[BDSA-2022-0976][CVE-2022-28805] Lua5.1 High Blackduck Vulnerability
When carrying out a Blackduck scan using knot resolver 5.7, our image was flagged with a High security vulnerability.
Docker image below:

```dockerfile
FROM alpine:edge@sha256:3e44438281baf26907675b99c9a4a421c4d4a57c954120327e703aa8329086bd as TMP
RUN apk add --no-cache knot-resolver=5.7.0-r1 knot-resolver-mod-http=5.7.0-r1
```
The issue seems to be removed in Lua 5.4, but this has compatibility issues with knot-resolver 5.7. Wondering what the recommendation is here?
Will knot 5.X versions incorporate the latest Lua 5.4 changes soon?
GH Issue https://github.com/CZ-NIC/knot-resolver/issues/100
Description from the Scan
CVE-2022-28805
Lua is vulnerable to denial-of-service (DoS) and information disclosure issues due to a missing luaK_exp2anyregup() call.
An attacker could supply crafted input to a system that compiles untrusted Lua code in order to negatively impact stability or potentially read information from memory.