There are a few security vulnerabilities in the Debian based image.
These can be solved by updating curl/libcurl4 to the latest version.
nginx:1.19.9 (debian 10.9)
==========================
Total: 16 (UNKNOWN: 0, LOW: 4, MEDIUM: 2, HIGH: 10, CRITICAL: 0)
+----------+------------------+----------+-------------------+------------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+----------+------------------+----------+-------------------+------------------+---------------------------------------+
| curl | CVE-2020-8169 | HIGH | 7.64.0-4+deb10u1 | 7.64.0-4+deb10u2 | libcurl: partial password |
| | | | | | leak over DNS on HTTP redirect |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-8169 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2020-8177 | | | | curl: Incorrect argument |
| | | | | | check can allow remote servers |
| | | | | | to overwrite local files... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-8177 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2020-8231 | | | | curl: Expired pointer |
| | | | | | dereference via multi API with |
| | | | | | `CURLOPT_CONNECT_ONLY` option set |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-8231 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2020-8285 | | | | curl: malicious FTP server can |
| | | | | | trigger stack overflow when |
| | | | | | CURLOPT_CHUNK_BGN_FUNCTION |
| | | | | | is used... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-8285 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2020-8286 | | | | curl: inferior OCSP verification |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-8286 |
+ +------------------+----------+ + +---------------------------------------+
| | CVE-2021-22876 | MEDIUM | | | curl: Leak of authentication |
| | | | | | credentials in URL |
| | | | | | via automatic Referer |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-22876 |
+ +------------------+----------+ + +---------------------------------------+
| | CVE-2020-8284 | LOW | | | curl: dangerous nature |
| | | | | | of PASV command could |
| | | | | | be used to make curl... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-8284 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2021-22890 | | | | curl: TLS 1.3 session ticket |
| | | | | | mix-up with HTTPS proxy host |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-22890 |
+----------+------------------+----------+ + +---------------------------------------+
| libcurl4 | CVE-2020-8169 | HIGH | | | libcurl: partial password |
| | | | | | leak over DNS on HTTP redirect |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-8169 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2020-8177 | | | | curl: Incorrect argument |
| | | | | | check can allow remote servers |
| | | | | | to overwrite local files... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-8177 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2020-8231 | | | | curl: Expired pointer |
| | | | | | dereference via multi API with |
| | | | | | `CURLOPT_CONNECT_ONLY` option set |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-8231 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2020-8285 | | | | curl: malicious FTP server can |
| | | | | | trigger stack overflow when |
| | | | | | CURLOPT_CHUNK_BGN_FUNCTION |
| | | | | | is used... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-8285 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2020-8286 | | | | curl: inferior OCSP verification |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-8286 |
+ +------------------+----------+ + +---------------------------------------+
| | CVE-2021-22876 | MEDIUM | | | curl: Leak of authentication |
| | | | | | credentials in URL |
| | | | | | via automatic Referer |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-22876 |
+ +------------------+----------+ + +---------------------------------------+
| | CVE-2020-8284 | LOW | | | curl: dangerous nature |
| | | | | | of PASV command could |
| | | | | | be used to make curl... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-8284 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2021-22890 | | | | curl: TLS 1.3 session ticket |
| | | | | | mix-up with HTTPS proxy host |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-22890 |
+----------+------------------+----------+-------------------+------------------+---------------------------------------+
Thanks for the report @lucacome !
We don't have much control over the rebuilds at docker hub so I'm not sure about the timeline it can get fixed for 1.19.9.
However we're planning to release nginx 1.19.10 next Tuesday, so hopefully 1.19.10-based images will arrive around Wednesday 13th and they will have a fixed curl version installed.
Thanks to great folk over at docker-library, nginx:1.19.9 now ships with an updated libcurl/curl, so this can be closed:
$ docker run -ti --rm nginx:1.19.9 dpkg -l curl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-================-============-=======================================================
ii curl 7.64.0-4+deb10u2 amd64 command line tool for transferring data with URL syntax
Most helpful comment
Thanks to great folk over at docker-library,
nginx:1.19.9now ships with an updated libcurl/curl, so this can be closed: