kube-arangodb 1.2.47 - Security Vulnerabilities

[nnaik25]

We are seeing below vulnerabilities reported for kube-arangodb 1.2.47

[7.4] [CVE-2024-10963] [libpam-modules-bin] [1.5.3-5ubuntu5.1]
[7.5] [CVE-2016-20013] [libc6] [2.39-0ubuntu8.4]
[7.5] [CVE-2024-41996] [libssl3t64] [3.0.13-0ubuntu3.5]
[7.4] [CVE-2024-10963] [libpam0g] [1.5.3-5ubuntu5.1]
[4.7] [CVE-2024-10041] [libpam0g] [1.5.3-5ubuntu5.1]
[7.4] [CVE-2024-10963] [libpam-modules] [1.5.3-5ubuntu5.1]
[7.4] [CVE-2024-10963] [libpam-runtime] [1.5.3-5ubuntu5.1]
[7.5] [CVE-2016-20013] [libc-bin] [2.39-0ubuntu8.4]
[5.9] [CVE-2024-2236] [libgcrypt20] [1.10.3-2build1]
[5.9] [CVE-2024-2236] [libgcrypt20] [1.10.3-2build1]
[6.5] [CVE-2016-2781] [coreutils] [9.4-3ubuntu6]
[CVE-2024-45336] [stdlib] [1.22.10]
[4.4] [CVE-2025-22870] [golang.org/x/net] [v0.23.0]

Tool used is aqua scan

We are using below docker image

https://hub.docker.com/r/arangodb/kube-arangodb/tags

docker pull arangodb/kube-arangodb:1.2.47

Can you please comment on what is the plan to address these vulnerabilities and timeline for the same

Let me know if any more info is required. Will update this ticket accordingly

[ajanikow]

Hello @nnaik25 !

The above issues are related to the base image used by the Operator and there is no fix for them in Ubuntu (we are always getting the latest security updates during the release).

In this case, it is quite impossible to fix them.

Best Regards,
Adam.

[nnaik25]

Thanks @ajanikow for quick response

Not now, but would you be fixing them in future release provided you get the Ubuntu base image fixes

[ajanikow]

Hello @nnaik25 !

Yes, it is always a step in our release process - we update all dependencies for each build.

It includes Go and System dependencies published at the time of build.

Best Regards,
Adam.