Bug description
Hello,
Trivy detects that Nextcloud third-party components contain an outdated guzzlehttp/psr7 library that is vulnerable.
I know a pull request is there to update the library here: nextcloud/3rdparty#1013
But it's not clear to me what priority it has, nor is there an impact analysis from the Nextcloud team regarding CVE-2022-24775.
Perhaps Nextcloud is not vulnerable?
Steps to reproduce
trivy image nextcloud:23
usr/src/nextcloud/3rdparty/composer.lock (composer)
===================================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+-----------------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+-----------------+------------------+----------+-------------------+---------------+---------------------------------------+
| guzzlehttp/psr7 | CVE-2022-24775 | HIGH | 1.8.2 | 2.1.1, 1.8.4 | guzzlehttp/psr7 is a PSR-7 |
| | | | | | HTTP message library. |
| | | | | | Versions prior to 1.8 ...... |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-24775 |
+-----------------+------------------+----------+-------------------+---------------+---------------------------------------+
Expected behavior
Clarity on the vulnerability status of Nextcloud for CVE-2022-24775, or an update plan for Nextcloud to fix the CVE.
Installation method
Official Docker image
Operating system
Other
PHP engine version
PHP 8.0
Web server
Apache (supported)
Database engine version
MariaDB
Is this bug present after an update or on a fresh install?
Fresh Nextcloud Server install
Are you using the Nextcloud Server Encryption module?
No response
What user-backends are you using?
Configuration report
List of activated Apps
Nextcloud Signing status
Nextcloud Logs
Additional info
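As an added example (not code from the issue or from the Nextcloud project): a small check that reads a composer.lock and applies the branch-specific fixed versions Trivy lists above (2.1.1 and 1.8.4), so that a 1.8.4 install is not wrongly flagged just because 1.8.4 is below 2.1.1. The composer.lock fragment is constructed for the example.

```python
import json
import re

# Constructed composer.lock fragment (not Nextcloud's real file), shaped like the
# file Trivy scanned above: usr/src/nextcloud/3rdparty/composer.lock
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "guzzlehttp/psr7", "version": "1.8.2"},
        {"name": "psr/http-message", "version": "1.0.1"},
    ]
})

# Fixed versions exactly as listed in the Trivy finding for CVE-2022-24775.
# Each entry fixes its own release branch (1.x and 2.x respectively).
FIXED_VERSIONS = {"CVE-2022-24775": ["1.8.4", "2.1.1"]}


def parse_version(v):
    """Turn 'v1.8.2' or '1.8.2' into a comparable tuple of ints (suffixes dropped)."""
    m = re.match(r"\d+(\.\d+)*", v.lstrip("v"))
    if not m:
        raise ValueError(f"unparseable version: {v}")
    parts = [int(p) for p in m.group(0).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_fixed(installed, fixed_versions):
    """True if the installed version is on a branch with a listed fix and is at or
    after that fix. Branch = major version. A branch with no listed fix is reported
    as not fixed, conservatively, so it gets manual review rather than a silent pass."""
    inst = parse_version(installed)
    for fv in fixed_versions:
        f = parse_version(fv)
        if f[0] == inst[0]:
            return inst >= f
    return False


def installed_versions(composer_lock_text):
    """Map package name -> locked version from both runtime and dev sections."""
    data = json.loads(composer_lock_text)
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            found[pkg["name"]] = pkg["version"]
    return found


def check_lock(lock_text, package="guzzlehttp/psr7", cve="CVE-2022-24775"):
    """Return (installed_version, vulnerable); (None, False) if the package is absent."""
    versions = installed_versions(lock_text)
    if package not in versions:
        return None, False
    v = versions[package]
    return v, not is_fixed(v, FIXED_VERSIONS[cve])
```

Run against the sample lock it reports ("1.8.2", True), matching the Trivy row above; note that this only reproduces the version match, not whether Nextcloud's own code reaches the affected functionality.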