```
trivy image redocly/redoc --severity HIGH,CRITICAL --ignore-unfixed
2024-02-19T16:47:30.062+0200 INFO Need to update DB
2024-02-19T16:47:30.062+0200 INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2024-02-19T16:47:30.062+0200 INFO Downloading DB...
43.01 MiB / 43.01 MiB [------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 10.54 MiB p/s 4.3s
2024-02-19T16:47:36.518+0200 INFO Vulnerability scanning is enabled
2024-02-19T16:47:36.518+0200 INFO Secret scanning is enabled
2024-02-19T16:47:36.518+0200 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-02-19T16:47:36.518+0200 INFO Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-02-19T16:47:41.278+0200 INFO Detected OS: alpine
2024-02-19T16:47:41.278+0200 INFO Detecting Alpine vulnerabilities...
2024-02-19T16:47:41.281+0200 INFO Number of language-specific files: 0
redocly/redoc (alpine 3.18.4)
Total: 3 (HIGH: 3, CRITICAL: 0)
┌──────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├──────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libexpat │ CVE-2023-52425 │ HIGH │ fixed │ 2.5.0-r1 │ 2.6.0-r0 │ expat: parsing large tokens can trigger a denial of service │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-52425 │
├──────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libx11 │ CVE-2023-43787 │ │ │ 1.8.4-r4 │ 1.8.7-r0 │ libX11: integer overflow in XCreateImage() leading to a heap │
│ │ │ │ │ │ │ overflow │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-43787 │
├──────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libxml2 │ CVE-2024-25062 │ │ │ 2.11.4-r0 │ 2.11.7-r0 │ libxml2: use-after-free in XMLReader │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-25062 │
└──────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
```
Following is an updated report from an image scanner. You have replied here #2481 on CVE-2023-43787, but there are two new issues: CVE-2023-52425 and CVE-2024-25062.
Please advise if these affect the redoc product and/or help fix this.
Regards