prometheus

4 open findings · 0 with upstream fix available · 0 after VEX (4 suppressed)

Image: ghcr.io/rtvkiz/minimal-prometheus:latest  ·  Size: 305 MB  ·  Last rebuilt: 0d ago  ·  Updated: 2026-06-17 21:45 UTC

Author-asserted VEX statements (2)

GO-2022-0646 · not_affected · vulnerable_code_not_present
The advisory affects only aws-sdk-go v1's S3 encryption client (service/s3/s3crypto). prometheus/prometheus contains zero references to s3crypto, and Go links only imported packages into the binary, so the vulnerable code is not present. No fixed aws-sdk-go v1 release exists or is planned (fixed only in aws-sdk-go-v2).
GO-2022-0635 · not_affected · vulnerable_code_not_present
The advisory affects only aws-sdk-go v1's S3 encryption client (service/s3/s3crypto). prometheus/prometheus contains zero references to s3crypto, and Go links only imported packages into the binary, so the vulnerable code is not present. No fixed aws-sdk-go v1 release exists or is planned (fixed only in aws-sdk-go-v2).
| Package | Version | Severity | CVE | Fix | Description | VEX |
|---|---|---|---|---|---|---|
| github.com/aws/aws-sdk-go | v1.55.8 | MEDIUM | GO-2022-0646 | | A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without compu | VEX |
| github.com/aws/aws-sdk-go | v1.55.8 | MEDIUM | GO-2022-0646 | | A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without compu | VEX |
| github.com/aws/aws-sdk-go | v1.55.8 | LOW | GO-2022-0635 | | A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bu | VEX |
| github.com/aws/aws-sdk-go | v1.55.8 | LOW | GO-2022-0635 | | A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bu | VEX |