diff --git a/pkg/ctl/ctl_test.go b/pkg/ctl/ctl_test.go index 5e43a46..fc63f8a 100644 --- a/pkg/ctl/ctl_test.go +++ b/pkg/ctl/ctl_test.go @@ -6,7 +6,6 @@ SPDX-License-Identifier: Apache-2.0 package ctl import ( - "context" "testing" "github.com/stretchr/testify/require" @@ -16,74 +15,44 @@ import ( ) func TestVexReport(t *testing.T) { - vexDoc, err := vex.OpenJSON("testdata/test.vex.json") - require.NoError(t, err) - require.NotNil(t, vexDoc) - require.Len(t, vexDoc.Statements, 2) - - report, err := sarif.Open("testdata/nginx.sarif.json") - require.NoError(t, err) - require.NotNil(t, report) - require.Len(t, report.Runs, 1) - require.Len(t, report.Runs[0].Results, 123) - - impl := defaultVexCtlImplementation{} - newReport, err := impl.ApplySingleVEX(report, vexDoc) - require.NoError(t, err) - require.Len(t, newReport.Runs, 1) - require.Len(t, newReport.Runs[0].Results, 122) -} - -func TestMerge(t *testing.T) { - ctx := context.Background() - doc1, err := vex.Load("testdata/document1.vex.json") - require.NoError(t, err) - doc2, err := vex.Load("testdata/document1.vex.json") - require.NoError(t, err) - impl := defaultVexCtlImplementation{} for _, tc := range []struct { - opts MergeOptions - docs []*vex.VEX - expectedDoc *vex.VEX - shouldErr bool + vexDoc string + lenStatements int + sarifDoc string + lenRuns int + lenResults int + lenAfterFilter int }{ - // Zero docs should fail - { - opts: MergeOptions{}, - docs: []*vex.VEX{}, - expectedDoc: &vex.VEX{}, - shouldErr: true, - }, - // One doc results in the same doc - { - opts: MergeOptions{}, - docs: []*vex.VEX{doc1}, - expectedDoc: doc1, - shouldErr: false, - }, - // Two docs, as they are - { - opts: MergeOptions{}, - docs: []*vex.VEX{doc1, doc2}, - expectedDoc: &vex.VEX{ - Metadata: vex.Metadata{}, - Statements: []vex.Statement{ - doc1.Statements[0], - doc2.Statements[0], - }, - }, - shouldErr: false, - }, + // One OpenVEX statement, filters one vuln + {"testdata/sarif/sample.openvex.json", 1, "testdata/sarif/nginx-grype.sarif.json", 1, 99, 98}, + {"testdata/sarif/sample.openvex.json", 1, "testdata/sarif/nginx-trivy.sarif.json", 1, 99, 98}, + {"testdata/sarif/sample.openvex.json", 1, "testdata/sarif/nginx-snyk.sarif.json", 2, 65, 64}, + + // Two OpenVEX statements, filters one vuln + {"testdata/sarif/sample-history.json", 2, "testdata/sarif/nginx-grype.sarif.json", 1, 99, 98}, + {"testdata/sarif/sample-history.json", 2, "testdata/sarif/nginx-trivy.sarif.json", 1, 99, 98}, + {"testdata/sarif/sample-history.json", 2, "testdata/sarif/nginx-snyk.sarif.json", 2, 65, 64}, + + // Two OpenVEX statements, filters two vuln + {"testdata/sarif/sample-2vulns.json", 2, "testdata/sarif/nginx-grype.sarif.json", 1, 99, 96}, + {"testdata/sarif/sample-2vulns.json", 2, "testdata/sarif/nginx-trivy.sarif.json", 1, 99, 96}, + {"testdata/sarif/sample-2vulns.json", 2, "testdata/sarif/nginx-snyk.sarif.json", 2, 65, 63}, } { - doc, err := impl.Merge(ctx, &tc.opts, tc.docs) - if tc.shouldErr { - require.Error(t, err) - continue - } - - // Check doc - require.Len(t, doc.Statements, len(tc.expectedDoc.Statements)) - require.Equal(t, doc.Statements, tc.expectedDoc.Statements) + vexDoc, err := vex.Open(tc.vexDoc) + require.NoError(t, err) + require.NotNil(t, vexDoc) + require.Len(t, vexDoc.Statements, tc.lenStatements) + + report, err := sarif.Open(tc.sarifDoc) + require.NoError(t, err) + require.NotNil(t, report) + require.Len(t, report.Runs, tc.lenRuns) + require.Len(t, report.Runs[0].Results, tc.lenResults) + + newReport, err := impl.ApplySingleVEX(report, vexDoc) + require.NoError(t, err) + require.Len(t, newReport.Runs, tc.lenRuns) + require.Len(t, newReport.Runs[0].Results, tc.lenAfterFilter) } } diff --git a/pkg/ctl/implementation_test.go b/pkg/ctl/implementation_test.go index e4c99bc..2162af1 100644 --- a/pkg/ctl/implementation_test.go +++ b/pkg/ctl/implementation_test.go @@ -6,6 +6,7 @@ SPDX-License-Identifier: Apache-2.0 package ctl import ( + "context" "testing" intoto "github.com/in-toto/in-toto-golang/in_toto" @@ -106,11 +107,15 @@ func TestListDocumentProducts(t *testing.T) { }, }, { - "testdata/document1.vex.json", + "testdata/v001-1.vex.json", + []string{"pkg:apk/wolfi/bash@1.0.0"}, + }, + { + "testdata/v020-1.vex.json", []string{"pkg:apk/wolfi/bash@1.0.0"}, }, } { - doc, err := vex.OpenJSON(tc.path) + doc, err := vex.Open(tc.path) require.NoError(t, err) prods, err := impl.ListDocumentProducts(doc) require.NoError(t, err) @@ -155,7 +160,18 @@ func TestVerifyImageSubjects(t *testing.T) { doc := vex.New() for _, p := range tc.products { doc.Statements = append( - doc.Statements, vex.Statement{Products: []string{p}}, + doc.Statements, vex.Statement{ + Products: []vex.Product{ + { + Component: vex.Component{ + ID: p, + Hashes: map[vex.Algorithm]vex.Hash{}, + Identifiers: map[vex.IdentifierType]string{}, + }, + Subcomponents: []vex.Subcomponent{}, + }, + }, + }, ) } err := impl.VerifyImageSubjects(att, &doc) @@ -166,3 +182,90 @@ func TestVerifyImageSubjects(t *testing.T) { } } } + +func TestMerge(t *testing.T) { + ctx := context.Background() + doc1, err := vex.Open("testdata/v001-1.vex.json") + require.NoError(t, err) + doc2, err := vex.Open("testdata/v001-2.vex.json") + require.NoError(t, err) + + doc3, err := vex.Open("testdata/v020-1.vex.json") + require.NoError(t, err) + doc4, err := vex.Open("testdata/v020-2.vex.json") + require.NoError(t, err) + + impl := defaultVexCtlImplementation{} + for _, tc := range []struct { + opts MergeOptions + docs []*vex.VEX + expectedDoc *vex.VEX + shouldErr bool + }{ + // Zero docs should fail + { + opts: MergeOptions{}, + docs: []*vex.VEX{}, + expectedDoc: &vex.VEX{}, + shouldErr: true, + }, + // One doc results in the same doc + { + opts: MergeOptions{}, + docs: []*vex.VEX{doc1}, + expectedDoc: doc1, + shouldErr: false, + }, + // Two docs, as they are + { + opts: MergeOptions{}, + docs: []*vex.VEX{doc1, doc2}, + expectedDoc: &vex.VEX{ + Metadata: vex.Metadata{}, + Statements: []vex.Statement{ + doc1.Statements[0], + doc2.Statements[0], + }, + }, + shouldErr: false, + }, + // Two docs, filter product + { + opts: MergeOptions{ + Products: []string{"pkg:apk/wolfi/git@2.41.0-1"}, + }, + docs: []*vex.VEX{doc3, doc4}, + expectedDoc: &vex.VEX{ + Metadata: vex.Metadata{}, + Statements: []vex.Statement{ + doc4.Statements[0], + }, + }, + shouldErr: false, + }, + // Two docs, filter vulnerability + { + opts: MergeOptions{ + Vulnerabilities: []string{"CVE-9876-54321"}, + }, + docs: []*vex.VEX{doc3, doc4}, + expectedDoc: &vex.VEX{ + Metadata: vex.Metadata{}, + Statements: []vex.Statement{ + doc3.Statements[0], + }, + }, + shouldErr: false, + }, + } { + doc, err := impl.Merge(ctx, &tc.opts, tc.docs) + if tc.shouldErr { + require.Error(t, err) + continue + } + + // Check doc + require.Len(t, doc.Statements, len(tc.expectedDoc.Statements)) + require.Equal(t, doc.Statements, tc.expectedDoc.Statements) + } +} diff --git a/pkg/ctl/testdata/images.vex.json b/pkg/ctl/testdata/images.vex.json index 9a629c0..97ee4c2 100644 --- a/pkg/ctl/testdata/images.vex.json +++ b/pkg/ctl/testdata/images.vex.json @@ -1,6 +1,6 @@ { - "id": "my-vexdoc", - "format": "text/vex+json", + "@context": "https://openvex.dev/ns", + "@id": "https://openvex.dev/docs/public/vex-c387e5e30d92b7a54412468ebc3af98805b5d8a8e60e9b1cabda755ff6a6ae57", "author": "John Doe", "role": "vex issuer", "statements": [ diff --git a/pkg/ctl/testdata/sarif/nginx-grype.sarif.json b/pkg/ctl/testdata/sarif/nginx-grype.sarif.json new file mode 100644 index 0000000..277dc91 --- /dev/null +++ b/pkg/ctl/testdata/sarif/nginx-grype.sarif.json @@ -0,0 +1,5386 @@ +{ + "version": "2.1.0", + "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json", + "runs": [ + { + "tool": { + "driver": { + "name": "Grype", + "version": "0.63.0", + "informationUri": "https://github.com/anchore/grype", + "rules": [ + { + "id": "CVE-2005-2541-tar", + "name": "DpkgMatcherExactDirectMatch", + "shortDescription": { + "text": "CVE-2005-2541 low vulnerability for tar package" + }, + "fullDescription": { + "text": "Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2005-2541\nSeverity: low\nPackage: tar\nVersion: 1.34+dfsg-1.2\nFix Version: \nType: deb\nLocation: /usr/share/doc/tar/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2005-2541](https://security-tracker.debian.org/tracker/CVE-2005-2541)", + "markdown": "**Vulnerability CVE-2005-2541**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | tar | 1.34+dfsg-1.2 | | deb | /usr/share/doc/tar/copyright | debian:distro:debian:12 | [CVE-2005-2541](https://security-tracker.debian.org/tracker/CVE-2005-2541) |\n" + }, + "properties": { + "security-severity": "10.0" + } + }, + { + "id": "CVE-2007-5686-login", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2007-5686 low vulnerability for login package" + }, + "fullDescription": { + "text": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2007-5686\nSeverity: low\nPackage: login\nVersion: 1:4.13+dfsg1-1+b1\nFix Version: \nType: deb\nLocation: /usr/share/doc/login/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2007-5686](https://security-tracker.debian.org/tracker/CVE-2007-5686)", + "markdown": "**Vulnerability CVE-2007-5686**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | login | 1:4.13+dfsg1-1+b1 | | deb | /usr/share/doc/login/copyright | debian:distro:debian:12 | [CVE-2007-5686](https://security-tracker.debian.org/tracker/CVE-2007-5686) |\n" + }, + "properties": { + "security-severity": "4.9" + } + }, + { + "id": "CVE-2007-5686-passwd", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2007-5686 low vulnerability for passwd package" + }, + "fullDescription": { + "text": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2007-5686\nSeverity: low\nPackage: passwd\nVersion: 1:4.13+dfsg1-1+b1\nFix Version: \nType: deb\nLocation: /usr/share/doc/passwd/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2007-5686](https://security-tracker.debian.org/tracker/CVE-2007-5686)", + "markdown": "**Vulnerability CVE-2007-5686**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | passwd | 1:4.13+dfsg1-1+b1 | | deb | /usr/share/doc/passwd/copyright | debian:distro:debian:12 | [CVE-2007-5686](https://security-tracker.debian.org/tracker/CVE-2007-5686) |\n" + }, + "properties": { + "security-severity": "4.9" + } + }, + { + "id": "CVE-2007-6755-libssl3", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2007-6755 low vulnerability for libssl3 package" + }, + "fullDescription": { + "text": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain \"skeleton key\" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2007-6755\nSeverity: low\nPackage: libssl3\nVersion: 3.0.9-1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libssl3/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2007-6755](https://security-tracker.debian.org/tracker/CVE-2007-6755)", + "markdown": "**Vulnerability CVE-2007-6755**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libssl3 | 3.0.9-1 | | deb | /usr/share/doc/libssl3/copyright | debian:distro:debian:12 | [CVE-2007-6755](https://security-tracker.debian.org/tracker/CVE-2007-6755) |\n" + }, + "properties": { + "security-severity": "5.8" + } + }, + { + "id": "CVE-2007-6755-openssl", + "name": "DpkgMatcherExactDirectMatch", + "shortDescription": { + "text": "CVE-2007-6755 low vulnerability for openssl package" + }, + "fullDescription": { + "text": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain \"skeleton key\" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2007-6755\nSeverity: low\nPackage: openssl\nVersion: 3.0.9-1\nFix Version: \nType: deb\nLocation: /usr/share/doc/openssl/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2007-6755](https://security-tracker.debian.org/tracker/CVE-2007-6755)", + "markdown": "**Vulnerability CVE-2007-6755**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | openssl | 3.0.9-1 | | deb | /usr/share/doc/openssl/copyright | debian:distro:debian:12 | [CVE-2007-6755](https://security-tracker.debian.org/tracker/CVE-2007-6755) |\n" + }, + "properties": { + "security-severity": "5.8" + } + }, + { + "id": "CVE-2009-4487-nginx", + "name": "DpkgMatcherExactDirectMatch", + "shortDescription": { + "text": "CVE-2009-4487 low vulnerability for nginx package" + }, + "fullDescription": { + "text": "nginx 0.7.64 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2009-4487\nSeverity: low\nPackage: nginx\nVersion: 1.25.2-1~bookworm\nFix Version: \nType: deb\nLocation: /usr/share/doc/nginx/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2009-4487](https://security-tracker.debian.org/tracker/CVE-2009-4487)", + "markdown": "**Vulnerability CVE-2009-4487**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | nginx | 1.25.2-1~bookworm | | deb | /usr/share/doc/nginx/copyright | debian:distro:debian:12 | [CVE-2009-4487](https://security-tracker.debian.org/tracker/CVE-2009-4487) |\n" + }, + "properties": { + "security-severity": "6.8" + } + }, + { + "id": "CVE-2010-0928-libssl3", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2010-0928 low vulnerability for libssl3 package" + }, + "fullDescription": { + "text": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"" + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2010-0928\nSeverity: low\nPackage: libssl3\nVersion: 3.0.9-1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libssl3/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2010-0928](https://security-tracker.debian.org/tracker/CVE-2010-0928)", + "markdown": "**Vulnerability CVE-2010-0928**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libssl3 | 3.0.9-1 | | deb | /usr/share/doc/libssl3/copyright | debian:distro:debian:12 | [CVE-2010-0928](https://security-tracker.debian.org/tracker/CVE-2010-0928) |\n" + }, + "properties": { + "security-severity": "4.0" + } + }, + { + "id": "CVE-2010-0928-openssl", + "name": "DpkgMatcherExactDirectMatch", + "shortDescription": { + "text": "CVE-2010-0928 low vulnerability for openssl package" + }, + "fullDescription": { + "text": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"" + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2010-0928\nSeverity: low\nPackage: openssl\nVersion: 3.0.9-1\nFix Version: \nType: deb\nLocation: /usr/share/doc/openssl/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2010-0928](https://security-tracker.debian.org/tracker/CVE-2010-0928)", + "markdown": "**Vulnerability CVE-2010-0928**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | openssl | 3.0.9-1 | | deb | /usr/share/doc/openssl/copyright | debian:distro:debian:12 | [CVE-2010-0928](https://security-tracker.debian.org/tracker/CVE-2010-0928) |\n" + }, + "properties": { + "security-severity": "4.0" + } + }, + { + "id": "CVE-2010-4756-libc-bin", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2010-4756 low vulnerability for libc-bin package" + }, + "fullDescription": { + "text": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2010-4756\nSeverity: low\nPackage: libc-bin\nVersion: 2.36-9+deb12u1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libc-bin/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2010-4756](https://security-tracker.debian.org/tracker/CVE-2010-4756)", + "markdown": "**Vulnerability CVE-2010-4756**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libc-bin | 2.36-9+deb12u1 | | deb | /usr/share/doc/libc-bin/copyright | debian:distro:debian:12 | [CVE-2010-4756](https://security-tracker.debian.org/tracker/CVE-2010-4756) |\n" + }, + "properties": { + "security-severity": "4.0" + } + }, + { + "id": "CVE-2010-4756-libc6", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2010-4756 low vulnerability for libc6 package" + }, + "fullDescription": { + "text": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2010-4756\nSeverity: low\nPackage: libc6\nVersion: 2.36-9+deb12u1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libc6/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2010-4756](https://security-tracker.debian.org/tracker/CVE-2010-4756)", + "markdown": "**Vulnerability CVE-2010-4756**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libc6 | 2.36-9+deb12u1 | | deb | /usr/share/doc/libc6/copyright | debian:distro:debian:12 | [CVE-2010-4756](https://security-tracker.debian.org/tracker/CVE-2010-4756) |\n" + }, + "properties": { + "security-severity": "4.0" + } + }, + { + "id": "CVE-2011-3374-apt", + "name": "DpkgMatcherExactDirectMatch", + "shortDescription": { + "text": "CVE-2011-3374 low vulnerability for apt package" + }, + "fullDescription": { + "text": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2011-3374\nSeverity: low\nPackage: apt\nVersion: 2.6.1\nFix Version: \nType: deb\nLocation: /usr/share/doc/apt/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2011-3374](https://security-tracker.debian.org/tracker/CVE-2011-3374)", + "markdown": "**Vulnerability CVE-2011-3374**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | apt | 2.6.1 | | deb | /usr/share/doc/apt/copyright | debian:distro:debian:12 | [CVE-2011-3374](https://security-tracker.debian.org/tracker/CVE-2011-3374) |\n" + }, + "properties": { + "security-severity": "4.3" + } + }, + { + "id": "CVE-2011-3374-libapt-pkg6.0", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2011-3374 low vulnerability for libapt-pkg6.0 package" + }, + "fullDescription": { + "text": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2011-3374\nSeverity: low\nPackage: libapt-pkg6.0\nVersion: 2.6.1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libapt-pkg6.0/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2011-3374](https://security-tracker.debian.org/tracker/CVE-2011-3374)", + "markdown": "**Vulnerability CVE-2011-3374**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libapt-pkg6.0 | 2.6.1 | | deb | /usr/share/doc/libapt-pkg6.0/copyright | debian:distro:debian:12 | [CVE-2011-3374](https://security-tracker.debian.org/tracker/CVE-2011-3374) |\n" + }, + "properties": { + "security-severity": "4.3" + } + }, + { + "id": "CVE-2011-3389-libgnutls30", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2011-3389 low vulnerability for libgnutls30 package" + }, + "fullDescription": { + "text": "The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a \"BEAST\" attack." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2011-3389\nSeverity: low\nPackage: libgnutls30\nVersion: 3.7.9-2\nFix Version: \nType: deb\nLocation: /usr/share/doc/libgnutls30/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2011-3389](https://security-tracker.debian.org/tracker/CVE-2011-3389)", + "markdown": "**Vulnerability CVE-2011-3389**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libgnutls30 | 3.7.9-2 | | deb | /usr/share/doc/libgnutls30/copyright | debian:distro:debian:12 | [CVE-2011-3389](https://security-tracker.debian.org/tracker/CVE-2011-3389) |\n" + }, + "properties": { + "security-severity": "4.3" + } + }, + { + "id": "CVE-2011-4116-perl-base", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2011-4116 low vulnerability for perl-base package" + }, + "fullDescription": { + "text": "_is_safe in the File::Temp module for Perl does not properly handle symlinks." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2011-4116\nSeverity: low\nPackage: perl-base\nVersion: 5.36.0-7\nFix Version: \nType: deb\nLocation: /usr/share/doc/perl-base/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2011-4116](https://security-tracker.debian.org/tracker/CVE-2011-4116)", + "markdown": "**Vulnerability CVE-2011-4116**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | perl-base | 5.36.0-7 | | deb | /usr/share/doc/perl-base/copyright | debian:distro:debian:12 | [CVE-2011-4116](https://security-tracker.debian.org/tracker/CVE-2011-4116) |\n" + }, + "properties": { + "security-severity": "7.5" + } + }, + { + "id": "CVE-2013-0337-nginx", + "name": "DpkgMatcherExactDirectMatch", + "shortDescription": { + "text": "CVE-2013-0337 low vulnerability for nginx package" + }, + "fullDescription": { + "text": "The default configuration of nginx, possibly 1.3.13 and earlier, uses world-readable permissions for the (1) access.log and (2) error.log files, which allows local users to obtain sensitive information by reading the files." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2013-0337\nSeverity: low\nPackage: nginx\nVersion: 1.25.2-1~bookworm\nFix Version: \nType: deb\nLocation: /usr/share/doc/nginx/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2013-0337](https://security-tracker.debian.org/tracker/CVE-2013-0337)", + "markdown": "**Vulnerability CVE-2013-0337**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | nginx | 1.25.2-1~bookworm | | deb | /usr/share/doc/nginx/copyright | debian:distro:debian:12 | [CVE-2013-0337](https://security-tracker.debian.org/tracker/CVE-2013-0337) |\n" + }, + "properties": { + "security-severity": "7.5" + } + }, + { + "id": "CVE-2013-4392-libsystemd0", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2013-4392 low vulnerability for libsystemd0 package" + }, + "fullDescription": { + "text": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2013-4392\nSeverity: low\nPackage: libsystemd0\nVersion: 252.12-1~deb12u1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libsystemd0/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2013-4392](https://security-tracker.debian.org/tracker/CVE-2013-4392)", + "markdown": "**Vulnerability CVE-2013-4392**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libsystemd0 | 252.12-1~deb12u1 | | deb | /usr/share/doc/libsystemd0/copyright | debian:distro:debian:12 | [CVE-2013-4392](https://security-tracker.debian.org/tracker/CVE-2013-4392) |\n" + }, + "properties": { + "security-severity": "3.3" + } + }, + { + "id": "CVE-2013-4392-libudev1", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2013-4392 low vulnerability for libudev1 package" + }, + "fullDescription": { + "text": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2013-4392\nSeverity: low\nPackage: libudev1\nVersion: 252.12-1~deb12u1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libudev1/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2013-4392](https://security-tracker.debian.org/tracker/CVE-2013-4392)", + "markdown": "**Vulnerability CVE-2013-4392**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libudev1 | 252.12-1~deb12u1 | | deb | /usr/share/doc/libudev1/copyright | debian:distro:debian:12 | [CVE-2013-4392](https://security-tracker.debian.org/tracker/CVE-2013-4392) |\n" + }, + "properties": { + "security-severity": "3.3" + } + }, + { + "id": "CVE-2015-3276-libldap-2.5-0", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2015-3276 low vulnerability for libldap-2.5-0 package" + }, + "fullDescription": { + "text": "The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2015-3276\nSeverity: low\nPackage: libldap-2.5-0\nVersion: 2.5.13+dfsg-5\nFix Version: \nType: deb\nLocation: /usr/share/doc/libldap-2.5-0/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2015-3276](https://security-tracker.debian.org/tracker/CVE-2015-3276)", + "markdown": "**Vulnerability CVE-2015-3276**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libldap-2.5-0 | 2.5.13+dfsg-5 | | deb | /usr/share/doc/libldap-2.5-0/copyright | debian:distro:debian:12 | [CVE-2015-3276](https://security-tracker.debian.org/tracker/CVE-2015-3276) |\n" + }, + "properties": { + "security-severity": "7.5" + } + }, + { + "id": "CVE-2015-9019-libxslt1.1", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2015-9019 low vulnerability for libxslt1.1 package" + }, + "fullDescription": { + "text": "In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2015-9019\nSeverity: low\nPackage: libxslt1.1\nVersion: 1.1.35-1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libxslt1.1/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2015-9019](https://security-tracker.debian.org/tracker/CVE-2015-9019)", + "markdown": "**Vulnerability CVE-2015-9019**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libxslt1.1 | 1.1.35-1 | | deb | /usr/share/doc/libxslt1.1/copyright | debian:distro:debian:12 | [CVE-2015-9019](https://security-tracker.debian.org/tracker/CVE-2015-9019) |\n" + }, + "properties": { + "security-severity": "5.3" + } + }, + { + "id": "CVE-2016-2781-coreutils", + "name": "DpkgMatcherExactDirectMatch", + "shortDescription": { + "text": "CVE-2016-2781 low vulnerability for coreutils package" + }, + "fullDescription": { + "text": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2016-2781\nSeverity: low\nPackage: coreutils\nVersion: 9.1-1\nFix Version: \nType: deb\nLocation: /usr/share/doc/coreutils/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2016-2781](https://security-tracker.debian.org/tracker/CVE-2016-2781)", + "markdown": "**Vulnerability CVE-2016-2781**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | coreutils | 9.1-1 | | deb | /usr/share/doc/coreutils/copyright | debian:distro:debian:12 | [CVE-2016-2781](https://security-tracker.debian.org/tracker/CVE-2016-2781) |\n" + }, + "properties": { + "security-severity": "6.5" + } + }, + { + "id": "CVE-2017-14159-libldap-2.5-0", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2017-14159 low vulnerability for libldap-2.5-0 package" + }, + "fullDescription": { + "text": "slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a \"kill `cat /pathname`\" command, as demonstrated by openldap-initscript." