Vulnerabilities by severity issues in OpenSearch/Dashboard 2.10.0 Image Version

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Opensource OpenSearch/Dashboard 2.10.0

Describe the issue:
I am scanning the OpenSearch and Dashboard images in our environment, and this time I got "Vulnerabilities by severity" errors.

Configuration:
Image procurement Jenkins jobs failed due to vulnerabilities.

Relevant Logs or Screenshots:
Opensearch Vulnerabilities screenshot


Dashboard Vulnerabilities screenshot

Hello @bhanu1 - thank you for letting us know.
(cc @scrawfor @peternied @davelago )

Hello,

Thank you for your message about the CVEs reported in OpenSearch/OpenSearch Dashboards version 2.10. After a thorough review we have determined this version is not impacted by the following CVEs:

ALAS-2023-2287
ALAS-2023-2271
CVE-2020-36604

In addition, the following CVEs have been addressed by including updated versions of the relevant libraries and any necessary fixes in the 2.11 release, which was released October 16:

CVE-2023-43642
CVE-2023-4586
CVE-2023-42503
CVE-2023-32002
CVE-2023-32006
CVE-2023-32559
ALAS-2023-2287
ALAS-2023-2271
GHSA-xpw8-rcwv-8f8p

Finally, the following CVE will be addressed by including updated versions of the relevant libraries and any necessary fixes in the upcoming 2.12 release, with a tentative target release date of January 23, 2024:

CVE-2022-45146 ([Manual Backport 2.x] Bump org.bouncycastle:bc-fips from 1.0.2.3 to 1.0.2.4 in /distribution/tools/plugin-cli (#10297) by noCharger · Pull Request #10672 · opensearch-project/OpenSearch · GitHub)
