diff --git a/commands/scan/dockerscan.go b/commands/scan/dockerscan.go
index ec619090..a2f23c42 100644
--- a/commands/scan/dockerscan.go
+++ b/commands/scan/dockerscan.go
@@ -87,7 +87,7 @@ func (dsc *DockerScanCommand) Run() (err error) {
 Pattern(imageTarPath).
 Target(dsc.targetRepoPath).
 BuildSpec()).SetThreads(1)
- dsc.ScanCommand.SetRunJasScans(true)
+ dsc.ScanCommand.SetTargetNameOverride(dsc.imageTag).SetRunJasScans(true)
 err = dsc.setCredentialEnvsForIndexerApp()
 if err != nil {
 return errorutils.CheckError(err)
@@ -102,9 +102,6 @@ func (dsc *DockerScanCommand) Run() (err error) {
 if scanResults == nil {
 return
 }
- for _, scan := range scanResults.Targets {
- scan.Name = dsc.imageTag
- }
 dsc.analyticsMetricsService.UpdateGeneralEvent(dsc.analyticsMetricsService.CreateXscAnalyticsGeneralEventFinalizeFromAuditResults(scanResults))
 return dsc.recordResults(scanResults)
 })
diff --git a/commands/scan/scan.go b/commands/scan/scan.go
index e7335788..74292bb1 100644
--- a/commands/scan/scan.go
+++ b/commands/scan/scan.go
@@ -72,6 +72,7 @@ type ScanCommand struct {
 progress ioUtils.ProgressMgr
 // JAS is only supported for Docker images.
 commandSupportsJAS bool
+ targetNameOverride string
 analyticsMetricsService *xsc.AnalyticsMetricsService
 }
 
@@ -90,6 +91,11 @@ func (scanCmd *ScanCommand) SetRunJasScans(run bool) *ScanCommand {
 return scanCmd
 }
 
+func (scanCmd *ScanCommand) SetTargetNameOverride(targetName string) *ScanCommand {
+ scanCmd.targetNameOverride = targetName
+ return scanCmd
+}
+
 func (scanCmd *ScanCommand) SetProgress(progress ioUtils.ProgressMgr) {
 scanCmd.progress = progress
 }
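Review bot: SetTargetNameOverride is exported but carries no doc comment, and nothing in this hunk says what the override applies to. The field is consulted for every scan target the command creates (see getBinaryTargetName in the later scan.go hunk), so a caller that sets it for a spec matching several files gives all of them the same Name, which can make per-target output ambiguous. I would add `// SetTargetNameOverride sets the Name reported for every scan target this command creates; when empty, each target is named after its file's base name. Used by the Docker image scan, which names its single image tar after the image tag.` above the method.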
@@ -305,10 +311,6 @@ func (scanCmd *ScanCommand) RunAndRecordResults(cmdType utils.CommandType, recor
 err = errors.New("failed while trying to get Analyzer Manager: " + err.Error())
 }
 
- if err = recordResFunc(cmdResults); err != nil {
- return err
- }
-
 if err = output.NewResultsWriter(cmdResults).
 SetOutputFormat(scanCmd.outputFormat).
 SetHasViolationContext(scanCmd.hasViolationContext()).
@@ -320,6 +322,10 @@ func (scanCmd *ScanCommand) RunAndRecordResults(cmdType utils.CommandType, recor
 return
 }
 
+ if err = recordResFunc(cmdResults); err != nil {
+ return err
+ }
+
 // If includeVulnerabilities is false it means that context was provided, so we need to check for build violations.
 // If user provided --fail=false, don't fail the build.
 if scanCmd.fail && !scanCmd.includeVulnerabilities {
@@ -361,12 +367,19 @@ func (scanCmd *ScanCommand) prepareScanTasks(fileProducer, indexedFileProducer p
 }()
 }
 
+func (scanCmd *ScanCommand) getBinaryTargetName(binaryPath string) string {
+ if scanCmd.targetNameOverride != "" {
+ return scanCmd.targetNameOverride
+ }
+ return filepath.Base(binaryPath)
+}
+
 func (scanCmd *ScanCommand) createIndexerHandlerFunc(file *spec.File, cmdResults *results.SecurityCommandResults, indexedFileProducer parallel.Runner, jasFileProducerConsumer *utils.SecurityParallelRunner) FileContext {
 return func(filePath string) parallel.TaskFunc {
 return func(threadId int) (err error) {
 logMsgPrefix := clientutils.GetLogMsgPrefix(threadId, false)
 // Create a scan target for the file.
- targetResults := cmdResults.NewScanResults(results.ScanTarget{Target: filePath, Name: filepath.Base(filePath)})
+ targetResults := cmdResults.NewScanResults(results.ScanTarget{Target: filePath, Name: scanCmd.getBinaryTargetName(filePath)})
 log.Info(logMsgPrefix+"Indexing file:", targetResults.Target)
 if scanCmd.progress != nil {
 scanCmd.progress.SetHeadlineMsg("Indexing file: " + targetResults.Name + " 🗄")
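Review bot: In its new position the recordResFunc call only runs if the results-writer chain above it succeeds, because that chain's error branch does a bare `return` before the added lines; before this change (hunk @@ -305) recording happened ahead of printing, so an output failure could not skip it. If recordResFunc persists or uploads the scan results, a print or format error now silently drops that step, and the only trace is the writer's error. If the reordering is intentional so that results are displayed before being recorded, a one-line comment such as `// Record results only after they were successfully written to the output.` above the added block would make the ordering dependency explicit. RunAndRecordResults starts and ends outside both hunks.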
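Review bot: getBinaryTargetName has no comment, so the fallback branch is the only place that documents the default naming. I would add `// getBinaryTargetName returns the display name for a scanned file: the configured targetNameOverride when non-empty, otherwise the file's base name.` above it. It is also called from inside the per-thread task closure returned by createIndexerHandlerFunc, so targetNameOverride is read from several goroutines; that is fine only as long as SetTargetNameOverride is never called once the scan tasks have been started, which is worth stating in the same comment. createIndexerHandlerFunc continues past the end of the hunk.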
diff --git a/jas/secrets/secretsscanner.go b/jas/secrets/secretsscanner.go
index 347833e6..f744d5bd 100644
--- a/jas/secrets/secretsscanner.go
+++ b/jas/secrets/secretsscanner.go
@@ -127,7 +127,7 @@ func processSecretScanRuns(sarifRuns []*sarif.Run) []*sarif.Run {
 // Hide discovered secrets value
 for _, secretResult := range secretRun.Results {
 for _, location := range secretResult.Locations {
- sarifutils.SetLocationSnippet(location, maskSecret(sarifutils.GetLocationSnippet(location)))
+ sarifutils.SetLocationSnippet(location, maskSecret(sarifutils.GetLocationSnippetText(location)))
 }
 }
 }
diff --git a/tests/testdata/other/sast-scan/contains-sast-violations.sarif b/tests/testdata/other/sast-scan/contains-sast-violations.sarif
index d8b3c02e..f6251a23 100644
--- a/tests/testdata/other/sast-scan/contains-sast-violations.sarif
+++ b/tests/testdata/other/sast-scan/contains-sast-violations.sarif
@@ -165,12 +165,12 @@
 {
 "executionSuccessful": true,
 "arguments": [
- "/Users/assafa/.jfrog/dependencies/analyzerManager/zd_scanner/scanner",
+ "/users/user/.jfrog/dependencies/analyzerManager/zd_scanner/scanner",
 "scan",
 "/var/folders/xv/th4cksxn7jv9wjrdnn1h4tj00000gq/T/jfrog.cli.temp.-1693477603-3697552683/results.sarif"
 ],
 "workingDirectory": {
- "uri": "file:///Users/assafa/Documents/code/flask-webgoat"
+ "uri": "file:///Users/user/proj"
 }
 }
 ],
@@ -193,7 +193,7 @@
 ],
 "physicalLocation": {
 "artifactLocation": {
- "uri": "file:///Users/assafa/Documents/code/flask-webgoat/flask_webgoat/auth.py"
+ "uri": "file:///Users/user/proj/flask_webgoat/auth.py"
 },
 "region": {
 "endColumn": 28,
@@ -216,7 +216,7 @@
 ],
 "physicalLocation": {
 "artifactLocation": {
- "uri": "file:///Users/assafa/Documents/code/flask-webgoat/flask_webgoat/auth.py"
+ "uri": "file:///Users/user/proj/flask_webgoat/auth.py"
 },
 "region": {
 "endColumn": 32,
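Review bot: The masking in this loop rewrites only each location's snippet through GetLocationSnippetText/SetLocationSnippet; if the result's message text or a context region (fields not visible in this hunk) also embed the matched value, they would still leave the scanner unmasked, which is worth confirming against the sarifutils helpers before relying on this as the only redaction point. Separately, if GetLocationSnippetText returns "" for a location that has no snippet, the call now writes an empty masked snippet back into a location that had none; a guard such as `if text := sarifutils.GetLocationSnippetText(location); text != "" { sarifutils.SetLocationSnippet(location, maskSecret(text)) }` keeps the output shape unchanged for those locations. processSecretScanRuns starts and ends outside the hunk.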
@@ -239,7 +239,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/flask-webgoat/flask_webgoat/auth.py" + "uri": "file:///Users/user/proj/flask_webgoat/auth.py" }, "region": { "endColumn": 44, @@ -262,7 +262,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/flask-webgoat/flask_webgoat/auth.py" + "uri": "file:///Users/user/proj/flask_webgoat/auth.py" }, "region": { "endColumn": 13, @@ -285,7 +285,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/flask-webgoat/flask_webgoat/auth.py" + "uri": "file:///Users/user/proj/flask_webgoat/auth.py" }, "region": { "endColumn": 31, @@ -308,7 +308,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/flask-webgoat/flask_webgoat/auth.py" + "uri": "file:///Users/user/proj/flask_webgoat/auth.py" }, "region": { "endColumn": 31, @@ -331,7 +331,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/flask-webgoat/flask_webgoat/auth.py" + "uri": "file:///Users/user/proj/flask_webgoat/auth.py" }, "region": { "endColumn": 10, @@ -354,7 +354,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/flask-webgoat/flask_webgoat/auth.py" + "uri": "file:///Users/user/proj/flask_webgoat/auth.py" }, "region": { "endColumn": 39, @@ -377,7 +377,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/flask-webgoat/flask_webgoat/__init__.py" + "uri": "file:///Users/user/proj/flask_webgoat/__init__.py" }, "region": { "endColumn": 19, @@ -400,7 +400,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/flask-webgoat/flask_webgoat/__init__.py" + "uri": "file:///Users/user/proj/flask_webgoat/__init__.py" }, "region": { "endColumn": 49, 
@@ -429,7 +429,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/flask-webgoat/flask_webgoat/__init__.py" + "uri": "file:///Users/user/proj/flask_webgoat/__init__.py" }, "region": { "endColumn": 49, @@ -463,7 +463,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/flask-webgoat/flask_webgoat/auth.py" + "uri": "file:///Users/user/proj/flask_webgoat/auth.py" }, "region": { "endColumn": 28, @@ -486,7 +486,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/flask-webgoat/flask_webgoat/auth.py" + "uri": "file:///Users/user/proj/flask_webgoat/auth.py" }, "region": { "endColumn": 32, @@ -509,7 +509,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/flask-webgoat/flask_webgoat/auth.py" + "uri": "file:///Users/user/proj/flask_webgoat/auth.py" }, "region": { "endColumn": 44, @@ -532,7 +532,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/flask-webgoat/flask_webgoat/auth.py" + "uri": "file:///Users/user/proj/flask_webgoat/auth.py" }, "region": { "endColumn": 13, @@ -555,7 +555,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/flask-webgoat/flask_webgoat/auth.py" + "uri": "file:///Users/user/proj/flask_webgoat/auth.py" }, "region": { "endColumn": 31, @@ -578,7 +578,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/flask-webgoat/flask_webgoat/auth.py" + "uri": "file:///Users/user/proj/flask_webgoat/auth.py" }, "region": { "endColumn": 31, @@ -601,7 +601,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/flask-webgoat/flask_webgoat/auth.py" + "uri": "file:///Users/user/proj/flask_webgoat/auth.py" }, "region": { "endColumn": 10, 
@@ -624,7 +624,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/flask-webgoat/flask_webgoat/auth.py" + "uri": "file:///Users/user/proj/flask_webgoat/auth.py" }, "region": { "endColumn": 39, @@ -647,7 +647,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/flask-webgoat/flask_webgoat/__init__.py" + "uri": "file:///Users/user/proj/flask_webgoat/__init__.py" }, "region": { "endColumn": 19, @@ -670,7 +670,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/flask-webgoat/flask_webgoat/__init__.py" + "uri": "file:///Users/user/proj/flask_webgoat/__init__.py" }, "region": { "endColumn": 49, @@ -699,7 +699,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/flask-webgoat/flask_webgoat/__init__.py" + "uri": "file:///Users/user/proj/flask_webgoat/__init__.py" }, "region": { "endColumn": 49, @@ -733,7 +733,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/flask-webgoat/flask_webgoat/auth.py" + "uri": "file:///Users/user/proj/flask_webgoat/auth.py" }, "region": { "endColumn": 23, @@ -756,7 +756,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/flask-webgoat/flask_webgoat/auth.py" + "uri": "file:///Users/user/proj/flask_webgoat/auth.py" }, "region": { "endColumn": 27, @@ -779,7 +779,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/flask-webgoat/flask_webgoat/auth.py" + "uri": "file:///Users/user/proj/flask_webgoat/auth.py" }, "region": { "endColumn": 34, @@ -802,7 +802,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/flask-webgoat/flask_webgoat/auth.py" + "uri": "file:///Users/user/proj/flask_webgoat/auth.py" }, "region": { "endColumn": 8, 
@@ -825,7 +825,7 @@
 ],
 "physicalLocation": {
 "artifactLocation": {
- "uri": "file:///Users/assafa/Documents/code/flask-webgoat/flask_webgoat/auth.py"
+ "uri": "file:///Users/user/proj/flask_webgoat/auth.py"
 },
 "region": {
 "endColumn": 29,
@@ -854,7 +854,7 @@
 ],
 "physicalLocation": {
 "artifactLocation": {
- "uri": "file:///Users/assafa/Documents/code/flask-webgoat/flask_webgoat/auth.py"
+ "uri": "file:///Users/user/proj/flask_webgoat/auth.py"
 },
 "region": {
 "endColumn": 29,
@@ -883,7 +883,7 @@
 ],
 "physicalLocation": {
 "artifactLocation": {
- "uri": "file:///Users/assafa/Documents/code/flask-webgoat/run.py"
+ "uri": "file:///Users/user/proj/run.py"
 },
 "region": {
 "endColumn": 24,
diff --git a/tests/testdata/other/sast-scan/no-violations.sarif b/tests/testdata/other/sast-scan/no-violations.sarif
index ed129e6e..f9534d60 100644
--- a/tests/testdata/other/sast-scan/no-violations.sarif
+++ b/tests/testdata/other/sast-scan/no-violations.sarif
@@ -11,12 +11,12 @@
 {
 "executionSuccessful": true,
 "arguments": [
- "/Users/assafa/.jfrog/dependencies/analyzerManager/zd_scanner/scanner",
+ "/users/user/.jfrog/dependencies/analyzerManager/zd_scanner/scanner",
 "scan",
 "/var/folders/xv/th4cksxn7jv9wjrdnn1h4tj00000gq/T/jfrog.cli.temp.-1693477603-3697552683/results.sarif"
 ],
 "workingDirectory": {
- "uri": "file:///Users/assafa/Documents/code/terraform"
+ "uri": "file:///Users/user/testdata/terraform"
 }
 }
 ],
diff --git a/tests/testdata/output/audit/audit_results.json b/tests/testdata/output/audit/audit_results.json
index e64adb15..65811aa2 100644
--- a/tests/testdata/output/audit/audit_results.json
+++ b/tests/testdata/output/audit/audit_results.json
@@ -66,7 +66,7 @@ "https://github.com/lodash/lodash/issues/4874", "https://github.com/lodash/lodash/wiki/Changelog#v41719" ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=711851ce-68c4-4dfd-7afb-c29737ebcb96\u0026issue_id=XRAY-114089\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", + "ignore_url": "https://platform.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=711851ce-68c4-4dfd-7afb-c29737ebcb96\u0026issue_id=XRAY-114089\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", "extended_information": { "short_description": "Prototype pollution in lodash object merging and zipping functions leads to code injection.", "full_description": "[lodash](https://lodash.com/) is a JavaScript library which provides utility functions for common programming tasks.\n\nJavaScript frontend and Node.js-based backend applications that merge or zip objects using the lodash functions `mergeWith`, `merge` and `zipObjectDeep` are vulnerable to [prototype pollution](https://medium.com/node-modules/what-is-prototype-pollution-and-why-is-it-such-a-big-deal-2dd8d89a93c) if one or more of the objects it receives as arguments are obtained from user input. \nAn attacker controlling this input given to the vulnerable functions can inject properties to JavaScript special objects such as [Object.prototype](https://developer.mozilla.org/en-US/docs/Learn/JavaScript/Objects/Object_prototypes) from which all JavaScript objects inherit properties and methods. Any change on `Object.prototype` properties will then propagate through the prototype chain inheritance to all of the objects in a JavaScript application. 
This in turn would allow an attacker to add new properties or modify existing properties which will have application specific implications that could lead to DoS (denial of service), authentication bypass, privilege escalation and even RCE (remote code execution) in [some cases](https://youtu.be/LUsiFV3dsK8?t=1152). \nAs an example for privilege escalation, consider a JavaScript application that has a `user` object which has a Boolean property of `user.isAdmin` which is used to decide which actions the user may take. If an attacker can modify or add the `isAdmin` property through prototype pollution, it can escalate the privileges of its own user to those of an admin. \nAs exploitation is usually application specific, successful exploitation is much more likely if an attacker have access to the JavaScript application code. As such, frontend applications are more vulnerable to this vulnerability than Node.js backend applications.", 
@@ -127,7 +127,7 @@ "https://security.netapp.com/advisory/ntap-20190919-0004/", "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a" ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=711851ce-68c4-4dfd-7afb-c29737ebcb96\u0026issue_id=XRAY-72918\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" + "ignore_url": "https://platform.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=711851ce-68c4-4dfd-7afb-c29737ebcb96\u0026issue_id=XRAY-72918\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" }, { "summary": "Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is `res.location()` but this is also called from within `res.redirect()`. The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.", 
@@ -170,7 +170,7 @@ "https://nvd.nist.gov/vuln/detail/CVE-2024-29041", "https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc" ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=711851ce-68c4-4dfd-7afb-c29737ebcb96\u0026issue_id=XRAY-594935\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" + "ignore_url": "https://platform.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=711851ce-68c4-4dfd-7afb-c29737ebcb96\u0026issue_id=XRAY-594935\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" }, { "summary": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.", 
@@ -213,7 +213,7 @@ "https://security.netapp.com/advisory/ntap-20190919-0004", "https://hackerone.com/reports/380873" ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=711851ce-68c4-4dfd-7afb-c29737ebcb96\u0026issue_id=XRAY-75300\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", + "ignore_url": "https://platform.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=711851ce-68c4-4dfd-7afb-c29737ebcb96\u0026issue_id=XRAY-75300\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", "extended_information": { "short_description": "Insufficient input validation in the Lodash library leads to prototype pollution.", "full_description": "The [Lodash](https://lodash.com/) library is an open-source JavaScript project that simplifies operations on string, arrays, numbers, and other objects. It is widely used in connected devices. \n\nThe `merge`, `mergeWith`, and `defaultsDeep` methods in Lodash are vulnerable to [prototype pollution](https://shieldfy.io/security-wiki/prototype-pollution/introduction-to-prototype-pollution/). Attackers can exploit this vulnerability by specifying a crafted `sources` parameter to any of these methods, which can modify the prototype properties of the `Object`, `Function`, `Array`, `String`, `Number`, and `Boolean` objects. A public [exploit](https://hackerone.com/reports/380873) exists which performs the prototype pollution with an arbitrary key and value.\n\nThe library implementation has a bug in the `safeGet()` function in the `lodash.js` module that allows for adding or modifying `prototype` properties of various objects. 
The official [solution](https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad) fixes the bug by explicitly forbidding the addition or modification of `prototype` properties.\n\nA related CVE (CVE-2018-3721) covers the same issue prior to Lodash version 4.17.5, but the fix for that was incomplete.", 
@@ -279,7 +279,7 @@ "https://github.com/mde/ejs", "https://security.netapp.com/advisory/ntap-20220804-0001/" ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=711851ce-68c4-4dfd-7afb-c29737ebcb96\u0026issue_id=XRAY-209002\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", + "ignore_url": "https://platform.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=711851ce-68c4-4dfd-7afb-c29737ebcb96\u0026issue_id=XRAY-209002\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", "extended_information": { "short_description": "Insufficient input validation in EJS enables attackers to perform template injection when attacker can control the rendering options.", "full_description": "[Embedded JavaScript templates](https://github.com/mde/ejs), also known as EJS, is one of the most popular Node.js templating engines, which is compiled with the Express JS view system.\n\nWhen rendering views using EJS, it is possible to perform template injection on the `opts.outputFunctionName` variable, since the variable is injected into the template body without any escaping. 
Although it is unlikely that the attacker can directly control the `outputFunctionName` property, it is possible that it can be influenced in conjunction with a prototype pollution vulnerability.\n\nOnce template injection is achieved, the attacker can immediately perform remote code execution since the template engine (EJS) allows executing arbitrary JavaScript code.\n\nExample of a vulnerable Node.js application -\n```js\nconst express = require('express');\nconst bodyParser = require('body-parser');\nconst lodash = require('lodash');\nconst ejs = require('ejs');\n\nconst app = express();\n\napp\n .use(bodyParser.urlencoded({extended: true}))\n .use(bodyParser.json());\n\napp.set('views', './');\napp.set('view engine', 'ejs');\n\napp.get(\"/\", (req, res) =\u003e {\n res.render('index');\n});\n\napp.post(\"/\", (req, res) =\u003e {\n let data = {};\n let input = JSON.parse(req.body.content);\n lodash.defaultsDeep(data, input);\n res.json({message: \"OK\"});\n});\n\nlet server = app.listen(8086, '0.0.0.0', function() {\n console.log('Listening on port %d', server.address().port);\n});\n```\n\nExploiting the above example for RCE -\n`curl 127.0.0.1:8086 -v --data 'content={\"constructor\": {\"prototype\": {\"outputFunctionName\": \"a; return global.process.mainModule.constructor._load(\\\"child_process\\\").execSync(\\\"whoami\\\"); //\"}}}'\n`\n\nDue to the prototype pollution in the `lodash.defaultsDeep` call, an attacker can inject the `outputFunctionName` property with an arbitrary value. The chosen value executes an arbitrary process via the `child_process` module.", 
@@ -340,7 +340,7 @@ "https://github.com/advisories/GHSA-ghr5-ch3p-vcr6", "https://nvd.nist.gov/vuln/detail/CVE-2024-33883" ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=711851ce-68c4-4dfd-7afb-c29737ebcb96\u0026issue_id=XRAY-599735\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", + "ignore_url": "https://platform.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=711851ce-68c4-4dfd-7afb-c29737ebcb96\u0026issue_id=XRAY-599735\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", "extended_information": { "short_description": "Insufficient input validation in EJS may lead to prototype pollution.", "full_description": "[Embedded JavaScript templates](https://github.com/mde/ejs), also known as `EJS`, is one of the most popular Node.js templating engines, which is compiled with the Express JS view system.\n\nA prototype pollution gadget within the EJS template engine could potentially be leveraged by attackers to achieve remote code execution or DoS via prototype pollution.\n\n```\nfunction Template(text, opts) {\n opts = opts || utils.createNullProtoObjWherePossible();\n```\n\nWhen checking for the presence of a property within an object variable, the lookup scope isn't explicitly defined. In JavaScript, the absence of a defined lookup scope prompts a search up to the root prototype (`Object.prototype`). 
This could potentially be under the control of an attacker if another prototype pollution vulnerability is present within the application.\n\nIf the application server is using the EJS as the backend template engine, and there is another prototype pollution vulnerability in the application, then the attacker could leverage the found gadgets in the EJS template engine to escalate the prototype pollution to remote code execution or DoS.\n\nThe following code will execute a command on the server by polluting `opts.escapeFunction`:\n \n```\nconst express = require('express');\nconst app = express();\nconst port = 8008;\nconst ejs = require('ejs');\n\n// Set EJS as the view engine\napp.set('view engine', 'ejs');\n\napp.get('/', (req, res) =\u003e {\n \n const data = {title: 'Welcome', message: 'Hello'};\n\n // Sample EJS template string\n const templateString = `\u003chtml\u003e\u003chead\u003e\u003ctitle\u003e\u003c%= title %\u003e\u003c/title\u003e\u003c/head\u003e\u003cbody\u003e\u003ch1\u003e\u003c%= message %\u003e\u003c/h1\u003e\u003c/body\u003e\u003c/html\u003e`;\n\n const { exec } = require('child_process');\n\n function myFunc() {\n exec('bash -c \"echo 123\"', (error, stdout, stderr) =\u003e {\n if (error) {\n console.error(`exec error: ${error}`);\n return;\n }\n if (stderr){\n console.log(`stderr : ${stderr}`);\n return;\n }\n // Handle success\n console.log(`Command executed successfully. Output: ${stdout}`);\n });\n }\n\n const options = {client:false};\n\n Object.prototype.escapeFunction = myFunc;\n \n const compiledTemplate = ejs.compile(templateString, options);\n const renderedHtml = compiledTemplate(data);\n res.send(renderedHtml);\n});\n\n// Start the server\napp.listen(port, () =\u003e {\n console.log(`Server is running on http://localhost:${port}`);\n});\n```", 
@@ -395,7 +395,7 @@ "https://github.com/mde/ejs/issues/720", "https://github.com/mde/ejs/blob/main/SECURITY.md#out-of-scope-vulnerabilities" ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=711851ce-68c4-4dfd-7afb-c29737ebcb96\u0026issue_id=XRAY-520200\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", + "ignore_url": "https://platform.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=711851ce-68c4-4dfd-7afb-c29737ebcb96\u0026issue_id=XRAY-520200\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", "extended_information": { "short_description": "Insufficient input validation can lead to template injection in ejs when attackers can control both the rendered template and rendering options.", "full_description": "[Embedded JavaScript templates](https://github.com/mde/ejs), also known as EJS, is one of the most popular Node.js templating engines, which is compiled with the Express JS view system.\n\nWhen rendering views using EJS, it is possible to bypass ejs' template injection restrictions, by abusing the `closeDelimiter` rendering option, in the case when -\n1. The template itself can be partially controlled by the attacker\n2. The template rendering options can be fully controlled by the attacker\n\nThe vulnerability was **rightfully disputed** due to the fact that a vulnerable configuration is extremely unlikely to exist in any real-world setup. 
As such, the maintainers will not provide a fix for this (non-)issue.\n\nExample of a vulnerable application -\n```js\nconst express = require('express')\nconst app = express()\nconst port = 3000\n\napp.set('view engine', 'ejs');\n\napp.get('/page', (req,res) =\u003e {\n res.render('page', req.query); // OPTS (2nd parameter) IS ATTACKER-CONTROLLED\n})\n\napp.listen(port, () =\u003e {\n console.log(\"Example app listening on port ${port}\")\n})\n```\n\nContents of `page.ejs` (very unlikely to be attacker controlled) -\n```js\n%%1\");process.mainModule.require('child_process').execSync('calc');//\n```\n\nIn this case, sending `closeDelimiter` with the same malicious code that already exists at `page.ejs` will trigger the injection -\n`http://127.0.0.1:3000/page?settings[view%20options][closeDelimiter]=1\")%3bprocess.mainModule.require('child_process').execSync('calc')%3b//`", 
@@ -467,7 +467,7 @@ "https://github.com/advisories/GHSA-jf85-cpcp-j695", "https://nvd.nist.gov/vuln/detail/CVE-2019-10744" ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=711851ce-68c4-4dfd-7afb-c29737ebcb96\u0026issue_id=XRAY-85679\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", + "ignore_url": "https://platform.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=711851ce-68c4-4dfd-7afb-c29737ebcb96\u0026issue_id=XRAY-85679\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", "extended_information": { "short_description": "Insufficient input validation in lodash defaultsDeep() leads to prototype pollution.", "full_description": "[lodash](https://www.npmjs.com/package/lodash) is a modern JavaScript utility library delivering modularity, performance, \u0026 extras.\n\nThe function `defaultsDeep` was found to be vulnerable to prototype pollution, when accepting arbitrary source objects from untrusted input\n\nExample of code vulnerable to this issue - \n```js\nconst lodash = require('lodash'); \nconst evilsrc = {constructor: {prototype: {evilkey: \"evilvalue\"}}};\nlodash.defaultsDeep({}, evilsrc)\n```", 
@@ -532,7 +532,7 @@ "https://github.com/lodash/lodash/issues/3359", "https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347" ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=711851ce-68c4-4dfd-7afb-c29737ebcb96\u0026issue_id=XRAY-85049\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" + "ignore_url": "https://platform.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=711851ce-68c4-4dfd-7afb-c29737ebcb96\u0026issue_id=XRAY-85049\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" }, { "summary": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.", 
@@ -586,7 +586,7 @@
 "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896",
 "https://snyk.io/vuln/SNYK-JS-LODASH-1018905"
 ],
- "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=711851ce-68c4-4dfd-7afb-c29737ebcb96\u0026issue_id=XRAY-140562\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1",
+ "ignore_url": "https://platform.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=711851ce-68c4-4dfd-7afb-c29737ebcb96\u0026issue_id=XRAY-140562\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1",
 "extended_information": {
 "short_description": "ReDoS in lodash could lead to a denial of service when handling untrusted strings.",
 "full_description": "JavaScript-based applications that use [lodash](https://github.com/lodash/lodash) and specifically the [_.toNumber](https://lodash.com/docs/4.17.15#toNumber), [_.trim](https://lodash.com/docs/4.17.15#trim) and [_.trimEnd](https://lodash.com/docs/4.17.15#trimEnd) functions, could be vulnerable to DoS (Denial of Service) through a faulty regular expression that introduces a ReDoS (Regular Expression DoS) vulnerability. This vulnerability is only triggered if untrusted user input flows into these vulnerable functions and the attacker can supply arbitrary long strings (over 50kB) that contain whitespaces. \n\nOn a modern Core i7-based system, calling the vulnerable functions with a 50kB string could take between 2 to 3 seconds to execute and 4.5 minutes for a longer 500kB string. The fix improved the regular expression performance so it took only a few milliseconds on the same Core i7-based system. 
This vulnerability is easily exploitable as all is required is to build a string that triggers it as can be seen in this PoC reproducing code - \n\n```js\nvar untrusted_user_input_50k = \"a\" + ' '.repeat(50000) + \"z\"; // assume this is provided over the network\nlo.trimEnd(untrusted_user_input_50k); // should take a few seconds to run\nvar untrusted_user_input_500k = \"a\" + ' '.repeat(500000) + \"z\"; // assume this is provided over the network\nlo.trimEnd(untrusted_user_input_500k); // should take a few minutes to run\n```", 
@@ -657,7 +657,7 @@
 "https://nvd.nist.gov/vuln/detail/CVE-2021-23337",
 "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851"
 ],
- "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=711851ce-68c4-4dfd-7afb-c29737ebcb96\u0026issue_id=XRAY-140575\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1",
+ "ignore_url": "https://platform.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=711851ce-68c4-4dfd-7afb-c29737ebcb96\u0026issue_id=XRAY-140575\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1",
 "extended_information": {
 "short_description": "Improper sanitization in the lodash template function leads to JavaScript code injection through the options argument.",
 "full_description": "JavaScript-based applications (both frontend and backend) that use the [template function](https://lodash.com/docs/4.17.15#template) -`_.template([string=''], [options={}])` from the [lodash](https://lodash.com/) utility library and provide the `options` argument (specifically the `variable` option) from untrusted user input, are vulnerable to JavaScript code injection. This issue can be easily exploited, and an exploitation example is [publicly available](https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c#diff-a561630bb56b82342bc66697aee2ad96efddcbc9d150665abd6fb7ecb7c0ab2fR22303) in the fix tests that was introduced in version 4.17.21 - \n```js\nlodash.template('', { variable: '){console.log(process.env)}; with(obj' })()\n```",
diff --git a/tests/testdata/output/dockerscan/docker_results.json b/tests/testdata/output/dockerscan/docker_results.json
index e5958783..0ffdd2a0 100644
--- a/tests/testdata/output/dockerscan/docker_results.json
+++ b/tests/testdata/output/dockerscan/docker_results.json
@@ -1,16278 +1,909 @@ { - "xray_version": "3.104.8", - "jas_entitled": true, - "command_type": "docker_image", - "targets": [ - { - "target": "/var/folders/xv/th4cksxn7jv9wjrdnn1h4tj00000gq/T/jfrog.cli.temp.-1725978503-2625964325/image.tar", - "name": "nginx:latest", - "technology": "oci", - "sca_scans": { - "xray_scan": [ - { - "scan_id": "f1ca2a08-1d7b-4194-72be-7b84afc51fac", - "violations": [ - { - "summary": "loadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based use after free via a crafted TIFF image.", - "severity": "Medium", - "type": "security", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-522607", - "cves": [ - { - "cve": "CVE-2023-26965", - "cvss_v3_score": "5.5", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" - } - ], - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2023-26965", - "https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html", - "https://security.netapp.com/advisory/ntap-20230706-0009/", - "https://gitlab.com/libtiff/libtiff/-/merge_requests/472" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-522607\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", - "extended_information": { - "short_description": "Use after free in libtiff's Tiffcrop may 
lead to code execution when parsing crafted images.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "The issue has an exploit published", - "description": "Published PoC demonstrates crashing the tiffcrop CLI utility. Note that crashing tiffcrop has no security impact, since it is a forked CLI utility (will not crash parent process)." - }, - { - "name": "No high-impact exploit or technical writeup were published, and exploitation of the issue with high impact is either non-trivial or completely unproven", - "description": "Although a crashing PoC is available, exploiting the vulnerability for remote code execution is currently only theoretically possible, and actual exploitation has not been demonstrated. Only some cases of use-after-free can be exploited for RCE.", - "is_positive": true - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "The attacker must be able to upload a crafted TIFF image, which will then be processed by the `tiffcrop` CLI tool, for example -\n```bash\ntiffcrop -z 12,50,12,99:112,150,112,199 -e divided attacker_image.tiff output.tiff\n```", - "is_positive": true - } - ] - } - }, - { - "summary": "An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API. 
This flaw allows a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB.", - "severity": "High", - "type": "security", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-589394", - "cves": [ - { - "cve": "CVE-2023-52355", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - } - ], - "references": [ - "https://gitlab.com/libtiff/libtiff/-/issues/621", - "https://security-tracker.debian.org/tracker/CVE-2023-52355", - "https://bugzilla.redhat.com/show_bug.cgi?id=2251326", - "https://access.redhat.com/security/cve/CVE-2023-52355" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-589394\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", - "extended_information": { - "short_description": "Unbounded resource consumption in libtiff may lead to denial of service when parsing a crafted tiff file.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "The issue has an exploit published", - "description": "PoC is included in the git issue discussing the problem." 
- }, - { - "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", - "description": "The CVSS attack complexity does not reflect the contextual prerequisites required to exploit the vulnerability.", - "is_positive": true - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "To exploit the vulnerability, the attacker must be able to upload a tiff file whose size will get checked by the vulnerable `TIFFRasterScanlineSize64()` function, and allocate memory (without any limitations) based on the results.", - "is_positive": true - } - ], - "remediation": "##### Development mitigations\n\nAs a workaround, users could implement checks, or use `TIFFOpenOptionsSetMaxSingleMemAlloc()`, to reject files that they consider to consume too many resources for their use case. For example -\n```\n// Allow 1MB single mem alloc\nTIFFOpenOptionsSetMaxSingleMemAlloc(\u0026opts, 1*1024*1024);\n```" - } - }, - { - "summary": "Integer overflow in libaom internal function img_alloc_helper can lead to heap buffer overflow. 
This function can be reached via 3 callers:\n\n\n * Calling aom_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.\n * Calling aom_img_wrap() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.\n * Calling aom_img_alloc_with_border() with a large value of the d_w, d_h, align, size_align, or border parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.", - "severity": "Critical", - "type": "security", - "components": { - "deb://debian:bookworm:libaom3:3.6.0-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libaom3:3.6.0-1", - "full_path": "libaom3:3.6.0-1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-604193", - "cves": [ - { - "cve": "CVE-2024-5171", - "cvss_v3_score": "9.8", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" - } - ], - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2024-5171", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HYUEHZ35ZPY2EONVZCGO6LPT3AMLZCP/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5NRNCEYS246CYGOR32MF7OGKWOWER22/", - "https://issues.chromium.org/issues/332382766" - ], - 
"ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-604193\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", - "extended_information": { - "short_description": "An integer overflow in libaom may lead to remote code execution when parsing malicious video data.", - "full_description": "[Libaom](https://aomedia.googlesource.com/aom/) is the reference encoder and decoder library for the `AV1` video codec. AV1 (AOMedia Video 1) is an open, royalty-free video coding format designed for video transmissions over the Internet. It was developed by the Alliance for Open Media (AOMedia), a consortium that includes firms like Google, Cisco, Microsoft, Mozilla, and Netflix.\nThe `aom` in libaom stands for `Alliance for Open Media`, and the library serves as a standard reference codebase that can be used to implement AV1 compression and decompression.\n\nProviding large values as the arguments to the `img_alloc_helper()` function, may lead to an integer overflow and a subsequent heap buffer overflow, which may lead to remote code execution.\n\n`img_alloc_helper()` function is an internal function that is used to allocate memory for an `aom_image_t` structure and its associated image data. This function is very useful when you need to manually create an image buffer that can then be used with the AOM codec for various operations like encoding or decoding.\n\nThe vulnerability cannot be exploited directly by calling `img_alloc_helper()` because it is an internal function. 
\n\nAlthough integer overflow could potentially lead to RCE, no exploit or technical writeup suggested such an impact for this issue.\n\nTo exploit this vulnerability the following functions can be called with excessively large values as parameters:\n\n* `aom_img_alloc()` with a large value of the d_w, d_h, or align parameters.\n\n* `aom_img_wrap()` with a large value of the d_w, d_h, or align parameters.\n\n* `aom_img_alloc_with_border()` with a large value of the d_w, d_h, align, size_align, or border parameters.", - "jfrog_research_severity": "High", - "jfrog_research_severity_reasons": [ - { - "name": "The issue has an exploit published", - "description": "The published exploit demonstrates DoS." - }, - { - "name": "No high-impact exploit or technical writeup were published, and exploitation of the issue with high impact is either non-trivial or completely unproven", - "description": "Although integer overflow could potentially lead to RCE, no exploit or technical writeup suggested such an impact for this issue.", - "is_positive": true - }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "The highest potential impact of this issue is severe (Remote Code Execution). Although no such impact has been demonstrated in practice." - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. 
The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "An attacker would need to find input propagating into the libaom encoding or decoding operations.", - "is_positive": true - } - ], - "remediation": "##### Development mitigations\n\nMake sure the following functions don't accept excessively large values as arguments to the following functions:\n\n* `aom_img_alloc()` with a large value of the d_w, d_h, or align parameters.\n\n* `aom_img_wrap()` with a large value of the d_w, d_h, or align parameters.\n\n* `aom_img_alloc_with_border()` with a large value of the d_w, d_h, align, size_align, or border parameters." - } - }, - { - "summary": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", - "severity": "Critical", - "type": "security", - "components": { - "deb://debian:bookworm:libgssapi-krb5-2:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libgssapi-krb5-2:1.20.1-2+deb12u1", - "full_path": "libgssapi-krb5-2:1.20.1-2+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libk5crypto3:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": 
"deb://debian:bookworm:libk5crypto3:1.20.1-2+deb12u1", - "full_path": "libk5crypto3:1.20.1-2+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libkrb5-3:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libkrb5-3:1.20.1-2+deb12u1", - "full_path": "libkrb5-3:1.20.1-2+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libkrb5support0:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libkrb5support0:1.20.1-2+deb12u1", - "full_path": "libkrb5support0:1.20.1-2+deb12u1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-607813", - "cves": [ - { - "cve": "CVE-2024-37371", - "cvss_v3_score": "9.1", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H" - } - ], - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2024-37371", - "https://web.mit.edu/kerberos/www/advisories/", - "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-607813\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": 
"Libde265 v1.0.11 was discovered to contain a segmentation violation via the function decoder_context::process_slice_segment_header at decctx.cc.", - "severity": "Medium", - "type": "security", - "components": { - "deb://debian:bookworm:libde265-0:1.0.11-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libde265-0:1.0.11-1", - "full_path": "libde265-0:1.0.11-1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-427847", - "cves": [ - { - "cve": "CVE-2023-27102", - "cvss_v3_score": "6.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" - } - ], - "references": [ - "https://github.com/strukturag/libde265/issues/393", - "https://security-tracker.debian.org/tracker/CVE-2023-27102", - "https://lists.debian.org/debian-lts-announce/2023/11/msg00032.html" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-427847\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "libheif v1.17.5 was discovered to contain a segmentation violation via the function find_exif_tag at /libheif/exif.cc.", - "severity": "High", - "type": "security", - "components": { - "deb://debian:bookworm:libheif1:1.15.1-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - 
"full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libheif1:1.15.1-1", - "full_path": "libheif1:1.15.1-1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-540355", - "cves": [ - { - "cve": "CVE-2023-49463", - "cvss_v3_score": "8.8", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" - } - ], - "references": [ - "https://github.com/strukturag/libheif/issues/1042", - "https://github.com/strukturag/libheif", - "https://security-tracker.debian.org/tracker/CVE-2023-49463" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-540355\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", - "extended_information": { - "short_description": "An integer overflow in libheif leads to denial of service.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", - "description": "The CVSS score does not reflect the context dependent exploitation of this vulnerability.", - "is_positive": true - }, - { - "name": "The issue has an exploit published", - "description": "A proof-of-concept was published along with the vulnerability via (GitHub)[https://github.com/strukturag/libheif/issues/1042]." - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. 
The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "To successfully exploit this vulnerability an attacker needs to find a way to propagate input into the vulnerable functions `modify_exif_tag_if_it_exists(unsigned char*, unsigned int, unsigned short, unsigned short)` or `read_exif_orientation_tag(unsigned char const*, unsigned int)`.", - "is_positive": true - }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "Successful exploitation of this vulnerability leads to denial of service." - } - ] - } - }, - { - "summary": "A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.", - "severity": "Medium", - "type": "security", - "components": { - "deb://debian:bookworm:libgnutls30:3.7.9-2": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libgnutls30:3.7.9-2", - "full_path": "libgnutls30:3.7.9-2" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-537103", - "cves": [ - { - "cve": "CVE-2023-5981", - "cvss_v3_score": "5.9", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" - } - ], - "references": [ - "https://gnutls.org/security-new.html#GNUTLS-SA-2023-10-23", - "https://access.redhat.com/errata/RHSA-2024:0451", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNXKVR5YNUEBNHAHM5GSYKBZX4W2HMN2/", - "http://www.openwall.com/lists/oss-security/2024/01/19/3", - 
"https://access.redhat.com/errata/RHSA-2024:0533", - "https://bugzilla.redhat.com/show_bug.cgi?id=2248445", - "https://access.redhat.com/errata/RHSA-2024:0319", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZEIOLORQ7N6WRPFXZSYDL2MC4LP7VFV/", - "https://access.redhat.com/errata/RHSA-2024:1383", - "https://access.redhat.com/errata/RHSA-2024:0399", - "https://security-tracker.debian.org/tracker/CVE-2023-5981", - "https://access.redhat.com/security/cve/CVE-2023-5981", - "https://access.redhat.com/errata/RHSA-2024:0155" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-537103\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. 
This may allow an attacker with enough access to retrieve the password from the memory.", - "severity": "Medium", - "type": "security", - "components": { - "deb://debian:bookworm:login:1:4.13+dfsg1-1+b1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:login:1:4.13+dfsg1-1+b1", - "full_path": "login:1:4.13+dfsg1-1+b1" - } - ] - ] - }, - "deb://debian:bookworm:passwd:1:4.13+dfsg1-1+b1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:passwd:1:4.13+dfsg1-1+b1", - "full_path": "passwd:1:4.13+dfsg1-1+b1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-529509", - "cves": [ - { - "cve": "CVE-2023-4641", - "cvss_v3_score": "5.5", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" - } - ], - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2023-4641", - "https://access.redhat.com/errata/RHSA-2024:2577", - "https://access.redhat.com/security/cve/CVE-2023-4641", - "https://access.redhat.com/errata/RHSA-2023:6632", - "https://bugzilla.redhat.com/show_bug.cgi?id=2215945", - "https://access.redhat.com/errata/RHSA-2024:0417", - "https://access.redhat.com/errata/RHSA-2023:7112" - ], - "ignore_url": 
"https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-529509\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "Libde265 v1.0.14 was discovered to contain a global buffer overflow vulnerability in the read_coding_unit function at slice.cc.", - "severity": "High", - "type": "security", - "components": { - "deb://debian:bookworm:libde265-0:1.0.11-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libde265-0:1.0.11-1", - "full_path": "libde265-0:1.0.11-1" - } - ] + "xray_version": "3.104.8", + "jas_entitled": true, + "command_type": "docker_image", + "targets": [ + { + "target": "/var/folders/xv/th4cksxn7jv9wjrdnn1h4tj00000gq/T/jfrog.cli.temp.-1726210535-1985298017/image.tar", + "name": "platform.jfrog.io/swamp-docker/swamp:latest", + "technology": "oci", + "sca_scans": { + "xray_scan": [ + { + "scan_id": "27da9106-88ea-416b-799b-bc7d15783473", + "vulnerabilities": [ + { + "cves": [ + { + "cve": "CVE-2024-6119" + } + ], + "summary": "Issue summary: Applications performing certificate name checks (e.g., TLS\nclients checking server certificates) may attempt to read an invalid memory\naddress resulting in abnormal termination of the application process.\n\nImpact summary: Abnormal termination of an application can a cause a denial of\nservice.\n\nApplications performing certificate name checks (e.g., TLS clients checking\nserver certificates) may attempt to read an invalid memory address when\ncomparing the expected name with an 
`otherName` subject alternative name of an\nX.509 certificate. This may result in an exception that terminates the\napplication program.\n\nNote that basic certificate chain validation (signatures, dates, ...) is not\naffected, the denial of service can occur only when the application also\nspecifies an expected DNS name, Email address or IP address.\n\nTLS servers rarely solicit client certificates, and even when they do, they\ngenerally don't perform a name check against a reference identifier (expected\nidentity), but rather extract the presented identity after checking the\ncertificate chain. So TLS servers are generally not affected and the severity\nof the issue is Moderate.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.", + "severity": "Unknown", + "components": { + "deb://debian:bookworm:libssl3:3.0.13-1~deb12u1": { + "impact_paths": [ + [ + { + "component_id": "docker://platform.jfrog.io/swamp-docker/swamp:latest" + }, + { + "component_id": "generic://sha256:f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595/sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar", + "full_path": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar" + }, + { + "component_id": "deb://debian:bookworm:libssl3:3.0.13-1~deb12u1", + "full_path": "libssl3:3.0.13-1~deb12u1" + } ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-540358", - "cves": [ - { - "cve": "CVE-2023-49468", - "cvss_v3_score": "8.8", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" - } - ], - "references": [ - "https://lists.debian.org/debian-lts-announce/2023/12/msg00022.html", - "https://security-tracker.debian.org/tracker/CVE-2023-49468", - "https://github.com/strukturag/libde265/issues/432" - ], - "ignore_url": 
"https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-540358\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", - "extended_information": { - "short_description": "A buffer overflow (in a global variable) in libde265 causes memory corruption leading to DoS and possibly code execution, when parsing attacker-supplied H.265 data.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "The issue has an exploit published", - "description": "The provided PoC demonstrates a crash." - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "The attacker must be able to provide remote input that will be parsed by H.265, for example - `./dec265 attacker_input`.", - "is_positive": true - }, - { - "name": "No high-impact exploit or technical writeup were published, and exploitation of the issue with high impact is either non-trivial or completely unproven", - "description": "The impact of this vulnerability depends on the implementation of the vulnerable library. Substantial research has to be conducted to determine the exact impact this vulnerability could have. Code execution is not always achievable through a buffer overflow in a global variable.", - "is_positive": true - } ] - } - }, - { - "summary": "A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. 
CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.", - "severity": "High", - "type": "security", - "components": { - "deb://debian:bookworm:libgnutls30:3.7.9-2": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libgnutls30:3.7.9-2", - "full_path": "libgnutls30:3.7.9-2" - } - ] - ] - } }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-588549", - "cves": [ - { - "cve": "CVE-2024-0553", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" - } - ], - "references": [ - "https://access.redhat.com/errata/RHSA-2024:2094", - "https://access.redhat.com/errata/RHSA-2024:0627", - "https://gitlab.com/gnutls/gnutls/-/issues/1522", - "https://access.redhat.com/errata/RHSA-2024:1383", - "https://access.redhat.com/errata/RHSA-2024:0796", - "http://www.openwall.com/lists/oss-security/2024/01/19/3", - "https://security.netapp.com/advisory/ntap-20240202-0011/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNXKVR5YNUEBNHAHM5GSYKBZX4W2HMN2/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZEIOLORQ7N6WRPFXZSYDL2MC4LP7VFV/", - "https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html", - "https://access.redhat.com/errata/RHSA-2024:1108", - "https://lists.debian.org/debian-lts-announce/2024/02/msg00010.html", - "https://access.redhat.com/security/cve/CVE-2024-0553", - "https://access.redhat.com/errata/RHSA-2024:0533", - "https://access.redhat.com/errata/RHSA-2024:1082", - "https://bugzilla.redhat.com/show_bug.cgi?id=2258412", - 
"https://security-tracker.debian.org/tracker/CVE-2024-0553" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-588549\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", - "extended_information": { - "short_description": "A design problem in GnuTLS may lead to RSA key brute force when attackers can cause many decryption operations.", - "jfrog_research_severity": "High", - "jfrog_research_severity_reasons": [ - { - "name": "The issue can be exploited by attackers over the network", - "description": "This vulnerability does not rely on timing to exploit, but rather on the server informing the client that decryption failed, hence it can be exploited remotely, completely disregarding latency issues." - }, - { - "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", - "description": "The given CVSS score does not take the context required to exploit the vulnerability into account.", - "is_positive": true - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "This CVE is only exploitable when all of the following conditions are met:\n\n1. The server must use `RSA` for key exchange.\n2. The server encrypts/decrypts `RSA` with `PKCS#1 v1.5` padding.\n3. The server informs the client when decryption fails.\n4. 
An attacker is on the same subnet, hijacks a session between the client and the server and manipulates the client data.", - "is_positive": true - }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "A successful attack would compromise the server's private RSA key, allowing the attacker to decrypt any sniffed TLS traffic sent to or from the server from any host." - }, - { - "name": "No high-impact exploit or technical writeup were published, and exploitation of the issue with high impact is either non-trivial or completely unproven", - "description": "Although Bleichenbacher's Attack is well documented today, a high technical understanding of cryptography is required to exploit it.", - "is_positive": true - } + "deb://debian:bookworm:openssl:3.0.13-1~deb12u1": { + "fixed_versions": [ + "[3.0.14-1~deb12u2]" ], - "remediation": "##### Development mitigations\n\n- When choosing a key exchange for your server, avoid using `RSA` and instead opt for the `Diffie-Hellman` key exchange, which provides forward secrecy.\nThis can be done by generating an ECDH key using OpenSSL:\n`openssl ecparam -name prime256v1 -genkey -noout -out mykey-prime256v1.pem`\nAnd giving the filepath of the keyfile to the `gnutls_certificate_set_x509_key_file` function - \n```c\ngnutls_certificate_set_x509_key_file(res, certfile, \"mykey-prime256v1.pem\", GNUTLS_X509_FMT_PEM);\n```\n\n- When using `RSA` for key exchange, use the `OAEP` padding scheme instead of `PKCS#1 v1.5`.\n\n- When using `RSA` and `PKCS#1` for key exchange, avoid informing the client of decryption failure." - } - }, - { - "summary": "libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an\nASN.1 Generalized Time field. 
If given an syntactically incorrect field, the\nparser might end up using -1 for the length of the *time fraction*, leading to\na `strlen()` getting performed on a pointer to a heap buffer area that is not\n(purposely) null terminated.\n\nThis flaw most likely leads to a crash, but can also lead to heap contents\ngetting returned to the application when\n[CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.", - "severity": "Medium", - "type": "security", - "components": { - "deb://debian:bookworm:curl:7.88.1-10+deb12u4": { - "fixed_versions": [ - "[7.88.1-10+deb12u7]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:curl:7.88.1-10+deb12u4", - "full_path": "curl:7.88.1-10+deb12u4" - } - ] - ] - }, - "deb://debian:bookworm:libcurl4:7.88.1-10+deb12u4": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libcurl4:7.88.1-10+deb12u4", - "full_path": "libcurl4:7.88.1-10+deb12u4" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-617171", - "cves": [ - { - "cve": "CVE-2024-7264", - "cvss_v3_score": "6.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" - } - ], - "references": [ - "https://hackerone.com/reports/2629968", - 
"https://security-tracker.debian.org/tracker/CVE-2024-7264", - "https://curl.se/docs/CVE-2024-7264.json", - "http://www.openwall.com/lists/oss-security/2024/07/31/1", - "https://curl.se/docs/CVE-2024-7264.html" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-617171\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "Increasing the resolution of video frames, while performing a multi-threaded encode, can result in a heap overflow in av1_loop_restoration_dealloc().", - "severity": "Critical", - "type": "security", - "components": { - "deb://debian:bookworm:libaom3:3.6.0-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libaom3:3.6.0-1", - "full_path": "libaom3:3.6.0-1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-585747", - "cves": [ - { - "cve": "CVE-2023-6879", - "cvss_v3_score": "9.8", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" - } - ], - "references": [ - "https://aomedia.googlesource.com/aom/+/refs/tags/v3.7.1", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D6C2HN4T2S6GYNTAUXLH45LQZHK7QPHP/", - "https://crbug.com/aomedia/3491", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AYONA2XSNFMXLAW4IHLFI5UVV3QRNG5K/", - "https://security-tracker.debian.org/tracker/CVE-2023-6879" - ], - "ignore_url": 
"https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-585747\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", - "extended_information": { - "short_description": "Heap buffer overread in the av1 module of the aom library can lead to denial of service when resizing frames under special conditions.", - "full_description": "AOM (Alliance for Open Media) is an open-source, royalty-free video codec library implemented in C, developed by the Alliance for Open Media, a consortium of technology companies and research institutions. The AOM library supports the AV1, VP9, and Thor video formats, providing high-quality video compression and is used for a variety of applications, including video streaming, video conferencing, and video editing.\nThe AV1 codec, developed by the Alliance for Open Media, is a state-of-the-art video compression technology that achieves exceptional efficiency while preserving high visual quality. The AOM library provides a comprehensive toolkit for working with AV1-encoded video streams, offering encoding, decoding, and manipulation capabilities.\n\nA vulnerability was found when using the `aom_codec_destroy()` function to clean up memory after resizing AV1 frames, specifically when:\n\n- Using AV1 codec (`aom_codec_av1_cx()`)\n- Utilizing multiple threads\n```\naom_codec_enc_cfg_t cfg;\naom_codec_enc_config_default(iface, \u0026cfg, AOM_USAGE_GOOD_QUALITY));\ncfg.g_threads = 4;\n```\n\nUnder these conditions, a Denial of Service (DoS) vulnerability emerges, manifesting as a heap buffer overread during object destruction.", - "jfrog_research_severity": "Low", - "jfrog_research_severity_reasons": [ - { - "name": "The issue has an exploit published", - "description": "A public example of vulnerable AOM code exists, which shows how a DoS might be triggered." 
- }, - { - "name": "The issue cannot result in a severe impact (such as remote code execution)", - "description": "Under normal circumstances, the attacker cannot supply input which will trigger this vulnerability (either the vulnerable code exists or does not exist).", - "is_positive": true - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "The vulnerability triggers under the following conditions -\n- use of the AV1 codec (`aom_codec_av1_cx()`)\n- use of more than 1 thread:\n```\naom_codec_enc_cfg_t cfg;\naom_codec_enc_config_default(iface, \u0026cfg, AOM_USAGE_GOOD_QUALITY));\ncfg.g_threads = 4;\n```\n- cleaning the memory at the end of the encoding process (`aom_codec_destroy()`)", - "is_positive": true - } - ] - } - }, - { - "summary": "An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. 
When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.", - "severity": "High", - "type": "security", - "components": { - "deb://debian:bookworm:libxml2:2.9.14+dfsg-1.3~deb12u1": { - "fixed_versions": [ - "[2.12.7+dfsg-1]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libxml2:2.9.14+dfsg-1.3~deb12u1", - "full_path": "libxml2:2.9.14+dfsg-1.3~deb12u1" - } - ] + "impact_paths": [ + [ + { + "component_id": "docker://platform.jfrog.io/swamp-docker/swamp:latest" + }, + { + "component_id": "generic://sha256:f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595/sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar", + "full_path": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar" + }, + { + "component_id": "deb://debian:bookworm:openssl:3.0.13-1~deb12u1", + "full_path": "openssl:3.0.13-1~deb12u1" + } ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-589897", - "cves": [ - { - "cve": "CVE-2024-25062", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - } - ], - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2024-25062", - "https://gitlab.gnome.org/GNOME/libxml2/-/tags", - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/604" - ], - "ignore_url": 
"https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-589897\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", - "extended_information": { - "short_description": "A use-after-free in libxml2 may lead to denial of service when parsing a crafted XML document with specific parser arguments.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "The prerequisites for exploiting the issue are extremely unlikely", - "description": "Exploiting this issue using static XML requires that the `XML_PARSE_XINCLUDE` (--xinclude) and the `XML_PARSE_VALIDATE` (--valid) flags are used.", - "is_positive": true - }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "Exploiting the vulnerability may lead to denial of service." - }, - { - "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", - "description": "The CVSS score does not take into account the contextual prerequisites required to exploit the vulnerability.", - "is_positive": true - }, - { - "name": "The issue has an exploit published", - "description": "A PoC that triggers the use-after-free is available in the Git issue." - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "The attacker must be able to control an XML file that is getting parsed by `xmlTextReaderRead()` with the xinclude and DTD validation options enabled. 
This can be achieved by passing both the `XML_PARSE_XINCLUDE` (--xinclude) and `XML_PARSE_VALIDATE` (--valid) flags when parsing the document.", - "is_positive": true - } ] } }, - { - "summary": "A vulnerability, which was classified as critical, was found in Linux Kernel. This affects the function __mtk_ppe_check_skb of the file drivers/net/ethernet/mediatek/mtk_ppe.c of the component Ethernet Handler. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211935.", - "severity": "High", - "type": "security", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-414609", - "cves": [ - { - "cve": "CVE-2022-3636", - "cvss_v3_score": "7.8", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" - } - ], - "references": [ - "https://git.kernel.org/pub/scm/linux/kernel/git/pabeni/net-next.git/commit/?id=17a5f6a78dc7b8db385de346092d7d9f9dc24df6", - "https://vuldb.com/?id.211935", - "https://www.debian.org/security/2023/dsa-5333", - "https://security-tracker.debian.org/tracker/CVE-2022-3636" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-414609\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "An out-of-memory flaw was 
found in libtiff. Passing a crafted tiff file to TIFFOpen() API may allow a remote attacker to cause a denial of service via a craft input with size smaller than 379 KB.", - "severity": "Medium", - "type": "security", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-539830", - "cves": [ - { - "cve": "CVE-2023-6277", - "cvss_v3_score": "6.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" - } - ], - "references": [ - "https://gitlab.com/libtiff/libtiff/-/issues/614", - "https://support.apple.com/kb/HT214123", - "https://support.apple.com/kb/HT214118", - "https://support.apple.com/kb/HT214122", - "https://support.apple.com/kb/HT214120", - "http://seclists.org/fulldisclosure/2024/Jul/21", - "http://seclists.org/fulldisclosure/2024/Jul/19", - "https://support.apple.com/kb/HT214117", - "http://seclists.org/fulldisclosure/2024/Jul/20", - "http://seclists.org/fulldisclosure/2024/Jul/23", - "https://support.apple.com/kb/HT214116", - "http://seclists.org/fulldisclosure/2024/Jul/16", - "https://support.apple.com/kb/HT214119", - "https://support.apple.com/kb/HT214124", - "http://seclists.org/fulldisclosure/2024/Jul/17", - "http://seclists.org/fulldisclosure/2024/Jul/22", - "http://seclists.org/fulldisclosure/2024/Jul/18", - "https://security.netapp.com/advisory/ntap-20240119-0002/", - "https://access.redhat.com/security/cve/CVE-2023-6277", - "https://bugzilla.redhat.com/show_bug.cgi?id=2251311", - 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7ZGN2MZXJ6E57W3L4YBM3ZPAU3T7T5C/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WJIN6DTSL3VODZUGWEUXLEL5DR53EZMV/", - "https://security-tracker.debian.org/tracker/CVE-2023-6277", - "https://gitlab.com/libtiff/libtiff/-/merge_requests/545" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-539830\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", - "severity": "High", - "type": "security", - "components": { - "deb://debian:bookworm:libgssapi-krb5-2:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libgssapi-krb5-2:1.20.1-2+deb12u1", - "full_path": "libgssapi-krb5-2:1.20.1-2+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libk5crypto3:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - 
"component_id": "deb://debian:bookworm:libk5crypto3:1.20.1-2+deb12u1", - "full_path": "libk5crypto3:1.20.1-2+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libkrb5-3:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libkrb5-3:1.20.1-2+deb12u1", - "full_path": "libkrb5-3:1.20.1-2+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libkrb5support0:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libkrb5support0:1.20.1-2+deb12u1", - "full_path": "libkrb5support0:1.20.1-2+deb12u1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-607812", - "cves": [ - { - "cve": "CVE-2024-37370", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" - } - ], - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2024-37370", - "https://web.mit.edu/kerberos/www/advisories/", - "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-607812\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, 
- { - "summary": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", - "severity": "High", - "type": "security", - "components": { - "deb://debian:bookworm:libsystemd0:252.17-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libsystemd0:252.17-1~deb12u1", - "full_path": "libsystemd0:252.17-1~deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libudev1:252.17-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libudev1:252.17-1~deb12u1", - "full_path": "libudev1:252.17-1~deb12u1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-590537", - "cves": [ - { - "cve": "CVE-2023-50387", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - } - ], - "references": [ - "https://security.netapp.com/advisory/ntap-20240307-0007/", - "http://www.openwall.com/lists/oss-security/2024/02/16/2", - 
"https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/", - "https://news.ycombinator.com/item?id=39367411", - "https://www.athene-center.de/aktuelles/key-trap", - "https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/", - "https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html", - "https://www.isc.org/blogs/2024-bind-security-release/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/", - "https://bugzilla.suse.com/show_bug.cgi?id=1219823", - "https://lists.debian.org/debian-lts-announce/2024/05/msg00011.html", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/", - "https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1", - "https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf", - "https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/", - "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/", 
- "https://security-tracker.debian.org/tracker/CVE-2023-50387", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/", - "https://kb.isc.org/docs/cve-2023-50387", - "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html", - "https://news.ycombinator.com/item?id=39372384", - "http://www.openwall.com/lists/oss-security/2024/02/16/3", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/", - "https://access.redhat.com/security/cve/CVE-2023-50387" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-590537\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", - "extended_information": { - "short_description": "Unbounded resource consumption in the DNSSEC extension of the DNS protocol may lead to denial of service when resolving a malicious domain.", - "jfrog_research_severity": "High", - "jfrog_research_severity_reasons": [ - { - "name": "The prerequisites for exploiting the issue are either extremely common or nonexistent (always exploitable)", - "description": "To exploit the vulnerability, an attacker needs to make the victim resolver validate his malicious domain.\nNote - This flaw is derived from the DNSSEC standard, thus every implementation of DNSSEC that follows the standard is vulnerable." - }, - { - "name": "The issue can be exploited by attackers over the network", - "description": "The attacker needs to send a DNS query to the target resolver, requesting his malicious domain. The attack occurs when the resolver tries to validate the response from the DNS server." - }, - { - "name": "The issue has an exploit published", - "description": "A PoC was published, demonstrating denial of service." 
- }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "Exploitation of the vulnerability causes high resource consumption, which leads to denial of service." - }, - { - "name": "The issue has a detailed technical explanation published, that can aid in exploit development", - "description": "A technically detailed writeup of this vulnerability (under the name \"keytrap\") was published by the research team, ATHENE-RESEARC." - } - ], - "remediation": "##### Deployment mitigations\n\nSince the vulnerability affects many different DNS resolvers, remediation is on a case-by-case basis." - } - }, - { - "summary": "libtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when libtiff reads a corrupted little-endian TIFF file and specifies the output to be big-endian.", - "severity": "Medium", - "type": "security", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-522650", - "cves": [ - { - "cve": "CVE-2023-26966", - "cvss_v3_score": "5.5", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" - } - ], - "references": [ - "https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html", - "https://security-tracker.debian.org/tracker/CVE-2023-26966", - "https://gitlab.com/libtiff/libtiff/-/issues/530", - "https://gitlab.com/libtiff/libtiff/-/merge_requests/473" - ], - "ignore_url": 
"https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-522650\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "VideoLAN dav1d before 1.2.0 has a thread_task.c race condition that can lead to an application crash, related to dav1d_decode_frame_exit.", - "severity": "Medium", - "type": "security", - "components": { - "deb://debian:bookworm:libdav1d6:1.0.0-2": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libdav1d6:1.0.0-2", - "full_path": "libdav1d6:1.0.0-2" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-519404", - "cves": [ - { - "cve": "CVE-2023-32570", - "cvss_v3_score": "5.9", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" - } - ], - "references": [ - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3WGSO7UMOF4MVLQ5H6KIV7OG6ONS377B/", - "https://security-tracker.debian.org/tracker/CVE-2023-32570", - "https://code.videolan.org/videolan/dav1d/-/tags/1.2.0", - "https://code.videolan.org/videolan/dav1d/-/commit/cf617fdae0b9bfabd27282854c8e81450d955efa", - "https://security.gentoo.org/glsa/202310-05", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LXZ6CUNJFDJLCFOZHY2TIGMCAEITLCRP/" - ], - "ignore_url": 
"https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-519404\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "libheif v1.17.5 was discovered to contain a segmentation violation via the function UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci.", - "severity": "High", - "type": "security", - "components": { - "deb://debian:bookworm:libheif1:1.15.1-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libheif1:1.15.1-1", - "full_path": "libheif1:1.15.1-1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-540356", - "cves": [ - { - "cve": "CVE-2023-49464", - "cvss_v3_score": "8.8", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" - } - ], - "references": [ - "https://github.com/strukturag/libheif/issues/1044", - "https://security-tracker.debian.org/tracker/CVE-2023-49464" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-540356\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", - "extended_information": { - "short_description": "A use-after-free in libheif leads to denial of service and possibly remote code execution.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does 
not reflect the vulnerability's impact", - "description": "The CVSS score given to this CVE does not take into account the unlikely prerequisites for applicability of this vulnerability and the context required to exploit it.", - "is_positive": true - }, - { - "name": "The issue has an exploit published", - "description": "The fixing PR contains a denial of service PoC" - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "An attacker needs to find a remote input that propagates into the function `UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci`.", - "is_positive": true - }, - { - "name": "The prerequisites for exploiting the issue are extremely unlikely", - "description": "For this vulnerability to be applicable, `libheif1` needs to be compiled with the flag `-DWITH_UNCOMPRESSED_CODEC=ON`.\n\nWe found that this setting is enabled only in some package managers by default, but not all of them. In vanilla compilations, this flag is disabled by default.", - "is_positive": true - }, - { - "name": "No high-impact exploit or technical writeup were published, and exploitation of the issue with high impact is either non-trivial or completely unproven", - "description": "Exploitation requires triggering a use-after-free beyond the scope of a single function. The use-after-free has not been proven to be able to cause code execution.", - "is_positive": true - } - ] - } - }, - { - "summary": "An issue was discovered in libexpat before 2.6.3. 
dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).", - "severity": "Critical", - "type": "security", - "components": { - "deb://debian:bookworm:libexpat1:2.5.0-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libexpat1:2.5.0-1", - "full_path": "libexpat1:2.5.0-1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-632611", - "cves": [ - { - "cve": "CVE-2024-45491", - "cvss_v3_score": "9.8", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" - } - ], - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2024-45491", - "https://github.com/libexpat/libexpat/pull/891", - "https://github.com/libexpat/libexpat/issues/888" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-632611\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "This flaw allows a malicious HTTP server to set \"super cookies\" in curl that\nare then passed back to more origins than what is otherwise allowed or\npossible. This allows a site to set cookies that then would get sent to\ndifferent and unrelated sites and domains.\n\nIt could do this by exploiting a mixed case flaw in curl's function that\nverifies a given cookie domain against the Public Suffix List (PSL). 
For\nexample a cookie could be set with `domain=co.UK` when the URL used a lower\ncase hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.", - "severity": "Medium", - "type": "security", - "components": { - "deb://debian:bookworm:curl:7.88.1-10+deb12u4": { - "fixed_versions": [ - "[7.88.1-10+deb12u5]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:curl:7.88.1-10+deb12u4", - "full_path": "curl:7.88.1-10+deb12u4" - } - ] - ] - }, - "deb://debian:bookworm:libcurl4:7.88.1-10+deb12u4": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libcurl4:7.88.1-10+deb12u4", - "full_path": "libcurl4:7.88.1-10+deb12u4" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-540279", - "cves": [ - { - "cve": "CVE-2023-46218", - "cvss_v3_score": "6.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" - } - ], - "references": [ - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/", - "https://security-tracker.debian.org/tracker/CVE-2023-46218", - "https://lists.debian.org/debian-lts-announce/2023/12/msg00015.html", - "https://curl.se/docs/CVE-2023-46218.html", - "https://hackerone.com/reports/2212193", - 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/", - "https://security.netapp.com/advisory/ntap-20240125-0007/", - "https://www.debian.org/security/2023/dsa-5587" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-540279\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the ngx_http_mp4_module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted mp4 file with the ngx_http_mp4_module.  
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.", - "severity": "Medium", - "type": "security", - "components": { - "deb://debian:bookworm:nginx:1.25.2-1~bookworm": { - "fixed_versions": [ - "[1.26.0-2]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:nginx:1.25.2-1~bookworm", - "full_path": "nginx:1.25.2-1~bookworm" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-619023", - "cves": [ - { - "cve": "CVE-2024-7347", - "cvss_v3_score": "4.7", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H" - } - ], - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2024-7347", - "https://my.f5.com/manage/s/article/K000140529" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-619023\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "Issue summary: A bug has been identified in the processing of key and\ninitialisation vector (IV) lengths. This can lead to potential truncation\nor overruns during the initialisation of some symmetric ciphers.\n\nImpact summary: A truncation in the IV can result in non-uniqueness,\nwhich could result in loss of confidentiality for some cipher modes.\n\nWhen calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or\nEVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after\nthe key and IV have been established. 
Any alterations to the key length,\nvia the \"keylen\" parameter or the IV length, via the \"ivlen\" parameter,\nwithin the OSSL_PARAM array will not take effect as intended, potentially\ncausing truncation or overreading of these values. The following ciphers\nand cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.\n\nFor the CCM, GCM and OCB cipher modes, truncation of the IV can result in\nloss of confidentiality. For example, when following NIST's SP 800-38D\nsection 8.2.1 guidance for constructing a deterministic IV for AES in\nGCM mode, truncation of the counter portion could lead to IV reuse.\n\nBoth truncations and overruns of the key and overruns of the IV will\nproduce incorrect results and could, in some cases, trigger a memory\nexception. However, these issues are not currently assessed as security\ncritical.\n\nChanging the key and/or IV lengths is not considered to be a common operation\nand the vulnerable API was recently introduced. Furthermore it is likely that\napplication developers will have spotted this problem during testing since\ndecryption would fail unless both peers in the communication were similarly\nvulnerable. For these reasons we expect the probability of an application being\nvulnerable to this to be quite low. However if an application is vulnerable then\nthis issue is considered very serious. 
For these reasons we have assessed this\nissue as Moderate severity overall.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are...", - "severity": "High", - "type": "security", - "components": { - "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1", - "full_path": "libssl3:3.0.11-1~deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:openssl:3.0.11-1~deb12u1": { - "fixed_versions": [ - "[3.0.11-1~deb12u2]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:openssl:3.0.11-1~deb12u1", - "full_path": "openssl:3.0.11-1~deb12u1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-534361", - "cves": [ - { - "cve": "CVE-2023-5363", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" - } - ], - "references": [ - "https://security.netapp.com/advisory/ntap-20231027-0010/", - "https://www.openssl.org/news/secadv/20231024.txt", - "https://security-tracker.debian.org/tracker/CVE-2023-5363", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee", - 
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d", - "https://www.debian.org/security/2023/dsa-5532", - "https://security.netapp.com/advisory/ntap-20240201-0004/", - "http://www.openwall.com/lists/oss-security/2023/10/24/1", - "https://security.netapp.com/advisory/ntap-20240201-0003/" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-534361\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", - "extended_information": { - "short_description": "A design problem in OpenSSL 3.x may lead to data leakage when processing cipher parameters.", - "full_description": "OpenSSL is an open-source cryptographic library and toolset that provides a wide range of protocol supported and functions for secure communication, data encryption, digital certificates, and other cryptographic operations, widely used in various software applications and systems.\nIn cryptography, a block cipher is a symmetric key algorithm that encrypts fixed-size blocks of data, typically 64 or 128 bits, transforming each block into a corresponding ciphertext block using a key-specific permutation.\n\nA major problem with block ciphers, is that equal plaintext blocks get transformed to equal ciphertexts. 
This can be used for a known-plaintext attack, where an adversary possesses both the plaintext and its corresponding encrypted form, aiming to deduce the encryption key or gain insights into the encryption algorithm.\n\nTo counter this, we use an Initialization vector (IV), which is a random or unique input to a cryptographic algorithm used to alter the first block of the cipher, ensuring equal plaintext blocks won’t be transformed to equal ciphertexts.\n\nA vulnerability was found in OpenSSL 3.x, in certain situations, parameters such as key length or IV length, will be processed after the key and IV have been established, hence they will not take effect as intended, potentially causing truncation or overreading of these values, impacting the confidentiality of the encryption.\n\nWhen calling the functions `EVP_CipherInit_ex2`, `EVP_EncryptInit_ex2, or `EVP_DecryptInit_ex2` with an `OSSL_PARAM` array, changes to the `keylen` or `ivlen` parameters will only be processed after the IV and the key have been established.\n\nNote this impacts the following ciphers: RC2, RC4, RC5, and the following cipher modes: CCM, GCM, OCB.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "The vulnerability is only applicable if the vulnerable functions `EVP_CipherInit_ex2`, `EVP_EncryptInit_ex2, or `EVP_DecryptInit_ex2` is called directly or indirectly with an `OSSL_PARAM` array that alters the `ivlen` and `keylen` parameters. 
Moreover, it only impacts the following ciphers: RC2, RC4, RC5, and the following cipher modes: CCM, GCM, OCB.", - "is_positive": true - }, - { - "name": "The prerequisites for exploiting the issue are extremely unlikely", - "description": "Changing the key or IV lengths is not considered a popular operation. Furthermore, the API only affects OpenSSL 3.x and it is likely the app developers have discovered the problem during testing, as it would have caused the decryption to fail.", - "is_positive": true - }, - { - "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", - "description": "The given CVSS score does not take into account the unlikely prerequisites and the context required to exploit this CVE.", - "is_positive": true - }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "In the case that this vulnerability is exploited successfully, an attacker can read sensitive data as plaintext, breaking the encryption." 
- } - ] - } - }, - { - "summary": "The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.9 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed request packet that does not trigger a response packet.", - "severity": "Medium", - "type": "security", - "components": { - "deb://debian:bookworm:libgssapi-krb5-2:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libgssapi-krb5-2:1.20.1-2+deb12u1", - "full_path": "libgssapi-krb5-2:1.20.1-2+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libk5crypto3:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libk5crypto3:1.20.1-2+deb12u1", - "full_path": "libk5crypto3:1.20.1-2+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libkrb5-3:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": 
"deb://debian:bookworm:libkrb5-3:1.20.1-2+deb12u1", - "full_path": "libkrb5-3:1.20.1-2+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libkrb5support0:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libkrb5support0:1.20.1-2+deb12u1", - "full_path": "libkrb5support0:1.20.1-2+deb12u1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-515010", - "cves": [ - { - "cve": "CVE-2011-0283", - "cvss_v2_score": "5.0", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P" - } - ], - "references": [ - "http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-002.txt", - "http://www.securityfocus.com/bid/46272", - "http://securityreason.com/securityalert/8073", - "http://www.vupen.com/english/advisories/2011/0330", - "http://secunia.com/advisories/43260", - "http://www.securitytracker.com/id?1025037", - "http://www.securityfocus.com/archive/1/516299/100/0/threaded", - "https://security-tracker.debian.org/tracker/CVE-2011-0283" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-515010\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "Libde265 v1.0.11 was discovered to contain a heap buffer overflow via the function derive_collocated_motion_vectors at motion.cc.", - "severity": "High", - "type": "security", - "components": { - "deb://debian:bookworm:libde265-0:1.0.11-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - 
"component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libde265-0:1.0.11-1", - "full_path": "libde265-0:1.0.11-1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-427848", - "cves": [ - { - "cve": "CVE-2023-27103", - "cvss_v3_score": "8.8", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" - } - ], - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2023-27103", - "https://github.com/strukturag/libde265/issues/394", - "https://lists.debian.org/debian-lts-announce/2023/11/msg00032.html" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-427848\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. 
This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.", - "severity": "High", - "type": "security", - "components": { - "deb://debian:bookworm:libgnutls30:3.7.9-2": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libgnutls30:3.7.9-2", - "full_path": "libgnutls30:3.7.9-2" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-588550", - "cves": [ - { - "cve": "CVE-2024-0567", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - } - ], - "references": [ - "https://access.redhat.com/errata/RHSA-2024:2094", - "https://access.redhat.com/security/cve/CVE-2024-0567", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZEIOLORQ7N6WRPFXZSYDL2MC4LP7VFV/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNXKVR5YNUEBNHAHM5GSYKBZX4W2HMN2/", - "https://bugzilla.redhat.com/show_bug.cgi?id=2258544", - "http://www.openwall.com/lists/oss-security/2024/01/19/3", - "https://security.netapp.com/advisory/ntap-20240202-0011/", - "https://access.redhat.com/errata/RHSA-2024:1383", - "https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html", - "https://access.redhat.com/errata/RHSA-2024:1082", - "https://security-tracker.debian.org/tracker/CVE-2024-0567", - "https://gitlab.com/gnutls/gnutls/-/issues/1521", - "https://access.redhat.com/errata/RHSA-2024:0533" - ], - "ignore_url": 
"https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-588550\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", - "extended_information": { - "short_description": "A design problem in GnuTLS may lead to denial of service when parsing a crafted certificate chain.", - "jfrog_research_severity": "Low", - "jfrog_research_severity_reasons": [ - { - "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", - "description": "The given CVSS score does not take into account the prerequisites and context required to exploit the vulnerability.", - "is_positive": true - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "The vulnerability is only exploitable if a GnuTLS client or server calls any of the following functions with externally-supplied input -\n\n- `gnutls_pcert_import_x509_list`\n\n- `gnutls_certificate_set_x509_key`\n\n- `gnutls_certificate_set_x509_simple_pkcs12_mem`\n\n- `gnutls_certificate_set_x509_simple_pkcs12_file`\n\n- `gnutls_privkey_import_url`\n\n- `gnutls_privkey_import_pkcs11_url`\n\n- `gnutls_read_key_file`\n\n- `gnutls_certificate_set_rawpk_key_file`\n\n- `gnutls_certificate_set_x509_key_file2`\n\n- `gnutls_certificate_set_x509_key_file`\n\n- `gnutls_pcert_list_import_x509_file`\n\n- `gnutls_certificate_set_x509_key_mem2`\n\n- `gnutls_certificate_set_x509_key_mem`\n\n- `gnutls_x509_crt_list_import`\n\n- `gnutls_pcert_list_import_x509_raw`\n\n- `gnutls_session_channel_binding`\n\n- `gnutls_x509_crt_list_import2`\n\n- `gnutls_x509_trust_list_add_trust_mem`\n\n- `gnutls_x509_trust_list_add_system_trust`\n\n- `gnutls_certificate_set_x509_system_trust`\n\n- 
`gnutls_certificate_set_x509_crl_mem`\n\n- `gnutls_certificate_set_x509_trust_mem`\n\n- `gnutls_x509_trust_list_add_trust_file`\n\n- `gnutls_certificate_set_x509_crl_file`\n\n- `gnutls_certificate_set_x509_trust_file`\n\n- `gnutls_x509_trust_list_add_trust_dir`\n\n- `gnutls_certificate_set_x509_trust_dir`\n\n- `gnutls_x509_trust_list_remove_trust_mem`\n\n- `gnutls_x509_trust_list_remove_trust_file`\n\n- `gnutls_x509_trust_list_verify_crt2`\n\n- `gnutls_x509_cert_verify_peers`\n\n- `gnutls_certificate_verify_peers`\n\n- `gnutls_certificate_verify_peers2`\n\n- `gnutls_certificate_verify_peers3`\n\n- `gnutls_pkcs7_verify`\n\n- `gnutls_ocsp_resp_verify`\n\n- `gnutls_x509_trust_list_verify_crt`", - "is_positive": true - }, - { - "name": "No high-impact exploit or technical writeup were published, and exploitation of the issue with high impact is either non-trivial or completely unproven", - "is_positive": true - } - ] - } - }, - { - "summary": "When saving HSTS data to an excessively long file name, curl could end up\nremoving all contents, making subsequent requests using that file unaware of\nthe HSTS status they should otherwise use.", - "severity": "Medium", - "type": "security", - "components": { - "deb://debian:bookworm:curl:7.88.1-10+deb12u4": { - "fixed_versions": [ - "[7.88.1-10+deb12u5]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:curl:7.88.1-10+deb12u4", - "full_path": "curl:7.88.1-10+deb12u4" - } - ] - ] - }, - "deb://debian:bookworm:libcurl4:7.88.1-10+deb12u4": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": 
"generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libcurl4:7.88.1-10+deb12u4", - "full_path": "libcurl4:7.88.1-10+deb12u4" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-540277", - "cves": [ - { - "cve": "CVE-2023-46219", - "cvss_v3_score": "5.3", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" - } - ], - "references": [ - "https://www.debian.org/security/2023/dsa-5587", - "https://security.netapp.com/advisory/ntap-20240119-0007/", - "https://hackerone.com/reports/2236133", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/", - "https://curl.se/docs/CVE-2023-46219.html", - "https://security-tracker.debian.org/tracker/CVE-2023-46219" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-540277\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "libtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiffcrop.c:8499. 
Incorrect updating of buffer size after rotateImage() in tiffcrop cause heap-buffer-overflow and SEGV.", - "severity": "Medium", - "type": "security", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-523034", - "cves": [ - { - "cve": "CVE-2023-25433", - "cvss_v3_score": "5.5", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" - } - ], - "references": [ - "https://gitlab.com/libtiff/libtiff/-/merge_requests/467", - "https://security-tracker.debian.org/tracker/CVE-2023-25433", - "https://gitlab.com/libtiff/libtiff/-/issues/520", - "https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-523034\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "A null pointer dereference flaw was found in Libtiff via `tif_dirinfo.c`. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. 
This can cause an application crash, eventually leading to a denial of service.", - "severity": "High", - "type": "security", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-617888", - "cves": [ - { - "cve": "CVE-2024-7006", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - } - ], - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2024-7006", - "https://access.redhat.com/security/cve/CVE-2024-7006", - "https://bugzilla.redhat.com/show_bug.cgi?id=2302996", - "https://access.redhat.com/errata/RHSA-2024:6360" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-617888\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.", - "severity": "High", - "type": "security", - "components": { - "deb://debian:bookworm:libexpat1:2.5.0-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": 
"generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libexpat1:2.5.0-1", - "full_path": "libexpat1:2.5.0-1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-589898", - "cves": [ - { - "cve": "CVE-2023-52425", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - } - ], - "references": [ - "http://www.openwall.com/lists/oss-security/2024/03/20/5", - "https://security.netapp.com/advisory/ntap-20240614-0003/", - "https://github.com/libexpat/libexpat/pull/789", - "https://lists.debian.org/debian-lts-announce/2024/04/msg00006.html", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNUBSGZFEZOBHJFTAD42SAN4ATW2VEMV/", - "https://security-tracker.debian.org/tracker/CVE-2023-52425" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-589898\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", - "extended_information": { - "short_description": "A design problem in libexpat may lead to denial of service when parsing a crafted XML document with large tokens.", - "jfrog_research_severity": "High", - "jfrog_research_severity_reasons": [ - { - "name": "The issue has an exploit published", - "description": "A PoC demonstrating denial-of-service can be found in Expat's tests." 
- }, - { - "name": "The issue is trivial to exploit and does not require a published writeup or PoC", - "description": "The issue doesn't require any in-depth knowledge to trigger as a proof-of-concept exists in the official fix commit." - }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "Exploitation of the vulnerability leads to high resource consumption which may lead to denial of service." - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "Exploitation requires passing user-controlled input to an XML parsing function such as `XML_Parse`.", - "is_positive": true - } - ] - } - }, - { - "summary": "libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is \"I don't think these issues are critical enough to warrant a CVE ID ... 
because an attacker typically can't control when memory allocations fail.\"", - "severity": "Medium", - "type": "security", - "components": { - "deb://debian:bookworm:libxml2:2.9.14+dfsg-1.3~deb12u1": { - "fixed_versions": [ - "[2.12.7+dfsg-1]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libxml2:2.9.14+dfsg-1.3~deb12u1", - "full_path": "libxml2:2.9.14+dfsg-1.3~deb12u1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-533060", - "cves": [ - { - "cve": "CVE-2023-45322", - "cvss_v3_score": "6.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" - } - ], - "references": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/583", - "http://www.openwall.com/lists/oss-security/2023/10/06/5", - "https://security-tracker.debian.org/tracker/CVE-2023-45322", - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/344" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-533060\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "Issue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. 
Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. 
The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", - "severity": "Medium", - "type": "security", - "components": { - "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1", - "full_path": "libssl3:3.0.11-1~deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:openssl:3.0.11-1~deb12u1": { - "fixed_versions": [ - "[3.0.13-1~deb12u1]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:openssl:3.0.11-1~deb12u1", - "full_path": "openssl:3.0.11-1~deb12u1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-535129", - "cves": [ - { - "cve": "CVE-2023-5678", - "cvss_v3_score": "5.3", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" - } - ], - "references": [ - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055", - 
"https://security.netapp.com/advisory/ntap-20231130-0010/", - "http://www.openwall.com/lists/oss-security/2024/03/11/1", - "https://security-tracker.debian.org/tracker/CVE-2023-5678", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017", - "https://www.openssl.org/news/secadv/20231106.txt", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-535129\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. 
NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.", - "severity": "Critical", - "type": "security", - "components": { - "deb://debian:bookworm:zlib1g:1:1.2.13.dfsg-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:zlib1g:1:1.2.13.dfsg-1", - "full_path": "zlib1g:1:1.2.13.dfsg-1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-533715", - "cves": [ - { - "cve": "CVE-2023-45853", - "cvss_v3_score": "9.8", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" - } - ], - "references": [ - "http://www.openwall.com/lists/oss-security/2024/01/24/10", - "http://www.openwall.com/lists/oss-security/2023/10/20/9", - "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4", - "https://www.winimage.com/zLibDll/minizip.html", - "https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", - "https://pypi.org/project/pyminizip/#history", - "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", - "https://security.gentoo.org/glsa/202401-18", - "https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356", - "https://github.com/madler/zlib/pull/843", - "https://security.netapp.com/advisory/ntap-20231130-0009/", - "https://security-tracker.debian.org/tracker/CVE-2023-45853" - ], - "ignore_url": 
"https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-533715\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", - "extended_information": { - "short_description": "A heap buffer overflow in zlib may lead to remote code execution when parsing a malicious archive.", - "jfrog_research_severity": "High", - "jfrog_research_severity_reasons": [ - { - "name": "The issue has an exploit published", - "description": "PoC demonstrates a heap overflow that crashes the application. Although not demonstrated, it is likely that an RCE exploit could be developed, since zip-processing may allow many heap-shaping primitives needed for a full RCE exploit." - }, - { - "name": "The issue can be exploited by attackers over the network", - "description": "An attacker could compromise a server that is using the `zlib` library to zip or unzip any files." - }, - { - "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", - "description": "The CVSS score does not reflect the context-dependent nature of this vulnerability.", - "is_positive": true - }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "Remote code execution." - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. 
The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "An attacker must find a way to upload a crafted zip archive, that is subsequently processed by the vulnerable `zipOpenNewFileInZip4_64` function.", - "is_positive": true - } - ], - "remediation": "##### Development mitigations\n\nMake sure that files with names larger than 65536 characters are not parsed using `zlib`.\n\nAlso, a fix currently exists in the `develop` branch of `zlib` and can be deployed manually." - } - }, - { - "summary": "NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().", - "severity": "Medium", - "type": "security", - "components": { - "deb://debian:bookworm:libtinfo6:6.4-4": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libtinfo6:6.4-4", - "full_path": "libtinfo6:6.4-4" - } - ] - ] - }, - "deb://debian:bookworm:ncurses-base:6.4-4": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:ncurses-base:6.4-4", - "full_path": "ncurses-base:6.4-4" - } - ] - ] - }, - "deb://debian:bookworm:ncurses-bin:6.4-4": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": 
"generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:ncurses-bin:6.4-4", - "full_path": "ncurses-bin:6.4-4" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-540521", - "cves": [ - { - "cve": "CVE-2023-50495", - "cvss_v3_score": "6.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" - } - ], - "references": [ - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/", - "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00020.html", - "https://security.netapp.com/advisory/ntap-20240119-0008/", - "https://security-tracker.debian.org/tracker/CVE-2023-50495", - "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00029.html" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-540521\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "A vulnerability was found in libtiff due to multiple potential integer overflows in raw2tiff.c. 
This flaw allows remote attackers to cause a denial of service or possibly execute an arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.", - "severity": "Medium", - "type": "security", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-529113", - "cves": [ - { - "cve": "CVE-2023-41175", - "cvss_v3_score": "6.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" - } - ], - "references": [ - "https://bugzilla.redhat.com/show_bug.cgi?id=2235264", - "https://access.redhat.com/errata/RHSA-2024:2289", - "https://security-tracker.debian.org/tracker/CVE-2023-41175", - "https://access.redhat.com/security/cve/CVE-2023-41175" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-529113\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", - "extended_information": { - "short_description": "An integer overflow in libtiff's raw2tiff may lead to remote code execution when parsing crafted images.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "The prerequisites for exploiting the issue are extremely unlikely", - "description": "For an attacker to exploit this vulnerability, `raw2tiff` has to be invoked with the `-l`, `-b` and `-w` flags. 
In addition to this, the attacker has to be able to supply a crafted TIFF file as input.", - "is_positive": true - }, - { - "name": "The issue has an exploit published", - "description": "PoC was published along with the git issue." - }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "The vulnerability leads to denial of service and possibly remote code execution." - }, - { - "name": "No high-impact exploit or technical writeup were published, and exploitation of the issue with high impact is either non-trivial or completely unproven", - "description": "Although integer overflow could potentially lead to RCE, no exploit or technical writeup suggested such an impact for this issue.", - "is_positive": true - } - ] - } - }, - { - "summary": "A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function.", - "severity": "High", - "type": "security", - "components": { - "deb://debian:bookworm:libldap-2.5-0:2.5.13+dfsg-5": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libldap-2.5-0:2.5.13+dfsg-5", - "full_path": "libldap-2.5-0:2.5.13+dfsg-5" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-520865", - "cves": [ - { - "cve": "CVE-2023-2953", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - } - ], - "references": [ - "http://seclists.org/fulldisclosure/2023/Jul/48", - "https://support.apple.com/kb/HT213845", - "http://seclists.org/fulldisclosure/2023/Jul/47", - "https://bugs.openldap.org/show_bug.cgi?id=9904", - 
"https://security-tracker.debian.org/tracker/CVE-2023-2953", - "https://support.apple.com/kb/HT213844", - "https://access.redhat.com/security/cve/CVE-2023-2953", - "https://security.netapp.com/advisory/ntap-20230703-0005/", - "http://seclists.org/fulldisclosure/2023/Jul/52", - "https://support.apple.com/kb/HT213843" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-520865\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).", - "severity": "Critical", - "type": "security", - "components": { - "deb://debian:bookworm:libexpat1:2.5.0-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libexpat1:2.5.0-1", - "full_path": "libexpat1:2.5.0-1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-632612", - "cves": [ - { - "cve": "CVE-2024-45492", - "cvss_v3_score": "9.8", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" - } - ], - "references": [ - "https://github.com/libexpat/libexpat/issues/889", - "https://security-tracker.debian.org/tracker/CVE-2024-45492", - "https://github.com/libexpat/libexpat/pull/892" - ], - "ignore_url": 
"https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-632612\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.", - "severity": "Critical", - "type": "security", - "components": { - "deb://debian:bookworm:libexpat1:2.5.0-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libexpat1:2.5.0-1", - "full_path": "libexpat1:2.5.0-1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-632613", - "cves": [ - { - "cve": "CVE-2024-45490", - "cvss_v3_score": "9.8", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" - } - ], - "references": [ - "https://github.com/libexpat/libexpat/issues/887", - "https://security-tracker.debian.org/tracker/CVE-2024-45490", - "https://github.com/libexpat/libexpat/pull/890" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-632613\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. 
NOTE: the vendor's position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input.", - "severity": "Medium", - "type": "security", - "components": { - "deb://debian:bookworm:libxml2:2.9.14+dfsg-1.3~deb12u1": { - "fixed_versions": [ - "[2.12.7+dfsg-1]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libxml2:2.9.14+dfsg-1.3~deb12u1", - "full_path": "libxml2:2.9.14+dfsg-1.3~deb12u1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-529332", - "cves": [ - { - "cve": "CVE-2023-39615", - "cvss_v3_score": "6.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" - } - ], - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2023-39615", - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/535" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-529332\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. 
This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.", - "severity": "Medium", - "type": "security", - "components": { - "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1", - "full_path": "libssl3:3.0.11-1~deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:openssl:3.0.11-1~deb12u1": { - "fixed_versions": [ - "[3.0.13-1~deb12u1]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:openssl:3.0.11-1~deb12u1", - "full_path": "openssl:3.0.11-1~deb12u1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-589396", - "cves": [ - { - "cve": "CVE-2024-0727", - "cvss_v3_score": 
"5.5", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" - } - ], - "references": [ - "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", - "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", - "https://security-tracker.debian.org/tracker/CVE-2024-0727", - "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", - "https://www.openssl.org/news/secadv/20240125.txt", - "https://security.netapp.com/advisory/ntap-20240208-0006/", - "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", - "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", - "http://www.openwall.com/lists/oss-security/2024/03/11/1" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-589396\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "A flaw was found in libtiff. 
A specially crafted tiff file can lead to a segmentation fault due to a buffer overflow in the Fax3Encode function in libtiff/tif_fax3.c, resulting in a denial of service.", - "severity": "Medium", - "type": "security", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-523187", - "cves": [ - { - "cve": "CVE-2023-3618", - "cvss_v3_score": "6.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" - } - ], - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2023-3618", - "https://support.apple.com/kb/HT214036", - "https://bugzilla.redhat.com/show_bug.cgi?id=2215865", - "https://security.netapp.com/advisory/ntap-20230824-0012/", - "https://access.redhat.com/security/cve/CVE-2023-3618", - "https://support.apple.com/kb/HT214037", - "https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html", - "https://support.apple.com/kb/HT214038" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-523187\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "Integer overflow in the ReadDirectory function in tiffdump.c in tiffdump in LibTIFF before 3.9.5 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TIFF file containing a 
directory data structure with many directory entries.", - "severity": "Medium", - "type": "security", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-36369", - "cves": [ - { - "cve": "CVE-2010-4665", - "cvss_v2_score": "4.3", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P" - } - ], - "references": [ - "http://www.securityfocus.com/bid/47338", - "http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058478.html", - "http://www.debian.org/security/2012/dsa-2552", - "http://lists.opensuse.org/opensuse-security-announce/2011-05/msg00005.html", - "https://security-tracker.debian.org/tracker/CVE-2010-4665", - "http://security.gentoo.org/glsa/glsa-201209-02.xml", - "http://secunia.com/advisories/44271", - "http://ubuntu.com/usn/usn-1416-1", - "http://bugzilla.maptools.org/show_bug.cgi?id=2218", - "https://bugzilla.redhat.com/show_bug.cgi?id=695887", - "http://www.remotesensing.org/libtiff/v3.9.5.html", - "http://secunia.com/advisories/50726", - "http://openwall.com/lists/oss-security/2011/04/12/10" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-36369\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "AOMedia v3.0.0 to v3.5.0 was discovered to contain an invalid read memory access via the component 
assign_frame_buffer_p in av1/common/av1_common_int.h.", - "severity": "High", - "type": "security", - "components": { - "deb://debian:bookworm:libaom3:3.6.0-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libaom3:3.6.0-1", - "full_path": "libaom3:3.6.0-1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-529506", - "cves": [ - { - "cve": "CVE-2023-39616", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - } - ], - "references": [ - "https://bugs.chromium.org/p/aomedia/issues/detail?id=3372#c3", - "https://security-tracker.debian.org/tracker/CVE-2023-39616" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-529506\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", - "extended_information": { - "short_description": "Invalid pointer dereference in libaom leads to denial of service when encoding crafted video data with nondefault configuration options set.", - "jfrog_research_severity": "Low", - "jfrog_research_severity_reasons": [ - { - "name": "The issue has an exploit published", - "description": "The published exploit demonstrates DoS" - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. 
The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "The issue can be exploited by the `aomenc` CLI tool when called on arbitrary input file with the flag `--drop-frame=1` - \n`aomenc --passes=1 -h 1 -w 1 --drop-frame=1 --end-usage=cbr --buf-sz=1 -o /dev/null poc`\n \n\nAlternatively, the issue can be exploited through `libaom` when calling `aom_codec_enc_init` where the 3rd arg (`config`) has `dropframe_thresh == 1` + calling `aom_codec_encode` with external input to the 2nd arg (`img`)", - "is_positive": true - }, - { - "name": "The issue cannot result in a severe impact (such as remote code execution)", - "description": "Exploiting the DoS via invocation of the `aomenc` CLI tool has minimal security impact, since exploitation will cause the `aomenc` forked utiliy process to crash (crashing a forked process has minimal security impact)\n\nThe issue can also be exploited via specific calls to `libaom`, however the configuration needed is extremely rare and crashing a video encoder usually does not have a high security impact.\n\nDebian classified this CVE as a \"minor issue\"", - "is_positive": true - } - ] - } - }, - { - "summary": "A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. 
This issue affects glibc 2.36 and newer.", - "severity": "High", - "type": "security", - "components": { - "deb://debian:bookworm:libc-bin:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc-bin:2.36-9+deb12u3", - "full_path": "libc-bin:2.36-9+deb12u3" - } - ] - ] - }, - "deb://debian:bookworm:libc6:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc6:2.36-9+deb12u3", - "full_path": "libc6:2.36-9+deb12u3" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-589627", - "cves": [ - { - "cve": "CVE-2023-6246", - "cvss_v3_score": "7.8", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" - } - ], - "references": [ - "https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2FIH77VHY3KCRROCXOT6L27WMZXSJ2G/", - "https://security.netapp.com/advisory/ntap-20240216-0007/", - "https://security-tracker.debian.org/tracker/CVE-2023-6246", - "https://access.redhat.com/security/cve/CVE-2023-6246", - "http://packetstormsecurity.com/files/176931/glibc-qsort-Out-Of-Bounds-Read-Write.html", - "http://seclists.org/fulldisclosure/2024/Feb/5", - 
"https://www.openwall.com/lists/oss-security/2024/01/30/6", - "http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html", - "https://bugzilla.redhat.com/show_bug.cgi?id=2249053", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWQ6BZJ6CV5UAW4VZSKJ6TO4KIW2KWAQ/", - "https://security.gentoo.org/glsa/202402-01", - "http://seclists.org/fulldisclosure/2024/Feb/3" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-589627\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", - "extended_information": { - "short_description": "A heap buffer overflow in glibc may lead to local privilege escalation.", - "full_description": "[glibc](https://www.gnu.org/software/libc/) is the GNU C Library, a widely-used implementation of the C standard library.\n\nA vulnerability was identified in __vsyslog_internal(), which is called by the API functions `syslog()` and `vsyslog()` of glibc syslog functionality. Unprivileged users could gain full root access by manipulating syslog inputs.\n\nThe initial prerequisite for exploiting this local privilege escalation is a local SUID executable that contains calls to one of the vulnerable functions `syslog()` and `vsyslog()`. In order to exploit this, the attacker needs to control either argv[0], which typically holds the name of the program being executed, or the `openlog()` ident argument. \n\nAs explained in [Qualys’s research](https://qualys.com/2024/01/30/cve-2023-6246/syslog.txt), the identification string (LogTag) being NULL is essential for exploiting this issue. Thus, the `openlog()` function would need to either not be called, or called with NULL for the ident param for successful exploitation. 
\n\nIn Qualys’s research, they utilized a code path in the `su` program that doesn’t reach `openlog()`. Meaning the default user-controlled, argv[0] was used. Keep in mind another attack vector is possible in a different scenario when the user can control the ident arg of `openlog()`.\n\nSeeing as argv[0] is the name (path) of the running program, it is highly likely for a local attacker to be able to abuse this CVE for a local privilege escalation and unlikely that a remote attacker will have control over this argument for an RCE attack.\n\nQualys demonstrated a successful LPE exploit on Fedora. While no other public exploits are yet known, the threat landscape could evolve. It is likely possible to exploit this on other Linux distributions as well.", - "jfrog_research_severity": "High", - "jfrog_research_severity_reasons": [ - { - "name": "The issue has multiple mentions in general media", - "description": "The vulnerability received extensive media coverage." - }, - { - "name": "The issue has a detailed technical explanation published, that can aid in exploit development", - "description": "This vulnerability has a through technical writeup, which also details an exploit." - }, - { - "name": "The prerequisites for exploiting the issue are either extremely common or nonexistent (always exploitable)", - "description": "As explained in the summary, the requirements to trigger the vulnerability are highly likely on default Linux machines that use a vulnerable version of glibc." - }, - { - "name": "The issue can only be exploited by an attacker that can execute code on the vulnerable machine (excluding exceedingly rare circumstances)", - "description": "This vulnerability requires local access to exploit. 
It is unlikely to be exploitable in remote scenarios as explained in the summary.", - "is_positive": true - }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "This is a local privilege escalation vulnerability that could enable a local attacker to execute code as a root user." - } - ] - } - }, - { - "summary": "A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service.", - "severity": "High", - "type": "security", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-589395", - "cves": [ - { - "cve": "CVE-2023-52356", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - } - ], - "references": [ - "https://access.redhat.com/errata/RHSA-2024:5079", - "https://support.apple.com/kb/HT214123", - "https://support.apple.com/kb/HT214118", - "http://seclists.org/fulldisclosure/2024/Jul/21", - "https://support.apple.com/kb/HT214122", - "https://support.apple.com/kb/HT214117", - "http://seclists.org/fulldisclosure/2024/Jul/20", - "http://seclists.org/fulldisclosure/2024/Jul/23", - "https://support.apple.com/kb/HT214116", - "http://seclists.org/fulldisclosure/2024/Jul/16", - "https://support.apple.com/kb/HT214119", - 
"https://support.apple.com/kb/HT214124", - "http://seclists.org/fulldisclosure/2024/Jul/17", - "https://support.apple.com/kb/HT214120", - "http://seclists.org/fulldisclosure/2024/Jul/19", - "http://seclists.org/fulldisclosure/2024/Jul/22", - "http://seclists.org/fulldisclosure/2024/Jul/18", - "https://lists.debian.org/debian-lts-announce/2024/03/msg00011.html", - "https://gitlab.com/libtiff/libtiff/-/issues/622", - "https://gitlab.com/libtiff/libtiff/-/merge_requests/546", - "https://security-tracker.debian.org/tracker/CVE-2023-52356", - "https://bugzilla.redhat.com/show_bug.cgi?id=2251344", - "https://access.redhat.com/security/cve/CVE-2023-52356" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-589395\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", - "extended_information": { - "short_description": "A heap buffer overflow in libtiff may lead to denial of service when parsing a crafted tiff image.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "To exploit the vulnerability, the attacker must be able to upload a maliciously crafted tiff image which will be parsed by the victim.", - "is_positive": true - }, - { - "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", - "description": "The CVSS score does not reflect the contextual prerequisites required to exploit the vulnerability.", - "is_positive": true - } - ] - } - }, - { - "summary": "An integer overflow was found in the __vsyslog_internal function of the glibc library. 
This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a very long message, leading to an incorrect calculation of the buffer size to store the message, resulting in undefined behavior. This issue affects glibc 2.37 and newer.", - "severity": "Medium", - "type": "security", - "components": { - "deb://debian:bookworm:libc-bin:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc-bin:2.36-9+deb12u3", - "full_path": "libc-bin:2.36-9+deb12u3" - } - ] - ] - }, - "deb://debian:bookworm:libc6:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc6:2.36-9+deb12u3", - "full_path": "libc6:2.36-9+deb12u3" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-589628", - "cves": [ - { - "cve": "CVE-2023-6780", - "cvss_v3_score": "5.3", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" - } - ], - "references": [ - "http://seclists.org/fulldisclosure/2024/Feb/3", - "https://security.gentoo.org/glsa/202402-01", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWQ6BZJ6CV5UAW4VZSKJ6TO4KIW2KWAQ/", - "https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt", - 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2FIH77VHY3KCRROCXOT6L27WMZXSJ2G/", - "http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html", - "https://www.openwall.com/lists/oss-security/2024/01/30/6", - "https://access.redhat.com/security/cve/CVE-2023-6780", - "https://security-tracker.debian.org/tracker/CVE-2023-6780", - "https://bugzilla.redhat.com/show_bug.cgi?id=2254396" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-589628\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "libheif v1.17.5 was discovered to contain a segmentation violation via the function UncompressedImageCodec::decode_uncompressed_image.", - "severity": "High", - "type": "security", - "components": { - "deb://debian:bookworm:libheif1:1.15.1-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libheif1:1.15.1-1", - "full_path": "libheif1:1.15.1-1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-540353", - "cves": [ - { - "cve": "CVE-2023-49460", - "cvss_v3_score": "8.8", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" - } - ], - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2023-49460", - "https://github.com/strukturag/libheif/issues/1046" - ], - "ignore_url": 
"https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-540353\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", - "extended_information": { - "short_description": "A NULL pointer dereference in libheif may lead to denial of service when parsing crafted images.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "The issue has an exploit published", - "description": "A proof-of-concept was published in the report's GitHub Issue." - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "To successfully exploit this vulnerability an attacker needs to find a way to propagate input into the vulnerable `UncompressedImageCodec::decode_uncompressed_image` function.", - "is_positive": true - }, - { - "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", - "description": "The CVSS score does not reflect the context dependent exploitation and impact of this vulnerability.", - "is_positive": true - } - ] - } - }, - { - "summary": "A null pointer dereference issue was found in Libtiff's tif_dir.c file. This issue may allow an attacker to pass a crafted TIFF image file to the tiffcp utility which triggers a runtime error that causes undefined behavior. 
This will result in an application crash, eventually leading to a denial of service.", - "severity": "Medium", - "type": "security", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-522698", - "cves": [ - { - "cve": "CVE-2023-2908", - "cvss_v3_score": "5.5", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" - } - ], - "references": [ - "https://access.redhat.com/security/cve/CVE-2023-2908", - "https://gitlab.com/libtiff/libtiff/-/commit/9bd48f0dbd64fb94dc2b5b05238fde0bfdd4ff3f", - "https://gitlab.com/libtiff/libtiff/-/merge_requests/479", - "https://security.netapp.com/advisory/ntap-20230731-0004/", - "https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html", - "https://security-tracker.debian.org/tracker/CVE-2023-2908", - "https://bugzilla.redhat.com/show_bug.cgi?id=2218830" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-522698\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "Multiple integer signedness errors in crypto/buffer/buffer.c in OpenSSL 0.9.8v allow remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-2110.", - "severity": "High", - "type": "security", - "components": { - "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1", - "full_path": "libssl3:3.0.11-1~deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:openssl:3.0.11-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:openssl:3.0.11-1~deb12u1", - "full_path": "openssl:3.0.11-1~deb12u1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-192416", - "cves": [ - { - "cve": "CVE-2012-2131", - "cvss_v2_score": "7.5", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P" - } - ], - "references": [ - "http://www.openwall.com/lists/oss-security/2012/04/24/1", - "http://secunia.com/advisories/48956", - "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html", - "http://www.ubuntu.com/usn/USN-1428-1", - "http://secunia.com/advisories/48895", - "http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004564", - "http://www.mandriva.com/security/advisories?name=MDVSA-2012:064", - "http://www.debian.org/security/2012/dsa-2454", - "http://www.openssl.org/news/secadv_20120424.txt", - 
"http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00014.html", - "http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00007.html", - "http://www.securitytracker.com/id?1026957", - "http://secunia.com/advisories/57353", - "http://marc.info/?l=bugtraq\u0026m=134039053214295\u0026w=2", - "https://security-tracker.debian.org/tracker/CVE-2012-2131", - "http://cvs.openssl.org/chngview?cn=22479", - "http://marc.info/?l=bugtraq\u0026m=133728068926468\u0026w=2", - "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10673", - "https://exchange.xforce.ibmcloud.com/vulnerabilities/75099", - "http://www.securityfocus.com/bid/53212", - "http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00015.html", - "http://support.apple.com/kb/HT5784" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-192416\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "A Segmentation fault caused by a floating point exception exists in libheif 1.15.1 using crafted heif images via the heif::Fraction::round() function in box.cc, which causes a denial of service.", - "severity": "Medium", - "type": "security", - "components": { - "deb://debian:bookworm:libheif1:1.15.1-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libheif1:1.15.1-1", - "full_path": "libheif1:1.15.1-1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-519184", - "cves": [ - { - "cve": 
"CVE-2023-29659", - "cvss_v3_score": "6.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" - } - ], - "references": [ - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAE6NQBA3Q7GS6VTNDZRZZZVPPEFUEZ/", - "https://github.com/strukturag/libheif/issues/794", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LGKHDCS4HRZE3UGXYYDYPTIPNIBRLQ5L/", - "https://security-tracker.debian.org/tracker/CVE-2023-29659" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-519184\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.", - "severity": "High", - "type": "security", - "components": { - "deb://debian:bookworm:perl-base:5.36.0-7": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:perl-base:5.36.0-7", - "full_path": "perl-base:5.36.0-7" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-515823", - "cves": [ - { - "cve": "CVE-2023-31484", - "cvss_v3_score": "8.1", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" - } - ], - "references": [ - "http://www.openwall.com/lists/oss-security/2023/04/29/1", - "https://security.netapp.com/advisory/ntap-20240621-0007/", - "http://www.openwall.com/lists/oss-security/2023/05/03/5", - 
"http://www.openwall.com/lists/oss-security/2023/05/03/3", - "https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/", - "http://www.openwall.com/lists/oss-security/2023/05/07/2", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/", - "https://metacpan.org/dist/CPAN/changes", - "https://security-tracker.debian.org/tracker/CVE-2023-31484", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/", - "https://github.com/andk/cpanpm/pull/175", - "https://www.openwall.com/lists/oss-security/2023/04/18/14" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-515823\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", - "extended_information": { - "short_description": "Missing TLS check in CPAN.pm allows man-in-the-middle attacks when downloading packages and may lead to code execution.", - "full_description": "[CPAN.pm](https://metacpan.org/pod/CPAN) is a Perl module and command-line tool that provides an automated and standardized way to download, install, and manage Perl modules and their dependencies from the Comprehensive Perl Archive Network (CPAN).\n[HTTP::Tiny](https://metacpan.org/pod/HTTP::Tiny) is an HTTP client in Perl and a standalone CPAN module. By default, it does not verify TLS certificates. To enable it, the `verify_SSL=\u003e1` flag should be specified when initializing the `HTTP::Tiny` object. 
The problem identified in `HTTP::Tiny` has been assigned the CVE identifier `CVE-2023-31486` and serves as the underlying cause for the problem in `CPAN.pm`.\n\n`CPAN.pm` downloads and executes code through the `install` command followed by the package name.\nAlthough `CPAN.pm` downloads from `https://cpan.org`, it does not enable TLS certificate verification while using `HTTP::Tiny`, which could potentially allow an attacker to perform a man-in-the-middle attack by injecting malicious data that could be executed by CPAN.pm.\n\nExample of a vulnerable code:\n```\nuse CPAN;\ninstall DateTime\n```\n\nExample of a vulnerable command-line:\n```\ncpan install DateTime\n```", - "jfrog_research_severity": "High", - "jfrog_research_severity_reasons": [ - { - "name": "The issue is trivial to exploit and does not require a published writeup or PoC", - "description": "Exploitation only requires an attacker to perform a man-in-the-middle attack (which is extensively documented) and provide the victim with a malicious package instead of the legitimate one." - }, - { - "name": "The issue has a detailed technical explanation published, that can aid in exploit development", - "description": "A technical write-up exists." - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "The attacker should be in the network to perform a man-in-the-middle attack, and then provide a malicious package when the victim installs a new CPAN.pm package.", - "is_positive": true - }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "This issue may lead to code execution." - }, - { - "name": "The issue can be exploited by attackers over the network" - } - ] - } - }, - { - "summary": "A vulnerability was found in systemd-resolved. 
This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", - "severity": "Medium", - "type": "security", - "components": { - "deb://debian:bookworm:libsystemd0:252.17-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libsystemd0:252.17-1~deb12u1", - "full_path": "libsystemd0:252.17-1~deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libudev1:252.17-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libudev1:252.17-1~deb12u1", - "full_path": "libudev1:252.17-1~deb12u1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-585478", - "cves": [ - { - "cve": "CVE-2023-7008", - "cvss_v3_score": "5.9", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" - } - ], - "references": [ - "https://bugzilla.redhat.com/show_bug.cgi?id=2222672", - "https://github.com/systemd/systemd/issues/25676", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4GMDEG5PKONWNHOEYSUDRT6JEOISRMN2/", - "https://access.redhat.com/errata/RHSA-2024:2463", - "https://access.redhat.com/security/cve/CVE-2023-7008", - 
"https://security-tracker.debian.org/tracker/CVE-2023-7008", - "https://access.redhat.com/errata/RHSA-2024:3203", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHNBXGKJWISJETTTDTZKTBFIBJUOSLKL/", - "https://bugzilla.redhat.com/show_bug.cgi?id=2222261" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-585478\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications running\non PowerPC CPU based platforms if the CPU provides vector instructions.\n\nImpact summary: If an attacker can influence whether the POLY1305 MAC\nalgorithm is used, the application state might be corrupted with various\napplication dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL for\nPowerPC CPUs restores the contents of vector registers in a different order\nthan they are saved. Thus the contents of some of these vector registers\nare corrupted when returning to the caller. The vulnerable code is used only\non newer PowerPC processors supporting the PowerISA 2.07 instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. 
However unless the compiler uses the vector registers for storing\npointers, the most likely consequence, if any, would be an incorrect result\nof some application dependent calculations or a crash leading to a denial of\nservice.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3. If this cipher is enabled on the server a malicious\nclient can influence whether this AEAD cipher is used. This implies that\nTLS server applications using OpenSSL can be potentially impacted. However\nwe are currently not aware of any concrete application that would be affected\nby this issue therefore we consider this a Low severity security issue.", - "severity": "Medium", - "type": "security", - "components": { - "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1", - "full_path": "libssl3:3.0.11-1~deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:openssl:3.0.11-1~deb12u1": { - "fixed_versions": [ - "[3.0.13-1~deb12u1]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": 
"deb://debian:bookworm:openssl:3.0.11-1~deb12u1", - "full_path": "openssl:3.0.11-1~deb12u1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-588102", - "cves": [ - { - "cve": "CVE-2023-6129", - "cvss_v3_score": "6.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H" - } - ], - "references": [ - "https://security.netapp.com/advisory/ntap-20240426-0008/", - "https://security.netapp.com/advisory/ntap-20240426-0013/", - "http://www.openwall.com/lists/oss-security/2024/03/11/1", - "https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015", - "https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35", - "https://security.netapp.com/advisory/ntap-20240216-0009/", - "https://www.openssl.org/news/secadv/20240109.txt", - "https://security-tracker.debian.org/tracker/CVE-2023-6129", - "https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04", - "https://security.netapp.com/advisory/ntap-20240503-0011/" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-588102\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_prediction function at motion.cc.", - "severity": "High", - "type": "security", - "components": { - "deb://debian:bookworm:libde265-0:1.0.11-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": 
"deb://debian:bookworm:libde265-0:1.0.11-1", - "full_path": "libde265-0:1.0.11-1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-540366", - "cves": [ - { - "cve": "CVE-2023-49465", - "cvss_v3_score": "8.8", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" - } - ], - "references": [ - "https://github.com/strukturag/libde265/issues/435", - "https://lists.debian.org/debian-lts-announce/2023/12/msg00022.html", - "https://security-tracker.debian.org/tracker/CVE-2023-49465" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-540366\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", - "extended_information": { - "short_description": "A non-proven heap buffer overflow in libde265 may lead to remote code execution when parsing attacker-supplied H.265 data.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "The impact of exploiting the issue depends on the context of surrounding software. A severe impact such as RCE is not guaranteed.", - "description": "The attacker must be able to provide remote input that will be parsed by H.265, for example - `./dec265 attacker_input`.\nThe exploit only works on a small percent of executions, since the impact of parsing a malicious Atari DEGAS Elite bitmap file is contingent on the current heap state.", - "is_positive": true - }, - { - "name": "No high-impact exploit or technical writeup were published, and exploitation of the issue with high impact is either non-trivial or completely unproven", - "description": "Although a PoC was linked to the issue, the maintainer was not able to reproduce the corruption. 
In addition, the heap buffer overflow was not proven to be able to cause remote code execution.", - "is_positive": true - }, - { - "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", - "description": "The CVSS does not take into account the non-trivial exploitation.", - "is_positive": true - } - ] - } - }, - { - "summary": "Libde265 v1.0.12 was discovered to contain multiple buffer overflows via the num_tile_columns and num_tile_row parameters in the function pic_parameter_set::dump.", - "severity": "High", - "type": "security", - "components": { - "deb://debian:bookworm:libde265-0:1.0.11-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libde265-0:1.0.11-1", - "full_path": "libde265-0:1.0.11-1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-538327", - "cves": [ - { - "cve": "CVE-2023-43887", - "cvss_v3_score": "8.1", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H" - } - ], - "references": [ - "https://lists.debian.org/debian-lts-announce/2023/11/msg00032.html", - "https://security-tracker.debian.org/tracker/CVE-2023-43887", - "https://github.com/strukturag/libde265/issues/418", - "https://github.com/strukturag/libde265/commit/63b596c915977f038eafd7647d1db25488a8c133" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-538327\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", - 
"extended_information": { - "short_description": "An out of bounds read in libde265 may lead to denial of service or data leakage when decoding attacker-supplied data in a non-default configuration.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "The attacker has to be able to decode crafted H.265 files with the non-default dump headers option enabled. For example - `./dec265 -d attacker_input`", - "is_positive": true - }, - { - "name": "The issue has an exploit published", - "description": "The Github issue has a linked PoC." - }, - { - "name": "The issue has a detailed technical explanation published, that can aid in exploit development", - "description": "The Github issue carefully explains the vulnerability." - } - ] - } - }, - { - "summary": "**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. 
NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.", - "severity": "Medium", - "type": "security", - "components": { - "deb://debian:bookworm:gcc-12-base:12.2.0-14": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:gcc-12-base:12.2.0-14", - "full_path": "gcc-12-base:12.2.0-14" - } - ] - ] - }, - "deb://debian:bookworm:libgcc-s1:12.2.0-14": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libgcc-s1:12.2.0-14", - "full_path": "libgcc-s1:12.2.0-14" - } - ] - ] - }, - "deb://debian:bookworm:libstdc++6:12.2.0-14": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libstdc++6:12.2.0-14", - "full_path": "libstdc++6:12.2.0-14" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-531779", - "cves": [ - { - "cve": "CVE-2023-4039", - "cvss_v3_score": "4.8", - "cvss_v3_vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" - } - ], - "references": [ - "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf", - "https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", - "https://security-tracker.debian.org/tracker/CVE-2023-4039" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-531779\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "Buffer Overflow vulnerability in strukturag libde265 v1.10.12 allows a local attacker to cause a denial of service via the slice_segment_header function in the slice.cc component.", - "severity": "Medium", - "type": "security", - "components": { - "deb://debian:bookworm:libde265-0:1.0.11-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libde265-0:1.0.11-1", - "full_path": "libde265-0:1.0.11-1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-537162", - "cves": [ - { - "cve": "CVE-2023-47471", - "cvss_v3_score": "6.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" - } - ], - "references": [ - "https://github.com/strukturag/libde265/commit/e36b4a1b0bafa53df47514c419d5be3e8916ebc7", - "https://security-tracker.debian.org/tracker/CVE-2023-47471", - "https://lists.debian.org/debian-lts-announce/2023/11/msg00032.html", - "https://github.com/strukturag/libde265/issues/426" - ], - "ignore_url": 
"https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-537162\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "A memory leak flaw was found in Libtiff's tiffcrop utility. This issue occurs when tiffcrop operates on a TIFF image file, allowing an attacker to pass a crafted TIFF image file to tiffcrop utility, which causes this memory leak issue, resulting an application crash, eventually leading to a denial of service.", - "severity": "Medium", - "type": "security", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-532917", - "cves": [ - { - "cve": "CVE-2023-3576", - "cvss_v3_score": "5.5", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" - } - ], - "references": [ - "https://access.redhat.com/security/cve/CVE-2023-3576", - "https://access.redhat.com/errata/RHSA-2023:6575", - "https://bugzilla.redhat.com/show_bug.cgi?id=2219340", - "https://lists.debian.org/debian-lts-announce/2024/03/msg00011.html", - "https://security-tracker.debian.org/tracker/CVE-2023-3576" - ], - "ignore_url": 
"https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-532917\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "LibTIFF is vulnerable to an integer overflow. This flaw allows remote attackers to cause a denial of service (application crash) or possibly execute an arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.", - "severity": "Medium", - "type": "security", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-529112", - "cves": [ - { - "cve": "CVE-2023-40745", - "cvss_v3_score": "6.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" - } - ], - "references": [ - "https://access.redhat.com/security/cve/CVE-2023-40745", - "https://access.redhat.com/errata/RHSA-2024:2289", - "https://security-tracker.debian.org/tracker/CVE-2023-40745", - "https://security.netapp.com/advisory/ntap-20231110-0005/", - "https://bugzilla.redhat.com/show_bug.cgi?id=2235265" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-529112\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", - "extended_information": { - "short_description": "An integer 
overflow in libtiff’s tiffcp may lead to remote code execution when parsing crafted images.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "The prerequisites for exploiting the issue are extremely unlikely", - "description": "For an attacker to exploit this vulnerability, `tiffcp` has to be invoked with the `-m` flag with an attacker-controlled value. In addition to this, the attacker has to be able to supply a crafted TIFF file as input.", - "is_positive": true - }, - { - "name": "The issue has an exploit published", - "description": "A PoC which demonstrates denial of service was published along with the git issue." - }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "The vulnerability leads to denial of service and possibly remote code execution." - }, - { - "name": "No high-impact exploit or technical writeup were published, and exploitation of the issue with high impact is either non-trivial or completely unproven", - "description": "Although integer overflow could potentially lead to RCE, no exploit or technical writeup suggested such an impact for this issue.", - "is_positive": true - } - ] - } - }, - { - "summary": "linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.", - "severity": "Medium", - "type": "security", - "components": { - "deb://debian:bookworm:libpam-modules-bin:1.5.2-6+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": 
"deb://debian:bookworm:libpam-modules-bin:1.5.2-6+deb12u1", - "full_path": "libpam-modules-bin:1.5.2-6+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libpam-modules:1.5.2-6+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libpam-modules:1.5.2-6+deb12u1", - "full_path": "libpam-modules:1.5.2-6+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libpam-runtime:1.5.2-6+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libpam-runtime:1.5.2-6+deb12u1", - "full_path": "libpam-runtime:1.5.2-6+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libpam0g:1.5.2-6+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libpam0g:1.5.2-6+deb12u1", - "full_path": "libpam0g:1.5.2-6+deb12u1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-588807", - "cves": [ - { - "cve": "CVE-2024-22365", - "cvss_v3_score": "5.5", - 
"cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" - } - ], - "references": [ - "https://github.com/linux-pam/linux-pam", - "http://www.openwall.com/lists/oss-security/2024/01/18/3", - "https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb", - "https://github.com/linux-pam/linux-pam/releases/tag/v1.6.0", - "https://security-tracker.debian.org/tracker/CVE-2024-22365" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-588807\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an application crash. 
This issue affects glibc 2.37 and newer.", - "severity": "High", - "type": "security", - "components": { - "deb://debian:bookworm:libc-bin:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc-bin:2.36-9+deb12u3", - "full_path": "libc-bin:2.36-9+deb12u3" - } - ] - ] - }, - "deb://debian:bookworm:libc6:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc6:2.36-9+deb12u3", - "full_path": "libc6:2.36-9+deb12u3" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-589629", - "cves": [ - { - "cve": "CVE-2023-6779", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - } - ], - "references": [ - "http://seclists.org/fulldisclosure/2024/Feb/3", - "https://security.netapp.com/advisory/ntap-20240223-0006/", - "https://access.redhat.com/security/cve/CVE-2023-6779", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2FIH77VHY3KCRROCXOT6L27WMZXSJ2G/", - "https://security-tracker.debian.org/tracker/CVE-2023-6779", - "https://www.openwall.com/lists/oss-security/2024/01/30/6", - 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWQ6BZJ6CV5UAW4VZSKJ6TO4KIW2KWAQ/", - "https://bugzilla.redhat.com/show_bug.cgi?id=2254395", - "https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt", - "https://security.gentoo.org/glsa/202402-01", - "http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-589629\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1" - }, - { - "summary": "Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_combined_bipredictive_merging_candidates function at motion.cc.", - "severity": "High", - "type": "security", - "components": { - "deb://debian:bookworm:libde265-0:1.0.11-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libde265-0:1.0.11-1", - "full_path": "libde265-0:1.0.11-1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-540357", - "cves": [ - { - "cve": "CVE-2023-49467", - "cvss_v3_score": "8.8", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" - } - ], - "references": [ - "https://github.com/strukturag/libde265/issues/434", - "https://security-tracker.debian.org/tracker/CVE-2023-49467", - "https://lists.debian.org/debian-lts-announce/2023/12/msg00022.html" - ], - "ignore_url": 
"https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-540357\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", - "extended_information": { - "short_description": "An infinite loop in libde265 leads to DoS when parsing attacker-supplied H.265 data.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", - "description": "The CVSS does not take into account the non-trivial exploitation prerequisites. In addition, the CVSS alludes that remote code execution is possible, while in reality the worst impact of exploiting this issue is denial of service.", - "is_positive": true - }, - { - "name": "The impact of exploiting the issue depends on the context of surrounding software. A severe impact such as RCE is not guaranteed.", - "description": "The attacker must be able to provide remote input that will be parsed by H.265, for example - `./dec265 attacker_input`.", - "is_positive": true - } - ] - } - }, - { - "summary": "libheif v1.17.5 was discovered to contain a segmentation violation via the component /libheif/exif.cc.", - "severity": "High", - "type": "security", - "components": { - "deb://debian:bookworm:libheif1:1.15.1-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libheif1:1.15.1-1", - "full_path": "libheif1:1.15.1-1" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - 
"issue_id": "XRAY-540354", - "cves": [ - { - "cve": "CVE-2023-49462", - "cvss_v3_score": "8.8", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" - } - ], - "references": [ - "https://github.com/strukturag/libheif/issues/1043", - "https://security-tracker.debian.org/tracker/CVE-2023-49462" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-540354\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", - "extended_information": { - "short_description": "An integer overflow in libheif leads to denial of service.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "The issue has an exploit published", - "description": "A proof-of-concept was published along with the vulnerability via (GitHub)[https://github.com/strukturag/libheif/issues/1043]." - }, - { - "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", - "description": "The CVSS score does not reflect the context dependent exploitation of this vulnerability.", - "is_positive": true - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "To successfully exploit this vulnerability an attacker needs to find a way to propagate input into the vulnerable functions `modify_exif_tag_if_it_exists(unsigned char*, unsigned int, unsigned short, unsigned short)` or `read_exif_orientation_tag(unsigned char const*, unsigned int)`.", - "is_positive": true - }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "Successful exploitation of this vulnerability leads to denial of service." 
- } - ] - } - }, - { - "summary": "A vulnerability was found in perl 5.30.0 through 5.38.0. This issue occurs when a crafted regular expression is compiled by perl, which can allow an attacker controlled byte buffer overflow in a heap allocated buffer.", - "severity": "High", - "type": "security", - "components": { - "deb://debian:bookworm:perl-base:5.36.0-7": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:perl-base:5.36.0-7", - "full_path": "perl-base:5.36.0-7" - } - ] - ] - } - }, - "watch_name": "Security_watch_1", - "issue_id": "XRAY-539839", - "cves": [ - { - "cve": "CVE-2023-47038", - "cvss_v3_score": "7.8", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" - } - ], - "references": [ - "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056746", - "https://access.redhat.com/errata/RHSA-2024:3128", - "https://access.redhat.com/security/cve/CVE-2023-47038", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNEEWAACXQCEEAKSG7XX2D5YDRWLCIZJ/", - "https://security-tracker.debian.org/tracker/CVE-2023-47038", - "https://bugzilla.redhat.com/show_bug.cgi?id=2249523", - "https://perldoc.perl.org/perl5382delta#CVE-2023-47038-Write-past-buffer-end-via-illegal-user-defined-Unicode-property", - "https://access.redhat.com/errata/RHSA-2024:2228" - ], - "ignore_url": "https://tokyoshiftleft.jfrog.io/ui/admin/xray/policiesGovernance/ignore-rules?graph_scan_id=f1ca2a08-1d7b-4194-72be-7b84afc51fac\u0026issue_id=XRAY-539839\u0026on_demand_scanning=true\u0026show_popup=true\u0026type=security\u0026watch_name=Security_watch_1", - 
"extended_information": { - "short_description": "(non-issue) A heap buffer overflow in Perl leads to no impact when parsing a crafted regular expression.", - "jfrog_research_severity": "Low", - "jfrog_research_severity_reasons": [ - { - "name": "The issue has an exploit published", - "description": "A test case is given, and is included in the Debian advisory:\n`perl -e 'qr/\\p{utf8::_perl_surrogate}/'`" - }, - { - "name": "The issue cannot result in a severe impact (such as remote code execution)", - "description": "If the attacker can execute arbitrary Perl code, exploiting the vulnerability would offer no additional security impact.", - "is_positive": true - }, - { - "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", - "description": "The CVSS impact does not reflect the prerequisites required to exploit the vulnerability.", - "is_positive": true - }, - { - "name": "The prerequisites for exploiting the issue are extremely unlikely", - "description": "The attacker must be able to run Perl code which the victim executes.", - "is_positive": true - } - ] - } - } - ], - "vulnerabilities": [ - { - "cves": [ - { - "cve": "CVE-2019-3815", - "cvss_v2_score": "2.1", - "cvss_v2_vector": "CVSS:2.0/AV:L/AC:L/Au:N/C:N/I:N/A:P", - "cvss_v3_score": "3.3", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", - "cwe": [ - "CWE-401" - ], - "cwe_details": { - "CWE-401": { - "name": "Missing Release of Memory after Effective Lifetime", - "description": "The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory." - } - } - } - ], - "summary": "A memory leak was discovered in the backport of fixes for CVE-2018-16864 in Red Hat Enterprise Linux. Function dispatch_message_real() in journald-server.c does not free the memory allocated by set_iovec_field_free() to store the `_CMDLINE=` entry. 
A local attacker may use this flaw to make systemd-journald crash. This issue only affects versions shipped with Red Hat Enterprise since v219-62.2.", - "severity": "Low", - "components": { - "deb://debian:bookworm:libsystemd0:252.17-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libsystemd0:252.17-1~deb12u1", - "full_path": "libsystemd0:252.17-1~deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libudev1:252.17-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libudev1:252.17-1~deb12u1", - "full_path": "libudev1:252.17-1~deb12u1" - } - ] - ] - } - }, - "issue_id": "XRAY-74739", - "references": [ - "https://access.redhat.com/errata/RHSA-2019:0201", - "https://lists.debian.org/debian-lts-announce/2019/03/msg00013.html", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3815", - "https://security-tracker.debian.org/tracker/CVE-2019-3815", - "https://access.redhat.com/errata/RHBA-2019:0327", - "http://www.securityfocus.com/bid/106632" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-50387", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-770" - ], - "cwe_details": { - "CWE-770": { - "name": "Allocation of Resources Without Limits or 
Throttling", - "description": "The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor." - } - } - } - ], - "summary": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", - "severity": "High", - "components": { - "deb://debian:bookworm:libsystemd0:252.17-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libsystemd0:252.17-1~deb12u1", - "full_path": "libsystemd0:252.17-1~deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libudev1:252.17-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libudev1:252.17-1~deb12u1", - "full_path": "libudev1:252.17-1~deb12u1" - } - ] - ] - } - }, - "issue_id": "XRAY-590537", - "references": [ - 
"https://security.netapp.com/advisory/ntap-20240307-0007/", - "http://www.openwall.com/lists/oss-security/2024/02/16/2", - "https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/", - "https://news.ycombinator.com/item?id=39367411", - "https://www.athene-center.de/aktuelles/key-trap", - "https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/", - "https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html", - "https://www.isc.org/blogs/2024-bind-security-release/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/", - "https://bugzilla.suse.com/show_bug.cgi?id=1219823", - "https://lists.debian.org/debian-lts-announce/2024/05/msg00011.html", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/", - "https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1", - "https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf", - "https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/", - "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/", - 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/", - "https://security-tracker.debian.org/tracker/CVE-2023-50387", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/", - "https://kb.isc.org/docs/cve-2023-50387", - "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html", - "https://news.ycombinator.com/item?id=39372384", - "http://www.openwall.com/lists/oss-security/2024/02/16/3", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/", - "https://access.redhat.com/security/cve/CVE-2023-50387" - ], - "extended_information": { - "short_description": "Unbounded resource consumption in the DNSSEC extension of the DNS protocol may lead to denial of service when resolving a malicious domain.", - "jfrog_research_severity": "High", - "jfrog_research_severity_reasons": [ - { - "name": "The prerequisites for exploiting the issue are either extremely common or nonexistent (always exploitable)", - "description": "To exploit the vulnerability, an attacker needs to make the victim resolver validate his malicious domain.\nNote - This flaw is derived from the DNSSEC standard, thus every implementation of DNSSEC that follows the standard is vulnerable." - }, - { - "name": "The issue can be exploited by attackers over the network", - "description": "The attacker needs to send a DNS query to the target resolver, requesting his malicious domain. The attack occurs when the resolver tries to validate the response from the DNS server." - }, - { - "name": "The issue has an exploit published", - "description": "A PoC was published, demonstrating denial of service." 
- }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "Exploitation of the vulnerability causes high resource consumption, which leads to denial of service." - }, - { - "name": "The issue has a detailed technical explanation published, that can aid in exploit development", - "description": "A technically detailed writeup of this vulnerability (under the name \"keytrap\") was published by the research team, ATHENE-RESEARC." - } - ], - "remediation": "##### Deployment mitigations\n\nSince the vulnerability affects many different DNS resolvers, remediation is on a case-by-case basis." - } - }, - { - "cves": [ - { - "cve": "CVE-2023-31437", - "cvss_v3_score": "5.3", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "cwe": [ - "CWE-354" - ], - "cwe_details": { - "CWE-354": { - "name": "Improper Validation of Integrity Check Value", - "description": "The product does not validate or incorrectly validates the integrity check values or checksums of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission." - } - } - } - ], - "summary": "An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. 
NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"", - "severity": "Low", - "components": { - "deb://debian:bookworm:libsystemd0:252.17-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libsystemd0:252.17-1~deb12u1", - "full_path": "libsystemd0:252.17-1~deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libudev1:252.17-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libudev1:252.17-1~deb12u1", - "full_path": "libudev1:252.17-1~deb12u1" - } - ] - ] - } - }, - "issue_id": "XRAY-522311", - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2023-31437", - "https://github.com/systemd/systemd/releases", - "https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf", - "https://github.com/kastel-security/Journald" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-31439", - "cvss_v3_score": "5.3", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "cwe": [ - "CWE-354" - ], - "cwe_details": { - "CWE-354": { - "name": "Improper Validation of Integrity Check Value", - "description": "The product does not validate or incorrectly validates the integrity check values or checksums of a message. 
This may prevent it from detecting if the data has been modified or corrupted in transmission." - } - } - } - ], - "summary": "An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"", - "severity": "Low", - "components": { - "deb://debian:bookworm:libsystemd0:252.17-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libsystemd0:252.17-1~deb12u1", - "full_path": "libsystemd0:252.17-1~deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libudev1:252.17-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libudev1:252.17-1~deb12u1", - "full_path": "libudev1:252.17-1~deb12u1" - } - ] - ] - } - }, - "issue_id": "XRAY-522310", - "references": [ - "https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf", - "https://github.com/systemd/systemd/releases", - "https://github.com/systemd/systemd/pull/28885", - "https://security-tracker.debian.org/tracker/CVE-2023-31439", - "https://github.com/kastel-security/Journald" - ] - }, - { - "cves": [ - { - 
"cve": "CVE-2023-7008", - "cvss_v3_score": "5.9", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", - "cwe": [ - "NVD-CWE-Other" - ] - } - ], - "summary": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", - "severity": "Medium", - "components": { - "deb://debian:bookworm:libsystemd0:252.17-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libsystemd0:252.17-1~deb12u1", - "full_path": "libsystemd0:252.17-1~deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libudev1:252.17-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libudev1:252.17-1~deb12u1", - "full_path": "libudev1:252.17-1~deb12u1" - } - ] - ] - } - }, - "issue_id": "XRAY-585478", - "references": [ - "https://bugzilla.redhat.com/show_bug.cgi?id=2222672", - "https://github.com/systemd/systemd/issues/25676", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4GMDEG5PKONWNHOEYSUDRT6JEOISRMN2/", - "https://access.redhat.com/errata/RHSA-2024:2463", - 
"https://access.redhat.com/security/cve/CVE-2023-7008", - "https://security-tracker.debian.org/tracker/CVE-2023-7008", - "https://access.redhat.com/errata/RHSA-2024:3203", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHNBXGKJWISJETTTDTZKTBFIBJUOSLKL/", - "https://bugzilla.redhat.com/show_bug.cgi?id=2222261" - ] - }, - { - "cves": [ - { - "cve": "CVE-2013-4392", - "cvss_v2_score": "3.3", - "cvss_v2_vector": "CVSS:2.0/AV:L/AC:M/Au:N/C:P/I:P/A:N", - "cwe": [ - "CWE-59" - ], - "cwe_details": { - "CWE-59": { - "name": "Improper Link Resolution Before File Access ('Link Following')", - "description": "The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource." - } - } - } - ], - "summary": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", - "severity": "Low", - "components": { - "deb://debian:bookworm:libsystemd0:252.17-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libsystemd0:252.17-1~deb12u1", - "full_path": "libsystemd0:252.17-1~deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libudev1:252.17-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - 
"full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libudev1:252.17-1~deb12u1", - "full_path": "libudev1:252.17-1~deb12u1" - } - ] - ] - } - }, - "issue_id": "XRAY-32874", - "references": [ - "http://www.openwall.com/lists/oss-security/2013/10/01/9", - "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357", - "https://security-tracker.debian.org/tracker/CVE-2013-4392", - "https://bugzilla.redhat.com/show_bug.cgi?id=859060" - ], - "extended_information": { - "short_description": "Improper update of SELinux labels in systemd allows root users to bypass SELinux via mount commands.", - "full_description": "[`systemd`](https://systemd.io) is a Linux software suite that provides numerous tools and system components, mainly a system and service manager, who runs on system startup.\n`systemd` before 239 improperly performs [`SELinux`](https://selinuxproject.org/) label updates when mounting drives, which makes it vulnerable to symlink attacks that may result in local privilege escalation. \n\n`SELinux` labels are used for access control, and help manage the access to resources based on user privilege. When `systemd` is required to mount user-specified drives or directories, it recursively updates the `SELinux` labels of the files inside the mounted directory tree, granting privileges to the mounting user to use those files. A vulnerability in `systemd`'s `label_fix` function allows an attacker to perform a symlink attack, in which a symlink to a sensitive resource exists in the mounted directory tree. 
This would result in the update of the `SELinux` label of the file pointed by the symlink, granting the mounting user privileges to use that resource, effectively bypassing SELinux.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "The prerequisites for exploiting the issue are either extremely common or nonexistent (always exploitable)", - "description": "The issue affects many distributions by default, when SELinux is enabled" - }, - { - "name": "The issue cannot result in a severe impact (such as remote code execution)", - "description": "Bypass of SELinux by root users", - "is_positive": true - }, - { - "name": "The issue can only be exploited by an attacker that can execute code on the vulnerable machine (excluding exceedingly rare circumstances)", - "description": "A local attacker must create symbolic links and perform mount commands", - "is_positive": true - }, - { - "name": "The issue can only be exploited by an attacker with high privileges", - "description": "Mounting requires root privileges", - "is_positive": true - } - ] - } - }, - { - "cves": [ - { - "cve": "CVE-2023-31438", - "cvss_v3_score": "5.3", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "cwe": [ - "CWE-354" - ], - "cwe_details": { - "CWE-354": { - "name": "Improper Validation of Integrity Check Value", - "description": "The product does not validate or incorrectly validates the integrity check values or checksums of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission." - } - } - } - ], - "summary": "An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. 
NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"", - "severity": "Low", - "components": { - "deb://debian:bookworm:libsystemd0:252.17-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libsystemd0:252.17-1~deb12u1", - "full_path": "libsystemd0:252.17-1~deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libudev1:252.17-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libudev1:252.17-1~deb12u1", - "full_path": "libudev1:252.17-1~deb12u1" - } - ] - ] - } - }, - "issue_id": "XRAY-522309", - "references": [ - "https://github.com/kastel-security/Journald", - "https://github.com/systemd/systemd/releases", - "https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf", - "https://security-tracker.debian.org/tracker/CVE-2023-31438", - "https://github.com/systemd/systemd/pull/28886" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-50495", - "cvss_v3_score": "6.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "cwe": [ - "NVD-CWE-noinfo" - ] - } - ], - "summary": "NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().", - "severity": "Medium", - "components": { - 
"deb://debian:bookworm:libtinfo6:6.4-4": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libtinfo6:6.4-4", - "full_path": "libtinfo6:6.4-4" - } - ] - ] - }, - "deb://debian:bookworm:ncurses-base:6.4-4": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:ncurses-base:6.4-4", - "full_path": "ncurses-base:6.4-4" - } - ] - ] - }, - "deb://debian:bookworm:ncurses-bin:6.4-4": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:ncurses-bin:6.4-4", - "full_path": "ncurses-bin:6.4-4" - } - ] - ] - } - }, - "issue_id": "XRAY-540521", - "references": [ - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/", - "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00020.html", - "https://security.netapp.com/advisory/ntap-20240119-0008/", - 
"https://security-tracker.debian.org/tracker/CVE-2023-50495", - "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00029.html" - ] - }, - { - "cves": [ - { - "cve": "CVE-2024-2379" - } - ], - "summary": "libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems.", - "severity": "Low", - "components": { - "deb://debian:bookworm:curl:7.88.1-10+deb12u4": { - "fixed_versions": [ - "[8.7.1-1]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:curl:7.88.1-10+deb12u4", - "full_path": "curl:7.88.1-10+deb12u4" - } - ] - ] - }, - "deb://debian:bookworm:libcurl4:7.88.1-10+deb12u4": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libcurl4:7.88.1-10+deb12u4", - "full_path": "libcurl4:7.88.1-10+deb12u4" - } - ] - ] - } - }, - "issue_id": "XRAY-596170", - "references": [ - "https://curl.se/docs/CVE-2024-2379.html", - "https://support.apple.com/kb/HT214120", - "https://support.apple.com/kb/HT214118", - "http://seclists.org/fulldisclosure/2024/Jul/19", - "https://support.apple.com/kb/HT214119", - 
"http://seclists.org/fulldisclosure/2024/Jul/18", - "http://seclists.org/fulldisclosure/2024/Jul/20", - "http://www.openwall.com/lists/oss-security/2024/03/27/2", - "https://hackerone.com/reports/2410774", - "https://security.netapp.com/advisory/ntap-20240531-0001/", - "https://security-tracker.debian.org/tracker/CVE-2024-2379", - "https://curl.se/docs/CVE-2024-2379.json" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-46219", - "cvss_v3_score": "5.3", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "cwe": [ - "CWE-311" - ], - "cwe_details": { - "CWE-311": { - "name": "Missing Encryption of Sensitive Data", - "description": "The product does not encrypt sensitive or critical information before storage or transmission." - } - } - } - ], - "summary": "When saving HSTS data to an excessively long file name, curl could end up\nremoving all contents, making subsequent requests using that file unaware of\nthe HSTS status they should otherwise use.", - "severity": "Medium", - "components": { - "deb://debian:bookworm:curl:7.88.1-10+deb12u4": { - "fixed_versions": [ - "[7.88.1-10+deb12u5]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:curl:7.88.1-10+deb12u4", - "full_path": "curl:7.88.1-10+deb12u4" - } - ] - ] - }, - "deb://debian:bookworm:libcurl4:7.88.1-10+deb12u4": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": 
"sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libcurl4:7.88.1-10+deb12u4", - "full_path": "libcurl4:7.88.1-10+deb12u4" - } - ] - ] - } - }, - "issue_id": "XRAY-540277", - "references": [ - "https://www.debian.org/security/2023/dsa-5587", - "https://security.netapp.com/advisory/ntap-20240119-0007/", - "https://hackerone.com/reports/2236133", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/", - "https://curl.se/docs/CVE-2023-46219.html", - "https://security-tracker.debian.org/tracker/CVE-2023-46219" - ] - }, - { - "cves": [ - { - "cve": "CVE-2024-7264", - "cvss_v3_score": "6.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-125" - ], - "cwe_details": { - "CWE-125": { - "name": "Out-of-bounds Read", - "description": "The product reads data past the end, or before the beginning, of the intended buffer.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "7" - } - ] - } - } - } - ], - "summary": "libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an\nASN.1 Generalized Time field. 
If given an syntactically incorrect field, the\nparser might end up using -1 for the length of the *time fraction*, leading to\na `strlen()` getting performed on a pointer to a heap buffer area that is not\n(purposely) null terminated.\n\nThis flaw most likely leads to a crash, but can also lead to heap contents\ngetting returned to the application when\n[CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.", - "severity": "Medium", - "components": { - "deb://debian:bookworm:curl:7.88.1-10+deb12u4": { - "fixed_versions": [ - "[7.88.1-10+deb12u7]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:curl:7.88.1-10+deb12u4", - "full_path": "curl:7.88.1-10+deb12u4" - } - ] - ] - }, - "deb://debian:bookworm:libcurl4:7.88.1-10+deb12u4": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libcurl4:7.88.1-10+deb12u4", - "full_path": "libcurl4:7.88.1-10+deb12u4" - } - ] - ] - } - }, - "issue_id": "XRAY-617171", - "references": [ - "https://hackerone.com/reports/2629968", - "https://security-tracker.debian.org/tracker/CVE-2024-7264", - "https://curl.se/docs/CVE-2024-7264.json", - "http://www.openwall.com/lists/oss-security/2024/07/31/1", - "https://curl.se/docs/CVE-2024-7264.html" - ] - }, - { - "cves": [ - { - "cve": 
"CVE-2023-46218", - "cvss_v3_score": "6.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", - "cwe": [ - "NVD-CWE-noinfo" - ] - } - ], - "summary": "This flaw allows a malicious HTTP server to set \"super cookies\" in curl that\nare then passed back to more origins than what is otherwise allowed or\npossible. This allows a site to set cookies that then would get sent to\ndifferent and unrelated sites and domains.\n\nIt could do this by exploiting a mixed case flaw in curl's function that\nverifies a given cookie domain against the Public Suffix List (PSL). For\nexample a cookie could be set with `domain=co.UK` when the URL used a lower\ncase hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.", - "severity": "Medium", - "components": { - "deb://debian:bookworm:curl:7.88.1-10+deb12u4": { - "fixed_versions": [ - "[7.88.1-10+deb12u5]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:curl:7.88.1-10+deb12u4", - "full_path": "curl:7.88.1-10+deb12u4" - } - ] - ] - }, - "deb://debian:bookworm:libcurl4:7.88.1-10+deb12u4": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libcurl4:7.88.1-10+deb12u4", - "full_path": "libcurl4:7.88.1-10+deb12u4" - } - ] - ] - } - }, - "issue_id": "XRAY-540279", - 
"references": [ - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/", - "https://security-tracker.debian.org/tracker/CVE-2023-46218", - "https://lists.debian.org/debian-lts-announce/2023/12/msg00015.html", - "https://curl.se/docs/CVE-2023-46218.html", - "https://hackerone.com/reports/2212193", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/", - "https://security.netapp.com/advisory/ntap-20240125-0007/", - "https://www.debian.org/security/2023/dsa-5587" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-3618", - "cvss_v3_score": "6.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-120" - ], - "cwe_details": { - "CWE-120": { - "name": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", - "description": "The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow." - } - } - } - ], - "summary": "A flaw was found in libtiff. 
A specially crafted tiff file can lead to a segmentation fault due to a buffer overflow in the Fax3Encode function in libtiff/tif_fax3.c, resulting in a denial of service.", - "severity": "Medium", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "issue_id": "XRAY-523187", - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2023-3618", - "https://support.apple.com/kb/HT214036", - "https://bugzilla.redhat.com/show_bug.cgi?id=2215865", - "https://security.netapp.com/advisory/ntap-20230824-0012/", - "https://access.redhat.com/security/cve/CVE-2023-3618", - "https://support.apple.com/kb/HT214037", - "https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html", - "https://support.apple.com/kb/HT214038" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-26965", - "cvss_v3_score": "5.5", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-787" - ], - "cwe_details": { - "CWE-787": { - "name": "Out-of-bounds Write", - "description": "The product writes data past the end, or before the beginning, of the intended buffer.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "1" - } - ] - } - } - } - ], - "summary": "loadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based use after free via a crafted TIFF image.", - "severity": "Medium", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - 
}, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "issue_id": "XRAY-522607", - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2023-26965", - "https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html", - "https://security.netapp.com/advisory/ntap-20230706-0009/", - "https://gitlab.com/libtiff/libtiff/-/merge_requests/472" - ], - "extended_information": { - "short_description": "Use after free in libtiff's Tiffcrop may lead to code execution when parsing crafted images.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "The issue has an exploit published", - "description": "Published PoC demonstrates crashing the tiffcrop CLI utility. Note that crashing tiffcrop has no security impact, since it is a forked CLI utility (will not crash parent process)." - }, - { - "name": "No high-impact exploit or technical writeup were published, and exploitation of the issue with high impact is either non-trivial or completely unproven", - "description": "Although a crashing PoC is available, exploiting the vulnerability for remote code execution is currently only theoretically possible, and actual exploitation has not been demonstrated. Only some cases of use-after-free can be exploited for RCE.", - "is_positive": true - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. 
The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "The attacker must be able to upload a crafted TIFF image, which will then be processed by the `tiffcrop` CLI tool, for example -\n```bash\ntiffcrop -z 12,50,12,99:112,150,112,199 -e divided attacker_image.tiff output.tiff\n```", - "is_positive": true - } - ] - } - }, - { - "cves": [ - { - "cve": "CVE-2022-3636", - "cvss_v3_score": "7.8", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "cwe": [ - "CWE-119" - ], - "cwe_details": { - "CWE-119": { - "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer", - "description": "The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "17" - } - ] - } - } - } - ], - "summary": "A vulnerability, which was classified as critical, was found in Linux Kernel. This affects the function __mtk_ppe_check_skb of the file drivers/net/ethernet/mediatek/mtk_ppe.c of the component Ethernet Handler. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. 
The associated identifier of this vulnerability is VDB-211935.", - "severity": "High", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "issue_id": "XRAY-414609", - "references": [ - "https://git.kernel.org/pub/scm/linux/kernel/git/pabeni/net-next.git/commit/?id=17a5f6a78dc7b8db385de346092d7d9f9dc24df6", - "https://vuldb.com/?id.211935", - "https://www.debian.org/security/2023/dsa-5333", - "https://security-tracker.debian.org/tracker/CVE-2022-3636" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-6277", - "cvss_v3_score": "6.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-400" - ], - "cwe_details": { - "CWE-400": { - "name": "Uncontrolled Resource Consumption", - "description": "The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources." - } - } - } - ], - "summary": "An out-of-memory flaw was found in libtiff. 
Passing a crafted tiff file to TIFFOpen() API may allow a remote attacker to cause a denial of service via a craft input with size smaller than 379 KB.", - "severity": "Medium", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "issue_id": "XRAY-539830", - "references": [ - "https://gitlab.com/libtiff/libtiff/-/issues/614", - "https://support.apple.com/kb/HT214123", - "https://support.apple.com/kb/HT214118", - "https://support.apple.com/kb/HT214122", - "https://support.apple.com/kb/HT214120", - "http://seclists.org/fulldisclosure/2024/Jul/21", - "http://seclists.org/fulldisclosure/2024/Jul/19", - "https://support.apple.com/kb/HT214117", - "http://seclists.org/fulldisclosure/2024/Jul/20", - "http://seclists.org/fulldisclosure/2024/Jul/23", - "https://support.apple.com/kb/HT214116", - "http://seclists.org/fulldisclosure/2024/Jul/16", - "https://support.apple.com/kb/HT214119", - "https://support.apple.com/kb/HT214124", - "http://seclists.org/fulldisclosure/2024/Jul/17", - "http://seclists.org/fulldisclosure/2024/Jul/22", - "http://seclists.org/fulldisclosure/2024/Jul/18", - "https://security.netapp.com/advisory/ntap-20240119-0002/", - "https://access.redhat.com/security/cve/CVE-2023-6277", - "https://bugzilla.redhat.com/show_bug.cgi?id=2251311", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7ZGN2MZXJ6E57W3L4YBM3ZPAU3T7T5C/", - 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WJIN6DTSL3VODZUGWEUXLEL5DR53EZMV/", - "https://security-tracker.debian.org/tracker/CVE-2023-6277", - "https://gitlab.com/libtiff/libtiff/-/merge_requests/545" - ] - }, - { - "cves": [ - { - "cve": "CVE-2017-16232", - "cvss_v2_score": "5.0", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-772" - ], - "cwe_details": { - "CWE-772": { - "name": "Missing Release of Resource after Effective Lifetime", - "description": "The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed." - } - } - } - ], - "summary": "LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce the issue", - "severity": "Low", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "issue_id": "XRAY-59579", - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2017-16232", - "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00036.html", - "http://www.securityfocus.com/bid/101696", - "http://seclists.org/fulldisclosure/2018/Dec/47", - "http://www.openwall.com/lists/oss-security/2017/11/01/7", - 
"http://seclists.org/fulldisclosure/2018/Dec/32", - "http://www.openwall.com/lists/oss-security/2017/11/01/3", - "http://packetstormsecurity.com/files/150896/LibTIFF-4.0.8-Memory-Leak.html", - "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00041.html", - "http://www.openwall.com/lists/oss-security/2017/11/01/8", - "http://www.openwall.com/lists/oss-security/2017/11/01/11" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-2908", - "cvss_v3_score": "5.5", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-476" - ], - "cwe_details": { - "CWE-476": { - "name": "NULL Pointer Dereference", - "description": "A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "12" - } - ] - } - } - } - ], - "summary": "A null pointer dereference issue was found in Libtiff's tif_dir.c file. This issue may allow an attacker to pass a crafted TIFF image file to the tiffcp utility which triggers a runtime error that causes undefined behavior. 
This will result in an application crash, eventually leading to a denial of service.", - "severity": "Medium", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "issue_id": "XRAY-522698", - "references": [ - "https://access.redhat.com/security/cve/CVE-2023-2908", - "https://gitlab.com/libtiff/libtiff/-/commit/9bd48f0dbd64fb94dc2b5b05238fde0bfdd4ff3f", - "https://gitlab.com/libtiff/libtiff/-/merge_requests/479", - "https://security.netapp.com/advisory/ntap-20230731-0004/", - "https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html", - "https://security-tracker.debian.org/tracker/CVE-2023-2908", - "https://bugzilla.redhat.com/show_bug.cgi?id=2218830" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-26966", - "cvss_v3_score": "5.5", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-120" - ], - "cwe_details": { - "CWE-120": { - "name": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", - "description": "The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow." 
- } - } - } - ], - "summary": "libtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when libtiff reads a corrupted little-endian TIFF file and specifies the output to be big-endian.", - "severity": "Medium", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "issue_id": "XRAY-522650", - "references": [ - "https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html", - "https://security-tracker.debian.org/tracker/CVE-2023-26966", - "https://gitlab.com/libtiff/libtiff/-/issues/530", - "https://gitlab.com/libtiff/libtiff/-/merge_requests/473" - ] - }, - { - "cves": [ - { - "cve": "CVE-2017-17973", - "cvss_v2_score": "6.8", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P", - "cvss_v3_score": "8.8", - "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cwe": [ - "CWE-416" - ], - "cwe_details": { - "CWE-416": { - "name": "Use After Free", - "description": "Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "4" - } - ] - } - } - } - ], - "summary": "In LibTIFF 4.0.8, there is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. 
NOTE: there is a third-party report of inability to reproduce this issue", - "severity": "Low", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "issue_id": "XRAY-60516", - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2017-17973", - "https://bugzilla.novell.com/show_bug.cgi?id=1074318", - "http://www.securityfocus.com/bid/102331", - "https://bugzilla.redhat.com/show_bug.cgi?id=1530912", - "http://bugzilla.maptools.org/show_bug.cgi?id=2769" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-52355", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-787" - ], - "cwe_details": { - "CWE-787": { - "name": "Out-of-bounds Write", - "description": "The product writes data past the end, or before the beginning, of the intended buffer.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "1" - } - ] - } - } - } - ], - "summary": "An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API. 
This flaw allows a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB.", - "severity": "High", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "issue_id": "XRAY-589394", - "references": [ - "https://gitlab.com/libtiff/libtiff/-/issues/621", - "https://security-tracker.debian.org/tracker/CVE-2023-52355", - "https://bugzilla.redhat.com/show_bug.cgi?id=2251326", - "https://access.redhat.com/security/cve/CVE-2023-52355" - ], - "extended_information": { - "short_description": "Unbounded resource consumption in libtiff may lead to denial of service when parsing a crafted tiff file.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "The issue has an exploit published", - "description": "PoC is included in the git issue discussing the problem." - }, - { - "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", - "description": "The CVSS attack complexity does not reflect the contextual prerequisites required to exploit the vulnerability.", - "is_positive": true - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. 
The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "To exploit the vulnerability, the attacker must be able to upload a tiff file whose size will get checked by the vulnerable `TIFFRasterScanlineSize64()` function, and allocate memory (without any limitations) based on the results.", - "is_positive": true - } - ], - "remediation": "##### Development mitigations\n\nAs a workaround, users could implement checks, or use `TIFFOpenOptionsSetMaxSingleMemAlloc()`, to reject files that they consider to consume too many resources for their use case. For example -\n```\n// Allow 1MB single mem alloc\nTIFFOpenOptionsSetMaxSingleMemAlloc(\u0026opts, 1*1024*1024);\n```" - } - }, - { - "cves": [ - { - "cve": "CVE-2023-25433", - "cvss_v3_score": "5.5", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-120" - ], - "cwe_details": { - "CWE-120": { - "name": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", - "description": "The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow." - } - } - } - ], - "summary": "libtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiffcrop.c:8499. 
Incorrect updating of buffer size after rotateImage() in tiffcrop cause heap-buffer-overflow and SEGV.", - "severity": "Medium", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "issue_id": "XRAY-523034", - "references": [ - "https://gitlab.com/libtiff/libtiff/-/merge_requests/467", - "https://security-tracker.debian.org/tracker/CVE-2023-25433", - "https://gitlab.com/libtiff/libtiff/-/issues/520", - "https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-6228", - "cvss_v3_score": "5.5", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-787" - ], - "cwe_details": { - "CWE-787": { - "name": "Out-of-bounds Write", - "description": "The product writes data past the end, or before the beginning, of the intended buffer.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "1" - } - ] - } - } - } - ], - "summary": "An issue was found in the tiffcp utility distributed by the libtiff package where a crafted TIFF file on processing may cause a heap-based buffer overflow leads to an application crash.", - "severity": "Low", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - 
"full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "issue_id": "XRAY-539705", - "references": [ - "https://access.redhat.com/errata/RHSA-2024:5079", - "https://access.redhat.com/errata/RHSA-2024:2289", - "https://security-tracker.debian.org/tracker/CVE-2023-6228", - "https://access.redhat.com/security/cve/CVE-2023-6228", - "https://bugzilla.redhat.com/show_bug.cgi?id=2240995" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-52356", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-787" - ], - "cwe_details": { - "CWE-787": { - "name": "Out-of-bounds Write", - "description": "The product writes data past the end, or before the beginning, of the intended buffer.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "1" - } - ] - } - } - } - ], - "summary": "A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. 
This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service.", - "severity": "High", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "issue_id": "XRAY-589395", - "references": [ - "https://access.redhat.com/errata/RHSA-2024:5079", - "https://support.apple.com/kb/HT214123", - "https://support.apple.com/kb/HT214118", - "http://seclists.org/fulldisclosure/2024/Jul/21", - "https://support.apple.com/kb/HT214122", - "https://support.apple.com/kb/HT214117", - "http://seclists.org/fulldisclosure/2024/Jul/20", - "http://seclists.org/fulldisclosure/2024/Jul/23", - "https://support.apple.com/kb/HT214116", - "http://seclists.org/fulldisclosure/2024/Jul/16", - "https://support.apple.com/kb/HT214119", - "https://support.apple.com/kb/HT214124", - "http://seclists.org/fulldisclosure/2024/Jul/17", - "https://support.apple.com/kb/HT214120", - "http://seclists.org/fulldisclosure/2024/Jul/19", - "http://seclists.org/fulldisclosure/2024/Jul/22", - "http://seclists.org/fulldisclosure/2024/Jul/18", - "https://lists.debian.org/debian-lts-announce/2024/03/msg00011.html", - "https://gitlab.com/libtiff/libtiff/-/issues/622", - "https://gitlab.com/libtiff/libtiff/-/merge_requests/546", - "https://security-tracker.debian.org/tracker/CVE-2023-52356", - "https://bugzilla.redhat.com/show_bug.cgi?id=2251344", - "https://access.redhat.com/security/cve/CVE-2023-52356" - ], - "extended_information": { - "short_description": "A heap buffer overflow in libtiff 
may lead to denial of service when parsing a crafted tiff image.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "To exploit the vulnerability, the attacker must be able to upload a maliciously crafted tiff image which will be parsed by the victim.", - "is_positive": true - }, - { - "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", - "description": "The CVSS score does not reflect the contextual prerequisites required to exploit the vulnerability.", - "is_positive": true - } - ] - } - }, - { - "cves": [ - { - "cve": "CVE-2023-1916", - "cvss_v3_score": "6.1", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", - "cwe": [ - "CWE-125" - ], - "cwe_details": { - "CWE-125": { - "name": "Out-of-bounds Read", - "description": "The product reads data past the end, or before the beginning, of the intended buffer.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "7" - } - ] - } - } - } - ], - "summary": "A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. 
This issue affects libtiff versions 4.x.", - "severity": "Low", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "issue_id": "XRAY-513433", - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2023-1916", - "https://gitlab.com/libtiff/libtiff/-/issues/536", - "https://gitlab.com/libtiff/libtiff/-/issues/537", - "https://gitlab.com/libtiff/libtiff/-/issues/536%2C", - "https://support.apple.com/kb/HT213844" - ] - }, - { - "cves": [ - { - "cve": "CVE-2017-9117", - "cvss_v2_score": "7.5", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P", - "cvss_v3_score": "9.8", - "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cwe": [ - "CWE-125" - ], - "cwe_details": { - "CWE-125": { - "name": "Out-of-bounds Read", - "description": "The product reads data past the end, or before the beginning, of the intended buffer.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "7" - } - ] - } - } - } - ], - "summary": "In LibTIFF 4.0.7, the program processes BMP images without verifying that biWidth and biHeight in the bitmap-information header match the actual input, leading to a heap-based buffer over-read in bmp2tiff.", - "severity": "Low", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": 
"generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "issue_id": "XRAY-54208", - "references": [ - "http://www.securityfocus.com/bid/98581", - "http://bugzilla.maptools.org/show_bug.cgi?id=2690", - "https://security-tracker.debian.org/tracker/CVE-2017-9117", - "https://usn.ubuntu.com/3606-1/" - ] - }, - { - "cves": [ - { - "cve": "CVE-2010-4665", - "cvss_v2_score": "4.3", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P", - "cwe": [ - "CWE-189" - ] - } - ], - "summary": "Integer overflow in the ReadDirectory function in tiffdump.c in tiffdump in LibTIFF before 3.9.5 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TIFF file containing a directory data structure with many directory entries.", - "severity": "Medium", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "issue_id": "XRAY-36369", - "references": [ - "http://www.securityfocus.com/bid/47338", - "http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058478.html", - "http://www.debian.org/security/2012/dsa-2552", - 
"http://lists.opensuse.org/opensuse-security-announce/2011-05/msg00005.html", - "https://security-tracker.debian.org/tracker/CVE-2010-4665", - "http://security.gentoo.org/glsa/glsa-201209-02.xml", - "http://secunia.com/advisories/44271", - "http://ubuntu.com/usn/usn-1416-1", - "http://bugzilla.maptools.org/show_bug.cgi?id=2218", - "https://bugzilla.redhat.com/show_bug.cgi?id=695887", - "http://www.remotesensing.org/libtiff/v3.9.5.html", - "http://secunia.com/advisories/50726", - "http://openwall.com/lists/oss-security/2011/04/12/10" - ] - }, - { - "cves": [ - { - "cve": "CVE-2022-1210", - "cvss_v2_score": "4.3", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P", - "cvss_v3_score": "6.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-404" - ], - "cwe_details": { - "CWE-404": { - "name": "Improper Resource Shutdown or Release", - "description": "The product does not release or incorrectly releases a resource before it is made available for re-use." - } - } - } - ], - "summary": "A vulnerability classified as problematic was found in LibTIFF 4.3.0. Affected by this vulnerability is the TIFF File Handler of tiff2ps. Opening a malicious file leads to a denial of service. The attack can be launched remotely but requires user interaction. 
The exploit has been disclosed to the public and may be used.", - "severity": "Low", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "issue_id": "XRAY-203004", - "references": [ - "https://vuldb.com/?id.196363", - "https://security.netapp.com/advisory/ntap-20220513-0005/", - "https://security-tracker.debian.org/tracker/CVE-2022-1210", - "https://security.gentoo.org/glsa/202210-10", - "https://gitlab.com/libtiff/libtiff/-/issues/402", - "https://gitlab.com/libtiff/libtiff/uploads/c3da94e53cf1e1e8e6d4d3780dc8c42f/example.tiff" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-3576", - "cvss_v3_score": "5.5", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-401" - ], - "cwe_details": { - "CWE-401": { - "name": "Missing Release of Memory after Effective Lifetime", - "description": "The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory." - } - } - } - ], - "summary": "A memory leak flaw was found in Libtiff's tiffcrop utility. 
This issue occurs when tiffcrop operates on a TIFF image file, allowing an attacker to pass a crafted TIFF image file to tiffcrop utility, which causes this memory leak issue, resulting an application crash, eventually leading to a denial of service.", - "severity": "Medium", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "issue_id": "XRAY-532917", - "references": [ - "https://access.redhat.com/security/cve/CVE-2023-3576", - "https://access.redhat.com/errata/RHSA-2023:6575", - "https://bugzilla.redhat.com/show_bug.cgi?id=2219340", - "https://lists.debian.org/debian-lts-announce/2024/03/msg00011.html", - "https://security-tracker.debian.org/tracker/CVE-2023-3576" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-3164", - "cvss_v3_score": "5.5", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-787" - ], - "cwe_details": { - "CWE-787": { - "name": "Out-of-bounds Write", - "description": "The product writes data past the end, or before the beginning, of the intended buffer.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "1" - } - ] - } - } - } - ], - "summary": "A heap-buffer-overflow vulnerability was found in LibTIFF, in extractImageSection() at tools/tiffcrop.c:7916 and tools/tiffcrop.c:7801. 
This flaw allows attackers to cause a denial of service via a crafted tiff file.", - "severity": "Low", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "issue_id": "XRAY-521552", - "references": [ - "https://access.redhat.com/security/cve/CVE-2023-3164", - "https://security-tracker.debian.org/tracker/CVE-2023-3164", - "https://gitlab.com/libtiff/libtiff/-/issues/542", - "https://bugzilla.redhat.com/show_bug.cgi?id=2213531" - ], - "extended_information": { - "short_description": "A heap buffer overflow in the tiffcrop utility in libtiff possibly leads to remote code execution when parsing a crafted TIFF file.", - "full_description": "[libTIFF](http://www.simplesystems.org/libtiff/) is a popular library which provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. One of the utilities that can be provided with libtiff is tiffcrop, which is most often used to extract portions of an image for processing.\n\n`tiffcrop` can be run with one or more flags. 
These flags include, but are not limited to:\n\n* `-S`: With the `-S` flag, `tiffcrop` will divide each image to equal columns and rows.\n* `-R`: With the `-R` flag, the provided TIFF image will be rotated.\n* `-e`: With the `-e` flag, the user can specify the export mode for images and selections from input images.\n\nWhen running `tiffcrop` with the `-e` flag set to `divided`, `multiple` or `separate`, with the `-S` flag and also with the `-R` flag, an attacker can provide a crafted TIFF file which will cause a heap overflow in the `processCropSelections()` function.\n\nAlthough the heap overflow could potentially lead to RCE, no exploit or technical writeup suggested such an impact for this issue.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "The prerequisites for exploiting the issue are extremely unlikely", - "description": "For an attacker to exploit this vulnerability, `tiffcrop` has to be invoked with specific `-e`, '-S' and `-R` flags. In addition to this, the attacker has to be able to supply a crafted TIFF file as input.", - "is_positive": true - }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "The vulnerability may lead to remote code execution." - }, - { - "name": "No high-impact exploit or technical writeup were published, and exploitation of the issue with high impact is either non-trivial or completely unproven", - "description": "Although heap overflow could potentially lead to RCE, no exploit or technical writeup suggested such an impact for this issue.", - "is_positive": true - }, - { - "name": "The issue has an exploit published", - "description": "A crafted TIFF file is publicly available that demonstrates crashing `libtiff`." 
- } - ] - } - }, - { - "cves": [ - { - "cve": "CVE-2018-10126", - "cvss_v2_score": "4.3", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P", - "cvss_v3_score": "6.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-476" - ], - "cwe_details": { - "CWE-476": { - "name": "NULL Pointer Dereference", - "description": "A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "12" - } - ] - } - } - } - ], - "summary": "ijg-libjpeg before 9d, as used in tiff2pdf (from LibTIFF) and other products, does not check for a NULL pointer at a certain place in jpeg_fdct_16x16 in jfdctint.c.", - "severity": "Low", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "issue_id": "XRAY-67637", - "references": [ - "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E", - "https://security-tracker.debian.org/tracker/CVE-2018-10126", - "https://gitlab.com/libtiff/libtiff/-/issues/128", - "http://bugzilla.maptools.org/show_bug.cgi?id=2786" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-41175", - "cvss_v3_score": "6.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-190" - ], - "cwe_details": { - "CWE-190": { - "name": "Integer Overflow or Wraparound", - "description": "The 
product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "14" - } - ] - } - } - } - ], - "summary": "A vulnerability was found in libtiff due to multiple potential integer overflows in raw2tiff.c. This flaw allows remote attackers to cause a denial of service or possibly execute an arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.", - "severity": "Medium", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "issue_id": "XRAY-529113", - "references": [ - "https://bugzilla.redhat.com/show_bug.cgi?id=2235264", - "https://access.redhat.com/errata/RHSA-2024:2289", - "https://security-tracker.debian.org/tracker/CVE-2023-41175", - "https://access.redhat.com/security/cve/CVE-2023-41175" - ], - "extended_information": { - "short_description": "An integer overflow in libtiff's raw2tiff may lead to remote code execution when parsing crafted images.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "The prerequisites for exploiting the issue are extremely unlikely", - "description": "For an attacker to exploit this vulnerability, `raw2tiff` has to be invoked with the `-l`, `-b` and `-w` flags. 
In addition to this, the attacker has to be able to supply a crafted TIFF file as input.", - "is_positive": true - }, - { - "name": "The issue has an exploit published", - "description": "PoC was published along with the git issue." - }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "The vulnerability leads to denial of service and possibly remote code execution." - }, - { - "name": "No high-impact exploit or technical writeup were published, and exploitation of the issue with high impact is either non-trivial or completely unproven", - "description": "Although integer overflow could potentially lead to RCE, no exploit or technical writeup suggested such an impact for this issue.", - "is_positive": true - } - ] - } - }, - { - "cves": [ - { - "cve": "CVE-2017-5563", - "cvss_v2_score": "6.8", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P", - "cvss_v3_score": "8.8", - "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cwe": [ - "CWE-125" - ], - "cwe_details": { - "CWE-125": { - "name": "Out-of-bounds Read", - "description": "The product reads data past the end, or before the beginning, of the intended buffer.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "7" - } - ] - } - } - } - ], - "summary": "LibTIFF version 4.0.7 is vulnerable to a heap-based buffer over-read in tif_lzw.c resulting in DoS or code execution via a crafted bmp image to tools/bmp2tiff.", - "severity": "Low", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": 
"deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "issue_id": "XRAY-46608", - "references": [ - "https://security.gentoo.org/glsa/201709-27", - "http://bugzilla.maptools.org/show_bug.cgi?id=2664", - "https://usn.ubuntu.com/3606-1/", - "http://www.securityfocus.com/bid/95705", - "https://security-tracker.debian.org/tracker/CVE-2017-5563" - ] - }, - { - "cves": [ - { - "cve": "CVE-2024-7006", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-476" - ], - "cwe_details": { - "CWE-476": { - "name": "NULL Pointer Dereference", - "description": "A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "12" - } - ] - } - } - } - ], - "summary": "A null pointer dereference flaw was found in Libtiff via `tif_dirinfo.c`. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. 
This can cause an application crash, eventually leading to a denial of service.", - "severity": "High", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "issue_id": "XRAY-617888", - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2024-7006", - "https://access.redhat.com/security/cve/CVE-2024-7006", - "https://bugzilla.redhat.com/show_bug.cgi?id=2302996", - "https://access.redhat.com/errata/RHSA-2024:6360" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-40745", - "cvss_v3_score": "6.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-190" - ], - "cwe_details": { - "CWE-190": { - "name": "Integer Overflow or Wraparound", - "description": "The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "14" - } - ] - } - } - } - ], - "summary": "LibTIFF is vulnerable to an integer overflow. 
This flaw allows remote attackers to cause a denial of service (application crash) or possibly execute an arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.", - "severity": "Medium", - "components": { - "deb://debian:bookworm:libtiff6:4.5.0-6": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libtiff6:4.5.0-6", - "full_path": "libtiff6:4.5.0-6" - } - ] - ] - } - }, - "issue_id": "XRAY-529112", - "references": [ - "https://access.redhat.com/security/cve/CVE-2023-40745", - "https://access.redhat.com/errata/RHSA-2024:2289", - "https://security-tracker.debian.org/tracker/CVE-2023-40745", - "https://security.netapp.com/advisory/ntap-20231110-0005/", - "https://bugzilla.redhat.com/show_bug.cgi?id=2235265" - ], - "extended_information": { - "short_description": "An integer overflow in libtiff’s tiffcp may lead to remote code execution when parsing crafted images.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "The prerequisites for exploiting the issue are extremely unlikely", - "description": "For an attacker to exploit this vulnerability, `tiffcp` has to be invoked with the `-m` flag with an attacker-controlled value. In addition to this, the attacker has to be able to supply a crafted TIFF file as input.", - "is_positive": true - }, - { - "name": "The issue has an exploit published", - "description": "A PoC which demonstrates denial of service was published along with the git issue." 
- }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "The vulnerability leads to denial of service and possibly remote code execution." - }, - { - "name": "No high-impact exploit or technical writeup were published, and exploitation of the issue with high impact is either non-trivial or completely unproven", - "description": "Although integer overflow could potentially lead to RCE, no exploit or technical writeup suggested such an impact for this issue.", - "is_positive": true - } - ] - } - }, - { - "cves": [ - { - "cve": "CVE-2023-2953", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-476" - ], - "cwe_details": { - "CWE-476": { - "name": "NULL Pointer Dereference", - "description": "A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "12" - } - ] - } - } - } - ], - "summary": "A vulnerability was found in openldap. 
This security flaw causes a null pointer dereference in ber_memalloc_x() function.", - "severity": "High", - "components": { - "deb://debian:bookworm:libldap-2.5-0:2.5.13+dfsg-5": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libldap-2.5-0:2.5.13+dfsg-5", - "full_path": "libldap-2.5-0:2.5.13+dfsg-5" - } - ] - ] - } - }, - "issue_id": "XRAY-520865", - "references": [ - "http://seclists.org/fulldisclosure/2023/Jul/48", - "https://support.apple.com/kb/HT213845", - "http://seclists.org/fulldisclosure/2023/Jul/47", - "https://bugs.openldap.org/show_bug.cgi?id=9904", - "https://security-tracker.debian.org/tracker/CVE-2023-2953", - "https://support.apple.com/kb/HT213844", - "https://access.redhat.com/security/cve/CVE-2023-2953", - "https://security.netapp.com/advisory/ntap-20230703-0005/", - "http://seclists.org/fulldisclosure/2023/Jul/52", - "https://support.apple.com/kb/HT213843" - ] - }, - { - "cves": [ - { - "cve": "CVE-2020-15719", - "cvss_v2_score": "4.0", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:P/A:N", - "cvss_v3_score": "4.2", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", - "cwe": [ - "CWE-295" - ], - "cwe_details": { - "CWE-295": { - "name": "Improper Certificate Validation", - "description": "The product does not validate, or incorrectly validates, a certificate." - } - } - } - ], - "summary": "libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). 
This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.", - "severity": "Low", - "components": { - "deb://debian:bookworm:libldap-2.5-0:2.5.13+dfsg-5": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libldap-2.5-0:2.5.13+dfsg-5", - "full_path": "libldap-2.5-0:2.5.13+dfsg-5" - } - ] - ] - } - }, - "issue_id": "XRAY-113528", - "references": [ - "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10365", - "https://www.oracle.com/security-alerts/cpuapr2022.html", - "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00033.html", - "https://security-tracker.debian.org/tracker/CVE-2020-15719", - "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00059.html", - "https://bugzilla.redhat.com/show_bug.cgi?id=1740070", - "https://bugs.openldap.org/show_bug.cgi?id=9266", - "https://access.redhat.com/errata/RHBA-2019:3674" - ] - }, - { - "cves": [ - { - "cve": "CVE-2017-14159", - "cvss_v2_score": "1.9", - "cvss_v2_vector": "CVSS:2.0/AV:L/AC:M/Au:N/C:N/I:N/A:P", - "cvss_v3_score": "4.7", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-665" - ], - "cwe_details": { - "CWE-665": { - "name": "Improper Initialization", - "description": "The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used." 
- } - } - } - ], - "summary": "slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a \"kill `cat /pathname`\" command, as demonstrated by openldap-initscript.", - "severity": "Low", - "components": { - "deb://debian:bookworm:libldap-2.5-0:2.5.13+dfsg-5": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libldap-2.5-0:2.5.13+dfsg-5", - "full_path": "libldap-2.5-0:2.5.13+dfsg-5" - } - ] - ] - } - }, - "issue_id": "XRAY-58392", - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2017-14159", - "http://www.openldap.org/its/index.cgi?findid=8703", - "https://www.oracle.com/security-alerts/cpuapr2022.html" - ] - }, - { - "cves": [ - { - "cve": "CVE-2015-3276", - "cvss_v2_score": "5.0", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "cwe": [ - "NVD-CWE-noinfo" - ] - } - ], - "summary": "The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors.", - "severity": "Low", - "components": { - "deb://debian:bookworm:libldap-2.5-0:2.5.13+dfsg-5": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": 
"generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libldap-2.5-0:2.5.13+dfsg-5", - "full_path": "libldap-2.5-0:2.5.13+dfsg-5" - } - ] - ] - } - }, - "issue_id": "XRAY-37126", - "references": [ - "http://rhn.redhat.com/errata/RHSA-2015-2131.html", - "http://www.securitytracker.com/id/1034221", - "https://security-tracker.debian.org/tracker/CVE-2015-3276", - "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html", - "https://bugzilla.redhat.com/show_bug.cgi?id=1238322" - ] - }, - { - "cves": [ - { - "cve": "CVE-2017-17740", - "cvss_v2_score": "5.0", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-119" - ], - "cwe_details": { - "CWE-119": { - "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer", - "description": "The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "17" - } - ] - } - } - } - ], - "summary": "contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation.", - "severity": "Low", - "components": { - "deb://debian:bookworm:libldap-2.5-0:2.5.13+dfsg-5": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": 
"generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libldap-2.5-0:2.5.13+dfsg-5", - "full_path": "libldap-2.5-0:2.5.13+dfsg-5" - } - ] - ] - } - }, - "issue_id": "XRAY-60510", - "references": [ - "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00053.html", - "https://security-tracker.debian.org/tracker/CVE-2017-17740", - "http://www.openldap.org/its/index.cgi/Incoming?id=8759", - "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10365", - "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00058.html", - "https://www.oracle.com/security-alerts/cpuapr2022.html" - ] - }, - { - "cves": [ - { - "cve": "CVE-2024-22365", - "cvss_v3_score": "5.5", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "cwe": [ - "NVD-CWE-noinfo" - ] - } - ], - "summary": "linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.", - "severity": "Medium", - "components": { - "deb://debian:bookworm:libpam-modules-bin:1.5.2-6+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libpam-modules-bin:1.5.2-6+deb12u1", - "full_path": "libpam-modules-bin:1.5.2-6+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libpam-modules:1.5.2-6+deb12u1": { - "impact_paths": [ - [ - { - "component_id": 
"docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libpam-modules:1.5.2-6+deb12u1", - "full_path": "libpam-modules:1.5.2-6+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libpam-runtime:1.5.2-6+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libpam-runtime:1.5.2-6+deb12u1", - "full_path": "libpam-runtime:1.5.2-6+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libpam0g:1.5.2-6+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libpam0g:1.5.2-6+deb12u1", - "full_path": "libpam0g:1.5.2-6+deb12u1" - } - ] - ] - } - }, - "issue_id": "XRAY-588807", - "references": [ - "https://github.com/linux-pam/linux-pam", - "http://www.openwall.com/lists/oss-security/2024/01/18/3", - "https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb", - "https://github.com/linux-pam/linux-pam/releases/tag/v1.6.0", - "https://security-tracker.debian.org/tracker/CVE-2024-22365" - ] - }, - 
{ - "cves": [ - { - "cve": "CVE-2015-9019", - "cvss_v2_score": "5.0", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N", - "cvss_v3_score": "5.3", - "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "cwe": [ - "CWE-330" - ], - "cwe_details": { - "CWE-330": { - "name": "Use of Insufficiently Random Values", - "description": "The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers." - } - } - } - ], - "summary": "In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs.", - "severity": "Low", - "components": { - "deb://debian:bookworm:libxslt1.1:1.1.35-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libxslt1.1:1.1.35-1", - "full_path": "libxslt1.1:1.1.35-1" - } - ] - ] - } - }, - "issue_id": "XRAY-52917", - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2015-9019", - "https://bugzilla.gnome.org/show_bug.cgi?id=758400", - "https://bugzilla.suse.com/show_bug.cgi?id=934119" - ] - }, - { - "cves": [ - { - "cve": "CVE-2024-5171", - "cvss_v3_score": "9.8", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cwe": [ - "CWE-190" - ], - "cwe_details": { - "CWE-190": { - "name": "Integer Overflow or Wraparound", - "description": "The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. 
This can introduce other weaknesses when the calculation is used for resource management or execution control.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "14" - } - ] - } - } - } - ], - "summary": "Integer overflow in libaom internal function img_alloc_helper can lead to heap buffer overflow. This function can be reached via 3 callers:\n\n\n * Calling aom_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.\n * Calling aom_img_wrap() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.\n * Calling aom_img_alloc_with_border() with a large value of the d_w, d_h, align, size_align, or border parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.", - "severity": "Critical", - "components": { - "deb://debian:bookworm:libaom3:3.6.0-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libaom3:3.6.0-1", - "full_path": "libaom3:3.6.0-1" - } - ] - ] - } - }, - "issue_id": "XRAY-604193", - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2024-5171", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HYUEHZ35ZPY2EONVZCGO6LPT3AMLZCP/", - 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5NRNCEYS246CYGOR32MF7OGKWOWER22/", - "https://issues.chromium.org/issues/332382766" - ], - "extended_information": { - "short_description": "An integer overflow in libaom may lead to remote code execution when parsing malicious video data.", - "full_description": "[Libaom](https://aomedia.googlesource.com/aom/) is the reference encoder and decoder library for the `AV1` video codec. AV1 (AOMedia Video 1) is an open, royalty-free video coding format designed for video transmissions over the Internet. It was developed by the Alliance for Open Media (AOMedia), a consortium that includes firms like Google, Cisco, Microsoft, Mozilla, and Netflix.\nThe `aom` in libaom stands for `Alliance for Open Media`, and the library serves as a standard reference codebase that can be used to implement AV1 compression and decompression.\n\nProviding large values as the arguments to the `img_alloc_helper()` function, may lead to an integer overflow and a subsequent heap buffer overflow, which may lead to remote code execution.\n\n`img_alloc_helper()` function is an internal function that is used to allocate memory for an `aom_image_t` structure and its associated image data. This function is very useful when you need to manually create an image buffer that can then be used with the AOM codec for various operations like encoding or decoding.\n\nThe vulnerability cannot be exploited directly by calling `img_alloc_helper()` because it is an internal function. 
\n\nAlthough integer overflow could potentially lead to RCE, no exploit or technical writeup suggested such an impact for this issue.\n\nTo exploit this vulnerability the following functions can be called with excessively large values as parameters:\n\n* `aom_img_alloc()` with a large value of the d_w, d_h, or align parameters.\n\n* `aom_img_wrap()` with a large value of the d_w, d_h, or align parameters.\n\n* `aom_img_alloc_with_border()` with a large value of the d_w, d_h, align, size_align, or border parameters.", - "jfrog_research_severity": "High", - "jfrog_research_severity_reasons": [ - { - "name": "The issue has an exploit published", - "description": "The published exploit demonstrates DoS." - }, - { - "name": "No high-impact exploit or technical writeup were published, and exploitation of the issue with high impact is either non-trivial or completely unproven", - "description": "Although integer overflow could potentially lead to RCE, no exploit or technical writeup suggested such an impact for this issue.", - "is_positive": true - }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "The highest potential impact of this issue is severe (Remote Code Execution). Although no such impact has been demonstrated in practice." - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. 
The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "An attacker would need to find input propagating into the libaom encoding or decoding operations.", - "is_positive": true - } - ], - "remediation": "##### Development mitigations\n\nMake sure the following functions don't accept excessively large values as arguments to the following functions:\n\n* `aom_img_alloc()` with a large value of the d_w, d_h, or align parameters.\n\n* `aom_img_wrap()` with a large value of the d_w, d_h, or align parameters.\n\n* `aom_img_alloc_with_border()` with a large value of the d_w, d_h, align, size_align, or border parameters." - } - }, - { - "cves": [ - { - "cve": "CVE-2023-39616", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-119" - ], - "cwe_details": { - "CWE-119": { - "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer", - "description": "The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "17" - } - ] - } - } - } - ], - "summary": "AOMedia v3.0.0 to v3.5.0 was discovered to contain an invalid read memory access via the component assign_frame_buffer_p in av1/common/av1_common_int.h.", - "severity": "High", - "components": { - "deb://debian:bookworm:libaom3:3.6.0-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libaom3:3.6.0-1", - "full_path": "libaom3:3.6.0-1" - } - ] - ] - } - }, - 
"issue_id": "XRAY-529506", - "references": [ - "https://bugs.chromium.org/p/aomedia/issues/detail?id=3372#c3", - "https://security-tracker.debian.org/tracker/CVE-2023-39616" - ], - "extended_information": { - "short_description": "Invalid pointer dereference in libaom leads to denial of service when encoding crafted video data with nondefault configuration options set.", - "jfrog_research_severity": "Low", - "jfrog_research_severity_reasons": [ - { - "name": "The issue has an exploit published", - "description": "The published exploit demonstrates DoS" - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "The issue can be exploited by the `aomenc` CLI tool when called on arbitrary input file with the flag `--drop-frame=1` - \n`aomenc --passes=1 -h 1 -w 1 --drop-frame=1 --end-usage=cbr --buf-sz=1 -o /dev/null poc`\n \n\nAlternatively, the issue can be exploited through `libaom` when calling `aom_codec_enc_init` where the 3rd arg (`config`) has `dropframe_thresh == 1` + calling `aom_codec_encode` with external input to the 2nd arg (`img`)", - "is_positive": true - }, - { - "name": "The issue cannot result in a severe impact (such as remote code execution)", - "description": "Exploiting the DoS via invocation of the `aomenc` CLI tool has minimal security impact, since exploitation will cause the `aomenc` forked utiliy process to crash (crashing a forked process has minimal security impact)\n\nThe issue can also be exploited via specific calls to `libaom`, however the configuration needed is extremely rare and crashing a video encoder usually does not have a high security impact.\n\nDebian classified this CVE as a \"minor issue\"", - "is_positive": true - } - ] - } - }, - { - "cves": [ - { - "cve": "CVE-2023-6879", - "cvss_v3_score": "9.8", - "cvss_v3_vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cwe": [ - "CWE-787" - ], - "cwe_details": { - "CWE-787": { - "name": "Out-of-bounds Write", - "description": "The product writes data past the end, or before the beginning, of the intended buffer.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "1" - } - ] - } - } - } - ], - "summary": "Increasing the resolution of video frames, while performing a multi-threaded encode, can result in a heap overflow in av1_loop_restoration_dealloc().", - "severity": "Critical", - "components": { - "deb://debian:bookworm:libaom3:3.6.0-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libaom3:3.6.0-1", - "full_path": "libaom3:3.6.0-1" - } - ] - ] - } - }, - "issue_id": "XRAY-585747", - "references": [ - "https://aomedia.googlesource.com/aom/+/refs/tags/v3.7.1", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D6C2HN4T2S6GYNTAUXLH45LQZHK7QPHP/", - "https://crbug.com/aomedia/3491", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AYONA2XSNFMXLAW4IHLFI5UVV3QRNG5K/", - "https://security-tracker.debian.org/tracker/CVE-2023-6879" - ], - "extended_information": { - "short_description": "Heap buffer overread in the av1 module of the aom library can lead to denial of service when resizing frames under special conditions.", - "full_description": "AOM (Alliance for Open Media) is an open-source, royalty-free video codec library implemented in C, developed by the Alliance for Open Media, a consortium of technology companies and research institutions. 
The AOM library supports the AV1, VP9, and Thor video formats, providing high-quality video compression and is used for a variety of applications, including video streaming, video conferencing, and video editing.\nThe AV1 codec, developed by the Alliance for Open Media, is a state-of-the-art video compression technology that achieves exceptional efficiency while preserving high visual quality. The AOM library provides a comprehensive toolkit for working with AV1-encoded video streams, offering encoding, decoding, and manipulation capabilities.\n\nA vulnerability was found when using the `aom_codec_destroy()` function to clean up memory after resizing AV1 frames, specifically when:\n\n- Using AV1 codec (`aom_codec_av1_cx()`)\n- Utilizing multiple threads\n```\naom_codec_enc_cfg_t cfg;\naom_codec_enc_config_default(iface, \u0026cfg, AOM_USAGE_GOOD_QUALITY));\ncfg.g_threads = 4;\n```\n\nUnder these conditions, a Denial of Service (DoS) vulnerability emerges, manifesting as a heap buffer overread during object destruction.", - "jfrog_research_severity": "Low", - "jfrog_research_severity_reasons": [ - { - "name": "The issue has an exploit published", - "description": "A public example of vulnerable AOM code exists, which shows how a DoS might be triggered." - }, - { - "name": "The issue cannot result in a severe impact (such as remote code execution)", - "description": "Under normal circumstances, the attacker cannot supply input which will trigger this vulnerability (either the vulnerable code exists or does not exist).", - "is_positive": true - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. 
The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "The vulnerability triggers under the following conditions -\n- use of the AV1 codec (`aom_codec_av1_cx()`)\n- use of more than 1 thread:\n```\naom_codec_enc_cfg_t cfg;\naom_codec_enc_config_default(iface, \u0026cfg, AOM_USAGE_GOOD_QUALITY));\ncfg.g_threads = 4;\n```\n- cleaning the memory at the end of the encoding process (`aom_codec_destroy()`)", - "is_positive": true - } - ] - } - }, - { - "cves": [ - { - "cve": "CVE-2024-28757" - } - ], - "summary": "libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).", - "severity": "Low", - "components": { - "deb://debian:bookworm:libexpat1:2.5.0-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libexpat1:2.5.0-1", - "full_path": "libexpat1:2.5.0-1" - } - ] - ] - } - }, - "issue_id": "XRAY-593447", - "references": [ - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKJ7V5F6LJCEQJXDBWGT27J7NAP3E3N7/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VK2O34GH43NTHBZBN7G5Y6YKJKPUCTBE/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPLC6WDSRDUYS7F7JWAOVOHFNOUQ43DD/", - "http://www.openwall.com/lists/oss-security/2024/03/15/1", - "https://github.com/libexpat/libexpat/issues/839", - "https://github.com/libexpat/libexpat/pull/842", - "https://security.netapp.com/advisory/ntap-20240322-0001/", - 
"https://security-tracker.debian.org/tracker/CVE-2024-28757" - ] - }, - { - "cves": [ - { - "cve": "CVE-2024-45492", - "cvss_v3_score": "9.8", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cwe": [ - "CWE-190" - ], - "cwe_details": { - "CWE-190": { - "name": "Integer Overflow or Wraparound", - "description": "The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "14" - } - ] - } - } - } - ], - "summary": "An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).", - "severity": "Critical", - "components": { - "deb://debian:bookworm:libexpat1:2.5.0-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libexpat1:2.5.0-1", - "full_path": "libexpat1:2.5.0-1" - } - ] - ] - } - }, - "issue_id": "XRAY-632612", - "references": [ - "https://github.com/libexpat/libexpat/issues/889", - "https://security-tracker.debian.org/tracker/CVE-2024-45492", - "https://github.com/libexpat/libexpat/pull/892" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-52426", - "cvss_v3_score": "5.5", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-776" - ], - "cwe_details": { - "CWE-776": { - "name": "Improper Restriction of Recursive Entity References 
in DTDs ('XML Entity Expansion')", - "description": "The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities." - } - } - } - ], - "summary": "libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.", - "severity": "Low", - "components": { - "deb://debian:bookworm:libexpat1:2.5.0-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libexpat1:2.5.0-1", - "full_path": "libexpat1:2.5.0-1" - } - ] - ] - } - }, - "issue_id": "XRAY-589896", - "references": [ - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/", - "https://security-tracker.debian.org/tracker/CVE-2023-52426", - "https://cwe.mitre.org/data/definitions/776.html", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNUBSGZFEZOBHJFTAD42SAN4ATW2VEMV/", - "https://security.netapp.com/advisory/ntap-20240307-0005/", - "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404", - "https://github.com/libexpat/libexpat/pull/777" - ] - }, - { - "cves": [ - { - "cve": "CVE-2024-45491", - "cvss_v3_score": "9.8", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cwe": [ - "CWE-190" - ], - "cwe_details": { - "CWE-190": { - "name": "Integer Overflow or Wraparound", - "description": "The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the 
resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "14" - } - ] - } - } - } - ], - "summary": "An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).", - "severity": "Critical", - "components": { - "deb://debian:bookworm:libexpat1:2.5.0-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libexpat1:2.5.0-1", - "full_path": "libexpat1:2.5.0-1" - } - ] - ] - } - }, - "issue_id": "XRAY-632611", - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2024-45491", - "https://github.com/libexpat/libexpat/pull/891", - "https://github.com/libexpat/libexpat/issues/888" - ] - }, - { - "cves": [ - { - "cve": "CVE-2024-45490", - "cvss_v3_score": "9.8", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cwe": [ - "CWE-611" - ], - "cwe_details": { - "CWE-611": { - "name": "Improper Restriction of XML External Entity Reference", - "description": "The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output." - } - } - } - ], - "summary": "An issue was discovered in libexpat before 2.6.3. 
xmlparse.c does not reject a negative length for XML_ParseBuffer.", - "severity": "Critical", - "components": { - "deb://debian:bookworm:libexpat1:2.5.0-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libexpat1:2.5.0-1", - "full_path": "libexpat1:2.5.0-1" - } - ] - ] - } - }, - "issue_id": "XRAY-632613", - "references": [ - "https://github.com/libexpat/libexpat/issues/887", - "https://security-tracker.debian.org/tracker/CVE-2024-45490", - "https://github.com/libexpat/libexpat/pull/890" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-52425", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-400" - ], - "cwe_details": { - "CWE-400": { - "name": "Uncontrolled Resource Consumption", - "description": "The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources." 
- } - } - } - ], - "summary": "libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.", - "severity": "High", - "components": { - "deb://debian:bookworm:libexpat1:2.5.0-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libexpat1:2.5.0-1", - "full_path": "libexpat1:2.5.0-1" - } - ] - ] - } - }, - "issue_id": "XRAY-589898", - "references": [ - "http://www.openwall.com/lists/oss-security/2024/03/20/5", - "https://security.netapp.com/advisory/ntap-20240614-0003/", - "https://github.com/libexpat/libexpat/pull/789", - "https://lists.debian.org/debian-lts-announce/2024/04/msg00006.html", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNUBSGZFEZOBHJFTAD42SAN4ATW2VEMV/", - "https://security-tracker.debian.org/tracker/CVE-2023-52425" - ], - "extended_information": { - "short_description": "A design problem in libexpat may lead to denial of service when parsing a crafted XML document with large tokens.", - "jfrog_research_severity": "High", - "jfrog_research_severity_reasons": [ - { - "name": "The issue has an exploit published", - "description": "A PoC demonstrating denial-of-service can be found in Expat's tests." 
- }, - { - "name": "The issue is trivial to exploit and does not require a published writeup or PoC", - "description": "The issue doesn't require any in-depth knowledge to trigger as a proof-of-concept exists in the official fix commit." - }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "Exploitation of the vulnerability leads to high resource consumption which may lead to denial of service." - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "Exploitation requires passing user-controlled input to an XML parsing function such as `XML_Parse`.", - "is_positive": true - } - ] - } - }, - { - "cves": [ - { - "cve": "CVE-2013-0337", - "cvss_v2_score": "7.5", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P", - "cwe": [ - "CWE-264" - ] - } - ], - "summary": "The default configuration of nginx, possibly 1.3.13 and earlier, uses world-readable permissions for the (1) access.log and (2) error.log files, which allows local users to obtain sensitive information by reading the files.", - "severity": "Low", - "components": { - "deb://debian:bookworm:nginx:1.25.2-1~bookworm": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:nginx:1.25.2-1~bookworm", - "full_path": "nginx:1.25.2-1~bookworm" - } - ] - ] - } - }, - "issue_id": "XRAY-32935", - "references": [ - "http://security.gentoo.org/glsa/glsa-201310-04.xml", - "http://www.openwall.com/lists/oss-security/2013/02/24/1", 
- "http://secunia.com/advisories/55181", - "http://www.openwall.com/lists/oss-security/2013/02/22/1", - "https://security-tracker.debian.org/tracker/CVE-2013-0337", - "http://www.openwall.com/lists/oss-security/2013/02/21/15" - ] - }, - { - "cves": [ - { - "cve": "CVE-2009-4487", - "cvss_v2_score": "6.8", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P", - "cwe": [ - "NVD-CWE-noinfo" - ] - } - ], - "summary": "nginx 0.7.64 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.", - "severity": "Low", - "components": { - "deb://debian:bookworm:nginx:1.25.2-1~bookworm": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:nginx:1.25.2-1~bookworm", - "full_path": "nginx:1.25.2-1~bookworm" - } - ] - ] - } - }, - "issue_id": "XRAY-34279", - "references": [ - "http://www.securityfocus.com/bid/37711", - "http://www.ush.it/team/ush/hack_httpd_escape/adv.txt", - "https://security-tracker.debian.org/tracker/CVE-2009-4487", - "http://www.securityfocus.com/archive/1/508830/100/0/threaded" - ] - }, - { - "cves": [ - { - "cve": "CVE-2024-7347", - "cvss_v3_score": "4.7", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-125" - ], - "cwe_details": { - "CWE-125": { - "name": "Out-of-bounds Read", - "description": "The product reads data past the end, or before the beginning, of the intended buffer.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": 
"7" - } - ] - } - } - } - ], - "summary": "NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the ngx_http_mp4_module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted mp4 file with the ngx_http_mp4_module.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.", - "severity": "Medium", - "components": { - "deb://debian:bookworm:nginx:1.25.2-1~bookworm": { - "fixed_versions": [ - "[1.26.0-2]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:nginx:1.25.2-1~bookworm", - "full_path": "nginx:1.25.2-1~bookworm" - } - ] - ] - } - }, - "issue_id": "XRAY-619023", - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2024-7347", - "https://my.f5.com/manage/s/article/K000140529" - ] - }, - { - "cves": [ - { - "cve": "CVE-2024-1580" - } - ], - "summary": "An integer overflow in dav1d AV1 decoder that can occur when decoding videos with large frame size. This can lead to memory corruption within the AV1 decoder. 
We recommend upgrading past version 1.4.0 of dav1d.", - "severity": "Unknown", - "components": { - "deb://debian:bookworm:libdav1d6:1.0.0-2": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libdav1d6:1.0.0-2", - "full_path": "libdav1d6:1.0.0-2" - } - ] - ] - } - }, - "issue_id": "XRAY-590844", - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2024-1580", - "http://seclists.org/fulldisclosure/2024/Mar/38", - "https://support.apple.com/kb/HT214093", - "https://code.videolan.org/videolan/dav1d/-/releases/1.4.0", - "http://seclists.org/fulldisclosure/2024/Mar/41", - "http://seclists.org/fulldisclosure/2024/Mar/39", - "https://support.apple.com/kb/HT214098", - "http://seclists.org/fulldisclosure/2024/Mar/40", - "http://seclists.org/fulldisclosure/2024/Mar/36", - "https://support.apple.com/kb/HT214096", - "https://support.apple.com/kb/HT214095", - "http://seclists.org/fulldisclosure/2024/Mar/37", - "https://support.apple.com/kb/HT214097", - "https://support.apple.com/kb/HT214094", - "https://code.videolan.org/videolan/dav1d/-/blob/master/NEWS", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5EPMUNDMEBGESOJ2ZNCWYEAYOOEKNWOO/" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-32570", - "cvss_v3_score": "5.9", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-362" - ], - "cwe_details": { - "CWE-362": { - "name": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", - "description": "The product contains a code sequence that can run concurrently with other code, 
and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "21" - } - ] - } - } - } - ], - "summary": "VideoLAN dav1d before 1.2.0 has a thread_task.c race condition that can lead to an application crash, related to dav1d_decode_frame_exit.", - "severity": "Medium", - "components": { - "deb://debian:bookworm:libdav1d6:1.0.0-2": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libdav1d6:1.0.0-2", - "full_path": "libdav1d6:1.0.0-2" - } - ] - ] - } - }, - "issue_id": "XRAY-519404", - "references": [ - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3WGSO7UMOF4MVLQ5H6KIV7OG6ONS377B/", - "https://security-tracker.debian.org/tracker/CVE-2023-32570", - "https://code.videolan.org/videolan/dav1d/-/tags/1.2.0", - "https://code.videolan.org/videolan/dav1d/-/commit/cf617fdae0b9bfabd27282854c8e81450d955efa", - "https://security.gentoo.org/glsa/202310-05", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LXZ6CUNJFDJLCFOZHY2TIGMCAEITLCRP/" - ] - }, - { - "cves": [ - { - "cve": "CVE-2016-2781", - "cvss_v2_score": "2.1", - "cvss_v2_vector": "CVSS:2.0/AV:L/AC:L/Au:N/C:N/I:P/A:N", - "cvss_v3_score": "6.5", - "cvss_v3_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", - "cwe": [ - "CWE-20" - ], - "cwe_details": { - "CWE-20": { - "name": "Improper Input Validation", - "description": "The product 
receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "6" - } - ] - } - } - } - ], - "summary": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", - "severity": "Low", - "components": { - "deb://debian:bookworm:coreutils:9.1-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:coreutils:9.1-1", - "full_path": "coreutils:9.1-1" - } - ] - ] - } - }, - "issue_id": "XRAY-28549", - "references": [ - "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E", - "https://security-tracker.debian.org/tracker/CVE-2016-2781", - "http://www.openwall.com/lists/oss-security/2016/02/28/2", - "http://www.openwall.com/lists/oss-security/2016/02/28/3" - ] - }, - { - "cves": [ - { - "cve": "CVE-2017-18018", - "cvss_v2_score": "1.9", - "cvss_v2_vector": "CVSS:2.0/AV:L/AC:M/Au:N/C:N/I:P/A:N", - "cvss_v3_score": "4.7", - "cvss_v3_vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", - "cwe": [ - "CWE-362" - ], - "cwe_details": { - "CWE-362": { - "name": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", - "description": "The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a 
timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "21" - } - ] - } - } - } - ], - "summary": "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.", - "severity": "Low", - "components": { - "deb://debian:bookworm:coreutils:9.1-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:coreutils:9.1-1", - "full_path": "coreutils:9.1-1" - } - ] - ] - } - }, - "issue_id": "XRAY-60415", - "references": [ - "http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html", - "https://security-tracker.debian.org/tracker/CVE-2017-18018" - ] - }, - { - "cves": [ - { - "cve": "CVE-2024-28085" - } - ], - "summary": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) 
There may be plausible scenarios where this leads to account takeover.", - "severity": "Unknown", - "components": { - "deb://debian:bookworm:bsdutils:1:2.38.1-5+b1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:bsdutils:1:2.38.1-5+b1", - "full_path": "bsdutils:1:2.38.1-5+b1" - } - ] - ] - }, - "deb://debian:bookworm:libblkid1:2.38.1-5+b1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libblkid1:2.38.1-5+b1", - "full_path": "libblkid1:2.38.1-5+b1" - } - ] - ] - }, - "deb://debian:bookworm:libmount1:2.38.1-5+b1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libmount1:2.38.1-5+b1", - "full_path": "libmount1:2.38.1-5+b1" - } - ] - ] - }, - "deb://debian:bookworm:libsmartcols1:2.38.1-5+b1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": 
"generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libsmartcols1:2.38.1-5+b1", - "full_path": "libsmartcols1:2.38.1-5+b1" - } - ] - ] - }, - "deb://debian:bookworm:libuuid1:2.38.1-5+b1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libuuid1:2.38.1-5+b1", - "full_path": "libuuid1:2.38.1-5+b1" - } - ] - ] - }, - "deb://debian:bookworm:mount:2.38.1-5+b1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:mount:2.38.1-5+b1", - "full_path": "mount:2.38.1-5+b1" - } - ] - ] - }, - "deb://debian:bookworm:util-linux-extra:2.38.1-5+b1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:util-linux-extra:2.38.1-5+b1", - 
"full_path": "util-linux-extra:2.38.1-5+b1" - } - ] - ] - }, - "deb://debian:bookworm:util-linux:2.38.1-5+b1": { - "fixed_versions": [ - "[2.38.1-5+deb12u1]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:util-linux:2.38.1-5+b1", - "full_path": "util-linux:2.38.1-5+b1" - } - ] - ] - } - }, - "issue_id": "XRAY-596193", - "references": [ - "http://www.openwall.com/lists/oss-security/2024/03/27/8", - "http://www.openwall.com/lists/oss-security/2024/03/28/2", - "http://www.openwall.com/lists/oss-security/2024/03/27/9", - "http://www.openwall.com/lists/oss-security/2024/03/28/3", - "https://lists.debian.org/debian-lts-announce/2024/04/msg00005.html", - "https://www.openwall.com/lists/oss-security/2024/03/27/5", - "https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/", - "https://security.netapp.com/advisory/ntap-20240531-0003/", - "https://github.com/util-linux/util-linux/security/advisories/GHSA-xv2h-c6ww-mrjq", - "https://security-tracker.debian.org/tracker/CVE-2024-28085", - "http://www.openwall.com/lists/oss-security/2024/03/27/5", - "http://www.openwall.com/lists/oss-security/2024/03/28/1", - "https://github.com/skyler-ferrante/CVE-2024-28085", - "https://people.rit.edu/sjf5462/6831711781/wall_2_27_2024.txt", - "http://www.openwall.com/lists/oss-security/2024/03/27/7", - "http://www.openwall.com/lists/oss-security/2024/03/27/6" - ], - "extended_information": { - "short_description": "Escape character injection in util-linux wall may allow for data leakage by local attackers in specific scenarios", - "full_description": "[util-linux](https://github.com/util-linux/util-linux) is a random 
collection of Linux utilities. \nwall (write all) allows a user to send a text message to all other users (terminals) in the system.\nIt was discovered that wall does not filter escape sequences from command line arguments, allowing a local user to inject escape characters into other users' terminals.\n\nThis vulnerability can be used in a per-target social engineering attack, where the local attacker injects seemingly innocent text to other users' terminals, making them write sensitive information (ex. their password) which can subsequently be leaked to local files, depending on the exact scenario.\n\nWhile an example PoC demonstrated the possibility to leak user passwords when the victim uses `sudo`, in reality exploitation of this issue requires the attacker to deeply research the affected system and requires the victim's interaction, making it difficult to exploit even in low volumes.", - "jfrog_research_severity": "Low", - "jfrog_research_severity_reasons": [ - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "The `wall` executable must have `setgid` permissions in order to be vulnerable. In addition, the victim's terminal must accept messages from other terminals (controlled via the `mesg` utility).", - "is_positive": true - }, - { - "name": "The impact of exploiting the issue depends on the context of surrounding software. A severe impact such as RCE is not guaranteed.", - "description": "The injected escape characters may allow the local attacker to social engineer a victim on the same machine. 
The impact of exploiting the vulnerability depends on what actions are performed by the victim user, but in most cases will lead to local privilege escalation of the attacker.", - "is_positive": true - }, - { - "name": "Exploiting the issue requires the user to interact with the vulnerable software", - "description": "The victim must interact with the injected escape characters in some way to cause code execution or data leakage. The injected escape characters cannot cause any harm on their own, only assist the attacker with social engineering.", - "is_positive": true - }, - { - "name": "The issue is trivial to exploit and does not require a published writeup or PoC", - "description": "A local attacker can simply call `exec` with `wall`, supplying escape characters in `argv` -\n```c\nexecve(\"/usr/bin/wall\", argv, envp);\n```" - } - ], - "remediation": "##### Deployment mitigations\n\nDisable write access of other users to your terminal -\n```bash\nmesg n\n```\n\n##### Deployment mitigations\n\nRemove the setgid permissions from wall -\n```bash\nsudo chmod g-s `which wall`\n```" - } - }, - { - "cves": [ - { - "cve": "CVE-2022-0563", - "cvss_v2_score": "1.9", - "cvss_v2_vector": "CVSS:2.0/AV:L/AC:M/Au:N/C:P/I:N/A:N", - "cvss_v3_score": "5.5", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", - "cwe": [ - "CWE-209" - ], - "cwe_details": { - "CWE-209": { - "name": "Generation of Error Message Containing Sensitive Information", - "description": "The product generates an error message that includes sensitive information about its environment, users, or associated data." - } - } - } - ], - "summary": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. 
This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", - "severity": "Low", - "components": { - "deb://debian:bookworm:bsdutils:1:2.38.1-5+b1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:bsdutils:1:2.38.1-5+b1", - "full_path": "bsdutils:1:2.38.1-5+b1" - } - ] - ] - }, - "deb://debian:bookworm:libblkid1:2.38.1-5+b1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libblkid1:2.38.1-5+b1", - "full_path": "libblkid1:2.38.1-5+b1" - } - ] - ] - }, - "deb://debian:bookworm:libmount1:2.38.1-5+b1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libmount1:2.38.1-5+b1", - "full_path": "libmount1:2.38.1-5+b1" - } - ] - ] - }, - "deb://debian:bookworm:libsmartcols1:2.38.1-5+b1": { - "impact_paths": [ - [ - { - "component_id": 
"docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libsmartcols1:2.38.1-5+b1", - "full_path": "libsmartcols1:2.38.1-5+b1" - } - ] - ] - }, - "deb://debian:bookworm:libuuid1:2.38.1-5+b1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libuuid1:2.38.1-5+b1", - "full_path": "libuuid1:2.38.1-5+b1" - } - ] - ] - }, - "deb://debian:bookworm:mount:2.38.1-5+b1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:mount:2.38.1-5+b1", - "full_path": "mount:2.38.1-5+b1" - } - ] - ] - }, - "deb://debian:bookworm:util-linux-extra:2.38.1-5+b1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - 
"component_id": "deb://debian:bookworm:util-linux-extra:2.38.1-5+b1", - "full_path": "util-linux-extra:2.38.1-5+b1" - } - ] - ] - }, - "deb://debian:bookworm:util-linux:2.38.1-5+b1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:util-linux:2.38.1-5+b1", - "full_path": "util-linux:2.38.1-5+b1" - } - ] - ] - } - }, - "issue_id": "XRAY-198072", - "references": [ - "https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w%40ws.net.home/T/#u", - "https://security.netapp.com/advisory/ntap-20220331-0002/", - "https://security-tracker.debian.org/tracker/CVE-2022-0563", - "https://security.gentoo.org/glsa/202401-08" - ], - "extended_information": { - "short_description": "Improper file-read in util-linux chsh and chfn tools can lead to sensitive data leakage when an attacker controls the INPUTRC environment variable.", - "full_description": "[util-linux](https://github.com/util-linux/util-linux) is a random collection of Linux utilities.\n`chsh` is used to change the login shell. `chfn` is used to change finger information.\n\nThe [GNU Readline library](https://tiswww.case.edu/php/chet/readline/rltop.html) provides a set of functions for use by applications that allow users to edit command lines as they are typed in. The Readline library is loads a library configuration file, passed via the `INPUTRC` environment variable.\n\nWhen the `chsh` and `chfn` are compiled with the `readline` library, and the `INPUTRC` environment variable is defined to a non-valid library config file, it will print an error message and leak some data from the malformed config file. 
\n\nThe major Linux distributions: Alpine, Debian and Ubuntu don’t use the `util-linux` package to compile `chsh` and `chfn` - instead they use the `shadow` package which isn’t vulnerable to this issue.\n\nAlso, Red Hat compiles `util-linux` without linking the vulnerable `readline` library.\n\nSince both of these tools have root-`setuid` permissions by default, a local attacker can in theory leak partial data from arbitrary (root-owned) files in the system by running them with an arbitrary `INPUTRC` environment variable.\n\nBut, when manually compiling `util-linux` from a vulnerable source, and installing this version on the system, the utilities lose their `setuid` flag. This is a feature of Linux systems that removes the `setuid` after a file has been modified. It must be manually enabled again using `chmod u+s` to read root-owned files.", - "jfrog_research_severity": "Low", - "jfrog_research_severity_reasons": [ - { - "name": "The issue can only be exploited by an attacker that can execute code on the vulnerable machine (excluding exceedingly rare circumstances)", - "is_positive": true - }, - { - "name": "The prerequisites for exploiting the issue are extremely unlikely", - "description": "All the major Linux distributions don’t use a vulnerable version of the tools. 
Also, when manually compiling the tools from the source, the `setuid` flag is removed from the tools, thus losing access to leak the contents from root-owned files.", - "is_positive": true - }, - { - "name": "The issue cannot result in a severe impact (such as remote code execution)", - "description": "Partial file data leakage", - "is_positive": true - }, - { - "name": "The issue is trivial to exploit and does not require a published writeup or PoC", - "description": "A local attacker may set the `INPUTRC` environment variable to an arbitrary file that should be leaked" - } - ], - "remediation": "##### Deployment mitigations\n\nIf a vulnerable version of `util-linux` was compiled manually, remove the SUID bit from the `chsh` and `chfn` tools using the `chmod u-s` command on them." - } - }, - { - "cves": [ - { - "cve": "CVE-2022-3219", - "cvss_v3_score": "3.3", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", - "cwe": [ - "CWE-787" - ], - "cwe_details": { - "CWE-787": { - "name": "Out-of-bounds Write", - "description": "The product writes data past the end, or before the beginning, of the intended buffer.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "1" - } - ] - } - } - } - ], - "summary": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", - "severity": "Low", - "components": { - "deb://debian:bookworm:gpgv:2.2.40-1.1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:gpgv:2.2.40-1.1", - "full_path": "gpgv:2.2.40-1.1" - } - ] - ] - } - }, - 
"issue_id": "XRAY-425648", - "references": [ - "https://marc.info/?l=oss-security\u0026m=165696590211434\u0026w=4", - "https://security-tracker.debian.org/tracker/CVE-2022-3219", - "https://dev.gnupg.org/D556", - "https://security.netapp.com/advisory/ntap-20230324-0001/", - "https://bugzilla.redhat.com/show_bug.cgi?id=2127010", - "https://dev.gnupg.org/T5993", - "https://access.redhat.com/security/cve/CVE-2022-3219" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-39804" - } - ], - "summary": "In GNU tar before 1.35, mishandled extension attributes in a PAX archive can lead to an application crash in xheader.c.", - "severity": "Unknown", - "components": { - "deb://debian:bookworm:tar:1.34+dfsg-1.2": { - "fixed_versions": [ - "[1.34+dfsg-1.2+deb12u1]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:tar:1.34+dfsg-1.2", - "full_path": "tar:1.34+dfsg-1.2" - } - ] - ] - } - }, - "issue_id": "XRAY-540509", - "references": [ - "https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4", - "https://git.savannah.gnu.org/cgit/tar.git/tree/src/xheader.c?h=release_1_34#n1723", - "https://security-tracker.debian.org/tracker/CVE-2023-39804", - "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1058079" - ] - }, - { - "cves": [ - { - "cve": "CVE-2005-2541", - "cvss_v2_score": "10.0", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C", - "cwe": [ - "NVD-CWE-Other" - ] - } - ], - "summary": "Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.", - "severity": "Low", - 
"components": { - "deb://debian:bookworm:tar:1.34+dfsg-1.2": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:tar:1.34+dfsg-1.2", - "full_path": "tar:1.34+dfsg-1.2" - } - ] - ] - } - }, - "issue_id": "XRAY-28223", - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2005-2541", - "https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c%40%3Cissues.guacamole.apache.org%3E", - "http://marc.info/?l=bugtraq\u0026m=112327628230258\u0026w=2" - ], - "extended_information": { - "short_description": "Preserving SETUID/SETGID bits when extracting with tar may lead to privilege escalation.", - "full_description": "When running as the \"root\" user, tar will restore by default the original permissions to any extracted files (this can be controlled via the `-p` argument). 
One of the restored permission bits are the SETUID/SETGID bits which make the extracted executable automatically elevate to \"root\" privileges, regardless of the user that ran the executable.\n\nThis behavior could be an issue when the root user extracts a crafted tar archive, which contains a SUID-enabled malicious executable, that allows privilege escalation.\nDe-facto, this behavior is widely known, documented and accepted behavior, and as such this issue did not receive a fix.", - "jfrog_research_severity": "Low", - "jfrog_research_severity_reasons": [ - { - "name": "Exploiting the issue requires the user to interact with the vulnerable software", - "description": "A root user must extract the \"affected\" tar archive", - "is_positive": true - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "The attacker must find a vulnerability in the extracted SETUID program in order to run arbitrary code, or alternatively make the root user extract an attacker-crafted tar archive", - "is_positive": true - }, - { - "name": "The issue cannot be exploited on its own, and can only be used as part of an attack chain", - "description": "Simply preserving the SETUID/SETGID bits will not lead to privilege escalation. 
The extracted program must still have a vulnerability that will allow the unprivileged user to achieve arbitrary (local) code execution", - "is_positive": true - }, - { - "name": "The issue has been disputed by the vendor", - "description": "Both Red Hat and Debian security trackers disputed the issue, citing \"This is the documented and expected behaviour of tar.\"", - "is_positive": true - } - ] - } - }, - { - "cves": [ - { - "cve": "CVE-2022-48303", - "cvss_v3_score": "5.5", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-125" - ], - "cwe_details": { - "CWE-125": { - "name": "Out-of-bounds Read", - "description": "The product reads data past the end, or before the beginning, of the intended buffer.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "7" - } - ] - } - } - } - ], - "summary": "GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. 
The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.", - "severity": "Low", - "components": { - "deb://debian:bookworm:tar:1.34+dfsg-1.2": { - "fixed_versions": [ - "[1.34+dfsg-1.2+deb12u1]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:tar:1.34+dfsg-1.2", - "full_path": "tar:1.34+dfsg-1.2" - } - ] - ] - } - }, - "issue_id": "XRAY-414652", - "references": [ - "https://savannah.gnu.org/bugs/?62387", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CRY7VEL4AIG3GLIEVCTOXRZNSVYDYYUD/", - "https://security-tracker.debian.org/tracker/CVE-2022-48303", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5VQYCO52Z7GAVCLRYUITN7KXHLRZQS4/", - "https://savannah.gnu.org/patch/?10307" - ] - }, - { - "cves": [ - { - "cve": "CVE-2024-25062", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-416" - ], - "cwe_details": { - "CWE-416": { - "name": "Use After Free", - "description": "Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "4" - } - ] - } - } - } - ], - "summary": "An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. 
When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.", - "severity": "High", - "components": { - "deb://debian:bookworm:libxml2:2.9.14+dfsg-1.3~deb12u1": { - "fixed_versions": [ - "[2.12.7+dfsg-1]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libxml2:2.9.14+dfsg-1.3~deb12u1", - "full_path": "libxml2:2.9.14+dfsg-1.3~deb12u1" - } - ] - ] - } - }, - "issue_id": "XRAY-589897", - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2024-25062", - "https://gitlab.gnome.org/GNOME/libxml2/-/tags", - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/604" - ], - "extended_information": { - "short_description": "A use-after-free in libxml2 may lead to denial of service when parsing a crafted XML document with specific parser arguments.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "The prerequisites for exploiting the issue are extremely unlikely", - "description": "Exploiting this issue using static XML requires that the `XML_PARSE_XINCLUDE` (--xinclude) and the `XML_PARSE_VALIDATE` (--valid) flags are used.", - "is_positive": true - }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "Exploiting the vulnerability may lead to denial of service." 
- }, - { - "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", - "description": "The CVSS score does not take into account the contextual prerequisites required to exploit the vulnerability.", - "is_positive": true - }, - { - "name": "The issue has an exploit published", - "description": "A PoC that triggers the use-after-free is available in the Git issue." - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "The attacker must be able to control an XML file that is getting parsed by `xmlTextReaderRead()` with the xinclude and DTD validation options enabled. This can be achieved by passing both the `XML_PARSE_XINCLUDE` (--xinclude) and `XML_PARSE_VALIDATE` (--valid) flags when parsing the document.", - "is_positive": true - } - ] - } - }, - { - "cves": [ - { - "cve": "CVE-2023-45322", - "cvss_v3_score": "6.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-416" - ], - "cwe_details": { - "CWE-416": { - "name": "Use After Free", - "description": "Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "4" - } - ] - } - } - } - ], - "summary": "libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is \"I don't think these issues are critical enough to warrant a CVE ID ... 
because an attacker typically can't control when memory allocations fail.\"", - "severity": "Medium", - "components": { - "deb://debian:bookworm:libxml2:2.9.14+dfsg-1.3~deb12u1": { - "fixed_versions": [ - "[2.12.7+dfsg-1]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libxml2:2.9.14+dfsg-1.3~deb12u1", - "full_path": "libxml2:2.9.14+dfsg-1.3~deb12u1" - } - ] - ] - } - }, - "issue_id": "XRAY-533060", - "references": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/583", - "http://www.openwall.com/lists/oss-security/2023/10/06/5", - "https://security-tracker.debian.org/tracker/CVE-2023-45322", - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/344" - ] - }, - { - "cves": [ - { - "cve": "CVE-2024-34459" - } - ], - "summary": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. 
Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", - "severity": "Low", - "components": { - "deb://debian:bookworm:libxml2:2.9.14+dfsg-1.3~deb12u1": { - "fixed_versions": [ - "[2.12.7+dfsg-1]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libxml2:2.9.14+dfsg-1.3~deb12u1", - "full_path": "libxml2:2.9.14+dfsg-1.3~deb12u1" - } - ] - ] - } - }, - "issue_id": "XRAY-601044", - "references": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", - "https://security-tracker.debian.org/tracker/CVE-2024-34459", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-39615", - "cvss_v3_score": "6.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-119" - ], - "cwe_details": { - "CWE-119": { - "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer", - "description": "The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.", - "categories": [ - { - 
"category": "2023 CWE Top 25", - "rank": "17" - } - ] - } - } - } - ], - "summary": "Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. NOTE: the vendor's position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input.", - "severity": "Medium", - "components": { - "deb://debian:bookworm:libxml2:2.9.14+dfsg-1.3~deb12u1": { - "fixed_versions": [ - "[2.12.7+dfsg-1]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libxml2:2.9.14+dfsg-1.3~deb12u1", - "full_path": "libxml2:2.9.14+dfsg-1.3~deb12u1" - } - ] - ] - } - }, - "issue_id": "XRAY-529332", - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2023-39615", - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/535" - ] - }, - { - "cves": [ - { - "cve": "CVE-2019-19882", - "cvss_v2_score": "6.9", - "cvss_v2_vector": "CVSS:2.0/AV:L/AC:M/Au:N/C:C/I:C/A:C", - "cvss_v3_score": "7.8", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "cwe": [ - "CWE-732" - ], - "cwe_details": { - "CWE-732": { - "name": "Incorrect Permission Assignment for Critical Resource", - "description": "The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors." 
- } - } - } - ], - "summary": "shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).", - "severity": "Low", - "components": { - "deb://debian:bookworm:login:1:4.13+dfsg1-1+b1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:login:1:4.13+dfsg1-1+b1", - "full_path": "login:1:4.13+dfsg1-1+b1" - } - ] - ] - }, - "deb://debian:bookworm:passwd:1:4.13+dfsg1-1+b1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:passwd:1:4.13+dfsg1-1+b1", - "full_path": 
"passwd:1:4.13+dfsg1-1+b1" - } - ] - ] - } - }, - "issue_id": "XRAY-93202", - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2019-19882", - "https://github.com/shadow-maint/shadow/commit/edf7547ad5aa650be868cf2dac58944773c12d75", - "https://bugs.gentoo.org/702252", - "https://security.gentoo.org/glsa/202008-09", - "https://github.com/shadow-maint/shadow/pull/199", - "https://bugs.archlinux.org/task/64836", - "https://github.com/void-linux/void-packages/pull/17580" - ] - }, - { - "cves": [ - { - "cve": "CVE-2007-5686", - "cvss_v2_score": "4.9", - "cvss_v2_vector": "CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:N/A:N", - "cwe": [ - "CWE-264" - ] - } - ], - "summary": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.", - "severity": "Low", - "components": { - "deb://debian:bookworm:login:1:4.13+dfsg1-1+b1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:login:1:4.13+dfsg1-1+b1", - "full_path": "login:1:4.13+dfsg1-1+b1" - } - ] - ] - }, - "deb://debian:bookworm:passwd:1:4.13+dfsg1-1+b1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": 
"sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:passwd:1:4.13+dfsg1-1+b1", - "full_path": "passwd:1:4.13+dfsg1-1+b1" - } - ] - ] - } - }, - "issue_id": "XRAY-37289", - "references": [ - "http://www.securityfocus.com/archive/1/482857/100/0/threaded", - "http://www.securityfocus.com/archive/1/482129/100/100/threaded", - "http://www.securityfocus.com/bid/26048", - "http://www.vupen.com/english/advisories/2007/3474", - "https://security-tracker.debian.org/tracker/CVE-2007-5686", - "https://issues.rpath.com/browse/RPL-1825", - "http://secunia.com/advisories/27215" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-4641", - "cvss_v3_score": "5.5", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", - "cwe": [ - "CWE-287" - ], - "cwe_details": { - "CWE-287": { - "name": "Improper Authentication", - "description": "When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "13" - } - ] - } - } - } - ], - "summary": "A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. 
This may allow an attacker with enough access to retrieve the password from the memory.", - "severity": "Medium", - "components": { - "deb://debian:bookworm:login:1:4.13+dfsg1-1+b1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:login:1:4.13+dfsg1-1+b1", - "full_path": "login:1:4.13+dfsg1-1+b1" - } - ] - ] - }, - "deb://debian:bookworm:passwd:1:4.13+dfsg1-1+b1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:passwd:1:4.13+dfsg1-1+b1", - "full_path": "passwd:1:4.13+dfsg1-1+b1" - } - ] - ] - } - }, - "issue_id": "XRAY-529509", - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2023-4641", - "https://access.redhat.com/errata/RHSA-2024:2577", - "https://access.redhat.com/security/cve/CVE-2023-4641", - "https://access.redhat.com/errata/RHSA-2023:6632", - "https://bugzilla.redhat.com/show_bug.cgi?id=2215945", - "https://access.redhat.com/errata/RHSA-2024:0417", - "https://access.redhat.com/errata/RHSA-2023:7112" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-29383", - "cvss_v3_score": "3.3", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", - "cwe": [ - "CWE-74" - ], - "cwe_details": { - "CWE-74": { - "name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component 
('Injection')", - "description": "The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component." - } - } - } - ], - "summary": "In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that \"cat /etc/passwd\" shows a rogue user account.", - "severity": "Low", - "components": { - "deb://debian:bookworm:login:1:4.13+dfsg1-1+b1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:login:1:4.13+dfsg1-1+b1", - "full_path": "login:1:4.13+dfsg1-1+b1" - } - ] - ] - }, - "deb://debian:bookworm:passwd:1:4.13+dfsg1-1+b1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - 
"full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:passwd:1:4.13+dfsg1-1+b1", - "full_path": "passwd:1:4.13+dfsg1-1+b1" - } - ] - ] - } - }, - "issue_id": "XRAY-513968", - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2023-29383", - "https://github.com/shadow-maint/shadow/pull/687", - "https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d", - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/", - "https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797" - ] - }, - { - "cves": [ - { - "cve": "CVE-2017-9937", - "cvss_v2_score": "4.3", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P", - "cvss_v3_score": "6.5", - "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-119" - ], - "cwe_details": { - "CWE-119": { - "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer", - "description": "The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "17" - } - ] - } - } - } - ], - "summary": "In LibTIFF 4.0.8, there is a memory malloc failure in tif_jbig.c. 
A crafted TIFF document can lead to an abort resulting in a remote denial of service attack.", - "severity": "Low", - "components": { - "deb://debian:bookworm:libjbig0:2.1-6.1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libjbig0:2.1-6.1", - "full_path": "libjbig0:2.1-6.1" - } - ] - ] - } - }, - "issue_id": "XRAY-56874", - "references": [ - "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E", - "http://bugzilla.maptools.org/show_bug.cgi?id=2707", - "https://security-tracker.debian.org/tracker/CVE-2017-9937", - "http://www.securityfocus.com/bid/99304" - ] - }, - { - "cves": [ - { - "cve": "CVE-2024-2511" - } - ], - "summary": "Issue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\n\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\n\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\n\nThis issue only affects TLS servers supporting TLSv1.3. 
It does not affect TLS\nclients.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL\n1.0.2 is also not affected by this issue.", - "severity": "Unknown", - "components": { - "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1", - "full_path": "libssl3:3.0.11-1~deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:openssl:3.0.11-1~deb12u1": { - "fixed_versions": [ - "[3.0.14-1~deb12u1]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:openssl:3.0.11-1~deb12u1", - "full_path": "openssl:3.0.11-1~deb12u1" - } - ] - ] - } - }, - "issue_id": "XRAY-597548", - "references": [ - "https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08", - "https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce", - "https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640", - "https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d", - "https://security-tracker.debian.org/tracker/CVE-2024-2511", - "https://www.openssl.org/news/secadv/20240408.txt", - "http://www.openwall.com/lists/oss-security/2024/04/08/5", - 
"https://security.netapp.com/advisory/ntap-20240503-0013/" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-6129", - "cvss_v3_score": "6.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", - "cwe": [ - "CWE-787" - ], - "cwe_details": { - "CWE-787": { - "name": "Out-of-bounds Write", - "description": "The product writes data past the end, or before the beginning, of the intended buffer.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "1" - } - ] - } - } - } - ], - "summary": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications running\non PowerPC CPU based platforms if the CPU provides vector instructions.\n\nImpact summary: If an attacker can influence whether the POLY1305 MAC\nalgorithm is used, the application state might be corrupted with various\napplication dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL for\nPowerPC CPUs restores the contents of vector registers in a different order\nthan they are saved. Thus the contents of some of these vector registers\nare corrupted when returning to the caller. The vulnerable code is used only\non newer PowerPC processors supporting the PowerISA 2.07 instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. 
However unless the compiler uses the vector registers for storing\npointers, the most likely consequence, if any, would be an incorrect result\nof some application dependent calculations or a crash leading to a denial of\nservice.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3. If this cipher is enabled on the server a malicious\nclient can influence whether this AEAD cipher is used. This implies that\nTLS server applications using OpenSSL can be potentially impacted. However\nwe are currently not aware of any concrete application that would be affected\nby this issue therefore we consider this a Low severity security issue.", - "severity": "Medium", - "components": { - "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1", - "full_path": "libssl3:3.0.11-1~deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:openssl:3.0.11-1~deb12u1": { - "fixed_versions": [ - "[3.0.13-1~deb12u1]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:openssl:3.0.11-1~deb12u1", - "full_path": 
"openssl:3.0.11-1~deb12u1" - } - ] - ] - } - }, - "issue_id": "XRAY-588102", - "references": [ - "https://security.netapp.com/advisory/ntap-20240426-0008/", - "https://security.netapp.com/advisory/ntap-20240426-0013/", - "http://www.openwall.com/lists/oss-security/2024/03/11/1", - "https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015", - "https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35", - "https://security.netapp.com/advisory/ntap-20240216-0009/", - "https://www.openssl.org/news/secadv/20240109.txt", - "https://security-tracker.debian.org/tracker/CVE-2023-6129", - "https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04", - "https://security.netapp.com/advisory/ntap-20240503-0011/" - ] - }, - { - "cves": [ - { - "cve": "CVE-2024-6119" - } - ], - "summary": "Issue summary: Applications performing certificate name checks (e.g., TLS\nclients checking server certificates) may attempt to read an invalid memory\naddress resulting in abnormal termination of the application process.\n\nImpact summary: Abnormal termination of an application can a cause a denial of\nservice.\n\nApplications performing certificate name checks (e.g., TLS clients checking\nserver certificates) may attempt to read an invalid memory address when\ncomparing the expected name with an `otherName` subject alternative name of an\nX.509 certificate. This may result in an exception that terminates the\napplication program.\n\nNote that basic certificate chain validation (signatures, dates, ...) is not\naffected, the denial of service can occur only when the application also\nspecifies an expected DNS name, Email address or IP address.\n\nTLS servers rarely solicit client certificates, and even when they do, they\ngenerally don't perform a name check against a reference identifier (expected\nidentity), but rather extract the presented identity after checking the\ncertificate chain. 
So TLS servers are generally not affected and the severity\nof the issue is Moderate.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.", - "severity": "Unknown", - "components": { - "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1", - "full_path": "libssl3:3.0.11-1~deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:openssl:3.0.11-1~deb12u1": { - "fixed_versions": [ - "[3.0.14-1~deb12u2]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:openssl:3.0.11-1~deb12u1", - "full_path": "openssl:3.0.11-1~deb12u1" - } - ] - ] - } - }, - "issue_id": "XRAY-632747", - "references": [ - "https://openssl-library.org/news/secadv/20240903.txt", - "https://github.com/openssl/openssl/commit/621f3729831b05ee828a3203eddb621d014ff2b2", - "https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f", - "https://security-tracker.debian.org/tracker/CVE-2024-6119", - "https://github.com/openssl/openssl/commit/06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6", - "https://github.com/openssl/openssl/commit/7dfcee2cd2a63b2c64b9b4b0850be64cb695b0a0" - ], - "extended_information": { - "short_description": "Out of bounds read in OpenSSL clients 
can lead to denial of service when using non-default TLS verification options and connecting to malicious TLS servers", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "The issue has an exploit published", - "description": "The fix commit contains PoC certificates that trigger the denial of service issue" - }, - { - "name": "The prerequisites for exploiting the issue are extremely unlikely", - "description": "The attacker must make the victim client connect to their malicious TLS server, in order to serve the malformed TLS certificate. The victim client must use OpenSSL and must enable non-default certificate verification options, either -\n\n* DNS verification - by using `X509_VERIFY_PARAM_set1_host` or `X509_check_host`\n* Email verification - by using ` X509_VERIFY_PARAM_set1_email` or `X509_check_email`", - "is_positive": true - }, - { - "name": "The issue cannot result in a severe impact (such as remote code execution)", - "description": "Denial of service of a TLS clients only. This out of bounds read cannot lead to data disclosure.", - "is_positive": true - } - ] - } - }, - { - "cves": [ - { - "cve": "CVE-2023-5363", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cwe": [ - "NVD-CWE-noinfo" - ] - } - ], - "summary": "Issue summary: A bug has been identified in the processing of key and\ninitialisation vector (IV) lengths. This can lead to potential truncation\nor overruns during the initialisation of some symmetric ciphers.\n\nImpact summary: A truncation in the IV can result in non-uniqueness,\nwhich could result in loss of confidentiality for some cipher modes.\n\nWhen calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or\nEVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after\nthe key and IV have been established. 
Any alterations to the key length,\nvia the \"keylen\" parameter or the IV length, via the \"ivlen\" parameter,\nwithin the OSSL_PARAM array will not take effect as intended, potentially\ncausing truncation or overreading of these values. The following ciphers\nand cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.\n\nFor the CCM, GCM and OCB cipher modes, truncation of the IV can result in\nloss of confidentiality. For example, when following NIST's SP 800-38D\nsection 8.2.1 guidance for constructing a deterministic IV for AES in\nGCM mode, truncation of the counter portion could lead to IV reuse.\n\nBoth truncations and overruns of the key and overruns of the IV will\nproduce incorrect results and could, in some cases, trigger a memory\nexception. However, these issues are not currently assessed as security\ncritical.\n\nChanging the key and/or IV lengths is not considered to be a common operation\nand the vulnerable API was recently introduced. Furthermore it is likely that\napplication developers will have spotted this problem during testing since\ndecryption would fail unless both peers in the communication were similarly\nvulnerable. For these reasons we expect the probability of an application being\nvulnerable to this to be quite low. However if an application is vulnerable then\nthis issue is considered very serious. 
For these reasons we have assessed this\nissue as Moderate severity overall.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are...", - "severity": "High", - "components": { - "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1", - "full_path": "libssl3:3.0.11-1~deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:openssl:3.0.11-1~deb12u1": { - "fixed_versions": [ - "[3.0.11-1~deb12u2]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:openssl:3.0.11-1~deb12u1", - "full_path": "openssl:3.0.11-1~deb12u1" - } - ] - ] - } - }, - "issue_id": "XRAY-534361", - "references": [ - "https://security.netapp.com/advisory/ntap-20231027-0010/", - "https://www.openssl.org/news/secadv/20231024.txt", - "https://security-tracker.debian.org/tracker/CVE-2023-5363", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d", - "https://www.debian.org/security/2023/dsa-5532", - "https://security.netapp.com/advisory/ntap-20240201-0004/", - 
"http://www.openwall.com/lists/oss-security/2023/10/24/1", - "https://security.netapp.com/advisory/ntap-20240201-0003/" - ], - "extended_information": { - "short_description": "A design problem in OpenSSL 3.x may lead to data leakage when processing cipher parameters.", - "full_description": "OpenSSL is an open-source cryptographic library and toolset that provides a wide range of protocol supported and functions for secure communication, data encryption, digital certificates, and other cryptographic operations, widely used in various software applications and systems.\nIn cryptography, a block cipher is a symmetric key algorithm that encrypts fixed-size blocks of data, typically 64 or 128 bits, transforming each block into a corresponding ciphertext block using a key-specific permutation.\n\nA major problem with block ciphers, is that equal plaintext blocks get transformed to equal ciphertexts. This can be used for a known-plaintext attack, where an adversary possesses both the plaintext and its corresponding encrypted form, aiming to deduce the encryption key or gain insights into the encryption algorithm.\n\nTo counter this, we use an Initialization vector (IV), which is a random or unique input to a cryptographic algorithm used to alter the first block of the cipher, ensuring equal plaintext blocks won’t be transformed to equal ciphertexts.\n\nA vulnerability was found in OpenSSL 3.x, in certain situations, parameters such as key length or IV length, will be processed after the key and IV have been established, hence they will not take effect as intended, potentially causing truncation or overreading of these values, impacting the confidentiality of the encryption.\n\nWhen calling the functions `EVP_CipherInit_ex2`, `EVP_EncryptInit_ex2, or `EVP_DecryptInit_ex2` with an `OSSL_PARAM` array, changes to the `keylen` or `ivlen` parameters will only be processed after the IV and the key have been established.\n\nNote this impacts the following ciphers: RC2, RC4, 
RC5, and the following cipher modes: CCM, GCM, OCB.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "The vulnerability is only applicable if the vulnerable functions `EVP_CipherInit_ex2`, `EVP_EncryptInit_ex2, or `EVP_DecryptInit_ex2` is called directly or indirectly with an `OSSL_PARAM` array that alters the `ivlen` and `keylen` parameters. Moreover, it only impacts the following ciphers: RC2, RC4, RC5, and the following cipher modes: CCM, GCM, OCB.", - "is_positive": true - }, - { - "name": "The prerequisites for exploiting the issue are extremely unlikely", - "description": "Changing the key or IV lengths is not considered a popular operation. Furthermore, the API only affects OpenSSL 3.x and it is likely the app developers have discovered the problem during testing, as it would have caused the decryption to fail.", - "is_positive": true - }, - { - "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", - "description": "The given CVSS score does not take into account the unlikely prerequisites and the context required to exploit this CVE.", - "is_positive": true - }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "In the case that this vulnerability is exploited successfully, an attacker can read sensitive data as plaintext, breaking the encryption." 
- } - ] - } - }, - { - "cves": [ - { - "cve": "CVE-2024-4603" - } - ], - "summary": "Issue summary: Checking excessively long DSA keys or parameters may be very\nslow.\n\nImpact summary: Applications that use the functions EVP_PKEY_param_check()\nor EVP_PKEY_public_check() to check a DSA public key or DSA parameters may\nexperience long delays. Where the key or parameters that are being checked\nhave been obtained from an untrusted source this may lead to a Denial of\nService.\n\nThe functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform\nvarious checks on DSA parameters. Some of those computations take a long time\nif the modulus (`p` parameter) is too large.\n\nTrying to use a very large modulus is slow and OpenSSL will not allow using\npublic keys with a modulus which is over 10,000 bits in length for signature\nverification. However the key and parameter check functions do not limit\nthe modulus size when performing the checks.\n\nAn application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check()\nand supplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nThese functions are not called by OpenSSL itself on untrusted DSA keys so\nonly applications that directly call these functions may be vulnerable.\n\nAlso vulnerable are the OpenSSL pkey and pkeyparam command line applications\nwhen using the `-check` option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.", - "severity": "Unknown", - "components": { - "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": 
"sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1", - "full_path": "libssl3:3.0.11-1~deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:openssl:3.0.11-1~deb12u1": { - "fixed_versions": [ - "[3.0.14-1~deb12u1]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:openssl:3.0.11-1~deb12u1", - "full_path": "openssl:3.0.11-1~deb12u1" - } - ] - ] - } - }, - "issue_id": "XRAY-601418", - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2024-4603", - "https://security.netapp.com/advisory/ntap-20240621-0001/", - "https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e", - "http://www.openwall.com/lists/oss-security/2024/05/16/2", - "https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397", - "https://www.openssl.org/news/secadv/20240516.txt", - "https://github.com/openssl/openssl/commit/da343d0605c826ef197aceedc67e8e04f065f740", - "https://github.com/openssl/openssl/commit/9c39b3858091c152f52513c066ff2c5a47969f0d" - ] - }, - { - "cves": [ - { - "cve": "CVE-2024-0727", - "cvss_v3_score": "5.5", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "cwe": [ - "NVD-CWE-noinfo" - ] - } - ], - "summary": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may 
come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.", - "severity": "Medium", - "components": { - "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1", - "full_path": "libssl3:3.0.11-1~deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:openssl:3.0.11-1~deb12u1": { - "fixed_versions": [ - "[3.0.13-1~deb12u1]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:openssl:3.0.11-1~deb12u1", - "full_path": "openssl:3.0.11-1~deb12u1" - } - ] - ] - } - }, - 
"issue_id": "XRAY-589396", - "references": [ - "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c", - "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8", - "https://security-tracker.debian.org/tracker/CVE-2024-0727", - "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539", - "https://www.openssl.org/news/secadv/20240125.txt", - "https://security.netapp.com/advisory/ntap-20240208-0006/", - "https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a", - "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2", - "http://www.openwall.com/lists/oss-security/2024/03/11/1" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-6237" - } - ], - "summary": "Issue summary: Checking excessively long invalid RSA public keys may take\na long time.\n\nImpact summary: Applications that use the function EVP_PKEY_public_check()\nto check RSA public keys may experience long delays. Where the key that\nis being checked has been obtained from an untrusted source this may lead\nto a Denial of Service.\n\nWhen function EVP_PKEY_public_check() is called on RSA public keys,\na computation is done to confirm that the RSA modulus, n, is composite.\nFor valid RSA keys, n is a product of two or more large primes and this\ncomputation completes quickly. However, if n is an overly large prime,\nthen this computation would take a long time.\n\nAn application that calls EVP_PKEY_public_check() and supplies an RSA key\nobtained from an untrusted source could be vulnerable to a Denial of Service\nattack.\n\nThe function EVP_PKEY_public_check() is not called from other OpenSSL\nfunctions however it is called from the OpenSSL pkey command line\napplication. 
For that reason that application is also vulnerable if used\nwith the '-pubin' and '-check' options on untrusted data.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.", - "severity": "Unknown", - "components": { - "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1", - "full_path": "libssl3:3.0.11-1~deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:openssl:3.0.11-1~deb12u1": { - "fixed_versions": [ - "[3.0.13-1~deb12u1]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:openssl:3.0.11-1~deb12u1", - "full_path": "openssl:3.0.11-1~deb12u1" - } - ] - ] - } - }, - "issue_id": "XRAY-588469", - "references": [ - "https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294", - "https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a", - "https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d", - "https://security.netapp.com/advisory/ntap-20240531-0007/", - "https://www.openssl.org/news/secadv/20240115.txt", - "https://security-tracker.debian.org/tracker/CVE-2023-6237", - 
"http://www.openwall.com/lists/oss-security/2024/03/11/1" - ] - }, - { - "cves": [ - { - "cve": "CVE-2024-4741" - } - ], - "summary": "CVE-2024-4741", - "severity": "Unknown", - "components": { - "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1", - "full_path": "libssl3:3.0.11-1~deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:openssl:3.0.11-1~deb12u1": { - "fixed_versions": [ - "[3.0.14-1~deb12u1]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:openssl:3.0.11-1~deb12u1", - "full_path": "openssl:3.0.11-1~deb12u1" - } - ] - ] - } - }, - "issue_id": "XRAY-603657", - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2024-4741" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-5678", - "cvss_v3_score": "5.3", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "cwe": [ - "CWE-754" - ], - "cwe_details": { - "CWE-754": { - "name": "Improper Check for Unusual or Exceptional Conditions", - "description": "The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product." 
- } - } - } - ], - "summary": "Issue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. 
The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", - "severity": "Medium", - "components": { - "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1", - "full_path": "libssl3:3.0.11-1~deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:openssl:3.0.11-1~deb12u1": { - "fixed_versions": [ - "[3.0.13-1~deb12u1]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:openssl:3.0.11-1~deb12u1", - "full_path": "openssl:3.0.11-1~deb12u1" - } - ] - ] - } - }, - "issue_id": "XRAY-535129", - "references": [ - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055", - "https://security.netapp.com/advisory/ntap-20231130-0010/", - "http://www.openwall.com/lists/oss-security/2024/03/11/1", - "https://security-tracker.debian.org/tracker/CVE-2023-5678", - 
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017", - "https://www.openssl.org/news/secadv/20231106.txt", - "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" - ] - }, - { - "cves": [ - { - "cve": "CVE-2024-5535" - } - ], - "summary": "Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an\nempty supported client protocols buffer may cause a crash or memory contents to\nbe sent to the peer.\n\nImpact summary: A buffer overread can have a range of potential consequences\nsuch as unexpected application beahviour or a crash. In particular this issue\ncould result in up to 255 bytes of arbitrary private data from memory being sent\nto the peer leading to a loss of confidentiality. However, only applications\nthat directly call the SSL_select_next_proto function with a 0 length list of\nsupported client protocols are affected by this issue. This would normally never\nbe a valid scenario and is typically not under attacker control but may occur by\naccident in the case of a configuration or programming error in the calling\napplication.\n\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\n(Next Protocol Negotiation). NPN is older, was never standardised and\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\nwidely deployed than NPN. The SSL_select_next_proto function accepts a list of\nprotocols from the server and a list of protocols from the client and returns\nthe first protocol that appears in the server list that also appears in the\nclient list. In the case of no overlap between the two lists it returns the\nfirst item in the client list. 
In either case it will signal whether an overlap\nbetween the two lists was found. In the case where SSL_select_next_proto is\ncalled with a zero length client list it fails to notice this condition and\nreturns the memory immediately following the client list pointer (and reports\nthat there was no overlap in the lists).\n\nThis function is typically called from a server side application callback for\nALPN or a client side application callback for NPN. In the case of ALPN the list\nof protocols supplied by the client is guaranteed by libssl to never be zero in\nlength. The list of ...", - "severity": "Unknown", - "components": { - "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1", - "full_path": "libssl3:3.0.11-1~deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:openssl:3.0.11-1~deb12u1": { - "fixed_versions": [ - "[3.3.2-1]" - ], - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:openssl:3.0.11-1~deb12u1", - "full_path": "openssl:3.0.11-1~deb12u1" - } - ] - ] - } - }, - "issue_id": "XRAY-607811", - "references": [ - "https://security.netapp.com/advisory/ntap-20240712-0005/", - "https://www.openssl.org/news/secadv/20240627.txt", - 
"https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c", - "https://security-tracker.debian.org/tracker/CVE-2024-5535", - "http://www.openwall.com/lists/oss-security/2024/06/28/4", - "https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e", - "http://www.openwall.com/lists/oss-security/2024/06/27/1", - "https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87", - "https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c", - "https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37", - "https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c" - ] - }, - { - "cves": [ - { - "cve": "CVE-2012-2131", - "cvss_v2_score": "7.5", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P", - "cwe": [ - "CWE-189" - ] - } - ], - "summary": "Multiple integer signedness errors in crypto/buffer/buffer.c in OpenSSL 0.9.8v allow remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-2110.", - "severity": "High", - "components": { - "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libssl3:3.0.11-1~deb12u1", - "full_path": "libssl3:3.0.11-1~deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:openssl:3.0.11-1~deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:openssl:3.0.11-1~deb12u1", - "full_path": "openssl:3.0.11-1~deb12u1" - } - ] - ] - } - }, - "issue_id": "XRAY-192416", - "references": [ - "http://www.openwall.com/lists/oss-security/2012/04/24/1", - "http://secunia.com/advisories/48956", - "http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html", - "http://www.ubuntu.com/usn/USN-1428-1", - "http://secunia.com/advisories/48895", - "http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004564", - "http://www.mandriva.com/security/advisories?name=MDVSA-2012:064", - "http://www.debian.org/security/2012/dsa-2454", - "http://www.openssl.org/news/secadv_20120424.txt", - "http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00014.html", - "http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00007.html", - 
"http://www.securitytracker.com/id?1026957", - "http://secunia.com/advisories/57353", - "http://marc.info/?l=bugtraq\u0026m=134039053214295\u0026w=2", - "https://security-tracker.debian.org/tracker/CVE-2012-2131", - "http://cvs.openssl.org/chngview?cn=22479", - "http://marc.info/?l=bugtraq\u0026m=133728068926468\u0026w=2", - "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10673", - "https://exchange.xforce.ibmcloud.com/vulnerabilities/75099", - "http://www.securityfocus.com/bid/53212", - "http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00015.html", - "http://support.apple.com/kb/HT5784" - ] - }, - { - "cves": [ - { - "cve": "CVE-2011-3374", - "cvss_v2_score": "4.3", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N", - "cvss_v3_score": "3.7", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", - "cwe": [ - "CWE-347" - ], - "cwe_details": { - "CWE-347": { - "name": "Improper Verification of Cryptographic Signature", - "description": "The product does not verify, or incorrectly verifies, the cryptographic signature for data." 
- } - } - } - ], - "summary": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.", - "severity": "Low", - "components": { - "deb://debian:bookworm:apt:2.6.1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:apt:2.6.1", - "full_path": "apt:2.6.1" - } - ] - ] - }, - "deb://debian:bookworm:libapt-pkg6.0:2.6.1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libapt-pkg6.0:2.6.1", - "full_path": "libapt-pkg6.0:2.6.1" - } - ] - ] - } - }, - "issue_id": "XRAY-34417", - "references": [ - "https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html", - "https://seclists.org/fulldisclosure/2011/Sep/221", - "https://ubuntu.com/security/CVE-2011-3374", - "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480", - "https://access.redhat.com/security/cve/cve-2011-3374", - "https://snyk.io/vuln/SNYK-LINUX-APT-116518", - "https://security-tracker.debian.org/tracker/CVE-2011-3374" - ], - "extended_information": { - "short_description": "Improper signature validation in apt-key may enable Man-in-the-Middle attacks and result in code execution.", - "full_description": "`apt-key` is [`apt`](https://github.com/Debian/apt)'s key 
management utility, and is used to manage the keys that are used by `apt` to authenticate packages.\n\nA vulnerability in `apt-key`'s `net-update` function exists, in which [`GPG`](https://www.gnupg.org/) keys, that are used for signing packages and validating their authenticity, aren't validated correctly. The `net-update` function pulls the signing keys that should be added from an insecure location (`http://...`), exposing it to a Man-in-the-Middle attack in which malicious signing keys could be added to the system's keyring. This issue happens due to a vulnerability in the `add_keys_with_veirfy_against_master_keyring()` function, which allows adding signing keys without proper signature validation. \n\nThis vulnerability then potentially allows a malicious actor to perform a Man-in-the-Middle attack on a target, by making it validate malicious packages that were signed with the `GPG` signing key used by the attacker. Effectively, this means that `apt` can be duped to install malicious services and daemons with root privileges.\n\nThe conditions for this vulnerability to be applicable:\n \n1. A valid URI should be configured in `ARCHIVE_KEYRING_URI` variable in the file `/usr/bin/apt-key`. This is the URI that an attacker would need to target in a Man In The Middle attack.\n2. The command `apt-key net-update` should be executed on the affected system, or alternatively `apt.auth.net_update()` function from [python-apt](https://pypi.org/project/python-apt/) Python module should be called. This is for the malicious keys download.\n3. 
After the execution of `apt-key net-update`, APT packages should be installed or updated on the machine.\n\nDo note that `apt-key` is **deprecated** and shouldn't be used, and in most Debian versions `ARCHIVE_KEYRING_URI` is not defined, making this vulnerability unexploitable in most Debian systems.", - "jfrog_research_severity": "High", - "jfrog_research_severity_reasons": [ - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "The conditions for this vulnerability to be applicable:\n \n1. A valid URI should be configured in `ARCHIVE_KEYRING_URI` variable in the file `/usr/bin/apt-key`. This is the URI that an attacker would need to target in a Man-in-the-Middle attack.\n2. The command `apt-key net-update` should be executed on the affected system, or alternatively `apt.auth.net_update()` function from the python-apt Python module should be called. This is for the malicious keys download.\n3. After the execution of `apt-key net-update`, APT packages should be installed or updated on the machine.", - "is_positive": true - }, - { - "name": "The issue can be exploited by attackers over the network", - "description": "This vulnerability is remotely exploitable when the applicability conditions apply." - }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "Remote code execution is possible when the applicability conditions apply." - }, - { - "name": "The issue has an exploit published", - "description": "The reporter of this issue has provided a GPG key that can be used for an actual attack, as well as a simple PoC example." - } - ], - "remediation": "##### Deployment mitigations\n\n* Dot not execute `apt-key` command, as it is deprecated.\n* Remove the URI configured in `ARCHIVE_KEYRING_URI` variable in the file `/usr/bin/apt-key`." 
- } - }, - { - "cves": [ - { - "cve": "CVE-2023-4039", - "cvss_v3_score": "4.8", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", - "cwe": [ - "NVD-CWE-Other" - ] - } - ], - "summary": "**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. 
NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.", - "severity": "Medium", - "components": { - "deb://debian:bookworm:gcc-12-base:12.2.0-14": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:gcc-12-base:12.2.0-14", - "full_path": "gcc-12-base:12.2.0-14" - } - ] - ] - }, - "deb://debian:bookworm:libgcc-s1:12.2.0-14": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libgcc-s1:12.2.0-14", - "full_path": "libgcc-s1:12.2.0-14" - } - ] - ] - }, - "deb://debian:bookworm:libstdc++6:12.2.0-14": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libstdc++6:12.2.0-14", - "full_path": "libstdc++6:12.2.0-14" - } - ] - ] - } - }, - "issue_id": "XRAY-531779", - "references": [ - "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf", - 
"https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64", - "https://security-tracker.debian.org/tracker/CVE-2023-4039" - ] - }, - { - "cves": [ - { - "cve": "CVE-2022-27943", - "cvss_v2_score": "4.3", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P", - "cvss_v3_score": "5.5", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-674" - ], - "cwe_details": { - "CWE-674": { - "name": "Uncontrolled Recursion", - "description": "The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack." - } - } - } - ], - "summary": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", - "severity": "Low", - "components": { - "deb://debian:bookworm:gcc-12-base:12.2.0-14": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:gcc-12-base:12.2.0-14", - "full_path": "gcc-12-base:12.2.0-14" - } - ] - ] - }, - "deb://debian:bookworm:libgcc-s1:12.2.0-14": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libgcc-s1:12.2.0-14", - "full_path": "libgcc-s1:12.2.0-14" - } - ] - ] - }, - 
"deb://debian:bookworm:libstdc++6:12.2.0-14": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libstdc++6:12.2.0-14", - "full_path": "libstdc++6:12.2.0-14" - } - ] - ] - } - }, - "issue_id": "XRAY-203474", - "references": [ - "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/", - "https://security-tracker.debian.org/tracker/CVE-2022-27943", - "https://sourceware.org/bugzilla/show_bug.cgi?id=28995" - ] - }, - { - "cves": [ - { - "cve": "CVE-2024-28182" - } - ], - "summary": "nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. 
There is no workaround for this vulnerability.", - "severity": "Unknown", - "components": { - "deb://debian:bookworm:libnghttp2-14:1.52.0-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libnghttp2-14:1.52.0-1", - "full_path": "libnghttp2-14:1.52.0-1" - } - ] - ] - } - }, - "issue_id": "XRAY-597311", - "references": [ - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J6ZMXUGB66VAXDW5J6QSTHM5ET25FGSA/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXJO2EASHM2OQQLGVDY5ZSO7UVDVHTDK/", - "https://github.com/nghttp2/nghttp2/commit/d71a4668c6bead55805d18810d633fbb98315af9", - "https://github.com/nghttp2/nghttp2/security/advisories/GHSA-x6x3-gv8h-m57q", - "https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0", - "https://security-tracker.debian.org/tracker/CVE-2024-28182", - "https://lists.debian.org/debian-lts-announce/2024/04/msg00026.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AGOME6ZXJG7664IPQNVE3DL67E3YP3HY/", - "http://www.openwall.com/lists/oss-security/2024/04/03/16" - ], - "extended_information": { - "short_description": "A design problem in the implementation of the HTTP/2 protocol in Nghttp2 may lead to denial of service by abusing frame flags.", - "full_description": "[Nghttp2](https://github.com/nghttp2/nghttp2) is an open-source implementation of HTTP/2, a significant upgrade to the HTTP protocol, offering improved efficiency and performance for web communication. 
It provides libraries and command-line tools for developers to integrate HTTP/2 features into their applications, including binary framing, header compression, multiplexing of requests, and server push. `Nghttp2` is widely used in various projects, such as web servers, proxies, and clients.\n\n`HTTP/2` is a binary protocol where the client and server exchange binary frames instead of text lines as in `HTTP/1.x`. `HTTP/2` resolves numerous concerns found in HTTP/1.1 by organizing each HTTP message into a series of HTTP/2 frames. These frames include frame type, length, flags, stream identifier (ID), and payload.\n\nThe `HEADERS` frame type allows sending HTTP headers of, both, request and response. The `HEADERS` frame contains many flags.\nThe `CONTINUATION` frame type is similar to the `HEADER` frame, but it has just one flag: `END_HEADERS`. When it is not set, the peer knows that more headers are coming in the following `CONTINUATION` frames.\n\nThis mechanism allows an attacker to send an `HTTP/2` stream with `CONTINUATION` frames, without setting the `END_HEADERS` flag in any of the frames. This can cause denial-of-service when sending an excessive number of these crafted frames due to caching all frames in memory.\n\nThe issue is exploitable by default due to `Nghttp2` being an `HTTP/2`-only implementation.", - "jfrog_research_severity": "High", - "jfrog_research_severity_reasons": [ - { - "name": "The prerequisites for exploiting the issue are either extremely common or nonexistent (always exploitable)", - "description": "Nghttp2 is vulnerable in its default configuration." - }, - { - "name": "The issue has a detailed technical explanation published, that can aid in exploit development", - "description": "A very detailed technical write-up has been published regarding the issue." - }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "This issue can lead to denial of service." 
- }, - { - "name": "The issue can be exploited by attackers over the network" - }, - { - "name": "The issue has multiple mentions in general media", - "description": "This issue is related to the well-covered attack \"HTTP/2 CONTINUATION Flood\"." - } - ] - } - }, - { - "cves": [ - { - "cve": "CVE-2023-44487", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cwe": [ - "NVD-CWE-noinfo" - ] - } - ], - "summary": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", - "severity": "Low", - "components": { - "deb://debian:bookworm:libnghttp2-14:1.52.0-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libnghttp2-14:1.52.0-1", - "full_path": "libnghttp2-14:1.52.0-1" - } - ] - ] - } - }, - "issue_id": "XRAY-533236", - "references": [ - "https://www.debian.org/security/2023/dsa-5540", - "https://github.com/eclipse/jetty.project/issues/10679", - "https://github.com/caddyserver/caddy/releases/tag/v2.7.5", - "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/", - "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/", - "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2", - "https://news.ycombinator.com/item?id=37830998", - 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/", - "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73", - "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html", - "http://www.openwall.com/lists/oss-security/2023/10/13/4", - "https://access.redhat.com/security/cve/cve-2023-44487", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/", - "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q", - "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve", - "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/", - "https://github.com/micrictor/http2-rst-stream", - "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0", - "http://www.openwall.com/lists/oss-security/2023/10/13/9", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487", - "https://bugzilla.proxmox.com/show_bug.cgi?id=4988", - "https://news.ycombinator.com/item?id=37830987", - "https://blog.vespa.ai/cve-2023-44487/", - "https://github.com/tempesta-tech/tempesta/issues/1986", - "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo", - "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/", - "https://github.com/kazu-yamamoto/http2/issues/93", - "https://github.com/Kong/kong/discussions/11741", - 
"https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", - "https://github.com/envoyproxy/envoy/pull/30055", - "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html", - "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/", - "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html", - "https://www.debian.org/security/2023/dsa-5558", - "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/", - "https://security.gentoo.org/glsa/202311-09", - "https://bugzilla.suse.com/show_bug.cgi?id=1216123", - "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event", - "https://github.com/projectcontour/contour/pull/5826", - "https://github.com/golang/go/issues/63417", - "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61", - "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/", - "https://ubuntu.com/security/CVE-2023-44487", - "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html", - "https://www.debian.org/security/2023/dsa-5521", - "https://www.debian.org/security/2023/dsa-5570", - "https://github.com/h2o/h2o/pull/3291", - "https://github.com/oqtane/oqtane.framework/discussions/3367", - "https://github.com/opensearch-project/data-prepper/issues/3474", - "https://github.com/advisories/GHSA-vx74-f528-fxqg", - "https://bugzilla.redhat.com/show_bug.cgi?id=2242803", - "https://github.com/etcd-io/etcd/issues/16740", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/", - 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/", - "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/", - "https://github.com/apache/trafficserver/pull/10564", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/", - "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html", - "https://istio.io/latest/news/security/istio-security-2023-004/", - "https://news.ycombinator.com/item?id=37837043", - "https://security.netapp.com/advisory/ntap-20240621-0007/", - "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715", - "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/", - "https://github.com/dotnet/announcements/issues/277", - "http://www.openwall.com/lists/oss-security/2023/10/20/8", - "https://github.com/kubernetes/kubernetes/pull/121120", - "https://security.paloaltonetworks.com/CVE-2023-44487", - "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/", - "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/", - "https://github.com/junkurihara/rust-rpxy/issues/97", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/", - "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125", - "http://www.openwall.com/lists/oss-security/2023/10/18/4", - "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html", - "https://github.com/facebook/proxygen/pull/466", - 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/", - "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html", - "https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html", - "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/", - "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/", - "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", - "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/", - "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack", - "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack", - "https://news.ycombinator.com/item?id=37831062", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/", - "https://github.com/alibaba/tengine/issues/1872", - "http://www.openwall.com/lists/oss-security/2023/10/18/8", - "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p", - "https://github.com/microsoft/CBL-Mariner/pull/6381", - "https://www.debian.org/security/2023/dsa-5549", - "https://security.netapp.com/advisory/ntap-20240426-0007/", - "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1", - "https://security.netapp.com/advisory/ntap-20240621-0006/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/", - "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088", - 
"https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/", - "https://security.netapp.com/advisory/ntap-20231016-0001/", - "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487", - "https://github.com/nghttp2/nghttp2/pull/1961", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/", - "https://github.com/apache/httpd-site/pull/10", - "https://my.f5.com/manage/s/article/K000137106", - "https://github.com/akka/akka-http/issues/4323", - "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/", - "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487", - "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/", - "https://github.com/line/armeria/pull/5232", - "https://security-tracker.debian.org/tracker/CVE-2023-44487", - "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113", - "https://www.openwall.com/lists/oss-security/2023/10/10/6", - "https://github.com/grpc/grpc-go/pull/6703", - "https://github.com/caddyserver/caddy/issues/5877", - "https://github.com/Azure/AKS/issues/3947", - "https://github.com/nodejs/node/pull/50121", - "https://github.com/haproxy/haproxy/issues/2312", - "https://github.com/ninenines/cowboy/issues/1615", - "http://www.openwall.com/lists/oss-security/2023/10/19/6", - "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf", - "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html", - "https://github.com/openresty/openresty/issues/930", - "https://github.com/bcdannyboy/CVE-2023-44487", - 
"https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764", - "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/", - "https://www.debian.org/security/2023/dsa-5522", - "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack", - "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected", - "https://netty.io/news/2023/10/10/4-1-100-Final.html", - "https://github.com/varnishcache/varnish-cache/issues/3996", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/", - "https://github.com/apache/apisix/issues/10320" - ], - "extended_information": { - "short_description": "A design problem in the implementation of the HTTP/2 protocol may lead to DoS and ease the possibility of DDoS in web server applications by abusing request cancellation.", - "full_description": "[The HTTP (Hypertext Transfer Protocol)](https://developer.mozilla.org/en-US/docs/Web/HTTP) is a fundamental protocol of the World Wide Web, enabling the exchange of data between a client (typically a web browser) and a server. It defines the rules for requesting and transmitting web pages and other resources over the internet. Request and response messages are exchanged as a stream of ASCII characters, sent over a reliable transport layer like TCP.\n\n[HTTP/2](https://http2.github.io/) is a modern network protocol designed to improve the performance and efficiency of web communication. 
It replaces the older HTTP/1.1 protocol and introduces features like header compression and enhanced request cancellation mechanisms, which collectively enhance the speed and responsiveness of websites.\n\nThis request cancellation mechanism allows clients to terminate unnecessary or redundant requests without waiting for a server's response, reducing network congestion and further improving the overall responsiveness of web applications.\n\nHTTP/2 resolves numerous concerns found in HTTP/1.1 by organizing each HTTP message into a series of HTTP/2 frames. These frames include type, length, flags, stream identifier (ID), and payload. The stream ID is essential in clearly associating specific bytes on the network with their corresponding messages, facilitating secure multiplexing and concurrent processing. These streams are bidirectional, enabling clients to transmit frames, and servers to respond with frames using the same ID.\n\nAs detailed in [this technical analysis](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/), there's a vulnerability in the way request cancellation is implemented. The flaw lies in the process of sending an excessive number of requests (specifically, `HEADERS` frames), each immediately followed by a request cancellation frame utilizing the `RST_STREAM` frame. This sequence rapidly leads to a substantial consumption of server-side resources. 
Consequently, this vulnerability amplifies the risk of Distributed Denial of Service (DDoS) attacks, making it easier to overwhelm and exhaust the server's available resources.\n\nA lot of server applications are vulnerable to the Http/2 Rapid Reset attack.\nHowever, note that HTTP/2 must be enabled, which is not the default configuration on most applications (excluding nghttp2 for example).\nA non-exhaustive list of these vulnerable web applications:\n```\n- Tomcat\n- Jetty\n- NGINX on certain conditions\n- nghttp2\n- Netty\n```", - "jfrog_research_severity": "High", - "jfrog_research_severity_reasons": [ - { - "name": "The issue has been reported to be actively exploited in public networks", - "description": "Cloudflare identified this vulnerability being exploited in a DDoS attack of unprecedented scale on August 25, 2023, which surpassed their previous largest recorded attack by almost threefold." - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "The attacker should attack a web server application with HTTP/2 protocol enabled and no (or a high) keepalive-requests options.", - "is_positive": true - }, - { - "name": "The issue can be exploited by attackers over the network" - }, - { - "name": "The issue has an exploit published", - "description": "A [PoC exists](https://github.com/imabee101/CVE-2023-44487) for this issue" - }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "This issue can lead to DoS on popular server applications using HTTP/2 protocol and ease the possibility of DDoS attack." - }, - { - "name": "The issue has multiple mentions in general media", - "description": "The vulnerability received extensive media coverage from Google, Cloudflare, and more." 
- } - ], - "remediation": "##### Deployment mitigations\n\nA possible mitigation is to limit the maximum number of requests that can be made over a single keep-alive connection.\n\n##### Deployment mitigations\n\nFor NGINX:\n\nDisabling HTTP/2 in NGINX is not necessary. Simply ensure you have configured:\n\n- `keepalive_requests` should be kept at the default setting of 1000 requests\n- `http2_max_concurrent_streams` should be kept at the default setting of 128 streams\n- `limit_conn` and `limit_req` should be set \"with a reasonable setting balancing application performance and security\"\n\n##### Development mitigations\n\nFor Nghttp2:\nImplement `nghttp2_on_frame_recv_callback` callback function, and check and count `RST_STREAM` frames. If an excessive number of `RST_STREAM` frames are received, then take action, such as dropping the connection silently, or calling `nghttp2_submit_goaway` and gracefully terminate the connection.\n```c\n#include \u003cnghttp2/nghttp2.h\u003e\n\n// Callback function for handling frame reception\nint on_frame_recv_callback(nghttp2_session* session,\n const nghttp2_frame* frame, void* user_data) {\n // Check if the received frame is an RST_STREAM frame\n if (frame-\u003ehd.type == NGHTTP2_RST_STREAM) {\n // Increment a counter for RST_STREAM frames\n int* rst_stream_counter = (int*)user_data;\n (*rst_stream_counter)++;\n \n // Define a threshold for excessive RST_STREAM frames\n int rst_stream_threshold = 10; // Adjust this value as needed\n \n // If the threshold is exceeded, take action (e.g., close the connection)\n if (*rst_stream_counter \u003e rst_stream_threshold) {\n // Here, you can choose to close the connection gracefully or drop it\n // For demonstration purposes, we'll just print a message\n printf(\"Excessive RST_STREAM frames received. 
Closing the connection.\\n\");\n // You can call nghttp2_submit_goaway() to send a GOAWAY frame if needed.\n // nghttp2_submit_goaway(session, NGHTTP2_FLAG_NONE, error_code, opaque_data);\n // Then, close the connection.\n }\n }\n \n // Continue processing other frames if needed\n return 0;\n}\n\nint main() {\n // Initialize nghttp2_session and set up the on_frame_recv_callback\n nghttp2_session* session;\n int rst_stream_counter = 0;\n \n // Initialize nghttp2_session, set up callbacks, etc.\n // ...\n\n // Set the user data to be passed to the callback\n nghttp2_session_user_data(session, \u0026rst_stream_counter);\n \n // Register the on_frame_recv_callback\n nghttp2_session_callbacks* callbacks;\n nghttp2_session_callbacks_new(\u0026callbacks);\n nghttp2_session_callbacks_set_on_frame_recv_callback(callbacks, on_frame_recv_callback);\n // Other callback registrations here...\n \n // Attach the callbacks to the session\n nghttp2_session_server_new(\u0026session, callbacks, \u0026rst_stream_counter);\n \n // Start processing HTTP/2 frames\n // ...\n\n // Cleanup and finish the program\n // ...\n\n return 0;\n}\n```\n\n##### Development mitigations\n\nFor Golang:\n\nThe default stream concurrency limit in `golang` is `250 streams (requests) per HTTP/2 connection`. 
This value may be adjusted in the `golang.org/x/net/http2` package using the `Server.MaxConcurrentStreams` setting and the `ConfigureServer` function which are available in `golang.org/x/net/http2`.\n\n```go\nimport (\n\t\"fmt\"\n\t\"golang.org/x/net/http2\"\n\t\"net/http\"\n)\n\nfunc main() {\n\t// Create an HTTP/2 server instance\n\thttp2Server := \u0026http2.Server{}\n\n\t// Set the desired stream concurrency limit\n\tmaxConcurrentStreams := 500 // Change this to your desired limit\n\thttp2Server.MaxConcurrentStreams = uint32(maxConcurrentStreams)\n\n\t// Configure an HTTP server to use HTTP/2 with the adjusted settings\n\tserver := \u0026http.Server{\n\t\tAddr: \":8080\",\n\t\tHandler: http.HandlerFunc(handleRequest),\n\t}\n\thttp2.ConfigureServer(server, http2Server)\n\n\t// Start the HTTP server\n\terr := server.ListenAndServeTLS(\"cert.pem\", \"key.pem\")\n\tif err != nil {\n\t\tfmt.Println(\"Error:\", err)\n\t}\n}\n```\n\n##### Development mitigations\n\nFor netty:\n```java\nimport io.netty.handler.codec.http2.Http2FrameListener;\nimport io.netty.handler.codec.http2.Http2FrameStream;\nimport io.netty.handler.codec.http2.Http2ResetFrame;\nimport io.netty.handler.codec.http2.Http2HeadersFrame;\n\npublic class CustomHttp2FrameListener implements Http2FrameListener {\n private int rstFrameCount = 0;\n private int maxRstFrameCount = 10; // Adjust this to your desired limit\n private long resetTimeMillis = System.currentTimeMillis();\n private long resetTimeIntervalMillis = 60000; // 60 seconds\n\n @Override\n public int onDataRead(Http2FrameStream stream, byte[] data, int padding, boolean endOfStream) {\n // Handle data frames if needed\n return 0;\n }\n\n @Override\n public void onHeadersRead(Http2FrameStream stream, Http2HeadersFrame headersFrame) {\n // Handle headers frames if needed\n }\n\n @Override\n public void onHeadersRead(Http2FrameStream stream, Http2HeadersFrame headersFrame, boolean endOfStream) {\n // Handle headers frames if needed\n }\n\n 
@Override\n public void onRstStreamRead(Http2FrameStream stream, Http2ResetFrame resetFrame) {\n long currentTimeMillis = System.currentTimeMillis();\n \n // Check if the reset time interval has passed, and reset the count if needed\n if (currentTimeMillis - resetTimeMillis \u003e= resetTimeIntervalMillis) {\n rstFrameCount = 0;\n resetTimeMillis = currentTimeMillis;\n }\n \n rstFrameCount++;\n \n // Check if the count exceeds the limit\n if (rstFrameCount \u003e maxRstFrameCount) {\n // Take action, e.g., close the connection, log, or drop frames\n // You can use stream or resetFrame to get more context if needed.\n // To close the connection, you can use stream.connection().close();\n }\n }\n}\n```" - } - }, - { - "cves": [ - { - "cve": "CVE-2023-45853", - "cvss_v3_score": "9.8", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cwe": [ - "CWE-190" - ], - "cwe_details": { - "CWE-190": { - "name": "Integer Overflow or Wraparound", - "description": "The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "14" - } - ] - } - } - } - ], - "summary": "MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. 
NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.", - "severity": "Critical", - "components": { - "deb://debian:bookworm:zlib1g:1:1.2.13.dfsg-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:zlib1g:1:1.2.13.dfsg-1", - "full_path": "zlib1g:1:1.2.13.dfsg-1" - } - ] - ] - } - }, - "issue_id": "XRAY-533715", - "references": [ - "http://www.openwall.com/lists/oss-security/2024/01/24/10", - "http://www.openwall.com/lists/oss-security/2023/10/20/9", - "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4", - "https://www.winimage.com/zLibDll/minizip.html", - "https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", - "https://pypi.org/project/pyminizip/#history", - "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", - "https://security.gentoo.org/glsa/202401-18", - "https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356", - "https://github.com/madler/zlib/pull/843", - "https://security.netapp.com/advisory/ntap-20231130-0009/", - "https://security-tracker.debian.org/tracker/CVE-2023-45853" - ], - "extended_information": { - "short_description": "A heap buffer overflow in zlib may lead to remote code execution when parsing a malicious archive.", - "jfrog_research_severity": "High", - "jfrog_research_severity_reasons": [ - { - "name": "The issue has an exploit published", - "description": "PoC demonstrates a heap overflow that crashes the application. 
Although not demonstrated, it is likely that an RCE exploit could be developed, since zip-processing may allow many heap-shaping primitives needed for a full RCE exploit." - }, - { - "name": "The issue can be exploited by attackers over the network", - "description": "An attacker could compromise a server that is using the `zlib` library to zip or unzip any files." - }, - { - "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", - "description": "The CVSS score does not reflect the context-dependent nature of this vulnerability.", - "is_positive": true - }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "Remote code execution." - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "An attacker must find a way to upload a crafted zip archive, that is subsequently processed by the vulnerable `zipOpenNewFileInZip4_64` function.", - "is_positive": true - } - ], - "remediation": "##### Development mitigations\n\nMake sure that files with names larger than 65536 characters are not parsed using `zlib`.\n\nAlso, a fix currently exists in the `develop` branch of `zlib` and can be deployed manually." 
- } - }, - { - "cves": [ - { - "cve": "CVE-2024-37371", - "cvss_v3_score": "9.1", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", - "cwe": [ - "NVD-CWE-Other" - ] - } - ], - "summary": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", - "severity": "Critical", - "components": { - "deb://debian:bookworm:libgssapi-krb5-2:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libgssapi-krb5-2:1.20.1-2+deb12u1", - "full_path": "libgssapi-krb5-2:1.20.1-2+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libk5crypto3:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libk5crypto3:1.20.1-2+deb12u1", - "full_path": "libk5crypto3:1.20.1-2+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libkrb5-3:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": 
"sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libkrb5-3:1.20.1-2+deb12u1", - "full_path": "libkrb5-3:1.20.1-2+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libkrb5support0:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libkrb5support0:1.20.1-2+deb12u1", - "full_path": "libkrb5support0:1.20.1-2+deb12u1" - } - ] - ] - } - }, - "issue_id": "XRAY-607813", - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2024-37371", - "https://web.mit.edu/kerberos/www/advisories/", - "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef" - ] - }, - { - "cves": [ - { - "cve": "CVE-2024-37370", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cwe": [ - "NVD-CWE-noinfo" - ] - } - ], - "summary": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", - "severity": "High", - "components": { - "deb://debian:bookworm:libgssapi-krb5-2:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": 
"deb://debian:bookworm:libgssapi-krb5-2:1.20.1-2+deb12u1", - "full_path": "libgssapi-krb5-2:1.20.1-2+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libk5crypto3:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libk5crypto3:1.20.1-2+deb12u1", - "full_path": "libk5crypto3:1.20.1-2+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libkrb5-3:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libkrb5-3:1.20.1-2+deb12u1", - "full_path": "libkrb5-3:1.20.1-2+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libkrb5support0:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libkrb5support0:1.20.1-2+deb12u1", - "full_path": "libkrb5support0:1.20.1-2+deb12u1" - } - ] - ] - } - }, - "issue_id": "XRAY-607812", - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2024-37370", - 
"https://web.mit.edu/kerberos/www/advisories/", - "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef" - ] - }, - { - "cves": [ - { - "cve": "CVE-2011-0283", - "cvss_v2_score": "5.0", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", - "cwe": [ - "NVD-CWE-Other" - ] - } - ], - "summary": "The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.9 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed request packet that does not trigger a response packet.", - "severity": "Medium", - "components": { - "deb://debian:bookworm:libgssapi-krb5-2:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libgssapi-krb5-2:1.20.1-2+deb12u1", - "full_path": "libgssapi-krb5-2:1.20.1-2+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libk5crypto3:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libk5crypto3:1.20.1-2+deb12u1", - "full_path": "libk5crypto3:1.20.1-2+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libkrb5-3:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": 
"generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libkrb5-3:1.20.1-2+deb12u1", - "full_path": "libkrb5-3:1.20.1-2+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libkrb5support0:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libkrb5support0:1.20.1-2+deb12u1", - "full_path": "libkrb5support0:1.20.1-2+deb12u1" - } - ] - ] - } - }, - "issue_id": "XRAY-515010", - "references": [ - "http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-002.txt", - "http://www.securityfocus.com/bid/46272", - "http://securityreason.com/securityalert/8073", - "http://www.vupen.com/english/advisories/2011/0330", - "http://secunia.com/advisories/43260", - "http://www.securitytracker.com/id?1025037", - "http://www.securityfocus.com/archive/1/516299/100/0/threaded", - "https://security-tracker.debian.org/tracker/CVE-2011-0283" - ] - }, - { - "cves": [ - { - "cve": "CVE-2024-26462" - } - ], - "summary": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.", - "severity": "Unknown", - "components": { - "deb://debian:bookworm:libgssapi-krb5-2:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": 
"generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libgssapi-krb5-2:1.20.1-2+deb12u1", - "full_path": "libgssapi-krb5-2:1.20.1-2+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libk5crypto3:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libk5crypto3:1.20.1-2+deb12u1", - "full_path": "libk5crypto3:1.20.1-2+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libkrb5-3:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libkrb5-3:1.20.1-2+deb12u1", - "full_path": "libkrb5-3:1.20.1-2+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libkrb5support0:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - 
"component_id": "deb://debian:bookworm:libkrb5support0:1.20.1-2+deb12u1", - "full_path": "libkrb5support0:1.20.1-2+deb12u1" - } - ] - ] - } - }, - "issue_id": "XRAY-592118", - "references": [ - "https://security.netapp.com/advisory/ntap-20240415-0012/", - "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_3.md", - "https://security-tracker.debian.org/tracker/CVE-2024-26462" - ] - }, - { - "cves": [ - { - "cve": "CVE-2024-26458" - } - ], - "summary": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.", - "severity": "Unknown", - "components": { - "deb://debian:bookworm:libgssapi-krb5-2:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libgssapi-krb5-2:1.20.1-2+deb12u1", - "full_path": "libgssapi-krb5-2:1.20.1-2+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libk5crypto3:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libk5crypto3:1.20.1-2+deb12u1", - "full_path": "libk5crypto3:1.20.1-2+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libkrb5-3:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": 
"generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libkrb5-3:1.20.1-2+deb12u1", - "full_path": "libkrb5-3:1.20.1-2+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libkrb5support0:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libkrb5support0:1.20.1-2+deb12u1", - "full_path": "libkrb5support0:1.20.1-2+deb12u1" - } - ] - ] - } - }, - "issue_id": "XRAY-592120", - "references": [ - "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md", - "https://security-tracker.debian.org/tracker/CVE-2024-26458", - "https://security.netapp.com/advisory/ntap-20240415-0010/" - ] - }, - { - "cves": [ - { - "cve": "CVE-2018-5709", - "cvss_v2_score": "5.0", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "cwe": [ - "CWE-190" - ], - "cwe_details": { - "CWE-190": { - "name": "Integer Overflow or Wraparound", - "description": "The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. 
This can introduce other weaknesses when the calculation is used for resource management or execution control.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "14" - } - ] - } - } - } - ], - "summary": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry-\u003en_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", - "severity": "Low", - "components": { - "deb://debian:bookworm:libgssapi-krb5-2:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libgssapi-krb5-2:1.20.1-2+deb12u1", - "full_path": "libgssapi-krb5-2:1.20.1-2+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libk5crypto3:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libk5crypto3:1.20.1-2+deb12u1", - "full_path": "libk5crypto3:1.20.1-2+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libkrb5-3:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - 
"component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libkrb5-3:1.20.1-2+deb12u1", - "full_path": "libkrb5-3:1.20.1-2+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libkrb5support0:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libkrb5support0:1.20.1-2+deb12u1", - "full_path": "libkrb5support0:1.20.1-2+deb12u1" - } - ] - ] - } - }, - "issue_id": "XRAY-60750", - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2018-5709", - "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E", - "https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow" - ], - "extended_information": { - "short_description": "(Non-issue) Integer truncation in Kerberos5 leads to no impact when processing a crafted Kerberos5 beta7 format database file.", - "full_description": "[Kerberos](https://web.mit.edu/kerberos/) is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology. 
Kerberos is available in many commercial products as well.\n\nA [Kerberos database](https://web.mit.edu/kerberos/krb5-1.12/doc/admin/database.html) contains all of a realm’s Kerberos principals, their passwords, and other administrative information about each principal. For the most part, you will use the `kdb5_util` program to manipulate the Kerberos database as a whole, and the `kadmin` program to make changes to the entries in the database. \n\nIn `kdb5_util`, there is a `process_k5beta7_princ` method responsible for adding Kerberos 5 beta 7 format data from a file to the Kerberos database. This function is vulnerable to integer overflow as a Database entry defined on 16-bits is assigned a 32-bits value from the given file. It turns out that it does not have any impact at all and it is not a security flaw.\n\nOriginally, the vulnerability was mistakenly reported as an Integer Overflow.\nThe issue should not affect any other data allocated close to the 16-bit integer in question. Furthermore, a negative value of the 16-bit integer does not impact the flow of the program in any meaningful way.\n\nTo trigger the integer truncation, an attacker has to get the user to use the `kdb5_util` utility to restore a Kerberos 5 - beta 7 format - database from a crafted malicious file. 
It can be done using the following command:\n```\nkdb5_util load -d DB_NAME DB_FILE \n```", - "jfrog_research_severity": "Low", - "jfrog_research_severity_reasons": [ - { - "name": "Exploiting the issue requires the user to interact with the vulnerable software", - "description": "Requires the user to restore the Kerberos Database from a crafted malicious file, which is unlikely.", - "is_positive": true - }, - { - "name": "The issue cannot result in a severe impact (such as remote code execution)", - "description": "The integer truncation doesn't affect data allocated near the 16-bit integer and doesn't have any meaningful impact.", - "is_positive": true - }, - { - "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", - "description": "The CVSS does not reflect the fact that the vulnerability does not have any security impact.", - "is_positive": true - }, - { - "name": "The prerequisites for exploiting the issue are extremely unlikely", - "description": "A Kerberos database is not restored often. The attacker must find a way to get the user to restore the database from a crafted file. If the attacker has access to the backup file, it can be modified even without exploiting this vulnerability. 
The vulnerability only helps by making the attacker's modifications to the backup file seem legitimate when manually inspected.", - "is_positive": true - } - ] - } - }, - { - "cves": [ - { - "cve": "CVE-2024-26461" - } - ], - "summary": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.", - "severity": "Unknown", - "components": { - "deb://debian:bookworm:libgssapi-krb5-2:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libgssapi-krb5-2:1.20.1-2+deb12u1", - "full_path": "libgssapi-krb5-2:1.20.1-2+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libk5crypto3:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libk5crypto3:1.20.1-2+deb12u1", - "full_path": "libk5crypto3:1.20.1-2+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libkrb5-3:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - 
"component_id": "deb://debian:bookworm:libkrb5-3:1.20.1-2+deb12u1", - "full_path": "libkrb5-3:1.20.1-2+deb12u1" - } - ] - ] - }, - "deb://debian:bookworm:libkrb5support0:1.20.1-2+deb12u1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libkrb5support0:1.20.1-2+deb12u1", - "full_path": "libkrb5support0:1.20.1-2+deb12u1" - } - ] - ] - } - }, - "issue_id": "XRAY-592121", - "references": [ - "https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md", - "https://security.netapp.com/advisory/ntap-20240415-0011/", - "https://security-tracker.debian.org/tracker/CVE-2024-26461" - ] - }, - { - "cves": [ - { - "cve": "CVE-2024-38950" - } - ], - "summary": "Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to __interceptor_memcpy function.", - "severity": "Unknown", - "components": { - "deb://debian:bookworm:libde265-0:1.0.11-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libde265-0:1.0.11-1", - "full_path": "libde265-0:1.0.11-1" - } - ] - ] - } - }, - "issue_id": "XRAY-607770", - "references": [ - "https://github.com/strukturag/libde265/issues/460", - "https://security-tracker.debian.org/tracker/CVE-2024-38950", - 
"https://github.com/zhangteng0526/CVE-information/blob/main/CVE-2024-38950" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-51792" - } - ], - "summary": "Buffer Overflow vulnerability in libde265 v1.0.12 allows a local attacker to cause a denial of service via the allocation size exceeding the maximum supported size of 0x10000000000.", - "severity": "Unknown", - "components": { - "deb://debian:bookworm:libde265-0:1.0.11-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libde265-0:1.0.11-1", - "full_path": "libde265-0:1.0.11-1" - } - ] - ] - } - }, - "issue_id": "XRAY-599139", - "references": [ - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LE3ASLH6QF2E5OVJI5VA3JSEPJFFFMNY/", - "https://github.com/strukturag/libde265", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IPETICRXUOGRIM4U3BCRTIKE3IZWCSBT/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6G7EYH2JAK5OJPVNC6AXYQ5K7YGYNCDN/", - "https://github.com/strukturag/libde265/issues/427", - "https://security-tracker.debian.org/tracker/CVE-2023-51792" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-49465", - "cvss_v3_score": "8.8", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cwe": [ - "CWE-787" - ], - "cwe_details": { - "CWE-787": { - "name": "Out-of-bounds Write", - "description": "The product writes data past the end, or before the beginning, of the intended buffer.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "1" - } - ] - } - } - } - ], - 
"summary": "Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_prediction function at motion.cc.", - "severity": "High", - "components": { - "deb://debian:bookworm:libde265-0:1.0.11-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libde265-0:1.0.11-1", - "full_path": "libde265-0:1.0.11-1" - } - ] - ] - } - }, - "issue_id": "XRAY-540366", - "references": [ - "https://github.com/strukturag/libde265/issues/435", - "https://lists.debian.org/debian-lts-announce/2023/12/msg00022.html", - "https://security-tracker.debian.org/tracker/CVE-2023-49465" - ], - "extended_information": { - "short_description": "A non-proven heap buffer overflow in libde265 may lead to remote code execution when parsing attacker-supplied H.265 data.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "The impact of exploiting the issue depends on the context of surrounding software. 
A severe impact such as RCE is not guaranteed.", - "description": "The attacker must be able to provide remote input that will be parsed by H.265, for example - `./dec265 attacker_input`.\nThe exploit only works on a small percent of executions, since the impact of parsing a malicious Atari DEGAS Elite bitmap file is contingent on the current heap state.", - "is_positive": true - }, - { - "name": "No high-impact exploit or technical writeup were published, and exploitation of the issue with high impact is either non-trivial or completely unproven", - "description": "Although a PoC was linked to the issue, the maintainer was not able to reproduce the corruption. In addition, the heap buffer overflow was not proven to be able to cause remote code execution.", - "is_positive": true - }, - { - "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", - "description": "The CVSS does not take into account the non-trivial exploitation.", - "is_positive": true - } - ] - } - }, - { - "cves": [ - { - "cve": "CVE-2023-43887", - "cvss_v3_score": "8.1", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", - "cwe": [ - "CWE-120" - ], - "cwe_details": { - "CWE-120": { - "name": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", - "description": "The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow." 
- } - } - } - ], - "summary": "Libde265 v1.0.12 was discovered to contain multiple buffer overflows via the num_tile_columns and num_tile_row parameters in the function pic_parameter_set::dump.", - "severity": "High", - "components": { - "deb://debian:bookworm:libde265-0:1.0.11-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libde265-0:1.0.11-1", - "full_path": "libde265-0:1.0.11-1" - } - ] - ] - } - }, - "issue_id": "XRAY-538327", - "references": [ - "https://lists.debian.org/debian-lts-announce/2023/11/msg00032.html", - "https://security-tracker.debian.org/tracker/CVE-2023-43887", - "https://github.com/strukturag/libde265/issues/418", - "https://github.com/strukturag/libde265/commit/63b596c915977f038eafd7647d1db25488a8c133" - ], - "extended_information": { - "short_description": "An out of bounds read in libde265 may lead to denial of service or data leakage when decoding attacker-supplied data in a non-default configuration.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "The attacker has to be able to decode crafted H.265 files with the non-default dump headers option enabled. For example - `./dec265 -d attacker_input`", - "is_positive": true - }, - { - "name": "The issue has an exploit published", - "description": "The Github issue has a linked PoC." 
- }, - { - "name": "The issue has a detailed technical explanation published, that can aid in exploit development", - "description": "The Github issue carefully explains the vulnerability." - } - ] - } - }, - { - "cves": [ - { - "cve": "CVE-2023-27103", - "cvss_v3_score": "8.8", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cwe": [ - "CWE-787" - ], - "cwe_details": { - "CWE-787": { - "name": "Out-of-bounds Write", - "description": "The product writes data past the end, or before the beginning, of the intended buffer.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "1" - } - ] - } - } - } - ], - "summary": "Libde265 v1.0.11 was discovered to contain a heap buffer overflow via the function derive_collocated_motion_vectors at motion.cc.", - "severity": "High", - "components": { - "deb://debian:bookworm:libde265-0:1.0.11-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libde265-0:1.0.11-1", - "full_path": "libde265-0:1.0.11-1" - } - ] - ] - } - }, - "issue_id": "XRAY-427848", - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2023-27103", - "https://github.com/strukturag/libde265/issues/394", - "https://lists.debian.org/debian-lts-announce/2023/11/msg00032.html" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-47471", - "cvss_v3_score": "6.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-120" - ], - "cwe_details": { - "CWE-120": { - "name": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", - "description": "The product copies an input buffer to an output buffer without 
verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow." - } - } - } - ], - "summary": "Buffer Overflow vulnerability in strukturag libde265 v1.10.12 allows a local attacker to cause a denial of service via the slice_segment_header function in the slice.cc component.", - "severity": "Medium", - "components": { - "deb://debian:bookworm:libde265-0:1.0.11-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libde265-0:1.0.11-1", - "full_path": "libde265-0:1.0.11-1" - } - ] - ] - } - }, - "issue_id": "XRAY-537162", - "references": [ - "https://github.com/strukturag/libde265/commit/e36b4a1b0bafa53df47514c419d5be3e8916ebc7", - "https://security-tracker.debian.org/tracker/CVE-2023-47471", - "https://lists.debian.org/debian-lts-announce/2023/11/msg00032.html", - "https://github.com/strukturag/libde265/issues/426" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-27102", - "cvss_v3_score": "6.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-476" - ], - "cwe_details": { - "CWE-476": { - "name": "NULL Pointer Dereference", - "description": "A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "12" - } - ] - } - } - } - ], - "summary": "Libde265 v1.0.11 was discovered to contain a segmentation violation via the function decoder_context::process_slice_segment_header at decctx.cc.", - "severity": "Medium", - "components": { - 
"deb://debian:bookworm:libde265-0:1.0.11-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libde265-0:1.0.11-1", - "full_path": "libde265-0:1.0.11-1" - } - ] - ] - } - }, - "issue_id": "XRAY-427847", - "references": [ - "https://github.com/strukturag/libde265/issues/393", - "https://security-tracker.debian.org/tracker/CVE-2023-27102", - "https://lists.debian.org/debian-lts-announce/2023/11/msg00032.html" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-49468", - "cvss_v3_score": "8.8", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cwe": [ - "CWE-787" - ], - "cwe_details": { - "CWE-787": { - "name": "Out-of-bounds Write", - "description": "The product writes data past the end, or before the beginning, of the intended buffer.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "1" - } - ] - } - } - } - ], - "summary": "Libde265 v1.0.14 was discovered to contain a global buffer overflow vulnerability in the read_coding_unit function at slice.cc.", - "severity": "High", - "components": { - "deb://debian:bookworm:libde265-0:1.0.11-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libde265-0:1.0.11-1", - "full_path": "libde265-0:1.0.11-1" - } - ] - ] - } - }, - "issue_id": "XRAY-540358", - 
"references": [ - "https://lists.debian.org/debian-lts-announce/2023/12/msg00022.html", - "https://security-tracker.debian.org/tracker/CVE-2023-49468", - "https://github.com/strukturag/libde265/issues/432" - ], - "extended_information": { - "short_description": "A buffer overflow (in a global variable) in libde265 causes memory corruption leading to DoS and possibly code execution, when parsing attacker-supplied H.265 data.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "The issue has an exploit published", - "description": "The provided PoC demonstrates a crash." - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "The attacker must be able to provide remote input that will be parsed by H.265, for example - `./dec265 attacker_input`.", - "is_positive": true - }, - { - "name": "No high-impact exploit or technical writeup were published, and exploitation of the issue with high impact is either non-trivial or completely unproven", - "description": "The impact of this vulnerability depends on the implementation of the vulnerable library. Substantial research has to be conducted to determine the exact impact this vulnerability could have. 
Code execution is not always achievable through a buffer overflow in a global variable.", - "is_positive": true - } - ] - } - }, - { - "cves": [ - { - "cve": "CVE-2023-49467", - "cvss_v3_score": "8.8", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cwe": [ - "CWE-787" - ], - "cwe_details": { - "CWE-787": { - "name": "Out-of-bounds Write", - "description": "The product writes data past the end, or before the beginning, of the intended buffer.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "1" - } - ] - } - } - } - ], - "summary": "Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_combined_bipredictive_merging_candidates function at motion.cc.", - "severity": "High", - "components": { - "deb://debian:bookworm:libde265-0:1.0.11-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libde265-0:1.0.11-1", - "full_path": "libde265-0:1.0.11-1" - } - ] - ] - } - }, - "issue_id": "XRAY-540357", - "references": [ - "https://github.com/strukturag/libde265/issues/434", - "https://security-tracker.debian.org/tracker/CVE-2023-49467", - "https://lists.debian.org/debian-lts-announce/2023/12/msg00022.html" - ], - "extended_information": { - "short_description": "An infinite loop in libde265 leads to DoS when parsing attacker-supplied H.265 data.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", - "description": "The CVSS does not take into account the 
non-trivial exploitation prerequisites. In addition, the CVSS alludes that remote code execution is possible, while in reality the worst impact of exploiting this issue is denial of service.", - "is_positive": true - }, - { - "name": "The impact of exploiting the issue depends on the context of surrounding software. A severe impact such as RCE is not guaranteed.", - "description": "The attacker must be able to provide remote input that will be parsed by H.265, for example - `./dec265 attacker_input`.", - "is_positive": true - } - ] - } - }, - { - "cves": [ - { - "cve": "CVE-2024-38949" - } - ], - "summary": "Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to display444as420 function at sdl.cc", - "severity": "Unknown", - "components": { - "deb://debian:bookworm:libde265-0:1.0.11-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libde265-0:1.0.11-1", - "full_path": "libde265-0:1.0.11-1" - } - ] - ] - } - }, - "issue_id": "XRAY-607769", - "references": [ - "https://github.com/strukturag/libde265/issues/460", - "https://github.com/zhangteng0526/CVE-information/blob/main/CVE-2024-38949", - "https://security-tracker.debian.org/tracker/CVE-2024-38949" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-6246", - "cvss_v3_score": "7.8", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "cwe": [ - "CWE-787" - ], - "cwe_details": { - "CWE-787": { - "name": "Out-of-bounds Write", - "description": "The product writes data past the end, or before the beginning, of the intended buffer.", - "categories": [ - { - "category": 
"2023 CWE Top 25", - "rank": "1" - } - ] - } - } - } - ], - "summary": "A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.", - "severity": "High", - "components": { - "deb://debian:bookworm:libc-bin:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc-bin:2.36-9+deb12u3", - "full_path": "libc-bin:2.36-9+deb12u3" - } - ] - ] - }, - "deb://debian:bookworm:libc6:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc6:2.36-9+deb12u3", - "full_path": "libc6:2.36-9+deb12u3" - } - ] - ] - } - }, - "issue_id": "XRAY-589627", - "references": [ - "https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2FIH77VHY3KCRROCXOT6L27WMZXSJ2G/", - "https://security.netapp.com/advisory/ntap-20240216-0007/", - 
"https://security-tracker.debian.org/tracker/CVE-2023-6246", - "https://access.redhat.com/security/cve/CVE-2023-6246", - "http://packetstormsecurity.com/files/176931/glibc-qsort-Out-Of-Bounds-Read-Write.html", - "http://seclists.org/fulldisclosure/2024/Feb/5", - "https://www.openwall.com/lists/oss-security/2024/01/30/6", - "http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html", - "https://bugzilla.redhat.com/show_bug.cgi?id=2249053", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWQ6BZJ6CV5UAW4VZSKJ6TO4KIW2KWAQ/", - "https://security.gentoo.org/glsa/202402-01", - "http://seclists.org/fulldisclosure/2024/Feb/3" - ], - "extended_information": { - "short_description": "A heap buffer overflow in glibc may lead to local privilege escalation.", - "full_description": "[glibc](https://www.gnu.org/software/libc/) is the GNU C Library, a widely-used implementation of the C standard library.\n\nA vulnerability was identified in __vsyslog_internal(), which is called by the API functions `syslog()` and `vsyslog()` of glibc syslog functionality. Unprivileged users could gain full root access by manipulating syslog inputs.\n\nThe initial prerequisite for exploiting this local privilege escalation is a local SUID executable that contains calls to one of the vulnerable functions `syslog()` and `vsyslog()`. In order to exploit this, the attacker needs to control either argv[0], which typically holds the name of the program being executed, or the `openlog()` ident argument. \n\nAs explained in [Qualys’s research](https://qualys.com/2024/01/30/cve-2023-6246/syslog.txt), the identification string (LogTag) being NULL is essential for exploiting this issue. Thus, the `openlog()` function would need to either not be called, or called with NULL for the ident param for successful exploitation. \n\nIn Qualys’s research, they utilized a code path in the `su` program that doesn’t reach `openlog()`. 
Meaning the default user-controlled, argv[0] was used. Keep in mind another attack vector is possible in a different scenario when the user can control the ident arg of `openlog()`.\n\nSeeing as argv[0] is the name (path) of the running program, it is highly likely for a local attacker to be able to abuse this CVE for a local privilege escalation and unlikely that a remote attacker will have control over this argument for an RCE attack.\n\nQualys demonstrated a successful LPE exploit on Fedora. While no other public exploits are yet known, the threat landscape could evolve. It is likely possible to exploit this on other Linux distributions as well.", - "jfrog_research_severity": "High", - "jfrog_research_severity_reasons": [ - { - "name": "The issue has multiple mentions in general media", - "description": "The vulnerability received extensive media coverage." - }, - { - "name": "The issue has a detailed technical explanation published, that can aid in exploit development", - "description": "This vulnerability has a through technical writeup, which also details an exploit." - }, - { - "name": "The prerequisites for exploiting the issue are either extremely common or nonexistent (always exploitable)", - "description": "As explained in the summary, the requirements to trigger the vulnerability are highly likely on default Linux machines that use a vulnerable version of glibc." - }, - { - "name": "The issue can only be exploited by an attacker that can execute code on the vulnerable machine (excluding exceedingly rare circumstances)", - "description": "This vulnerability requires local access to exploit. It is unlikely to be exploitable in remote scenarios as explained in the summary.", - "is_positive": true - }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "This is a local privilege escalation vulnerability that could enable a local attacker to execute code as a root user." 
- } - ] - } - }, - { - "cves": [ - { - "cve": "CVE-2019-9192", - "cvss_v2_score": "5.0", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-674" - ], - "cwe_details": { - "CWE-674": { - "name": "Uncontrolled Recursion", - "description": "The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack." - } - } - } - ], - "summary": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern", - "severity": "Low", - "components": { - "deb://debian:bookworm:libc-bin:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc-bin:2.36-9+deb12u3", - "full_path": "libc-bin:2.36-9+deb12u3" - } - ] - ] - }, - "deb://debian:bookworm:libc6:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc6:2.36-9+deb12u3", - "full_path": 
"libc6:2.36-9+deb12u3" - } - ] - ] - } - }, - "issue_id": "XRAY-75770", - "references": [ - "https://sourceware.org/bugzilla/show_bug.cgi?id=24269", - "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp%3Butm_medium=RSS", - "https://security-tracker.debian.org/tracker/CVE-2019-9192" - ], - "extended_information": { - "short_description": "Uncontrolled recursion in glibc regexec leads to denial of service.", - "full_description": "The [GNU C Library](https://www.gnu.org/software/libc/), commonly known as glibc, is the GNU Project's implementation of the C standard library.\n\nIn the GNU C Library (aka glibc or libc6) through 2.29, `check_dst_limits_calc_pos_1` in posix/regexec.c has Uncontrolled Recursion, as demonstrated by running grep with the pattern `(|)(\\\\1\\\\1)*`.\n\nNote that in order to exploit this vulnerability, the attacker must control the regular expression **pattern** that glibc uses, unlike standard ReDoS vulnerabilities where only the input buffer needs to be controlled. The The pattern it not likely to be attacker-controlled from remote input.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "The attacker must find a remote input that propagates to the `regex` (pattern) argument of `regcomp` and then sent to `regexec`.\nThis includes controlling the pattern argument of a `grep` invocation.", - "is_positive": true - }, - { - "name": "The issue has been disputed by the vendor", - "description": "The software maintainer disputes that this is not a vulnerability because the behavior occurs only with a crafted pattern. 
Therefore - this issue is unlikely to get a fix.", - "is_positive": true - }, - { - "name": "The prerequisites for exploiting the issue are extremely unlikely", - "description": "It is highly unlikely that a remote attacker will be able to control a regular expression pattern that's used by glibc", - "is_positive": true - }, - { - "name": "The issue has an exploit published" - }, - { - "name": "The issue cannot result in a severe impact (such as remote code execution)", - "description": "Denial of service only, marked as unimportant by the Debian tracker", - "is_positive": true - } - ] - } - }, - { - "cves": [ - { - "cve": "CVE-2023-6779", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-787" - ], - "cwe_details": { - "CWE-787": { - "name": "Out-of-bounds Write", - "description": "The product writes data past the end, or before the beginning, of the intended buffer.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "1" - } - ] - } - } - } - ], - "summary": "An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an application crash. 
This issue affects glibc 2.37 and newer.", - "severity": "High", - "components": { - "deb://debian:bookworm:libc-bin:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc-bin:2.36-9+deb12u3", - "full_path": "libc-bin:2.36-9+deb12u3" - } - ] - ] - }, - "deb://debian:bookworm:libc6:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc6:2.36-9+deb12u3", - "full_path": "libc6:2.36-9+deb12u3" - } - ] - ] - } - }, - "issue_id": "XRAY-589629", - "references": [ - "http://seclists.org/fulldisclosure/2024/Feb/3", - "https://security.netapp.com/advisory/ntap-20240223-0006/", - "https://access.redhat.com/security/cve/CVE-2023-6779", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2FIH77VHY3KCRROCXOT6L27WMZXSJ2G/", - "https://security-tracker.debian.org/tracker/CVE-2023-6779", - "https://www.openwall.com/lists/oss-security/2024/01/30/6", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWQ6BZJ6CV5UAW4VZSKJ6TO4KIW2KWAQ/", - "https://bugzilla.redhat.com/show_bug.cgi?id=2254395", - "https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt", - "https://security.gentoo.org/glsa/202402-01", - 
"http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-6780", - "cvss_v3_score": "5.3", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "cwe": [ - "CWE-131" - ], - "cwe_details": { - "CWE-131": { - "name": "Incorrect Calculation of Buffer Size", - "description": "The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow." - } - } - } - ], - "summary": "An integer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a very long message, leading to an incorrect calculation of the buffer size to store the message, resulting in undefined behavior. This issue affects glibc 2.37 and newer.", - "severity": "Medium", - "components": { - "deb://debian:bookworm:libc-bin:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc-bin:2.36-9+deb12u3", - "full_path": "libc-bin:2.36-9+deb12u3" - } - ] - ] - }, - "deb://debian:bookworm:libc6:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc6:2.36-9+deb12u3", 
- "full_path": "libc6:2.36-9+deb12u3" - } - ] - ] - } - }, - "issue_id": "XRAY-589628", - "references": [ - "http://seclists.org/fulldisclosure/2024/Feb/3", - "https://security.gentoo.org/glsa/202402-01", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWQ6BZJ6CV5UAW4VZSKJ6TO4KIW2KWAQ/", - "https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2FIH77VHY3KCRROCXOT6L27WMZXSJ2G/", - "http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html", - "https://www.openwall.com/lists/oss-security/2024/01/30/6", - "https://access.redhat.com/security/cve/CVE-2023-6780", - "https://security-tracker.debian.org/tracker/CVE-2023-6780", - "https://bugzilla.redhat.com/show_bug.cgi?id=2254396" - ] - }, - { - "cves": [ - { - "cve": "CVE-2024-33601" - } - ], - "summary": "nscd: netgroup cache may terminate daemon on memory allocation failure\n\nThe Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or\nxrealloc and these functions may terminate the process due to a memory\nallocation failure resulting in a denial of service to the clients. 
The\nflaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.", - "severity": "Unknown", - "components": { - "deb://debian:bookworm:libc-bin:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc-bin:2.36-9+deb12u3", - "full_path": "libc-bin:2.36-9+deb12u3" - } - ] - ] - }, - "deb://debian:bookworm:libc6:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc6:2.36-9+deb12u3", - "full_path": "libc6:2.36-9+deb12u3" - } - ] - ] - } - }, - "issue_id": "XRAY-599389", - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2024-33601", - "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0007", - "https://lists.debian.org/debian-lts-announce/2024/06/msg00026.html", - "http://www.openwall.com/lists/oss-security/2024/07/22/5", - "https://security.netapp.com/advisory/ntap-20240524-0014/" - ] - }, - { - "cves": [ - { - "cve": "CVE-2024-33599" - } - ], - "summary": "nscd: Stack-based buffer overflow in netgroup cache\n\nIf the Name Service Cache Daemon's (nscd) fixed size cache is exhausted\nby client requests then a subsequent client request for netgroup data\nmay result in a stack-based buffer overflow. 
This flaw was introduced\nin glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.", - "severity": "Unknown", - "components": { - "deb://debian:bookworm:libc-bin:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc-bin:2.36-9+deb12u3", - "full_path": "libc-bin:2.36-9+deb12u3" - } - ] - ] - }, - "deb://debian:bookworm:libc6:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc6:2.36-9+deb12u3", - "full_path": "libc6:2.36-9+deb12u3" - } - ] - ] - } - }, - "issue_id": "XRAY-599387", - "references": [ - "http://www.openwall.com/lists/oss-security/2024/07/22/5", - "https://security-tracker.debian.org/tracker/CVE-2024-33599", - "https://lists.debian.org/debian-lts-announce/2024/06/msg00026.html", - "https://security.netapp.com/advisory/ntap-20240524-0011/", - "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0005" - ], - "extended_information": { - "short_description": "A stack buffer overflow in the Name Service Cache Daemon (NSCD) in the GNU C library may lead to remote code execution.", - "jfrog_research_severity": "High", - "jfrog_research_severity_reasons": [ - { - "name": "No high-impact exploit or technical writeup were 
published, and exploitation of the issue with high impact is either non-trivial or completely unproven", - "description": "No PoC and no technical writeup were published.", - "is_positive": true - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "The `/etc/nscd.conf` configuration file does not support netgroup caching by default.", - "is_positive": true - }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "Potential remote code execution." - }, - { - "name": "The issue can be exploited by attackers over the network", - "description": "The Name Service Cache Daemon accepts arbitrary network input." - } - ], - "remediation": "##### Deployment mitigations\n\nDisable netgroup caching in the NSCD configuration.\nRemove the following line from `/etc/nscd.conf` -\n```\nenable-cache netgroup yes\n```" - } - }, - { - "cves": [ - { - "cve": "CVE-2019-1010022", - "cvss_v2_score": "7.5", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P", - "cvss_v3_score": "9.8", - "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cwe": [ - "CWE-119" - ], - "cwe_details": { - "CWE-119": { - "name": "Improper Restriction of Operations within the Bounds of a Memory Buffer", - "description": "The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "17" - } - ] - } - } - } - ], - "summary": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. 
NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.", - "severity": "Low", - "components": { - "deb://debian:bookworm:libc-bin:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc-bin:2.36-9+deb12u3", - "full_path": "libc-bin:2.36-9+deb12u3" - } - ] - ] - }, - "deb://debian:bookworm:libc6:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc6:2.36-9+deb12u3", - "full_path": "libc6:2.36-9+deb12u3" - } - ] - ] - } - }, - "issue_id": "XRAY-84860", - "references": [ - "https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3", - "https://security-tracker.debian.org/tracker/CVE-2019-1010022", - "https://ubuntu.com/security/CVE-2019-1010022", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22850" - ], - "extended_information": { - "short_description": "Insufficient mitigation implementation in glibc's pthread could lead to an attacker bypassing the stack protector/canary mitigation.", - "full_description": "The [GNU C Library](https://www.gnu.org/s/libc/), commonly known as glibc, is the GNU Project's implementation of the C standard library.\n\nA well-known issue leads to the fact that in applications that call `pthread_create()`, if a large stack 
buffer overflow occurs, the stack overflow may overwrite both the reference value of the stack canary and the canary that's saved inside the stack-frame. This leads to a complete bypass of the \"stack protector\" mitigation.\n\nSpecifically, The stack protector (\"canary\") should protect an application from been exploited by stack-based buffer overflows. It is placed on stack frame in function prologue and checked with some trusted value in the function epilogue.\n\nFor x86 and x86-64 architecture the canary value is located in structure `tcbhead_t` field `stack_guard`. A Special register ('gs' for i386 and 'fs' for x86-64) keeps a pointer to this structure. The value `tcbhead_t.stack_guard` is compared with one on the stack to detect stack smashing.\n\nNPTL (Native POSIX Threads Library) is the GNU C library POSIX threads implementation that is used on modern Linux systems. When a `pthread` (new thread) is created, it will keep the `tcphead_t` structure in the thread stack. Thus, an attacker can overwrite the \"reference\" stack-canary value (since it's saved on the stack) by means of stack overflow in a new thread.\n\nThis vulnerability was disputed by the libc maintainers, since it is a well-known issue and not a standalone vulnerability but rather a vulnerability in a mitigation mechanism.", - "jfrog_research_severity": "Low", - "jfrog_research_severity_reasons": [ - { - "name": "The issue has an exploit published", - "description": "The PoC demonstrates changing the \"retained\" stack-canary value" - }, - { - "name": "The issue cannot be exploited on its own, and can only be used as part of an attack chain", - "description": "Exploitation of this issue requires exploiting a different stack-buffer-overflow vulnerability in the target application", - "is_positive": true - }, - { - "name": "The issue has been disputed by the vendor", - "description": "The Libc maintainers treat this issue as a non-security bug, since it is a vulnerability in a post-attack 
mitigation (not a standalone vulnerability)", - "is_positive": true - }, - { - "name": "The issue has a detailed technical explanation published, that can aid in exploit development" - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "The victim application must call `pthread_create()` and must be vulnerable to a stack-buffer-overflow type of vulnerability", - "is_positive": true - } - ] - } - }, - { - "cves": [ - { - "cve": "CVE-2024-33602" - } - ], - "summary": "nscd: netgroup cache assumes NSS callback uses in-buffer strings\n\nThe Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory\nwhen the NSS callback does not store all strings in the provided buffer.\nThe flaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.", - "severity": "Unknown", - "components": { - "deb://debian:bookworm:libc-bin:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc-bin:2.36-9+deb12u3", - "full_path": "libc-bin:2.36-9+deb12u3" - } - ] - ] - }, - "deb://debian:bookworm:libc6:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": 
"sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc6:2.36-9+deb12u3", - "full_path": "libc6:2.36-9+deb12u3" - } - ] - ] - } - }, - "issue_id": "XRAY-599390", - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2024-33602", - "http://www.openwall.com/lists/oss-security/2024/07/22/5", - "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0008", - "https://security.netapp.com/advisory/ntap-20240524-0012/", - "https://lists.debian.org/debian-lts-announce/2024/06/msg00026.html" - ] - }, - { - "cves": [ - { - "cve": "CVE-2019-1010025", - "cvss_v2_score": "5.0", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N", - "cvss_v3_score": "5.3", - "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "cwe": [ - "CWE-330" - ], - "cwe_details": { - "CWE-330": { - "name": "Use of Insufficiently Random Values", - "description": "The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers." - } - } - } - ], - "summary": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. 
NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.", - "severity": "Low", - "components": { - "deb://debian:bookworm:libc-bin:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc-bin:2.36-9+deb12u3", - "full_path": "libc-bin:2.36-9+deb12u3" - } - ] - ] - }, - "deb://debian:bookworm:libc6:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc6:2.36-9+deb12u3", - "full_path": "libc6:2.36-9+deb12u3" - } - ] - ] - } - }, - "issue_id": "XRAY-84867", - "references": [ - "https://sourceware.org/bugzilla/show_bug.cgi?id=22853", - "https://support.f5.com/csp/article/K06046097", - "https://ubuntu.com/security/CVE-2019-1010025", - "https://support.f5.com/csp/article/K06046097?utm_source=f5support\u0026amp%3Butm_medium=RSS", - "https://security-tracker.debian.org/tracker/CVE-2019-1010025" - ] - }, - { - "cves": [ - { - "cve": "CVE-2019-1010023", - "cvss_v2_score": "6.8", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P", - "cvss_v3_score": "8.8", - "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cwe": [ - "NVD-CWE-noinfo" - ] - } - ], - "summary": "GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. 
The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.", - "severity": "Low", - "components": { - "deb://debian:bookworm:libc-bin:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc-bin:2.36-9+deb12u3", - "full_path": "libc-bin:2.36-9+deb12u3" - } - ] - ] - }, - "deb://debian:bookworm:libc6:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc6:2.36-9+deb12u3", - "full_path": "libc6:2.36-9+deb12u3" - } - ] - ] - } - }, - "issue_id": "XRAY-84853", - "references": [ - "http://www.securityfocus.com/bid/109167", - "https://support.f5.com/csp/article/K11932200?utm_source=f5support\u0026amp%3Butm_medium=RSS", - "https://security-tracker.debian.org/tracker/CVE-2019-1010023", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22851", - "https://ubuntu.com/security/CVE-2019-1010023" - ] - }, - { - "cves": [ - { - "cve": "CVE-2018-20796", - "cvss_v2_score": "5.0", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", - "cvss_v3_score": "7.5", - "cvss_v3_vector": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-674" - ], - "cwe_details": { - "CWE-674": { - "name": "Uncontrolled Recursion", - "description": "The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack." - } - } - } - ], - "summary": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.", - "severity": "Low", - "components": { - "deb://debian:bookworm:libc-bin:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc-bin:2.36-9+deb12u3", - "full_path": "libc-bin:2.36-9+deb12u3" - } - ] - ] - }, - "deb://debian:bookworm:libc6:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc6:2.36-9+deb12u3", - "full_path": "libc6:2.36-9+deb12u3" - } - ] - ] - } - }, - "issue_id": "XRAY-75786", - "references": [ - "https://security.netapp.com/advisory/ntap-20190315-0002/", - "https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html", - "http://www.securityfocus.com/bid/107160", - "https://security-tracker.debian.org/tracker/CVE-2018-20796", - 
"https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp%3Butm_medium=RSS", - "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141" - ], - "extended_information": { - "short_description": "An uncontrolled recursion in glibc may result in a denial of service via malformed regular expression.", - "full_description": "The [GNU C Library](https://www.gnu.org/software/libc/), commonly known as glibc, is the GNU Project's implementation of the C standard library.\n\nAn uncontrolled recursion vulnerability exists in glibc's regular expression parsing engine (posix/regexec.c).\n\nAn attacker can exploit this issue by invoking any tool (`grep`, `sed` etc.) or API (`regexec()`) with a crafted regular expression. This can be demonstrated by the crafted input: `(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+'`.\nThis scenario is much more likely in a local attack than a remote one.\n\nNote that in order to exploit this vulnerability, the attacker must control the regular expression **pattern** that glibc uses, unlike standard ReDoS vulnerabilities where only the input buffer needs to be controlled. The The pattern it not likely to be attacker-controlled from remote input.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "The issue has been disputed by the vendor", - "description": "The software maintainer disputes that this is not a vulnerability because the behavior occurs only with a crafted pattern. Therefore - this issue is unlikely to get a fix.", - "is_positive": true - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. 
The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "The attacker must find a remote input that propagates to the `regex` (pattern) argument of `regcomp` and then sent to `regexec`.\nThis includes controlling the pattern argument of a `grep` invocation.", - "is_positive": true - }, - { - "name": "The prerequisites for exploiting the issue are extremely unlikely", - "description": "It is highly unlikely that a remote attacker will be able to control a regular expression pattern that's used by glibc", - "is_positive": true - }, - { - "name": "The issue has an exploit published" - }, - { - "name": "The issue cannot result in a severe impact (such as remote code execution)", - "description": "Denial of service only, marked as unimportant by the Debian tracker", - "is_positive": true - } - ] - } - }, - { - "cves": [ - { - "cve": "CVE-2010-4756", - "cvss_v2_score": "4.0", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:P", - "cwe": [ - "CWE-399" - ] - } - ], - "summary": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.", - "severity": "Low", - "components": { - "deb://debian:bookworm:libc-bin:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc-bin:2.36-9+deb12u3", - "full_path": "libc-bin:2.36-9+deb12u3" - } - ] - ] - }, - 
"deb://debian:bookworm:libc6:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc6:2.36-9+deb12u3", - "full_path": "libc6:2.36-9+deb12u3" - } - ] - ] - } - }, - "issue_id": "XRAY-33571", - "references": [ - "http://securityreason.com/achievement_securityalert/89", - "https://security-tracker.debian.org/tracker/CVE-2010-4756", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756", - "http://cxib.net/stuff/glob-0day.c", - "https://bugzilla.redhat.com/show_bug.cgi?id=681681", - "http://securityreason.com/exploitalert/9223" - ], - "extended_information": { - "short_description": "An unbounded computation in glibc leads to denial of service when parsing crafted glob expressions.", - "full_description": "The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as the kernel. One of the provided functions is `glob`. *This function expands a filename wildcard which is passed as pattern*. 
It usually implements a limitation though the `GLOB_LIMIT` constant but a flaw is causing a `denial of service when the crafted glob expression does not match any pathnames`.\nThis vulnerability is very similar to the one affecting the *STAT* commands against an FTP Deamon which gives information about the file and the filesystem, also vulnerable to glob expression causing the process to use 100% of the CPU capabilities for a long time.\nHowever, this vulnerability needs the attacker to be an authenticated user.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "The prerequisites for exploiting the issue are extremely unlikely", - "description": "It is unlikely that a remote attacker will be able to control a glob pattern from a remote input", - "is_positive": true - }, - { - "name": "The issue has been disputed by the vendor", - "description": "The software maintainer disputes that this is not a vulnerability because the behavior occurs only with a crafted glob pattern. Therefore - this issue is unlikely to get a fix.", - "is_positive": true - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "The attacker must find a remote input that propagates into the `pattern` argument of a `glob` call.\nHowever, as the technical [write-up](https://cxsecurity.com/issue/WLB-2010100135) shows, this vulnerability can be remotely exploited in some common cases, such as FTP servers.", - "is_positive": true - }, - { - "name": "The issue cannot result in a severe impact (such as remote code execution)", - "description": "Marked as unimportant by the Debian tracker. 
Computation-based DoS.", - "is_positive": true - }, - { - "name": "The issue has a detailed technical explanation published, that can aid in exploit development", - "description": "A technical [write-up](https://cxsecurity.com/issue/WLB-2010100135) was published explaining the bug and how to trigger it." - } - ] - } - }, - { - "cves": [ - { - "cve": "CVE-2019-1010024", - "cvss_v2_score": "5.0", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N", - "cvss_v3_score": "5.3", - "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "cwe": [ - "CWE-200" - ], - "cwe_details": { - "CWE-200": { - "name": "Exposure of Sensitive Information to an Unauthorized Actor", - "description": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information." - } - } - } - ], - "summary": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. 
NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.", - "severity": "Low", - "components": { - "deb://debian:bookworm:libc-bin:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc-bin:2.36-9+deb12u3", - "full_path": "libc-bin:2.36-9+deb12u3" - } - ] - ] - }, - "deb://debian:bookworm:libc6:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc6:2.36-9+deb12u3", - "full_path": "libc6:2.36-9+deb12u3" - } - ] - ] - } - }, - "issue_id": "XRAY-84852", - "references": [ - "https://ubuntu.com/security/CVE-2019-1010024", - "https://support.f5.com/csp/article/K06046097?utm_source=f5support\u0026amp%3Butm_medium=RSS", - "https://security-tracker.debian.org/tracker/CVE-2019-1010024", - "https://sourceware.org/bugzilla/show_bug.cgi?id=22852", - "http://www.securityfocus.com/bid/109162", - "https://support.f5.com/csp/article/K06046097" - ] - }, - { - "cves": [ - { - "cve": "CVE-2024-33600" - } - ], - "summary": "nscd: Null pointer crashes after notfound response\n\nIf the Name Service Cache Daemon's (nscd) cache fails to add a not-found\nnetgroup response to the cache, the client request can result in a null\npointer dereference. 
This flaw was introduced in glibc 2.15 when the\ncache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.", - "severity": "Unknown", - "components": { - "deb://debian:bookworm:libc-bin:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc-bin:2.36-9+deb12u3", - "full_path": "libc-bin:2.36-9+deb12u3" - } - ] - ] - }, - "deb://debian:bookworm:libc6:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc6:2.36-9+deb12u3", - "full_path": "libc6:2.36-9+deb12u3" - } - ] - ] - } - }, - "issue_id": "XRAY-599388", - "references": [ - "https://security.netapp.com/advisory/ntap-20240524-0013/", - "https://security-tracker.debian.org/tracker/CVE-2024-33600", - "https://lists.debian.org/debian-lts-announce/2024/06/msg00026.html", - "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0006", - "http://www.openwall.com/lists/oss-security/2024/07/22/5" - ], - "extended_information": { - "short_description": "A null pointer dereference in the Name Service Cache Daemon (NSCD) in the GNU C library may lead to denial of service.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "No high-impact exploit or technical writeup were 
published, and exploitation of the issue with high impact is either non-trivial or completely unproven", - "description": "No PoC and no technical writeup were published.", - "is_positive": true - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "The `/etc/nscd.conf` configuration file does not support netgroup caching by default.", - "is_positive": true - }, - { - "name": "The issue can be exploited by attackers over the network", - "description": "The Name Service Cache Daemon accepts arbitrary network input" - } - ], - "remediation": "##### Deployment mitigations\n\nDisable netgroup caching in the NSCD configuration.\nRemove the following line from `/etc/nscd.conf` -\n```\nenable-cache netgroup yes\n```" - } - }, - { - "cves": [ - { - "cve": "CVE-2024-2961" - } - ], - "summary": "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", - "severity": "Unknown", - "components": { - "deb://debian:bookworm:libc-bin:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc-bin:2.36-9+deb12u3", - "full_path": "libc-bin:2.36-9+deb12u3" - } - ] - ] - }, - "deb://debian:bookworm:libc6:2.36-9+deb12u3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - 
"component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libc6:2.36-9+deb12u3", - "full_path": "libc6:2.36-9+deb12u3" - } - ] - ] - } - }, - "issue_id": "XRAY-598749", - "references": [ - "https://lists.debian.org/debian-lts-announce/2024/05/msg00001.html", - "http://www.openwall.com/lists/oss-security/2024/07/22/5", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YAMJQI3Y6BHWV3CUTYBXOZONCUJNOB2Z/", - "http://www.openwall.com/lists/oss-security/2024/04/24/2", - "https://security.netapp.com/advisory/ntap-20240531-0002/", - "http://www.openwall.com/lists/oss-security/2024/05/27/1", - "http://www.openwall.com/lists/oss-security/2024/05/27/3", - "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004", - "http://www.openwall.com/lists/oss-security/2024/04/17/9", - "http://www.openwall.com/lists/oss-security/2024/05/27/5", - "http://www.openwall.com/lists/oss-security/2024/05/27/2", - "http://www.openwall.com/lists/oss-security/2024/05/27/4", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTJFBGHDYG5PEIFD5WSSSKSFZ2AZWC5N/", - "https://security-tracker.debian.org/tracker/CVE-2024-2961", - "http://www.openwall.com/lists/oss-security/2024/05/27/6", - "http://www.openwall.com/lists/oss-security/2024/04/18/4", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3I4KYS6EU6S7QZ47WFNTPVAHFIUQNEL/" - ], - "extended_information": { - "short_description": "An out-of-bound write vulnerability in Glibc can lead to denial of service when using a specific character set.", - "full_description": "[Glibc](https://www.gnu.org/software/libc/) is a library that 
provides core libraries with API functions.\n\n`ISO-2022-CN` is a 7-bit Chinese character encoding that supports simplified and traditional Chinese characters. `ISO-2022-CN-EXT` is an extension of `ISO-2022-CN` that supports other GB character sets.\n\nThe vulnerability was introduced in the GNU C Library versions 2.39 in the `iconv()` function.\nAttackers can use the out-of-bounds write vulnerability by overflowing the buffer passed to the `iconv()` function and potentially overwriting the neighboring variables or crashing the application.\n`SS2designation` and `SS3designation` do not perform the necessary boundary checks, allowing attackers to overflow of 1, 2, or 3 bytes with fixed values by converting the following strings to the `ISO-2022-CN-EXT` character set: '$+I', '$+J', '$+K', '$+L', '$+M', or '$*H'.\n\nThe researcher who found the vulnerability mentioned that it is not likely to be exploited in most libraries and programs except for PHP which was found to be applicable.", - "jfrog_research_severity": "High", - "jfrog_research_severity_reasons": [ - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "The researcher who found the vulnerability mentioned that it is not likely to be exploited in most libraries and programs except for PHP which was found to be applicable.", - "is_positive": true - }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "This issue can lead to a Denial of Service." - }, - { - "name": "The issue has multiple mentions in general media", - "description": "The vulnerability was discussed at the OffensiveCon conference." 
- } - ] - } - }, - { - "cves": [ - { - "cve": "CVE-2023-49460", - "cvss_v3_score": "8.8", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cwe": [ - "NVD-CWE-noinfo" - ] - } - ], - "summary": "libheif v1.17.5 was discovered to contain a segmentation violation via the function UncompressedImageCodec::decode_uncompressed_image.", - "severity": "High", - "components": { - "deb://debian:bookworm:libheif1:1.15.1-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libheif1:1.15.1-1", - "full_path": "libheif1:1.15.1-1" - } - ] - ] - } - }, - "issue_id": "XRAY-540353", - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2023-49460", - "https://github.com/strukturag/libheif/issues/1046" - ], - "extended_information": { - "short_description": "A NULL pointer dereference in libheif may lead to denial of service when parsing crafted images.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "The issue has an exploit published", - "description": "A proof-of-concept was published in the report's GitHub Issue." - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. 
The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "To successfully exploit this vulnerability an attacker needs to find a way to propagate input into the vulnerable `UncompressedImageCodec::decode_uncompressed_image` function.", - "is_positive": true - }, - { - "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", - "description": "The CVSS score does not reflect the context dependent exploitation and impact of this vulnerability.", - "is_positive": true - } - ] - } - }, - { - "cves": [ - { - "cve": "CVE-2023-49463", - "cvss_v3_score": "8.8", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cwe": [ - "NVD-CWE-noinfo" - ] - } - ], - "summary": "libheif v1.17.5 was discovered to contain a segmentation violation via the function find_exif_tag at /libheif/exif.cc.", - "severity": "High", - "components": { - "deb://debian:bookworm:libheif1:1.15.1-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libheif1:1.15.1-1", - "full_path": "libheif1:1.15.1-1" - } - ] - ] - } - }, - "issue_id": "XRAY-540355", - "references": [ - "https://github.com/strukturag/libheif/issues/1042", - "https://github.com/strukturag/libheif", - "https://security-tracker.debian.org/tracker/CVE-2023-49463" - ], - "extended_information": { - "short_description": "An integer overflow in libheif leads to denial of service.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "The reported CVSS was either wrongly calculated, downgraded 
by other vendors, or does not reflect the vulnerability's impact", - "description": "The CVSS score does not reflect the context dependent exploitation of this vulnerability.", - "is_positive": true - }, - { - "name": "The issue has an exploit published", - "description": "A proof-of-concept was published along with the vulnerability via (GitHub)[https://github.com/strukturag/libheif/issues/1042]." - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "To successfully exploit this vulnerability an attacker needs to find a way to propagate input into the vulnerable functions `modify_exif_tag_if_it_exists(unsigned char*, unsigned int, unsigned short, unsigned short)` or `read_exif_orientation_tag(unsigned char const*, unsigned int)`.", - "is_positive": true - }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "Successful exploitation of this vulnerability leads to denial of service." - } - ] - } - }, - { - "cves": [ - { - "cve": "CVE-2023-29659", - "cvss_v3_score": "6.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-369" - ], - "cwe_details": { - "CWE-369": { - "name": "Divide By Zero", - "description": "The product divides a value by zero." 
- } - } - } - ], - "summary": "A Segmentation fault caused by a floating point exception exists in libheif 1.15.1 using crafted heif images via the heif::Fraction::round() function in box.cc, which causes a denial of service.", - "severity": "Medium", - "components": { - "deb://debian:bookworm:libheif1:1.15.1-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libheif1:1.15.1-1", - "full_path": "libheif1:1.15.1-1" - } - ] - ] - } - }, - "issue_id": "XRAY-519184", - "references": [ - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAE6NQBA3Q7GS6VTNDZRZZZVPPEFUEZ/", - "https://github.com/strukturag/libheif/issues/794", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LGKHDCS4HRZE3UGXYYDYPTIPNIBRLQ5L/", - "https://security-tracker.debian.org/tracker/CVE-2023-29659" - ] - }, - { - "cves": [ - { - "cve": "CVE-2024-25269" - } - ], - "summary": "libheif \u003c= 1.17.6 contains a memory leak in the function JpegEncoder::Encode. 
This flaw allows an attacker to cause a denial of service attack.", - "severity": "Low", - "components": { - "deb://debian:bookworm:libheif1:1.15.1-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libheif1:1.15.1-1", - "full_path": "libheif1:1.15.1-1" - } - ] - ] - } - }, - "issue_id": "XRAY-593085", - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2024-25269", - "https://github.com/strukturag/libheif/issues/1073" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-49464", - "cvss_v3_score": "8.8", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cwe": [ - "NVD-CWE-noinfo" - ] - } - ], - "summary": "libheif v1.17.5 was discovered to contain a segmentation violation via the function UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci.", - "severity": "High", - "components": { - "deb://debian:bookworm:libheif1:1.15.1-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libheif1:1.15.1-1", - "full_path": "libheif1:1.15.1-1" - } - ] - ] - } - }, - "issue_id": "XRAY-540356", - "references": [ - "https://github.com/strukturag/libheif/issues/1044", - "https://security-tracker.debian.org/tracker/CVE-2023-49464" - ], - "extended_information": { - "short_description": "A 
use-after-free in libheif leads to denial of service and possibly remote code execution.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", - "description": "The CVSS score given to this CVE does not take into account the unlikely prerequisites for applicability of this vulnerability and the context required to exploit it.", - "is_positive": true - }, - { - "name": "The issue has an exploit published", - "description": "The fixing PR contains a denial of service PoC" - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "An attacker needs to find a remote input that propagates into the function `UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci`.", - "is_positive": true - }, - { - "name": "The prerequisites for exploiting the issue are extremely unlikely", - "description": "For this vulnerability to be applicable, `libheif1` needs to be compiled with the flag `-DWITH_UNCOMPRESSED_CODEC=ON`.\n\nWe found that this setting is enabled only in some package managers by default, but not all of them. In vanilla compilations, this flag is disabled by default.", - "is_positive": true - }, - { - "name": "No high-impact exploit or technical writeup were published, and exploitation of the issue with high impact is either non-trivial or completely unproven", - "description": "Exploitation requires triggering a use-after-free beyond the scope of a single function. 
The use-after-free has not been proven to be able to cause code execution.", - "is_positive": true - } - ] - } - }, - { - "cves": [ - { - "cve": "CVE-2023-49462", - "cvss_v3_score": "8.8", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "cwe": [ - "NVD-CWE-noinfo" - ] - } - ], - "summary": "libheif v1.17.5 was discovered to contain a segmentation violation via the component /libheif/exif.cc.", - "severity": "High", - "components": { - "deb://debian:bookworm:libheif1:1.15.1-1": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libheif1:1.15.1-1", - "full_path": "libheif1:1.15.1-1" - } - ] - ] - } - }, - "issue_id": "XRAY-540354", - "references": [ - "https://github.com/strukturag/libheif/issues/1043", - "https://security-tracker.debian.org/tracker/CVE-2023-49462" - ], - "extended_information": { - "short_description": "An integer overflow in libheif leads to denial of service.", - "jfrog_research_severity": "Medium", - "jfrog_research_severity_reasons": [ - { - "name": "The issue has an exploit published", - "description": "A proof-of-concept was published along with the vulnerability via (GitHub)[https://github.com/strukturag/libheif/issues/1043]." - }, - { - "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", - "description": "The CVSS score does not reflect the context dependent exploitation of this vulnerability.", - "is_positive": true - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. 
The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "To successfully exploit this vulnerability an attacker needs to find a way to propagate input into the vulnerable functions `modify_exif_tag_if_it_exists(unsigned char*, unsigned int, unsigned short, unsigned short)` or `read_exif_orientation_tag(unsigned char const*, unsigned int)`.", - "is_positive": true - }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "Successful exploitation of this vulnerability leads to denial of service." - } - ] - } - }, - { - "cves": [ - { - "cve": "CVE-2018-6829", - "cvss_v2_score": "5.0", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cwe": [ - "CWE-327" - ], - "cwe_details": { - "CWE-327": { - "name": "Use of a Broken or Risky Cryptographic Algorithm", - "description": "The product uses a broken or risky cryptographic algorithm or protocol." - } - } - } - ], - "summary": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). 
The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", - "severity": "Low", - "components": { - "deb://debian:bookworm:libgcrypt20:1.10.1-3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libgcrypt20:1.10.1-3", - "full_path": "libgcrypt20:1.10.1-3" - } - ] - ] - } - }, - "issue_id": "XRAY-65914", - "references": [ - "https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki", - "https://security-tracker.debian.org/tracker/CVE-2018-6829", - "https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html", - "https://www.oracle.com/security-alerts/cpujan2020.html", - "https://github.com/weikengchen/attack-on-libgcrypt-elgamal" - ] - }, - { - "cves": [ - { - "cve": "CVE-2024-2236", - "cwe": [ - "CWE-208" - ], - "cwe_details": { - "CWE-208": { - "name": "Observable Timing Discrepancy", - "description": "Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not." - } - } - } - ], - "summary": "A timing-based side-channel flaw was found in libgcrypt's RSA implementation. 
This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.", - "severity": "Unknown", - "components": { - "deb://debian:bookworm:libgcrypt20:1.10.1-3": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libgcrypt20:1.10.1-3", - "full_path": "libgcrypt20:1.10.1-3" - } - ] - ] - } - }, - "issue_id": "XRAY-593361", - "references": [ - "https://bugzilla.redhat.com/show_bug.cgi?id=2268268", - "https://bugzilla.redhat.com/show_bug.cgi?id=2245218", - "https://security-tracker.debian.org/tracker/CVE-2024-2236", - "https://access.redhat.com/security/cve/CVE-2024-2236" - ] - }, - { - "cves": [ - { - "cve": "CVE-2024-0553", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cwe": [ - "CWE-203" - ], - "cwe_details": { - "CWE-203": { - "name": "Observable Discrepancy", - "description": "The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not." - } - } - } - ], - "summary": "A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. 
CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.", - "severity": "High", - "components": { - "deb://debian:bookworm:libgnutls30:3.7.9-2": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libgnutls30:3.7.9-2", - "full_path": "libgnutls30:3.7.9-2" - } - ] - ] - } - }, - "issue_id": "XRAY-588549", - "references": [ - "https://access.redhat.com/errata/RHSA-2024:2094", - "https://access.redhat.com/errata/RHSA-2024:0627", - "https://gitlab.com/gnutls/gnutls/-/issues/1522", - "https://access.redhat.com/errata/RHSA-2024:1383", - "https://access.redhat.com/errata/RHSA-2024:0796", - "http://www.openwall.com/lists/oss-security/2024/01/19/3", - "https://security.netapp.com/advisory/ntap-20240202-0011/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNXKVR5YNUEBNHAHM5GSYKBZX4W2HMN2/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZEIOLORQ7N6WRPFXZSYDL2MC4LP7VFV/", - "https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html", - "https://access.redhat.com/errata/RHSA-2024:1108", - "https://lists.debian.org/debian-lts-announce/2024/02/msg00010.html", - "https://access.redhat.com/security/cve/CVE-2024-0553", - "https://access.redhat.com/errata/RHSA-2024:0533", - "https://access.redhat.com/errata/RHSA-2024:1082", - "https://bugzilla.redhat.com/show_bug.cgi?id=2258412", - "https://security-tracker.debian.org/tracker/CVE-2024-0553" - ], - "extended_information": { - "short_description": "A design problem in GnuTLS may lead to RSA key brute force when attackers can cause many 
decryption operations.", - "jfrog_research_severity": "High", - "jfrog_research_severity_reasons": [ - { - "name": "The issue can be exploited by attackers over the network", - "description": "This vulnerability does not rely on timing to exploit, but rather on the server informing the client that decryption failed, hence it can be exploited remotely, completely disregarding latency issues." - }, - { - "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", - "description": "The given CVSS score does not take the context required to exploit the vulnerability into account.", - "is_positive": true - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "This CVE is only exploitable when all of the following conditions are met:\n\n1. The server must use `RSA` for key exchange.\n2. The server encrypts/decrypts `RSA` with `PKCS#1 v1.5` padding.\n3. The server informs the client when decryption fails.\n4. An attacker is on the same subnet, hijacks a session between the client and the server and manipulates the client data.", - "is_positive": true - }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "A successful attack would compromise the server's private RSA key, allowing the attacker to decrypt any sniffed TLS traffic sent to or from the server from any host." 
- }, - { - "name": "No high-impact exploit or technical writeup were published, and exploitation of the issue with high impact is either non-trivial or completely unproven", - "description": "Although Bleichenbacher's Attack is well documented today, a high technical understanding of cryptography is required to exploit it.", - "is_positive": true - } - ], - "remediation": "##### Development mitigations\n\n- When choosing a key exchange for your server, avoid using `RSA` and instead opt for the `Diffie-Hellman` key exchange, which provides forward secrecy.\nThis can be done by generating an ECDH key using OpenSSL:\n`openssl ecparam -name prime256v1 -genkey -noout -out mykey-prime256v1.pem`\nAnd giving the filepath of the keyfile to the `gnutls_certificate_set_x509_key_file` function - \n```c\ngnutls_certificate_set_x509_key_file(res, certfile, \"mykey-prime256v1.pem\", GNUTLS_X509_FMT_PEM);\n```\n\n- When using `RSA` for key exchange, use the `OAEP` padding scheme instead of `PKCS#1 v1.5`.\n\n- When using `RSA` and `PKCS#1` for key exchange, avoid informing the client of decryption failure." - } - }, - { - "cves": [ - { - "cve": "CVE-2024-28834", - "cwe": [ - "CWE-200" - ], - "cwe_details": { - "CWE-200": { - "name": "Exposure of Sensitive Information to an Unauthorized Actor", - "description": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information." - } - } - } - ], - "summary": "A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. 
In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.", - "severity": "Unknown", - "components": { - "deb://debian:bookworm:libgnutls30:3.7.9-2": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libgnutls30:3.7.9-2", - "full_path": "libgnutls30:3.7.9-2" - } - ] - ] - } - }, - "issue_id": "XRAY-594374", - "references": [ - "https://access.redhat.com/errata/RHSA-2024:1784", - "https://access.redhat.com/errata/RHSA-2024:2044", - "https://access.redhat.com/security/cve/CVE-2024-28834", - "http://www.openwall.com/lists/oss-security/2024/03/22/1", - "https://access.redhat.com/errata/RHSA-2024:1997", - "https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html", - "https://access.redhat.com/errata/RHSA-2024:2570", - "https://security-tracker.debian.org/tracker/CVE-2024-28834", - "http://www.openwall.com/lists/oss-security/2024/03/22/2", - "https://access.redhat.com/errata/RHSA-2024:1879", - "https://security.netapp.com/advisory/ntap-20240524-0004/", - "https://bugzilla.redhat.com/show_bug.cgi?id=2269228", - "https://access.redhat.com/errata/RHSA-2024:2889", - "https://minerva.crocs.fi.muni.cz/", - "https://people.redhat.com/~hkario/marvin/" - ] - }, - { - "cves": [ - { - "cve": "CVE-2024-28835", - "cwe": [ - "CWE-248" - ], - "cwe_details": { - "CWE-248": { - "name": "Uncaught Exception", - "description": "An exception is thrown from a function, but it is not caught." 
- } - } - } - ], - "summary": "A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the \"certtool --verify-chain\" command.", - "severity": "Unknown", - "components": { - "deb://debian:bookworm:libgnutls30:3.7.9-2": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libgnutls30:3.7.9-2", - "full_path": "libgnutls30:3.7.9-2" - } - ] - ] - } - }, - "issue_id": "XRAY-594364", - "references": [ - "http://www.openwall.com/lists/oss-security/2024/03/22/2", - "https://bugzilla.redhat.com/show_bug.cgi?id=2269084", - "https://access.redhat.com/errata/RHSA-2024:2570", - "https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html", - "https://security-tracker.debian.org/tracker/CVE-2024-28835", - "https://access.redhat.com/errata/RHSA-2024:2889", - "https://access.redhat.com/security/cve/CVE-2024-28835", - "https://access.redhat.com/errata/RHSA-2024:1879", - "http://www.openwall.com/lists/oss-security/2024/03/22/1" - ] - }, - { - "cves": [ - { - "cve": "CVE-2011-3389", - "cvss_v2_score": "4.3", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:N", - "cwe": [ - "CWE-326" - ], - "cwe_details": { - "CWE-326": { - "name": "Inadequate Encryption Strength", - "description": "The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required." 
- } - } - } - ], - "summary": "The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a \"BEAST\" attack.", - "severity": "Low", - "components": { - "deb://debian:bookworm:libgnutls30:3.7.9-2": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libgnutls30:3.7.9-2", - "full_path": "libgnutls30:3.7.9-2" - } - ] - ] - } - }, - "issue_id": "XRAY-42166", - "references": [ - "http://www.opera.com/docs/changelogs/mac/1160/", - "http://www.securityfocus.com/bid/49388", - "http://secunia.com/advisories/55322", - "http://support.apple.com/kb/HT5501", - "http://my.opera.com/securitygroup/blog/2011/09/28/the-beast-ssl-tls-issue", - "http://www.redhat.com/support/errata/RHSA-2012-0006.html", - "http://secunia.com/advisories/48256", - "http://www.opera.com/docs/changelogs/unix/1160/", - "http://marc.info/?l=bugtraq\u0026m=133365109612558\u0026w=2", - "http://technet.microsoft.com/security/advisory/2588513", - "http://marc.info/?l=bugtraq\u0026m=133728004526190\u0026w=2", - "http://secunia.com/advisories/45791", - "https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf", - "http://www.securitytracker.com/id?1026704", - 
"http://support.apple.com/kb/HT5130", - "https://hermes.opensuse.org/messages/13155432", - "http://vnhacker.blogspot.com/2011/09/beast.html", - "http://downloads.asterisk.org/pub/security/AST-2016-001.html", - "https://bugzilla.redhat.com/show_bug.cgi?id=737506", - "http://lists.apple.com/archives/security-announce/2012/May/msg00001.html", - "http://www.opera.com/docs/changelogs/unix/1151/", - "http://secunia.com/advisories/48948", - "http://support.apple.com/kb/HT5001", - "https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_fetchmail", - "http://support.apple.com/kb/HT4999", - "http://www.us-cert.gov/cas/techalerts/TA12-010A.html", - "https://security-tracker.debian.org/tracker/CVE-2011-3389", - "http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00009.html", - "http://rhn.redhat.com/errata/RHSA-2013-1455.html", - "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-006", - "http://secunia.com/advisories/55350", - "http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html", - "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html", - "http://www.opera.com/docs/changelogs/windows/1151/", - "http://support.apple.com/kb/HT5281", - "http://support.apple.com/kb/HT6150", - "http://www.debian.org/security/2012/dsa-2398", - "http://www.opera.com/support/kb/view/1004/", - "http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html", - "http://marc.info/?l=bugtraq\u0026m=132750579901589\u0026w=2", - "http://isc.sans.edu/diary/SSL+TLS+part+3+/11635", - "http://lists.apple.com/archives/security-announce/2012/Jul/msg00001.html", - "https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862", - "http://www.ibm.com/developerworks/java/jdk/alerts/", - "https://bugzilla.novell.com/show_bug.cgi?id=719047", - "http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00051.html", - 
"http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx", - "http://curl.haxx.se/docs/adv_20120124B.html", - "http://secunia.com/advisories/48692", - "http://eprint.iacr.org/2006/136", - "http://secunia.com/advisories/55351", - "http://marc.info/?l=bugtraq\u0026m=134254866602253\u0026w=2", - "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14752", - "http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html", - "http://www.securitytracker.com/id?1025997", - "http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html", - "http://www.securityfocus.com/bid/49778", - "http://www.insecure.cl/Beast-SSL.rar", - "http://www.mandriva.com/security/advisories?name=MDVSA-2012:058", - "http://www.redhat.com/support/errata/RHSA-2011-1384.html", - "http://rhn.redhat.com/errata/RHSA-2012-0508.html", - "http://secunia.com/advisories/47998", - "http://ekoparty.org/2011/juliano-rizzo.php", - "http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html", - "http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf", - "http://www.ubuntu.com/usn/USN-1263-1", - "http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html", - "http://security.gentoo.org/glsa/glsa-201406-32.xml", - "http://eprint.iacr.org/2004/111", - "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", - "http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html", - "http://www.securitytracker.com/id?1026103", - "http://www.opera.com/docs/changelogs/mac/1151/", - "http://secunia.com/advisories/49198", - "http://marc.info/?l=bugtraq\u0026m=132872385320240\u0026w=2", - "http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/", - "http://secunia.com/advisories/48915", - "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html", - "http://www.opera.com/docs/changelogs/windows/1160/", - 
"http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspx", - "http://www.imperialviolet.org/2011/09/23/chromeandbeast.html", - "http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00049.html", - "http://www.kb.cert.org/vuls/id/864643", - "http://security.gentoo.org/glsa/glsa-201203-02.xml", - "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html", - "http://osvdb.org/74829", - "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00002.html", - "http://www.securitytracker.com/id/1029190", - "http://marc.info/?l=bugtraq\u0026m=134254957702612\u0026w=2", - "https://hermes.opensuse.org/messages/13154861" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-5981", - "cvss_v3_score": "5.9", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", - "cwe": [ - "CWE-203" - ], - "cwe_details": { - "CWE-203": { - "name": "Observable Discrepancy", - "description": "The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not." 
- } - } - } - ], - "summary": "A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.", - "severity": "Medium", - "components": { - "deb://debian:bookworm:libgnutls30:3.7.9-2": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libgnutls30:3.7.9-2", - "full_path": "libgnutls30:3.7.9-2" - } - ] - ] - } - }, - "issue_id": "XRAY-537103", - "references": [ - "https://gnutls.org/security-new.html#GNUTLS-SA-2023-10-23", - "https://access.redhat.com/errata/RHSA-2024:0451", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNXKVR5YNUEBNHAHM5GSYKBZX4W2HMN2/", - "http://www.openwall.com/lists/oss-security/2024/01/19/3", - "https://access.redhat.com/errata/RHSA-2024:0533", - "https://bugzilla.redhat.com/show_bug.cgi?id=2248445", - "https://access.redhat.com/errata/RHSA-2024:0319", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZEIOLORQ7N6WRPFXZSYDL2MC4LP7VFV/", - "https://access.redhat.com/errata/RHSA-2024:1383", - "https://access.redhat.com/errata/RHSA-2024:0399", - "https://security-tracker.debian.org/tracker/CVE-2023-5981", - "https://access.redhat.com/security/cve/CVE-2023-5981", - "https://access.redhat.com/errata/RHSA-2024:0155" - ] - }, - { - "cves": [ - { - "cve": "CVE-2024-0567", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-347" - ], - "cwe_details": { - "CWE-347": { - "name": "Improper Verification of Cryptographic 
Signature", - "description": "The product does not verify, or incorrectly verifies, the cryptographic signature for data." - } - } - } - ], - "summary": "A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.", - "severity": "High", - "components": { - "deb://debian:bookworm:libgnutls30:3.7.9-2": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:libgnutls30:3.7.9-2", - "full_path": "libgnutls30:3.7.9-2" - } - ] - ] - } - }, - "issue_id": "XRAY-588550", - "references": [ - "https://access.redhat.com/errata/RHSA-2024:2094", - "https://access.redhat.com/security/cve/CVE-2024-0567", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZEIOLORQ7N6WRPFXZSYDL2MC4LP7VFV/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNXKVR5YNUEBNHAHM5GSYKBZX4W2HMN2/", - "https://bugzilla.redhat.com/show_bug.cgi?id=2258544", - "http://www.openwall.com/lists/oss-security/2024/01/19/3", - "https://security.netapp.com/advisory/ntap-20240202-0011/", - "https://access.redhat.com/errata/RHSA-2024:1383", - "https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html", - "https://access.redhat.com/errata/RHSA-2024:1082", - "https://security-tracker.debian.org/tracker/CVE-2024-0567", - "https://gitlab.com/gnutls/gnutls/-/issues/1521", - 
"https://access.redhat.com/errata/RHSA-2024:0533" - ], - "extended_information": { - "short_description": "A design problem in GnuTLS may lead to denial of service when parsing a crafted certificate chain.", - "jfrog_research_severity": "Low", - "jfrog_research_severity_reasons": [ - { - "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", - "description": "The given CVSS score does not take into account the prerequisites and context required to exploit the vulnerability.", - "is_positive": true - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "The vulnerability is only exploitable if a GnuTLS client or server calls any of the following functions with externally-supplied input -\n\n- `gnutls_pcert_import_x509_list`\n\n- `gnutls_certificate_set_x509_key`\n\n- `gnutls_certificate_set_x509_simple_pkcs12_mem`\n\n- `gnutls_certificate_set_x509_simple_pkcs12_file`\n\n- `gnutls_privkey_import_url`\n\n- `gnutls_privkey_import_pkcs11_url`\n\n- `gnutls_read_key_file`\n\n- `gnutls_certificate_set_rawpk_key_file`\n\n- `gnutls_certificate_set_x509_key_file2`\n\n- `gnutls_certificate_set_x509_key_file`\n\n- `gnutls_pcert_list_import_x509_file`\n\n- `gnutls_certificate_set_x509_key_mem2`\n\n- `gnutls_certificate_set_x509_key_mem`\n\n- `gnutls_x509_crt_list_import`\n\n- `gnutls_pcert_list_import_x509_raw`\n\n- `gnutls_session_channel_binding`\n\n- `gnutls_x509_crt_list_import2`\n\n- `gnutls_x509_trust_list_add_trust_mem`\n\n- `gnutls_x509_trust_list_add_system_trust`\n\n- `gnutls_certificate_set_x509_system_trust`\n\n- `gnutls_certificate_set_x509_crl_mem`\n\n- `gnutls_certificate_set_x509_trust_mem`\n\n- `gnutls_x509_trust_list_add_trust_file`\n\n- `gnutls_certificate_set_x509_crl_file`\n\n- 
`gnutls_certificate_set_x509_trust_file`\n\n- `gnutls_x509_trust_list_add_trust_dir`\n\n- `gnutls_certificate_set_x509_trust_dir`\n\n- `gnutls_x509_trust_list_remove_trust_mem`\n\n- `gnutls_x509_trust_list_remove_trust_file`\n\n- `gnutls_x509_trust_list_verify_crt2`\n\n- `gnutls_x509_cert_verify_peers`\n\n- `gnutls_certificate_verify_peers`\n\n- `gnutls_certificate_verify_peers2`\n\n- `gnutls_certificate_verify_peers3`\n\n- `gnutls_pkcs7_verify`\n\n- `gnutls_ocsp_resp_verify`\n\n- `gnutls_x509_trust_list_verify_crt`", - "is_positive": true - }, - { - "name": "No high-impact exploit or technical writeup were published, and exploitation of the issue with high impact is either non-trivial or completely unproven", - "is_positive": true - } - ] - } - }, - { - "cves": [ - { - "cve": "CVE-2021-4214", - "cvss_v3_score": "5.5", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "cwe": [ - "CWE-120" - ], - "cwe_details": { - "CWE-120": { - "name": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", - "description": "The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow." - } - } - } - ], - "summary": "A heap overflow flaw was found in libpngs' pngimage.c program. 
This flaw allows an attacker with local network access to pass a specially crafted PNG file to the pngimage utility, causing an application to crash, leading to a denial of service.", - "severity": "Low", - "components": { - "deb://debian:bookworm:libpng16-16:1.6.39-2": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed/sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar", - "full_path": "sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar" - }, - { - "component_id": "deb://debian:bookworm:libpng16-16:1.6.39-2", - "full_path": "libpng16-16:1.6.39-2" - } - ] - ] - } - }, - "issue_id": "XRAY-196432", - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2021-4214", - "https://security.netapp.com/advisory/ntap-20221020-0001/", - "https://github.com/glennrp/libpng/issues/302", - "https://access.redhat.com/security/cve/CVE-2021-4214", - "https://bugzilla.redhat.com/show_bug.cgi?id=2043393" - ] - }, - { - "cves": [ - { - "cve": "CVE-2011-4116", - "cvss_v2_score": "5.0", - "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N", - "cvss_v3_score": "7.5", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "cwe": [ - "CWE-59" - ], - "cwe_details": { - "CWE-59": { - "name": "Improper Link Resolution Before File Access ('Link Following')", - "description": "The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource." 
- } - } - } - ], - "summary": "_is_safe in the File::Temp module for Perl does not properly handle symlinks.", - "severity": "Low", - "components": { - "deb://debian:bookworm:perl-base:5.36.0-7": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:perl-base:5.36.0-7", - "full_path": "perl-base:5.36.0-7" - } - ] - ] - } - }, - "issue_id": "XRAY-36310", - "references": [ - "https://security-tracker.debian.org/tracker/CVE-2011-4116", - "https://seclists.org/oss-sec/2011/q4/238", - "https://github.com/Perl-Toolchain-Gang/File-Temp/issues/14", - "http://www.openwall.com/lists/oss-security/2011/11/04/2", - "https://rt.cpan.org/Public/Bug/Display.html?id=69106", - "http://www.openwall.com/lists/oss-security/2011/11/04/4" - ] - }, - { - "cves": [ - { - "cve": "CVE-2023-31486", - "cvss_v3_score": "8.1", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cwe": [ - "CWE-295" - ], - "cwe_details": { - "CWE-295": { - "name": "Improper Certificate Validation", - "description": "The product does not validate, or incorrectly validates, a certificate." 
- } - } - } - ], - "summary": "HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.", - "severity": "Low", - "components": { - "deb://debian:bookworm:perl-base:5.36.0-7": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:perl-base:5.36.0-7", - "full_path": "perl-base:5.36.0-7" - } - ] - ] - } - }, - "issue_id": "XRAY-515822", - "references": [ - "https://github.com/chansen/p5-http-tiny/pull/153", - "https://security-tracker.debian.org/tracker/CVE-2023-31486", - "http://www.openwall.com/lists/oss-security/2023/05/07/2", - "http://www.openwall.com/lists/oss-security/2023/04/29/1", - "http://www.openwall.com/lists/oss-security/2023/05/03/5", - "http://www.openwall.com/lists/oss-security/2023/05/03/3", - "https://www.reddit.com/r/perl/comments/111tadi/psa_httptiny_disabled_ssl_verification_by_default/", - "https://www.openwall.com/lists/oss-security/2023/05/03/4", - "https://hackeriet.github.io/cpan-http-tiny-overview/", - "https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/", - "https://www.openwall.com/lists/oss-security/2023/04/18/14" - ], - "extended_information": { - "short_description": "Missing TLS check in HTTP::Tiny allows network attackers to perform man-in-the-middle attacks when performing SSL requests.", - "full_description": "[HTTP::Tiny](https://metacpan.org/pod/HTTP::Tiny) is an HTTP client written in Perl and a standalone CPAN module. By default, HTTP::Tiny does not verify TLS certificates. 
To enable verification, the `verify_SSL=\u003e1` flag must be specified when initializing the `HTTP::Tiny` object.\n\nThis could allow potential local-network attacker to perform a man-in-the-middle (ssl strip) attack.\nThis issue affects all packages that incorrectly use the `HTTP::Tiny` package.\n\nVulnerable code snippet -\n```\nuse HTTP::Tiny;\n\nmy $http = HTTP::Tiny-\u003enew();\nmy $response = $http-\u003eget('https://example.com');\n```", - "jfrog_research_severity": "High", - "jfrog_research_severity_reasons": [ - { - "name": "The issue is trivial to exploit and does not require a published writeup or PoC", - "description": "Exploitation only requires an attacker to perform a man-in-the-middle attack (which is extensively documented)." - }, - { - "name": "The issue has a detailed technical explanation published, that can aid in exploit development", - "description": "A technical write-up exists." - }, - { - "name": "The issue can be exploited by attackers over the network", - "description": "The vulnerability is exploitable by local network attackers" - }, - { - "name": "The impact of exploiting the issue depends on the context of surrounding software. 
A severe impact such as RCE is not guaranteed.", - "description": "The impact depends on the action performed by the vulnerable code.\nThis could be anything from information disclosure (through the web requests) to remote code execution (in the event the request response is used to install a package or influence the application's flow).", - "is_positive": true - } - ], - "remediation": "##### Development mitigations\n\nEnable the `verify_SSL` flag when initializing HTTP::Tiny -\n\n```perl\n$http = HTTP::Tiny-\u003enew(verify_SSL=\u003e1);\n```" - } - }, - { - "cves": [ - { - "cve": "CVE-2023-47038", - "cvss_v3_score": "7.8", - "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "cwe": [ - "CWE-787" - ], - "cwe_details": { - "CWE-787": { - "name": "Out-of-bounds Write", - "description": "The product writes data past the end, or before the beginning, of the intended buffer.", - "categories": [ - { - "category": "2023 CWE Top 25", - "rank": "1" - } - ] - } - } - } - ], - "summary": "A vulnerability was found in perl 5.30.0 through 5.38.0. 
This issue occurs when a crafted regular expression is compiled by perl, which can allow an attacker controlled byte buffer overflow in a heap allocated buffer.", - "severity": "High", - "components": { - "deb://debian:bookworm:perl-base:5.36.0-7": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:perl-base:5.36.0-7", - "full_path": "perl-base:5.36.0-7" - } - ] - ] - } - }, - "issue_id": "XRAY-539839", - "references": [ - "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056746", - "https://access.redhat.com/errata/RHSA-2024:3128", - "https://access.redhat.com/security/cve/CVE-2023-47038", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNEEWAACXQCEEAKSG7XX2D5YDRWLCIZJ/", - "https://security-tracker.debian.org/tracker/CVE-2023-47038", - "https://bugzilla.redhat.com/show_bug.cgi?id=2249523", - "https://perldoc.perl.org/perl5382delta#CVE-2023-47038-Write-past-buffer-end-via-illegal-user-defined-Unicode-property", - "https://access.redhat.com/errata/RHSA-2024:2228" - ], - "extended_information": { - "short_description": "(non-issue) A heap buffer overflow in Perl leads to no impact when parsing a crafted regular expression.", - "jfrog_research_severity": "Low", - "jfrog_research_severity_reasons": [ - { - "name": "The issue has an exploit published", - "description": "A test case is given, and is included in the Debian advisory:\n`perl -e 'qr/\\p{utf8::_perl_surrogate}/'`" - }, - { - "name": "The issue cannot result in a severe impact (such as remote code execution)", - "description": "If the attacker can execute arbitrary Perl code, exploiting the 
vulnerability would offer no additional security impact.", - "is_positive": true - }, - { - "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", - "description": "The CVSS impact does not reflect the prerequisites required to exploit the vulnerability.", - "is_positive": true - }, - { - "name": "The prerequisites for exploiting the issue are extremely unlikely", - "description": "The attacker must be able to run Perl code which the victim executes.", - "is_positive": true - } - ] - } - }, - { - "cves": [ - { - "cve": "CVE-2023-31484", - "cvss_v3_score": "8.1", - "cvss_v3_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "cwe": [ - "CWE-295" - ], - "cwe_details": { - "CWE-295": { - "name": "Improper Certificate Validation", - "description": "The product does not validate, or incorrectly validates, a certificate." - } - } - } - ], - "summary": "CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.", - "severity": "High", - "components": { - "deb://debian:bookworm:perl-base:5.36.0-7": { - "impact_paths": [ - [ - { - "component_id": "docker://docker.io/library/nginx:latest" - }, - { - "component_id": "generic://sha256:32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027/sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar", - "full_path": "sha256__32f2ee38f285d7a349380070ea0dbfa284c9181e5e8b1a736f7a9eca726b1027.tar" - }, - { - "component_id": "deb://debian:bookworm:perl-base:5.36.0-7", - "full_path": "perl-base:5.36.0-7" - } - ] - ] - } - }, - "issue_id": "XRAY-515823", - "references": [ - "http://www.openwall.com/lists/oss-security/2023/04/29/1", - "https://security.netapp.com/advisory/ntap-20240621-0007/", - "http://www.openwall.com/lists/oss-security/2023/05/03/5", - "http://www.openwall.com/lists/oss-security/2023/05/03/3", - 
"https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/", - "http://www.openwall.com/lists/oss-security/2023/05/07/2", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/", - "https://metacpan.org/dist/CPAN/changes", - "https://security-tracker.debian.org/tracker/CVE-2023-31484", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/", - "https://github.com/andk/cpanpm/pull/175", - "https://www.openwall.com/lists/oss-security/2023/04/18/14" - ], - "extended_information": { - "short_description": "Missing TLS check in CPAN.pm allows man-in-the-middle attacks when downloading packages and may lead to code execution.", - "full_description": "[CPAN.pm](https://metacpan.org/pod/CPAN) is a Perl module and command-line tool that provides an automated and standardized way to download, install, and manage Perl modules and their dependencies from the Comprehensive Perl Archive Network (CPAN).\n[HTTP::Tiny](https://metacpan.org/pod/HTTP::Tiny) is an HTTP client in Perl and a standalone CPAN module. By default, it does not verify TLS certificates. To enable it, the `verify_SSL=\u003e1` flag should be specified when initializing the `HTTP::Tiny` object. 
The problem identified in `HTTP::Tiny` has been assigned the CVE identifier `CVE-2023-31486` and serves as the underlying cause for the problem in `CPAN.pm`.\n\n`CPAN.pm` downloads and executes code through the `install` command followed by the package name.\nAlthough `CPAN.pm` downloads from `https://cpan.org`, it does not enable TLS certificate verification while using `HTTP::Tiny`, which could potentially allow an attacker to perform a man-in-the-middle attack by injecting malicious data that could be executed by CPAN.pm.\n\nExample of a vulnerable code:\n```\nuse CPAN;\ninstall DateTime\n```\n\nExample of a vulnerable command-line:\n```\ncpan install DateTime\n```", - "jfrog_research_severity": "High", - "jfrog_research_severity_reasons": [ - { - "name": "The issue is trivial to exploit and does not require a published writeup or PoC", - "description": "Exploitation only requires an attacker to perform a man-in-the-middle attack (which is extensively documented) and provide the victim with a malicious package instead of the legitimate one." - }, - { - "name": "The issue has a detailed technical explanation published, that can aid in exploit development", - "description": "A technical write-up exists." - }, - { - "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", - "description": "The attacker should be in the network to perform a man-in-the-middle attack, and then provide a malicious package when the victim installs a new CPAN.pm package.", - "is_positive": true - }, - { - "name": "The issue results in a severe impact (such as remote code execution)", - "description": "This issue may lead to code execution." 
- }, - { - "name": "The issue can be exploited by attackers over the network" - } - ] - } - } - ], - "component_id": "docker://docker.io/library/nginx:latest", - "package_type": "oci", - "status": "completed" - } - ] - }, - "jas_scans": { - "contextual_analysis": [ - { - "tool": { - "driver": { - "informationUri": "https://jfrog.com/help/r/jfrog-security-documentation/jfrog-advanced-security", - "name": "JFrog Applicability Scanner", - "rules": [ - { - "id": "applic_CVE-2011-3374", - "name": "CVE-2011-3374", - "shortDescription": { - "text": "Scanner for CVE-2011-3374" - }, - "fullDescription": { - "text": "The scanner checks if the vulnerable variable `ARCHIVE_KEYRING_URI` in `/usr/bin/apt-key` is not empty and not commented out. This is the URI that an attacker would need to target in a Man-in-the-Middle attack.\n\nThe below prerequisites are also crucial for exploitability but are not checked in the scanner:\n\n1. The command apt-key net-update should be executed on the affected system, or alternatively `apt.auth.net_update()` function from the `python-apt` Python module should be called. This is for the malicious keys download.\n\n2. After the execution of `apt-key net-update`, APT packages should be installed or updated on the machine.", - "markdown": "The scanner checks if the vulnerable variable `ARCHIVE_KEYRING_URI` in `/usr/bin/apt-key` is not empty and not commented out. This is the URI that an attacker would need to target in a Man-in-the-Middle attack.\n\nThe below prerequisites are also crucial for exploitability but are not checked in the scanner:\n\n1. The command apt-key net-update should be executed on the affected system, or alternatively `apt.auth.net_update()` function from the `python-apt` Python module should be called. This is for the malicious keys download.\n\n2. After the execution of `apt-key net-update`, APT packages should be installed or updated on the machine." 
- }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2013-0337", - "name": "CVE-2013-0337", - "shortDescription": { - "text": "Scanner for CVE-2013-0337" - }, - "fullDescription": { - "text": "The scanner checks whether any of the Nginx log files (`error.log` and `access.log`) is a symbolic link. If both files are symbolic links that point to `\\dev\\*` path, the vulnerability is not relevant, thus not applicable. If one of the log files is not a symbolic link, the vulnerability is applicable.", - "markdown": "The scanner checks whether any of the Nginx log files (`error.log` and `access.log`) is a symbolic link. If both files are symbolic links that point to `\\dev\\*` path, the vulnerability is not relevant, thus not applicable. If one of the log files is not a symbolic link, the vulnerability is applicable." - }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2018-5709", - "name": "CVE-2018-5709", - "shortDescription": { - "text": "Scanner for CVE-2018-5709" - }, - "fullDescription": { - "text": "This CVE has no security impact, hence it is never applicable.\nOriginally, the vulnerability was mistakenly reported as an integer overflow, but it is actually an integer truncation.\nThe issue does not affect any other data allocated close to the 16-bit integer in question. Furthermore, a negative value of the 16-bit integer does not impact the flow of the program in any meaningful way.", - "markdown": "This CVE has no security impact, hence it is never applicable.\nOriginally, the vulnerability was mistakenly reported as an integer overflow, but it is actually an integer truncation.\nThe issue does not affect any other data allocated close to the 16-bit integer in question. 
Furthermore, a negative value of the 16-bit integer does not impact the flow of the program in any meaningful way." - }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2024-5171", - "name": "CVE-2024-5171", - "shortDescription": { - "text": "Scanner for CVE-2024-5171" - }, - "fullDescription": { - "text": "The scanner checks whether any of the vulnerable functions are called:\n\n* `aom_img_alloc()`\n\n* `aom_img_wrap()`\n\n* `aom_img_alloc_with_border()`", - "markdown": "The scanner checks whether any of the vulnerable functions are called:\n\n* `aom_img_alloc()`\n\n* `aom_img_wrap()`\n\n* `aom_img_alloc_with_border()`" - }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2023-39616", - "name": "CVE-2023-39616", - "shortDescription": { - "text": "Scanner for CVE-2023-39616" - }, - "fullDescription": { - "text": "The scanner checks whether the vulnerable function `aom_codec_encode` is called.\n\nIn order for the vulnerability to be fully applicable, the vulnerable code must also call the `aom_codec_enc_init` function with the 3rd argument struct (`config`) being set with `dropframe_thresh` == 1. This additional condition is currently not checked by the scanner.\n\nNote that the vulnerability is also exploitable through the CLI tool `aomenc` under rare conditions. However - exploitation of the CLI tool will cause it to simply crash, which has no security impact (crashing of a forked client process).", - "markdown": "The scanner checks whether the vulnerable function `aom_codec_encode` is called.\n\nIn order for the vulnerability to be fully applicable, the vulnerable code must also call the `aom_codec_enc_init` function with the 3rd argument struct (`config`) being set with `dropframe_thresh` == 1. 
This additional condition is currently not checked by the scanner.\n\nNote that the vulnerability is also exploitable through the CLI tool `aomenc` under rare conditions. However - exploitation of the CLI tool will cause it to simply crash, which has no security impact (crashing of a forked client process)." - }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2022-0563", - "name": "CVE-2022-0563", - "shortDescription": { - "text": "Scanner for CVE-2022-0563" - }, - "fullDescription": { - "text": "The scanner checks whether the `chfs` and `chfn` CLI utilities are compiled with the vulnerable `readline` library.", - "markdown": "The scanner checks whether the `chfs` and `chfn` CLI utilities are compiled with the vulnerable `readline` library." - }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2023-27103", - "name": "CVE-2023-27103", - "shortDescription": { - "text": "Scanner for CVE-2023-27103" - }, - "fullDescription": { - "text": "The scanner checks if any of the following vulnerable functions are called:\n\n* `de265_new_decoder`\n* `de265_decode`\n* `de265_decode_data`", - "markdown": "The scanner checks if any of the following vulnerable functions are called:\n\n* `de265_new_decoder`\n* `de265_decode`\n* `de265_decode_data`" - }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2023-49465", - "name": "CVE-2023-49465", - "shortDescription": { - "text": "Scanner for CVE-2023-49465" - }, - "fullDescription": { - "text": "The scanner checks if any of the following vulnerable functions are called:\n\n* `de265_new_decoder`\n* `de265_decode`\n* `de265_decode_data`", - "markdown": "The scanner checks if any of the following vulnerable functions are called:\n\n* 
`de265_new_decoder`\n* `de265_decode`\n* `de265_decode_data`" - }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2023-49467", - "name": "CVE-2023-49467", - "shortDescription": { - "text": "Scanner for CVE-2023-49467" - }, - "fullDescription": { - "text": "The scanner checks if any of the following vulnerable functions are called:\n\n* `de265_new_decoder`\n* `de265_decode`\n* `de265_decode_data`", - "markdown": "The scanner checks if any of the following vulnerable functions are called:\n\n* `de265_new_decoder`\n* `de265_decode`\n* `de265_decode_data`" - }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2023-49468", - "name": "CVE-2023-49468", - "shortDescription": { - "text": "Scanner for CVE-2023-49468" - }, - "fullDescription": { - "text": "The scanner checks if any of the following vulnerable functions are called:\n\n* `de265_new_decoder`\n* `de265_decode`\n* `de265_decode_data`", - "markdown": "The scanner checks if any of the following vulnerable functions are called:\n\n* `de265_new_decoder`\n* `de265_decode`\n* `de265_decode_data`" - }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2023-52425", - "name": "CVE-2023-52425", - "shortDescription": { - "text": "Scanner for CVE-2023-52425" - }, - "fullDescription": { - "text": "The scanner checks whether any of the next functions are called:\n\n* `XML_Parse()`\n* `XML_ParseBuffer()`\n\nFor determining the applicability of this CVE, an additional condition (that the scanner currently does not check) should be verified: The vulnerable functions are used to parse an attacker-controlled file by chunks.", - "markdown": "The scanner checks whether any of the next functions are called:\n\n* `XML_Parse()`\n* 
`XML_ParseBuffer()`\n\nFor determining the applicability of this CVE, an additional condition (that the scanner currently does not check) should be verified: The vulnerable functions are used to parse an attacker-controlled file by chunks." - }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2024-45490", - "name": "CVE-2024-45490", - "shortDescription": { - "text": "Scanner for CVE-2024-45490" - }, - "fullDescription": { - "text": "The scanner checks whether any of the following vulnerable functions are called:\n\n- `XML_Parse()`\n- `XML_ParseBuffer()`\n\nAn additional condition, which the scanner currently does not check, is that the `len` parameter which is passed to those functions is user-controlled.", - "markdown": "The scanner checks whether any of the following vulnerable functions are called:\n\n- `XML_Parse()`\n- `XML_ParseBuffer()`\n\nAn additional condition, which the scanner currently does not check, is that the `len` parameter which is passed to those functions is user-controlled." - }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2023-26965", - "name": "CVE-2023-26965", - "shortDescription": { - "text": "Scanner for CVE-2023-26965" - }, - "fullDescription": { - "text": "The scanner checks whether the vulnerable `tiffcrop` binary is present in the image.\n\nNote that the scanner does not check whether `tiffcrop` is invoked with arbitrary image files.", - "markdown": "The scanner checks whether the vulnerable `tiffcrop` binary is present in the image.\n\nNote that the scanner does not check whether `tiffcrop` is invoked with arbitrary image files." 
- }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2023-2953", - "name": "CVE-2023-2953", - "shortDescription": { - "text": "Scanner for CVE-2023-2953" - }, - "fullDescription": { - "text": "The scanner checks whether any of the following vulnerable functions are used:\n\n- `ldif_open_url`\n- `ldif_fetch_url`\n- `ldif_parse_line2`\n- `ldif_parse_line`\n- `ldap_parse_ldif_record_x`\n- `ldap_parse_ldif_record`\n- `ldif_read_record`\n- `slapi_str2entry`", - "markdown": "The scanner checks whether any of the following vulnerable functions are used:\n\n- `ldif_open_url`\n- `ldif_fetch_url`\n- `ldif_parse_line2`\n- `ldif_parse_line`\n- `ldap_parse_ldif_record_x`\n- `ldap_parse_ldif_record`\n- `ldif_read_record`\n- `slapi_str2entry`" - }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2023-40745", - "name": "CVE-2023-40745", - "shortDescription": { - "text": "Scanner for CVE-2023-40745" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2023-41175", - "name": "CVE-2023-41175", - "shortDescription": { - "text": "Scanner for CVE-2023-41175" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2023-43887", - "name": "CVE-2023-43887", - "shortDescription": { - "text": "Scanner for CVE-2023-43887" - }, - "fullDescription": { - "text": "The scanner checks for the presence of a binary related to `libde265` on the scanned artifact, specifically, any file ending with `dec265`.", - "markdown": "The scanner checks for the presence of a binary related to `libde265` on the scanned 
artifact, specifically, any file ending with `dec265`." - }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2023-44487", - "name": "CVE-2023-44487", - "shortDescription": { - "text": "Scanner for CVE-2023-44487" - }, - "fullDescription": { - "text": "The scanner checks for each vendor listed here:\n\n* Tomcat: configuration enables HTTP/2 either through the XML file or Java's `addUpgradeProtocol()` method.\n* Jetty: HTTP/2 enabled through `HTTP2CServerConnectionFactory`/`HTTP2ServerConnectionFactory` class initialization. Note: it also checks whether `jenkins` enables http/2 through its configuration.\n* Nginx: check whether one of the HTTP configurations is enabling http/2.\nNote: the following parameters should be configured properly to make the vulnerability not applicable:\n`keepalive_requests` should be kept at the default setting of 1000 requests\n`http2_max_concurrent_streams` should be kept at the default setting of 128 streams\n`limit_conn and limit_req` should be set `with a reasonable setting balancing application performance and security`. \n* Netty: check whether the `http2` codec classes are used in a java class\n* NodeJS: check whether the `http2.createSecureServer()` is used\n* NGHttp2: check whether a web server is instantiated through one of the symbols `nghttp2_session_server_new` or `listen_and_serve`.\n* Go: check whether a server is instantiated through the `net/http` or `net/http2` packages", - "markdown": "The scanner checks for each vendor listed here:\n\n* Tomcat: configuration enables HTTP/2 either through the XML file or Java's `addUpgradeProtocol()` method.\n* Jetty: HTTP/2 enabled through `HTTP2CServerConnectionFactory`/`HTTP2ServerConnectionFactory` class initialization. 
Note: it also checks whether `jenkins` enables http/2 through its configuration.\n* Nginx: check whether one of the HTTP configurations is enabling http/2.\nNote: the following parameters should be configured properly to make the vulnerability not applicable:\n`keepalive_requests` should be kept at the default setting of 1000 requests\n`http2_max_concurrent_streams` should be kept at the default setting of 128 streams\n`limit_conn and limit_req` should be set `with a reasonable setting balancing application performance and security`. \n* Netty: check whether the `http2` codec classes are used in a java class\n* NodeJS: check whether the `http2.createSecureServer()` is used\n* NGHttp2: check whether a web server is instantiated through one of the symbols `nghttp2_session_server_new` or `listen_and_serve`.\n* Go: check whether a server is instantiated through the `net/http` or `net/http2` packages" - }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2023-45853", - "name": "CVE-2023-45853", - "shortDescription": { - "text": "Scanner for CVE-2023-45853" - }, - "fullDescription": { - "text": "The scanner checks if any of the following functions are called:\n\n- `zipOpenNewFileInZip`\n- `zipOpenNewFileInZip_64`\n- `zipOpenNewFileInZip2`\n- `zipOpenNewFileInZip2_64`\n- `zipOpenNewFileInZip3`\n- `zipOpenNewFileInZip3_64`\n- `zipOpenNewFileInZip4`\n- `zipOpenNewFileInZip4_64`", - "markdown": "The scanner checks if any of the following functions are called:\n\n- `zipOpenNewFileInZip`\n- `zipOpenNewFileInZip_64`\n- `zipOpenNewFileInZip2`\n- `zipOpenNewFileInZip2_64`\n- `zipOpenNewFileInZip3`\n- `zipOpenNewFileInZip3_64`\n- `zipOpenNewFileInZip4`\n- `zipOpenNewFileInZip4_64`" - }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2023-47038", - "name": "CVE-2023-47038", - 
"shortDescription": { - "text": "Scanner for CVE-2023-47038" - }, - "fullDescription": { - "text": "This CVE has no security impact (hence it is never applicable) as one of its prerequisites is arbitrary execution of Perl code, making any security impact of exploiting the vulnerability negligible since arbitrary code execution has already occurred.", - "markdown": "This CVE has no security impact (hence it is never applicable) as one of its prerequisites is arbitrary execution of Perl code, making any security impact of exploiting the vulnerability negligible since arbitrary code execution has already occurred." - }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2023-49460", - "name": "CVE-2023-49460", - "shortDescription": { - "text": "Scanner for CVE-2023-49460" - }, - "fullDescription": { - "text": "The scanner checks if the `libheif` binary was compiled with the vulnerable setting `-DWITH_UNCOMPRESSED_CODEC=ON` and if the vulnerable function `UncompressedImageCodec::decode_uncompressed_image` is called.", - "markdown": "The scanner checks if the `libheif` binary was compiled with the vulnerable setting `-DWITH_UNCOMPRESSED_CODEC=ON` and if the vulnerable function `UncompressedImageCodec::decode_uncompressed_image` is called." 
- }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2023-49463", - "name": "CVE-2023-49463", - "shortDescription": { - "text": "Scanner for CVE-2023-49463" - }, - "fullDescription": { - "text": "The scanner checks if any of the following vulnerable functions are called:\n\n* `read_exif_orientation_tag`\n\n* `modify_exif_orientation_tag_if_it_exists`", - "markdown": "The scanner checks if any of the following vulnerable functions are called:\n\n* `read_exif_orientation_tag`\n\n* `modify_exif_orientation_tag_if_it_exists`" - }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2023-49462", - "name": "CVE-2023-49462", - "shortDescription": { - "text": "Scanner for CVE-2023-49462" - }, - "fullDescription": { - "text": "The scanner checks if any of the following vulnerable functions are called:\n\n* `read_exif_orientation_tag`\n\n* `modify_exif_orientation_tag_if_it_exists`", - "markdown": "The scanner checks if any of the following vulnerable functions are called:\n\n* `read_exif_orientation_tag`\n\n* `modify_exif_orientation_tag_if_it_exists`" - }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2023-50387", - "name": "CVE-2023-50387", - "shortDescription": { - "text": "Scanner for CVE-2023-50387" - }, - "fullDescription": { - "text": "The scanner checks whether DNSSEC validation is on. 
Currently, the supported packages are `bind`, `dnsmasq`, `systemd`, `unbound`.\nFor bind, the scanner checks whether `dnssec-validation` configuration option is set to `auto` or `yes` in the bind configuration file.\n\nFor dnsmasq, the scanner checks whether the `dnssec` configuration appears in the dnsmasq configuration file.\n\nFor systemd, the scanner checks whether the `DNSSEC` configuration is set to `true` or `allow-downgrade` in the systemd-resolved configuration file.\n\nFor unbound, the scanner checks whether a `trust-anchor-file` or `auto-trust-anchor-file` file is set in the `server` configuration in the Unbound configuration file.\n\nFor determining the applicability of this CVE, an additional condition (that the scanner currently does not check) should be verified: the attacker must be able to query the DNSSEC resolver to validate their malicious domain.", - "markdown": "The scanner checks whether DNSSEC validation is on. Currently, the supported packages are `bind`, `dnsmasq`, `systemd`, `unbound`.\nFor bind, the scanner checks whether `dnssec-validation` configuration option is set to `auto` or `yes` in the bind configuration file.\n\nFor dnsmasq, the scanner checks whether the `dnssec` configuration appears in the dnsmasq configuration file.\n\nFor systemd, the scanner checks whether the `DNSSEC` configuration is set to `true` or `allow-downgrade` in the systemd-resolved configuration file.\n\nFor unbound, the scanner checks whether a `trust-anchor-file` or `auto-trust-anchor-file` file is set in the `server` configuration in the Unbound configuration file.\n\nFor determining the applicability of this CVE, an additional condition (that the scanner currently does not check) should be verified: the attacker must be able to query the DNSSEC resolver to validate their malicious domain." 
- }, - "properties": { - "applicability": "undetermined", - "conclusion": "private" - } - }, - { - "id": "applic_CVE-2023-50868", - "name": "CVE-2023-50868", - "shortDescription": { - "text": "Scanner for CVE-2023-50868" - }, - "fullDescription": { - "text": "The scanner checks whether DNSSEC validation is on. Currently, the supported packages are `bind`, `dnsmasq`, `systemd`, `unbound`.\nFor bind, the scanner checks whether `dnssec-validation` configuration option is set to `auto` or `yes` in the bind configuration file.\n\nFor dnsmasq, the scanner checks whether the `dnssec` configuration appears in the dnsmasq configuration file.\n\nFor systemd, the scanner checks whether the `DNSSEC` configuration is set to `true` or `allow-downgrade` in the systemd-resolved configuration file.\n\nFor unbound, the scanner checks whether a `trust-anchor-file` or `auto-trust-anchor-file` file is set in the `server` configuration in the Unbound configuration file.\n\nFor determining the applicability of this CVE, an additional condition (that the scanner currently does not check) should be verified: the attacker must be able to query the DNSSEC resolver to validate their malicious domain.", - "markdown": "The scanner checks whether DNSSEC validation is on. 
Currently, the supported packages are `bind`, `dnsmasq`, `systemd`, `unbound`.\nFor bind, the scanner checks whether `dnssec-validation` configuration option is set to `auto` or `yes` in the bind configuration file.\n\nFor dnsmasq, the scanner checks whether the `dnssec` configuration appears in the dnsmasq configuration file.\n\nFor systemd, the scanner checks whether the `DNSSEC` configuration is set to `true` or `allow-downgrade` in the systemd-resolved configuration file.\n\nFor unbound, the scanner checks whether a `trust-anchor-file` or `auto-trust-anchor-file` file is set in the `server` configuration in the Unbound configuration file.\n\nFor determining the applicability of this CVE, an additional condition (that the scanner currently does not check) should be verified: the attacker must be able to query the DNSSEC resolver to validate their malicious domain." - }, - "properties": { - "applicability": "undetermined", - "conclusion": "private" - } - }, - { - "id": "applic_CVE-2023-52355", - "name": "CVE-2023-52355", - "shortDescription": { - "text": "Scanner for CVE-2023-52355" - }, - "fullDescription": { - "text": "The scanner checks whether any of the following functions are called:\n\n- `TIFFRasterScanlineSize64()`\n- `TIFFRasterScanlineSize()`", - "markdown": "The scanner checks whether any of the following functions are called:\n\n- `TIFFRasterScanlineSize64()`\n- `TIFFRasterScanlineSize()`" - }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2023-52356", - "name": "CVE-2023-52356", - "shortDescription": { - "text": "Scanner for CVE-2023-52356" - }, - "fullDescription": { - "text": "The scanner checks whether any of the following functions are called:\n\n- `TIFFReadRGBATileExt()` \n- `TIFFReadRGBATile()`", - "markdown": "The scanner checks whether any of the following functions are called:\n\n- `TIFFReadRGBATileExt()` \n- `TIFFReadRGBATile()`" - }, - 
"properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2023-5363", - "name": "CVE-2023-5363", - "shortDescription": { - "text": "Scanner for CVE-2023-5363" - }, - "fullDescription": { - "text": "The scanner checks if any of the following vulnerable functions are called:\n\n- `EVP_EncryptInit_ex2`\n- `EVP_DecryptInit_ex2`\n- `EVP_CipherInit_ex2`", - "markdown": "The scanner checks if any of the following vulnerable functions are called:\n\n- `EVP_EncryptInit_ex2`\n- `EVP_DecryptInit_ex2`\n- `EVP_CipherInit_ex2`" - }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2023-6246", - "name": "CVE-2023-6246", - "shortDescription": { - "text": "Scanner for CVE-2023-6246" - }, - "fullDescription": { - "text": "The scanner checks whether the vulnerable functions `syslog` or `vsyslog` are called from a file with the `setuid` or `setgid` bit.\n\nTo exploit this vulnerability, the attacker needs to control either argv[0], which typically holds the name of the program being executed or the `ident` argument of syslog's `openlog()` function. The scanner currently does not verify this prerequisite but for local exploitation, it is a common scenraio, such as in `su` binary.", - "markdown": "The scanner checks whether the vulnerable functions `syslog` or `vsyslog` are called from a file with the `setuid` or `setgid` bit.\n\nTo exploit this vulnerability, the attacker needs to control either argv[0], which typically holds the name of the program being executed or the `ident` argument of syslog's `openlog()` function. The scanner currently does not verify this prerequisite but for local exploitation, it is a common scenraio, such as in `su` binary." 
- }, - "properties": { - "applicability": "applicable", - "conclusion": "negative", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2023-6879", - "name": "CVE-2023-6879", - "shortDescription": { - "text": "Scanner for CVE-2023-6879" - }, - "fullDescription": { - "text": "The scanner checks whether an encoding process is performed with the following requirements:\n\n* Using AV1 codec (`aom_codec_av1_cx()`).\n* Encoding (`aom_codec_encode()`)\n* Cleaning the memory at the end of the encoding process (`aom_codec_destroy()`).\n\nFor determining the applicability of this CVE, an additional condition (that the scanner currently does not check) should be verified: `aom` is configured to use more than 1 thread. For example:\n```\naom_codec_enc_cfg_t cfg;\naom_codec_enc_config_default(iface, \u0026cfg, AOM_USAGE_GOOD_QUALITY));\ncfg.g_threads = 4;\n```", - "markdown": "The scanner checks whether an encoding process is performed with the following requirements:\n\n* Using AV1 codec (`aom_codec_av1_cx()`).\n* Encoding (`aom_codec_encode()`)\n* Cleaning the memory at the end of the encoding process (`aom_codec_destroy()`).\n\nFor determining the applicability of this CVE, an additional condition (that the scanner currently does not check) should be verified: `aom` is configured to use more than 1 thread. 
For example:\n```\naom_codec_enc_cfg_t cfg;\naom_codec_enc_config_default(iface, \u0026cfg, AOM_USAGE_GOOD_QUALITY));\ncfg.g_threads = 4;\n```" - }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2024-0553", - "name": "CVE-2024-0553", - "shortDescription": { - "text": "Scanner for CVE-2024-0553" - }, - "fullDescription": { - "text": "The scanner checks if RSA decryption occurs by finding calls to any of the following functions:\n\n- `gnutls_privkey_decrypt_data`\n\n- `gnutls_privkey_decrypt_data2`\n\nAn additional condition (that the scanner does not currently check) is required for the CVE to be applicable: the RSA padding algorithm needs to be `PKCS#1`. `key-\u003epk_algorithm` needs to be equal to `GNUTLS_PK_RSA`.", - "markdown": "The scanner checks if RSA decryption occurs by finding calls to any of the following functions:\n\n- `gnutls_privkey_decrypt_data`\n\n- `gnutls_privkey_decrypt_data2`\n\nAn additional condition (that the scanner does not currently check) is required for the CVE to be applicable: the RSA padding algorithm needs to be `PKCS#1`. `key-\u003epk_algorithm` needs to be equal to `GNUTLS_PK_RSA`." 
- }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2024-0567", - "name": "CVE-2024-0567", - "shortDescription": { - "text": "Scanner for CVE-2024-0567" - }, - "fullDescription": { - "text": "The scanner checks if any of the following vulnerable functions are called:\n\n- `gnutls_pcert_import_x509_list`\n\n- `gnutls_certificate_set_x509_key`\n\n- `gnutls_certificate_set_x509_simple_pkcs12_mem`\n\n- `gnutls_certificate_set_x509_simple_pkcs12_file`\n\n- `gnutls_privkey_import_url`\n\n- `gnutls_privkey_import_pkcs11_url`\n\n- `gnutls_read_key_file`\n\n- `gnutls_certificate_set_rawpk_key_file`\n\n- `gnutls_certificate_set_x509_key_file2`\n\n- `gnutls_certificate_set_x509_key_file`\n\n- `gnutls_pcert_list_import_x509_file`\n\n- `gnutls_certificate_set_x509_key_mem2`\n\n- `gnutls_certificate_set_x509_key_mem`\n\n- `gnutls_x509_crt_list_import`\n\n- `gnutls_pcert_list_import_x509_raw`\n\n- `gnutls_session_channel_binding`\n\n- `gnutls_x509_crt_list_import2`\n\n- `gnutls_x509_trust_list_add_trust_mem`\n\n- `gnutls_x509_trust_list_add_system_trust`\n\n- `gnutls_certificate_set_x509_system_trust`\n\n- `gnutls_certificate_set_x509_crl_mem`\n\n- `gnutls_certificate_set_x509_trust_mem`\n\n- `gnutls_x509_trust_list_add_trust_file`\n\n- `gnutls_certificate_set_x509_crl_file`\n\n- `gnutls_certificate_set_x509_trust_file`\n\n- `gnutls_x509_trust_list_add_trust_dir`\n\n- `gnutls_certificate_set_x509_trust_dir`\n\n- `gnutls_x509_trust_list_remove_trust_mem`\n\n- `gnutls_x509_trust_list_remove_trust_file`\n\n- `gnutls_x509_trust_list_verify_crt2`\n\n- `gnutls_x509_cert_verify_peers`\n\n- `gnutls_certificate_verify_peers`\n\n- `gnutls_certificate_verify_peers2`\n\n- `gnutls_certificate_verify_peers3`\n\n- `gnutls_pkcs7_verify`\n\n- `gnutls_ocsp_resp_verify`\n\n- `gnutls_x509_trust_list_verify_crt`", - "markdown": "The scanner checks if any of the following vulnerable functions are 
called:\n\n- `gnutls_pcert_import_x509_list`\n\n- `gnutls_certificate_set_x509_key`\n\n- `gnutls_certificate_set_x509_simple_pkcs12_mem`\n\n- `gnutls_certificate_set_x509_simple_pkcs12_file`\n\n- `gnutls_privkey_import_url`\n\n- `gnutls_privkey_import_pkcs11_url`\n\n- `gnutls_read_key_file`\n\n- `gnutls_certificate_set_rawpk_key_file`\n\n- `gnutls_certificate_set_x509_key_file2`\n\n- `gnutls_certificate_set_x509_key_file`\n\n- `gnutls_pcert_list_import_x509_file`\n\n- `gnutls_certificate_set_x509_key_mem2`\n\n- `gnutls_certificate_set_x509_key_mem`\n\n- `gnutls_x509_crt_list_import`\n\n- `gnutls_pcert_list_import_x509_raw`\n\n- `gnutls_session_channel_binding`\n\n- `gnutls_x509_crt_list_import2`\n\n- `gnutls_x509_trust_list_add_trust_mem`\n\n- `gnutls_x509_trust_list_add_system_trust`\n\n- `gnutls_certificate_set_x509_system_trust`\n\n- `gnutls_certificate_set_x509_crl_mem`\n\n- `gnutls_certificate_set_x509_trust_mem`\n\n- `gnutls_x509_trust_list_add_trust_file`\n\n- `gnutls_certificate_set_x509_crl_file`\n\n- `gnutls_certificate_set_x509_trust_file`\n\n- `gnutls_x509_trust_list_add_trust_dir`\n\n- `gnutls_certificate_set_x509_trust_dir`\n\n- `gnutls_x509_trust_list_remove_trust_mem`\n\n- `gnutls_x509_trust_list_remove_trust_file`\n\n- `gnutls_x509_trust_list_verify_crt2`\n\n- `gnutls_x509_cert_verify_peers`\n\n- `gnutls_certificate_verify_peers`\n\n- `gnutls_certificate_verify_peers2`\n\n- `gnutls_certificate_verify_peers3`\n\n- `gnutls_pkcs7_verify`\n\n- `gnutls_ocsp_resp_verify`\n\n- `gnutls_x509_trust_list_verify_crt`" - }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2024-25062", - "name": "CVE-2024-25062", - "shortDescription": { - "text": "Scanner for CVE-2024-25062" - }, - "fullDescription": { - "text": "The scanner checks whether any of the following functions are called:\n\n* `xmlValidatePopElement()`\n* `xmlTextReaderClose()`\n* `xmlFreeTextReader() `\n* 
`xmlTextReaderRead()`\n* `xmlSchemaValidateDoc()`", - "markdown": "The scanner checks whether any of the following functions are called:\n\n* `xmlValidatePopElement()`\n* `xmlTextReaderClose()`\n* `xmlFreeTextReader() `\n* `xmlTextReaderRead()`\n* `xmlSchemaValidateDoc()`" - }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2024-28182", - "name": "CVE-2024-28182", - "shortDescription": { - "text": "Scanner for CVE-2024-28182" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "applicable", - "conclusion": "negative" - } - }, - { - "id": "applic_CVE-2024-2961", - "name": "CVE-2024-2961", - "shortDescription": { - "text": "Scanner for CVE-2024-2961" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2024-33600", - "name": "CVE-2024-33600", - "shortDescription": { - "text": "Scanner for CVE-2024-33600" - }, - "fullDescription": { - "text": "The scanner checks whether the `nscd` binary exists on the machine.", - "markdown": "The scanner checks whether the `nscd` binary exists on the machine." - }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2024-33599", - "name": "CVE-2024-33599", - "shortDescription": { - "text": "Scanner for CVE-2024-33599" - }, - "fullDescription": { - "text": "The scanner checks whether the `nscd` binary exists on the machine.", - "markdown": "The scanner checks whether the `nscd` binary exists on the machine." 
- }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2024-4741", - "name": "CVE-2024-4741", - "shortDescription": { - "text": "Scanner for CVE-2024-4741" - }, - "fullDescription": { - "text": "The scanner checks whether the vulnerable function `SSL_free_buffers` is called.", - "markdown": "The scanner checks whether the vulnerable function `SSL_free_buffers` is called." - }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2023-31484", - "name": "CVE-2023-31484", - "shortDescription": { - "text": "Scanner for CVE-2023-31484" - }, - "fullDescription": { - "text": "The scanner checks whether a script (either bash or perl) installs a package through the `CPAN.pm` module.", - "markdown": "The scanner checks whether a script (either bash or perl) installs a package through the `CPAN.pm` module." - }, - "properties": { - "applicability": "undetermined", - "conclusion": "private" - } - }, - { - "id": "applic_CVE-2023-49464", - "name": "CVE-2023-49464", - "shortDescription": { - "text": "Scanner for CVE-2023-49464" - }, - "fullDescription": { - "text": "The scanner checks for two conditions:\n\n1. The `libheif.so` binary was compiled with the vulnerable setting `-DWITH_UNCOMPRESSED_CODEC=ON`. \n\n2. Any of the following vulnerable functions are called:\n\n* `HeifContext::Image::get_luma_bits_per_pixel`\n* `HeifContext::decode_full_grid_image`\n* `HeifFile::get_luma_bits_per_pixel_from_configuration`\n* `UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci`\n* `heif_image_handle_get_luma_bits_per_pixel`", - "markdown": "The scanner checks for two conditions:\n\n1. The `libheif.so` binary was compiled with the vulnerable setting `-DWITH_UNCOMPRESSED_CODEC=ON`. \n\n2. 
Any of the following vulnerable functions are called:\n\n* `HeifContext::Image::get_luma_bits_per_pixel`\n* `HeifContext::decode_full_grid_image`\n* `HeifFile::get_luma_bits_per_pixel_from_configuration`\n* `UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci`\n* `heif_image_handle_get_luma_bits_per_pixel`" - }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2024-6119", - "name": "CVE-2024-6119", - "shortDescription": { - "text": "Scanner for CVE-2024-6119" - }, - "fullDescription": { - "text": "The scanner checks whether any of the following vulnerable functions are called:\n\n- `X509_VERIFY_PARAM_set1_email`\n\n- `X509_check_email`\n\n- `X509_VERIFY_PARAM_set1_host`\n\n- `X509_check_host`", - "markdown": "The scanner checks whether any of the following vulnerable functions are called:\n\n- `X509_VERIFY_PARAM_set1_email`\n\n- `X509_check_email`\n\n- `X509_VERIFY_PARAM_set1_host`\n\n- `X509_check_host`" - }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive", - "security-severity": "6.9" - } - }, - { - "id": "applic_CVE-2019-1010022", - "name": "CVE-2019-1010022", - "shortDescription": { - "text": "Scanner for uncovered CVE-2019-1010022" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2019-3815", - "name": "CVE-2019-3815", - "shortDescription": { - "text": "Scanner for uncovered CVE-2019-3815" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-6228", - "name": "CVE-2023-6228", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-6228" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-27102", - "name": 
"CVE-2023-27102", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-27102" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2024-26462", - "name": "CVE-2024-26462", - "shortDescription": { - "text": "Scanner for uncovered CVE-2024-26462" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2024-34459", - "name": "CVE-2024-34459", - "shortDescription": { - "text": "Scanner for uncovered CVE-2024-34459" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2010-4756", - "name": "CVE-2010-4756", - "shortDescription": { - "text": "Scanner for uncovered CVE-2010-4756" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2017-17740", - "name": "CVE-2017-17740", - "shortDescription": { - "text": "Scanner for uncovered CVE-2017-17740" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-31437", - "name": "CVE-2023-31437", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-31437" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-4039", - "name": "CVE-2023-4039", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-4039" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2024-25269", - "name": "CVE-2024-25269", - "shortDescription": { - "text": "Scanner for uncovered CVE-2024-25269" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": 
{ - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2024-2379", - "name": "CVE-2024-2379", - "shortDescription": { - "text": "Scanner for uncovered CVE-2024-2379" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2024-26458", - "name": "CVE-2024-26458", - "shortDescription": { - "text": "Scanner for uncovered CVE-2024-26458" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-6237", - "name": "CVE-2023-6237", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-6237" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2017-9117", - "name": "CVE-2017-9117", - "shortDescription": { - "text": "Scanner for uncovered CVE-2017-9117" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2022-3219", - "name": "CVE-2022-3219", - "shortDescription": { - "text": "Scanner for uncovered CVE-2022-3219" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-1916", - "name": "CVE-2023-1916", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-1916" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2024-37371", - "name": "CVE-2024-37371", - "shortDescription": { - "text": "Scanner for uncovered CVE-2024-37371" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2013-4392", - "name": "CVE-2013-4392", - "shortDescription": { - "text": "Scanner for uncovered CVE-2013-4392" - 
}, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-2908", - "name": "CVE-2023-2908", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-2908" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-6277", - "name": "CVE-2023-6277", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-6277" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2017-17973", - "name": "CVE-2017-17973", - "shortDescription": { - "text": "Scanner for uncovered CVE-2017-17973" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2022-27943", - "name": "CVE-2022-27943", - "shortDescription": { - "text": "Scanner for uncovered CVE-2022-27943" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2024-4603", - "name": "CVE-2024-4603", - "shortDescription": { - "text": "Scanner for uncovered CVE-2024-4603" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2024-45491", - "name": "CVE-2024-45491", - "shortDescription": { - "text": "Scanner for uncovered CVE-2024-45491" - }, - "fullDescription": { - "text": "The scanner checks whether the `xmlwf` CLI tool exists or if the vulnerable function `XML_ExternalEntityParserCreate()` is called.\n\nThis CVE is applicable only when the platform is 32bit. 
The scanner currently does not check for this condition.", - "markdown": "The scanner checks whether the `xmlwf` CLI tool exists or if the vulnerable function `XML_ExternalEntityParserCreate()` is called.\n\nThis CVE is applicable only when the platform is 32bit. The scanner currently does not check for this condition." - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2024-7006", - "name": "CVE-2024-7006", - "shortDescription": { - "text": "Scanner for uncovered CVE-2024-7006" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-7008", - "name": "CVE-2023-7008", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-7008" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2015-3276", - "name": "CVE-2015-3276", - "shortDescription": { - "text": "Scanner for uncovered CVE-2015-3276" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-45918", - "name": "CVE-2023-45918", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-45918" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2019-9192", - "name": "CVE-2019-9192", - "shortDescription": { - "text": "Scanner for uncovered CVE-2019-9192" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2024-28757", - "name": "CVE-2024-28757", - "shortDescription": { - "text": "Scanner for uncovered CVE-2024-28757" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-32570", - "name": 
"CVE-2023-32570", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-32570" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2009-4487", - "name": "CVE-2009-4487", - "shortDescription": { - "text": "Scanner for uncovered CVE-2009-4487" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2011-0283", - "name": "CVE-2011-0283", - "shortDescription": { - "text": "Scanner for uncovered CVE-2011-0283" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-4641", - "name": "CVE-2023-4641", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-4641" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2012-2131", - "name": "CVE-2012-2131", - "shortDescription": { - "text": "Scanner for uncovered CVE-2012-2131" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2011-4116", - "name": "CVE-2011-4116", - "shortDescription": { - "text": "Scanner for uncovered CVE-2011-4116" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2017-9937", - "name": "CVE-2017-9937", - "shortDescription": { - "text": "Scanner for uncovered CVE-2017-9937" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-3164", - "name": "CVE-2023-3164", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-3164" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - 
"applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2024-38949", - "name": "CVE-2024-38949", - "shortDescription": { - "text": "Scanner for uncovered CVE-2024-38949" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2024-45492", - "name": "CVE-2024-45492", - "shortDescription": { - "text": "Scanner for uncovered CVE-2024-45492" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2019-1010024", - "name": "CVE-2019-1010024", - "shortDescription": { - "text": "Scanner for uncovered CVE-2019-1010024" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2024-0727", - "name": "CVE-2024-0727", - "shortDescription": { - "text": "Scanner for uncovered CVE-2024-0727" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2024-37370", - "name": "CVE-2024-37370", - "shortDescription": { - "text": "Scanner for uncovered CVE-2024-37370" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-5678", - "name": "CVE-2023-5678", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-5678" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2016-2781", - "name": "CVE-2016-2781", - "shortDescription": { - "text": "Scanner for uncovered CVE-2016-2781" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-31439", - "name": "CVE-2023-31439", - "shortDescription": { - "text": "Scanner for uncovered 
CVE-2023-31439" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-51792", - "name": "CVE-2023-51792", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-51792" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2021-4214", - "name": "CVE-2021-4214", - "shortDescription": { - "text": "Scanner for uncovered CVE-2021-4214" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2024-22365", - "name": "CVE-2024-22365", - "shortDescription": { - "text": "Scanner for uncovered CVE-2024-22365" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-31438", - "name": "CVE-2023-31438", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-31438" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2018-10126", - "name": "CVE-2018-10126", - "shortDescription": { - "text": "Scanner for uncovered CVE-2018-10126" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2024-33602", - "name": "CVE-2024-33602", - "shortDescription": { - "text": "Scanner for uncovered CVE-2024-33602" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2022-1210", - "name": "CVE-2022-1210", - "shortDescription": { - "text": "Scanner for uncovered CVE-2022-1210" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": 
"applic_CVE-2023-3618", - "name": "CVE-2023-3618", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-3618" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-26966", - "name": "CVE-2023-26966", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-26966" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-6780", - "name": "CVE-2023-6780", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-6780" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2015-9019", - "name": "CVE-2015-9019", - "shortDescription": { - "text": "Scanner for uncovered CVE-2015-9019" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2010-4665", - "name": "CVE-2010-4665", - "shortDescription": { - "text": "Scanner for uncovered CVE-2010-4665" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-39615", - "name": "CVE-2023-39615", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-39615" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2017-16232", - "name": "CVE-2017-16232", - "shortDescription": { - "text": "Scanner for uncovered CVE-2017-16232" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2019-1010025", - "name": "CVE-2019-1010025", - "shortDescription": { - "text": "Scanner for uncovered CVE-2019-1010025" - }, - "fullDescription": { - "text": "", - 
"markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2024-26461", - "name": "CVE-2024-26461", - "shortDescription": { - "text": "Scanner for uncovered CVE-2024-26461" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-6129", - "name": "CVE-2023-6129", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-6129" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2024-1580", - "name": "CVE-2024-1580", - "shortDescription": { - "text": "Scanner for uncovered CVE-2024-1580" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-29659", - "name": "CVE-2023-29659", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-29659" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-31486", - "name": "CVE-2023-31486", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-31486" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-29383", - "name": "CVE-2023-29383", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-29383" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2020-15719", - "name": "CVE-2020-15719", - "shortDescription": { - "text": "Scanner for uncovered CVE-2020-15719" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2017-5563", - "name": "CVE-2017-5563", - "shortDescription": { - 
"text": "Scanner for uncovered CVE-2017-5563" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-39804", - "name": "CVE-2023-39804", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-39804" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2024-2236", - "name": "CVE-2024-2236", - "shortDescription": { - "text": "Scanner for uncovered CVE-2024-2236" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2022-3636", - "name": "CVE-2022-3636", - "shortDescription": { - "text": "Scanner for uncovered CVE-2022-3636" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-46219", - "name": "CVE-2023-46219", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-46219" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2022-48303", - "name": "CVE-2022-48303", - "shortDescription": { - "text": "Scanner for uncovered CVE-2022-48303" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-5981", - "name": "CVE-2023-5981", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-5981" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2024-2398", - "name": "CVE-2024-2398", - "shortDescription": { - "text": "Scanner for uncovered CVE-2024-2398" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - 
"id": "applic_CVE-2011-3389", - "name": "CVE-2011-3389", - "shortDescription": { - "text": "Scanner for uncovered CVE-2011-3389" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2024-33601", - "name": "CVE-2024-33601", - "shortDescription": { - "text": "Scanner for uncovered CVE-2024-33601" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2019-1010023", - "name": "CVE-2019-1010023", - "shortDescription": { - "text": "Scanner for uncovered CVE-2019-1010023" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2007-5686", - "name": "CVE-2007-5686", - "shortDescription": { - "text": "Scanner for uncovered CVE-2007-5686" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2024-2511", - "name": "CVE-2024-2511", - "shortDescription": { - "text": "Scanner for uncovered CVE-2024-2511" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2024-28834", - "name": "CVE-2024-28834", - "shortDescription": { - "text": "Scanner for uncovered CVE-2024-28834" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-47471", - "name": "CVE-2023-47471", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-47471" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-45322", - "name": "CVE-2023-45322", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-45322" - }, - "fullDescription": { - 
"text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2024-7347", - "name": "CVE-2024-7347", - "shortDescription": { - "text": "Scanner for uncovered CVE-2024-7347" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2017-14159", - "name": "CVE-2017-14159", - "shortDescription": { - "text": "Scanner for uncovered CVE-2017-14159" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-3576", - "name": "CVE-2023-3576", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-3576" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-25433", - "name": "CVE-2023-25433", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-25433" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2024-28085", - "name": "CVE-2024-28085", - "shortDescription": { - "text": "Scanner for uncovered CVE-2024-28085" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2018-20796", - "name": "CVE-2018-20796", - "shortDescription": { - "text": "Scanner for uncovered CVE-2018-20796" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-50495", - "name": "CVE-2023-50495", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-50495" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2024-38950", - "name": "CVE-2024-38950", - 
"shortDescription": { - "text": "Scanner for uncovered CVE-2024-38950" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-46218", - "name": "CVE-2023-46218", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-46218" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2024-5535", - "name": "CVE-2024-5535", - "shortDescription": { - "text": "Scanner for uncovered CVE-2024-5535" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-6779", - "name": "CVE-2023-6779", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-6779" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2024-28835", - "name": "CVE-2024-28835", - "shortDescription": { - "text": "Scanner for uncovered CVE-2024-28835" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2023-52426", - "name": "CVE-2023-52426", - "shortDescription": { - "text": "Scanner for uncovered CVE-2023-52426" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2024-7264", - "name": "CVE-2024-7264", - "shortDescription": { - "text": "Scanner for uncovered CVE-2024-7264" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, - { - "id": "applic_CVE-2017-18018", - "name": "CVE-2017-18018", - "shortDescription": { - "text": "Scanner for uncovered CVE-2017-18018" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": 
"not_covered" - } - }, - { - "id": "applic_CVE-2018-6829", - "name": "CVE-2018-6829", - "shortDescription": { - "text": "Scanner for uncovered CVE-2018-6829" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } - }, + "issue_id": "XRAY-632747", + "references": [ + "https://openssl-library.org/news/secadv/20240903.txt", + "https://github.com/openssl/openssl/commit/621f3729831b05ee828a3203eddb621d014ff2b2", + "https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f", + "https://security-tracker.debian.org/tracker/CVE-2024-6119", + "https://github.com/openssl/openssl/commit/7dfcee2cd2a63b2c64b9b4b0850be64cb695b0a0", + "https://github.com/openssl/openssl/commit/06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6" + ], + "extended_information": { + "short_description": "Out of bounds read in OpenSSL clients can lead to denial of service when using non-default TLS verification options and connecting to malicious TLS servers", + "jfrog_research_severity": "Medium", + "jfrog_research_severity_reasons": [ { - "id": "applic_CVE-2005-2541", - "name": "CVE-2005-2541", - "shortDescription": { - "text": "Scanner for uncovered CVE-2005-2541" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } + "name": "The issue has an exploit published", + "description": "The fix commit contains PoC certificates that trigger the denial of service issue" }, { - "id": "applic_CVE-2024-2004", - "name": "CVE-2024-2004", - "shortDescription": { - "text": "Scanner for uncovered CVE-2024-2004" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } + "name": "The prerequisites for exploiting the issue are extremely unlikely", + "description": "The attacker must make the victim client connect to their malicious TLS server, in order to serve the malformed TLS certificate. 
The victim client must use OpenSSL and must enable non-default certificate verification options, either -\n\n* DNS verification - by using `X509_VERIFY_PARAM_set1_host` or `X509_check_host`\n* Email verification - by using ` X509_VERIFY_PARAM_set1_email` or `X509_check_email`", + "is_positive": true }, { - "id": "applic_CVE-2019-19882", - "name": "CVE-2019-19882", - "shortDescription": { - "text": "Scanner for uncovered CVE-2019-19882" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "not_covered" - } + "name": "The issue cannot result in a severe impact (such as remote code execution)", + "description": "Denial of service of a TLS clients only. This out of bounds read cannot lead to data disclosure.", + "is_positive": true } - ], - "version": "1.0" + ] } }, - "invocations": [ - { - "arguments": [ - "/Users/assafa/.jfrog/dependencies/analyzerManager/jas_scanner/jas_scanner", - "scan", - "/var/folders/xv/th4cksxn7jv9wjrdnn1h4tj00000gq/T/jfrog.cli.temp.-1725978580-3584350251/Applicability_1725978580/config.yaml" - ], - "executionSuccessful": true, - "workingDirectory": { - "uri": "/var/folders/xv/th4cksxn7jv9wjrdnn1h4tj00000gq/T/jfrog.cli.temp.-1725978503-2625964325/image.tar" - } - } - ], - "results": [ - { - "ruleId": "applic_CVE-2011-3374", - "kind": "pass", - "message": { - "text": "The scanner checks if the vulnerable variable `ARCHIVE_KEYRING_URI` in `/usr/bin/apt-key` is not empty and not commented out. This is the URI that an attacker would need to target in a Man-in-the-Middle attack.\n\nThe below prerequisites are also crucial for exploitability but are not checked in the scanner:\n\n1. The command apt-key net-update should be executed on the affected system, or alternatively `apt.auth.net_update()` function from the `python-apt` Python module should be called. This is for the malicious keys download.\n\n2. 
After the execution of `apt-key net-update`, APT packages should be installed or updated on the machine." - } - }, - { - "ruleId": "applic_CVE-2013-0337", - "kind": "pass", - "message": { - "text": "The scanner checks whether any of the Nginx log files (`error.log` and `access.log`) is a symbolic link. If both files are symbolic links that point to `\\dev\\*` path, the vulnerability is not relevant, thus not applicable. If one of the log files is not a symbolic link, the vulnerability is applicable." - } - }, - { - "ruleId": "applic_CVE-2018-5709", - "kind": "pass", - "message": { - "text": "This CVE has no security impact, hence it is never applicable.\nOriginally, the vulnerability was mistakenly reported as an integer overflow, but it is actually an integer truncation.\nThe issue does not affect any other data allocated close to the 16-bit integer in question. Furthermore, a negative value of the 16-bit integer does not impact the flow of the program in any meaningful way." - } - }, - { - "ruleId": "applic_CVE-2024-5171", - "kind": "pass", - "message": { - "text": "The scanner checks whether any of the vulnerable functions are called:\n\n* `aom_img_alloc()`\n\n* `aom_img_wrap()`\n\n* `aom_img_alloc_with_border()`" - } - }, - { - "ruleId": "applic_CVE-2023-39616", - "kind": "pass", - "message": { - "text": "The scanner checks whether the vulnerable function `aom_codec_encode` is called.\n\nIn order for the vulnerability to be fully applicable, the vulnerable code must also call the `aom_codec_enc_init` function with the 3rd argument struct (`config`) being set with `dropframe_thresh` == 1. This additional condition is currently not checked by the scanner.\n\nNote that the vulnerability is also exploitable through the CLI tool `aomenc` under rare conditions. However - exploitation of the CLI tool will cause it to simply crash, which has no security impact (crashing of a forked client process)." 
- } - }, - { - "ruleId": "applic_CVE-2022-0563", - "kind": "pass", - "message": { - "text": "The scanner checks whether the `chfs` and `chfn` CLI utilities are compiled with the vulnerable `readline` library." - } - }, - { - "ruleId": "applic_CVE-2023-27103", - "kind": "pass", - "message": { - "text": "The scanner checks if any of the following vulnerable functions are called:\n\n* `de265_new_decoder`\n* `de265_decode`\n* `de265_decode_data`" - } - }, - { - "ruleId": "applic_CVE-2023-49465", - "kind": "pass", - "message": { - "text": "The scanner checks if any of the following vulnerable functions are called:\n\n* `de265_new_decoder`\n* `de265_decode`\n* `de265_decode_data`" - } - }, - { - "ruleId": "applic_CVE-2023-49467", - "kind": "pass", - "message": { - "text": "The scanner checks if any of the following vulnerable functions are called:\n\n* `de265_new_decoder`\n* `de265_decode`\n* `de265_decode_data`" - } - }, - { - "ruleId": "applic_CVE-2023-49468", - "kind": "pass", - "message": { - "text": "The scanner checks if any of the following vulnerable functions are called:\n\n* `de265_new_decoder`\n* `de265_decode`\n* `de265_decode_data`" - } - }, - { - "ruleId": "applic_CVE-2023-52425", - "kind": "pass", - "message": { - "text": "The scanner checks whether any of the next functions are called:\n\n* `XML_Parse()`\n* `XML_ParseBuffer()`\n\nFor determining the applicability of this CVE, an additional condition (that the scanner currently does not check) should be verified: The vulnerable functions are used to parse an attacker-controlled file by chunks." - } - }, - { - "ruleId": "applic_CVE-2024-45490", - "kind": "pass", - "message": { - "text": "The scanner checks whether any of the following vulnerable functions are called:\n\n- `XML_Parse()`\n- `XML_ParseBuffer()`\n\nAn additional condition, which the scanner currently does not check, is that the `len` parameter which is passed to those functions is user-controlled." 
- } - }, - { - "ruleId": "applic_CVE-2023-26965", - "kind": "pass", - "message": { - "text": "The scanner checks whether the vulnerable `tiffcrop` binary is present in the image.\n\nNote that the scanner does not check whether `tiffcrop` is invoked with arbitrary image files." - } - }, - { - "ruleId": "applic_CVE-2023-2953", - "kind": "pass", - "message": { - "text": "The scanner checks whether any of the following vulnerable functions are used:\n\n- `ldif_open_url`\n- `ldif_fetch_url`\n- `ldif_parse_line2`\n- `ldif_parse_line`\n- `ldap_parse_ldif_record_x`\n- `ldap_parse_ldif_record`\n- `ldif_read_record`\n- `slapi_str2entry`" - } - }, - { - "ruleId": "applic_CVE-2023-40745", - "kind": "pass", - "message": { - "text": "" - } - }, - { - "ruleId": "applic_CVE-2023-41175", - "kind": "pass", - "message": { - "text": "" - } - }, - { - "ruleId": "applic_CVE-2023-43887", - "kind": "pass", - "message": { - "text": "The scanner checks for the presence of a binary related to `libde265` on the scanned artifact, specifically, any file ending with `dec265`." - } - }, - { - "ruleId": "applic_CVE-2023-44487", - "kind": "pass", - "message": { - "text": "The scanner checks for each vendor listed here:\n\n* Tomcat: configuration enables HTTP/2 either through the XML file or Java's `addUpgradeProtocol()` method.\n* Jetty: HTTP/2 enabled through `HTTP2CServerConnectionFactory`/`HTTP2ServerConnectionFactory` class initialization. Note: it also checks whether `jenkins` enables http/2 through its configuration.\n* Nginx: check whether one of the HTTP configurations is enabling http/2.\nNote: the following parameters should be configured properly to make the vulnerability not applicable:\n`keepalive_requests` should be kept at the default setting of 1000 requests\n`http2_max_concurrent_streams` should be kept at the default setting of 128 streams\n`limit_conn and limit_req` should be set `with a reasonable setting balancing application performance and security`. 
\n* Netty: check whether the `http2` codec classes are used in a java class\n* NodeJS: check whether the `http2.createSecureServer()` is used\n* NGHttp2: check whether a web server is instantiated through one of the symbols `nghttp2_session_server_new` or `listen_and_serve`.\n* Go: check whether a server is instantiated through the `net/http` or `net/http2` packages" - } - }, - { - "ruleId": "applic_CVE-2023-45853", - "kind": "pass", - "message": { - "text": "The scanner checks if any of the following functions are called:\n\n- `zipOpenNewFileInZip`\n- `zipOpenNewFileInZip_64`\n- `zipOpenNewFileInZip2`\n- `zipOpenNewFileInZip2_64`\n- `zipOpenNewFileInZip3`\n- `zipOpenNewFileInZip3_64`\n- `zipOpenNewFileInZip4`\n- `zipOpenNewFileInZip4_64`" - } - }, - { - "ruleId": "applic_CVE-2023-47038", - "kind": "pass", - "message": { - "text": "This CVE has no security impact (hence it is never applicable) as one of its prerequisites is arbitrary execution of Perl code, making any security impact of exploiting the vulnerability negligible since arbitrary code execution has already occurred." - } - }, - { - "ruleId": "applic_CVE-2023-49460", - "kind": "pass", - "message": { - "text": "The scanner checks if the `libheif` binary was compiled with the vulnerable setting `-DWITH_UNCOMPRESSED_CODEC=ON` and if the vulnerable function `UncompressedImageCodec::decode_uncompressed_image` is called." 
- } - }, - { - "ruleId": "applic_CVE-2023-49463", - "kind": "pass", - "message": { - "text": "The scanner checks if any of the following vulnerable functions are called:\n\n* `read_exif_orientation_tag`\n\n* `modify_exif_orientation_tag_if_it_exists`" - } - }, - { - "ruleId": "applic_CVE-2023-49462", - "kind": "pass", - "message": { - "text": "The scanner checks if any of the following vulnerable functions are called:\n\n* `read_exif_orientation_tag`\n\n* `modify_exif_orientation_tag_if_it_exists`" - } - }, - { - "ruleId": "applic_CVE-2023-52355", - "kind": "pass", - "message": { - "text": "The scanner checks whether any of the following functions are called:\n\n- `TIFFRasterScanlineSize64()`\n- `TIFFRasterScanlineSize()`" + { + "cves": [ + { + "cve": "CVE-2024-38428", + "cvss_v3_score": "9.1", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "cwe": [ + "CWE-436" + ], + "cwe_details": { + "CWE-436": { + "name": "Interpretation Conflict", + "description": "Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state." 
+ } + } + } + ], + "summary": "url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent.", + "severity": "Critical", + "components": { + "deb://debian:bookworm:wget:1.21.3-1+b1": { + "impact_paths": [ + [ + { + "component_id": "docker://platform.jfrog.io/swamp-docker/swamp:latest" + }, + { + "component_id": "generic://sha256:f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595/sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar", + "full_path": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar" + }, + { + "component_id": "deb://debian:bookworm:wget:1.21.3-1+b1", + "full_path": "wget:1.21.3-1+b1" + } + ] + ] } }, - { - "ruleId": "applic_CVE-2023-52356", - "kind": "pass", - "message": { - "text": "The scanner checks whether any of the following functions are called:\n\n- `TIFFReadRGBATileExt()` \n- `TIFFReadRGBATile()`" + "issue_id": "XRAY-606103", + "references": [ + "https://git.savannah.gnu.org/cgit/wget.git/commit/?id=ed0c7c7e0e8f7298352646b2fd6e06a11e242ace", + "https://lists.gnu.org/archive/html/bug-wget/2024-06/msg00005.html", + "https://security-tracker.debian.org/tracker/CVE-2024-38428" + ] + }, + { + "summary": "Malicious package cors.js for Node.js", + "severity": "Critical", + "components": { + "npm://cors.js:0.0.1-security": { + "impact_paths": [ + [ + { + "component_id": "docker://platform.jfrog.io/swamp-docker/swamp:latest" + }, + { + "component_id": "generic://sha256:ab1c0a95b2970fb44e2a4046c5c00f37a5b061e74d72b254a8975beb7d09f74f/sha256__ab1c0a95b2970fb44e2a4046c5c00f37a5b061e74d72b254a8975beb7d09f74f.tar", + "full_path": "sha256__ab1c0a95b2970fb44e2a4046c5c00f37a5b061e74d72b254a8975beb7d09f74f.tar" + }, + { + "component_id": "npm://cors.js:0.0.1-security", + "full_path": 
"usr/src/app/node_modules/cors.js/package.json" + } + ] + ] } }, - { - "ruleId": "applic_CVE-2023-5363", - "kind": "pass", - "message": { - "text": "The scanner checks if any of the following vulnerable functions are called:\n\n- `EVP_EncryptInit_ex2`\n- `EVP_DecryptInit_ex2`\n- `EVP_CipherInit_ex2`" + "issue_id": "XRAY-264729", + "references": [ + "https://registry.npmjs.com" + ], + "extended_information": { + "short_description": "Malicious package cors.js for Node.js", + "full_description": "The package cors.js for Node.js contains malicious code that installs a persistent connectback shell. The package is typosquatting the popular `cors` package. When installed, the package opens a connectback shell to the hardcoded host `107.175.32.229` on TCP port 56173. The malicious payload achieves persistency by installing a cron job that repeats every 10 seconds - `*/10 * * * * *`", + "jfrog_research_severity": "Critical", + "remediation": "As with any malware, the malicious package must be completely removed, and steps must be taken care to remediate the damage that was done by the malicious package -\n\n##### Removing the malicious package\n\nRun `npm uninstall cors.js`\n\n##### Refreshing stolen credentials\n\nMany malicious packages steal stored user credentials, focusing on the following -\n\n* [Browser autocomplete](https://jfrog.com/blog/malicious-pypi-packages-stealing-credit-cards-injecting-code/) data, such as saved passwords and credit cards\n* [Environment variables](https://jfrog.com/blog/malicious-npm-packages-are-after-your-discord-tokens-17-new-packages-disclosed/) passed to the malicious code\n* [Stored Discord tokens](https://jfrog.com/blog/malicious-npm-packages-are-after-your-discord-tokens-17-new-packages-disclosed/)\n* AWS / GitHub credentials stored in cleartext files\n\nIt is highly recommended to change or revoke data that is stored in the infected machine at those locations\n\n##### Stopping malicious processes\n\nMany malicious packages start 
malicious processes such as [connectback shells](https://jfrog.com/blog/jfrog-discloses-3-remote-access-trojans-in-pypi/) or crypto-miners. Search for any unfamiliar processes that consume a large amount of CPU or a large amount of network traffic, and stop them. On Windows, this can be facilitated with [Sysinternals Process Explorer](https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer).\n\n##### Removing installed backdoors\n\nMany malicious packages install themselves as a [persistent backdoor](https://jfrog.com/blog/npm-supply-chain-attack-targets-german-based-companies/), in order to guarantee the malicious code survives a reboot. Search for any unfamiliar binaries set to be run on startup, and remove them. On Windows, this can be facilitated with [Sysinternals Autoruns](https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns).\n\n##### Defining an Xray policy that blocks downloads of Artifacts with malicious packages\n\nIt is possible to [create an Xray policy](https://www.jfrog.com/confluence/display/JFROG/Creating+Xray+Policies+and+Rules) that will not allow artifacts with identified malicious packages to be downloaded from Artifactory. To create such a policy, add a new `Security` policy and set `Minimal Severity` to `Critical`. Under `Automatic Actions` check the `Block Download` action.\n\n##### Contacting the JFrog Security Research team for additional information\n\nOptionally, if you are unsure of the full impact of the malicious package and wish to get more details, the JFrog Security Research team can help you assess the potential damage from the installed malicious package.\n\nPlease contact us at research@jfrog.com with details of the affected artifact and the name of the identified malicious package." 
+ } + }, + { + "cves": [ + { + "cve": "CVE-2024-45490", + "cvss_v3_score": "9.8", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cwe": [ + "CWE-611" + ], + "cwe_details": { + "CWE-611": { + "name": "Improper Restriction of XML External Entity Reference", + "description": "The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output." + } + } + } + ], + "summary": "An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.", + "severity": "Critical", + "components": { + "deb://debian:bookworm:libexpat1:2.5.0-1": { + "impact_paths": [ + [ + { + "component_id": "docker://platform.jfrog.io/swamp-docker/swamp:latest" + }, + { + "component_id": "generic://sha256:20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1/sha256__20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1.tar", + "full_path": "sha256__20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1.tar" + }, + { + "component_id": "deb://debian:bookworm:libexpat1:2.5.0-1", + "full_path": "libexpat1:2.5.0-1" + } + ] + ] } }, - { - "properties": { - "metadata": "", - "tokenValidation": "" - }, - "ruleId": "applic_CVE-2023-6246", - "message": { - "text": "The vulnerable function `syslog` is called in a suid/guid file" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///usr/bin/chage" - }, - "region": { - "snippet": { - "text": "" + "issue_id": "XRAY-632613", + "references": [ + "https://github.com/libexpat/libexpat/issues/887", + "https://security-tracker.debian.org/tracker/CVE-2024-45490", + "https://github.com/libexpat/libexpat/pull/890" + ] + }, + { + "cves": [ + { + "cve": "CVE-2024-45492", + "cvss_v3_score": "9.8", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cwe": [ + "CWE-190" + ], + 
"cwe_details": { + "CWE-190": { + "name": "Integer Overflow or Wraparound", + "description": "The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.", + "categories": [ + { + "category": "2023 CWE Top 25", + "rank": "14" } - } + ] } } - ] - }, - { - "properties": { - "metadata": "", - "tokenValidation": "" - }, - "ruleId": "applic_CVE-2023-6246", - "message": { - "text": "The vulnerable function `syslog` is called in a suid/guid file" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///usr/bin/chfn" + } + ], + "summary": "An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).", + "severity": "Critical", + "components": { + "deb://debian:bookworm:libexpat1:2.5.0-1": { + "impact_paths": [ + [ + { + "component_id": "docker://platform.jfrog.io/swamp-docker/swamp:latest" }, - "region": { - "snippet": { - "text": "" - } + { + "component_id": "generic://sha256:20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1/sha256__20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1.tar", + "full_path": "sha256__20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1.tar" + }, + { + "component_id": "deb://debian:bookworm:libexpat1:2.5.0-1", + "full_path": "libexpat1:2.5.0-1" } - } - } - ] + ] + ] + } }, - { - "properties": { - "metadata": "", - "tokenValidation": "" - }, - "ruleId": "applic_CVE-2023-6246", - "message": { - "text": "The vulnerable function `syslog` is called in a suid/guid file" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///usr/bin/chsh" + "issue_id": "XRAY-632612", + "references": [ + 
"https://github.com/libexpat/libexpat/issues/889", + "https://security-tracker.debian.org/tracker/CVE-2024-45492", + "https://github.com/libexpat/libexpat/pull/892" + ] + }, + { + "cves": [ + { + "cve": "CVE-2023-51767", + "cvss_v3_score": "7.0", + "cvss_v3_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "cwe": [ + "NVD-CWE-Other" + ] + } + ], + "summary": "OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.", + "severity": "Low", + "components": { + "deb://debian:bookworm:openssh-client:1:9.2p1-2+deb12u3": { + "impact_paths": [ + [ + { + "component_id": "docker://platform.jfrog.io/swamp-docker/swamp:latest" }, - "region": { - "snippet": { - "text": "" - } + { + "component_id": "generic://sha256:20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1/sha256__20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1.tar", + "full_path": "sha256__20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1.tar" + }, + { + "component_id": "deb://debian:bookworm:openssh-client:1:9.2p1-2+deb12u3", + "full_path": "openssh-client:1:9.2p1-2+deb12u3" } - } - } - ] + ] + ] + } }, - { - "properties": { - "metadata": "", - "tokenValidation": "" - }, - "ruleId": "applic_CVE-2023-6246", - "message": { - "text": "The vulnerable function `syslog` is called in a suid/guid file" - }, - "locations": [ + "issue_id": "XRAY-585612", + "references": [ + "https://arxiv.org/abs/2309.02545", + "https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/monitor.c#L878", + "https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/auth-passwd.c#L77", + "https://bugzilla.redhat.com/show_bug.cgi?id=2255850", + 
"https://security-tracker.debian.org/tracker/CVE-2023-51767", + "https://ubuntu.com/security/CVE-2023-51767", + "https://security.netapp.com/advisory/ntap-20240125-0006/", + "https://access.redhat.com/security/cve/CVE-2023-51767" + ], + "extended_information": { + "short_description": "The RowHammer fault injection attack can theoretically lead to local authentication bypass in OpenSSH.", + "full_description": "[OpenSSH](https://www.openssh.com/) is a popular open-source implementation of the SSH (Secure Shell) protocol, providing encrypted communication over a network.\nIt was discovered that the OpenSSH authentication logic can be susceptible in some cases to a side-channel fault injection attack. The attack can theoretically be carried out by a local attacker which eventually bypass OpenSSH authentication mechanism.\n\nThis vulnerability currently lacks widely known published exploits, and its exploitation is considered highly complex. The intricacies of the attack, combined with the absence of well-documented exploits, contribute to the difficulty in achieving successful exploitation. Furthermore, it's essential to note that the susceptibility to this vulnerability is hardware-dependent, and the success of an attack relies on probabilities associated with the specific hardware configuration. \n\nThe vulnerability is theoretically exploitable by several different ways, the only two published ways are:\n\nIn the OpenSSH function `mm_answer_authpassword()`, a stack variable `authenticated`, is assigned to the value of the function `auth_password()` which returns 1/0 and then returned. If the value of `authenticated` is 1, the SSH connection will be established. Since `authenticated` is stored on the stack, therefore in DRAM, a local attacker could flip this 32-bit integer least significant bit, thus, bypass authentication.\n\nAnother possible exploit is the `result` stack variable in `auth_password()` function. 
It is initialized to 0 and set to 1 if the password is correct. \nSimilarly to the previous method, this attack requires a single bit flip of the `result` variable in order for the function to return 1 and bypass the authentication.\n\nAttackers can trigger the vulnerability via a RowHammer fault injection. The Rowhammer bug is a hardware reliability issue in which an attacker repeatedly accesses (hammers) DRAM cells to cause unauthorized changes in physically adjacent memory locations.\nSimply put:\n\n* A specific register value(`authenticated`/`result` value) is pushed onto the stack during program execution. \n* The stack, where the register value is stored, is identified to be located in a memory row susceptible to bit flips (flippable row) due to the RowHammer vulnerability in DRAM.\n* The attacker performs a series of rapid and repeated memory accesses to the adjacent rows of the flippable row in the DRAM. This repeated access exploits the RowHammer vulnerability, inducing bit flips in the targeted flippable row.\n* Due to the RowHammer effect, bit flips occur in the flippable row, potentially corrupting the data stored there.\n* After inducing bit flips in the flippable row, the attacker manipulates the program's control flow to pop the corrupted value from the stack into a register.\n* The register now holds a value that has been corrupted through the RowHammer attack. Now the `authenticated`/`result` variables hold this corrupted value thus it can lead to authentication bypass, as it may impact the control flow in a way advantageous to the attacker.", + "jfrog_research_severity": "Low", + "jfrog_research_severity_reasons": [ { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///usr/bin/expiry" - }, - "region": { - "snippet": { - "text": "" - } - } - } + "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. 
The attacker has to perform per-target research to determine the vulnerable attack vector", + "description": "The vulnerability depends on the OS and hardware. It was only evaluated in one test environment, therefore results for other conditions might differ. The attacker must be extremely familiar with the details of the exploited system (ex. know the exact hardware which is running the OS).", + "is_positive": true + }, + { + "name": "The issue can only be exploited by an attacker that can execute code on the vulnerable machine (excluding exceedingly rare circumstances)", + "is_positive": true + }, + { + "name": "No high-impact exploit or technical writeup were published, and exploitation of the issue with high impact is either non-trivial or completely unproven", + "description": "Exploitation is extremely non-trivial (even theoretically), no public exploits have been published.", + "is_positive": true + }, + { + "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", + "description": "The vulnerability's attack complexity is significantly higher than what the CVSS represents.", + "is_positive": true } ] - }, - { - "properties": { - "metadata": "", - "tokenValidation": "" - }, - "ruleId": "applic_CVE-2023-6246", - "message": { - "text": "The vulnerable function `syslog` is called in a suid/guid file" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///usr/bin/gpasswd" + } + }, + { + "cves": [ + { + "cve": "CVE-2011-3374", + "cvss_v2_score": "4.3", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N", + "cvss_v3_score": "3.7", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cwe": [ + "CWE-347" + ], + "cwe_details": { + "CWE-347": { + "name": "Improper Verification of Cryptographic Signature", + "description": "The product does not verify, or incorrectly verifies, the cryptographic signature for data." 
+ } + } + } + ], + "summary": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.", + "severity": "Low", + "components": { + "deb://debian:bookworm:apt:2.6.1": { + "impact_paths": [ + [ + { + "component_id": "docker://platform.jfrog.io/swamp-docker/swamp:latest" }, - "region": { - "snippet": { - "text": "" - } + { + "component_id": "generic://sha256:cedb364ef937c7e51179d8e514bdd98644bac5fdc82a45d784ef91afe4bc647e/sha256__cedb364ef937c7e51179d8e514bdd98644bac5fdc82a45d784ef91afe4bc647e.tar", + "full_path": "sha256__cedb364ef937c7e51179d8e514bdd98644bac5fdc82a45d784ef91afe4bc647e.tar" + }, + { + "component_id": "deb://debian:bookworm:apt:2.6.1", + "full_path": "apt:2.6.1" } - } - } - ] - }, - { - "properties": { - "metadata": "", - "tokenValidation": "" - }, - "ruleId": "applic_CVE-2023-6246", - "message": { - "text": "The vulnerable function `syslog` is called in a suid/guid file" + ] + ] }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///usr/bin/newgrp" + "deb://debian:bookworm:libapt-pkg6.0:2.6.1": { + "impact_paths": [ + [ + { + "component_id": "docker://platform.jfrog.io/swamp-docker/swamp:latest" }, - "region": { - "snippet": { - "text": "" - } + { + "component_id": "generic://sha256:cedb364ef937c7e51179d8e514bdd98644bac5fdc82a45d784ef91afe4bc647e/sha256__cedb364ef937c7e51179d8e514bdd98644bac5fdc82a45d784ef91afe4bc647e.tar", + "full_path": "sha256__cedb364ef937c7e51179d8e514bdd98644bac5fdc82a45d784ef91afe4bc647e.tar" + }, + { + "component_id": "deb://debian:bookworm:libapt-pkg6.0:2.6.1", + "full_path": "libapt-pkg6.0:2.6.1" } - } - } - ] + ] + ] + } }, - { - "properties": { - "metadata": "", - "tokenValidation": "" - }, - "ruleId": "applic_CVE-2023-6246", - "message": { - "text": "The vulnerable function `syslog` is called in a suid/guid file" - }, - "locations": [ + "issue_id": "XRAY-34417", + "references": [ + 
"https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html", + "https://seclists.org/fulldisclosure/2011/Sep/221", + "https://ubuntu.com/security/CVE-2011-3374", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480", + "https://access.redhat.com/security/cve/cve-2011-3374", + "https://snyk.io/vuln/SNYK-LINUX-APT-116518", + "https://security-tracker.debian.org/tracker/CVE-2011-3374" + ], + "extended_information": { + "short_description": "Improper signature validation in apt-key may enable Man-in-the-Middle attacks and result in code execution.", + "full_description": "`apt-key` is [`apt`](https://github.com/Debian/apt)'s key management utility, and is used to manage the keys that are used by `apt` to authenticate packages.\n\nA vulnerability in `apt-key`'s `net-update` function exists, in which [`GPG`](https://www.gnupg.org/) keys, that are used for signing packages and validating their authenticity, aren't validated correctly. The `net-update` function pulls the signing keys that should be added from an insecure location (`http://...`), exposing it to a Man-in-the-Middle attack in which malicious signing keys could be added to the system's keyring. This issue happens due to a vulnerability in the `add_keys_with_veirfy_against_master_keyring()` function, which allows adding signing keys without proper signature validation. \n\nThis vulnerability then potentially allows a malicious actor to perform a Man-in-the-Middle attack on a target, by making it validate malicious packages that were signed with the `GPG` signing key used by the attacker. Effectively, this means that `apt` can be duped to install malicious services and daemons with root privileges.\n\nThe conditions for this vulnerability to be applicable:\n \n1. A valid URI should be configured in `ARCHIVE_KEYRING_URI` variable in the file `/usr/bin/apt-key`. This is the URI that an attacker would need to target in a Man In The Middle attack.\n2. 
The command `apt-key net-update` should be executed on the affected system, or alternatively `apt.auth.net_update()` function from [python-apt](https://pypi.org/project/python-apt/) Python module should be called. This is for the malicious keys download.\n3. After the execution of `apt-key net-update`, APT packages should be installed or updated on the machine.\n\nDo note that `apt-key` is **deprecated** and shouldn't be used, and in most Debian versions `ARCHIVE_KEYRING_URI` is not defined, making this vulnerability unexploitable in most Debian systems.", + "jfrog_research_severity": "High", + "jfrog_research_severity_reasons": [ + { + "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", + "description": "The conditions for this vulnerability to be applicable:\n \n1. A valid URI should be configured in `ARCHIVE_KEYRING_URI` variable in the file `/usr/bin/apt-key`. This is the URI that an attacker would need to target in a Man-in-the-Middle attack.\n2. The command `apt-key net-update` should be executed on the affected system, or alternatively `apt.auth.net_update()` function from the python-apt Python module should be called. This is for the malicious keys download.\n3. After the execution of `apt-key net-update`, APT packages should be installed or updated on the machine.", + "is_positive": true + }, + { + "name": "The issue can be exploited by attackers over the network", + "description": "This vulnerability is remotely exploitable when the applicability conditions apply." + }, + { + "name": "The issue results in a severe impact (such as remote code execution)", + "description": "Remote code execution is possible when the applicability conditions apply." 
+ }, { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///usr/bin/passwd" + "name": "The issue has an exploit published", + "description": "The reporter of this issue has provided a GPG key that can be used for an actual attack, as well as a simple PoC example." + } + ], + "remediation": "##### Deployment mitigations\n\n* Dot not execute `apt-key` command, as it is deprecated.\n* Remove the URI configured in `ARCHIVE_KEYRING_URI` variable in the file `/usr/bin/apt-key`." + } + }, + { + "cves": [ + { + "cve": "CVE-2024-4741" + } + ], + "summary": "CVE-2024-4741", + "severity": "Unknown", + "components": { + "deb://debian:bookworm:libssl3:3.0.13-1~deb12u1": { + "impact_paths": [ + [ + { + "component_id": "docker://platform.jfrog.io/swamp-docker/swamp:latest" }, - "region": { - "snippet": { - "text": "" - } + { + "component_id": "generic://sha256:f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595/sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar", + "full_path": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar" + }, + { + "component_id": "deb://debian:bookworm:libssl3:3.0.13-1~deb12u1", + "full_path": "libssl3:3.0.13-1~deb12u1" } - } - } - ] - }, - { - "properties": { - "metadata": "", - "tokenValidation": "" - }, - "ruleId": "applic_CVE-2023-6246", - "message": { - "text": "The vulnerable function `syslog` is called in a suid/guid file" + ] + ] }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///usr/bin/su" + "deb://debian:bookworm:openssl:3.0.13-1~deb12u1": { + "fixed_versions": [ + "[3.0.14-1~deb12u1]" + ], + "impact_paths": [ + [ + { + "component_id": "docker://platform.jfrog.io/swamp-docker/swamp:latest" }, - "region": { - "snippet": { - "text": "" - } + { + "component_id": "generic://sha256:f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595/sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar", + 
"full_path": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar" + }, + { + "component_id": "deb://debian:bookworm:openssl:3.0.13-1~deb12u1", + "full_path": "openssl:3.0.13-1~deb12u1" + } + ] + ] + } + }, + "issue_id": "XRAY-603657", + "references": [ + "https://security-tracker.debian.org/tracker/CVE-2024-4741" + ] + } + ], + "component_id": "docker://platform.jfrog.io/swamp-docker/swamp:latest", + "package_type": "oci", + "status": "completed" + } + ] + }, + "jas_scans": { + "contextual_analysis": [ + { + "tool": { + "driver": { + "informationUri": "https://jfrog.com/help/r/jfrog-security-documentation/jfrog-advanced-security", + "name": "JFrog Applicability Scanner", + "rules": [ + { + "id": "applic_CVE-2024-6119", + "name": "CVE-2024-6119", + "shortDescription": { + "text": "Scanner for CVE-2024-6119" + }, + "fullDescription": { + "text": "The scanner checks whether any of the following vulnerable functions are called:\n\n- `X509_VERIFY_PARAM_set1_email`\n\n- `X509_check_email`\n\n- `X509_VERIFY_PARAM_set1_host`\n\n- `X509_check_host`", + "markdown": "The scanner checks whether any of the following vulnerable functions are called:\n\n- `X509_VERIFY_PARAM_set1_email`\n\n- `X509_check_email`\n\n- `X509_VERIFY_PARAM_set1_host`\n\n- `X509_check_host`" + }, + "properties": { + "applicability": "applicable", + "conclusion": "negative", + "security-severity": "6.9" + } + }, + { + "id": "applic_CVE-2024-45490", + "name": "CVE-2024-45490", + "shortDescription": { + "text": "Scanner for CVE-2024-45490" + }, + "fullDescription": { + "text": "The scanner checks whether any of the following vulnerable functions are called:\n\n- `XML_Parse()`\n- `XML_ParseBuffer()`\n\nAn additional condition, which the scanner currently does not check, is that the `len` parameter which is passed to those functions is user-controlled.", + "markdown": "The scanner checks whether any of the following vulnerable functions are called:\n\n- `XML_Parse()`\n- 
`XML_ParseBuffer()`\n\nAn additional condition, which the scanner currently does not check, is that the `len` parameter which is passed to those functions is user-controlled." + }, + "properties": { + "applicability": "not_applicable", + "conclusion": "positive", + "security-severity": "6.9" + } + }, + { + "id": "applic_CVE-2024-38428", + "name": "CVE-2024-38428", + "shortDescription": { + "text": "Scanner for CVE-2024-38428" + }, + "fullDescription": { + "text": "", + "markdown": "" + }, + "properties": { + "applicability": "undetermined", + "conclusion": "private" + } + }, + { + "id": "applic_CVE-2024-45492", + "name": "CVE-2024-45492", + "shortDescription": { + "text": "Scanner for CVE-2024-45492" + }, + "fullDescription": { + "text": "The scanner checks whether the current binary was compiled with 32-bit architecture and if any of the vulnerable functions are called:\n\n- `XML_ParseBuffer()`\n- `XML_Parse()`\n\nNote - the vulnerability occurs when certain inputs are passed to those functions.", + "markdown": "The scanner checks whether the current binary was compiled with 32-bit architecture and if any of the vulnerable functions are called:\n\n- `XML_ParseBuffer()`\n- `XML_Parse()`\n\nNote - the vulnerability occurs when certain inputs are passed to those functions." + }, + "properties": { + "applicability": "not_applicable", + "conclusion": "positive", + "security-severity": "6.9" + } + }, + { + "id": "applic_CVE-2023-51767", + "name": "CVE-2023-51767", + "shortDescription": { + "text": "Scanner for CVE-2023-51767" + }, + "fullDescription": { + "text": "The CVE is always applicable.\n\nNote - The vulnerability is hardware-dependent.", + "markdown": "The CVE is always applicable.\n\nNote - The vulnerability is hardware-dependent." 
+ }, + "properties": { + "applicability": "applicable", + "conclusion": "negative" + } + }, + { + "id": "applic_CVE-2011-3374", + "name": "CVE-2011-3374", + "shortDescription": { + "text": "Scanner for CVE-2011-3374" + }, + "fullDescription": { + "text": "The scanner checks if the vulnerable variable `ARCHIVE_KEYRING_URI` in `/usr/bin/apt-key` is not empty and not commented out. This is the URI that an attacker would need to target in a Man-in-the-Middle attack.\n\nThe below prerequisites are also crucial for exploitability but are not checked in the scanner:\n\n1. The command apt-key net-update should be executed on the affected system, or alternatively `apt.auth.net_update()` function from the `python-apt` Python module should be called. This is for the malicious keys download.\n\n2. After the execution of `apt-key net-update`, APT packages should be installed or updated on the machine.", + "markdown": "The scanner checks if the vulnerable variable `ARCHIVE_KEYRING_URI` in `/usr/bin/apt-key` is not empty and not commented out. This is the URI that an attacker would need to target in a Man-in-the-Middle attack.\n\nThe below prerequisites are also crucial for exploitability but are not checked in the scanner:\n\n1. The command apt-key net-update should be executed on the affected system, or alternatively `apt.auth.net_update()` function from the `python-apt` Python module should be called. This is for the malicious keys download.\n\n2. After the execution of `apt-key net-update`, APT packages should be installed or updated on the machine." 
+ }, + "properties": { + "applicability": "not_applicable", + "conclusion": "positive", + "security-severity": "6.9" + } + }, + { + "id": "applic_CVE-2024-4741", + "name": "CVE-2024-4741", + "shortDescription": { + "text": "Scanner for CVE-2024-4741" + }, + "fullDescription": { + "text": "The scanner checks whether the vulnerable function `SSL_free_buffers` is called.", + "markdown": "The scanner checks whether the vulnerable function `SSL_free_buffers` is called." + }, + "properties": { + "applicability": "applicable", + "conclusion": "negative", + "security-severity": "6.9" + } + } + ], + "version": "1.0" + } + }, + "invocations": [ + { + "arguments": [ + "/Users/user/.jfrog/dependencies/analyzerManager/jas_scanner/jas_scanner", + "scan", + "/var/folders/xv/th4cksxn7jv9wjrdnn1h4tj00000gq/T/jfrog.cli.temp.-1726210780-681556384/Applicability_1726210780/config.yaml" + ], + "executionSuccessful": true, + "workingDirectory": { + "uri": "/var/folders/xv/th4cksxn7jv9wjrdnn1h4tj00000gq/T/jfrog.cli.temp.-1726210535-1985298017/image.tar" + } + } + ], + "results": [ + { + "properties": { + "metadata": "", + "tokenValidation": "" + }, + "ruleId": "applic_CVE-2024-4741", + "message": { + "text": "References to the vulnerable functions were found" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///usr/local/bin/node" + }, + "region": { + "snippet": { + "text": "" } } } - ] + } + ] + }, + { + "ruleId": "applic_CVE-2024-45490", + "kind": "pass", + "message": { + "text": "The scanner checks whether any of the following vulnerable functions are called:\n\n- `XML_Parse()`\n- `XML_ParseBuffer()`\n\nAn additional condition, which the scanner currently does not check, is that the `len` parameter which is passed to those functions is user-controlled." 
+ } + }, + { + "ruleId": "applic_CVE-2011-3374", + "kind": "pass", + "message": { + "text": "The scanner checks if the vulnerable variable `ARCHIVE_KEYRING_URI` in `/usr/bin/apt-key` is not empty and not commented out. This is the URI that an attacker would need to target in a Man-in-the-Middle attack.\n\nThe below prerequisites are also crucial for exploitability but are not checked in the scanner:\n\n1. The command apt-key net-update should be executed on the affected system, or alternatively `apt.auth.net_update()` function from the `python-apt` Python module should be called. This is for the malicious keys download.\n\n2. After the execution of `apt-key net-update`, APT packages should be installed or updated on the machine." + } + }, + { + "properties": { + "metadata": "", + "tokenValidation": "" }, - { - "properties": { - "metadata": "", - "tokenValidation": "" - }, - "ruleId": "applic_CVE-2023-6246", - "message": { - "text": "The vulnerable function `vsyslog` is called in a suid/guid file" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///usr/sbin/unix_chkpwd" - }, - "region": { - "snippet": { - "text": "" - } + "ruleId": "applic_CVE-2024-6119", + "message": { + "text": "References to the vulnerable functions were found" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///usr/local/bin/node" + }, + "region": { + "snippet": { + "text": "" } } } - ] - }, - { - "ruleId": "applic_CVE-2023-6879", - "kind": "pass", - "message": { - "text": "The scanner checks whether an encoding process is performed with the following requirements:\n\n* Using AV1 codec (`aom_codec_av1_cx()`).\n* Encoding (`aom_codec_encode()`)\n* Cleaning the memory at the end of the encoding process (`aom_codec_destroy()`).\n\nFor determining the applicability of this CVE, an additional condition (that the scanner currently does not check) should be verified: `aom` is configured to use more than 1 thread. 
For example:\n```\naom_codec_enc_cfg_t cfg;\naom_codec_enc_config_default(iface, \u0026cfg, AOM_USAGE_GOOD_QUALITY));\ncfg.g_threads = 4;\n```" - } - }, - { - "ruleId": "applic_CVE-2024-0553", - "kind": "pass", - "message": { - "text": "The scanner checks if RSA decryption occurs by finding calls to any of the following functions:\n\n- `gnutls_privkey_decrypt_data`\n\n- `gnutls_privkey_decrypt_data2`\n\nAn additional condition (that the scanner does not currently check) is required for the CVE to be applicable: the RSA padding algorithm needs to be `PKCS#1`. `key-\u003epk_algorithm` needs to be equal to `GNUTLS_PK_RSA`." } + ] + }, + { + "properties": { + "metadata": "", + "tokenValidation": "" }, - { - "ruleId": "applic_CVE-2024-0567", - "kind": "pass", - "message": { - "text": "The scanner checks if any of the following vulnerable functions are called:\n\n- `gnutls_pcert_import_x509_list`\n\n- `gnutls_certificate_set_x509_key`\n\n- `gnutls_certificate_set_x509_simple_pkcs12_mem`\n\n- `gnutls_certificate_set_x509_simple_pkcs12_file`\n\n- `gnutls_privkey_import_url`\n\n- `gnutls_privkey_import_pkcs11_url`\n\n- `gnutls_read_key_file`\n\n- `gnutls_certificate_set_rawpk_key_file`\n\n- `gnutls_certificate_set_x509_key_file2`\n\n- `gnutls_certificate_set_x509_key_file`\n\n- `gnutls_pcert_list_import_x509_file`\n\n- `gnutls_certificate_set_x509_key_mem2`\n\n- `gnutls_certificate_set_x509_key_mem`\n\n- `gnutls_x509_crt_list_import`\n\n- `gnutls_pcert_list_import_x509_raw`\n\n- `gnutls_session_channel_binding`\n\n- `gnutls_x509_crt_list_import2`\n\n- `gnutls_x509_trust_list_add_trust_mem`\n\n- `gnutls_x509_trust_list_add_system_trust`\n\n- `gnutls_certificate_set_x509_system_trust`\n\n- `gnutls_certificate_set_x509_crl_mem`\n\n- `gnutls_certificate_set_x509_trust_mem`\n\n- `gnutls_x509_trust_list_add_trust_file`\n\n- `gnutls_certificate_set_x509_crl_file`\n\n- `gnutls_certificate_set_x509_trust_file`\n\n- `gnutls_x509_trust_list_add_trust_dir`\n\n- 
`gnutls_certificate_set_x509_trust_dir`\n\n- `gnutls_x509_trust_list_remove_trust_mem`\n\n- `gnutls_x509_trust_list_remove_trust_file`\n\n- `gnutls_x509_trust_list_verify_crt2`\n\n- `gnutls_x509_cert_verify_peers`\n\n- `gnutls_certificate_verify_peers`\n\n- `gnutls_certificate_verify_peers2`\n\n- `gnutls_certificate_verify_peers3`\n\n- `gnutls_pkcs7_verify`\n\n- `gnutls_ocsp_resp_verify`\n\n- `gnutls_x509_trust_list_verify_crt`" - } + "ruleId": "applic_CVE-2024-6119", + "message": { + "text": "References to the vulnerable functions were found" }, - { - "ruleId": "applic_CVE-2024-25062", - "kind": "pass", - "message": { - "text": "The scanner checks whether any of the following functions are called:\n\n* `xmlValidatePopElement()`\n* `xmlTextReaderClose()`\n* `xmlFreeTextReader() `\n* `xmlTextReaderRead()`\n* `xmlSchemaValidateDoc()`" + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///usr/local/bin/node" + }, + "region": { + "snippet": { + "text": "" + } + } + } } + ] + }, + { + "ruleId": "applic_CVE-2024-45492", + "kind": "pass", + "message": { + "text": "The scanner checks whether the current binary was compiled with 32-bit architecture and if any of the vulnerable functions are called:\n\n- `XML_ParseBuffer()`\n- `XML_Parse()`\n\nNote - the vulnerability occurs when certain inputs are passed to those functions." 
+ } + } + ] + } + ], + "secrets": [ + { + "tool": { + "driver": { + "informationUri": "https://jfrog.com/help/r/jfrog-security-documentation/jfrog-advanced-security", + "name": "JFrog Secrets scanner", + "rules": [ + { + "id": "REQ.SECRET.GENERIC.TEXT", + "name": "REQ.SECRET.GENERIC.TEXT", + "shortDescription": { + "text": "Scanner for REQ.SECRET.GENERIC.TEXT" + }, + "fullDescription": { + "text": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. The given access to each secret can be dynamically modified or even revoked. 
Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n", + "markdown": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. 
inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. The given access to each secret can be dynamically modified or even revoked. Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n" + }, + "properties": { + "applicability": "not_applicable", + "conclusion": "positive" + } + }, + { + "id": "REQ.SECRET.GENERIC.CODE", + "name": "REQ.SECRET.GENERIC.CODE", + "shortDescription": { + "text": "Scanner for REQ.SECRET.GENERIC.CODE" + }, + "fullDescription": { + "text": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. 
For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. The given access to each secret can be dynamically modified or even revoked. 
Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n", + "markdown": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. 
inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. The given access to each secret can be dynamically modified or even revoked. Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n" + }, + "properties": { + "applicability": "applicable", + "conclusion": "negative", + "security-severity": "6.9" + } + }, + { + "id": "REQ.SECRET.KEYS", + "name": "REQ.SECRET.KEYS", + "shortDescription": { + "text": "Scanner for REQ.SECRET.KEYS" + }, + "fullDescription": { + "text": "\nStoring an API key in the image could lead to several risks.\n\nIf the key is associated with a wide scope of privileges, attackers could extract it from a single image or firmware and use it maliciously to attack many targets. 
For example, if the embedded key allows querying/modifying data for all cloud user accounts, without per-user authentication, the attackers who extract it would gain access to system-wide data.\n\nIf the cloud/SaaS provider bills by key usage - for example, every million queries cost the key's owner a fixed sum of money - attackers could use the keys for their own purposes (or just as a form of vandalism), incurring a large cost to the legitimate user or operator.\n\n## Best practices\n\nUse narrow scopes for stored API keys. As much as possible, API keys should be unique per host and require additional authentication with the user's individual credentials for any sensitive actions.\n\nAvoid placing keys whose use incurs costs directly in the image. Store the key with any software or hardware protection available on the host for key storage (such as operating system key-stores, hardware cryptographic storage mechanisms or cloud-managed secure storage services such as [AWS KMS](https://aws.amazon.com/kms/)).\n\nTokens that were detected as exposed should be revoked and replaced -\n\n* [AWS Key Revocation](https://aws.amazon.com/premiumsupport/knowledge-center/delete-access-key/#:~:text=If%20you%20see%20a%20warning,the%20confirmation%20box%2C%20choose%20Deactivate.)\n* [GCP Key Revocation](https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/delete-api-keys.html)\n* [Azure Key Revocation](https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=Windows#revoke-a-pat)\n* [GitHub Key Revocation](https://docs.github.com/en/rest/apps/oauth-applications#delete-an-app-authorization)\n", + "markdown": "\nStoring an API key in the image could lead to several risks.\n\nIf the key is associated with a wide scope of privileges, attackers could extract it from a single image or firmware and use it maliciously to attack many targets. 
For example, if the embedded key allows querying/modifying data for all cloud user accounts, without per-user authentication, the attackers who extract it would gain access to system-wide data.\n\nIf the cloud/SaaS provider bills by key usage - for example, every million queries cost the key's owner a fixed sum of money - attackers could use the keys for their own purposes (or just as a form of vandalism), incurring a large cost to the legitimate user or operator.\n\n## Best practices\n\nUse narrow scopes for stored API keys. As much as possible, API keys should be unique per host and require additional authentication with the user's individual credentials for any sensitive actions.\n\nAvoid placing keys whose use incurs costs directly in the image. Store the key with any software or hardware protection available on the host for key storage (such as operating system key-stores, hardware cryptographic storage mechanisms or cloud-managed secure storage services such as [AWS KMS](https://aws.amazon.com/kms/)).\n\nTokens that were detected as exposed should be revoked and replaced -\n\n* [AWS Key Revocation](https://aws.amazon.com/premiumsupport/knowledge-center/delete-access-key/#:~:text=If%20you%20see%20a%20warning,the%20confirmation%20box%2C%20choose%20Deactivate.)\n* [GCP Key Revocation](https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/delete-api-keys.html)\n* [Azure Key Revocation](https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=Windows#revoke-a-pat)\n* [GitHub Key Revocation](https://docs.github.com/en/rest/apps/oauth-applications#delete-an-app-authorization)\n" + }, + "properties": { + "applicability": "applicable", + "conclusion": "negative", + "security-severity": "6.9" + } + }, + { + "id": "REQ.CRED.PUBLIC-ONLY", + "name": "REQ.CRED.PUBLIC-ONLY", + "shortDescription": { + "text": "Scanner for REQ.CRED.PUBLIC-ONLY" + }, + "fullDescription": { + 
"text": "", + "markdown": "" + }, + "properties": { + "applicability": "undetermined", + "conclusion": "private" + } + }, + { + "id": "REQ.SECRET.GENERIC.URL", + "name": "REQ.SECRET.GENERIC.URL", + "shortDescription": { + "text": "Scanner for REQ.SECRET.GENERIC.URL" + }, + "fullDescription": { + "text": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. The given access to each secret can be dynamically modified or even revoked. 
Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n", + "markdown": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. 
inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. The given access to each secret can be dynamically modified or even revoked. Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n" + }, + "properties": { + "applicability": "applicable", + "conclusion": "negative", + "security-severity": "6.9" + } + } + ], + "version": "1.0" + } + }, + "invocations": [ + { + "arguments": [ + "/Users/user/.jfrog/dependencies/analyzerManager/jas_scanner/jas_scanner", + "scan", + "/var/folders/xv/th4cksxn7jv9wjrdnn1h4tj00000gq/T/jfrog.cli.temp.-1726210780-681556384/Secrets_1726210839/config.yaml" + ], + "executionSuccessful": true, + "workingDirectory": { + "uri": "/var/folders/xv/th4cksxn7jv9wjrdnn1h4tj00000gq/T/jfrog.cli.temp.-1726210535-1985298017/image.tar" + } + } + ], + "results": [ + { + "properties": { + "metadata": "", + "tokenValidation": "" }, - { - "ruleId": "applic_CVE-2024-2961", - "kind": "pass", - "message": { - "text": "" - } + 
"ruleId": "REQ.SECRET.GENERIC.CODE", + "message": { + "text": "Hardcoded secrets were found" }, - { - "ruleId": "applic_CVE-2024-33600", - "kind": "pass", - "message": { - "text": "The scanner checks whether the `nscd` binary exists on the machine." + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///private/var/folders/xv/th4cksxn7jv9wjrdnn1h4tj00000gq/T/tmpsfyn_3d1/unpacked/filesystem/blobs/sha256/9e88ea9de1b44baba5e96a79e33e4af64334b2bf129e838e12f6dae71b5c86f0/usr/src/app/server/index.js" + }, + "region": { + "startLine": 5, + "startColumn": 7, + "endLine": 5, + "endColumn": 57, + "snippet": { + "text": "tok************" + } + } + } } + ] + }, + { + "properties": { + "metadata": "", + "tokenValidation": "" }, - { - "ruleId": "applic_CVE-2024-33599", - "kind": "pass", - "message": { - "text": "The scanner checks whether the `nscd` binary exists on the machine." - } + "ruleId": "REQ.SECRET.KEYS", + "message": { + "text": "Secret keys were found" }, - { - "ruleId": "applic_CVE-2024-4741", - "kind": "pass", - "message": { - "text": "The scanner checks whether the vulnerable function `SSL_free_buffers` is called." + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///private/var/folders/xv/th4cksxn7jv9wjrdnn1h4tj00000gq/T/tmpsfyn_3d1/unpacked/filesystem/blobs/sha256/9e88ea9de1b44baba5e96a79e33e4af64334b2bf129e838e12f6dae71b5c86f0/usr/src/app/server/index.js" + }, + "region": { + "startLine": 6, + "startColumn": 14, + "endLine": 6, + "endColumn": 24, + "snippet": { + "text": "eyJ************" + } + } + } } + ] + }, + { + "properties": { + "metadata": "", + "tokenValidation": "" }, - { - "ruleId": "applic_CVE-2023-49464", - "kind": "pass", - "message": { - "text": "The scanner checks for two conditions:\n\n1. The `libheif.so` binary was compiled with the vulnerable setting `-DWITH_UNCOMPRESSED_CODEC=ON`. \n\n2. 
Any of the following vulnerable functions are called:\n\n* `HeifContext::Image::get_luma_bits_per_pixel`\n* `HeifContext::decode_full_grid_image`\n* `HeifFile::get_luma_bits_per_pixel_from_configuration`\n* `UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci`\n* `heif_image_handle_get_luma_bits_per_pixel`" - } + "ruleId": "REQ.SECRET.GENERIC.URL", + "message": { + "text": "Hardcoded secrets were found" }, - { - "ruleId": "applic_CVE-2024-6119", - "kind": "pass", - "message": { - "text": "The scanner checks whether any of the following vulnerable functions are called:\n\n- `X509_VERIFY_PARAM_set1_email`\n\n- `X509_check_email`\n\n- `X509_VERIFY_PARAM_set1_host`\n\n- `X509_check_host`" - } - } - ] - } - ], - "secrets": [ - { - "tool": { - "driver": { - "informationUri": "https://jfrog.com/help/r/jfrog-security-documentation/jfrog-advanced-security", - "name": "JFrog Binary Secrets Scanner", - "rules": [ - { - "id": "REQ.SECRET.GENERIC.TEXT", - "shortDescription": { - "text": "[Secret in Binary found] Scanner for REQ.SECRET.GENERIC.TEXT" + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///usr/src/app/server/scripts/__pycache__/fetch_github_repo.cpython-311.pyc" }, - "fullDescription": { - "text": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. 
For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. The given access to each secret can be dynamically modified or even revoked. 
Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n", - "markdown": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. 
inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. The given access to each secret can be dynamically modified or even revoked. Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n" - }, - "help": { - "text": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. 
For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. The given access to each secret can be dynamically modified or even revoked. 
Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n", - "markdown": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. 
inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. The given access to each secret can be dynamically modified or even revoked. Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n" - }, - "properties": { - "applicability": "not_applicable", - "conclusion": "positive" - } - }, - { - "id": "REQ.SECRET.GENERIC.CODE", - "shortDescription": { - "text": "[Secret in Binary found] Scanner for REQ.SECRET.GENERIC.CODE" - }, - "fullDescription": { - "text": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. 
For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. The given access to each secret can be dynamically modified or even revoked. 
Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n", - "markdown": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. 
inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. The given access to each secret can be dynamically modified or even revoked. Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n" - }, - "help": { - "text": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. 
For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. The given access to each secret can be dynamically modified or even revoked. 
Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n", - "markdown": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. 
inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. The given access to each secret can be dynamically modified or even revoked. Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n" - }, - "properties": { - "applicability": "undetermined", - "conclusion": "private" - } - }, - { - "id": "REQ.SECRET.KEYS", - "shortDescription": { - "text": "[Secret in Binary found] Scanner for REQ.SECRET.KEYS" - }, - "fullDescription": { - "text": "\nStoring an API key in the image could lead to several risks.\n\nIf the key is associated with a wide scope of privileges, attackers could extract it from a single image or firmware and use it maliciously to attack many targets. 
For example, if the embedded key allows querying/modifying data for all cloud user accounts, without per-user authentication, the attackers who extract it would gain access to system-wide data.\n\nIf the cloud/SaaS provider bills by key usage - for example, every million queries cost the key's owner a fixed sum of money - attackers could use the keys for their own purposes (or just as a form of vandalism), incurring a large cost to the legitimate user or operator.\n\n## Best practices\n\nUse narrow scopes for stored API keys. As much as possible, API keys should be unique per host and require additional authentication with the user's individual credentials for any sensitive actions.\n\nAvoid placing keys whose use incurs costs directly in the image. Store the key with any software or hardware protection available on the host for key storage (such as operating system key-stores, hardware cryptographic storage mechanisms or cloud-managed secure storage services such as [AWS KMS](https://aws.amazon.com/kms/)).\n\nTokens that were detected as exposed should be revoked and replaced -\n\n* [AWS Key Revocation](https://aws.amazon.com/premiumsupport/knowledge-center/delete-access-key/#:~:text=If%20you%20see%20a%20warning,the%20confirmation%20box%2C%20choose%20Deactivate.)\n* [GCP Key Revocation](https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/delete-api-keys.html)\n* [Azure Key Revocation](https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=Windows#revoke-a-pat)\n* [GitHub Key Revocation](https://docs.github.com/en/rest/apps/oauth-applications#delete-an-app-authorization)\n", - "markdown": "\nStoring an API key in the image could lead to several risks.\n\nIf the key is associated with a wide scope of privileges, attackers could extract it from a single image or firmware and use it maliciously to attack many targets. 
For example, if the embedded key allows querying/modifying data for all cloud user accounts, without per-user authentication, the attackers who extract it would gain access to system-wide data.\n\nIf the cloud/SaaS provider bills by key usage - for example, every million queries cost the key's owner a fixed sum of money - attackers could use the keys for their own purposes (or just as a form of vandalism), incurring a large cost to the legitimate user or operator.\n\n## Best practices\n\nUse narrow scopes for stored API keys. As much as possible, API keys should be unique per host and require additional authentication with the user's individual credentials for any sensitive actions.\n\nAvoid placing keys whose use incurs costs directly in the image. Store the key with any software or hardware protection available on the host for key storage (such as operating system key-stores, hardware cryptographic storage mechanisms or cloud-managed secure storage services such as [AWS KMS](https://aws.amazon.com/kms/)).\n\nTokens that were detected as exposed should be revoked and replaced -\n\n* [AWS Key Revocation](https://aws.amazon.com/premiumsupport/knowledge-center/delete-access-key/#:~:text=If%20you%20see%20a%20warning,the%20confirmation%20box%2C%20choose%20Deactivate.)\n* [GCP Key Revocation](https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/delete-api-keys.html)\n* [Azure Key Revocation](https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=Windows#revoke-a-pat)\n* [GitHub Key Revocation](https://docs.github.com/en/rest/apps/oauth-applications#delete-an-app-authorization)\n" - }, - "help": { - "text": "\nStoring an API key in the image could lead to several risks.\n\nIf the key is associated with a wide scope of privileges, attackers could extract it from a single image or firmware and use it maliciously to attack many targets. 
For example, if the embedded key allows querying/modifying data for all cloud user accounts, without per-user authentication, the attackers who extract it would gain access to system-wide data.\n\nIf the cloud/SaaS provider bills by key usage - for example, every million queries cost the key's owner a fixed sum of money - attackers could use the keys for their own purposes (or just as a form of vandalism), incurring a large cost to the legitimate user or operator.\n\n## Best practices\n\nUse narrow scopes for stored API keys. As much as possible, API keys should be unique per host and require additional authentication with the user's individual credentials for any sensitive actions.\n\nAvoid placing keys whose use incurs costs directly in the image. Store the key with any software or hardware protection available on the host for key storage (such as operating system key-stores, hardware cryptographic storage mechanisms or cloud-managed secure storage services such as [AWS KMS](https://aws.amazon.com/kms/)).\n\nTokens that were detected as exposed should be revoked and replaced -\n\n* [AWS Key Revocation](https://aws.amazon.com/premiumsupport/knowledge-center/delete-access-key/#:~:text=If%20you%20see%20a%20warning,the%20confirmation%20box%2C%20choose%20Deactivate.)\n* [GCP Key Revocation](https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/delete-api-keys.html)\n* [Azure Key Revocation](https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=Windows#revoke-a-pat)\n* [GitHub Key Revocation](https://docs.github.com/en/rest/apps/oauth-applications#delete-an-app-authorization)\n", - "markdown": "\nStoring an API key in the image could lead to several risks.\n\nIf the key is associated with a wide scope of privileges, attackers could extract it from a single image or firmware and use it maliciously to attack many targets. 
For example, if the embedded key allows querying/modifying data for all cloud user accounts, without per-user authentication, the attackers who extract it would gain access to system-wide data.\n\nIf the cloud/SaaS provider bills by key usage - for example, every million queries cost the key's owner a fixed sum of money - attackers could use the keys for their own purposes (or just as a form of vandalism), incurring a large cost to the legitimate user or operator.\n\n## Best practices\n\nUse narrow scopes for stored API keys. As much as possible, API keys should be unique per host and require additional authentication with the user's individual credentials for any sensitive actions.\n\nAvoid placing keys whose use incurs costs directly in the image. Store the key with any software or hardware protection available on the host for key storage (such as operating system key-stores, hardware cryptographic storage mechanisms or cloud-managed secure storage services such as [AWS KMS](https://aws.amazon.com/kms/)).\n\nTokens that were detected as exposed should be revoked and replaced -\n\n* [AWS Key Revocation](https://aws.amazon.com/premiumsupport/knowledge-center/delete-access-key/#:~:text=If%20you%20see%20a%20warning,the%20confirmation%20box%2C%20choose%20Deactivate.)\n* [GCP Key Revocation](https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/delete-api-keys.html)\n* [Azure Key Revocation](https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=Windows#revoke-a-pat)\n* [GitHub Key Revocation](https://docs.github.com/en/rest/apps/oauth-applications#delete-an-app-authorization)\n" - }, - "properties": { - "applicability": "undetermined", - "conclusion": "private" - } - }, - { - "id": "REQ.CRED.PUBLIC-ONLY", - "shortDescription": { - "text": "[Secret in Binary found] Scanner for REQ.CRED.PUBLIC-ONLY" - }, - "fullDescription": { - "text": "", - "markdown": "" - }, - 
"help": { - "text": "", - "markdown": "" - }, - "properties": { - "applicability": "undetermined", - "conclusion": "private" - } - }, - { - "id": "REQ.SECRET.GENERIC.URL", - "shortDescription": { - "text": "[Secret in Binary found] Scanner for REQ.SECRET.GENERIC.URL" - }, - "fullDescription": { - "text": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. The given access to each secret can be dynamically modified or even revoked. 
Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n", - "markdown": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. 
inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. The given access to each secret can be dynamically modified or even revoked. Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n" - }, - "help": { - "text": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. 
For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. The given access to each secret can be dynamically modified or even revoked. 
Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n", - "markdown": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. 
inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. The given access to each secret can be dynamically modified or even revoked. Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n" - }, - "properties": { - "applicability": "undetermined", - "conclusion": "private" + "region": { + "snippet": { + "text": "htt************" + } } } - ], - "version": "1.0" - } - }, - "invocations": [ - { - "arguments": [ - "/Users/assafa/.jfrog/dependencies/analyzerManager/jas_scanner/jas_scanner", - "scan", - "/var/folders/xv/th4cksxn7jv9wjrdnn1h4tj00000gq/T/jfrog.cli.temp.-1725978580-3584350251/Secrets_1725978603/config.yaml" - ], - "executionSuccessful": true, - "workingDirectory": { - "uri": "/var/folders/xv/th4cksxn7jv9wjrdnn1h4tj00000gq/T/jfrog.cli.temp.-1725978503-2625964325/image.tar" } - } - ], - "results": [] - } - ] - } + ] + } + ] + } + ] } - ] - } \ No newline at end of file + } + ] +} \ No newline at end of file 
diff --git a/tests/testdata/output/dockerscan/docker_sarif.json b/tests/testdata/output/dockerscan/docker_sarif.json index e69de29b..adda131f 100644 --- a/tests/testdata/output/dockerscan/docker_sarif.json +++ b/tests/testdata/output/dockerscan/docker_sarif.json 
@@ -0,0 +1,778 @@ +{ + "version": "2.1.0", + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "informationUri": "https://jfrog.com/help/r/jfrog-security-documentation/jfrog-advanced-security", + "name": "JFrog Binary Secrets Scanner", + "rules": [ + { + "id": "REQ.SECRET.GENERIC.TEXT", + "name": "REQ.SECRET.GENERIC.TEXT", + "shortDescription": { + "text": "[Secret in Binary found] Scanner for REQ.SECRET.GENERIC.TEXT" + }, + "fullDescription": { + "text": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. 
The given access to each secret can be dynamically modified or even revoked. Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n", + "markdown": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. 
a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. The given access to each secret can be dynamically modified or even revoked. Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n" + }, + "help": { + "text": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. 
For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. The given access to each secret can be dynamically modified or even revoked. 
Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n", + "markdown": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. 
inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. The given access to each secret can be dynamically modified or even revoked. Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n" + }, + "properties": { + "applicability": "not_applicable", + "conclusion": "positive" + } + }, + { + "id": "REQ.SECRET.GENERIC.CODE", + "name": "REQ.SECRET.GENERIC.CODE", + "shortDescription": { + "text": "[Secret in Binary found] Scanner for REQ.SECRET.GENERIC.CODE" + }, + "fullDescription": { + "text": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. 
For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. The given access to each secret can be dynamically modified or even revoked. 
Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n", + "markdown": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. 
inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. The given access to each secret can be dynamically modified or even revoked. Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n" + }, + "help": { + "text": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. 
For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. The given access to each secret can be dynamically modified or even revoked. 
Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n", + "markdown": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. 
inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. The given access to each secret can be dynamically modified or even revoked. Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n" + }, + "properties": { + "applicability": "applicable", + "conclusion": "negative", + "security-severity": "6.9" + } + }, + { + "id": "REQ.SECRET.KEYS", + "name": "REQ.SECRET.KEYS", + "shortDescription": { + "text": "[Secret in Binary found] Scanner for REQ.SECRET.KEYS" + }, + "fullDescription": { + "text": "\nStoring an API key in the image could lead to several risks.\n\nIf the key is associated with a wide scope of privileges, attackers could extract it from a single image or firmware and use it maliciously to attack many targets. 
For example, if the embedded key allows querying/modifying data for all cloud user accounts, without per-user authentication, the attackers who extract it would gain access to system-wide data.\n\nIf the cloud/SaaS provider bills by key usage - for example, every million queries cost the key's owner a fixed sum of money - attackers could use the keys for their own purposes (or just as a form of vandalism), incurring a large cost to the legitimate user or operator.\n\n## Best practices\n\nUse narrow scopes for stored API keys. As much as possible, API keys should be unique per host and require additional authentication with the user's individual credentials for any sensitive actions.\n\nAvoid placing keys whose use incurs costs directly in the image. Store the key with any software or hardware protection available on the host for key storage (such as operating system key-stores, hardware cryptographic storage mechanisms or cloud-managed secure storage services such as [AWS KMS](https://aws.amazon.com/kms/)).\n\nTokens that were detected as exposed should be revoked and replaced -\n\n* [AWS Key Revocation](https://aws.amazon.com/premiumsupport/knowledge-center/delete-access-key/#:~:text=If%20you%20see%20a%20warning,the%20confirmation%20box%2C%20choose%20Deactivate.)\n* [GCP Key Revocation](https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/delete-api-keys.html)\n* [Azure Key Revocation](https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=Windows#revoke-a-pat)\n* [GitHub Key Revocation](https://docs.github.com/en/rest/apps/oauth-applications#delete-an-app-authorization)\n", + "markdown": "\nStoring an API key in the image could lead to several risks.\n\nIf the key is associated with a wide scope of privileges, attackers could extract it from a single image or firmware and use it maliciously to attack many targets. 
For example, if the embedded key allows querying/modifying data for all cloud user accounts, without per-user authentication, the attackers who extract it would gain access to system-wide data.\n\nIf the cloud/SaaS provider bills by key usage - for example, every million queries cost the key's owner a fixed sum of money - attackers could use the keys for their own purposes (or just as a form of vandalism), incurring a large cost to the legitimate user or operator.\n\n## Best practices\n\nUse narrow scopes for stored API keys. As much as possible, API keys should be unique per host and require additional authentication with the user's individual credentials for any sensitive actions.\n\nAvoid placing keys whose use incurs costs directly in the image. Store the key with any software or hardware protection available on the host for key storage (such as operating system key-stores, hardware cryptographic storage mechanisms or cloud-managed secure storage services such as [AWS KMS](https://aws.amazon.com/kms/)).\n\nTokens that were detected as exposed should be revoked and replaced -\n\n* [AWS Key Revocation](https://aws.amazon.com/premiumsupport/knowledge-center/delete-access-key/#:~:text=If%20you%20see%20a%20warning,the%20confirmation%20box%2C%20choose%20Deactivate.)\n* [GCP Key Revocation](https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/delete-api-keys.html)\n* [Azure Key Revocation](https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=Windows#revoke-a-pat)\n* [GitHub Key Revocation](https://docs.github.com/en/rest/apps/oauth-applications#delete-an-app-authorization)\n" + }, + "help": { + "text": "\nStoring an API key in the image could lead to several risks.\n\nIf the key is associated with a wide scope of privileges, attackers could extract it from a single image or firmware and use it maliciously to attack many targets. 
For example, if the embedded key allows querying/modifying data for all cloud user accounts, without per-user authentication, the attackers who extract it would gain access to system-wide data.\n\nIf the cloud/SaaS provider bills by key usage - for example, every million queries cost the key's owner a fixed sum of money - attackers could use the keys for their own purposes (or just as a form of vandalism), incurring a large cost to the legitimate user or operator.\n\n## Best practices\n\nUse narrow scopes for stored API keys. As much as possible, API keys should be unique per host and require additional authentication with the user's individual credentials for any sensitive actions.\n\nAvoid placing keys whose use incurs costs directly in the image. Store the key with any software or hardware protection available on the host for key storage (such as operating system key-stores, hardware cryptographic storage mechanisms or cloud-managed secure storage services such as [AWS KMS](https://aws.amazon.com/kms/)).\n\nTokens that were detected as exposed should be revoked and replaced -\n\n* [AWS Key Revocation](https://aws.amazon.com/premiumsupport/knowledge-center/delete-access-key/#:~:text=If%20you%20see%20a%20warning,the%20confirmation%20box%2C%20choose%20Deactivate.)\n* [GCP Key Revocation](https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/delete-api-keys.html)\n* [Azure Key Revocation](https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=Windows#revoke-a-pat)\n* [GitHub Key Revocation](https://docs.github.com/en/rest/apps/oauth-applications#delete-an-app-authorization)\n", + "markdown": "\nStoring an API key in the image could lead to several risks.\n\nIf the key is associated with a wide scope of privileges, attackers could extract it from a single image or firmware and use it maliciously to attack many targets. 
For example, if the embedded key allows querying/modifying data for all cloud user accounts, without per-user authentication, the attackers who extract it would gain access to system-wide data.\n\nIf the cloud/SaaS provider bills by key usage - for example, every million queries cost the key's owner a fixed sum of money - attackers could use the keys for their own purposes (or just as a form of vandalism), incurring a large cost to the legitimate user or operator.\n\n## Best practices\n\nUse narrow scopes for stored API keys. As much as possible, API keys should be unique per host and require additional authentication with the user's individual credentials for any sensitive actions.\n\nAvoid placing keys whose use incurs costs directly in the image. Store the key with any software or hardware protection available on the host for key storage (such as operating system key-stores, hardware cryptographic storage mechanisms or cloud-managed secure storage services such as [AWS KMS](https://aws.amazon.com/kms/)).\n\nTokens that were detected as exposed should be revoked and replaced -\n\n* [AWS Key Revocation](https://aws.amazon.com/premiumsupport/knowledge-center/delete-access-key/#:~:text=If%20you%20see%20a%20warning,the%20confirmation%20box%2C%20choose%20Deactivate.)\n* [GCP Key Revocation](https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/delete-api-keys.html)\n* [Azure Key Revocation](https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=Windows#revoke-a-pat)\n* [GitHub Key Revocation](https://docs.github.com/en/rest/apps/oauth-applications#delete-an-app-authorization)\n" + }, + "properties": { + "applicability": "applicable", + "conclusion": "negative", + "security-severity": "6.9" + } + }, + { + "id": "REQ.CRED.PUBLIC-ONLY", + "name": "REQ.CRED.PUBLIC-ONLY", + "shortDescription": { + "text": "[Secret in Binary found] Scanner for REQ.CRED.PUBLIC-ONLY" + }, 
+ "fullDescription": { + "text": "", + "markdown": "" + }, + "help": { + "text": "", + "markdown": "" + }, + "properties": { + "applicability": "undetermined", + "conclusion": "private" + } + }, + { + "id": "REQ.SECRET.GENERIC.URL", + "name": "REQ.SECRET.GENERIC.URL", + "shortDescription": { + "text": "[Secret in Binary found] Scanner for REQ.SECRET.GENERIC.URL" + }, + "fullDescription": { + "text": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. The given access to each secret can be dynamically modified or even revoked. 
Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n", + "markdown": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. 
inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. The given access to each secret can be dynamically modified or even revoked. Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n" + }, + "help": { + "text": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. 
For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. The given access to each secret can be dynamically modified or even revoked. 
Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n", + "markdown": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. 
inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. The given access to each secret can be dynamically modified or even revoked. Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n" + }, + "properties": { + "applicability": "applicable", + "conclusion": "negative", + "security-severity": "6.9" + } + } + ], + "version": "1.0" + } + }, + "invocations": [ + { + "arguments": [ + "/Users/user/.jfrog/dependencies/analyzerManager/jas_scanner/jas_scanner", + "scan", + "/var/folders/xv/th4cksxn7jv9wjrdnn1h4tj00000gq/T/jfrog.cli.temp.-1726210780-681556384/Secrets_1726210839/config.yaml" + ], + "executionSuccessful": true, + "workingDirectory": { + "uri": "/var/folders/xv/th4cksxn7jv9wjrdnn1h4tj00000gq/T/jfrog.cli.temp.-1726210535-1985298017/image.tar" + } + } + ], + "results": [ + { + "properties": { + "metadata": "", + "tokenValidation": "" + }, + "ruleId": "REQ.SECRET.GENERIC.CODE", + "message": { + "text": "Hardcoded secrets were found", + 
"markdown": "🔒 Found Secrets in Binary docker scanning:\nImage: platform.jfrog.io/swamp-docker/swamp:latest\nLayer (sha256): 9e88ea9de1b44baba5e96a79e33e4af64334b2bf129e838e12f6dae71b5c86f0\nFilepath: usr/src/app/server/index.js\nEvidence: tok************" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "usr/src/app/server/index.js" + }, + "region": { + "startLine": 5, + "startColumn": 7, + "endLine": 5, + "endColumn": 57, + "snippet": { + "text": "tok************" + } + } + }, + "logicalLocations": [ + { + "name": "9e88ea9de1b44baba5e96a79e33e4af64334b2bf129e838e12f6dae71b5c86f0", + "kind": "layer", + "properties": { + "algorithm": "sha256" + } + } + ] + } + ], + "fingerprints": { + "jfrogFingerprintHash": "00436fac1d19ea36302f14e892926efb" + } + }, + { + "properties": { + "metadata": "", + "tokenValidation": "" + }, + "ruleId": "REQ.SECRET.KEYS", + "message": { + "text": "Secret keys were found", + "markdown": "🔒 Found Secrets in Binary docker scanning:\nImage: platform.jfrog.io/swamp-docker/swamp:latest\nLayer (sha256): 9e88ea9de1b44baba5e96a79e33e4af64334b2bf129e838e12f6dae71b5c86f0\nFilepath: usr/src/app/server/index.js\nEvidence: eyJ************" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "usr/src/app/server/index.js" + }, + "region": { + "startLine": 6, + "startColumn": 14, + "endLine": 6, + "endColumn": 24, + "snippet": { + "text": "eyJ************" + } + } + }, + "logicalLocations": [ + { + "name": "9e88ea9de1b44baba5e96a79e33e4af64334b2bf129e838e12f6dae71b5c86f0", + "kind": "layer", + "properties": { + "algorithm": "sha256" + } + } + ] + } + ], + "fingerprints": { + "jfrogFingerprintHash": "2550dbdb124696ae8fcc5cfd6f2b65b8" + } + }, + { + "properties": { + "metadata": "", + "tokenValidation": "" + }, + "ruleId": "REQ.SECRET.GENERIC.URL", + "message": { + "text": "Hardcoded secrets were found", + "markdown": "🔒 Found Secrets in Binary docker scanning:\nImage: 
platform.jfrog.io/swamp-docker/swamp:latest\nFilepath: usr/src/app/server/scripts/__pycache__/fetch_github_repo.cpython-311.pyc\nEvidence: htt************" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "usr/src/app/server/scripts/__pycache__/fetch_github_repo.cpython-311.pyc" + }, + "region": { + "snippet": { + "text": "htt************" + } + } + } + } + ], + "fingerprints": { + "jfrogFingerprintHash": "9164423e88bbec9d1216bc5600eb7f9b" + } + } + ] + }, + { + "tool": { + "driver": { + "informationUri": "https://docs.jfrog-applications.jfrog.io/jfrog-security-features/sca", + "name": "JFrog Xray Scanner", + "rules": [ + { + "id": "CVE-2024-6119_debian:bookworm:openssl_3.0.13-1~deb12u1", + "shortDescription": { + "text": "[CVE-2024-6119] debian:bookworm:openssl 3.0.13-1~deb12u1" + }, + "help": { + "text": "Issue summary: Applications performing certificate name checks (e.g., TLS\nclients checking server certificates) may attempt to read an invalid memory\naddress resulting in abnormal termination of the application process.\n\nImpact summary: Abnormal termination of an application can a cause a denial of\nservice.\n\nApplications performing certificate name checks (e.g., TLS clients checking\nserver certificates) may attempt to read an invalid memory address when\ncomparing the expected name with an `otherName` subject alternative name of an\nX.509 certificate. This may result in an exception that terminates the\napplication program.\n\nNote that basic certificate chain validation (signatures, dates, ...) is not\naffected, the denial of service can occur only when the application also\nspecifies an expected DNS name, Email address or IP address.\n\nTLS servers rarely solicit client certificates, and even when they do, they\ngenerally don't perform a name check against a reference identifier (expected\nidentity), but rather extract the presented identity after checking the\ncertificate chain. 
So TLS servers are generally not affected and the severity\nof the issue is Moderate.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.", + "markdown": "| Severity Score | Contextual Analysis | Direct Dependencies | Fixed Versions |\n| :---: | :---: | :---: | :---: |\n| 0.0 | Applicable | `sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar ` | [3.0.14-1~deb12u2] |" + }, + "properties": { + "security-severity": "0.0" + } + }, + { + "id": "CVE-2024-38428_debian:bookworm:wget_1.21.3-1+b1", + "shortDescription": { + "text": "[CVE-2024-38428] debian:bookworm:wget 1.21.3-1+b1" + }, + "help": { + "text": "url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent.", + "markdown": "| Severity Score | Contextual Analysis | Direct Dependencies | Fixed Versions |\n| :---: | :---: | :---: | :---: |\n| 9.1 | Undetermined | `sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar ` | No fix available |" + }, + "properties": { + "security-severity": "9.1" + } + }, + { + "id": "CVE-2024-45490_debian:bookworm:libexpat1_2.5.0-1", + "shortDescription": { + "text": "[CVE-2024-45490] debian:bookworm:libexpat1 2.5.0-1" + }, + "help": { + "text": "An issue was discovered in libexpat before 2.6.3. 
xmlparse.c does not reject a negative length for XML_ParseBuffer.", + "markdown": "| Severity Score | Contextual Analysis | Direct Dependencies | Fixed Versions |\n| :---: | :---: | :---: | :---: |\n| 9.8 | Not Applicable | `sha256__20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1.tar ` | No fix available |" + }, + "properties": { + "security-severity": "9.8" + } + }, + { + "id": "CVE-2024-45492_debian:bookworm:libexpat1_2.5.0-1", + "shortDescription": { + "text": "[CVE-2024-45492] debian:bookworm:libexpat1 2.5.0-1" + }, + "help": { + "text": "An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).", + "markdown": "| Severity Score | Contextual Analysis | Direct Dependencies | Fixed Versions |\n| :---: | :---: | :---: | :---: |\n| 9.8 | Not Applicable | `sha256__20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1.tar ` | No fix available |" + }, + "properties": { + "security-severity": "9.8" + } + }, + { + "id": "CVE-2024-4741_debian:bookworm:openssl_3.0.13-1~deb12u1", + "shortDescription": { + "text": "[CVE-2024-4741] debian:bookworm:openssl 3.0.13-1~deb12u1" + }, + "help": { + "text": "CVE-2024-4741", + "markdown": "| Severity Score | Contextual Analysis | Direct Dependencies | Fixed Versions |\n| :---: | :---: | :---: | :---: |\n| 0.0 | Applicable | `sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar ` | [3.0.14-1~deb12u1] |" + }, + "properties": { + "security-severity": "0.0" + } + }, + { + "id": "CVE-2024-6119_debian:bookworm:libssl3_3.0.13-1~deb12u1", + "shortDescription": { + "text": "[CVE-2024-6119] debian:bookworm:libssl3 3.0.13-1~deb12u1" + }, + "help": { + "text": "Issue summary: Applications performing certificate name checks (e.g., TLS\nclients checking server certificates) may attempt to read an invalid memory\naddress resulting in abnormal termination of the application 
process.\n\nImpact summary: Abnormal termination of an application can a cause a denial of\nservice.\n\nApplications performing certificate name checks (e.g., TLS clients checking\nserver certificates) may attempt to read an invalid memory address when\ncomparing the expected name with an `otherName` subject alternative name of an\nX.509 certificate. This may result in an exception that terminates the\napplication program.\n\nNote that basic certificate chain validation (signatures, dates, ...) is not\naffected, the denial of service can occur only when the application also\nspecifies an expected DNS name, Email address or IP address.\n\nTLS servers rarely solicit client certificates, and even when they do, they\ngenerally don't perform a name check against a reference identifier (expected\nidentity), but rather extract the presented identity after checking the\ncertificate chain. So TLS servers are generally not affected and the severity\nof the issue is Moderate.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.", + "markdown": "| Severity Score | Contextual Analysis | Direct Dependencies | Fixed Versions |\n| :---: | :---: | :---: | :---: |\n| 0.0 | Applicable | `sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar ` | No fix available |" + }, + "properties": { + "security-severity": "0.0" + } + }, + { + "id": "XRAY-264729_cors.js_0.0.1-security", + "shortDescription": { + "text": "[XRAY-264729] cors.js 0.0.1-security" + }, + "help": { + "text": "Malicious package cors.js for Node.js", + "markdown": "| Severity Score | Contextual Analysis | Direct Dependencies | Fixed Versions |\n| :---: | :---: | :---: | :---: |\n| 10.0 | Not Covered | `sha256__ab1c0a95b2970fb44e2a4046c5c00f37a5b061e74d72b254a8975beb7d09f74f.tar ` | No fix available |" + }, + "properties": { + "security-severity": "10.0" + } + }, + { + "id": "CVE-2023-51767_debian:bookworm:openssh-client:1_9.2p1-2+deb12u3", + "shortDescription": { + "text": 
"[CVE-2023-51767] debian:bookworm:openssh-client:1 9.2p1-2+deb12u3" + }, + "help": { + "text": "OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.", + "markdown": "| Severity Score | Contextual Analysis | Direct Dependencies | Fixed Versions |\n| :---: | :---: | :---: | :---: |\n| 7.0 | Applicable | `sha256__20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1.tar ` | No fix available |" + }, + "properties": { + "security-severity": "7.0" + } + }, + { + "id": "CVE-2011-3374_debian:bookworm:apt_2.6.1", + "shortDescription": { + "text": "[CVE-2011-3374] debian:bookworm:apt 2.6.1" + }, + "help": { + "text": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.", + "markdown": "| Severity Score | Contextual Analysis | Direct Dependencies | Fixed Versions |\n| :---: | :---: | :---: | :---: |\n| 3.7 | Not Applicable | `sha256__cedb364ef937c7e51179d8e514bdd98644bac5fdc82a45d784ef91afe4bc647e.tar ` | No fix available |" + }, + "properties": { + "security-severity": "3.7" + } + }, + { + "id": "CVE-2011-3374_debian:bookworm:libapt-pkg6.0_2.6.1", + "shortDescription": { + "text": "[CVE-2011-3374] debian:bookworm:libapt-pkg6.0 2.6.1" + }, + "help": { + "text": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.", + "markdown": "| Severity Score | Contextual Analysis | Direct Dependencies | Fixed Versions |\n| :---: | :---: | :---: | :---: |\n| 3.7 | Not Applicable | `sha256__cedb364ef937c7e51179d8e514bdd98644bac5fdc82a45d784ef91afe4bc647e.tar ` | No fix available |" 
+ }, + "properties": { + "security-severity": "3.7" + } + }, + { + "id": "CVE-2024-4741_debian:bookworm:libssl3_3.0.13-1~deb12u1", + "shortDescription": { + "text": "[CVE-2024-4741] debian:bookworm:libssl3 3.0.13-1~deb12u1" + }, + "help": { + "text": "CVE-2024-4741", + "markdown": "| Severity Score | Contextual Analysis | Direct Dependencies | Fixed Versions |\n| :---: | :---: | :---: | :---: |\n| 0.0 | Applicable | `sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar ` | No fix available |" + }, + "properties": { + "security-severity": "0.0" + } + } + ], + "version": "3.104.8" + } + }, + "invocations": [ + { + "executionSuccessful": true, + "workingDirectory": { + "uri": "/var/folders/xv/th4cksxn7jv9wjrdnn1h4tj00000gq/T/jfrog.cli.temp.-1726210535-1985298017/image.tar" + } + } + ], + "results": [ + { + "properties": { + "applicability": "Applicable", + "fixedVersion": "No fix available" + }, + "ruleId": "CVE-2024-6119_debian:bookworm:libssl3_3.0.13-1~deb12u1", + "ruleIndex": 5, + "level": "none", + "message": { + "text": "[CVE-2024-6119] sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar ", + "markdown": "[CVE-2024-6119] sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar \nImage: platform.jfrog.io/swamp-docker/swamp:latest\nLayer (sha256): f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar" + } + }, + "logicalLocations": [ + { + "name": "f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595", + "kind": "layer", + "properties": { + "algorithm": "sha256" + } + } + ] + } + ], + "fingerprints": { + "jfrogFingerprintHash": "5b5d2ba57a2eddf58f4579b7ebe42599" + } + }, + { + "properties": { + "applicability": "Applicable", + "fixedVersion": "[3.0.14-1~deb12u2]" + }, + "ruleId": 
"CVE-2024-6119_debian:bookworm:openssl_3.0.13-1~deb12u1", + "ruleIndex": 0, + "level": "none", + "message": { + "text": "[CVE-2024-6119] sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar ", + "markdown": "[CVE-2024-6119] sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar \nImage: platform.jfrog.io/swamp-docker/swamp:latest\nLayer (sha256): f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar" + } + }, + "logicalLocations": [ + { + "name": "f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595", + "kind": "layer", + "properties": { + "algorithm": "sha256" + } + } + ] + } + ], + "fingerprints": { + "jfrogFingerprintHash": "bd5908946de9c082f96e15217590eebc" + } + }, + { + "properties": { + "applicability": "Undetermined", + "fixedVersion": "No fix available" + }, + "ruleId": "CVE-2024-38428_debian:bookworm:wget_1.21.3-1+b1", + "ruleIndex": 1, + "level": "error", + "message": { + "text": "[CVE-2024-38428] sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar ", + "markdown": "[CVE-2024-38428] sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar \nImage: platform.jfrog.io/swamp-docker/swamp:latest\nLayer (sha256): f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar" + } + }, + "logicalLocations": [ + { + "name": "f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595", + "kind": "layer", + "properties": { + "algorithm": "sha256" + } + } + ] + } + ], + "fingerprints": { + "jfrogFingerprintHash": "db89861310f80a270a0a81f48d7dc974" + } + }, + { + "properties": { + "applicability": "Not Covered", + 
"fixedVersion": "No fix available" + }, + "ruleId": "XRAY-264729_cors.js_0.0.1-security", + "ruleIndex": 6, + "level": "error", + "message": { + "text": "[XRAY-264729] sha256__ab1c0a95b2970fb44e2a4046c5c00f37a5b061e74d72b254a8975beb7d09f74f.tar ", + "markdown": "[XRAY-264729] sha256__ab1c0a95b2970fb44e2a4046c5c00f37a5b061e74d72b254a8975beb7d09f74f.tar \nImage: platform.jfrog.io/swamp-docker/swamp:latest\nLayer (sha256): ab1c0a95b2970fb44e2a4046c5c00f37a5b061e74d72b254a8975beb7d09f74f" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "sha256__ab1c0a95b2970fb44e2a4046c5c00f37a5b061e74d72b254a8975beb7d09f74f.tar" + } + }, + "logicalLocations": [ + { + "name": "ab1c0a95b2970fb44e2a4046c5c00f37a5b061e74d72b254a8975beb7d09f74f", + "kind": "layer", + "properties": { + "algorithm": "sha256" + } + } + ] + } + ], + "fingerprints": { + "jfrogFingerprintHash": "d653c414ef56560432b122358961104a" + } + }, + { + "properties": { + "applicability": "Not Applicable", + "fixedVersion": "No fix available" + }, + "ruleId": "CVE-2024-45490_debian:bookworm:libexpat1_2.5.0-1", + "ruleIndex": 2, + "level": "error", + "message": { + "text": "[CVE-2024-45490] sha256__20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1.tar ", + "markdown": "[CVE-2024-45490] sha256__20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1.tar \nImage: platform.jfrog.io/swamp-docker/swamp:latest\nLayer (sha256): 20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "sha256__20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1.tar" + } + }, + "logicalLocations": [ + { + "name": "20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1", + "kind": "layer", + "properties": { + "algorithm": "sha256" + } + } + ] + } + ], + "fingerprints": { + "jfrogFingerprintHash": "61be5170151428187e85ff7b27fd65b4" + } + }, + { + "properties": { + "applicability": 
"Not Applicable", + "fixedVersion": "No fix available" + }, + "ruleId": "CVE-2024-45492_debian:bookworm:libexpat1_2.5.0-1", + "ruleIndex": 3, + "level": "error", + "message": { + "text": "[CVE-2024-45492] sha256__20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1.tar ", + "markdown": "[CVE-2024-45492] sha256__20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1.tar \nImage: platform.jfrog.io/swamp-docker/swamp:latest\nLayer (sha256): 20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "sha256__20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1.tar" + } + }, + "logicalLocations": [ + { + "name": "20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1", + "kind": "layer", + "properties": { + "algorithm": "sha256" + } + } + ] + } + ], + "fingerprints": { + "jfrogFingerprintHash": "e47bb0a94451ed5111fabcf0ccaaeee6" + } + }, + { + "properties": { + "applicability": "Applicable", + "fixedVersion": "No fix available" + }, + "ruleId": "CVE-2023-51767_debian:bookworm:openssh-client:1_9.2p1-2+deb12u3", + "ruleIndex": 7, + "level": "note", + "message": { + "text": "[CVE-2023-51767] sha256__20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1.tar ", + "markdown": "[CVE-2023-51767] sha256__20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1.tar \nImage: platform.jfrog.io/swamp-docker/swamp:latest\nLayer (sha256): 20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "sha256__20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1.tar" + } + }, + "logicalLocations": [ + { + "name": "20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1", + "kind": "layer", + "properties": { + "algorithm": "sha256" + } + } + ] + } + ], + "fingerprints": { + "jfrogFingerprintHash": "fe7c1c90b3e7d340890027344468b42d" 
+ } + }, + { + "properties": { + "applicability": "Not Applicable", + "fixedVersion": "No fix available" + }, + "ruleId": "CVE-2011-3374_debian:bookworm:apt_2.6.1", + "ruleIndex": 8, + "level": "note", + "message": { + "text": "[CVE-2011-3374] sha256__cedb364ef937c7e51179d8e514bdd98644bac5fdc82a45d784ef91afe4bc647e.tar ", + "markdown": "[CVE-2011-3374] sha256__cedb364ef937c7e51179d8e514bdd98644bac5fdc82a45d784ef91afe4bc647e.tar \nImage: platform.jfrog.io/swamp-docker/swamp:latest\nLayer (sha256): cedb364ef937c7e51179d8e514bdd98644bac5fdc82a45d784ef91afe4bc647e" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "sha256__cedb364ef937c7e51179d8e514bdd98644bac5fdc82a45d784ef91afe4bc647e.tar" + } + }, + "logicalLocations": [ + { + "name": "cedb364ef937c7e51179d8e514bdd98644bac5fdc82a45d784ef91afe4bc647e", + "kind": "layer", + "properties": { + "algorithm": "sha256" + } + } + ] + } + ], + "fingerprints": { + "jfrogFingerprintHash": "81f98a6fd77d17d7647c0ae81410b506" + } + }, + { + "properties": { + "applicability": "Not Applicable", + "fixedVersion": "No fix available" + }, + "ruleId": "CVE-2011-3374_debian:bookworm:libapt-pkg6.0_2.6.1", + "ruleIndex": 9, + "level": "note", + "message": { + "text": "[CVE-2011-3374] sha256__cedb364ef937c7e51179d8e514bdd98644bac5fdc82a45d784ef91afe4bc647e.tar ", + "markdown": "[CVE-2011-3374] sha256__cedb364ef937c7e51179d8e514bdd98644bac5fdc82a45d784ef91afe4bc647e.tar \nImage: platform.jfrog.io/swamp-docker/swamp:latest\nLayer (sha256): cedb364ef937c7e51179d8e514bdd98644bac5fdc82a45d784ef91afe4bc647e" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "sha256__cedb364ef937c7e51179d8e514bdd98644bac5fdc82a45d784ef91afe4bc647e.tar" + } + }, + "logicalLocations": [ + { + "name": "cedb364ef937c7e51179d8e514bdd98644bac5fdc82a45d784ef91afe4bc647e", + "kind": "layer", + "properties": { + "algorithm": "sha256" + } + } + ] + } + ], + "fingerprints": { + "jfrogFingerprintHash": 
"7933bf1c7b4635012e7571e82e619db6" + } + }, + { + "properties": { + "applicability": "Applicable", + "fixedVersion": "No fix available" + }, + "ruleId": "CVE-2024-4741_debian:bookworm:libssl3_3.0.13-1~deb12u1", + "ruleIndex": 10, + "level": "none", + "message": { + "text": "[CVE-2024-4741] sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar ", + "markdown": "[CVE-2024-4741] sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar \nImage: platform.jfrog.io/swamp-docker/swamp:latest\nLayer (sha256): f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar" + } + }, + "logicalLocations": [ + { + "name": "f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595", + "kind": "layer", + "properties": { + "algorithm": "sha256" + } + } + ] + } + ], + "fingerprints": { + "jfrogFingerprintHash": "2c34553d9c75460bf14243ff13ba84c8" + } + }, + { + "properties": { + "applicability": "Applicable", + "fixedVersion": "[3.0.14-1~deb12u1]" + }, + "ruleId": "CVE-2024-4741_debian:bookworm:openssl_3.0.13-1~deb12u1", + "ruleIndex": 4, + "level": "none", + "message": { + "text": "[CVE-2024-4741] sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar ", + "markdown": "[CVE-2024-4741] sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar \nImage: platform.jfrog.io/swamp-docker/swamp:latest\nLayer (sha256): f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar" + } + }, + "logicalLocations": [ + { + "name": "f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595", + "kind": "layer", + "properties": { + "algorithm": "sha256" + } + } + ] + } + ], + 
"fingerprints": { + "jfrogFingerprintHash": "a374e04992f42ee827634927edd7e8d4" + } + } + ] + } + ] + } \ No newline at end of file diff --git a/tests/testdata/output/dockerscan/docker_simple_json.json b/tests/testdata/output/dockerscan/docker_simple_json.json index e69de29b..bb5a715a 100644 --- a/tests/testdata/output/dockerscan/docker_simple_json.json +++ b/tests/testdata/output/dockerscan/docker_simple_json.json 
@@ -0,0 +1,826 @@ +{ + "vulnerabilities": [ + { + "severity": "Critical", + "impactedPackageName": "debian:bookworm:wget", + "impactedPackageVersion": "1.21.3-1+b1", + "impactedPackageType": "Debian", + "components": [ + { + "name": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar", + "version": "", + "location": { + "file": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar" + } + } + ], + "summary": "url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent.", + "applicable": "Undetermined", + "fixedVersions": null, + "cves": [ + { + "id": "CVE-2024-38428", + "cvssV2": "", + "cvssV3": "9.1", + "applicability": { + "status": "Undetermined" + } + } + ], + "issueId": "XRAY-606103", + "references": [ + "https://git.savannah.gnu.org/cgit/wget.git/commit/?id=ed0c7c7e0e8f7298352646b2fd6e06a11e242ace", + "https://lists.gnu.org/archive/html/bug-wget/2024-06/msg00005.html", + "https://security-tracker.debian.org/tracker/CVE-2024-38428" + ], + "impactPaths": [ + [ + { + "name": "platform.jfrog.io/swamp-docker/swamp", + "version": "latest" + }, + { + "name": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar", + "version": "", + "location": { + "file": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar" + } + }, + { + "name": "debian:bookworm:wget", + "version": "1.21.3-1+b1", + "location": { + "file": "wget:1.21.3-1+b1" + } + } + ] + ], + "jfrogResearchInformation": null + }, + { + "severity": "Critical", + "impactedPackageName": "cors.js", + "impactedPackageVersion": "0.0.1-security", + "impactedPackageType": "npm", + "components": [ + { + "name": "sha256__ab1c0a95b2970fb44e2a4046c5c00f37a5b061e74d72b254a8975beb7d09f74f.tar", + "version": "", + "location": { + "file": 
"sha256__ab1c0a95b2970fb44e2a4046c5c00f37a5b061e74d72b254a8975beb7d09f74f.tar" + } + } + ], + "summary": "Malicious package cors.js for Node.js", + "applicable": "Not Covered", + "fixedVersions": null, + "cves": null, + "issueId": "XRAY-264729", + "references": [ + "https://registry.npmjs.com" + ], + "impactPaths": [ + [ + { + "name": "platform.jfrog.io/swamp-docker/swamp", + "version": "latest" + }, + { + "name": "sha256__ab1c0a95b2970fb44e2a4046c5c00f37a5b061e74d72b254a8975beb7d09f74f.tar", + "version": "", + "location": { + "file": "sha256__ab1c0a95b2970fb44e2a4046c5c00f37a5b061e74d72b254a8975beb7d09f74f.tar" + } + }, + { + "name": "cors.js", + "version": "0.0.1-security", + "location": { + "file": "usr/src/app/node_modules/cors.js/package.json" + } + } + ] + ], + "jfrogResearchInformation": { + "severity": "Critical", + "summary": "Malicious package cors.js for Node.js", + "details": "The package cors.js for Node.js contains malicious code that installs a persistent connectback shell. The package is typosquatting the popular `cors` package. When installed, the package opens a connectback shell to the hardcoded host `107.175.32.229` on TCP port 56173. 
The malicious payload achieves persistency by installing a cron job that repeats every 10 seconds - `*/10 * * * * *`", + "remediation": "As with any malware, the malicious package must be completely removed, and steps must be taken care to remediate the damage that was done by the malicious package -\n\n##### Removing the malicious package\n\nRun `npm uninstall cors.js`\n\n##### Refreshing stolen credentials\n\nMany malicious packages steal stored user credentials, focusing on the following -\n\n* [Browser autocomplete](https://jfrog.com/blog/malicious-pypi-packages-stealing-credit-cards-injecting-code/) data, such as saved passwords and credit cards\n* [Environment variables](https://jfrog.com/blog/malicious-npm-packages-are-after-your-discord-tokens-17-new-packages-disclosed/) passed to the malicious code\n* [Stored Discord tokens](https://jfrog.com/blog/malicious-npm-packages-are-after-your-discord-tokens-17-new-packages-disclosed/)\n* AWS / GitHub credentials stored in cleartext files\n\nIt is highly recommended to change or revoke data that is stored in the infected machine at those locations\n\n##### Stopping malicious processes\n\nMany malicious packages start malicious processes such as [connectback shells](https://jfrog.com/blog/jfrog-discloses-3-remote-access-trojans-in-pypi/) or crypto-miners. Search for any unfamiliar processes that consume a large amount of CPU or a large amount of network traffic, and stop them. On Windows, this can be facilitated with [Sysinternals Process Explorer](https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer).\n\n##### Removing installed backdoors\n\nMany malicious packages install themselves as a [persistent backdoor](https://jfrog.com/blog/npm-supply-chain-attack-targets-german-based-companies/), in order to guarantee the malicious code survives a reboot. Search for any unfamiliar binaries set to be run on startup, and remove them. 
On Windows, this can be facilitated with [Sysinternals Autoruns](https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns).\n\n##### Defining an Xray policy that blocks downloads of Artifacts with malicious packages\n\nIt is possible to [create an Xray policy](https://www.jfrog.com/confluence/display/JFROG/Creating+Xray+Policies+and+Rules) that will not allow artifacts with identified malicious packages to be downloaded from Artifactory. To create such a policy, add a new `Security` policy and set `Minimal Severity` to `Critical`. Under `Automatic Actions` check the `Block Download` action.\n\n##### Contacting the JFrog Security Research team for additional information\n\nOptionally, if you are unsure of the full impact of the malicious package and wish to get more details, the JFrog Security Research team can help you assess the potential damage from the installed malicious package.\n\nPlease contact us at research@jfrog.com with details of the affected artifact and the name of the identified malicious package." + } + }, + { + "severity": "Low", + "impactedPackageName": "debian:bookworm:openssh-client:1", + "impactedPackageVersion": "9.2p1-2+deb12u3", + "impactedPackageType": "Debian", + "components": [ + { + "name": "sha256__20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1.tar", + "version": "", + "location": { + "file": "sha256__20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1.tar" + } + } + ], + "summary": "OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. 
NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.", + "applicable": "Applicable", + "fixedVersions": null, + "cves": [ + { + "id": "CVE-2023-51767", + "cvssV2": "", + "cvssV3": "7.0", + "applicability": { + "status": "Applicable", + "scannerDescription": "The CVE is always applicable.\n\nNote - The vulnerability is hardware-dependent." + } + } + ], + "issueId": "XRAY-585612", + "references": [ + "https://arxiv.org/abs/2309.02545", + "https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/monitor.c#L878", + "https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/auth-passwd.c#L77", + "https://bugzilla.redhat.com/show_bug.cgi?id=2255850", + "https://security-tracker.debian.org/tracker/CVE-2023-51767", + "https://ubuntu.com/security/CVE-2023-51767", + "https://security.netapp.com/advisory/ntap-20240125-0006/", + "https://access.redhat.com/security/cve/CVE-2023-51767" + ], + "impactPaths": [ + [ + { + "name": "platform.jfrog.io/swamp-docker/swamp", + "version": "latest" + }, + { + "name": "sha256__20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1.tar", + "version": "", + "location": { + "file": "sha256__20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1.tar" + } + }, + { + "name": "debian:bookworm:openssh-client:1", + "version": "9.2p1-2+deb12u3", + "location": { + "file": "openssh-client:1:9.2p1-2+deb12u3" + } + } + ] + ], + "jfrogResearchInformation": { + "severity": "Low", + "summary": "The RowHammer fault injection attack can theoretically lead to local authentication bypass in OpenSSH.", + "details": "[OpenSSH](https://www.openssh.com/) is a popular open-source implementation of the SSH (Secure Shell) protocol, providing encrypted communication over a network.\nIt was discovered that the OpenSSH authentication logic can be susceptible in some cases to a side-channel fault injection attack. 
The attack can theoretically be carried out by a local attacker which eventually bypass OpenSSH authentication mechanism.\n\nThis vulnerability currently lacks widely known published exploits, and its exploitation is considered highly complex. The intricacies of the attack, combined with the absence of well-documented exploits, contribute to the difficulty in achieving successful exploitation. Furthermore, it's essential to note that the susceptibility to this vulnerability is hardware-dependent, and the success of an attack relies on probabilities associated with the specific hardware configuration. \n\nThe vulnerability is theoretically exploitable by several different ways, the only two published ways are:\n\nIn the OpenSSH function `mm_answer_authpassword()`, a stack variable `authenticated`, is assigned to the value of the function `auth_password()` which returns 1/0 and then returned. If the value of `authenticated` is 1, the SSH connection will be established. Since `authenticated` is stored on the stack, therefore in DRAM, a local attacker could flip this 32-bit integer least significant bit, thus, bypass authentication.\n\nAnother possible exploit is the `result` stack variable in `auth_password()` function. It is initialized to 0 and set to 1 if the password is correct. \nSimilarly to the previous method, this attack requires a single bit flip of the `result` variable in order for the function to return 1 and bypass the authentication.\n\nAttackers can trigger the vulnerability via a RowHammer fault injection. The Rowhammer bug is a hardware reliability issue in which an attacker repeatedly accesses (hammers) DRAM cells to cause unauthorized changes in physically adjacent memory locations.\nSimply put:\n\n* A specific register value(`authenticated`/`result` value) is pushed onto the stack during program execution. 
\n* The stack, where the register value is stored, is identified to be located in a memory row susceptible to bit flips (flippable row) due to the RowHammer vulnerability in DRAM.\n* The attacker performs a series of rapid and repeated memory accesses to the adjacent rows of the flippable row in the DRAM. This repeated access exploits the RowHammer vulnerability, inducing bit flips in the targeted flippable row.\n* Due to the RowHammer effect, bit flips occur in the flippable row, potentially corrupting the data stored there.\n* After inducing bit flips in the flippable row, the attacker manipulates the program's control flow to pop the corrupted value from the stack into a register.\n* The register now holds a value that has been corrupted through the RowHammer attack. Now the `authenticated`/`result` variables hold this corrupted value thus it can lead to authentication bypass, as it may impact the control flow in a way advantageous to the attacker.", + "severityReasons": [ + { + "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", + "description": "The vulnerability depends on the OS and hardware. It was only evaluated in one test environment, therefore results for other conditions might differ. The attacker must be extremely familiar with the details of the exploited system (ex. 
know the exact hardware which is running the OS).", + "isPositive": true + }, + { + "name": "The issue can only be exploited by an attacker that can execute code on the vulnerable machine (excluding exceedingly rare circumstances)", + "isPositive": true + }, + { + "name": "No high-impact exploit or technical writeup were published, and exploitation of the issue with high impact is either non-trivial or completely unproven", + "description": "Exploitation is extremely non-trivial (even theoretically), no public exploits have been published.", + "isPositive": true + }, + { + "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", + "description": "The vulnerability's attack complexity is significantly higher than what the CVSS represents.", + "isPositive": true + } + ] + } + }, + { + "severity": "Unknown", + "impactedPackageName": "debian:bookworm:libssl3", + "impactedPackageVersion": "3.0.13-1~deb12u1", + "impactedPackageType": "Debian", + "components": [ + { + "name": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar", + "version": "", + "location": { + "file": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar" + } + } + ], + "summary": "CVE-2024-4741", + "applicable": "Applicable", + "fixedVersions": null, + "cves": [ + { + "id": "CVE-2024-4741", + "cvssV2": "", + "cvssV3": "", + "applicability": { + "status": "Applicable", + "scannerDescription": "The scanner checks whether the vulnerable function `SSL_free_buffers` is called.", + "evidence": [ + { + "file": "usr/local/bin/node", + "reason": "References to the vulnerable functions were found" + } + ] + } + } + ], + "issueId": "XRAY-603657", + "references": [ + "https://security-tracker.debian.org/tracker/CVE-2024-4741" + ], + "impactPaths": [ + [ + { + "name": "platform.jfrog.io/swamp-docker/swamp", + "version": "latest" + }, + { + "name": 
"sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar", + "version": "", + "location": { + "file": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar" + } + }, + { + "name": "debian:bookworm:libssl3", + "version": "3.0.13-1~deb12u1", + "location": { + "file": "libssl3:3.0.13-1~deb12u1" + } + } + ] + ], + "jfrogResearchInformation": null + }, + { + "severity": "Unknown", + "impactedPackageName": "debian:bookworm:openssl", + "impactedPackageVersion": "3.0.13-1~deb12u1", + "impactedPackageType": "Debian", + "components": [ + { + "name": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar", + "version": "", + "location": { + "file": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar" + } + } + ], + "summary": "CVE-2024-4741", + "applicable": "Applicable", + "fixedVersions": [ + "[3.0.14-1~deb12u1]" + ], + "cves": [ + { + "id": "CVE-2024-4741", + "cvssV2": "", + "cvssV3": "", + "applicability": { + "status": "Applicable", + "scannerDescription": "The scanner checks whether the vulnerable function `SSL_free_buffers` is called.", + "evidence": [ + { + "file": "usr/local/bin/node", + "reason": "References to the vulnerable functions were found" + } + ] + } + } + ], + "issueId": "XRAY-603657", + "references": [ + "https://security-tracker.debian.org/tracker/CVE-2024-4741" + ], + "impactPaths": [ + [ + { + "name": "platform.jfrog.io/swamp-docker/swamp", + "version": "latest" + }, + { + "name": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar", + "version": "", + "location": { + "file": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar" + } + }, + { + "name": "debian:bookworm:openssl", + "version": "3.0.13-1~deb12u1", + "location": { + "file": "openssl:3.0.13-1~deb12u1" + } + } + ] + ], + "jfrogResearchInformation": null + }, + { + "severity": "Unknown", + "impactedPackageName": "debian:bookworm:libssl3", + 
"impactedPackageVersion": "3.0.13-1~deb12u1", + "impactedPackageType": "Debian", + "components": [ + { + "name": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar", + "version": "", + "location": { + "file": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar" + } + } + ], + "summary": "Issue summary: Applications performing certificate name checks (e.g., TLS\nclients checking server certificates) may attempt to read an invalid memory\naddress resulting in abnormal termination of the application process.\n\nImpact summary: Abnormal termination of an application can a cause a denial of\nservice.\n\nApplications performing certificate name checks (e.g., TLS clients checking\nserver certificates) may attempt to read an invalid memory address when\ncomparing the expected name with an `otherName` subject alternative name of an\nX.509 certificate. This may result in an exception that terminates the\napplication program.\n\nNote that basic certificate chain validation (signatures, dates, ...) is not\naffected, the denial of service can occur only when the application also\nspecifies an expected DNS name, Email address or IP address.\n\nTLS servers rarely solicit client certificates, and even when they do, they\ngenerally don't perform a name check against a reference identifier (expected\nidentity), but rather extract the presented identity after checking the\ncertificate chain. 
So TLS servers are generally not affected and the severity\nof the issue is Moderate.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.", + "applicable": "Applicable", + "fixedVersions": null, + "cves": [ + { + "id": "CVE-2024-6119", + "cvssV2": "", + "cvssV3": "", + "applicability": { + "status": "Applicable", + "scannerDescription": "The scanner checks whether any of the following vulnerable functions are called:\n\n- `X509_VERIFY_PARAM_set1_email`\n\n- `X509_check_email`\n\n- `X509_VERIFY_PARAM_set1_host`\n\n- `X509_check_host`", + "evidence": [ + { + "file": "usr/local/bin/node", + "reason": "References to the vulnerable functions were found" + } + ] + } + } + ], + "issueId": "XRAY-632747", + "references": [ + "https://openssl-library.org/news/secadv/20240903.txt", + "https://github.com/openssl/openssl/commit/621f3729831b05ee828a3203eddb621d014ff2b2", + "https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f", + "https://security-tracker.debian.org/tracker/CVE-2024-6119", + "https://github.com/openssl/openssl/commit/7dfcee2cd2a63b2c64b9b4b0850be64cb695b0a0", + "https://github.com/openssl/openssl/commit/06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6" + ], + "impactPaths": [ + [ + { + "name": "platform.jfrog.io/swamp-docker/swamp", + "version": "latest" + }, + { + "name": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar", + "version": "", + "location": { + "file": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar" + } + }, + { + "name": "debian:bookworm:libssl3", + "version": "3.0.13-1~deb12u1", + "location": { + "file": "libssl3:3.0.13-1~deb12u1" + } + } + ] + ], + "jfrogResearchInformation": { + "severity": "Medium", + "summary": "Out of bounds read in OpenSSL clients can lead to denial of service when using non-default TLS verification options and connecting to malicious TLS servers", + "severityReasons": [ + { + "name": "The issue has an exploit 
published", + "description": "The fix commit contains PoC certificates that trigger the denial of service issue" + }, + { + "name": "The prerequisites for exploiting the issue are extremely unlikely", + "description": "The attacker must make the victim client connect to their malicious TLS server, in order to serve the malformed TLS certificate. The victim client must use OpenSSL and must enable non-default certificate verification options, either -\n\n* DNS verification - by using `X509_VERIFY_PARAM_set1_host` or `X509_check_host`\n* Email verification - by using ` X509_VERIFY_PARAM_set1_email` or `X509_check_email`", + "isPositive": true + }, + { + "name": "The issue cannot result in a severe impact (such as remote code execution)", + "description": "Denial of service of a TLS clients only. This out of bounds read cannot lead to data disclosure.", + "isPositive": true + } + ] + } + }, + { + "severity": "Unknown", + "impactedPackageName": "debian:bookworm:openssl", + "impactedPackageVersion": "3.0.13-1~deb12u1", + "impactedPackageType": "Debian", + "components": [ + { + "name": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar", + "version": "", + "location": { + "file": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar" + } + } + ], + "summary": "Issue summary: Applications performing certificate name checks (e.g., TLS\nclients checking server certificates) may attempt to read an invalid memory\naddress resulting in abnormal termination of the application process.\n\nImpact summary: Abnormal termination of an application can a cause a denial of\nservice.\n\nApplications performing certificate name checks (e.g., TLS clients checking\nserver certificates) may attempt to read an invalid memory address when\ncomparing the expected name with an `otherName` subject alternative name of an\nX.509 certificate. 
This may result in an exception that terminates the\napplication program.\n\nNote that basic certificate chain validation (signatures, dates, ...) is not\naffected, the denial of service can occur only when the application also\nspecifies an expected DNS name, Email address or IP address.\n\nTLS servers rarely solicit client certificates, and even when they do, they\ngenerally don't perform a name check against a reference identifier (expected\nidentity), but rather extract the presented identity after checking the\ncertificate chain. So TLS servers are generally not affected and the severity\nof the issue is Moderate.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.", + "applicable": "Applicable", + "fixedVersions": [ + "[3.0.14-1~deb12u2]" + ], + "cves": [ + { + "id": "CVE-2024-6119", + "cvssV2": "", + "cvssV3": "", + "applicability": { + "status": "Applicable", + "scannerDescription": "The scanner checks whether any of the following vulnerable functions are called:\n\n- `X509_VERIFY_PARAM_set1_email`\n\n- `X509_check_email`\n\n- `X509_VERIFY_PARAM_set1_host`\n\n- `X509_check_host`", + "evidence": [ + { + "file": "usr/local/bin/node", + "reason": "References to the vulnerable functions were found" + } + ] + } + } + ], + "issueId": "XRAY-632747", + "references": [ + "https://openssl-library.org/news/secadv/20240903.txt", + "https://github.com/openssl/openssl/commit/621f3729831b05ee828a3203eddb621d014ff2b2", + "https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f", + "https://security-tracker.debian.org/tracker/CVE-2024-6119", + "https://github.com/openssl/openssl/commit/7dfcee2cd2a63b2c64b9b4b0850be64cb695b0a0", + "https://github.com/openssl/openssl/commit/06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6" + ], + "impactPaths": [ + [ + { + "name": "platform.jfrog.io/swamp-docker/swamp", + "version": "latest" + }, + { + "name": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar", + 
"version": "", + "location": { + "file": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar" + } + }, + { + "name": "debian:bookworm:openssl", + "version": "3.0.13-1~deb12u1", + "location": { + "file": "openssl:3.0.13-1~deb12u1" + } + } + ] + ], + "jfrogResearchInformation": { + "severity": "Medium", + "summary": "Out of bounds read in OpenSSL clients can lead to denial of service when using non-default TLS verification options and connecting to malicious TLS servers", + "severityReasons": [ + { + "name": "The issue has an exploit published", + "description": "The fix commit contains PoC certificates that trigger the denial of service issue" + }, + { + "name": "The prerequisites for exploiting the issue are extremely unlikely", + "description": "The attacker must make the victim client connect to their malicious TLS server, in order to serve the malformed TLS certificate. The victim client must use OpenSSL and must enable non-default certificate verification options, either -\n\n* DNS verification - by using `X509_VERIFY_PARAM_set1_host` or `X509_check_host`\n* Email verification - by using ` X509_VERIFY_PARAM_set1_email` or `X509_check_email`", + "isPositive": true + }, + { + "name": "The issue cannot result in a severe impact (such as remote code execution)", + "description": "Denial of service of a TLS clients only. This out of bounds read cannot lead to data disclosure.", + "isPositive": true + } + ] + } + }, + { + "severity": "Critical", + "impactedPackageName": "debian:bookworm:libexpat1", + "impactedPackageVersion": "2.5.0-1", + "impactedPackageType": "Debian", + "components": [ + { + "name": "sha256__20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1.tar", + "version": "", + "location": { + "file": "sha256__20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1.tar" + } + } + ], + "summary": "An issue was discovered in libexpat before 2.6.3. 
xmlparse.c does not reject a negative length for XML_ParseBuffer.", + "applicable": "Not Applicable", + "fixedVersions": null, + "cves": [ + { + "id": "CVE-2024-45490", + "cvssV2": "", + "cvssV3": "9.8", + "applicability": { + "status": "Not Applicable", + "scannerDescription": "The scanner checks whether any of the following vulnerable functions are called:\n\n- `XML_Parse()`\n- `XML_ParseBuffer()`\n\nAn additional condition, which the scanner currently does not check, is that the `len` parameter which is passed to those functions is user-controlled." + } + } + ], + "issueId": "XRAY-632613", + "references": [ + "https://github.com/libexpat/libexpat/issues/887", + "https://security-tracker.debian.org/tracker/CVE-2024-45490", + "https://github.com/libexpat/libexpat/pull/890" + ], + "impactPaths": [ + [ + { + "name": "platform.jfrog.io/swamp-docker/swamp", + "version": "latest" + }, + { + "name": "sha256__20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1.tar", + "version": "", + "location": { + "file": "sha256__20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1.tar" + } + }, + { + "name": "debian:bookworm:libexpat1", + "version": "2.5.0-1", + "location": { + "file": "libexpat1:2.5.0-1" + } + } + ] + ], + "jfrogResearchInformation": null + }, + { + "severity": "Critical", + "impactedPackageName": "debian:bookworm:libexpat1", + "impactedPackageVersion": "2.5.0-1", + "impactedPackageType": "Debian", + "components": [ + { + "name": "sha256__20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1.tar", + "version": "", + "location": { + "file": "sha256__20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1.tar" + } + } + ], + "summary": "An issue was discovered in libexpat before 2.6.3. 
nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).", + "applicable": "Not Applicable", + "fixedVersions": null, + "cves": [ + { + "id": "CVE-2024-45492", + "cvssV2": "", + "cvssV3": "9.8", + "applicability": { + "status": "Not Applicable", + "scannerDescription": "The scanner checks whether the current binary was compiled with 32-bit architecture and if any of the vulnerable functions are called:\n\n- `XML_ParseBuffer()`\n- `XML_Parse()`\n\nNote - the vulnerability occurs when certain inputs are passed to those functions." + } + } + ], + "issueId": "XRAY-632612", + "references": [ + "https://github.com/libexpat/libexpat/issues/889", + "https://security-tracker.debian.org/tracker/CVE-2024-45492", + "https://github.com/libexpat/libexpat/pull/892" + ], + "impactPaths": [ + [ + { + "name": "platform.jfrog.io/swamp-docker/swamp", + "version": "latest" + }, + { + "name": "sha256__20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1.tar", + "version": "", + "location": { + "file": "sha256__20f026ae0a91ba4668a54b46f39853dd4c114a84cfedb4144ff24521d3e6dcb1.tar" + } + }, + { + "name": "debian:bookworm:libexpat1", + "version": "2.5.0-1", + "location": { + "file": "libexpat1:2.5.0-1" + } + } + ] + ], + "jfrogResearchInformation": null + }, + { + "severity": "Low", + "impactedPackageName": "debian:bookworm:libapt-pkg6.0", + "impactedPackageVersion": "2.6.1", + "impactedPackageType": "Debian", + "components": [ + { + "name": "sha256__cedb364ef937c7e51179d8e514bdd98644bac5fdc82a45d784ef91afe4bc647e.tar", + "version": "", + "location": { + "file": "sha256__cedb364ef937c7e51179d8e514bdd98644bac5fdc82a45d784ef91afe4bc647e.tar" + } + } + ], + "summary": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.", + "applicable": "Not Applicable", + "fixedVersions": null, + "cves": [ + { + "id": 
"CVE-2011-3374", + "cvssV2": "4.3", + "cvssV3": "3.7", + "applicability": { + "status": "Not Applicable", + "scannerDescription": "The scanner checks if the vulnerable variable `ARCHIVE_KEYRING_URI` in `/usr/bin/apt-key` is not empty and not commented out. This is the URI that an attacker would need to target in a Man-in-the-Middle attack.\n\nThe below prerequisites are also crucial for exploitability but are not checked in the scanner:\n\n1. The command apt-key net-update should be executed on the affected system, or alternatively `apt.auth.net_update()` function from the `python-apt` Python module should be called. This is for the malicious keys download.\n\n2. After the execution of `apt-key net-update`, APT packages should be installed or updated on the machine." + } + } + ], + "issueId": "XRAY-34417", + "references": [ + "https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html", + "https://seclists.org/fulldisclosure/2011/Sep/221", + "https://ubuntu.com/security/CVE-2011-3374", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480", + "https://access.redhat.com/security/cve/cve-2011-3374", + "https://snyk.io/vuln/SNYK-LINUX-APT-116518", + "https://security-tracker.debian.org/tracker/CVE-2011-3374" + ], + "impactPaths": [ + [ + { + "name": "platform.jfrog.io/swamp-docker/swamp", + "version": "latest" + }, + { + "name": "sha256__cedb364ef937c7e51179d8e514bdd98644bac5fdc82a45d784ef91afe4bc647e.tar", + "version": "", + "location": { + "file": "sha256__cedb364ef937c7e51179d8e514bdd98644bac5fdc82a45d784ef91afe4bc647e.tar" + } + }, + { + "name": "debian:bookworm:libapt-pkg6.0", + "version": "2.6.1", + "location": { + "file": "libapt-pkg6.0:2.6.1" + } + } + ] + ], + "jfrogResearchInformation": { + "severity": "High", + "summary": "Improper signature validation in apt-key may enable Man-in-the-Middle attacks and result in code execution.", + "details": "`apt-key` is [`apt`](https://github.com/Debian/apt)'s key management utility, and is used to 
manage the keys that are used by `apt` to authenticate packages.\n\nA vulnerability in `apt-key`'s `net-update` function exists, in which [`GPG`](https://www.gnupg.org/) keys, that are used for signing packages and validating their authenticity, aren't validated correctly. The `net-update` function pulls the signing keys that should be added from an insecure location (`http://...`), exposing it to a Man-in-the-Middle attack in which malicious signing keys could be added to the system's keyring. This issue happens due to a vulnerability in the `add_keys_with_veirfy_against_master_keyring()` function, which allows adding signing keys without proper signature validation. \n\nThis vulnerability then potentially allows a malicious actor to perform a Man-in-the-Middle attack on a target, by making it validate malicious packages that were signed with the `GPG` signing key used by the attacker. Effectively, this means that `apt` can be duped to install malicious services and daemons with root privileges.\n\nThe conditions for this vulnerability to be applicable:\n \n1. A valid URI should be configured in `ARCHIVE_KEYRING_URI` variable in the file `/usr/bin/apt-key`. This is the URI that an attacker would need to target in a Man In The Middle attack.\n2. The command `apt-key net-update` should be executed on the affected system, or alternatively `apt.auth.net_update()` function from [python-apt](https://pypi.org/project/python-apt/) Python module should be called. This is for the malicious keys download.\n3. After the execution of `apt-key net-update`, APT packages should be installed or updated on the machine.\n\nDo note that `apt-key` is **deprecated** and shouldn't be used, and in most Debian versions `ARCHIVE_KEYRING_URI` is not defined, making this vulnerability unexploitable in most Debian systems.", + "severityReasons": [ + { + "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. 
The attacker has to perform per-target research to determine the vulnerable attack vector", + "description": "The conditions for this vulnerability to be applicable:\n \n1. A valid URI should be configured in `ARCHIVE_KEYRING_URI` variable in the file `/usr/bin/apt-key`. This is the URI that an attacker would need to target in a Man-in-the-Middle attack.\n2. The command `apt-key net-update` should be executed on the affected system, or alternatively `apt.auth.net_update()` function from the python-apt Python module should be called. This is for the malicious keys download.\n3. After the execution of `apt-key net-update`, APT packages should be installed or updated on the machine.", + "isPositive": true + }, + { + "name": "The issue can be exploited by attackers over the network", + "description": "This vulnerability is remotely exploitable when the applicability conditions apply." + }, + { + "name": "The issue results in a severe impact (such as remote code execution)", + "description": "Remote code execution is possible when the applicability conditions apply." + }, + { + "name": "The issue has an exploit published", + "description": "The reporter of this issue has provided a GPG key that can be used for an actual attack, as well as a simple PoC example." + } + ], + "remediation": "##### Deployment mitigations\n\n* Dot not execute `apt-key` command, as it is deprecated.\n* Remove the URI configured in `ARCHIVE_KEYRING_URI` variable in the file `/usr/bin/apt-key`." 
+ } + }, + { + "severity": "Low", + "impactedPackageName": "debian:bookworm:apt", + "impactedPackageVersion": "2.6.1", + "impactedPackageType": "Debian", + "components": [ + { + "name": "sha256__cedb364ef937c7e51179d8e514bdd98644bac5fdc82a45d784ef91afe4bc647e.tar", + "version": "", + "location": { + "file": "sha256__cedb364ef937c7e51179d8e514bdd98644bac5fdc82a45d784ef91afe4bc647e.tar" + } + } + ], + "summary": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.", + "applicable": "Not Applicable", + "fixedVersions": null, + "cves": [ + { + "id": "CVE-2011-3374", + "cvssV2": "4.3", + "cvssV3": "3.7", + "applicability": { + "status": "Not Applicable", + "scannerDescription": "The scanner checks if the vulnerable variable `ARCHIVE_KEYRING_URI` in `/usr/bin/apt-key` is not empty and not commented out. This is the URI that an attacker would need to target in a Man-in-the-Middle attack.\n\nThe below prerequisites are also crucial for exploitability but are not checked in the scanner:\n\n1. The command apt-key net-update should be executed on the affected system, or alternatively `apt.auth.net_update()` function from the `python-apt` Python module should be called. This is for the malicious keys download.\n\n2. After the execution of `apt-key net-update`, APT packages should be installed or updated on the machine." 
+ } + } + ], + "issueId": "XRAY-34417", + "references": [ + "https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html", + "https://seclists.org/fulldisclosure/2011/Sep/221", + "https://ubuntu.com/security/CVE-2011-3374", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480", + "https://access.redhat.com/security/cve/cve-2011-3374", + "https://snyk.io/vuln/SNYK-LINUX-APT-116518", + "https://security-tracker.debian.org/tracker/CVE-2011-3374" + ], + "impactPaths": [ + [ + { + "name": "platform.jfrog.io/swamp-docker/swamp", + "version": "latest" + }, + { + "name": "sha256__cedb364ef937c7e51179d8e514bdd98644bac5fdc82a45d784ef91afe4bc647e.tar", + "version": "", + "location": { + "file": "sha256__cedb364ef937c7e51179d8e514bdd98644bac5fdc82a45d784ef91afe4bc647e.tar" + } + }, + { + "name": "debian:bookworm:apt", + "version": "2.6.1", + "location": { + "file": "apt:2.6.1" + } + } + ] + ], + "jfrogResearchInformation": { + "severity": "High", + "summary": "Improper signature validation in apt-key may enable Man-in-the-Middle attacks and result in code execution.", + "details": "`apt-key` is [`apt`](https://github.com/Debian/apt)'s key management utility, and is used to manage the keys that are used by `apt` to authenticate packages.\n\nA vulnerability in `apt-key`'s `net-update` function exists, in which [`GPG`](https://www.gnupg.org/) keys, that are used for signing packages and validating their authenticity, aren't validated correctly. The `net-update` function pulls the signing keys that should be added from an insecure location (`http://...`), exposing it to a Man-in-the-Middle attack in which malicious signing keys could be added to the system's keyring. This issue happens due to a vulnerability in the `add_keys_with_veirfy_against_master_keyring()` function, which allows adding signing keys without proper signature validation. 
\n\nThis vulnerability then potentially allows a malicious actor to perform a Man-in-the-Middle attack on a target, by making it validate malicious packages that were signed with the `GPG` signing key used by the attacker. Effectively, this means that `apt` can be duped to install malicious services and daemons with root privileges.\n\nThe conditions for this vulnerability to be applicable:\n \n1. A valid URI should be configured in `ARCHIVE_KEYRING_URI` variable in the file `/usr/bin/apt-key`. This is the URI that an attacker would need to target in a Man In The Middle attack.\n2. The command `apt-key net-update` should be executed on the affected system, or alternatively `apt.auth.net_update()` function from [python-apt](https://pypi.org/project/python-apt/) Python module should be called. This is for the malicious keys download.\n3. After the execution of `apt-key net-update`, APT packages should be installed or updated on the machine.\n\nDo note that `apt-key` is **deprecated** and shouldn't be used, and in most Debian versions `ARCHIVE_KEYRING_URI` is not defined, making this vulnerability unexploitable in most Debian systems.", + "severityReasons": [ + { + "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", + "description": "The conditions for this vulnerability to be applicable:\n \n1. A valid URI should be configured in `ARCHIVE_KEYRING_URI` variable in the file `/usr/bin/apt-key`. This is the URI that an attacker would need to target in a Man-in-the-Middle attack.\n2. The command `apt-key net-update` should be executed on the affected system, or alternatively `apt.auth.net_update()` function from the python-apt Python module should be called. This is for the malicious keys download.\n3. 
After the execution of `apt-key net-update`, APT packages should be installed or updated on the machine.", + "isPositive": true + }, + { + "name": "The issue can be exploited by attackers over the network", + "description": "This vulnerability is remotely exploitable when the applicability conditions apply." + }, + { + "name": "The issue results in a severe impact (such as remote code execution)", + "description": "Remote code execution is possible when the applicability conditions apply." + }, + { + "name": "The issue has an exploit published", + "description": "The reporter of this issue has provided a GPG key that can be used for an actual attack, as well as a simple PoC example." + } + ], + "remediation": "##### Deployment mitigations\n\n* Dot not execute `apt-key` command, as it is deprecated.\n* Remove the URI configured in `ARCHIVE_KEYRING_URI` variable in the file `/usr/bin/apt-key`." + } + } + ], + "securityViolations": null, + "licensesViolations": null, + "licenses": null, + "operationalRiskViolations": null, + "secrets": [ + { + "severity": "Medium", + "file": "usr/src/app/server/scripts/__pycache__/fetch_github_repo.cpython-311.pyc", + "snippet": "htt************", + "finding": "Hardcoded secrets were found", + "scannerDescription": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. 
For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. The given access to each secret can be dynamically modified or even revoked. 
Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n" + }, + { + "severity": "Medium", + "file": "private/var/folders/xv/th4cksxn7jv9wjrdnn1h4tj00000gq/T/tmpsfyn_3d1/unpacked/filesystem/blobs/sha256/9e88ea9de1b44baba5e96a79e33e4af64334b2bf129e838e12f6dae71b5c86f0/usr/src/app/server/index.js", + "startLine": 5, + "startColumn": 7, + "endLine": 5, + "endColumn": 57, + "snippet": "tok************", + "finding": "Hardcoded secrets were found", + "scannerDescription": "Storing hardcoded secrets in your source code or binary artifact could lead to several risks.\n\nIf the secret is associated with a wide scope of privileges, attackers could extract it from the source code or binary artifact and use it maliciously to attack many targets. 
For example, if the hardcoded password gives high-privilege access to an AWS account, the attackers may be able to query/modify company-wide sensitive data without per-user authentication.\n\n## Best practices\n\nUse safe storage when storing high-privilege secrets such as passwords and tokens, for example -\n\n* ### Environment Variables\n\nEnvironment variables are set outside of the application code, and can be dynamically passed to the application only when needed, for example -\n`SECRET_VAR=MySecret ./my_application`\nThis way, `MySecret` does not have to be hardcoded into `my_application`.\n\nNote that if your entire binary artifact is published (ex. a Docker container published to Docker Hub), the value for the environment variable must not be stored in the artifact itself (ex. inside the `Dockerfile` or one of the container's files) but rather must be passed dynamically, for example in the `docker run` call as an argument.\n\n* ### Secret management services\n\nExternal vendors offer cloud-based secret management services, that provide proper access control to each secret. The given access to each secret can be dynamically modified or even revoked. 
Some examples include -\n\n* [Hashicorp Vault](https://www.vaultproject.io)\n* [AWS KMS](https://aws.amazon.com/kms) (Key Management Service)\n* [Google Cloud KMS](https://cloud.google.com/security-key-management)\n\n## Least-privilege principle\n\nStoring a secret in a hardcoded manner can be made safer, by making sure the secret grants the least amount of privilege as needed by the application.\nFor example - if the application needs to read a specific table from a specific database, and the secret grants access to perform this operation **only** (meaning - no access to other tables, no write access at all) then the damage from any secret leaks is mitigated.\nThat being said, it is still not recommended to store secrets in a hardcoded manner, since this type of storage does not offer any way to revoke or moderate the usage of the secret.\n" + }, + { + "severity": "Medium", + "file": "private/var/folders/xv/th4cksxn7jv9wjrdnn1h4tj00000gq/T/tmpsfyn_3d1/unpacked/filesystem/blobs/sha256/9e88ea9de1b44baba5e96a79e33e4af64334b2bf129e838e12f6dae71b5c86f0/usr/src/app/server/index.js", + "startLine": 6, + "startColumn": 14, + "endLine": 6, + "endColumn": 24, + "snippet": "eyJ************", + "finding": "Secret keys were found", + "scannerDescription": "\nStoring an API key in the image could lead to several risks.\n\nIf the key is associated with a wide scope of privileges, attackers could extract it from a single image or firmware and use it maliciously to attack many targets. 
For example, if the embedded key allows querying/modifying data for all cloud user accounts, without per-user authentication, the attackers who extract it would gain access to system-wide data.\n\nIf the cloud/SaaS provider bills by key usage - for example, every million queries cost the key's owner a fixed sum of money - attackers could use the keys for their own purposes (or just as a form of vandalism), incurring a large cost to the legitimate user or operator.\n\n## Best practices\n\nUse narrow scopes for stored API keys. As much as possible, API keys should be unique per host and require additional authentication with the user's individual credentials for any sensitive actions.\n\nAvoid placing keys whose use incurs costs directly in the image. Store the key with any software or hardware protection available on the host for key storage (such as operating system key-stores, hardware cryptographic storage mechanisms or cloud-managed secure storage services such as [AWS KMS](https://aws.amazon.com/kms/)).\n\nTokens that were detected as exposed should be revoked and replaced -\n\n* [AWS Key Revocation](https://aws.amazon.com/premiumsupport/knowledge-center/delete-access-key/#:~:text=If%20you%20see%20a%20warning,the%20confirmation%20box%2C%20choose%20Deactivate.)\n* [GCP Key Revocation](https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudIAM/delete-api-keys.html)\n* [Azure Key Revocation](https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=Windows#revoke-a-pat)\n* [GitHub Key Revocation](https://docs.github.com/en/rest/apps/oauth-applications#delete-an-app-authorization)\n" + } + ], + "iacViolations": null, + "sastViolations": null, + "errors": null + } \ No newline at end of file diff --git a/tests/testdata/output/dockerscan/docker_summary.json b/tests/testdata/output/dockerscan/docker_summary.json index 8fa8d1ed..f325e059 100644 
--- a/tests/testdata/output/dockerscan/docker_summary.json
+++ b/tests/testdata/output/dockerscan/docker_summary.json
@@ -1,77 +1,43 @@ { - "resultType": "docker_image", - "args": { - "base_jfrog_url": "https://tokyoshiftleft.jfrog.io/", - "docker_image": "nginx:latest" - }, - "summary": { - "scans": [ - { - "target": "/var/folders/xv/th4cksxn7jv9wjrdnn1h4tj00000gq/T/jfrog.cli.temp.-1725978503-2625964325/image.tar", - "name": "nginx:latest", - "vulnerabilities": { - "sca": { - "scan_ids": [ - "f1ca2a08-1d7b-4194-72be-7b84afc51fac" - ], - "security": { - "Critical": { - "Not Applicable": 4, - "Not Covered": 3 - }, - "High": { - "Applicable": 1, - "Not Applicable": 19, - "Not Covered": 5, - "Undetermined": 2 - }, - "Low": { - "Not Applicable": 5, - "Not Covered": 47 - }, - "Medium": { - "Not Applicable": 3, - "Not Covered": 28 - }, - "Unknown": { - "Applicable": 1, - "Not Applicable": 5, - "Not Covered": 21, - "Undetermined": 1 - } - } - }, - "iac": {}, - "secrets": {}, - "sast": {} - }, - "violations": { - "watches": [ - "Security_watch_1" - ], - "sca": { - "scan_ids": [ - "f1ca2a08-1d7b-4194-72be-7b84afc51fac" - ], - "security": { - "Critical": { - "Not Applicable": 4, - "Not Covered": 3 - }, - "High": { - "Applicable": 1, - "Not Applicable": 19, - "Not Covered": 5, - "Undetermined": 2 - }, - "Medium": { - "Not Applicable": 3, - "Not Covered": 28 - } - } - } - } + "scans": [ + { + "target": "/var/folders/xv/th4cksxn7jv9wjrdnn1h4tj00000gq/T/jfrog.cli.temp.-1726210535-1985298017/image.tar", + "name": "platform.jfrog.io/swamp-docker/swamp:latest", + "vulnerabilities": { + "sca": { + "scan_ids": [ + "27da9106-88ea-416b-799b-bc7d15783473" + ], + "security": { + "Critical": { + "Not Applicable": 2, + "Not Covered": 1, + "Undetermined": 1 + }, + "Low": { + "Applicable": 1, + "Not Applicable": 1 + }, + "Unknown": { + "Applicable": 2 + } } - ] - } -} \ No newline at end of file + }, + "iac": {}, + "secrets": { + "Medium": { + "": 3 + } + }, + "sast": {} + }, + "violations": { + "sca": { + "scan_ids": [ + "27da9106-88ea-416b-799b-bc7d15783473" + ] + } + } + } + ] + } \ No newline at end of 
file diff --git a/tests/testdata/projects/jas/jas-config/sast/result.sarif b/tests/testdata/projects/jas/jas-config/sast/result.sarif index 839f3481..c499a4aa 100644 --- a/tests/testdata/projects/jas/jas-config/sast/result.sarif +++ b/tests/testdata/projects/jas/jas-config/sast/result.sarif @@ -63,12 +63,12 @@ { "executionSuccessful": true, "arguments": [ - "/Users/assafa/.jfrog/dependencies/analyzerManager/zd_scanner/scanner", + "/users/user/.jfrog/dependencies/analyzerManager/zd_scanner/scanner", "scan", "/var/folders/xv/th4cksxn7jv9wjrdnn1h4tj00000gq/T/jfrog.cli.temp.-1693492973-1963413933/results.sarif" ], "workingDirectory": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast" + "uri": "file:///Users/user/testdata/xray/jas/sast" } } ], @@ -87,7 +87,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/__init__.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/__init__.py" }, "region": { "endColumn": 39, @@ -117,7 +117,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/__init__.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/__init__.py" }, "region": { "endColumn": 39, @@ -151,7 +151,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 31, @@ -174,7 +174,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 35, 
@@ -197,7 +197,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 44, @@ -220,7 +220,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 16, @@ -243,7 +243,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 10, @@ -266,7 +266,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 10, @@ -295,7 +295,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 10, @@ -329,7 +329,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 31, @@ -352,7 +352,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 35, 
@@ -375,7 +375,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 44, @@ -398,7 +398,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 16, @@ -421,7 +421,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 63, @@ -444,7 +444,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 70, @@ -467,7 +467,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 76, @@ -490,7 +490,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 16, @@ -513,7 +513,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 62, 
@@ -536,7 +536,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 62, @@ -565,7 +565,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 62, @@ -594,7 +594,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/run.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/run.py" }, "region": { "endColumn": 24, diff --git a/tests/testdata/projects/jas/jas/sast/result.sarif b/tests/testdata/projects/jas/jas/sast/result.sarif index 839f3481..c499a4aa 100644 --- a/tests/testdata/projects/jas/jas/sast/result.sarif +++ b/tests/testdata/projects/jas/jas/sast/result.sarif @@ -63,12 +63,12 @@ { "executionSuccessful": true, "arguments": [ - "/Users/assafa/.jfrog/dependencies/analyzerManager/zd_scanner/scanner", + "/users/user/.jfrog/dependencies/analyzerManager/zd_scanner/scanner", "scan", "/var/folders/xv/th4cksxn7jv9wjrdnn1h4tj00000gq/T/jfrog.cli.temp.-1693492973-1963413933/results.sarif" ], "workingDirectory": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast" + "uri": "file:///Users/user/testdata/xray/jas/sast" } } ], @@ -87,7 +87,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/__init__.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/__init__.py" }, "region": { "endColumn": 39, 
@@ -117,7 +117,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/__init__.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/__init__.py" }, "region": { "endColumn": 39, @@ -151,7 +151,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 31, @@ -174,7 +174,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 35, @@ -197,7 +197,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 44, @@ -220,7 +220,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 16, @@ -243,7 +243,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 10, 
@@ -266,7 +266,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 10, @@ -295,7 +295,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 10, @@ -329,7 +329,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 31, @@ -352,7 +352,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 35, @@ -375,7 +375,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 44, @@ -398,7 +398,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 16, @@ -421,7 +421,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 63, 
@@ -444,7 +444,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 70, @@ -467,7 +467,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 76, @@ -490,7 +490,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 16, @@ -513,7 +513,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 62, @@ -536,7 +536,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 62, @@ -565,7 +565,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/flask_webgoat/ui.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/flask_webgoat/ui.py" }, "region": { "endColumn": 62, @@ -594,7 +594,7 @@ ], "physicalLocation": { "artifactLocation": { - "uri": "file:///Users/assafa/Documents/code/cli-projects/jfrog-cli/testdata/xray/jas/sast/run.py" + "uri": "file:///Users/user/testdata/xray/jas/sast/run.py" }, "region": { "endColumn": 24, 
diff --git a/utils/formats/sarifutils/sarifutils.go b/utils/formats/sarifutils/sarifutils.go index 6bc9144d..833f05e6 100644 --- a/utils/formats/sarifutils/sarifutils.go +++ b/utils/formats/sarifutils/sarifutils.go 
@@ -29,6 +29,68 @@ func CombineReports(reports ...*sarif.Report) (combined *sarif.Report, err error return } +func GetToolVersion(run *sarif.Run) string { + if run.Tool.Driver != nil && run.Tool.Driver.Version != nil { + return *run.Tool.Driver.Version + } + return "" +} + +func CopyRunMetadata(run *sarif.Run) (copied *sarif.Run) { + if run == nil { + return + } + copied = sarif.NewRun(*sarif.NewTool(sarif.NewDriver(GetRunToolName(run)))).WithInvocations(run.Invocations) + + if toolFullName := GetRunToolFullName(run); toolFullName != "" { + copied.Tool.Driver.FullName = &toolFullName + } + if toolVersion := GetToolVersion(run); toolVersion != "" { + copied.Tool.Driver.Version = &toolVersion + } + if fullDescription := GetRunToolFullDescription(run); fullDescription != "" { + SetRunToolFullDescriptionText(fullDescription, copied) + } + if fullDescriptionMarkdown := GetRunToolFullDescriptionMarkdown(run); fullDescriptionMarkdown != "" { + SetRunToolFullDescriptionMarkdown(fullDescriptionMarkdown, copied) + } + if language := getRunLanguage(run); language != "" { + copied.Language = &language + } + if informationURI := GetRunToolInformationURI(run); informationURI != "" { + copied.Tool.Driver.InformationURI = &informationURI + } + return +} + +func GetRunToolFullName(run *sarif.Run) string { + if run.Tool.Driver != nil && run.Tool.Driver.FullName != nil { + return *run.Tool.Driver.FullName + } + return "" +} + +func GetRunToolFullDescription(run *sarif.Run) string { + if run.Tool.Driver != nil && run.Tool.Driver.FullDescription != nil && run.Tool.Driver.FullDescription.Text != nil { + return *run.Tool.Driver.FullDescription.Text + } + return "" +} + +func getRunLanguage(run *sarif.Run) string { + if run.Language != nil { + return *run.Language + } + return "" +} + +func GetRunToolInformationURI(run *sarif.Run) string { + if run.Tool.Driver != nil && run.Tool.Driver.InformationURI != nil { + return *run.Tool.Driver.InformationURI + } + return "" +} + func 
NewPhysicalLocation(physicalPath string) *sarif.PhysicalLocation { return &sarif.PhysicalLocation{ ArtifactLocation: &sarif.ArtifactLocation{ @@ -67,14 +129,14 @@ func ReadScanRunsFromFile(fileName string) (sarifRuns []*sarif.Run, err error) { func CopyResult(result *sarif.Result) *sarif.Result { copied := &sarif.Result{ - RuleID: result.RuleID, - RuleIndex: result.RuleIndex, - Kind: result.Kind, + RuleID: result.RuleID, + RuleIndex: result.RuleIndex, + Kind: result.Kind, Fingerprints: result.Fingerprints, CodeFlows: result.CodeFlows, - Level: result.Level, - Message: result.Message, - PropertyBag: result.PropertyBag, + Level: result.Level, + Message: result.Message, + PropertyBag: result.PropertyBag, } for _, location := range result.Locations { copied.Locations = append(copied.Locations, CopyLocation(location)) 
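Review bot: CopyRunMetadata hands the original `run.Invocations` slice to `WithInvocations`, so the "copied" run still shares its invocation objects with the source, and a later change to an invocation's working directory would show on both. If the copy is meant to isolate callers from the original, clone the slice and its elements, or state the limit in a doc comment such as `// CopyRunMetadata returns a new run carrying run's tool name, full name, version, descriptions, language and information URI; Rules and Results are not copied and Invocations is shared by reference.` The new accessors are exported without doc comments, and `GetToolVersion` breaks the `GetRunTool*` naming of its siblings (`GetRunToolFullName`, `GetRunToolInformationURI`), where `GetRunToolVersion` would read consistently. Unlike CopyRunMetadata these accessors do not guard `run == nil`, which is presumably fine only as long as no caller passes a nil run.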
@@ -82,29 +144,56 @@ func CopyResult(result *sarif.Result) *sarif.Result { return copied } +func copyStrAttribute(attr *string) *string { + if attr == nil { + return nil + } + copy := *attr + return © +} + +func copyIntAttribute(attr *int) *int { + if attr == nil { + return nil + } + copy := *attr + return © +} + func CopyLocation(location *sarif.Location) *sarif.Location { - copied := &sarif.Location{ - PhysicalLocation: &sarif.PhysicalLocation{ - ArtifactLocation: &sarif.ArtifactLocation{ - URI: location.PhysicalLocation.ArtifactLocation.URI, - }, - Region: &sarif.Region{ - StartLine: location.PhysicalLocation.Region.StartLine, - StartColumn: location.PhysicalLocation.Region.StartColumn, - EndLine: location.PhysicalLocation.Region.EndLine, - EndColumn: location.PhysicalLocation.Region.EndColumn, - Snippet: location.PhysicalLocation.Region.Snippet, - }, - }, + if location == nil { + return nil + } + copied := sarif.NewLocation() + if location.PhysicalLocation != nil { + copied.PhysicalLocation = &sarif.PhysicalLocation{} + if location.PhysicalLocation.ArtifactLocation != nil { + copied.PhysicalLocation.ArtifactLocation = &sarif.ArtifactLocation{ + URI: copyStrAttribute(location.PhysicalLocation.ArtifactLocation.URI), + } + } + if location.PhysicalLocation.Region != nil { + copied.PhysicalLocation.Region = &sarif.Region{ + StartLine: copyIntAttribute(location.PhysicalLocation.Region.StartLine), + StartColumn: copyIntAttribute(location.PhysicalLocation.Region.StartColumn), + EndLine: copyIntAttribute(location.PhysicalLocation.Region.EndLine), + EndColumn: copyIntAttribute(location.PhysicalLocation.Region.EndColumn), + } + if location.PhysicalLocation.Region.Snippet != nil { + copied.PhysicalLocation.Region.Snippet = &sarif.ArtifactContent{ + Text: copyStrAttribute(location.PhysicalLocation.Region.Snippet.Text), + } + } + } } copied.Properties = location.Properties for _, logicalLocation := range location.LogicalLocations { copied.LogicalLocations = 
append(copied.LogicalLocations, &sarif.LogicalLocation{ - Name: logicalLocation.Name, + Name: logicalLocation.Name, FullyQualifiedName: logicalLocation.FullyQualifiedName, - DecoratedName: logicalLocation.DecoratedName, - Kind: logicalLocation.Kind, - PropertyBag: logicalLocation.PropertyBag, + DecoratedName: logicalLocation.DecoratedName, + Kind: logicalLocation.Kind, + PropertyBag: logicalLocation.PropertyBag, }) } return copied @@ -168,7 +257,7 @@ func GetLogicalLocation(kind string, location *sarif.Location) *sarif.LogicalLoc func GetLocationId(location *sarif.Location) string { return fmt.Sprintf("%s:%s:%d:%d:%d:%d", GetLocationFileName(location), - GetLocationSnippet(location), + GetLocationSnippetText(location), GetLocationStartLine(location), GetLocationStartColumn(location), GetLocationEndLine(location), @@ -183,6 +272,13 @@ func SetRunToolName(toolName string, run *sarif.Run) { run.Tool.Driver.Name = toolName } +func GetRunToolName(run *sarif.Run) string { + if run.Tool.Driver != nil { + return run.Tool.Driver.Name + } + return "" +} + func SetRunToolFullDescriptionText(txt string, run *sarif.Run) { if run.Tool.Driver == nil { run.Tool.Driver = &sarif.ToolComponent{} @@ -218,13 +314,6 @@ func GetRunToolFullDescriptionMarkdown(run *sarif.Run) string { return "" } -func GetRunToolName(run *sarif.Run) string { - if run.Tool.Driver != nil { - return run.Tool.Driver.Name - } - return "" -} - func GetResultsLocationCount(runs ...*sarif.Run) (count int) { for _, run := range runs { for _, result := range run.Results { 
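Review bot: The local named `copy` in copyStrAttribute and copyIntAttribute shadows the builtin `copy` (the page renders the returned address on the next line as `©`); `v := *attr` followed by `return &v` avoids the shadowing that staticcheck and gocritic flag. CopyLocation is also only partly deep: `copied.Properties = location.Properties` shares the property map, and each appended LogicalLocation reuses the source's `Name`, `FullyQualifiedName`, `DecoratedName` and `Kind` pointers, so writes through the copy still reach the original while the URI, region ints and snippet text are isolated. Either clone those fields too or state the limit in a doc comment, e.g. `// CopyLocation deep-copies the physical location (URI, region, snippet text); Properties and logical-location fields are shared with location.`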
@@ -307,19 +396,27 @@ func SetResultFingerprint(algorithm, value string, result *sarif.Result) { func GetResultLocationSnippets(result *sarif.Result) []string { var snippets []string for _, location := range result.Locations { - if snippet := GetLocationSnippet(location); snippet != "" { + if snippet := GetLocationSnippetText(location); snippet != "" { snippets = append(snippets, snippet) } } return snippets } -func GetLocationSnippet(location *sarif.Location) string { +func GetLocationSnippetText(location *sarif.Location) string { + snippetContent := GetLocationSnippet(location) + if snippetContent != nil && snippetContent.Text != nil { + return *snippetContent.Text + } + return "" +} + +func GetLocationSnippet(location *sarif.Location) *sarif.ArtifactContent { region := getLocationRegion(location) if region != nil && region.Snippet != nil { - return *region.Snippet.Text + return region.Snippet } - return "" + return nil } func SetLocationSnippet(location *sarif.Location, snippet string) { diff --git a/utils/formats/sarifutils/sarifutils_test.go b/utils/formats/sarifutils/sarifutils_test.go index 6363b515..ee30cde2 100644 --- a/utils/formats/sarifutils/sarifutils_test.go +++ b/utils/formats/sarifutils/sarifutils_test.go @@ -207,7 +207,7 @@ func TestGetResultMsgText(t *testing.T) { } } -func TestGetLocationSnippet(t *testing.T) { +func TestGetLocationSnippetText(t *testing.T) { tests := []struct { location *sarif.Location expectedOutput string @@ -223,7 +223,7 @@ func TestGetLocationSnippet(t *testing.T) { } for _, test := range tests { - assert.Equal(t, test.expectedOutput, GetLocationSnippet(test.location)) + assert.Equal(t, test.expectedOutput, GetLocationSnippetText(test.location)) } } 
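Review bot: GetLocationSnippetText and the re-typed GetLocationSnippet are exported without doc comments, and changing GetLocationSnippet's return type from string to `*sarif.ArtifactContent` is an API break for any importer of sarifutils, which the commit does not mention. Suggested comments: `// GetLocationSnippetText returns the text of the location's region snippet, or "" when the region, snippet or text is absent.` and `// GetLocationSnippet returns the location's region snippet content, or nil when the region or snippet is absent.`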
@@ -244,7 +244,7 @@ func TestSetLocationSnippet(t *testing.T) { for _, test := range tests { SetLocationSnippet(test.location, test.expectedOutput) - assert.Equal(t, test.expectedOutput, GetLocationSnippet(test.location)) + assert.Equal(t, test.expectedOutput, GetLocationSnippetText(test.location)) } } diff --git a/utils/formats/sarifutils/test_sarifutils.go b/utils/formats/sarifutils/test_sarifutils.go index 4e9f56f1..bbf0621e 100644 --- a/utils/formats/sarifutils/test_sarifutils.go +++ b/utils/formats/sarifutils/test_sarifutils.go @@ -12,11 +12,10 @@ func CreateRunWithDummyResults(results ...*sarif.Result) *sarif.Run { return createRunWithDummyResults("", results...) } -func CreateDummyDriver(toolName, infoURI string, rules ...*sarif.ReportingDescriptor) *sarif.ToolComponent { +func CreateDummyDriver(toolName string, rules ...*sarif.ReportingDescriptor) *sarif.ToolComponent { return &sarif.ToolComponent{ - Name: toolName, - InformationURI: &infoURI, - Rules: rules, + Name: toolName, + Rules: rules, } } @@ -25,7 +24,7 @@ func CreateRunNameWithResults(toolName string, results ...*sarif.Result) *sarif. } func createRunWithDummyResults(toolName string, results ...*sarif.Result) *sarif.Run { - run := sarif.NewRunWithInformationURI(toolName, "") + run := sarif.NewRun(*sarif.NewSimpleTool(toolName)) for _, result := range results { if result.RuleID != nil { run.AddRule(*result.RuleID) diff --git a/utils/results/common.go b/utils/results/common.go index 75b34cf3..295d143c 100644 --- a/utils/results/common.go +++ b/utils/results/common.go 
@@ -244,7 +244,7 @@ func getDirectComponentsAndImpactPaths(target string, impactPaths [][]services.I
 componentId := impactPath[impactPathIndex].ComponentId
 if _, exist := componentsMap[componentId]; !exist {
 compName, compVersion, _ := techutils.SplitComponentId(componentId)
- componentsMap[componentId] = formats.ComponentRow{Name: compName, Version: compVersion, Location: getComponentLocation(target)}
+ componentsMap[componentId] = formats.ComponentRow{Name: compName, Version: compVersion, Location: getComponentLocation(impactPath[impactPathIndex].FullPath, target)}
 }
 // Convert the impact path
@@ -252,8 +252,9 @@ func getDirectComponentsAndImpactPaths(target string, impactPaths [][]services.I
 for _, pathNode := range impactPath {
 nodeCompName, nodeCompVersion, _ := techutils.SplitComponentId(pathNode.ComponentId)
 compImpactPathRows = append(compImpactPathRows, formats.ComponentRow{
- Name: nodeCompName,
- Version: nodeCompVersion,
+ Name: nodeCompName,
+ Version: nodeCompVersion,
+ Location: getComponentLocation(pathNode.FullPath),
 })
 }
 impactPathsRows = append(impactPathsRows, compImpactPathRows)
@@ -265,11 +266,13 @@ func getDirectComponentsAndImpactPaths(target string, impactPaths [][]services.I
 return
 }
-func getComponentLocation(target string) *formats.Location {
- if target == "" {
- return nil
+func getComponentLocation(pathsByPriority ...string) *formats.Location {
+ for _, path := range pathsByPriority {
+ if path != "" {
+ return &formats.Location{File: path}
+ }
 }
- return &formats.Location{File: target}
+ return nil
 }
 func GetIssueIdentifier(cvesRow []formats.CveRow, issueId string, delimiter string) string {
@@ -466,7 +469,7 @@ func GetCveApplicabilityField(cveId string, applicabilityScanResults []*sarif.Ru
 case len(applicability.Evidence) == 0:
 applicability.Status = string(jasutils.NotApplicable)
 default:
- applicability.Status = string(jasutils.NotCovered)
+ applicability.Status = string(jasutils.Applicable)
 }
 return &applicability
 }
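Review bot: In GetCveApplicabilityField the `default` arm now reports `jasutils.Applicable` where it previously reported `NotCovered`, so every result that reaches this arm with non-empty Evidence is classified as applicable in all output formats. Whether the arms above (outside the hunk) already pin the applicable case cannot be seen here; if they do not, CVEs that used to surface as "not covered" are silently promoted, which changes what a user is told to triage. A line comment would make the intent reviewable, e.g. `// Evidence was found for this CVE in the applicability run, so the finding is applicable.` The switch and the enclosing function start outside the hunk.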
@@ -483,7 +486,7 @@ func getEvidence(components map[string]services.Component, result *sarif.Result, StartColumn: sarifutils.GetLocationStartColumn(location), EndLine: sarifutils.GetLocationEndLine(location), EndColumn: sarifutils.GetLocationEndColumn(location), - Snippet: sarifutils.GetLocationSnippet(location), + Snippet: sarifutils.GetLocationSnippetText(location), }, Reason: sarifutils.GetResultMsgText(result), } diff --git a/utils/results/conversion/convertor.go b/utils/results/conversion/convertor.go index ab21bc28..73a37c3a 100644 --- a/utils/results/conversion/convertor.go +++ b/utils/results/conversion/convertor.go @@ -116,7 +116,7 @@ func parseScaResults[T interface{}](params ResultConvertParams, parser ResultsSt return } for _, scaResults := range targetScansResults.ScaResults.XrayResults { - actualTarget := targetScansResults.ScanTarget.Copy(getScaScanTarget(targetScansResults.ScaResults, targetScansResults.Target)) + actualTarget := getScaScanTarget(targetScansResults.ScaResults, targetScansResults.ScanTarget) var applicableRuns []*sarif.Run if jasEntitled && targetScansResults.JasResults != nil { applicableRuns = targetScansResults.JasResults.ApplicabilityScanResults @@ -148,7 +148,7 @@ func parseScaResults[T interface{}](params ResultConvertParams, parser ResultsSt } // Get the best match for the scan target in the sca results -func getScaScanTarget(scaResults *results.ScaScanResults, target string) string { +func getScaScanTarget(scaResults *results.ScaScanResults, target results.ScanTarget) results.ScanTarget { if scaResults == nil || len(scaResults.Descriptors) == 0 { // If No Sca scan or no descriptors discovered, use the scan target (build-scan, binary-scan...) return target 
@@ -157,12 +157,12 @@ func getScaScanTarget(scaResults *results.ScaScanResults, target string) string // This is for multi module projects where there are multiple sca results for the same target var bestMatch string for _, descriptor := range scaResults.Descriptors { - if strings.HasPrefix(descriptor, target) && (bestMatch == "" || len(descriptor) < len(bestMatch)) { + if strings.HasPrefix(descriptor, target.Target) && (bestMatch == "" || len(descriptor) < len(bestMatch)) { bestMatch = descriptor } } if bestMatch != "" { - return bestMatch + return target.Copy(bestMatch) } return target } diff --git a/utils/results/conversion/convertor_test.go b/utils/results/conversion/convertor_test.go index 5e44af73..94a25c91 100644 --- a/utils/results/conversion/convertor_test.go +++ b/utils/results/conversion/convertor_test.go @@ -42,8 +42,24 @@ func getAuditValidationParams() validations.ValidationParams { } } +// For Summary we count unique CVE finding (issueId), for SARIF and SimpleJson we count all findings (pair of issueId+impactedComponent) +// We have in the result 2 CVE with 2 impacted components each +func getDockerScanValidationParams(unique bool) validations.ValidationParams { + params := validations.ValidationParams{ + ExactResultsMatch: true, + Vulnerabilities: 11, + Applicable: 3, + NotApplicable: 3, + NotCovered: 1, + Undetermined: 1, + Secrets: 3, + } + return params +} + func TestConvertResults(t *testing.T) { auditInputResults := testUtils.ReadCmdScanResults(t, filepath.Join(testDataDir, "audit", "audit_results.json")) + dockerScanInputResults := testUtils.ReadCmdScanResults(t, filepath.Join(testDataDir, "dockerscan", "docker_results.json")) testCases := []struct { contentFormat conversionFormat 
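Review bot: `getDockerScanValidationParams(unique bool)` never reads `unique`, although its header comment explains that Summary counts unique issue IDs while SARIF and SimpleJson count issueId+component pairs, so the same fixed counts are asserted for both modes. Either branch on the flag to return the per-mode counts, or drop the parameter and the comment if the counts really coincide. The `params := …` followed by `return params` can also be a direct `return validations.ValidationParams{…}`.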
@@ -65,11 +81,34 @@ func TestConvertResults(t *testing.T) { inputResults: auditInputResults, expectedContentPath: filepath.Join(testDataDir, "audit", "audit_summary.json"), }, + { + contentFormat: SimpleJson, + inputResults: dockerScanInputResults, + expectedContentPath: filepath.Join(testDataDir, "dockerscan", "docker_simple_json.json"), + }, + { + contentFormat: Sarif, + inputResults: dockerScanInputResults, + expectedContentPath: filepath.Join(testDataDir, "dockerscan", "docker_sarif.json"), + }, + { + contentFormat: Summary, + inputResults: dockerScanInputResults, + expectedContentPath: filepath.Join(testDataDir, "dockerscan", "docker_summary.json"), + }, } for _, testCase := range testCases { - t.Run(fmt.Sprintf("Convert to %s", testCase.contentFormat), func(t *testing.T) { - validationParams := getAuditValidationParams() + t.Run(fmt.Sprintf("%s convert to %s", testCase.inputResults.CmdType, testCase.contentFormat), func(t *testing.T) { + var validationParams validations.ValidationParams + switch testCase.inputResults.CmdType { + case utils.SourceCode: + validationParams = getAuditValidationParams() + case utils.DockerImage: + validationParams = getDockerScanValidationParams(testCase.contentFormat == Summary) + default: + t.Fatalf("Unsupported command type: %s", testCase.inputResults.CmdType) + } pretty := false if testCase.contentFormat == Sarif { pretty = true diff --git a/utils/results/conversion/sarifparser/sarifparser.go b/utils/results/conversion/sarifparser/sarifparser.go index dd7e47f9..ef79188c 100644 --- a/utils/results/conversion/sarifparser/sarifparser.go +++ b/utils/results/conversion/sarifparser/sarifparser.go 
@@ -418,15 +418,21 @@ func patchRunsToPassIngestionRules(cmdType utils.CommandType, subScanType utils.
 // Since we run in temp directories files should be relative
 // Patch by converting the file paths to relative paths according to the invocations
 convertPaths(cmdType, subScanType, runs...)
+ patchedRuns := []*sarif.Run{}
+ // Patch changes may alter the original run, so we will create a new run for each
 for _, run := range runs {
+ patched := sarifutils.CopyRunMetadata(run)
 if cmdType.IsTargetBinary() && subScanType == utils.SecretsScan {
 // Patch the tool name in case of binary scan
- sarifutils.SetRunToolName(binarySecretScannerToolName, run)
+ sarifutils.SetRunToolName(binarySecretScannerToolName, patched)
 }
- run.Tool.Driver.Rules = patchRules(cmdType, subScanType, run.Tool.Driver.Rules...)
- run.Results = patchResults(cmdType, subScanType, target, run, run.Results...)
+ if patched.Tool.Driver != nil {
+ patched.Tool.Driver.Rules = patchRules(cmdType, subScanType, run.Tool.Driver.Rules...)
+ }
+ patched.Results = patchResults(cmdType, subScanType, target, run, run.Results...)
+ patchedRuns = append(patchedRuns, patched)
 }
- return runs
+ return patchedRuns
 }
 func convertPaths(commandType utils.CommandType, subScanType utils.SubScanType, runs ...*sarif.Run) {
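Review bot: The guard `if patched.Tool.Driver != nil` checks the copy, but the body reads `run.Tool.Driver.Rules` from the original; CopyRunMetadata always builds a driver via `sarif.NewDriver(GetRunToolName(run))`, and GetRunToolName tolerates a nil original driver, so a run without a driver passes the guard and then panics on the original. Guard the side that is dereferenced: `if run.Tool.Driver != nil && patched.Tool.Driver != nil {`. Note also that `convertPaths(cmdType, subScanType, runs...)` still operates on the original runs before the copy is taken, so the new comment about not altering the original run holds only for the patching that follows (convertPaths' body is outside the hunk). `patchedRuns := []*sarif.Run{}` could be `make([]*sarif.Run, 0, len(runs))` since the count is known.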
@@ -448,37 +454,42 @@ func convertPaths(commandType utils.CommandType, subScanType utils.SubScanType, func patchDockerSecretLocations(result *sarif.Result) { for _, location := range result.Locations { algorithm, layerHash, relativePath := getLayerContentFromPath(sarifutils.GetLocationFileName(location)) - if layerHash != "" { - // Set Logical location kind "layer" with the layer hash - logicalLocation := sarifutils.NewLogicalLocation(layerHash, "layer") - if algorithm != "" { - logicalLocation.Properties = sarif.Properties(map[string]interface{}{"algorithm": algorithm}) - } - location.LogicalLocations = append(location.LogicalLocations, logicalLocation) - } - if relativePath != "" { - sarifutils.SetLocationFileName(location, relativePath) + if algorithm == "" || layerHash == "" || relativePath == "" { + continue } + // Set Logical location kind "layer" with the layer hash + logicalLocation := sarifutils.NewLogicalLocation(layerHash, "layer") + logicalLocation.Properties = sarif.Properties(map[string]interface{}{"algorithm": algorithm}) + location.LogicalLocations = append(location.LogicalLocations, logicalLocation) + sarifutils.SetLocationFileName(location, relativePath) } } func patchRules(commandType utils.CommandType, subScanType utils.SubScanType, rules ...*sarif.ReportingDescriptor) (patched []*sarif.ReportingDescriptor) { patched = []*sarif.ReportingDescriptor{} for _, rule := range rules { - // Github code scanning ingestion rules rejects rules without help content. - // Patch by transferring the full description to the help field. - if rule.Help == nil && rule.FullDescription != nil { - rule.Help = rule.FullDescription - } - // SARIF1001 - if both 'id' and 'name' are present, they must be different. If they are identical, the tool must omit the 'name' property. + cloned := sarif.NewRule(rule.ID) if rule.Name != nil && rule.ID == *rule.Name { - rule.Name = nil + // SARIF1001 - if both 'id' and 'name' are present, they must be different. 
If they are identical, the tool must omit the 'name' property. + cloned.Name = rule.Name } + cloned.ShortDescription = rule.ShortDescription if commandType.IsTargetBinary() && subScanType == utils.SecretsScan { // Patch the rule name in case of binary scan - sarifutils.SetRuleShortDescriptionText(fmt.Sprintf("[Secret in Binary found] %s", sarifutils.GetRuleShortDescriptionText(rule)), rule) + sarifutils.SetRuleShortDescriptionText(fmt.Sprintf("[Secret in Binary found] %s", sarifutils.GetRuleShortDescriptionText(rule)), cloned) } - patched = append(patched, rule) + cloned.FullDescription = rule.FullDescription + cloned.Help = rule.Help + if cloned.Help == nil { + // Github code scanning ingestion rules rejects rules without help content. + // Patch by transferring the full description to the help field. + cloned.Help = rule.FullDescription + } + cloned.HelpURI = rule.HelpURI + cloned.Properties = rule.Properties + cloned.MessageStrings = rule.MessageStrings + + patched = append(patched, cloned) } return } @@ -514,12 +525,17 @@ func patchResults(commandType utils.CommandType, subScanType utils.SubScanType, return patched } +// This method may need to replace the physical location if applicable, to avoid override on the existing object we will return a new object if changed func convertBinaryPhysicalLocations(commandType utils.CommandType, run *sarif.Run, result *sarif.Result) *sarif.Result { if patchedLocation := getPatchedBinaryLocation(commandType, run); patchedLocation != "" { - for _, location := range result.Locations { + patched := sarifutils.CopyResult(result) + for _, location := range patched.Locations { // Patch the location - Reset the uri and region location.PhysicalLocation = sarifutils.NewPhysicalLocation(patchedLocation) } + return patched + } else { + return result } } 
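Review bot: The SARIF1001 condition in patchRules is inverted: `if rule.Name != nil && rule.ID == *rule.Name { cloned.Name = rule.Name }` copies `Name` precisely when it equals `ID`, the case the comment says must be omitted, and drops every name that differs from the ID. The removed code nil-ed the name when identical; the equivalent on the clone is `if rule.Name != nil && rule.ID != *rule.Name {` with the SARIF1001 comment kept above it. The expected rule visible in TestPatchRunsToPassIngestionRules has no Name, so that case would not catch this; a rule with a distinct name and one with `Name == ID` would.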
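Review bot: convertBinaryPhysicalLocations ends with `} else { return result }` after a branch that already returns; dropping the `else` keeps the happy path flat: `return patched`, `}`, `return result`. The new comment above the function is a long sentence fragment rather than a Go doc comment; `// convertBinaryPhysicalLocations resets each location's physical location to the patched binary path. It returns a copy so the input result is not modified, or result itself when no patched location applies.` starts with the name and states the copy contract.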
@@ -659,7 +675,7 @@ func getBinaryLocationMarkdownString(commandType utils.CommandType, subScanType if locationFilePath := sarifutils.GetLocationFileName(location); locationFilePath != "" { content += fmt.Sprintf("\nFilepath: %s", locationFilePath) } - if snippet := sarifutils.GetLocationSnippet(location); snippet != "" { + if snippet := sarifutils.GetLocationSnippetText(location); snippet != "" { content += fmt.Sprintf("\nEvidence: %s", snippet) } return diff --git a/utils/results/conversion/sarifparser/sarifparser_test.go b/utils/results/conversion/sarifparser/sarifparser_test.go index 2613954e..cda59799 100644 --- a/utils/results/conversion/sarifparser/sarifparser_test.go +++ b/utils/results/conversion/sarifparser/sarifparser_test.go 
@@ -408,14 +408,14 @@ func TestPatchRunsToPassIngestionRules(t *testing.T) { expectedResults: []*sarif.Run{ { Tool: sarif.Tool{ - Driver: sarifutils.CreateDummyDriver(binarySecretScannerToolName, "", &sarif.ReportingDescriptor{ + Driver: sarifutils.CreateDummyDriver(binarySecretScannerToolName, &sarif.ReportingDescriptor{ ID: "rule", ShortDescription: sarif.NewMultiformatMessageString("[Secret in Binary found] "), }), }, Invocations: []*sarif.Invocation{sarif.NewInvocation().WithWorkingDirectory(sarif.NewSimpleArtifactLocation(wd))}, Results: []*sarif.Result{ - sarifutils.CreateDummyResultWithFingerprint(fmt.Sprintf("🔒 Found Secrets in Binary docker scanning:\nImage: dockerImage:imageVersion\nLayer (sha1): 9e88ea9de1b44baba5e96a79e33e4af64334b2bf129e838e12f6dae71b5c86f0\nFilepath: %s\nEvidence: snippet", filepath.Join("usr", "src", "app", "server", "index.js")), "", jfrogFingerprintAlgorithmName, "dee156c9fd75a4237102dc8fb29277a2", + sarifutils.CreateDummyResultWithFingerprint(fmt.Sprintf("🔒 Found Secrets in Binary docker scanning:\nImage: dockerImage:imageVersion\nLayer (sha1): 9e88ea9de1b44baba5e96a79e33e4af64334b2bf129e838e12f6dae71b5c86f0\nFilepath: %s\nEvidence: snippet", filepath.Join("usr", "src", "app", "server", "index.js")), "", jfrogFingerprintAlgorithmName, "93d660ebfd39b1220c42c0beb6e4e863", sarifutils.CreateDummyLocationWithPathAndLogicalLocation(filepath.Join("usr", "src", "app", "server", "index.js"), "9e88ea9de1b44baba5e96a79e33e4af64334b2bf129e838e12f6dae71b5c86f0", "layer", "algorithm", "sha1"), ), }, 
@@ -493,8 +493,8 @@ func TestPatchRunsToPassIngestionRules(t *testing.T) { revertWd := clientTests.ChangeDirWithCallback(t, wd, dockerfileDir) defer revertWd() } - patchRunsToPassIngestionRules(tc.cmdType, tc.subScan, tc.target, tc.input...) - assert.ElementsMatch(t, tc.expectedResults, tc.input) + patchedRuns := patchRunsToPassIngestionRules(tc.cmdType, tc.subScan, tc.target, tc.input...) + assert.ElementsMatch(t, tc.expectedResults, patchedRuns) }) } } diff --git a/utils/results/conversion/simplejsonparser/simplejsonparser.go b/utils/results/conversion/simplejsonparser/simplejsonparser.go index 727418fb..7bf22e47 100644 --- a/utils/results/conversion/simplejsonparser/simplejsonparser.go +++ b/utils/results/conversion/simplejsonparser/simplejsonparser.go @@ -312,7 +312,7 @@ func PrepareSimpleJsonJasIssues(entitledForJas, pretty bool, jasIssues ...*sarif StartColumn: sarifutils.GetLocationStartColumn(location), EndLine: sarifutils.GetLocationEndLine(location), EndColumn: sarifutils.GetLocationEndColumn(location), - Snippet: sarifutils.GetLocationSnippet(location), + Snippet: sarifutils.GetLocationSnippetText(location), }, CodeFlow: codeFlowToLocationFlow(sarifutils.GetLocationRelatedCodeFlowsFromResult(location, result), run.Invocations, pretty), }, @@ -337,7 +337,7 @@ func codeFlowToLocationFlow(flows []*sarif.CodeFlow, invocations []*sarif.Invoca StartColumn: sarifutils.GetLocationStartColumn(stackTraceEntry.Location), EndLine: sarifutils.GetLocationEndLine(stackTraceEntry.Location), EndColumn: sarifutils.GetLocationEndColumn(stackTraceEntry.Location), - Snippet: sarifutils.GetLocationSnippet(stackTraceEntry.Location), + Snippet: sarifutils.GetLocationSnippetText(stackTraceEntry.Location), }) } flowRows = append(flowRows, rowFlow) diff --git a/utils/results/conversion/tableparser/tableparser.go b/utils/results/conversion/tableparser/tableparser.go index fe2925f2..5383946f 100644 --- a/utils/results/conversion/tableparser/tableparser.go 
+++ b/utils/results/conversion/tableparser/tableparser.go @@ -28,7 +28,7 @@ func (tc *CmdResultsTableConverter) Get() (formats.ResultsTables, error) { } return formats.ResultsTables{ SecurityVulnerabilitiesTable: formats.ConvertToVulnerabilityTableRow(simpleJsonFormat.Vulnerabilities), - SecurityViolationsTable: formats.ConvertToVulnerabilityTableRow(simpleJsonFormat.SecurityViolations), + SecurityViolationsTable: formats.ConvertToVulnerabilityTableRow(simpleJsonFormat.SecurityViolations), LicenseViolationsTable: formats.ConvertToLicenseViolationTableRow(simpleJsonFormat.LicensesViolations), OperationalRiskViolationsTable: formats.ConvertToOperationalRiskViolationTableRow(simpleJsonFormat.OperationalRiskViolations), SecretsTable: formats.ConvertToSecretsTableRow(simpleJsonFormat.Secrets), diff --git a/utils/results/output/resultwriter.go b/utils/results/output/resultwriter.go index fe4243ec..42f1328f 100644 --- a/utils/results/output/resultwriter.go +++ b/utils/results/output/resultwriter.go @@ -15,7 +15,6 @@ import ( "github.com/jfrog/jfrog-client-go/utils/errorutils" "github.com/jfrog/jfrog-client-go/utils/io/fileutils" "github.com/jfrog/jfrog-client-go/utils/log" - "github.com/jfrog/jfrog-client-go/xray/services" "github.com/owenrumney/go-sarif/v2/sarif" ) @@ -34,8 +33,6 @@ type ResultsWriter struct { isMultipleRoots *bool // PrintExtended, If true, show extended results. printExtended bool - // The scanType (binary,dependency) - scanType services.ScanType // For table format - show table only for the given subScansPreformed subScansPreformed []utils.SubScanType // Messages - Option array of messages, to be displayed if the format is Table 
@@ -56,11 +53,6 @@ func (rw *ResultsWriter) SetIsMultipleRootProject(isMultipleRootProject bool) *R return rw } -func (rw *ResultsWriter) SetScanType(scanType services.ScanType) *ResultsWriter { - rw.scanType = scanType - return rw -} - func (rw *ResultsWriter) SetSubScansPreformed(subScansPreformed []utils.SubScanType) *ResultsWriter { rw.subScansPreformed = subScansPreformed return rw @@ -108,8 +100,8 @@ func isPrettyOutputSupported() bool { return log.IsStdOutTerminal() && log.IsColorsSupported() || os.Getenv("GITLAB_CI") != "" } -func shouldPrintTable(requestedScans []utils.SubScanType, subScan utils.SubScanType, scanType services.ScanType) bool { - if scanType == services.Binary && (subScan == utils.IacScan || subScan == utils.SastScan) { +func shouldPrintTable(requestedScans []utils.SubScanType, subScan utils.SubScanType, cmdType utils.CommandType) bool { + if cmdType.IsTargetBinary() && (subScan == utils.IacScan || subScan == utils.SastScan) { return false } return len(requestedScans) == 0 || slices.Contains(requestedScans, subScan) @@ -189,7 +181,7 @@ func (rw *ResultsWriter) printOrSaveRawResults(printMsg bool) (err error) { if printMsg && !utils.IsCI() { // Save the results to a file and print a link to it. var resultsPath string - if resultsPath, err = writeJsonResults(rw.commandResults); err != nil { + if resultsPath, err = WriteJsonResults(rw.commandResults); err != nil { return } printMessage(coreutils.PrintTitle("The full scan results are available here: ") + coreutils.PrintLink(resultsPath)) 
@@ -213,34 +205,34 @@ func (rw *ResultsWriter) printTables() (err error) { if err = rw.printOrSaveRawResults(true); err != nil { return } - if shouldPrintTable(rw.subScansPreformed, utils.ScaScan, rw.scanType) { + if shouldPrintTable(rw.subScansPreformed, utils.ScaScan, rw.commandResults.CmdType) { if rw.hasViolationContext { - if err = PrintViolationsTable(tableContent, rw.scanType, rw.printExtended); err != nil { + if err = PrintViolationsTable(tableContent, rw.commandResults.CmdType, rw.printExtended); err != nil { return } } if rw.includeVulnerabilities { - if err = PrintVulnerabilitiesTable(tableContent, rw.scanType, len(rw.commandResults.GetTechnologies()) > 0, rw.printExtended); err != nil { + if err = PrintVulnerabilitiesTable(tableContent, rw.commandResults.CmdType, len(rw.commandResults.GetTechnologies()) > 0, rw.printExtended); err != nil { return } } if rw.includeLicenses { - if err = PrintLicensesTable(tableContent, rw.printExtended, rw.scanType); err != nil { + if err = PrintLicensesTable(tableContent, rw.printExtended, rw.commandResults.CmdType); err != nil { return } } } - if shouldPrintTable(rw.subScansPreformed, utils.SecretsScan, rw.scanType) { + if shouldPrintTable(rw.subScansPreformed, utils.SecretsScan, rw.commandResults.CmdType) { if err = PrintJasTable(tableContent, rw.commandResults.EntitledForJas, jasutils.Secrets); err != nil { return } } - if shouldPrintTable(rw.subScansPreformed, utils.IacScan, rw.scanType) { + if shouldPrintTable(rw.subScansPreformed, utils.IacScan, rw.commandResults.CmdType) { if err = PrintJasTable(tableContent, rw.commandResults.EntitledForJas, jasutils.IaC); err != nil { return } } - if !shouldPrintTable(rw.subScansPreformed, utils.SastScan, rw.scanType) { + if !shouldPrintTable(rw.subScansPreformed, utils.SastScan, rw.commandResults.CmdType) { return nil } return PrintJasTable(tableContent, rw.commandResults.EntitledForJas, jasutils.Sast) 
@@ -249,10 +241,10 @@ func (rw *ResultsWriter) printTables() (err error) {
 // PrintVulnerabilitiesTable prints the vulnerabilities in a table.
 // Set printExtended to true to print fields with 'extended' tag.
 // If the scan argument is set to true, print the scan tables.
-func PrintVulnerabilitiesTable(tables formats.ResultsTables, scanType services.ScanType, techDetected, printExtended bool) error {
+func PrintVulnerabilitiesTable(tables formats.ResultsTables, cmdType utils.CommandType, techDetected, printExtended bool) error {
 	// Space before the tables
 	log.Output()
-	if scanType == services.Binary {
+	if cmdType.IsTargetBinary() {
 		return coreutils.PrintTable(formats.ConvertSecurityTableRowToScanTableRow(tables.SecurityVulnerabilitiesTable),
 			"Vulnerable Components",
 			"✨ No vulnerable components were found ✨",
@@ -269,10 +261,10 @@ func PrintVulnerabilitiesTable(tables formats.ResultsTables, scanType services.S
 // PrintViolationsTable prints the violations in 4 tables: security violations, license compliance violations, operational risk violations and ignore rule URLs.
 // Set printExtended to true to print fields with 'extended' tag.
 // If the scan argument is set to true, print the scan tables.
-func PrintViolationsTable(tables formats.ResultsTables, scanType services.ScanType, printExtended bool) (err error) {
+func PrintViolationsTable(tables formats.ResultsTables, cmdType utils.CommandType, printExtended bool) (err error) {
 	// Space before the tables
 	log.Output()
-	if scanType == services.Binary {
+	if cmdType.IsTargetBinary() {
 		err = coreutils.PrintTable(formats.ConvertSecurityTableRowToScanTableRow(tables.SecurityViolationsTable), "Security Violations", "No security violations were found", printExtended)
 		if err != nil {
 			return err
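Review bot: The doc comment above PrintVulnerabilitiesTable still says "If the scan argument is set to true, print the scan tables", but there is no boolean scan argument: the parameter is now `cmdType utils.CommandType` and the branch is `cmdType.IsTargetBinary()`. The same stale sentence sits above PrintViolationsTable in the next hunk and above PrintLicensesTable in the hunk at -305,10; the commit touched the signatures but left all three comments. Replace that sentence in each with `// If cmdType targets a binary (cmdType.IsTargetBinary()), the rows are converted to the scan-table layout before printing.`, which is what the ConvertSecurityTableRowToScanTableRow / ConvertLicenseTableRowToScanTableRow calls in those branches do. Each of the three function bodies continues past its hunk.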
@@ -305,10 +297,10 @@ func PrintViolationsTable(tables formats.ResultsTables, scanType services.ScanTy
 // In case multipleRoots is true, the field Component will show the root of each impact path, otherwise it will show the root's child.
 // Set printExtended to true to print fields with 'extended' tag.
 // If the scan argument is set to true, print the scan tables.
-func PrintLicensesTable(tables formats.ResultsTables, printExtended bool, scanType services.ScanType) error {
+func PrintLicensesTable(tables formats.ResultsTables, printExtended bool, cmdType utils.CommandType) error {
 	// Space before the tables
 	log.Output()
-	if scanType == services.Binary {
+	if cmdType.IsTargetBinary() {
 		return coreutils.PrintTable(formats.ConvertLicenseTableRowToScanTableRow(tables.LicensesTable), "Licenses", "No licenses were found", printExtended)
 	}
 	return coreutils.PrintTable(tables.LicensesTable, "Licenses", "No licenses were found", printExtended)
@@ -334,7 +326,7 @@ func PrintJasTable(tables formats.ResultsTables, entitledForJas bool, scanType j
 	return nil
 }
 
-func writeJsonResults(results *results.SecurityCommandResults) (resultsPath string, err error) {
+func WriteJsonResults(results *results.SecurityCommandResults) (resultsPath string, err error) {
 	out, err := fileutils.CreateTempFile()
 	if errorutils.CheckError(err) != nil {
 		return
diff --git a/utils/validations/test_validate_sarif.go b/utils/validations/test_validate_sarif.go
index 8e0d4bd6..988b2cb6 100644
--- a/utils/validations/test_validate_sarif.go
+++ b/utils/validations/test_validate_sarif.go
@@ -13,8 +13,8 @@ import (
 )
 
 const (
-	SastToolName = "USAF"
-	IacToolName = "JFrog Terraform scanner"
+	SastToolName = "USAF"
+	IacToolName = "JFrog Terraform scanner" // #nosec G101 -- Not credentials.
 	SecretsToolName = "JFrog Secrets scanner"
 )
 
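Review bot: WriteJsonResults is now exported but carries no doc comment, which Go convention requires for exported names, and the rename is the only change the hunk makes to it. Suggest `// WriteJsonResults writes results to a newly created temporary file and returns that file's path.`; if callers outside this package are now expected to remove the file when they are done with it, the comment should say so, since the hunk shows the file is created with fileutils.CreateTempFile and nothing here deletes it. The function body continues past the hunk, so the write itself is not visible here.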
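Review bot: The `#nosec G101 -- Not credentials.` marker is attached to the IacToolName line, but gosec's G101 rule matches identifier names against a pattern that includes "secret", so the declaration most likely to trip it is SecretsToolName on the following line, which this annotation does not cover; as far as I can tell a `#nosec` comment silences only the declaration it is attached to, not sibling specs in the same const block. If gosec really reported IacToolName, the justification should say what was flagged (presumably the string value rather than the name) so the next reader can judge whether the suppression still applies; otherwise move the marker to the SecretsToolName line. Either way, re-running gosec on this file would confirm that the finding is actually silenced.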
