loki

5 open findings · 3 with upstream fix available · 3 after VEX (2 suppressed)

Image: ghcr.io/rtvkiz/minimal-loki:latest  ·  Size: 147 MB  ·  Last rebuilt: 0d ago  ·  Updated: 2026-06-17 21:45 UTC

Author-asserted VEX statements (2)

GO-2022-0646 · not_affected · vulnerable_code_not_present
The advisory affects only aws-sdk-go v1's S3 encryption client (service/s3/s3crypto). grafana/loki contains zero references to s3crypto, and Go links only imported packages into the binary, so the vulnerable code is not present. No fixed aws-sdk-go v1 release exists or is planned (fixed only in aws-sdk-go-v2).
GO-2022-0635 · not_affected · vulnerable_code_not_present
The advisory affects only aws-sdk-go v1's S3 encryption client (service/s3/s3crypto). grafana/loki contains zero references to s3crypto, and Go links only imported packages into the binary, so the vulnerable code is not present. No fixed aws-sdk-go v1 release exists or is planned (fixed only in aws-sdk-go-v2).
| Package | Version | Severity | CVE | Fix | Description | VEX |
|---|---|---|---|---|---|---|
| github.com/prometheus/prometheus | v0.311.2-0.20260410083055-07c6232d159b | HIGH | GHSA-8rm2-7qqf-34qm | 0.311.3 | Prometheus: Remote read endpoint allows denial of service via crafted snappy payload | |
| github.com/prometheus/prometheus | v0.311.2-0.20260410083055-07c6232d159b | HIGH | GHSA-wg65-39gg-5wfj | 0.311.3 | Prometheus Azure AD remote write OAuth client secret exposed via config API | |
| github.com/aws/aws-sdk-go | v1.55.8 | MEDIUM | GO-2022-0646 | | A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without compu | VEX |
| github.com/prometheus/prometheus | v0.311.2-0.20260410083055-07c6232d159b | MEDIUM | GHSA-fw8g-cg8f-9j28 | 0.311.3 | Prometheus vulnerable to stored XSS via crafted histogram bucket label values in the old web UI heatmap display | |
| github.com/aws/aws-sdk-go | v1.55.8 | LOW | GO-2022-0635 | | A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bu | VEX |