Scenario #280
Security
Kubernetes v1.23, AWS
CVE Ignored in Base Image for Months
A known CVE affecting the base image used by multiple services remained unpatched due to no alerting.
What Happened
A glibc vulnerability in the shared base image went unnoticed for months because nothing scanned the images for CVEs or alerted anyone when one was published. Security only discovered it during a quarterly audit.
Diagnosis Steps
1. Scanned container image layers manually.
2. Confirmed multiple CVEs, including critical ones.
3. Traced the image origin to a legacy Dockerfile.
Root Cause
No vulnerability scanning in CI/CD.
Fix/Workaround
• Integrated Clair + Trivy scans into the CI/CD pipelines.
• Set up Slack alerts for critical CVEs.
Lessons Learned
Continuous scanning is vital to security hygiene.
How to Avoid
1. Integrate image scanning into build pipelines.
2. Monitor CVE databases for base images regularly.
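As an added example (not part of the original scenario write-up, and not code from the Trivy or Clair projects), here is one way the scanning and alerting step from the Fix/Workaround and How to Avoid sections can be wired into a CI job. It assumes Trivy has already written a JSON report with `trivy image --format json --output report.json --severity HIGH,CRITICAL <image>`; the script then gates the build on the findings and builds a Slack webhook message. The image name, package versions and CVE identifiers in the embedded sample report are constructed placeholders, and `SLACK_WEBHOOK_URL` is a hypothetical environment variable the CI system would provide.

```python
"""Gate a CI build on a Trivy JSON report and raise a Slack alert for gated findings."""
import json
import os
import sys
import urllib.request
from collections import Counter

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]

# Constructed sample in the shape Trivy emits for
#   trivy image --format json --output report.json --severity HIGH,CRITICAL <image>
# Image name, versions and CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "registry.example.com/team/base:legacy",
    "Results": [
        {
            "Target": "registry.example.com/team/base:legacy (debian 10.3)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libc6",
                 "InstalledVersion": "2.28-10", "FixedVersion": "2.28-10+deb10u1",
                 "Severity": "CRITICAL", "Title": "placeholder glibc issue"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libc6",
                 "InstalledVersion": "2.28-10", "FixedVersion": "",
                 "Severity": "HIGH", "Title": "placeholder, no fix yet"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libssl1.1",
                 "InstalledVersion": "1.1.1d-0", "FixedVersion": "1.1.1d-0+deb10u2",
                 "Severity": "HIGH", "Title": "placeholder openssl issue"},
            ],
        }
    ],
}


def findings(report):
    """Flatten every vulnerability across all scanned targets in the report."""
    for result in report.get("Results", []):
        # Trivy omits "Vulnerabilities" (or sets it to null) when a target is clean.
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", ""), vuln


def summarize(report, ignore_unfixed=False):
    """Count findings per severity; optionally skip those with no fixed version."""
    counts = Counter()
    for _, vuln in findings(report):
        if ignore_unfixed and not vuln.get("FixedVersion"):
            continue
        counts[vuln.get("Severity", "UNKNOWN")] += 1
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def should_fail(report, fail_on=("CRITICAL",), ignore_unfixed=False):
    """Build gate: fail when any finding at a gated severity is present."""
    summary = summarize(report, ignore_unfixed)
    return any(summary[sev] > 0 for sev in fail_on)


def slack_payload(report, fail_on=("CRITICAL",)):
    """Build a Slack incoming-webhook payload listing only the gated findings."""
    image = report.get("ArtifactName", "<unknown image>")
    summary = summarize(report)
    gated = [v for _, v in findings(report) if v.get("Severity") in fail_on]
    lines = [f"*Image scan: {image}*",
             ", ".join(f"{s}: {summary[s]}" for s in SEVERITY_ORDER if summary[s])]
    for v in gated:
        fix = v.get("FixedVersion") or "no fix available"
        lines.append(f"- {v['VulnerabilityID']} {v['PkgName']} "
                     f"{v['InstalledVersion']} (fix: {fix})")
    return {"text": "\n".join(lines)}


def notify(payload, webhook_url):
    """POST the payload to a Slack incoming webhook; returns the HTTP status."""
    req = urllib.request.Request(
        webhook_url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def main(argv):
    """Usage: gate.py [report.json]; exits non-zero so the CI job fails on gated CVEs."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    print(json.dumps(summarize(report), indent=2))
    if not should_fail(report):
        return 0
    payload = slack_payload(report)
    print(payload["text"])
    webhook = os.environ.get("SLACK_WEBHOOK_URL")  # hypothetical, set by the CI system
    if webhook:
        notify(payload, webhook)
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The gate deliberately separates "what fails the build" (`fail_on`) from "what gets reported" so HIGH findings still show up in the Slack summary without blocking every deploy; `ignore_unfixed` mirrors Trivy's own `--ignore-unfixed` flag for teams that only want to fail on findings they can actually patch.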