TrueChartsClone/charts/stable/shlink-web-client/security.md

24 KiB
Raw Blame History

hide
toc

Security Overview

Helm-Chart

Scan Results
Type Misconfiguration ID Check Severity Explaination Links
Kubernetes Security Check KSV001 Process can elevate its own privileges MEDIUM
Expand... A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.


Container 'RELEASE-NAME-shlink-web-client' of Deployment 'RELEASE-NAME-shlink-web-client' should set 'securityContext.allowPrivilegeEscalation' to false
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv001
Kubernetes Security Check KSV001 Process can elevate its own privileges MEDIUM
Expand... A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.


Container 'autopermissions' of Deployment 'RELEASE-NAME-shlink-web-client' should set 'securityContext.allowPrivilegeEscalation' to false
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv001
Kubernetes Security Check KSV003 Default capabilities not dropped LOW
Expand... The container should drop all default capabilities and add only those that are needed for its execution.


Container 'RELEASE-NAME-shlink-web-client' of Deployment 'RELEASE-NAME-shlink-web-client' should add 'ALL' to 'securityContext.capabilities.drop'
Expand...https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/misconfig/ksv003
Kubernetes Security Check KSV003 Default capabilities not dropped LOW
Expand... The container should drop all default capabilities and add only those that are needed for its execution.


Container 'autopermissions' of Deployment 'RELEASE-NAME-shlink-web-client' should add 'ALL' to 'securityContext.capabilities.drop'
Expand...https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/misconfig/ksv003
Kubernetes Security Check KSV012 Runs as root user MEDIUM
Expand... 'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.


Container 'RELEASE-NAME-shlink-web-client' of Deployment 'RELEASE-NAME-shlink-web-client' should set 'securityContext.runAsNonRoot' to true
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv012
Kubernetes Security Check KSV012 Runs as root user MEDIUM
Expand... 'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.


Container 'autopermissions' of Deployment 'RELEASE-NAME-shlink-web-client' should set 'securityContext.runAsNonRoot' to true
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv012
Kubernetes Security Check KSV014 Root file system is not read-only LOW
Expand... An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.


Container 'RELEASE-NAME-shlink-web-client' of Deployment 'RELEASE-NAME-shlink-web-client' should set 'securityContext.readOnlyRootFilesystem' to true
Expand...https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/misconfig/ksv014
Kubernetes Security Check KSV014 Root file system is not read-only LOW
Expand... An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.


Container 'autopermissions' of Deployment 'RELEASE-NAME-shlink-web-client' should set 'securityContext.readOnlyRootFilesystem' to true
Expand...https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/misconfig/ksv014
Kubernetes Security Check KSV017 Privileged container HIGH
Expand... Privileged containers share namespaces with the host system and do not offer any security. They should be used exclusively for system containers that require high privileges.


Container 'autopermissions' of Deployment 'RELEASE-NAME-shlink-web-client' should set 'securityContext.privileged' to false
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
https://avd.aquasec.com/misconfig/ksv017
Kubernetes Security Check KSV020 Runs with low user ID LOW
Expand... Force the container to run with user ID > 10000 to avoid conflicts with the hosts user table.


Container 'RELEASE-NAME-shlink-web-client' of Deployment 'RELEASE-NAME-shlink-web-client' should set 'securityContext.runAsUser' > 10000
Expand...https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/misconfig/ksv020
Kubernetes Security Check KSV020 Runs with low user ID LOW
Expand... Force the container to run with user ID > 10000 to avoid conflicts with the hosts user table.


Container 'autopermissions' of Deployment 'RELEASE-NAME-shlink-web-client' should set 'securityContext.runAsUser' > 10000
Expand...https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/misconfig/ksv020
Kubernetes Security Check KSV021 Runs with low group ID LOW
Expand... Force the container to run with group ID > 10000 to avoid conflicts with the hosts user table.


Container 'RELEASE-NAME-shlink-web-client' of Deployment 'RELEASE-NAME-shlink-web-client' should set 'securityContext.runAsGroup' > 10000
Expand...https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/misconfig/ksv021
Kubernetes Security Check KSV021 Runs with low group ID LOW
Expand... Force the container to run with group ID > 10000 to avoid conflicts with the hosts user table.


Container 'autopermissions' of Deployment 'RELEASE-NAME-shlink-web-client' should set 'securityContext.runAsGroup' > 10000
Expand...https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/misconfig/ksv021
Kubernetes Security Check KSV030 Default Seccomp profile not set LOW
Expand... The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.


Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv030
Kubernetes Security Check KSV030 Default Seccomp profile not set LOW
Expand... The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.


Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv030
Kubernetes Security Check KSV105 Containers must not set runAsUser to 0 LOW
Expand... Containers should be forbidden from running with a root UID.


securityContext.runAsUser should be set to a value greater than 0
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv105
Kubernetes Security Check KSV105 Containers must not set runAsUser to 0 LOW
Expand... Containers should be forbidden from running with a root UID.


securityContext.runAsUser should be set to a value greater than 0
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv105
Kubernetes Security Check KSV106 Container capabilities must only include NET_BIND_SERVICE LOW
Expand... Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.


container should drop all
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv106
Kubernetes Security Check KSV106 Container capabilities must only include NET_BIND_SERVICE LOW
Expand... Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.


container should drop all
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/misconfig/ksv106

Containers

Detected Containers
      tccr.io/truecharts/alpine:v3.16.0@sha256:16dc15f3d61a1e30b1df9f839e53636847b6097286b2b74c637b25fd8264f730
      tccr.io/truecharts/shlink-web-client:v3.7.1@sha256:6a99f97a4a9b1119444de62af77e54bb6bfee884e86455dfe8cc61f8aa69b7df
Scan Results

Container: tccr.io/truecharts/alpine:v3.16.0@sha256:16dc15f3d61a1e30b1df9f839e53636847b6097286b2b74c637b25fd8264f730 (alpine 3.16.0)

alpine

No Vulnerabilities found

alpine

Package Vulnerability Severity Installed Version Fixed Version Links
freetype CVE-2022-27405 HIGH 2.11.1-r1 2.11.1-r2
Expand...http://freetype.com
https://access.redhat.com/security/cve/CVE-2022-27405
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27405
https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5
https://gitlab.freedesktop.org/freetype/freetype/-/issues/1139
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EFPNRKDLCXHZVYYQLQMP44UHLU32GA6Z/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FDU2FOEMCEF6WVR6ZBIH5MT5O7FAK6UP/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWQ7IB2A75MEHM63WEUXBYEC7OR5SGDY/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYVC2NPKKXKP3TWJWG4ONYWNO6ZPHLA5/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TCEMWCM46PKM4U5ENRASPKQD6JDOLKRU/
https://nvd.nist.gov/vuln/detail/CVE-2022-27405
freetype CVE-2022-27406 HIGH 2.11.1-r1 2.11.1-r2
Expand...http://freetype.com
https://access.redhat.com/security/cve/CVE-2022-27406
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27406
https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2
https://gitlab.freedesktop.org/freetype/freetype/-/issues/1140
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EFPNRKDLCXHZVYYQLQMP44UHLU32GA6Z/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FDU2FOEMCEF6WVR6ZBIH5MT5O7FAK6UP/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWQ7IB2A75MEHM63WEUXBYEC7OR5SGDY/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYVC2NPKKXKP3TWJWG4ONYWNO6ZPHLA5/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TCEMWCM46PKM4U5ENRASPKQD6JDOLKRU/
https://nvd.nist.gov/vuln/detail/CVE-2022-27406
https://ubuntu.com/security/notices/USN-5453-1
pcre2 CVE-2022-1586 CRITICAL 10.39-r0 10.40-r0
Expand...https://access.redhat.com/security/cve/CVE-2022-1586
https://bugzilla.redhat.com/show_bug.cgi?id=2077976,
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1586
https://github.com/PCRE2Project/pcre2/commit/50a51cb7e67268e6ad417eb07c9de9bfea5cc55a,
https://github.com/PCRE2Project/pcre2/commit/d4fa336fbcc388f89095b184ba6d99422cfc676c
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DWNG2NS3GINO6LQYUVC4BZLUQPJ3DYHA/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXINO3KKI5DICQ45E2FKD6MKVMGJLEKJ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAX7767BCUFC7JMDGP7GOQ5GIZCAUGBB/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M2GLQQUEY5VFM57CFYXVIFOXN2HUZPDM/
https://nvd.nist.gov/vuln/detail/CVE-2022-1586
pcre2 CVE-2022-1587 CRITICAL 10.39-r0 10.40-r0
Expand...https://access.redhat.com/security/cve/CVE-2022-1587
https://bugzilla.redhat.com/show_bug.cgi?id=2077983,
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1587
https://github.com/PCRE2Project/pcre2/commit/03654e751e7f0700693526b67dfcadda6b42c9d0
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DWNG2NS3GINO6LQYUVC4BZLUQPJ3DYHA/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXINO3KKI5DICQ45E2FKD6MKVMGJLEKJ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAX7767BCUFC7JMDGP7GOQ5GIZCAUGBB/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M2GLQQUEY5VFM57CFYXVIFOXN2HUZPDM/
https://nvd.nist.gov/vuln/detail/CVE-2022-1587