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2017-14159\nSeverity: low\nPackage: libldap-2.5-0\nVersion: 2.5.13+dfsg-5\nFix Version: \nType: deb\nLocation: /usr/share/doc/libldap-2.5-0/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2017-14159](https://security-tracker.debian.org/tracker/CVE-2017-14159)", + "markdown": "**Vulnerability CVE-2017-14159**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libldap-2.5-0 | 2.5.13+dfsg-5 | | deb | /usr/share/doc/libldap-2.5-0/copyright | debian:distro:debian:12 | [CVE-2017-14159](https://security-tracker.debian.org/tracker/CVE-2017-14159) |\n" + }, + "properties": { + "security-severity": "4.7" + } + }, + { + "id": "CVE-2017-16232-libtiff6", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2017-16232 low vulnerability for libtiff6 package" + }, + "fullDescription": { + "text": "** DISPUTED ** LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce the issue." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2017-16232\nSeverity: low\nPackage: libtiff6\nVersion: 4.5.0-6\nFix Version: \nType: deb\nLocation: /usr/share/doc/libtiff6/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2017-16232](https://security-tracker.debian.org/tracker/CVE-2017-16232)", + "markdown": "**Vulnerability CVE-2017-16232**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libtiff6 | 4.5.0-6 | | deb | /usr/share/doc/libtiff6/copyright | debian:distro:debian:12 | [CVE-2017-16232](https://security-tracker.debian.org/tracker/CVE-2017-16232) |\n" + }, + "properties": { + "security-severity": "7.5" + } + }, + { + "id": "CVE-2017-17740-libldap-2.5-0", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2017-17740 low vulnerability for libldap-2.5-0 package" + }, + "fullDescription": { + "text": "contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2017-17740\nSeverity: low\nPackage: libldap-2.5-0\nVersion: 2.5.13+dfsg-5\nFix Version: \nType: deb\nLocation: /usr/share/doc/libldap-2.5-0/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2017-17740](https://security-tracker.debian.org/tracker/CVE-2017-17740)", + "markdown": "**Vulnerability CVE-2017-17740**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libldap-2.5-0 | 2.5.13+dfsg-5 | | deb | /usr/share/doc/libldap-2.5-0/copyright | debian:distro:debian:12 | [CVE-2017-17740](https://security-tracker.debian.org/tracker/CVE-2017-17740) |\n" + }, + "properties": { + "security-severity": "7.5" + } + }, + { + "id": "CVE-2017-17973-libtiff6", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2017-17973 low vulnerability for libtiff6 package" + }, + "fullDescription": { + "text": "** DISPUTED ** In LibTIFF 4.0.8, there is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. NOTE: there is a third-party report of inability to reproduce this issue." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2017-17973\nSeverity: low\nPackage: libtiff6\nVersion: 4.5.0-6\nFix Version: \nType: deb\nLocation: /usr/share/doc/libtiff6/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2017-17973](https://security-tracker.debian.org/tracker/CVE-2017-17973)", + "markdown": "**Vulnerability CVE-2017-17973**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libtiff6 | 4.5.0-6 | | deb | /usr/share/doc/libtiff6/copyright | debian:distro:debian:12 | [CVE-2017-17973](https://security-tracker.debian.org/tracker/CVE-2017-17973) |\n" + }, + "properties": { + "security-severity": "8.8" + } + }, + { + "id": "CVE-2017-18018-coreutils", + "name": "DpkgMatcherExactDirectMatch", + "shortDescription": { + "text": "CVE-2017-18018 low vulnerability for coreutils package" + }, + "fullDescription": { + "text": "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2017-18018\nSeverity: low\nPackage: coreutils\nVersion: 9.1-1\nFix Version: \nType: deb\nLocation: /usr/share/doc/coreutils/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2017-18018](https://security-tracker.debian.org/tracker/CVE-2017-18018)", + "markdown": "**Vulnerability CVE-2017-18018**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | coreutils | 9.1-1 | | deb | /usr/share/doc/coreutils/copyright | debian:distro:debian:12 | [CVE-2017-18018](https://security-tracker.debian.org/tracker/CVE-2017-18018) |\n" + }, + "properties": { + "security-severity": "4.7" + } + }, + { + "id": "CVE-2017-5563-libtiff6", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2017-5563 low vulnerability for libtiff6 package" + }, + "fullDescription": { + "text": "LibTIFF version 4.0.7 is vulnerable to a heap-based buffer over-read in tif_lzw.c resulting in DoS or code execution via a crafted bmp image to tools/bmp2tiff." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2017-5563\nSeverity: low\nPackage: libtiff6\nVersion: 4.5.0-6\nFix Version: \nType: deb\nLocation: /usr/share/doc/libtiff6/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2017-5563](https://security-tracker.debian.org/tracker/CVE-2017-5563)", + "markdown": "**Vulnerability CVE-2017-5563**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libtiff6 | 4.5.0-6 | | deb | /usr/share/doc/libtiff6/copyright | debian:distro:debian:12 | [CVE-2017-5563](https://security-tracker.debian.org/tracker/CVE-2017-5563) |\n" + }, + "properties": { + "security-severity": "8.8" + } + }, + { + "id": "CVE-2017-9117-libtiff6", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2017-9117 low vulnerability for libtiff6 package" + }, + "fullDescription": { + "text": "In LibTIFF 4.0.7, the program processes BMP images without verifying that biWidth and biHeight in the bitmap-information header match the actual input, leading to a heap-based buffer over-read in bmp2tiff." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2017-9117\nSeverity: low\nPackage: libtiff6\nVersion: 4.5.0-6\nFix Version: \nType: deb\nLocation: /usr/share/doc/libtiff6/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2017-9117](https://security-tracker.debian.org/tracker/CVE-2017-9117)", + "markdown": "**Vulnerability CVE-2017-9117**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libtiff6 | 4.5.0-6 | | deb | /usr/share/doc/libtiff6/copyright | debian:distro:debian:12 | [CVE-2017-9117](https://security-tracker.debian.org/tracker/CVE-2017-9117) |\n" + }, + "properties": { + "security-severity": "9.8" + } + }, + { + "id": "CVE-2017-9937-libjbig0", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2017-9937 low vulnerability for libjbig0 package" + }, + "fullDescription": { + "text": "In LibTIFF 4.0.8, there is a memory malloc failure in tif_jbig.c. A crafted TIFF document can lead to an abort resulting in a remote denial of service attack." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2017-9937\nSeverity: low\nPackage: libjbig0\nVersion: 2.1-6.1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libjbig0/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2017-9937](https://security-tracker.debian.org/tracker/CVE-2017-9937)", + "markdown": "**Vulnerability CVE-2017-9937**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libjbig0 | 2.1-6.1 | | deb | /usr/share/doc/libjbig0/copyright | debian:distro:debian:12 | [CVE-2017-9937](https://security-tracker.debian.org/tracker/CVE-2017-9937) |\n" + }, + "properties": { + "security-severity": "6.5" + } + }, + { + "id": "CVE-2018-10126-libtiff6", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2018-10126 low vulnerability for libtiff6 package" + }, + "fullDescription": { + "text": "LibTIFF 4.0.9 has a NULL pointer dereference in the jpeg_fdct_16x16 function in jfdctint.c." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2018-10126\nSeverity: low\nPackage: libtiff6\nVersion: 4.5.0-6\nFix Version: \nType: deb\nLocation: /usr/share/doc/libtiff6/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2018-10126](https://security-tracker.debian.org/tracker/CVE-2018-10126)", + "markdown": "**Vulnerability CVE-2018-10126**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libtiff6 | 4.5.0-6 | | deb | /usr/share/doc/libtiff6/copyright | debian:distro:debian:12 | [CVE-2018-10126](https://security-tracker.debian.org/tracker/CVE-2018-10126) |\n" + }, + "properties": { + "security-severity": "6.5" + } + }, + { + "id": "CVE-2018-20796-libc-bin", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2018-20796 low vulnerability for libc-bin package" + }, + "fullDescription": { + "text": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2018-20796\nSeverity: low\nPackage: libc-bin\nVersion: 2.36-9+deb12u1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libc-bin/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2018-20796](https://security-tracker.debian.org/tracker/CVE-2018-20796)", + "markdown": "**Vulnerability CVE-2018-20796**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libc-bin | 2.36-9+deb12u1 | | deb | /usr/share/doc/libc-bin/copyright | debian:distro:debian:12 | [CVE-2018-20796](https://security-tracker.debian.org/tracker/CVE-2018-20796) |\n" + }, + "properties": { + "security-severity": "7.5" + } + }, + { + "id": "CVE-2018-20796-libc6", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2018-20796 low vulnerability for libc6 package" + }, + "fullDescription": { + "text": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2018-20796\nSeverity: low\nPackage: libc6\nVersion: 2.36-9+deb12u1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libc6/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2018-20796](https://security-tracker.debian.org/tracker/CVE-2018-20796)", + "markdown": "**Vulnerability CVE-2018-20796**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libc6 | 2.36-9+deb12u1 | | deb | /usr/share/doc/libc6/copyright | debian:distro:debian:12 | [CVE-2018-20796](https://security-tracker.debian.org/tracker/CVE-2018-20796) |\n" + }, + "properties": { + "security-severity": "7.5" + } + }, + { + "id": "CVE-2018-5709-libgssapi-krb5-2", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2018-5709 low vulnerability for libgssapi-krb5-2 package" + }, + "fullDescription": { + "text": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry-\u003en_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2018-5709\nSeverity: low\nPackage: libgssapi-krb5-2\nVersion: 1.20.1-2\nFix Version: \nType: deb\nLocation: /usr/share/doc/libgssapi-krb5-2/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2018-5709](https://security-tracker.debian.org/tracker/CVE-2018-5709)", + "markdown": "**Vulnerability CVE-2018-5709**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libgssapi-krb5-2 | 1.20.1-2 | | deb | /usr/share/doc/libgssapi-krb5-2/copyright | debian:distro:debian:12 | [CVE-2018-5709](https://security-tracker.debian.org/tracker/CVE-2018-5709) |\n" + }, + "properties": { + "security-severity": "7.5" + } + }, + { + "id": "CVE-2018-5709-libk5crypto3", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2018-5709 low vulnerability for libk5crypto3 package" + }, + "fullDescription": { + "text": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry-\u003en_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2018-5709\nSeverity: low\nPackage: libk5crypto3\nVersion: 1.20.1-2\nFix Version: \nType: deb\nLocation: /usr/share/doc/libk5crypto3/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2018-5709](https://security-tracker.debian.org/tracker/CVE-2018-5709)", + "markdown": "**Vulnerability CVE-2018-5709**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libk5crypto3 | 1.20.1-2 | | deb | /usr/share/doc/libk5crypto3/copyright | debian:distro:debian:12 | [CVE-2018-5709](https://security-tracker.debian.org/tracker/CVE-2018-5709) |\n" + }, + "properties": { + "security-severity": "7.5" + } + }, + { + "id": "CVE-2018-5709-libkrb5-3", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2018-5709 low vulnerability for libkrb5-3 package" + }, + "fullDescription": { + "text": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry-\u003en_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2018-5709\nSeverity: low\nPackage: libkrb5-3\nVersion: 1.20.1-2\nFix Version: \nType: deb\nLocation: /usr/share/doc/libkrb5-3/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2018-5709](https://security-tracker.debian.org/tracker/CVE-2018-5709)", + "markdown": "**Vulnerability CVE-2018-5709**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libkrb5-3 | 1.20.1-2 | | deb | /usr/share/doc/libkrb5-3/copyright | debian:distro:debian:12 | [CVE-2018-5709](https://security-tracker.debian.org/tracker/CVE-2018-5709) |\n" + }, + "properties": { + "security-severity": "7.5" + } + }, + { + "id": "CVE-2018-5709-libkrb5support0", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2018-5709 low vulnerability for libkrb5support0 package" + }, + "fullDescription": { + "text": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry-\u003en_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2018-5709\nSeverity: low\nPackage: libkrb5support0\nVersion: 1.20.1-2\nFix Version: \nType: deb\nLocation: /usr/share/doc/libkrb5support0/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2018-5709](https://security-tracker.debian.org/tracker/CVE-2018-5709)", + "markdown": "**Vulnerability CVE-2018-5709**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libkrb5support0 | 1.20.1-2 | | deb | /usr/share/doc/libkrb5support0/copyright | debian:distro:debian:12 | [CVE-2018-5709](https://security-tracker.debian.org/tracker/CVE-2018-5709) |\n" + }, + "properties": { + "security-severity": "7.5" + } + }, + { + "id": "CVE-2018-6829-libgcrypt20", + "name": "DpkgMatcherExactDirectMatch", + "shortDescription": { + "text": "CVE-2018-6829 low vulnerability for libgcrypt20 package" + }, + "fullDescription": { + "text": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2018-6829\nSeverity: low\nPackage: libgcrypt20\nVersion: 1.10.1-3\nFix Version: \nType: deb\nLocation: /usr/share/doc/libgcrypt20/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2018-6829](https://security-tracker.debian.org/tracker/CVE-2018-6829)", + "markdown": "**Vulnerability CVE-2018-6829**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libgcrypt20 | 1.10.1-3 | | deb | /usr/share/doc/libgcrypt20/copyright | debian:distro:debian:12 | [CVE-2018-6829](https://security-tracker.debian.org/tracker/CVE-2018-6829) |\n" + }, + "properties": { + "security-severity": "7.5" + } + }, + { + "id": "CVE-2019-1010022-libc-bin", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2019-1010022 low vulnerability for libc-bin package" + }, + "fullDescription": { + "text": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\"" + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2019-1010022\nSeverity: low\nPackage: libc-bin\nVersion: 2.36-9+deb12u1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libc-bin/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2019-1010022](https://security-tracker.debian.org/tracker/CVE-2019-1010022)", + "markdown": "**Vulnerability CVE-2019-1010022**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libc-bin | 2.36-9+deb12u1 | | deb | /usr/share/doc/libc-bin/copyright | debian:distro:debian:12 | [CVE-2019-1010022](https://security-tracker.debian.org/tracker/CVE-2019-1010022) |\n" + }, + "properties": { + "security-severity": "9.8" + } + }, + { + "id": "CVE-2019-1010022-libc6", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2019-1010022 low vulnerability for libc6 package" + }, + "fullDescription": { + "text": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\"" + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2019-1010022\nSeverity: low\nPackage: libc6\nVersion: 2.36-9+deb12u1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libc6/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2019-1010022](https://security-tracker.debian.org/tracker/CVE-2019-1010022)", + "markdown": "**Vulnerability CVE-2019-1010022**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libc6 | 2.36-9+deb12u1 | | deb | /usr/share/doc/libc6/copyright | debian:distro:debian:12 | [CVE-2019-1010022](https://security-tracker.debian.org/tracker/CVE-2019-1010022) |\n" + }, + "properties": { + "security-severity": "9.8" + } + }, + { + "id": "CVE-2019-1010023-libc-bin", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2019-1010023 low vulnerability for libc-bin package" + }, + "fullDescription": { + "text": "** DISPUTED ** GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\"" + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2019-1010023\nSeverity: low\nPackage: libc-bin\nVersion: 2.36-9+deb12u1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libc-bin/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2019-1010023](https://security-tracker.debian.org/tracker/CVE-2019-1010023)", + "markdown": "**Vulnerability CVE-2019-1010023**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libc-bin | 2.36-9+deb12u1 | | deb | /usr/share/doc/libc-bin/copyright | debian:distro:debian:12 | [CVE-2019-1010023](https://security-tracker.debian.org/tracker/CVE-2019-1010023) |\n" + }, + "properties": { + "security-severity": "8.8" + } + }, + { + "id": "CVE-2019-1010023-libc6", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2019-1010023 low vulnerability for libc6 package" + }, + "fullDescription": { + "text": "** DISPUTED ** GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\"" + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2019-1010023\nSeverity: low\nPackage: libc6\nVersion: 2.36-9+deb12u1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libc6/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2019-1010023](https://security-tracker.debian.org/tracker/CVE-2019-1010023)", + "markdown": "**Vulnerability CVE-2019-1010023**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libc6 | 2.36-9+deb12u1 | | deb | /usr/share/doc/libc6/copyright | debian:distro:debian:12 | [CVE-2019-1010023](https://security-tracker.debian.org/tracker/CVE-2019-1010023) |\n" + }, + "properties": { + "security-severity": "8.8" + } + }, + { + "id": "CVE-2019-1010024-libc-bin", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2019-1010024 low vulnerability for libc-bin package" + }, + "fullDescription": { + "text": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\"" + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2019-1010024\nSeverity: low\nPackage: libc-bin\nVersion: 2.36-9+deb12u1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libc-bin/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2019-1010024](https://security-tracker.debian.org/tracker/CVE-2019-1010024)", + "markdown": "**Vulnerability CVE-2019-1010024**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libc-bin | 2.36-9+deb12u1 | | deb | /usr/share/doc/libc-bin/copyright | debian:distro:debian:12 | [CVE-2019-1010024](https://security-tracker.debian.org/tracker/CVE-2019-1010024) |\n" + }, + "properties": { + "security-severity": "5.3" + } + }, + { + "id": "CVE-2019-1010024-libc6", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2019-1010024 low vulnerability for libc6 package" + }, + "fullDescription": { + "text": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\"" + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2019-1010024\nSeverity: low\nPackage: libc6\nVersion: 2.36-9+deb12u1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libc6/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2019-1010024](https://security-tracker.debian.org/tracker/CVE-2019-1010024)", + "markdown": "**Vulnerability CVE-2019-1010024**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libc6 | 2.36-9+deb12u1 | | deb | /usr/share/doc/libc6/copyright | debian:distro:debian:12 | [CVE-2019-1010024](https://security-tracker.debian.org/tracker/CVE-2019-1010024) |\n" + }, + "properties": { + "security-severity": "5.3" + } + }, + { + "id": "CVE-2019-1010025-libc-bin", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2019-1010025 low vulnerability for libc-bin package" + }, + "fullDescription": { + "text": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.\"" + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2019-1010025\nSeverity: low\nPackage: libc-bin\nVersion: 2.36-9+deb12u1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libc-bin/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2019-1010025](https://security-tracker.debian.org/tracker/CVE-2019-1010025)", + "markdown": "**Vulnerability CVE-2019-1010025**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libc-bin | 2.36-9+deb12u1 | | deb | /usr/share/doc/libc-bin/copyright | debian:distro:debian:12 | [CVE-2019-1010025](https://security-tracker.debian.org/tracker/CVE-2019-1010025) |\n" + }, + "properties": { + "security-severity": "5.3" + } + }, + { + "id": "CVE-2019-1010025-libc6", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2019-1010025 low vulnerability for libc6 package" + }, + "fullDescription": { + "text": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.