any references to the libraries from CVE in metabase github repository. Does anyone have any idea why these CVEs are picked up by AWS Inspector? Can metabase remove these dependencies from the image?

Hi, seems that it's our CSSBox dependency: security: avoid CVE-2022-28366 and CVE-2022-28366 / use org.htmlunit:neko-htmlunit@3.6.0 by miurahr · Pull Request #81 · radkovo/CSSBox · GitHub. I just pinged the team to tackle the issue. Just checked both but they don't seem to be major and also in Metabase these both should be pretty hard to hit

BTW: next time please report this to, it's pretty explicit on our security policy Security Overview · metabase/metabase · GitHub

Thanks for the reply. Both of these issues are categorized as high priority by AWS inspector.

This is not a new vulnerability, as CVEs were reported more than 2 years ago, that's why I didn't contact security email. But I will do so next time.