Fixing Vulnerability CVE-2023-43787

[yarongol]

Describe the bug

Here is the reported vulnerability

trivy image redocly/redoc --severity=HIGH
2024-01-25T09:12:28.440Z INFO Vulnerability scanning is enabled
......
redocly/redoc (alpine 3.18.4)

Total: 1 (HIGH: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libx11 │ CVE-2023-43787 │ HIGH │ fixed │ 1.8.4-r4 │ 1.8.7-r0 │ libX11: integer overflow in XCreateImage() leading to a heap │
│ │ │ │ │ │ │ overflow │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-43787 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

Please advise if redoc is sensitive to this vulnerability and when is the intended fix if relevant.
Thank you

[yarongol]

Any feedback on this? Thanks.

[RomanHotsiy]

Yes. We will take a look.

This vulnerability does not impact our docker container as this system function is not used by our code.

[yarongol]

The response I got from a security advisor is:

It is clear that once someone takeover the container, Person can call the method and exploited the vulnerability even during code normal flow it won't get executed. Hence, vulnerabilities exist and exploitable"