Critical vulnerability with pip:23.2.1 in Xray Scan

388 views Asked by At

There is a critical vulnerability with our Docker image where we are not using Python at all

FROM alpine:3.18.4

RUN apk add nfs-utils
RUN rc-update add nfsmount

Python is a dependency which is added as part of nfs-unit in our Docker image

When Xray scans the Docker image we see that there is a critical vulnerability.

We tried adding and installing pip in version 23.3 using

RUN apk --no-cache  --latest upgrade py3-pip

But, the same vulnerability is still reported.

How do we solve it?

Reference: https://access.redhat.com/security/cve/cve-2018-20225

1

There are 1 answers

4
Dor Tambour On

CVE-2018-20225 is affecting all pip versions and will not be fixed as its an intended behavior by pip (The vulnerability is disputed by NVD)

Xray finds it as part of pip and this will not be changed but there is an improvement soon to better display disputed vulnerabilities.

If you don't --extra-index-url inside your docker project, As mentioned in the vulnerability description, you will not be affected and can create an ignore rule for this vulnerability on all pip versions.