\"" + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2019-1010025\nSeverity: low\nPackage: libc6\nVersion: 2.36-9+deb12u1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libc6/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2019-1010025](https://security-tracker.debian.org/tracker/CVE-2019-1010025)", + "markdown": "**Vulnerability CVE-2019-1010025**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libc6 | 2.36-9+deb12u1 | | deb | /usr/share/doc/libc6/copyright | debian:distro:debian:12 | [CVE-2019-1010025](https://security-tracker.debian.org/tracker/CVE-2019-1010025) |\n" + }, + "properties": { + "security-severity": "5.3" + } + }, + { + "id": "CVE-2019-19882-login", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2019-19882 low vulnerability for login package" + }, + "fullDescription": { + "text": "shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8)." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2019-19882\nSeverity: low\nPackage: login\nVersion: 1:4.13+dfsg1-1+b1\nFix Version: \nType: deb\nLocation: /usr/share/doc/login/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2019-19882](https://security-tracker.debian.org/tracker/CVE-2019-19882)", + "markdown": "**Vulnerability CVE-2019-19882**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | login | 1:4.13+dfsg1-1+b1 | | deb | /usr/share/doc/login/copyright | debian:distro:debian:12 | [CVE-2019-19882](https://security-tracker.debian.org/tracker/CVE-2019-19882) |\n" + }, + "properties": { + "security-severity": "7.8" + } + }, + { + "id": "CVE-2019-19882-passwd", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2019-19882 low vulnerability for passwd package" + }, + "fullDescription": { + "text": "shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8)." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2019-19882\nSeverity: low\nPackage: passwd\nVersion: 1:4.13+dfsg1-1+b1\nFix Version: \nType: deb\nLocation: /usr/share/doc/passwd/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2019-19882](https://security-tracker.debian.org/tracker/CVE-2019-19882)", + "markdown": "**Vulnerability CVE-2019-19882**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | passwd | 1:4.13+dfsg1-1+b1 | | deb | /usr/share/doc/passwd/copyright | debian:distro:debian:12 | [CVE-2019-19882](https://security-tracker.debian.org/tracker/CVE-2019-19882) |\n" + }, + "properties": { + "security-severity": "7.8" + } + }, + { + "id": "CVE-2019-9192-libc-bin", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2019-9192 low vulnerability for libc-bin package" + }, + "fullDescription": { + "text": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2019-9192\nSeverity: low\nPackage: libc-bin\nVersion: 2.36-9+deb12u1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libc-bin/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2019-9192](https://security-tracker.debian.org/tracker/CVE-2019-9192)", + "markdown": "**Vulnerability CVE-2019-9192**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libc-bin | 2.36-9+deb12u1 | | deb | /usr/share/doc/libc-bin/copyright | debian:distro:debian:12 | [CVE-2019-9192](https://security-tracker.debian.org/tracker/CVE-2019-9192) |\n" + }, + "properties": { + "security-severity": "7.5" + } + }, + { + "id": "CVE-2019-9192-libc6", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2019-9192 low vulnerability for libc6 package" + }, + "fullDescription": { + "text": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2019-9192\nSeverity: low\nPackage: libc6\nVersion: 2.36-9+deb12u1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libc6/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2019-9192](https://security-tracker.debian.org/tracker/CVE-2019-9192)", + "markdown": "**Vulnerability CVE-2019-9192**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libc6 | 2.36-9+deb12u1 | | deb | /usr/share/doc/libc6/copyright | debian:distro:debian:12 | [CVE-2019-9192](https://security-tracker.debian.org/tracker/CVE-2019-9192) |\n" + }, + "properties": { + "security-severity": "7.5" + } + }, + { + "id": "CVE-2020-15719-libldap-2.5-0", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2020-15719 low vulnerability for libldap-2.5-0 package" + }, + "fullDescription": { + "text": "libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2020-15719\nSeverity: low\nPackage: libldap-2.5-0\nVersion: 2.5.13+dfsg-5\nFix Version: \nType: deb\nLocation: /usr/share/doc/libldap-2.5-0/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2020-15719](https://security-tracker.debian.org/tracker/CVE-2020-15719)", + "markdown": "**Vulnerability CVE-2020-15719**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libldap-2.5-0 | 2.5.13+dfsg-5 | | deb | /usr/share/doc/libldap-2.5-0/copyright | debian:distro:debian:12 | [CVE-2020-15719](https://security-tracker.debian.org/tracker/CVE-2020-15719) |\n" + }, + "properties": { + "security-severity": "4.2" + } + }, + { + "id": "CVE-2021-4214-libpng16-16", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2021-4214 low vulnerability for libpng16-16 package" + }, + "fullDescription": { + "text": "A heap overflow flaw was found in libpngs' pngimage.c program. This flaw allows an attacker with local network access to pass a specially crafted PNG file to the pngimage utility, causing an application to crash, leading to a denial of service." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2021-4214\nSeverity: low\nPackage: libpng16-16\nVersion: 1.6.39-2\nFix Version: \nType: deb\nLocation: /usr/share/doc/libpng16-16/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2021-4214](https://security-tracker.debian.org/tracker/CVE-2021-4214)", + "markdown": "**Vulnerability CVE-2021-4214**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libpng16-16 | 1.6.39-2 | | deb | /usr/share/doc/libpng16-16/copyright | debian:distro:debian:12 | [CVE-2021-4214](https://security-tracker.debian.org/tracker/CVE-2021-4214) |\n" + }, + "properties": { + "security-severity": "5.5" + } + }, + { + "id": "CVE-2022-0563-bsdutils", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2022-0563 low vulnerability for bsdutils package" + }, + "fullDescription": { + "text": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2022-0563\nSeverity: low\nPackage: bsdutils\nVersion: 1:2.38.1-5+b1\nFix Version: \nType: deb\nLocation: /usr/share/doc/bsdutils/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2022-0563](https://security-tracker.debian.org/tracker/CVE-2022-0563)", + "markdown": "**Vulnerability CVE-2022-0563**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | bsdutils | 1:2.38.1-5+b1 | | deb | /usr/share/doc/bsdutils/copyright | debian:distro:debian:12 | [CVE-2022-0563](https://security-tracker.debian.org/tracker/CVE-2022-0563) |\n" + }, + "properties": { + "security-severity": "5.5" + } + }, + { + "id": "CVE-2022-0563-libblkid1", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2022-0563 low vulnerability for libblkid1 package" + }, + "fullDescription": { + "text": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2022-0563\nSeverity: low\nPackage: libblkid1\nVersion: 2.38.1-5+b1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libblkid1/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2022-0563](https://security-tracker.debian.org/tracker/CVE-2022-0563)", + "markdown": "**Vulnerability CVE-2022-0563**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libblkid1 | 2.38.1-5+b1 | | deb | /usr/share/doc/libblkid1/copyright | debian:distro:debian:12 | [CVE-2022-0563](https://security-tracker.debian.org/tracker/CVE-2022-0563) |\n" + }, + "properties": { + "security-severity": "5.5" + } + }, + { + "id": "CVE-2022-0563-libmount1", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2022-0563 low vulnerability for libmount1 package" + }, + "fullDescription": { + "text": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2022-0563\nSeverity: low\nPackage: libmount1\nVersion: 2.38.1-5+b1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libmount1/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2022-0563](https://security-tracker.debian.org/tracker/CVE-2022-0563)", + "markdown": "**Vulnerability CVE-2022-0563**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libmount1 | 2.38.1-5+b1 | | deb | /usr/share/doc/libmount1/copyright | debian:distro:debian:12 | [CVE-2022-0563](https://security-tracker.debian.org/tracker/CVE-2022-0563) |\n" + }, + "properties": { + "security-severity": "5.5" + } + }, + { + "id": "CVE-2022-0563-libsmartcols1", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2022-0563 low vulnerability for libsmartcols1 package" + }, + "fullDescription": { + "text": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2022-0563\nSeverity: low\nPackage: libsmartcols1\nVersion: 2.38.1-5+b1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libsmartcols1/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2022-0563](https://security-tracker.debian.org/tracker/CVE-2022-0563)", + "markdown": "**Vulnerability CVE-2022-0563**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libsmartcols1 | 2.38.1-5+b1 | | deb | /usr/share/doc/libsmartcols1/copyright | debian:distro:debian:12 | [CVE-2022-0563](https://security-tracker.debian.org/tracker/CVE-2022-0563) |\n" + }, + "properties": { + "security-severity": "5.5" + } + }, + { + "id": "CVE-2022-0563-libuuid1", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2022-0563 low vulnerability for libuuid1 package" + }, + "fullDescription": { + "text": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2022-0563\nSeverity: low\nPackage: libuuid1\nVersion: 2.38.1-5+b1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libuuid1/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2022-0563](https://security-tracker.debian.org/tracker/CVE-2022-0563)", + "markdown": "**Vulnerability CVE-2022-0563**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libuuid1 | 2.38.1-5+b1 | | deb | /usr/share/doc/libuuid1/copyright | debian:distro:debian:12 | [CVE-2022-0563](https://security-tracker.debian.org/tracker/CVE-2022-0563) |\n" + }, + "properties": { + "security-severity": "5.5" + } + }, + { + "id": "CVE-2022-0563-mount", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2022-0563 low vulnerability for mount package" + }, + "fullDescription": { + "text": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2022-0563\nSeverity: low\nPackage: mount\nVersion: 2.38.1-5+b1\nFix Version: \nType: deb\nLocation: /usr/share/doc/mount/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2022-0563](https://security-tracker.debian.org/tracker/CVE-2022-0563)", + "markdown": "**Vulnerability CVE-2022-0563**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | mount | 2.38.1-5+b1 | | deb | /usr/share/doc/mount/copyright | debian:distro:debian:12 | [CVE-2022-0563](https://security-tracker.debian.org/tracker/CVE-2022-0563) |\n" + }, + "properties": { + "security-severity": "5.5" + } + }, + { + "id": "CVE-2022-0563-util-linux", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2022-0563 low vulnerability for util-linux package" + }, + "fullDescription": { + "text": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2022-0563\nSeverity: low\nPackage: util-linux\nVersion: 2.38.1-5+b1\nFix Version: \nType: deb\nLocation: /usr/share/doc/util-linux/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2022-0563](https://security-tracker.debian.org/tracker/CVE-2022-0563)", + "markdown": "**Vulnerability CVE-2022-0563**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | util-linux | 2.38.1-5+b1 | | deb | /usr/share/doc/util-linux/copyright | debian:distro:debian:12 | [CVE-2022-0563](https://security-tracker.debian.org/tracker/CVE-2022-0563) |\n" + }, + "properties": { + "security-severity": "5.5" + } + }, + { + "id": "CVE-2022-0563-util-linux-extra", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2022-0563 low vulnerability for util-linux-extra package" + }, + "fullDescription": { + "text": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2022-0563\nSeverity: low\nPackage: util-linux-extra\nVersion: 2.38.1-5+b1\nFix Version: \nType: deb\nLocation: /usr/share/doc/util-linux-extra/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2022-0563](https://security-tracker.debian.org/tracker/CVE-2022-0563)", + "markdown": "**Vulnerability CVE-2022-0563**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | util-linux-extra | 2.38.1-5+b1 | | deb | /usr/share/doc/util-linux-extra/copyright | debian:distro:debian:12 | [CVE-2022-0563](https://security-tracker.debian.org/tracker/CVE-2022-0563) |\n" + }, + "properties": { + "security-severity": "5.5" + } + }, + { + "id": "CVE-2022-1210-libtiff6", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2022-1210 low vulnerability for libtiff6 package" + }, + "fullDescription": { + "text": "A vulnerability classified as problematic was found in LibTIFF 4.3.0. Affected by this vulnerability is the TIFF File Handler of tiff2ps. Opening a malicious file leads to a denial of service. The attack can be launched remotely but requires user interaction. The exploit has been disclosed to the public and may be used." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2022-1210\nSeverity: low\nPackage: libtiff6\nVersion: 4.5.0-6\nFix Version: \nType: deb\nLocation: /usr/share/doc/libtiff6/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2022-1210](https://security-tracker.debian.org/tracker/CVE-2022-1210)", + "markdown": "**Vulnerability CVE-2022-1210**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libtiff6 | 4.5.0-6 | | deb | /usr/share/doc/libtiff6/copyright | debian:distro:debian:12 | [CVE-2022-1210](https://security-tracker.debian.org/tracker/CVE-2022-1210) |\n" + }, + "properties": { + "security-severity": "6.5" + } + }, + { + "id": "CVE-2022-27943-gcc-12-base", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2022-27943 low vulnerability for gcc-12-base package" + }, + "fullDescription": { + "text": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2022-27943\nSeverity: low\nPackage: gcc-12-base\nVersion: 12.2.0-14\nFix Version: \nType: deb\nLocation: /usr/share/doc/gcc-12-base/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2022-27943](https://security-tracker.debian.org/tracker/CVE-2022-27943)", + "markdown": "**Vulnerability CVE-2022-27943**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | gcc-12-base | 12.2.0-14 | | deb | /usr/share/doc/gcc-12-base/copyright | debian:distro:debian:12 | [CVE-2022-27943](https://security-tracker.debian.org/tracker/CVE-2022-27943) |\n" + }, + "properties": { + "security-severity": "5.5" + } + }, + { + "id": "CVE-2022-27943-libgcc-s1", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2022-27943 low vulnerability for libgcc-s1 package" + }, + "fullDescription": { + "text": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2022-27943\nSeverity: low\nPackage: libgcc-s1\nVersion: 12.2.0-14\nFix Version: \nType: deb\nLocation: /usr/share/doc/libgcc-s1/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2022-27943](https://security-tracker.debian.org/tracker/CVE-2022-27943)", + "markdown": "**Vulnerability CVE-2022-27943**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libgcc-s1 | 12.2.0-14 | | deb | /usr/share/doc/libgcc-s1/copyright | debian:distro:debian:12 | [CVE-2022-27943](https://security-tracker.debian.org/tracker/CVE-2022-27943) |\n" + }, + "properties": { + "security-severity": "5.5" + } + }, + { + "id": "CVE-2022-27943-libstdc++6", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2022-27943 low vulnerability for libstdc++6 package" + }, + "fullDescription": { + "text": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2022-27943\nSeverity: low\nPackage: libstdc++6\nVersion: 12.2.0-14\nFix Version: \nType: deb\nLocation: /usr/share/doc/libstdc++6/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2022-27943](https://security-tracker.debian.org/tracker/CVE-2022-27943)", + "markdown": "**Vulnerability CVE-2022-27943**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libstdc++6 | 12.2.0-14 | | deb | /usr/share/doc/libstdc++6/copyright | debian:distro:debian:12 | [CVE-2022-27943](https://security-tracker.debian.org/tracker/CVE-2022-27943) |\n" + }, + "properties": { + "security-severity": "5.5" + } + }, + { + "id": "CVE-2022-3219-gpgv", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2022-3219 low vulnerability for gpgv package" + }, + "fullDescription": { + "text": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2022-3219\nSeverity: low\nPackage: gpgv\nVersion: 2.2.40-1.1\nFix Version: \nType: deb\nLocation: /usr/share/doc/gpgv/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2022-3219](https://security-tracker.debian.org/tracker/CVE-2022-3219)", + "markdown": "**Vulnerability CVE-2022-3219**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | gpgv | 2.2.40-1.1 | | deb | /usr/share/doc/gpgv/copyright | debian:distro:debian:12 | [CVE-2022-3219](https://security-tracker.debian.org/tracker/CVE-2022-3219) |\n" + }, + "properties": { + "security-severity": "3.3" + } + }, + { + "id": "CVE-2022-48303-tar", + "name": "DpkgMatcherExactDirectMatch", + "shortDescription": { + "text": "CVE-2022-48303 low vulnerability for tar package" + }, + "fullDescription": { + "text": "GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2022-48303\nSeverity: low\nPackage: tar\nVersion: 1.34+dfsg-1.2\nFix Version: \nType: deb\nLocation: /usr/share/doc/tar/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2022-48303](https://security-tracker.debian.org/tracker/CVE-2022-48303)", + "markdown": "**Vulnerability CVE-2022-48303**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | tar | 1.34+dfsg-1.2 | | deb | /usr/share/doc/tar/copyright | debian:distro:debian:12 | [CVE-2022-48303](https://security-tracker.debian.org/tracker/CVE-2022-48303) |\n" + }, + "properties": { + "security-severity": "5.5" + } + }, + { + "id": "CVE-2023-1916-libtiff6", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-1916 low vulnerability for libtiff6 package" + }, + "fullDescription": { + "text": "A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-1916\nSeverity: low\nPackage: libtiff6\nVersion: 4.5.0-6\nFix Version: \nType: deb\nLocation: /usr/share/doc/libtiff6/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-1916](https://security-tracker.debian.org/tracker/CVE-2023-1916)", + "markdown": "**Vulnerability CVE-2023-1916**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libtiff6 | 4.5.0-6 | | deb | /usr/share/doc/libtiff6/copyright | debian:distro:debian:12 | [CVE-2023-1916](https://security-tracker.debian.org/tracker/CVE-2023-1916) |\n" + }, + "properties": { + "security-severity": "6.1" + } + }, + { + "id": "CVE-2023-25433-libtiff6", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-25433 medium vulnerability for libtiff6 package" + }, + "fullDescription": { + "text": "libtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiffcrop.c:8499. Incorrect updating of buffer size after rotateImage() in tiffcrop cause heap-buffer-overflow and SEGV." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-25433\nSeverity: medium\nPackage: libtiff6\nVersion: 4.5.0-6\nFix Version: \nType: deb\nLocation: /usr/share/doc/libtiff6/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-25433](https://security-tracker.debian.org/tracker/CVE-2023-25433)", + "markdown": "**Vulnerability CVE-2023-25433**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium | libtiff6 | 4.5.0-6 | | deb | /usr/share/doc/libtiff6/copyright | debian:distro:debian:12 | [CVE-2023-25433](https://security-tracker.debian.org/tracker/CVE-2023-25433) |\n" + }, + "properties": { + "security-severity": "5.5" + } + }, + { + "id": "CVE-2023-26965-libtiff6", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-26965 medium vulnerability for libtiff6 package" + }, + "fullDescription": { + "text": "loadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based use after free via a crafted TIFF image." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-26965\nSeverity: medium\nPackage: libtiff6\nVersion: 4.5.0-6\nFix Version: \nType: deb\nLocation: /usr/share/doc/libtiff6/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-26965](https://security-tracker.debian.org/tracker/CVE-2023-26965)", + "markdown": "**Vulnerability CVE-2023-26965**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium | libtiff6 | 4.5.0-6 | | deb | /usr/share/doc/libtiff6/copyright | debian:distro:debian:12 | [CVE-2023-26965](https://security-tracker.debian.org/tracker/CVE-2023-26965) |\n" + }, + "properties": { + "security-severity": "5.5" + } + }, + { + "id": "CVE-2023-26966-libtiff6", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-26966 medium vulnerability for libtiff6 package" + }, + "fullDescription": { + "text": "libtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when libtiff reads a corrupted little-endian TIFF file and specifies the output to be big-endian." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-26966\nSeverity: medium\nPackage: libtiff6\nVersion: 4.5.0-6\nFix Version: \nType: deb\nLocation: /usr/share/doc/libtiff6/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-26966](https://security-tracker.debian.org/tracker/CVE-2023-26966)", + "markdown": "**Vulnerability CVE-2023-26966**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium | libtiff6 | 4.5.0-6 | | deb | /usr/share/doc/libtiff6/copyright | debian:distro:debian:12 | [CVE-2023-26966](https://security-tracker.debian.org/tracker/CVE-2023-26966) |\n" + }, + "properties": { + "security-severity": "5.5" + } + }, + { + "id": "CVE-2023-27102-libde265-0", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-27102 medium vulnerability for libde265-0 package" + }, + "fullDescription": { + "text": "Libde265 v1.0.11 was discovered to contain a segmentation violation via the function decoder_context::process_slice_segment_header at decctx.cc." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-27102\nSeverity: medium\nPackage: libde265-0\nVersion: 1.0.11-1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libde265-0/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-27102](https://security-tracker.debian.org/tracker/CVE-2023-27102)", + "markdown": "**Vulnerability CVE-2023-27102**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium | libde265-0 | 1.0.11-1 | | deb | /usr/share/doc/libde265-0/copyright | debian:distro:debian:12 | [CVE-2023-27102](https://security-tracker.debian.org/tracker/CVE-2023-27102) |\n" + }, + "properties": { + "security-severity": "6.5" + } + }, + { + "id": "CVE-2023-27103-libde265-0", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-27103 high vulnerability for libde265-0 package" + }, + "fullDescription": { + "text": "Libde265 v1.0.11 was discovered to contain a heap buffer overflow via the function derive_collocated_motion_vectors at motion.cc." