Apologies if this is a rookie question, but I keep wondering what the vulnerabilities section on DockerHub is trying to tell me. Take nextcloud images for instance: The most current images seem to list 3 critical and 22 severe vulnerabilities. Does that mean those vulns are part of the image? If so, why would anyone want to run this?
That’s not a rookie question at all, and actually shows you’re paying attention to what you are deploying on your server…which is what you should be doing. In addition to what others have said so far, images like Nextcloud are often updated quickly, but scans lag in reality. A critical label reflects known vulnerabilities in a version, but not necessarily ‘this instance is definitely compromised.’