MSR 2.8.13 is the final patch release for MSR 2.8.x as that version of the software reached end of life (EOL) status on 2022-05-27. In correlation, Mirantis has halted maintenance of the MSR 2.8.x documentation set.


Bug fixes

  • (FIELD-4718) Fixed a pagination issue in the MSR API GET /api/v0/imagescan/scansummary/cve/{cve} endpoint. The fix requires that you upgrade MSR to 2.8.13 and that you take certain manual steps using the database CLI (contact Mirantis Support for the steps). Note that the manual CLI steps are not required for fresh MSR installations.

  • (ENGDTR-3184) Fixed an issue wherein Ubuntu 22.04 based images could not be successfully scanned for vulnerabilities.


  • Resolved CVEs, as detailed:






Prior to 1.2.12, zlib allows memory corruption when deflating when the input has many distant matches.



BusyBox up through version 1.35.0 allows remote attackers to execute arbitrary code when netstat is used to print the value of a DNS PTR record to a VT-compatible terminal. Alternatively, attackers can choose to change the colors of the terminal.



Prior to 1.9.10, GORM permits SQL injection through incomplete parentheses. Note that misusing GORM by passing untrusted user input when GORM expects trusted SQL fragments is not a vulnerability in GORM but in the application.


Resolved/False Positive

Prior to 4.0.0-preview1, jwt-go allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"], which is allowed according to the specification. The value of aud is “” because the type assertion fails. This is a security problem if the JWT token is presented to a service that lacks its own audience check.



A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 in which containers launched through containerd’s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host.


Not Vulnerable

The CVE is present in the JobRunner image, however while it is a required dependency of a component running in JobRunner, its functionality is never excercised.

In OpenLDAP 2.x prior to 2.5.12 and in 2.6.x prior to 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping.


False Positive

Though Alpine Linux contains the affected OpenSSL version, the c_rehash script has been replaced by a C binary.

The c_rehash script does not properly sanitize shell metacharacters to prevent command injection. Some operating systems distribute this script in a manner in which it is automatically executed, in which case attackers can execute arbitrary commands with the privileges of the script. Use of this script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. The vulernability is fixed in OpenSSL 3.0.3, OpenSSL 1.1.1o, and in OpenSSL 1.0.2ze.


False Positive

All CVEs reported in NumPy are false positives, the result of being picked up from cache but for a version not in use with MSR.

NumPy 1.16.0 and earlier use the pickle Python module in an unsafe manner that allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. Note that third parties dispute the issue as, for example, it is a behavior that can have legitimate applications in loading serialized Python object arrays from trusted and authenticated sources.

  • All CVEs reported in OpenJDK 1.8.0u302 have been resolved by removal of the component.

  • All CVEs reported in NumPy are false positives, the result of being picked up from cache but for a version not in use with MSR.

  • Upgraded Synopsys scanner to version 2022.3.1.