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-27103\nSeverity: high\nPackage: libde265-0\nVersion: 1.0.11-1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libde265-0/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-27103](https://security-tracker.debian.org/tracker/CVE-2023-27103)", + "markdown": "**Vulnerability CVE-2023-27103**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| high | libde265-0 | 1.0.11-1 | | deb | /usr/share/doc/libde265-0/copyright | debian:distro:debian:12 | [CVE-2023-27103](https://security-tracker.debian.org/tracker/CVE-2023-27103) |\n" + }, + "properties": { + "security-severity": "8.8" + } + }, + { + "id": "CVE-2023-2908-libtiff6", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-2908 medium vulnerability for libtiff6 package" + }, + "fullDescription": { + "text": "A null pointer dereference issue was found in Libtiff's tif_dir.c file. This issue may allow an attacker to pass a crafted TIFF image file to the tiffcp utility which triggers a runtime error that causes undefined behavior. This will result in an application crash, eventually leading to a denial of service." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-2908\nSeverity: medium\nPackage: libtiff6\nVersion: 4.5.0-6\nFix Version: \nType: deb\nLocation: /usr/share/doc/libtiff6/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-2908](https://security-tracker.debian.org/tracker/CVE-2023-2908)", + "markdown": "**Vulnerability CVE-2023-2908**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium | libtiff6 | 4.5.0-6 | | deb | /usr/share/doc/libtiff6/copyright | debian:distro:debian:12 | [CVE-2023-2908](https://security-tracker.debian.org/tracker/CVE-2023-2908) |\n" + }, + "properties": { + "security-severity": "5.5" + } + }, + { + "id": "CVE-2023-29383-login", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-29383 low vulnerability for login package" + }, + "fullDescription": { + "text": "In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that \"cat /etc/passwd\" shows a rogue user account." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-29383\nSeverity: low\nPackage: login\nVersion: 1:4.13+dfsg1-1+b1\nFix Version: \nType: deb\nLocation: /usr/share/doc/login/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-29383](https://security-tracker.debian.org/tracker/CVE-2023-29383)", + "markdown": "**Vulnerability CVE-2023-29383**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | login | 1:4.13+dfsg1-1+b1 | | deb | /usr/share/doc/login/copyright | debian:distro:debian:12 | [CVE-2023-29383](https://security-tracker.debian.org/tracker/CVE-2023-29383) |\n" + }, + "properties": { + "security-severity": "3.3" + } + }, + { + "id": "CVE-2023-29383-passwd", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-29383 low vulnerability for passwd package" + }, + "fullDescription": { + "text": "In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that \"cat /etc/passwd\" shows a rogue user account." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-29383\nSeverity: low\nPackage: passwd\nVersion: 1:4.13+dfsg1-1+b1\nFix Version: \nType: deb\nLocation: /usr/share/doc/passwd/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-29383](https://security-tracker.debian.org/tracker/CVE-2023-29383)", + "markdown": "**Vulnerability CVE-2023-29383**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | passwd | 1:4.13+dfsg1-1+b1 | | deb | /usr/share/doc/passwd/copyright | debian:distro:debian:12 | [CVE-2023-29383](https://security-tracker.debian.org/tracker/CVE-2023-29383) |\n" + }, + "properties": { + "security-severity": "3.3" + } + }, + { + "id": "CVE-2023-2953-libldap-2.5-0", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-2953 high vulnerability for libldap-2.5-0 package" + }, + "fullDescription": { + "text": "A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-2953\nSeverity: high\nPackage: libldap-2.5-0\nVersion: 2.5.13+dfsg-5\nFix Version: \nType: deb\nLocation: /usr/share/doc/libldap-2.5-0/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-2953](https://security-tracker.debian.org/tracker/CVE-2023-2953)", + "markdown": "**Vulnerability CVE-2023-2953**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| high | libldap-2.5-0 | 2.5.13+dfsg-5 | | deb | /usr/share/doc/libldap-2.5-0/copyright | debian:distro:debian:12 | [CVE-2023-2953](https://security-tracker.debian.org/tracker/CVE-2023-2953) |\n" + }, + "properties": { + "security-severity": "7.5" + } + }, + { + "id": "CVE-2023-29659-libheif1", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-29659 medium vulnerability for libheif1 package" + }, + "fullDescription": { + "text": "A Segmentation fault caused by a floating point exception exists in libheif 1.15.1 using crafted heif images via the heif::Fraction::round() function in box.cc, which causes a denial of service." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-29659\nSeverity: medium\nPackage: libheif1\nVersion: 1.15.1-1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libheif1/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-29659](https://security-tracker.debian.org/tracker/CVE-2023-29659)", + "markdown": "**Vulnerability CVE-2023-29659**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium | libheif1 | 1.15.1-1 | | deb | /usr/share/doc/libheif1/copyright | debian:distro:debian:12 | [CVE-2023-29659](https://security-tracker.debian.org/tracker/CVE-2023-29659) |\n" + }, + "properties": { + "security-severity": "6.5" + } + }, + { + "id": "CVE-2023-2975-libssl3", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-2975 medium vulnerability for libssl3 package" + }, + "fullDescription": { + "text": "Issue summary: The AES-SIV cipher implementation contains a bug that causes\nit to ignore empty associated data entries which are unauthenticated as\na consequence.\n\nImpact summary: Applications that use the AES-SIV algorithm and want to\nauthenticate empty data entries as associated data can be mislead by removing\nadding or reordering such empty entries as these are ignored by the OpenSSL\nimplementation. We are currently unaware of any such applications.\n\nThe AES-SIV algorithm allows for authentication of multiple associated\ndata entries along with the encryption. To authenticate empty data the\napplication has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with\nNULL pointer as the output buffer and 0 as the input buffer length.\nThe AES-SIV implementation in OpenSSL just returns success for such a call\ninstead of performing the associated data authentication operation.\nThe empty data thus will not be authenticated.\n\nAs this issue does not affect non-empty associated data authentication and\nwe expect it to be rare for an application to use empty associated data\nentries this is qualified as Low severity issue." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-2975\nSeverity: medium\nPackage: libssl3\nVersion: 3.0.9-1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libssl3/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-2975](https://security-tracker.debian.org/tracker/CVE-2023-2975)", + "markdown": "**Vulnerability CVE-2023-2975**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium | libssl3 | 3.0.9-1 | | deb | /usr/share/doc/libssl3/copyright | debian:distro:debian:12 | [CVE-2023-2975](https://security-tracker.debian.org/tracker/CVE-2023-2975) |\n" + }, + "properties": { + "security-severity": "5.3" + } + }, + { + "id": "CVE-2023-2975-openssl", + "name": "DpkgMatcherExactDirectMatch", + "shortDescription": { + "text": "CVE-2023-2975 medium vulnerability for openssl package" + }, + "fullDescription": { + "text": "Issue summary: The AES-SIV cipher implementation contains a bug that causes\nit to ignore empty associated data entries which are unauthenticated as\na consequence.\n\nImpact summary: Applications that use the AES-SIV algorithm and want to\nauthenticate empty data entries as associated data can be mislead by removing\nadding or reordering such empty entries as these are ignored by the OpenSSL\nimplementation. We are currently unaware of any such applications.\n\nThe AES-SIV algorithm allows for authentication of multiple associated\ndata entries along with the encryption. To authenticate empty data the\napplication has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with\nNULL pointer as the output buffer and 0 as the input buffer length.\nThe AES-SIV implementation in OpenSSL just returns success for such a call\ninstead of performing the associated data authentication operation.\nThe empty data thus will not be authenticated.\n\nAs this issue does not affect non-empty associated data authentication and\nwe expect it to be rare for an application to use empty associated data\nentries this is qualified as Low severity issue." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-2975\nSeverity: medium\nPackage: openssl\nVersion: 3.0.9-1\nFix Version: \nType: deb\nLocation: /usr/share/doc/openssl/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-2975](https://security-tracker.debian.org/tracker/CVE-2023-2975)", + "markdown": "**Vulnerability CVE-2023-2975**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium | openssl | 3.0.9-1 | | deb | /usr/share/doc/openssl/copyright | debian:distro:debian:12 | [CVE-2023-2975](https://security-tracker.debian.org/tracker/CVE-2023-2975) |\n" + }, + "properties": { + "security-severity": "5.3" + } + }, + { + "id": "CVE-2023-31437-libsystemd0", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-31437 low vulnerability for libsystemd0 package" + }, + "fullDescription": { + "text": "** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"" + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-31437\nSeverity: low\nPackage: libsystemd0\nVersion: 252.12-1~deb12u1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libsystemd0/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-31437](https://security-tracker.debian.org/tracker/CVE-2023-31437)", + "markdown": "**Vulnerability CVE-2023-31437**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libsystemd0 | 252.12-1~deb12u1 | | deb | /usr/share/doc/libsystemd0/copyright | debian:distro:debian:12 | [CVE-2023-31437](https://security-tracker.debian.org/tracker/CVE-2023-31437) |\n" + }, + "properties": { + "security-severity": "5.3" + } + }, + { + "id": "CVE-2023-31437-libudev1", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-31437 low vulnerability for libudev1 package" + }, + "fullDescription": { + "text": "** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"" + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-31437\nSeverity: low\nPackage: libudev1\nVersion: 252.12-1~deb12u1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libudev1/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-31437](https://security-tracker.debian.org/tracker/CVE-2023-31437)", + "markdown": "**Vulnerability CVE-2023-31437**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libudev1 | 252.12-1~deb12u1 | | deb | /usr/share/doc/libudev1/copyright | debian:distro:debian:12 | [CVE-2023-31437](https://security-tracker.debian.org/tracker/CVE-2023-31437) |\n" + }, + "properties": { + "security-severity": "5.3" + } + }, + { + "id": "CVE-2023-31438-libsystemd0", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-31438 low vulnerability for libsystemd0 package" + }, + "fullDescription": { + "text": "** DISPUTED ** An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"" + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-31438\nSeverity: low\nPackage: libsystemd0\nVersion: 252.12-1~deb12u1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libsystemd0/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-31438](https://security-tracker.debian.org/tracker/CVE-2023-31438)", + "markdown": "**Vulnerability CVE-2023-31438**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libsystemd0 | 252.12-1~deb12u1 | | deb | /usr/share/doc/libsystemd0/copyright | debian:distro:debian:12 | [CVE-2023-31438](https://security-tracker.debian.org/tracker/CVE-2023-31438) |\n" + }, + "properties": { + "security-severity": "5.3" + } + }, + { + "id": "CVE-2023-31438-libudev1", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-31438 low vulnerability for libudev1 package" + }, + "fullDescription": { + "text": "** DISPUTED ** An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"" + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-31438\nSeverity: low\nPackage: libudev1\nVersion: 252.12-1~deb12u1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libudev1/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-31438](https://security-tracker.debian.org/tracker/CVE-2023-31438)", + "markdown": "**Vulnerability CVE-2023-31438**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libudev1 | 252.12-1~deb12u1 | | deb | /usr/share/doc/libudev1/copyright | debian:distro:debian:12 | [CVE-2023-31438](https://security-tracker.debian.org/tracker/CVE-2023-31438) |\n" + }, + "properties": { + "security-severity": "5.3" + } + }, + { + "id": "CVE-2023-31439-libsystemd0", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-31439 low vulnerability for libsystemd0 package" + }, + "fullDescription": { + "text": "** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"" + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-31439\nSeverity: low\nPackage: libsystemd0\nVersion: 252.12-1~deb12u1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libsystemd0/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-31439](https://security-tracker.debian.org/tracker/CVE-2023-31439)", + "markdown": "**Vulnerability CVE-2023-31439**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libsystemd0 | 252.12-1~deb12u1 | | deb | /usr/share/doc/libsystemd0/copyright | debian:distro:debian:12 | [CVE-2023-31439](https://security-tracker.debian.org/tracker/CVE-2023-31439) |\n" + }, + "properties": { + "security-severity": "5.3" + } + }, + { + "id": "CVE-2023-31439-libudev1", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-31439 low vulnerability for libudev1 package" + }, + "fullDescription": { + "text": "** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"" + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-31439\nSeverity: low\nPackage: libudev1\nVersion: 252.12-1~deb12u1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libudev1/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-31439](https://security-tracker.debian.org/tracker/CVE-2023-31439)", + "markdown": "**Vulnerability CVE-2023-31439**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libudev1 | 252.12-1~deb12u1 | | deb | /usr/share/doc/libudev1/copyright | debian:distro:debian:12 | [CVE-2023-31439](https://security-tracker.debian.org/tracker/CVE-2023-31439) |\n" + }, + "properties": { + "security-severity": "5.3" + } + }, + { + "id": "CVE-2023-31484-perl-base", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-31484 high vulnerability for perl-base package" + }, + "fullDescription": { + "text": "CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-31484\nSeverity: high\nPackage: perl-base\nVersion: 5.36.0-7\nFix Version: \nType: deb\nLocation: /usr/share/doc/perl-base/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-31484](https://security-tracker.debian.org/tracker/CVE-2023-31484)", + "markdown": "**Vulnerability CVE-2023-31484**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| high | perl-base | 5.36.0-7 | | deb | /usr/share/doc/perl-base/copyright | debian:distro:debian:12 | [CVE-2023-31484](https://security-tracker.debian.org/tracker/CVE-2023-31484) |\n" + }, + "properties": { + "security-severity": "8.1" + } + }, + { + "id": "CVE-2023-31486-perl-base", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-31486 low vulnerability for perl-base package" + }, + "fullDescription": { + "text": "HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-31486\nSeverity: low\nPackage: perl-base\nVersion: 5.36.0-7\nFix Version: \nType: deb\nLocation: /usr/share/doc/perl-base/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-31486](https://security-tracker.debian.org/tracker/CVE-2023-31486)", + "markdown": "**Vulnerability CVE-2023-31486**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | perl-base | 5.36.0-7 | | deb | /usr/share/doc/perl-base/copyright | debian:distro:debian:12 | [CVE-2023-31486](https://security-tracker.debian.org/tracker/CVE-2023-31486) |\n" + }, + "properties": { + "security-severity": "8.1" + } + }, + { + "id": "CVE-2023-3164-libtiff6", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-3164 low vulnerability for libtiff6 package" + }, + "fullDescription": { + "text": "Version 4.5.0-6 is affected with no fixes reported yet." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-3164\nSeverity: low\nPackage: libtiff6\nVersion: 4.5.0-6\nFix Version: \nType: deb\nLocation: /usr/share/doc/libtiff6/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-3164](https://security-tracker.debian.org/tracker/CVE-2023-3164)", + "markdown": "**Vulnerability CVE-2023-3164**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libtiff6 | 4.5.0-6 | | deb | /usr/share/doc/libtiff6/copyright | debian:distro:debian:12 | [CVE-2023-3164](https://security-tracker.debian.org/tracker/CVE-2023-3164) |\n" + }, + "properties": { + "security-severity": "0.0" + } + }, + { + "id": "CVE-2023-32570-libdav1d6", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-32570 medium vulnerability for libdav1d6 package" + }, + "fullDescription": { + "text": "VideoLAN dav1d before 1.2.0 has a thread_task.c race condition that can lead to an application crash, related to dav1d_decode_frame_exit." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-32570\nSeverity: medium\nPackage: libdav1d6\nVersion: 1.0.0-2\nFix Version: \nType: deb\nLocation: /usr/share/doc/libdav1d6/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-32570](https://security-tracker.debian.org/tracker/CVE-2023-32570)", + "markdown": "**Vulnerability CVE-2023-32570**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium | libdav1d6 | 1.0.0-2 | | deb | /usr/share/doc/libdav1d6/copyright | debian:distro:debian:12 | [CVE-2023-32570](https://security-tracker.debian.org/tracker/CVE-2023-32570) |\n" + }, + "properties": { + "security-severity": "5.9" + } + }, + { + "id": "CVE-2023-3316-libtiff6", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-3316 medium vulnerability for libtiff6 package" + }, + "fullDescription": { + "text": "A NULL pointer dereference in TIFFClose() is caused by a failure to open an output file (non-existent path or a path that requires permissions like /dev/null) while specifying zones.\n\n" + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-3316\nSeverity: medium\nPackage: libtiff6\nVersion: 4.5.0-6\nFix Version: \nType: deb\nLocation: /usr/share/doc/libtiff6/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-3316](https://security-tracker.debian.org/tracker/CVE-2023-3316)", + "markdown": "**Vulnerability CVE-2023-3316**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium | libtiff6 | 4.5.0-6 | | deb | /usr/share/doc/libtiff6/copyright | debian:distro:debian:12 | [CVE-2023-3316](https://security-tracker.debian.org/tracker/CVE-2023-3316) |\n" + }, + "properties": { + "security-severity": "6.5" + } + }, + { + "id": "CVE-2023-3446-libssl3", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-3446 medium vulnerability for libssl3 package" + }, + "fullDescription": { + "text": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\n\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-3446\nSeverity: medium\nPackage: libssl3\nVersion: 3.0.9-1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libssl3/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-3446](https://security-tracker.debian.org/tracker/CVE-2023-3446)", + "markdown": "**Vulnerability CVE-2023-3446**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium | libssl3 | 3.0.9-1 | | deb | /usr/share/doc/libssl3/copyright | debian:distro:debian:12 | [CVE-2023-3446](https://security-tracker.debian.org/tracker/CVE-2023-3446) |\n" + }, + "properties": { + "security-severity": "5.3" + } + }, + { + "id": "CVE-2023-3446-openssl", + "name": "DpkgMatcherExactDirectMatch", + "shortDescription": { + "text": "CVE-2023-3446 medium vulnerability for openssl package" + }, + "fullDescription": { + "text": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\n\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-3446\nSeverity: medium\nPackage: openssl\nVersion: 3.0.9-1\nFix Version: \nType: deb\nLocation: /usr/share/doc/openssl/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-3446](https://security-tracker.debian.org/tracker/CVE-2023-3446)", + "markdown": "**Vulnerability CVE-2023-3446**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium | openssl | 3.0.9-1 | | deb | /usr/share/doc/openssl/copyright | debian:distro:debian:12 | [CVE-2023-3446](https://security-tracker.debian.org/tracker/CVE-2023-3446) |\n" + }, + "properties": { + "security-severity": "5.3" + } + }, + { + "id": "CVE-2023-36054-libgssapi-krb5-2", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-36054 medium vulnerability for libgssapi-krb5-2 package" + }, + "fullDescription": { + "text": "lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-36054\nSeverity: medium\nPackage: libgssapi-krb5-2\nVersion: 1.20.1-2\nFix Version: \nType: deb\nLocation: /usr/share/doc/libgssapi-krb5-2/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-36054](https://security-tracker.debian.org/tracker/CVE-2023-36054)", + "markdown": "**Vulnerability CVE-2023-36054**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium | libgssapi-krb5-2 | 1.20.1-2 | | deb | /usr/share/doc/libgssapi-krb5-2/copyright | debian:distro:debian:12 | [CVE-2023-36054](https://security-tracker.debian.org/tracker/CVE-2023-36054) |\n" + }, + "properties": { + "security-severity": "6.5" + } + }, + { + "id": "CVE-2023-36054-libk5crypto3", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-36054 medium vulnerability for libk5crypto3 package" + }, + "fullDescription": { + "text": "lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-36054\nSeverity: medium\nPackage: libk5crypto3\nVersion: 1.20.1-2\nFix Version: \nType: deb\nLocation: /usr/share/doc/libk5crypto3/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-36054](https://security-tracker.debian.org/tracker/CVE-2023-36054)", + "markdown": "**Vulnerability CVE-2023-36054**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium | libk5crypto3 | 1.20.1-2 | | deb | /usr/share/doc/libk5crypto3/copyright | debian:distro:debian:12 | [CVE-2023-36054](https://security-tracker.debian.org/tracker/CVE-2023-36054) |\n" + }, + "properties": { + "security-severity": "6.5" + } + }, + { + "id": "CVE-2023-36054-libkrb5-3", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-36054 medium vulnerability for libkrb5-3 package" + }, + "fullDescription": { + "text": "lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-36054\nSeverity: medium\nPackage: libkrb5-3\nVersion: 1.20.1-2\nFix Version: \nType: deb\nLocation: /usr/share/doc/libkrb5-3/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-36054](https://security-tracker.debian.org/tracker/CVE-2023-36054)", + "markdown": "**Vulnerability CVE-2023-36054**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium | libkrb5-3 | 1.20.1-2 | | deb | /usr/share/doc/libkrb5-3/copyright | debian:distro:debian:12 | [CVE-2023-36054](https://security-tracker.debian.org/tracker/CVE-2023-36054) |\n" + }, + "properties": { + "security-severity": "6.5" + } + }, + { + "id": "CVE-2023-36054-libkrb5support0", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-36054 medium vulnerability for libkrb5support0 package" + }, + "fullDescription": { + "text": "lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-36054\nSeverity: medium\nPackage: libkrb5support0\nVersion: 1.20.1-2\nFix Version: \nType: deb\nLocation: /usr/share/doc/libkrb5support0/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-36054](https://security-tracker.debian.org/tracker/CVE-2023-36054)", + "markdown": "**Vulnerability CVE-2023-36054**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium | libkrb5support0 | 1.20.1-2 | | deb | /usr/share/doc/libkrb5support0/copyright | debian:distro:debian:12 | [CVE-2023-36054](https://security-tracker.debian.org/tracker/CVE-2023-36054) |\n" + }, + "properties": { + "security-severity": "6.5" + } + }, + { + "id": "CVE-2023-3618-libtiff6", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-3618 medium vulnerability for libtiff6 package" + }, + "fullDescription": { + "text": "A flaw was found in libtiff. A specially crafted tiff file can lead to a segmentation fault due to a buffer overflow in the Fax3Encode function in libtiff/tif_fax3.c, resulting in a denial of service." