GitLab 15.8.1 (Helm Chart 6.8.1): fixing third-party image vulnerabilities

Hi Team,

We have deployed GitLab 15.8.1 (Chart version: 6.8.1) on our OpenShift Container Platform (4.10.45) cluster, used the Prisma tool to scan the GitLab namespace, and discovered a lot of vulnerabilities in the following third-party images.

  1. bitnami/postgres-exporter:0.8.0-debian-10-r99
    CRITICAL CVEs : CVE-2022-1664, CVE-2022-1292, CVE-2022-2068, CVE-2022-32221, CVE-2022-29155, CVE-2022-37434, CVE-2022-23218, CVE-2022-23219

    HIGH CVEs : CVE-2022-1271, CVE-2022-0778, CVE-2022-27781, CVE-2022-22576, CVE-2022-27782, CVE-2021-22946, CVE-2021-27212, CVE-2018-25032, CVE-2021-36222

  2. bitnami/postgresql:12.7.0
    CRITICAL CVEs : CVE-2022-1664, CVE-2022-29155, CVE-2022-32221, CVE-2022-23218, CVE-2022-23219, CVE-2022-1292, CVE-2022-2068, CVE-2022-37434, CVE-2021-38297, CVE-2022-23806

    HIGH CVEs : CVE-2022-23308, CVE-2022-40303, CVE-2022-40304, CVE-2022-1271, CVE-2022-24407, CVE-2022-29458, CVE-2022-42898, CVE-2020-35525, CVE-2022-0778, CVE-2022-2509, CVE-2022-2879, CVE-2022-41715, CVE-2022-23773, CVE-2022-24675, CVE-2022-30580, CVE-2022-30631, CVE-2022-28131, CVE-2021-29923, CVE-2021-39293, CVE-2022-28327, CVE-2022-27664

  3. bitnami/redis:6.0.9-debian-10-r0
    CRITICAL CVEs : CVE-2022-1664, CVE-2021-46848, CVE-2022-23218, CVE-2022-23219, CVE-2022-29155, CVE-2021-3711, CVE-2022-1292, CVE-2022-2068, CVE-2022-37434, CVE-2021-20231, CVE-2021-20232, CVE-2022-32221, CVE-2021-38297, CVE-2022-23806

    HIGH CVEs : CVE-2022-1271, CVE-2022-0778, CVE-2022-42898, CVE-2021-43618, CVE-2018-25032, CVE-2020-24659, CVE-2022-2509, CVE-2022-24407, CVE-2022-27781, CVE-2022-22576, CVE-2022-27782, CVE-2021-22946, CVE-2022-23773, CVE-2022-2879, CVE-2022-41715, CVE-2022-24675, CVE-2022-30580, CVE-2022-30631, CVE-2021-33194, CVE-2022-28327, CVE-2022-27664, CVE-2022-30630, CVE-2022-23772, CVE-2022-24921, CVE-2022-30635, CVE-2022-32189, CVE-2022-2880

  4. bitnami/redis-exporter:1.12.1-debian-10-r11
    CRITICAL CVEs : CVE-2022-1664, CVE-2021-46848, CVE-2021-20231, CVE-2021-20232, CVE-2021-3520, CVE-2022-29155, CVE-2022-23218, CVE-2022-23219, CVE-2021-33574, CVE-2021-35942, CVE-2022-32221, CVE-2022-37434, CVE-2021-3711, CVE-2022-1292, CVE-2022-2068, CVE-2021-38297, CVE-2022-23806

  5. jimmidyson/configmap-reload:v0.5.0
    CRITICAL CVEs : CVE-2021-42377, CVE-2021-38297, CVE-2022-23806

    HIGH CVEs : CVE-2021-42382, CVE-2022-28391, CVE-2022-30633, CVE-2022-30632, CVE-2021-33194, CVE-2022-30580, CVE-2022-30631, CVE-2022-28131, CVE-2021-29923, CVE-2021-39293, CVE-2022-28327, CVE-2021-33198, CVE-2021-33196

  6. prom/prometheus:v2.31.1
    CRITICAL CVEs : CVE-2021-42377, CVE-2022-23806

    HIGH CVEs : CVE-2021-43816, CVE-2022-23648, CVE-2022-28391, CVE-2021-42382, CVE-2021-42381, CVE-2022-24675, CVE-2022-30580, CVE-2022-32189, CVE-2022-2880, CVE-2021-44716, CVE-2022-30633, CVE-2022-30632, CVE-2022-23773, CVE-2022-2879, CVE-2022-41715

Could you please let us know how we can fix all these vulnerabilities?

After going to each image and tag, it seems that these are not the latest images, and newer image versions are available for each of them.
Like the following:

Please let us know why the GitLab community is not using the latest third-party images. Can we use them with the GitLab Helm Chart 6.8.1? After using them, will GitLab be functional or not?
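Added example (not from the original post, and not an official GitLab or chart-maintainer recommendation): a Helm values override that pins the six third-party images the poster lists to tags of their choosing. It assumes the chart exposes its bundled bitnami/postgresql, bitnami/redis and prometheus subcharts under the conventional keys used below; confirm them with `helm show values gitlab/gitlab --version 6.8.1` before relying on them. The tag values are illustrative placeholders, not tested versions: replace them with tags that actually exist in the registry, and keep PostgreSQL and Redis on a major line GitLab 15.8 supports. One caveat a scanner will not tell you: several of the listed CVEs (for example CVE-2022-23806 and CVE-2021-38297) are in the Go toolchain the exporter and reloader binaries were compiled with, so only an image whose binary was rebuilt with a newer Go clears them; bumping the Debian base alone does not.

```yaml
# image-overrides.yaml (added example; values keys are assumed, tags are placeholders)
# Apply on top of your existing values:
#   helm upgrade --install gitlab gitlab/gitlab --version 6.8.1 \
#     -f values.yaml -f image-overrides.yaml
postgresql:
  image:
    registry: docker.io
    repository: bitnami/postgresql
    tag: 12.14.0-debian-11-r0        # placeholder: newest tag on the same major (12.x)
  metrics:
    image:
      registry: docker.io
      repository: bitnami/postgres-exporter
      tag: 0.11.1-debian-11-r0        # placeholder: exporter binary must be rebuilt with a newer Go

redis:
  image:
    registry: docker.io
    repository: bitnami/redis
    tag: 6.2.11-debian-11-r0         # placeholder: stay on a Redis line GitLab 15.8 supports
  metrics:
    image:
      registry: docker.io
      repository: bitnami/redis-exporter
      tag: 1.45.0-debian-11-r0        # placeholder

prometheus:
  server:
    image:
      repository: quay.io/prometheus/prometheus
      tag: v2.42.0                    # placeholder
  configmapReload:
    prometheus:
      image:
        repository: jimmidyson/configmap-reload
        tag: v0.8.0                   # placeholder
```

Before upgrading, render the chart with the override and check that every `image:` line now carries the tag you expect (`helm template gitlab gitlab/gitlab --version 6.8.1 -f values.yaml -f image-overrides.yaml | grep 'image:'`), then rescan the rendered images rather than the running namespace so the scan and the deployment stay in step. Overriding subchart images this way changes versions the chart was not tested against, so treat it as a local hardening step to validate in a staging environment, not as something the chart maintainers support.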

Hi team,
Please give your valuable reply on this, as we are stuck at this point.

I think you'll get a better response by opening an issue here so that GitLab devs can look at it: Issues · GitLab.org / GitLab · GitLab


Thank you very much. I will open a new issue.