BASE-2394: Vulnerability of eptos Docker Images caused by a Pinpoint dependency

🔍 Overview

The application performance monitoring tool Pinpoint is a third-party open source component that is not part of the eptos software delivery.

As a deployment option, the eptos Base Module can connect to a Pinpoint server to deliver performance data. It does so through the Pinpoint client libraries ("pinpoint agent"), which are shipped as part of the eptos Base Module deployment.

The pinpoint client libraries carry the following known vulnerabilities:

  • CVE-2019-20444

  • CVE-2019-20445

  • GHSA-cqqj-4p63-rrmm

  • CVE-2022-1471

which are therefore reported as vulnerabilities of the eptos images. These vulnerabilities affect every eptos module that contains the pinpoint client libraries.

Internal analysis shows that these vulnerabilities originate from dependencies pulled in via Pinpoint, which was part of the container image build.

Summary

Vulnerability caused by a Pinpoint dependency included in the Docker image build.

Advisory Release Date

2.6.2026

Products

all eptos images

Affected Releases

prior to eptos 6.8

Fixed Releases

eptos 6.8

CVE ID

  • CVE-2022-1471

  • CVE-2019-20444

  • CVE-2019-20445

  • GHSA-cqqj-4p63-rrmm

Issue ID

BASE-2394

Further information

  • The vulnerabilities originate from the Pinpoint dependency included in the Docker images

  • They are not part of core eptos logic, but are introduced via the build/runtime environment

  • The affected components:

    • SnakeYAML (used indirectly by Pinpoint)

    • netty

Summary

Vulnerabilities have been identified in the eptos Docker images, originating from the third-party dependency Pinpoint included in those images:

  • CVE-2019-20444

  • CVE-2019-20445

  • GHSA-cqqj-4p63-rrmm

  • CVE-2022-1471

The vulnerabilities do not affect core eptos functionality directly, but result from an auxiliary component included in the container image.

The vulnerabilities can be resolved by:

  • deploying eptos Docker images that do not contain the Pinpoint client component

The fix is available starting with:

  • eptos 6.8 (or, for earlier versions, by retrieving updated Docker images)


Software Fixes

  • eptos releases 6.4 - 6.7: the pinpoint client libraries are contained in the eptos Docker images by default, which makes these images vulnerable. A fix that removes the pinpoint client libraries from the Docker images can be provided upon request. Please contact your solution manager for access.

  • Starting with eptos release 6.8 the default delivery has changed: the eptos Docker images are delivered without the pinpoint client libraries. Docker image versions that do contain the pinpoint client libraries are delivered on demand. Please contact your solution manager for access.

  • Starting with eptos release 7.0, pinpoint will no longer be supported.

What you need to do

  • If there is no evident need for pinpoint, check whether you are running Docker images that contain the pinpoint client libraries. If they do, we recommend installing eptos Docker images without the pinpoint client libraries. For eptos releases prior to 6.8, please check back with your solution manager to obtain images without the pinpoint client libraries and deploy those.

  • After upgrading to eptos 6.8 or later, the eptos images no longer contain the pinpoint client libraries by default and no further action is needed.
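Added example, not part of this advisory or of the eptos or Pinpoint projects: a POSIX shell check for the first step above. It scans a one-path-per-line listing of an image's files (for instance the output of `docker export <container> | tar -t`, or `find` over an extracted rootfs) and reports Pinpoint client jars together with the SnakeYAML and netty jars the advisory names. The jar naming convention (<artifact>-<version>.jar) and the sample listing are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the advisory or of eptos/Pinpoint: check an
# image file listing for Pinpoint client jars and the SnakeYAML / netty
# jars named above. Assumptions: the listing has one path per line, as
# produced by `docker export <container> | tar -t` or `find` over an
# extracted rootfs, and jars follow the <artifact>-<version>.jar convention.

# Reads the listing on stdin, prints "<component> <version> <path>" per hit.
# Exit status 1 when anything was found (usable as a CI gate), 0 when clean.
scan_image_listing() {
    found=0
    while IFS= read -r path; do
        base=${path##*/}
        case "$base" in
            pinpoint-*.jar)  component=pinpoint-client ;;
            snakeyaml-*.jar) component=snakeyaml ;;
            netty-*.jar)     component=netty ;;
            *)               continue ;;
        esac
        # Version is the text after the last "-" that starts with a digit.
        version=$(printf '%s\n' "$base" | sed -n 's/^.*-\([0-9][0-9A-Za-z.]*\)\.jar$/\1/p')
        echo "$component ${version:-unknown} $path"
        found=1
    done
    return $found
}

# Constructed sample listing standing in for a real image export.
SAMPLE_LISTING='opt/eptos/app.jar
opt/pinpoint-agent/pinpoint-bootstrap-2.5.3.jar
opt/pinpoint-agent/lib/snakeyaml-1.33.jar
opt/pinpoint-agent/lib/netty-all-4.1.42.Final.jar
usr/lib/jvm/lib/rt.jar'

if printf '%s\n' "$SAMPLE_LISTING" | scan_image_listing; then
    echo "no Pinpoint client libraries found"
else
    echo "Pinpoint client libraries present; deploy an image without them"
fi
```

Run it against a real export with `docker export <container> | tar -t | scan_image_listing` after sourcing the file; a non-zero exit status means the image still carries the component this advisory describes.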

Mitigation

Deploy eptos Docker images that do not contain the pinpoint client libraries.

Support

If you have questions or concerns regarding this advisory, check back with support (at) paradine.at.