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-3618\nSeverity: medium\nPackage: libtiff6\nVersion: 4.5.0-6\nFix Version: \nType: deb\nLocation: /usr/share/doc/libtiff6/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-3618](https://security-tracker.debian.org/tracker/CVE-2023-3618)", + "markdown": "**Vulnerability CVE-2023-3618**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium | libtiff6 | 4.5.0-6 | | deb | /usr/share/doc/libtiff6/copyright | debian:distro:debian:12 | [CVE-2023-3618](https://security-tracker.debian.org/tracker/CVE-2023-3618) |\n" + }, + "properties": { + "security-severity": "6.5" + } + }, + { + "id": "CVE-2023-3817-libssl3", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-3817 medium vulnerability for libssl3 package" + }, + "fullDescription": { + "text": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \"-check\" option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-3817\nSeverity: medium\nPackage: libssl3\nVersion: 3.0.9-1\nFix Version: \nType: deb\nLocation: /usr/share/doc/libssl3/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-3817](https://security-tracker.debian.org/tracker/CVE-2023-3817)", + "markdown": "**Vulnerability CVE-2023-3817**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium | libssl3 | 3.0.9-1 | | deb | /usr/share/doc/libssl3/copyright | debian:distro:debian:12 | [CVE-2023-3817](https://security-tracker.debian.org/tracker/CVE-2023-3817) |\n" + }, + "properties": { + "security-severity": "5.3" + } + }, + { + "id": "CVE-2023-3817-openssl", + "name": "DpkgMatcherExactDirectMatch", + "shortDescription": { + "text": "CVE-2023-3817 medium vulnerability for openssl package" + }, + "fullDescription": { + "text": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \"-check\" option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-3817\nSeverity: medium\nPackage: openssl\nVersion: 3.0.9-1\nFix Version: \nType: deb\nLocation: /usr/share/doc/openssl/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-3817](https://security-tracker.debian.org/tracker/CVE-2023-3817)", + "markdown": "**Vulnerability CVE-2023-3817**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| medium | openssl | 3.0.9-1 | | deb | /usr/share/doc/openssl/copyright | debian:distro:debian:12 | [CVE-2023-3817](https://security-tracker.debian.org/tracker/CVE-2023-3817) |\n" + }, + "properties": { + "security-severity": "5.3" + } + }, + { + "id": "CVE-2023-38288-libtiff6", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-38288 low vulnerability for libtiff6 package" + }, + "fullDescription": { + "text": "Version 4.5.0-6 is affected with no fixes reported yet." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-38288\nSeverity: low\nPackage: libtiff6\nVersion: 4.5.0-6\nFix Version: \nType: deb\nLocation: /usr/share/doc/libtiff6/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-38288](https://security-tracker.debian.org/tracker/CVE-2023-38288)", + "markdown": "**Vulnerability CVE-2023-38288**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libtiff6 | 4.5.0-6 | | deb | /usr/share/doc/libtiff6/copyright | debian:distro:debian:12 | [CVE-2023-38288](https://security-tracker.debian.org/tracker/CVE-2023-38288) |\n" + }, + "properties": { + "security-severity": "0.0" + } + }, + { + "id": "CVE-2023-38289-libtiff6", + "name": "DpkgMatcherExactIndirectMatch", + "shortDescription": { + "text": "CVE-2023-38289 low vulnerability for libtiff6 package" + }, + "fullDescription": { + "text": "Version 4.5.0-6 is affected with no fixes reported yet." + }, + "helpUri": "https://github.com/anchore/grype", + "help": { + "text": "Vulnerability CVE-2023-38289\nSeverity: low\nPackage: libtiff6\nVersion: 4.5.0-6\nFix Version: \nType: deb\nLocation: /usr/share/doc/libtiff6/copyright\nData Namespace: debian:distro:debian:12\nLink: [CVE-2023-38289](https://security-tracker.debian.org/tracker/CVE-2023-38289)", + "markdown": "**Vulnerability CVE-2023-38289**\n| Severity | Package | Version | Fix Version | Type | Location | Data Namespace | Link |\n| --- | --- | --- | --- | --- | --- | --- | --- |\n| low | libtiff6 | 4.5.0-6 | | deb | /usr/share/doc/libtiff6/copyright | debian:distro:debian:12 | [CVE-2023-38289](https://security-tracker.debian.org/tracker/CVE-2023-38289) |\n" + }, + "properties": { + "security-severity": "0.0" + } + } + ] + } + }, + "results": [ + { + "ruleId": "CVE-2005-2541-tar", + "message": { + "text": "The path /usr/share/doc/tar/copyright reports tar at version 1.34+dfsg-1.2 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/tar/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/tar/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/tar/copyright" + }, + { + "name": "/var/lib/dpkg/info/tar.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/tar.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2007-5686-login", + "message": { + "text": "The path /usr/share/doc/login/copyright reports login at version 1:4.13+dfsg1-1+b1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/login/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/login/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/login/copyright" + }, + { + "name": "/var/lib/dpkg/info/login.conffiles", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/login.conffiles" + }, + { + "name": "/var/lib/dpkg/info/login.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/login.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2007-5686-passwd", + "message": { + "text": "The path /usr/share/doc/passwd/copyright reports passwd at version 1:4.13+dfsg1-1+b1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/passwd/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/passwd/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/passwd/copyright" + }, + { + "name": "/var/lib/dpkg/info/passwd.conffiles", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/passwd.conffiles" + }, + { + "name": "/var/lib/dpkg/info/passwd.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/passwd.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2007-6755-libssl3", + "message": { + "text": "The path /usr/share/doc/libssl3/copyright reports libssl3 at version 3.0.9-1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libssl3/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libssl3/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libssl3/copyright" + }, + { + "name": "/var/lib/dpkg/info/libssl3:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libssl3:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2007-6755-openssl", + "message": { + "text": "The path /usr/share/doc/openssl/copyright reports openssl at version 3.0.9-1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/openssl/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/openssl/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/openssl/copyright" + }, + { + "name": "/var/lib/dpkg/info/openssl.conffiles", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/openssl.conffiles" + }, + { + "name": "/var/lib/dpkg/info/openssl.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/openssl.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2009-4487-nginx", + "message": { + "text": "The path /usr/share/doc/nginx/copyright reports nginx at version 1.25.2-1~bookworm which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/nginx/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/nginx/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/nginx/copyright" + }, + { + "name": "/var/lib/dpkg/info/nginx.conffiles", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/nginx.conffiles" + }, + { + "name": "/var/lib/dpkg/info/nginx.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/nginx.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2010-0928-libssl3", + "message": { + "text": "The path /usr/share/doc/libssl3/copyright reports libssl3 at version 3.0.9-1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libssl3/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libssl3/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libssl3/copyright" + }, + { + "name": "/var/lib/dpkg/info/libssl3:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libssl3:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2010-0928-openssl", + "message": { + "text": "The path /usr/share/doc/openssl/copyright reports openssl at version 3.0.9-1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/openssl/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/openssl/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/openssl/copyright" + }, + { + "name": "/var/lib/dpkg/info/openssl.conffiles", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/openssl.conffiles" + }, + { + "name": "/var/lib/dpkg/info/openssl.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/openssl.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2010-4756-libc-bin", + "message": { + "text": "The path /usr/share/doc/libc-bin/copyright reports libc-bin at version 2.36-9+deb12u1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libc-bin/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libc-bin/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/libc-bin/copyright" + }, + { + "name": "/var/lib/dpkg/info/libc-bin.conffiles", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libc-bin.conffiles" + }, + { + "name": "/var/lib/dpkg/info/libc-bin.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libc-bin.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2010-4756-libc6", + "message": { + "text": "The path /usr/share/doc/libc6/copyright reports libc6 at version 2.36-9+deb12u1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libc6/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libc6/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/libc6/copyright" + }, + { + "name": "/var/lib/dpkg/info/libc6:amd64.conffiles", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libc6:amd64.conffiles" + }, + { + "name": "/var/lib/dpkg/info/libc6:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libc6:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2011-3374-apt", + "message": { + "text": "The path /usr/share/doc/apt/copyright reports apt at version 2.6.1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/apt/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/apt/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/apt/copyright" + }, + { + "name": "/var/lib/dpkg/info/apt.conffiles", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/apt.conffiles" + }, + { + "name": "/var/lib/dpkg/info/apt.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/apt.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2011-3374-libapt-pkg6.0", + "message": { + "text": "The path /usr/share/doc/libapt-pkg6.0/copyright reports libapt-pkg6.0 at version 2.6.1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libapt-pkg6.0/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libapt-pkg6.0/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/libapt-pkg6.0/copyright" + }, + { + "name": "/var/lib/dpkg/info/libapt-pkg6.0:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libapt-pkg6.0:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2011-3389-libgnutls30", + "message": { + "text": "The path /usr/share/doc/libgnutls30/copyright reports libgnutls30 at version 3.7.9-2 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libgnutls30/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libgnutls30/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/libgnutls30/copyright" + }, + { + "name": "/var/lib/dpkg/info/libgnutls30:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libgnutls30:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2011-4116-perl-base", + "message": { + "text": "The path /usr/share/doc/perl-base/copyright reports perl-base at version 5.36.0-7 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/perl-base/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/perl-base/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/perl-base/copyright" + }, + { + "name": "/var/lib/dpkg/info/perl-base.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/perl-base.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2013-0337-nginx", + "message": { + "text": "The path /usr/share/doc/nginx/copyright reports nginx at version 1.25.2-1~bookworm which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/nginx/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/nginx/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/nginx/copyright" + }, + { + "name": "/var/lib/dpkg/info/nginx.conffiles", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/nginx.conffiles" + }, + { + "name": "/var/lib/dpkg/info/nginx.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/nginx.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2013-4392-libsystemd0", + "message": { + "text": "The path /usr/share/doc/libsystemd0/copyright reports libsystemd0 at version 252.12-1~deb12u1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libsystemd0/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libsystemd0/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/libsystemd0/copyright" + }, + { + "name": "/var/lib/dpkg/info/libsystemd0:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libsystemd0:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2013-4392-libudev1", + "message": { + "text": "The path /usr/share/doc/libudev1/copyright reports libudev1 at version 252.12-1~deb12u1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libudev1/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libudev1/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/libudev1/copyright" + }, + { + "name": "/var/lib/dpkg/info/libudev1:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libudev1:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2015-3276-libldap-2.5-0", + "message": { + "text": "The path /usr/share/doc/libldap-2.5-0/copyright reports libldap-2.5-0 at version 2.5.13+dfsg-5 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libldap-2.5-0/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libldap-2.5-0/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libldap-2.5-0/copyright" + }, + { + "name": "/var/lib/dpkg/info/libldap-2.5-0:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libldap-2.5-0:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2015-9019-libxslt1.1", + "message": { + "text": "The path /usr/share/doc/libxslt1.1/copyright reports libxslt1.1 at version 1.1.35-1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libxslt1.1/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libxslt1.1/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libxslt1.1/copyright" + }, + { + "name": "/var/lib/dpkg/info/libxslt1.1:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libxslt1.1:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2016-2781-coreutils", + "message": { + "text": "The path /usr/share/doc/coreutils/copyright reports coreutils at version 9.1-1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/coreutils/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/coreutils/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/coreutils/copyright" + }, + { + "name": "/var/lib/dpkg/info/coreutils.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/coreutils.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2017-14159-libldap-2.5-0", + "message": { + "text": "The path /usr/share/doc/libldap-2.5-0/copyright reports libldap-2.5-0 at version 2.5.13+dfsg-5 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libldap-2.5-0/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libldap-2.5-0/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libldap-2.5-0/copyright" + }, + { + "name": "/var/lib/dpkg/info/libldap-2.5-0:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libldap-2.5-0:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2017-16232-libtiff6", + "message": { + "text": "The path /usr/share/doc/libtiff6/copyright reports libtiff6 at version 4.5.0-6 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libtiff6/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libtiff6/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libtiff6/copyright" + }, + { + "name": "/var/lib/dpkg/info/libtiff6:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libtiff6:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2017-17740-libldap-2.5-0", + "message": { + "text": "The path /usr/share/doc/libldap-2.5-0/copyright reports libldap-2.5-0 at version 2.5.13+dfsg-5 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libldap-2.5-0/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libldap-2.5-0/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libldap-2.5-0/copyright" + }, + { + "name": "/var/lib/dpkg/info/libldap-2.5-0:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libldap-2.5-0:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2017-17973-libtiff6", + "message": { + "text": "The path /usr/share/doc/libtiff6/copyright reports libtiff6 at version 4.5.0-6 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libtiff6/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libtiff6/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libtiff6/copyright" + }, + { + "name": "/var/lib/dpkg/info/libtiff6:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libtiff6:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2017-18018-coreutils", + "message": { + "text": "The path /usr/share/doc/coreutils/copyright reports coreutils at version 9.1-1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/coreutils/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/coreutils/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/coreutils/copyright" + }, + { + "name": "/var/lib/dpkg/info/coreutils.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/coreutils.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2017-5563-libtiff6", + "message": { + "text": "The path /usr/share/doc/libtiff6/copyright reports libtiff6 at version 4.5.0-6 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libtiff6/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libtiff6/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libtiff6/copyright" + }, + { + "name": "/var/lib/dpkg/info/libtiff6:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libtiff6:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2017-9117-libtiff6", + "message": { + "text": "The path /usr/share/doc/libtiff6/copyright reports libtiff6 at version 4.5.0-6 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libtiff6/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libtiff6/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libtiff6/copyright" + }, + { + "name": "/var/lib/dpkg/info/libtiff6:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libtiff6:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2017-9937-libjbig0", + "message": { + "text": "The path /usr/share/doc/libjbig0/copyright reports libjbig0 at version 2.1-6.1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libjbig0/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libjbig0/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libjbig0/copyright" + }, + { + "name": "/var/lib/dpkg/info/libjbig0:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libjbig0:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2018-10126-libtiff6", + "message": { + "text": "The path /usr/share/doc/libtiff6/copyright reports libtiff6 at version 4.5.0-6 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libtiff6/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libtiff6/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libtiff6/copyright" + }, + { + "name": "/var/lib/dpkg/info/libtiff6:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libtiff6:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2018-20796-libc-bin", + "message": { + "text": "The path /usr/share/doc/libc-bin/copyright reports libc-bin at version 2.36-9+deb12u1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libc-bin/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libc-bin/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/libc-bin/copyright" + }, + { + "name": "/var/lib/dpkg/info/libc-bin.conffiles", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libc-bin.conffiles" + }, + { + "name": "/var/lib/dpkg/info/libc-bin.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libc-bin.