Temporal UI image scanning security vulnerabilities

Hello

It looks like the Temporal UI component 2.12.0 and 2.13.0 Docker images have the security vulnerabilities below:

  Type:            VULNERABILITY
  Name:            CVE-2022-42915
  CVSS Score v3:   9.8
  Severity:        critical
  Description:     curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.. Impacted Image File(s): 

  Type:            VULNERABILITY
  Name:            CVE-2022-32221
  CVSS Score v3:   9.8
  Severity:        critical
  Description:     When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.. Impacted Image File(s): 

Are there going to be any new releases that address these, or is there any other recommended version?

Hi @kenand,

I can confirm the aforementioned two critical vulnerabilities are patched in both the repo v2.13.1 and Docker image 2.13.3.

Thank you so much.