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2018-20796-libc6", + "message": { + "text": "The path /usr/share/doc/libc6/copyright reports libc6 at version 2.36-9+deb12u1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libc6/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libc6/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/libc6/copyright" + }, + { + "name": "/var/lib/dpkg/info/libc6:amd64.conffiles", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libc6:amd64.conffiles" + }, + { + "name": "/var/lib/dpkg/info/libc6:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libc6:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2018-5709-libgssapi-krb5-2", + "message": { + "text": "The path /usr/share/doc/libgssapi-krb5-2/copyright reports libgssapi-krb5-2 at version 1.20.1-2 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libgssapi-krb5-2/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libgssapi-krb5-2/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libgssapi-krb5-2/copyright" + }, + { + "name": "/var/lib/dpkg/info/libgssapi-krb5-2:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libgssapi-krb5-2:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2018-5709-libk5crypto3", + "message": { + "text": "The path /usr/share/doc/libk5crypto3/copyright reports libk5crypto3 at version 1.20.1-2 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libk5crypto3/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libk5crypto3/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libk5crypto3/copyright" + }, + { + "name": "/var/lib/dpkg/info/libk5crypto3:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libk5crypto3:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2018-5709-libkrb5-3", + "message": { + "text": "The path /usr/share/doc/libkrb5-3/copyright reports libkrb5-3 at version 1.20.1-2 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libkrb5-3/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libkrb5-3/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libkrb5-3/copyright" + }, + { + "name": "/var/lib/dpkg/info/libkrb5-3:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libkrb5-3:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2018-5709-libkrb5support0", + "message": { + "text": "The path /usr/share/doc/libkrb5support0/copyright reports libkrb5support0 at version 1.20.1-2 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libkrb5support0/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libkrb5support0/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libkrb5support0/copyright" + }, + { + "name": "/var/lib/dpkg/info/libkrb5support0:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libkrb5support0:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2018-6829-libgcrypt20", + "message": { + "text": "The path /usr/share/doc/libgcrypt20/copyright reports libgcrypt20 at version 1.10.1-3 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libgcrypt20/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libgcrypt20/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/libgcrypt20/copyright" + }, + { + "name": "/var/lib/dpkg/info/libgcrypt20:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libgcrypt20:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2019-1010022-libc-bin", + "message": { + "text": "The path /usr/share/doc/libc-bin/copyright reports libc-bin at version 2.36-9+deb12u1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libc-bin/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libc-bin/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/libc-bin/copyright" + }, + { + "name": "/var/lib/dpkg/info/libc-bin.conffiles", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libc-bin.conffiles" + }, + { + "name": "/var/lib/dpkg/info/libc-bin.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libc-bin.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2019-1010022-libc6", + "message": { + "text": "The path /usr/share/doc/libc6/copyright reports libc6 at version 2.36-9+deb12u1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libc6/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libc6/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/libc6/copyright" + }, + { + "name": "/var/lib/dpkg/info/libc6:amd64.conffiles", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libc6:amd64.conffiles" + }, + { + "name": "/var/lib/dpkg/info/libc6:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libc6:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2019-1010023-libc-bin", + "message": { + "text": "The path /usr/share/doc/libc-bin/copyright reports libc-bin at version 2.36-9+deb12u1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libc-bin/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libc-bin/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/libc-bin/copyright" + }, + { + "name": "/var/lib/dpkg/info/libc-bin.conffiles", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libc-bin.conffiles" + }, + { + "name": "/var/lib/dpkg/info/libc-bin.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libc-bin.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2019-1010023-libc6", + "message": { + "text": "The path /usr/share/doc/libc6/copyright reports libc6 at version 2.36-9+deb12u1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libc6/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libc6/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/libc6/copyright" + }, + { + "name": "/var/lib/dpkg/info/libc6:amd64.conffiles", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libc6:amd64.conffiles" + }, + { + "name": "/var/lib/dpkg/info/libc6:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libc6:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2019-1010024-libc-bin", + "message": { + "text": "The path /usr/share/doc/libc-bin/copyright reports libc-bin at version 2.36-9+deb12u1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libc-bin/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libc-bin/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/libc-bin/copyright" + }, + { + "name": "/var/lib/dpkg/info/libc-bin.conffiles", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libc-bin.conffiles" + }, + { + "name": "/var/lib/dpkg/info/libc-bin.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libc-bin.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2019-1010024-libc6", + "message": { + "text": "The path /usr/share/doc/libc6/copyright reports libc6 at version 2.36-9+deb12u1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libc6/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libc6/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/libc6/copyright" + }, + { + "name": "/var/lib/dpkg/info/libc6:amd64.conffiles", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libc6:amd64.conffiles" + }, + { + "name": "/var/lib/dpkg/info/libc6:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libc6:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2019-1010025-libc-bin", + "message": { + "text": "The path /usr/share/doc/libc-bin/copyright reports libc-bin at version 2.36-9+deb12u1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libc-bin/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libc-bin/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/libc-bin/copyright" + }, + { + "name": "/var/lib/dpkg/info/libc-bin.conffiles", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libc-bin.conffiles" + }, + { + "name": "/var/lib/dpkg/info/libc-bin.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libc-bin.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2019-1010025-libc6", + "message": { + "text": "The path /usr/share/doc/libc6/copyright reports libc6 at version 2.36-9+deb12u1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libc6/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libc6/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/libc6/copyright" + }, + { + "name": "/var/lib/dpkg/info/libc6:amd64.conffiles", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libc6:amd64.conffiles" + }, + { + "name": "/var/lib/dpkg/info/libc6:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libc6:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2019-19882-login", + "message": { + "text": "The path /usr/share/doc/login/copyright reports login at version 1:4.13+dfsg1-1+b1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/login/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/login/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/login/copyright" + }, + { + "name": "/var/lib/dpkg/info/login.conffiles", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/login.conffiles" + }, + { + "name": "/var/lib/dpkg/info/login.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/login.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2019-19882-passwd", + "message": { + "text": "The path /usr/share/doc/passwd/copyright reports passwd at version 1:4.13+dfsg1-1+b1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/passwd/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/passwd/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/passwd/copyright" + }, + { + "name": "/var/lib/dpkg/info/passwd.conffiles", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/passwd.conffiles" + }, + { + "name": "/var/lib/dpkg/info/passwd.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/passwd.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2019-9192-libc-bin", + "message": { + "text": "The path /usr/share/doc/libc-bin/copyright reports libc-bin at version 2.36-9+deb12u1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libc-bin/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libc-bin/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/libc-bin/copyright" + }, + { + "name": "/var/lib/dpkg/info/libc-bin.conffiles", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libc-bin.conffiles" + }, + { + "name": "/var/lib/dpkg/info/libc-bin.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libc-bin.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2019-9192-libc6", + "message": { + "text": "The path /usr/share/doc/libc6/copyright reports libc6 at version 2.36-9+deb12u1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libc6/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libc6/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/libc6/copyright" + }, + { + "name": "/var/lib/dpkg/info/libc6:amd64.conffiles", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libc6:amd64.conffiles" + }, + { + "name": "/var/lib/dpkg/info/libc6:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libc6:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2020-15719-libldap-2.5-0", + "message": { + "text": "The path /usr/share/doc/libldap-2.5-0/copyright reports libldap-2.5-0 at version 2.5.13+dfsg-5 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libldap-2.5-0/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libldap-2.5-0/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libldap-2.5-0/copyright" + }, + { + "name": "/var/lib/dpkg/info/libldap-2.5-0:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libldap-2.5-0:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2021-4214-libpng16-16", + "message": { + "text": "The path /usr/share/doc/libpng16-16/copyright reports libpng16-16 at version 1.6.39-2 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libpng16-16/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libpng16-16/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libpng16-16/copyright" + }, + { + "name": "/var/lib/dpkg/info/libpng16-16:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libpng16-16:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2022-0563-bsdutils", + "message": { + "text": "The path /usr/share/doc/bsdutils/copyright reports bsdutils at version 1:2.38.1-5+b1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/bsdutils/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/bsdutils/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/bsdutils/copyright" + }, + { + "name": "/var/lib/dpkg/info/bsdutils.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/bsdutils.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2022-0563-libblkid1", + "message": { + "text": "The path /usr/share/doc/libblkid1/copyright reports libblkid1 at version 2.38.1-5+b1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libblkid1/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libblkid1/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/libblkid1/copyright" + }, + { + "name": "/var/lib/dpkg/info/libblkid1:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libblkid1:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2022-0563-libmount1", + "message": { + "text": "The path /usr/share/doc/libmount1/copyright reports libmount1 at version 2.38.1-5+b1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libmount1/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libmount1/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/libmount1/copyright" + }, + { + "name": "/var/lib/dpkg/info/libmount1:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libmount1:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2022-0563-libsmartcols1", + "message": { + "text": "The path /usr/share/doc/libsmartcols1/copyright reports libsmartcols1 at version 2.38.1-5+b1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libsmartcols1/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libsmartcols1/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/libsmartcols1/copyright" + }, + { + "name": "/var/lib/dpkg/info/libsmartcols1:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libsmartcols1:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2022-0563-libuuid1", + "message": { + "text": "The path /usr/share/doc/libuuid1/copyright reports libuuid1 at version 2.38.1-5+b1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libuuid1/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libuuid1/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/libuuid1/copyright" + }, + { + "name": "/var/lib/dpkg/info/libuuid1:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libuuid1:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2022-0563-mount", + "message": { + "text": "The path /usr/share/doc/mount/copyright reports mount at version 2.38.1-5+b1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/mount/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/mount/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/mount/copyright" + }, + { + "name": "/var/lib/dpkg/info/mount.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/mount.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2022-0563-util-linux", + "message": { + "text": "The path /usr/share/doc/util-linux/copyright reports util-linux at version 2.38.1-5+b1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/util-linux/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/util-linux/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/util-linux/copyright" + }, + { + "name": "/var/lib/dpkg/info/util-linux.conffiles", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/util-linux.conffiles" + }, + { + "name": "/var/lib/dpkg/info/util-linux.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/util-linux.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2022-0563-util-linux-extra", + "message": { + "text": "The path /usr/share/doc/util-linux-extra/copyright reports util-linux-extra at version 2.38.1-5+b1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/util-linux-extra/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/util-linux-extra/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/util-linux-extra/copyright" + }, + { + "name": "/var/lib/dpkg/info/util-linux-extra.conffiles", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/util-linux-extra.conffiles" + }, + { + "name": "/var/lib/dpkg/info/util-linux-extra.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/util-linux-extra.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2022-1210-libtiff6", + "message": { + "text": "The path /usr/share/doc/libtiff6/copyright reports libtiff6 at version 4.5.0-6 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libtiff6/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libtiff6/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libtiff6/copyright" + }, + { + "name": "/var/lib/dpkg/info/libtiff6:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libtiff6:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2022-27943-gcc-12-base", + "message": { + "text": "The path /usr/share/doc/gcc-12-base/copyright reports gcc-12-base at version 12.2.0-14 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/gcc-12-base/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/gcc-12-base/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/gcc-12-base/copyright" + }, + { + "name": "/var/lib/dpkg/info/gcc-12-base:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/gcc-12-base:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2022-27943-libgcc-s1", + "message": { + "text": "The path /usr/share/doc/libgcc-s1/copyright reports libgcc-s1 at version 12.2.0-14 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libgcc-s1/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/gcc-12-base/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/libgcc-s1/copyright" + }, + { + "name": "/var/lib/dpkg/info/libgcc-s1:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libgcc-s1:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2022-27943-libstdc++6", + "message": { + "text": "The path /usr/share/doc/libstdc++6/copyright reports libstdc++6 at version 12.2.0-14 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libstdc++6/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/gcc-12-base/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/libstdc++6/copyright" + }, + { + "name": "/var/lib/dpkg/info/libstdc++6:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libstdc++6:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2022-3219-gpgv", + "message": { + "text": "The path /usr/share/doc/gpgv/copyright reports gpgv at version 2.2.40-1.1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/gpgv/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/gpgv/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/gpgv/copyright" + }, + { + "name": "/var/lib/dpkg/info/gpgv.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/gpgv.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2022-48303-tar", + "message": { + "text": "The path /usr/share/doc/tar/copyright reports tar at version 1.34+dfsg-1.2 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/tar/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/tar/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/tar/copyright" + }, + { + "name": "/var/lib/dpkg/info/tar.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/tar.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-1916-libtiff6", + "message": { + "text": "The path /usr/share/doc/libtiff6/copyright reports libtiff6 at version 4.5.0-6 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libtiff6/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libtiff6/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libtiff6/copyright" + }, + { + "name": "/var/lib/dpkg/info/libtiff6:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libtiff6:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-25433-libtiff6", + "message": { + "text": "The path /usr/share/doc/libtiff6/copyright reports libtiff6 at version 4.5.0-6 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libtiff6/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libtiff6/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libtiff6/copyright" + }, + { + "name": "/var/lib/dpkg/info/libtiff6:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libtiff6:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-26965-libtiff6", + "message": { + "text": "The path /usr/share/doc/libtiff6/copyright reports libtiff6 at version 4.5.0-6 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libtiff6/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libtiff6/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libtiff6/copyright" + }, + { + "name": "/var/lib/dpkg/info/libtiff6:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libtiff6:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-26966-libtiff6", + "message": { + "text": "The path /usr/share/doc/libtiff6/copyright reports libtiff6 at version 4.5.0-6 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libtiff6/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libtiff6/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libtiff6/copyright" + }, + { + "name": "/var/lib/dpkg/info/libtiff6:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libtiff6:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-27102-libde265-0", + "message": { + "text": "The path /usr/share/doc/libde265-0/copyright reports libde265-0 at version 1.0.11-1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libde265-0/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libde265-0/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libde265-0/copyright" + }, + { + "name": "/var/lib/dpkg/info/libde265-0:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libde265-0:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-27103-libde265-0", + "message": { + "text": "The path /usr/share/doc/libde265-0/copyright reports libde265-0 at version 1.0.11-1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libde265-0/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libde265-0/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libde265-0/copyright" + }, + { + "name": "/var/lib/dpkg/info/libde265-0:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libde265-0:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-2908-libtiff6", + "message": { + "text": "The path /usr/share/doc/libtiff6/copyright reports libtiff6 at version 4.5.0-6 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libtiff6/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libtiff6/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libtiff6/copyright" + }, + { + "name": "/var/lib/dpkg/info/libtiff6:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libtiff6:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-29383-login", + "message": { + "text": "The path /usr/share/doc/login/copyright reports login at version 1:4.13+dfsg1-1+b1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/login/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/login/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/login/copyright" + }, + { + "name": "/var/lib/dpkg/info/login.conffiles", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/login.conffiles" + }, + { + "name": "/var/lib/dpkg/info/login.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/login.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-29383-passwd", + "message": { + "text": "The path /usr/share/doc/passwd/copyright reports passwd at version 1:4.13+dfsg1-1+b1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/passwd/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/passwd/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/passwd/copyright" + }, + { + "name": "/var/lib/dpkg/info/passwd.conffiles", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/passwd.conffiles" + }, + { + "name": "/var/lib/dpkg/info/passwd.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/passwd.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-2953-libldap-2.5-0", + "message": { + "text": "The path /usr/share/doc/libldap-2.5-0/copyright reports libldap-2.5-0 at version 2.5.13+dfsg-5 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libldap-2.5-0/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libldap-2.5-0/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libldap-2.5-0/copyright" + }, + { + "name": "/var/lib/dpkg/info/libldap-2.5-0:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libldap-2.5-0:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-29659-libheif1", + "message": { + "text": "The path /usr/share/doc/libheif1/copyright reports libheif1 at version 1.15.1-1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libheif1/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libheif1/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libheif1/copyright" + }, + { + "name": "/var/lib/dpkg/info/libheif1:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libheif1:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-2975-libssl3", + "message": { + "text": "The path /usr/share/doc/libssl3/copyright reports libssl3 at version 3.0.9-1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libssl3/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libssl3/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libssl3/copyright" + }, + { + "name": "/var/lib/dpkg/info/libssl3:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libssl3:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-2975-openssl", + "message": { + "text": "The path /usr/share/doc/openssl/copyright reports openssl at version 3.0.9-1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/openssl/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/openssl/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/openssl/copyright" + }, + { + "name": "/var/lib/dpkg/info/openssl.conffiles", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/openssl.conffiles" + }, + { + "name": "/var/lib/dpkg/info/openssl.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/openssl.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-31437-libsystemd0", + "message": { + "text": "The path /usr/share/doc/libsystemd0/copyright reports libsystemd0 at version 252.12-1~deb12u1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libsystemd0/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libsystemd0/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/libsystemd0/copyright" + }, + { + "name": "/var/lib/dpkg/info/libsystemd0:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libsystemd0:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-31437-libudev1", + "message": { + "text": "The path /usr/share/doc/libudev1/copyright reports libudev1 at version 252.12-1~deb12u1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libudev1/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libudev1/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/libudev1/copyright" + }, + { + "name": "/var/lib/dpkg/info/libudev1:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libudev1:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-31438-libsystemd0", + "message": { + "text": "The path /usr/share/doc/libsystemd0/copyright reports libsystemd0 at version 252.12-1~deb12u1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libsystemd0/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libsystemd0/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/libsystemd0/copyright" + }, + { + "name": "/var/lib/dpkg/info/libsystemd0:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libsystemd0:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-31438-libudev1", + "message": { + "text": "The path /usr/share/doc/libudev1/copyright reports libudev1 at version 252.12-1~deb12u1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libudev1/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libudev1/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/libudev1/copyright" + }, + { + "name": "/var/lib/dpkg/info/libudev1:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libudev1:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-31439-libsystemd0", + "message": { + "text": "The path /usr/share/doc/libsystemd0/copyright reports libsystemd0 at version 252.12-1~deb12u1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libsystemd0/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libsystemd0/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/libsystemd0/copyright" + }, + { + "name": "/var/lib/dpkg/info/libsystemd0:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libsystemd0:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-31439-libudev1", + "message": { + "text": "The path /usr/share/doc/libudev1/copyright reports libudev1 at version 252.12-1~deb12u1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libudev1/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libudev1/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/libudev1/copyright" + }, + { + "name": "/var/lib/dpkg/info/libudev1:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/libudev1:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-31484-perl-base", + "message": { + "text": "The path /usr/share/doc/perl-base/copyright reports perl-base at version 5.36.0-7 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/perl-base/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/perl-base/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/perl-base/copyright" + }, + { + "name": "/var/lib/dpkg/info/perl-base.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/perl-base.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-31486-perl-base", + "message": { + "text": "The path /usr/share/doc/perl-base/copyright reports perl-base at version 5.36.0-7 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/perl-base/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/perl-base/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/usr/share/doc/perl-base/copyright" + }, + { + "name": "/var/lib/dpkg/info/perl-base.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:511780f88f80081112aea1bfdca6c800e1983e401b338e20b2c6e97f384e4299:/var/lib/dpkg/info/perl-base.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-3164-libtiff6", + "message": { + "text": "The path /usr/share/doc/libtiff6/copyright reports libtiff6 at version 4.5.0-6 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libtiff6/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libtiff6/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libtiff6/copyright" + }, + { + "name": "/var/lib/dpkg/info/libtiff6:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libtiff6:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-32570-libdav1d6", + "message": { + "text": "The path /usr/share/doc/libdav1d6/copyright reports libdav1d6 at version 1.0.0-2 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libdav1d6/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libdav1d6/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libdav1d6/copyright" + }, + { + "name": "/var/lib/dpkg/info/libdav1d6:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libdav1d6:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-3316-libtiff6", + "message": { + "text": "The path /usr/share/doc/libtiff6/copyright reports libtiff6 at version 4.5.0-6 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libtiff6/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libtiff6/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libtiff6/copyright" + }, + { + "name": "/var/lib/dpkg/info/libtiff6:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libtiff6:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-3446-libssl3", + "message": { + "text": "The path /usr/share/doc/libssl3/copyright reports libssl3 at version 3.0.9-1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libssl3/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libssl3/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libssl3/copyright" + }, + { + "name": "/var/lib/dpkg/info/libssl3:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libssl3:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-3446-openssl", + "message": { + "text": "The path /usr/share/doc/openssl/copyright reports openssl at version 3.0.9-1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/openssl/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/openssl/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/openssl/copyright" + }, + { + "name": "/var/lib/dpkg/info/openssl.conffiles", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/openssl.conffiles" + }, + { + "name": "/var/lib/dpkg/info/openssl.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/openssl.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-36054-libgssapi-krb5-2", + "message": { + "text": "The path /usr/share/doc/libgssapi-krb5-2/copyright reports libgssapi-krb5-2 at version 1.20.1-2 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libgssapi-krb5-2/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libgssapi-krb5-2/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libgssapi-krb5-2/copyright" + }, + { + "name": "/var/lib/dpkg/info/libgssapi-krb5-2:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libgssapi-krb5-2:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-36054-libk5crypto3", + "message": { + "text": "The path /usr/share/doc/libk5crypto3/copyright reports libk5crypto3 at version 1.20.1-2 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libk5crypto3/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libk5crypto3/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libk5crypto3/copyright" + }, + { + "name": "/var/lib/dpkg/info/libk5crypto3:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libk5crypto3:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-36054-libkrb5-3", + "message": { + "text": "The path /usr/share/doc/libkrb5-3/copyright reports libkrb5-3 at version 1.20.1-2 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libkrb5-3/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libkrb5-3/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libkrb5-3/copyright" + }, + { + "name": "/var/lib/dpkg/info/libkrb5-3:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libkrb5-3:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-36054-libkrb5support0", + "message": { + "text": "The path /usr/share/doc/libkrb5support0/copyright reports libkrb5support0 at version 1.20.1-2 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libkrb5support0/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libkrb5support0/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libkrb5support0/copyright" + }, + { + "name": "/var/lib/dpkg/info/libkrb5support0:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libkrb5support0:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-3618-libtiff6", + "message": { + "text": "The path /usr/share/doc/libtiff6/copyright reports libtiff6 at version 4.5.0-6 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libtiff6/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libtiff6/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libtiff6/copyright" + }, + { + "name": "/var/lib/dpkg/info/libtiff6:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libtiff6:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-3817-libssl3", + "message": { + "text": "The path /usr/share/doc/libssl3/copyright reports libssl3 at version 3.0.9-1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libssl3/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libssl3/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libssl3/copyright" + }, + { + "name": "/var/lib/dpkg/info/libssl3:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libssl3:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-3817-openssl", + "message": { + "text": "The path /usr/share/doc/openssl/copyright reports openssl at version 3.0.9-1 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/openssl/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/openssl/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/openssl/copyright" + }, + { + "name": "/var/lib/dpkg/info/openssl.conffiles", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/openssl.conffiles" + }, + { + "name": "/var/lib/dpkg/info/openssl.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/openssl.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-38288-libtiff6", + "message": { + "text": "The path /usr/share/doc/libtiff6/copyright reports libtiff6 at version 4.5.0-6 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libtiff6/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libtiff6/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libtiff6/copyright" + }, + { + "name": "/var/lib/dpkg/info/libtiff6:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libtiff6:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + }, + { + "ruleId": "CVE-2023-38289-libtiff6", + "message": { + "text": "The path /usr/share/doc/libtiff6/copyright reports libtiff6 at version 4.5.0-6 which is a vulnerable (deb) package installed in the container" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "image//usr/share/doc/libtiff6/copyright" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "logicalLocations": [ + { + "name": "/usr/share/doc/libtiff6/copyright", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/usr/share/doc/libtiff6/copyright" + }, + { + "name": "/var/lib/dpkg/info/libtiff6:amd64.md5sums", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/info/libtiff6:amd64.md5sums" + }, + { + "name": "/var/lib/dpkg/status", + "fullyQualifiedName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0@sha256:4713cb24eeff341d0c36343149beba247572a5ff65c2be5b5d9baafb345c7393:/var/lib/dpkg/status" + } + ] + } + ] + } + ] + } + ] +} \ No newline at end of file diff --git a/pkg/ctl/testdata/sarif/nginx-snyk.sarif.json b/pkg/ctl/testdata/sarif/nginx-snyk.sarif.json new file mode 100644 index 0000000..160bd55 --- /dev/null +++ b/pkg/ctl/testdata/sarif/nginx-snyk.sarif.json @@ -0,0 +1,2750 @@ +{ + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "Snyk Container", + "rules": [ + { + "id": "SNYK-DEBIAN12-APT-1541449", + "shortDescription": { + "text": "Low severity - Improper Verification of Cryptographic Signature vulnerability in apt" + }, + "fullDescription": { + "text": "(CVE-2011-3374) apt/libapt-pkg6.0@2.6.1" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `apt` package and not the `apt` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nIt was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.\n## Remediation\nThere is no fixed version for `Debian:12` `apt`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2011-3374)\n- [Debian Bug Report](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480)\n- [MISC](https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html)\n- [MISC](https://seclists.org/fulldisclosure/2011/Sep/221)\n- [MISC](https://snyk.io/vuln/SNYK-LINUX-APT-116518)\n- [MISC](https://ubuntu.com/security/CVE-2011-3374)\n- [RedHat CVE Database](https://access.redhat.com/security/cve/cve-2011-3374)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-347", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-COREUTILS-1543939", + "shortDescription": { + "text": "Low severity - Improper Input Validation vulnerability in coreutils" + }, + "fullDescription": { + "text": "(CVE-2016-2781) coreutils@9.1-1" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `coreutils` package and not the `coreutils` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nchroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.\n## Remediation\nThere is no fixed version for `Debian:12` `coreutils`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2016-2781)\n- [MLIST](https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E)\n- [OSS security Advisory](http://www.openwall.com/lists/oss-security/2016/02/28/2)\n- [OSS security Advisory](http://www.openwall.com/lists/oss-security/2016/02/28/3)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2781)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-20", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-COREUTILS-1543947", + "shortDescription": { + "text": "Low severity - Race Condition vulnerability in coreutils" + }, + "fullDescription": { + "text": "(CVE-2017-18018) coreutils@9.1-1" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `coreutils` package and not the `coreutils` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nIn GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.\n## Remediation\nThere is no fixed version for `Debian:12` `coreutils`.\n## References\n- [CVE Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2017-18018)\n- [http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html](http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-362", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-DAV1D-5518047", + "shortDescription": { + "text": "Low severity - Race Condition vulnerability in dav1d" + }, + "fullDescription": { + "text": "(CVE-2023-32570) dav1d/libdav1d6@1.0.0-2" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `dav1d` package and not the `dav1d` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nVideoLAN dav1d before 1.2.0 has a thread_task.c race condition that can lead to an application crash, related to dav1d_decode_frame_exit.\n## Remediation\nThere is no fixed version for `Debian:12` `dav1d`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-32570)\n- [cve@mitre.org](https://code.videolan.org/videolan/dav1d/-/commit/cf617fdae0b9bfabd27282854c8e81450d955efa)\n- [cve@mitre.org](https://code.videolan.org/videolan/dav1d/-/tags/1.2.0)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LXZ6CUNJFDJLCFOZHY2TIGMCAEITLCRP/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3WGSO7UMOF4MVLQ5H6KIV7OG6ONS377B/)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-362", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-GCC12-2606941", + "shortDescription": { + "text": "Low severity - Resource Exhaustion vulnerability in gcc-12" + }, + "fullDescription": { + "text": "(CVE-2022-27943) gcc-12/libstdc++6@12.2.0-14" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `gcc-12` package and not the `gcc-12` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nlibiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.\n## Remediation\nThere is no fixed version for `Debian:12` `gcc-12`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2022-27943)\n- [cve@mitre.org](https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039)\n- [cve@mitre.org](https://sourceware.org/bugzilla/show_bug.cgi?id=28995)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-GLIBC-1546991", + "shortDescription": { + "text": "Low severity - Information Exposure vulnerability in glibc" + }, + "fullDescription": { + "text": "(CVE-2019-1010024) glibc/libc-bin@2.36-9+deb12u1" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `glibc` package and not the `glibc` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\n** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."\n## Remediation\nThere is no fixed version for `Debian:12` `glibc`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2019-1010024)\n- [CONFIRM](https://support.f5.com/csp/article/K06046097)\n- [CONFIRM](https://support.f5.com/csp/article/K06046097?utm_source=f5support&utm_medium=RSS)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=22852)\n- [Security Focus](http://www.securityfocus.com/bid/109162)\n- [UBUNTU](https://ubuntu.com/security/CVE-2019-1010024)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-200", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-GLIBC-1547039", + "shortDescription": { + "text": "Low severity - Uncontrolled Recursion vulnerability in glibc" + }, + "fullDescription": { + "text": "(CVE-2018-20796) glibc/libc-bin@2.36-9+deb12u1" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `glibc` package and not the `glibc` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nIn the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.\n## Remediation\nThere is no fixed version for `Debian:12` `glibc`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2018-20796)\n- [CONFIRM](https://support.f5.com/csp/article/K26346590?utm_source=f5support&utm_medium=RSS)\n- [MISC](https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141)\n- [MISC](https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190315-0002/)\n- [Security Focus](http://www.securityfocus.com/bid/107160)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20796)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-674", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-GLIBC-1547069", + "shortDescription": { + "text": "Low severity - Uncontrolled Recursion vulnerability in glibc" + }, + "fullDescription": { + "text": "(CVE-2019-9192) glibc/libc-bin@2.36-9+deb12u1" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `glibc` package and not the `glibc` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\n** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.\n## Remediation\nThere is no fixed version for `Debian:12` `glibc`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2019-9192)\n- [CONFIRM](https://support.f5.com/csp/article/K26346590?utm_source=f5support&utm_medium=RSS)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=24269)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9192)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-674", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-GLIBC-1547135", + "shortDescription": { + "text": "Low severity - Use of Insufficiently Random Values vulnerability in glibc" + }, + "fullDescription": { + "text": "(CVE-2019-1010025) glibc/libc-bin@2.36-9+deb12u1" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `glibc` package and not the `glibc` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\n** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability."\n## Remediation\nThere is no fixed version for `Debian:12` `glibc`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2019-1010025)\n- [CONFIRM](https://support.f5.com/csp/article/K06046097)\n- [CONFIRM](https://support.f5.com/csp/article/K06046097?utm_source=f5support&utm_medium=RSS)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=22853)\n- [UBUNTU](https://ubuntu.com/security/CVE-2019-1010025)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-330", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-GLIBC-1547196", + "shortDescription": { + "text": "Low severity - Out-of-Bounds vulnerability in glibc" + }, + "fullDescription": { + "text": "(CVE-2019-1010022) glibc/libc-bin@2.36-9+deb12u1" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `glibc` package and not the `glibc` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\n** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."\n## Remediation\nThere is no fixed version for `Debian:12` `glibc`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2019-1010022)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=22850)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3)\n- [UBUNTU](https://ubuntu.com/security/CVE-2019-1010022)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-119", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-GLIBC-1547293", + "shortDescription": { + "text": "Low severity - Resource Management Errors vulnerability in glibc" + }, + "fullDescription": { + "text": "(CVE-2010-4756) glibc/libc-bin@2.36-9+deb12u1" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `glibc` package and not the `glibc` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nThe glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.\n## Remediation\nThere is no fixed version for `Debian:12` `glibc`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2010-4756)\n- [http://cxib.net/stuff/glob-0day.c](http://cxib.net/stuff/glob-0day.c)\n- [http://securityreason.com/achievement_securityalert/89](http://securityreason.com/achievement_securityalert/89)\n- [http://securityreason.com/exploitalert/9223](http://securityreason.com/exploitalert/9223)\n- [MISC](https://bugzilla.redhat.com/show_bug.cgi?id=681681)\n- [MISC](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-399", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-GLIBC-1547373", + "shortDescription": { + "text": "Low severity - CVE-2019-1010023 vulnerability in glibc" + }, + "fullDescription": { + "text": "(CVE-2019-1010023) glibc/libc-bin@2.36-9+deb12u1" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `glibc` package and not the `glibc` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\n** DISPUTED ** GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."\n## Remediation\nThere is no fixed version for `Debian:12` `glibc`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2019-1010023)\n- [CONFIRM](https://support.f5.com/csp/article/K11932200?utm_source=f5support&utm_medium=RSS)\n- [MISC](https://sourceware.org/bugzilla/show_bug.cgi?id=22851)\n- [Security Focus](http://www.securityfocus.com/bid/109167)\n- [UBUNTU](https://ubuntu.com/security/CVE-2019-1010023)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-GNUPG2-3330747", + "shortDescription": { + "text": "Low severity - Out-of-bounds Write vulnerability in gnupg2" + }, + "fullDescription": { + "text": "(CVE-2022-3219) gnupg2/gpgv@2.2.40-1.1" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `gnupg2` package and not the `gnupg2` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nGnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.\n## Remediation\nThere is no fixed version for `Debian:12` `gnupg2`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2022-3219)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2022-3219)\n- [secalert@redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=2127010)\n- [secalert@redhat.com](https://dev.gnupg.org/D556)\n- [secalert@redhat.com](https://dev.gnupg.org/T5993)\n- [secalert@redhat.com](https://marc.info/?l=oss-security&m=165696590211434&w=4)\n- [secalert@redhat.com](https://security.netapp.com/advisory/ntap-20230324-0001/)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-787", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-GNUTLS28-1547121", + "shortDescription": { + "text": "Low severity - Improper Input Validation vulnerability in gnutls28" + }, + "fullDescription": { + "text": "(CVE-2011-3389) gnutls28/libgnutls30@3.7.9-2" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `gnutls28` package and not the `gnutls28` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nThe SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.\n## Remediation\nThere is no fixed version for `Debian:12` `gnutls28`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2011-3389)\n- [APPLE](http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html)\n- [APPLE](http://lists.apple.com/archives/Security-announce/2011//Oct/msg00002.html)\n- [Apple Security Advisory](http://support.apple.com/kb/HT4999)\n- [Apple Security Advisory](http://support.apple.com/kb/HT5001)\n- [Apple Security Advisory](http://support.apple.com/kb/HT5130)\n- [Apple Security Advisory](http://support.apple.com/kb/HT5281)\n- [Apple Security Advisory](http://support.apple.com/kb/HT5501)\n- [Apple Security Advisory](http://support.apple.com/kb/HT6150)\n- [Apple Security Announcement](http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html)\n- [Apple Security Announcement](http://lists.apple.com/archives/security-announce/2012/Jul/msg00001.html)\n- [Apple Security Announcement](http://lists.apple.com/archives/security-announce/2012/May/msg00001.html)\n- [Apple Security Announcement](http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html)\n- [Apple Security Announcement](http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html)\n- [CERT](http://www.us-cert.gov/cas/techalerts/TA12-010A.html)\n- [Cert Vulnerability Note](http://www.kb.cert.org/vuls/id/864643)\n- [Chrome Release](http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html)\n- [CONFIRM](http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/)\n- [CONFIRM](http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspx)\n- [CONFIRM](http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx)\n- [CONFIRM](http://curl.haxx.se/docs/adv_20120124B.html)\n- [CONFIRM](http://downloads.asterisk.org/pub/security/AST-2016-001.html)\n- [CONFIRM](http://my.opera.com/securitygroup/blog/2011/09/28/the-beast-ssl-tls-issue)\n- [CONFIRM](https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_fetchmail)\n- [CONFIRM](https://bugzilla.novell.com/show_bug.cgi?id=719047)\n- [CONFIRM](https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf)\n- [CONFIRM](http://technet.microsoft.com/security/advisory/2588513)\n- [CONFIRM](http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf)\n- [CONFIRM](http://www.ibm.com/developerworks/java/jdk/alerts/)\n- [CONFIRM](http://www.imperialviolet.org/2011/09/23/chromeandbeast.html)\n- [CONFIRM](http://www.opera.com/docs/changelogs/mac/1151/)\n- [CONFIRM](http://www.opera.com/docs/changelogs/mac/1160/)\n- [CONFIRM](http://www.opera.com/docs/changelogs/unix/1151/)\n- [CONFIRM](http://www.opera.com/docs/changelogs/unix/1160/)\n- [CONFIRM](http://www.opera.com/docs/changelogs/windows/1151/)\n- [CONFIRM](http://www.opera.com/docs/changelogs/windows/1160/)\n- [CONFIRM](http://www.opera.com/support/kb/view/1004/)\n- [Debian Security Advisory](http://www.debian.org/security/2012/dsa-2398)\n- [Gentoo Security Advisory](http://security.gentoo.org/glsa/glsa-201203-02.xml)\n- [Gentoo Security Advisory](http://security.gentoo.org/glsa/glsa-201406-32.xml)\n- [HP](https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862)\n- [HP Security Bulletin](http://marc.info/?l=bugtraq&m=132750579901589&w=2)\n- [HP Security Bulletin](http://marc.info/?l=bugtraq&m=132872385320240&w=2)\n- [HP Security Bulletin](http://marc.info/?l=bugtraq&m=133365109612558&w=2)\n- [HP Security Bulletin](http://marc.info/?l=bugtraq&m=133728004526190&w=2)\n- [HP Security Bulletin](http://marc.info/?l=bugtraq&m=134254866602253&w=2)\n- [HP Security Bulletin](http://marc.info/?l=bugtraq&m=134254957702612&w=2)\n- [MISC](http://ekoparty.org/2011/juliano-rizzo.php)\n- [MISC](http://eprint.iacr.org/2004/111)\n- [MISC](http://eprint.iacr.org/2006/136)\n- [MISC](http://isc.sans.edu/diary/SSL+TLS+part+3+/11635)\n- [MISC](https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02)\n- [MISC](http://vnhacker.blogspot.com/2011/09/beast.html)\n- [MISC](http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html)\n- [MISC](http://www.insecure.cl/Beast-SSL.rar)\n- [MS](https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-006)\n- [MS](http://technet.microsoft.com/security/bulletin/MS12-006)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00049.html)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00051.html)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00009.html)\n- [Oracle Security Bulletin](http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html)\n- [Oracle Security Bulletin](http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html)\n- [Oracle Security Bulletin](http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html)\n- [OSVDB](http://osvdb.org/74829)\n- [Oval Security](https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14752)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=737506)\n- [RedHat Security Advisory](http://rhn.redhat.com/errata/RHSA-2012-0508.html)\n- [RedHat Security Advisory](http://rhn.redhat.com/errata/RHSA-2013-1455.html)\n- [Secunia Advisory](http://secunia.com/advisories/45791)\n- [Secunia Advisory](http://secunia.com/advisories/47998)\n- [Secunia Advisory](http://secunia.com/advisories/48256)\n- [Secunia Advisory](http://secunia.com/advisories/48692)\n- [Secunia Advisory](http://secunia.com/advisories/48915)\n- [Secunia Advisory](http://secunia.com/advisories/48948)\n- [Secunia Advisory](http://secunia.com/advisories/49198)\n- [Secunia Advisory](http://secunia.com/advisories/55322)\n- [Secunia Advisory](http://secunia.com/advisories/55350)\n- [Secunia Advisory](http://secunia.com/advisories/55351)\n- [Security Focus](http://www.securityfocus.com/bid/49388)\n- [Security Focus](http://www.securityfocus.com/bid/49778)\n- [Security Tracker](http://www.securitytracker.com/id?1025997)\n- [Security Tracker](http://www.securitytracker.com/id?1026103)\n- [Security Tracker](http://www.securitytracker.com/id?1026704)\n- [Security Tracker](http://www.securitytracker.com/id/1029190)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html)\n- [SUSE](https://hermes.opensuse.org/messages/13154861)\n- [SUSE](https://hermes.opensuse.org/messages/13155432)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2011-3389)\n- [Ubuntu Security Advisory](http://www.ubuntu.com/usn/USN-1263-1)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-20", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-JBIGKIT-1549085", + "shortDescription": { + "text": "Low severity - Out-of-Bounds vulnerability in jbigkit" + }, + "fullDescription": { + "text": "(CVE-2017-9937) jbigkit/libjbig0@2.1-6.1" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `jbigkit` package and not the `jbigkit` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nIn LibTIFF 4.0.8, there is a memory malloc failure in tif_jbig.c. A crafted TIFF document can lead to an abort resulting in a remote denial of service attack.\n## Remediation\nThere is no fixed version for `Debian:12` `jbigkit`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2017-9937)\n- [MISC](http://bugzilla.maptools.org/show_bug.cgi?id=2707)\n- [MLIST](https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E)\n- [Security Focus](http://www.securityfocus.com/bid/99304)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-9937)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-119", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-KRB5-1549480", + "shortDescription": { + "text": "Low severity - Integer Overflow or Wraparound vulnerability in krb5" + }, + "fullDescription": { + "text": "(CVE-2018-5709) krb5/libkrb5support0@1.20.1-2" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `krb5` package and not the `krb5` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nAn issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.\n## Remediation\nThere is no fixed version for `Debian:12` `krb5`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2018-5709)\n- [CVE Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5709)\n- [GitHub Additional Information](https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow)\n- [MLIST](https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-5709)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-190", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-KRB5-5825659", + "shortDescription": { + "text": "Low severity - Access of Uninitialized Pointer vulnerability in krb5" + }, + "fullDescription": { + "text": "(CVE-2023-36054) krb5/libkrb5support0@1.20.1-2" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `krb5` package and not the `krb5` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nlib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.\n## Remediation\nThere is no fixed version for `Debian:12` `krb5`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-36054)\n- [cve@mitre.org](https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd)\n- [cve@mitre.org](https://github.com/krb5/krb5/compare/krb5-1.20.1-final...krb5-1.20.2-final)\n- [cve@mitre.org](https://github.com/krb5/krb5/compare/krb5-1.21-final...krb5-1.21.1-final)\n- [cve@mitre.org](https://web.mit.edu/kerberos/www/advisories/)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-824", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-LIBDE265-3361563", + "shortDescription": { + "text": "Low severity - Out-of-bounds Write vulnerability in libde265" + }, + "fullDescription": { + "text": "(CVE-2023-27103) libde265/libde265-0@1.0.11-1" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `libde265` package and not the `libde265` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nLibde265 v1.0.11 was discovered to contain a heap buffer overflow via the function derive_collocated_motion_vectors at motion.cc.\n## Remediation\nThere is no fixed version for `Debian:12` `libde265`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-27103)\n- [cve@mitre.org](https://github.com/strukturag/libde265/issues/394)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-787", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-LIBDE265-3361567", + "shortDescription": { + "text": "Low severity - NULL Pointer Dereference vulnerability in libde265" + }, + "fullDescription": { + "text": "(CVE-2023-27102) libde265/libde265-0@1.0.11-1" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `libde265` package and not the `libde265` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nLibde265 v1.0.11 was discovered to contain a segmentation violation via the function decoder_context::process_slice_segment_header at decctx.cc.\n## Remediation\nThere is no fixed version for `Debian:12` `libde265`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-27102)\n- [cve@mitre.org](https://github.com/strukturag/libde265/issues/393)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-476", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-LIBGCRYPT20-1550206", + "shortDescription": { + "text": "Low severity - Use of a Broken or Risky Cryptographic Algorithm vulnerability in libgcrypt20" + }, + "fullDescription": { + "text": "(CVE-2018-6829) libgcrypt20@1.10.1-3" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `libgcrypt20` package and not the `libgcrypt20` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\ncipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.\n## Remediation\nThere is no fixed version for `Debian:12` `libgcrypt20`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2018-6829)\n- [MISC](https://github.com/weikengchen/attack-on-libgcrypt-elgamal)\n- [MISC](https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki)\n- [MISC](https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-327", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-LIBHEIF-5498469", + "shortDescription": { + "text": "Low severity - Divide By Zero vulnerability in libheif" + }, + "fullDescription": { + "text": "(CVE-2023-29659) libheif/libheif1@1.15.1-1" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `libheif` package and not the `libheif` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nA Segmentation fault caused by a floating point exception exists in libheif 1.15.1 using crafted heif images via the heif::Fraction::round() function in box.cc, which causes a denial of service.\n## Remediation\nThere is no fixed version for `Debian:12` `libheif`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-29659)\n- [cve@mitre.org](https://github.com/strukturag/libheif/issues/794)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKAE6NQBA3Q7GS6VTNDZRZZZVPPEFUEZ/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LGKHDCS4HRZE3UGXYYDYPTIPNIBRLQ5L/)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-369", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-LIBPNG16-2363910", + "shortDescription": { + "text": "Low severity - Buffer Overflow vulnerability in libpng1.6" + }, + "fullDescription": { + "text": "(CVE-2021-4214) libpng1.6/libpng16-16@1.6.39-2" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `libpng1.6` package and not the `libpng1.6` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nA heap overflow flaw was found in libpngs' pngimage.c program. This flaw allows an attacker with local network access to pass a specially crafted PNG file to the pngimage utility, causing an application to crash, leading to a denial of service.\n## Remediation\nThere is no fixed version for `Debian:12` `libpng1.6`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2021-4214)\n- [secalert@redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=2043393)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2021-4214)\n- [secalert@redhat.com](https://github.com/glennrp/libpng/issues/302)\n- [secalert@redhat.com](https://security.netapp.com/advisory/ntap-20221020-0001/)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-120", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-LIBXSLT-1551290", + "shortDescription": { + "text": "Low severity - Use of Insufficiently Random Values vulnerability in libxslt" + }, + "fullDescription": { + "text": "(CVE-2015-9019) libxslt/libxslt1.1@1.1.35-1" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `libxslt` package and not the `libxslt` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nIn libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs.\n## Remediation\nThere is no fixed version for `Debian:12` `libxslt`.\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2015-9019)\n- [https://bugzilla.gnome.org/show_bug.cgi?id=758400](https://bugzilla.gnome.org/show_bug.cgi?id=758400)\n- [https://bugzilla.suse.com/show_bug.cgi?id=934119](https://bugzilla.suse.com/show_bug.cgi?id=934119)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2015-9019)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-330", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-NGINX-1554675", + "shortDescription": { + "text": "Low severity - CVE-2009-4487 vulnerability in nginx" + }, + "fullDescription": { + "text": "(CVE-2009-4487) nginx@1.25.2-1~bookworm" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `nginx` package and not the `nginx` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nnginx 0.7.64 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.\n## Remediation\nThere is no fixed version for `Debian:12` `nginx`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2009-4487)\n- [BUGTRAQ](http://www.securityfocus.com/archive/1/508830/100/0/threaded)\n- [MISC](http://www.ush.it/team/ush/hack_httpd_escape/adv.txt)\n- [Security Focus](http://www.securityfocus.com/bid/37711)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-NGINX-1555042", + "shortDescription": { + "text": "Low severity - Access Restriction Bypass vulnerability in nginx" + }, + "fullDescription": { + "text": "(CVE-2013-0337) nginx@1.25.2-1~bookworm" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `nginx` package and not the `nginx` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nThe default configuration of nginx, possibly 1.3.13 and earlier, uses world-readable permissions for the (1) access.log and (2) error.log files, which allows local users to obtain sensitive information by reading the files.\n## Remediation\nThere is no fixed version for `Debian:12` `nginx`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2013-0337)\n- [Gentoo Security Advisory](http://security.gentoo.org/glsa/glsa-201310-04.xml)\n- [OSS security Advisory](http://www.openwall.com/lists/oss-security/2013/02/21/15)\n- [OSS security Advisory](http://www.openwall.com/lists/oss-security/2013/02/22/1)\n- [OSS security Advisory](http://www.openwall.com/lists/oss-security/2013/02/24/1)\n- [Secunia Advisory](http://secunia.com/advisories/55181)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-264", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-OPENLDAP-1555631", + "shortDescription": { + "text": "Low severity - Improper Initialization vulnerability in openldap" + }, + "fullDescription": { + "text": "(CVE-2017-14159) openldap/libldap-2.5-0@2.5.13+dfsg-5" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openldap` package and not the `openldap` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nslapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill `cat /pathname`" command, as demonstrated by openldap-initscript.\n## Remediation\nThere is no fixed version for `Debian:12` `openldap`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2017-14159)\n- [CVE Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14159)\n- [MISC](http://www.openldap.org/its/index.cgi?findid=8703)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-14159)\n- [cve@mitre.org](https://www.oracle.com/security-alerts/cpuapr2022.html)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-665", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-OPENLDAP-1555724", + "shortDescription": { + "text": "Low severity - Out-of-Bounds vulnerability in openldap" + }, + "fullDescription": { + "text": "(CVE-2017-17740) openldap/libldap-2.5-0@2.5.13+dfsg-5" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openldap` package and not the `openldap` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\ncontrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation.\n## Remediation\nThere is no fixed version for `Debian:12` `openldap`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2017-17740)\n- [CVE Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17740)\n- [MISC](http://www.openldap.org/its/index.cgi/Incoming?id=8759)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00053.html)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00058.html)\n- [cve@mitre.org](https://kc.mcafee.com/corporate/index?page=content&id=SB10365)\n- [cve@mitre.org](https://www.oracle.com/security-alerts/cpuapr2022.html)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-119", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-OPENLDAP-1555918", + "shortDescription": { + "text": "Low severity - Improper Certificate Validation vulnerability in openldap" + }, + "fullDescription": { + "text": "(CVE-2020-15719) openldap/libldap-2.5-0@2.5.13+dfsg-5" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openldap` package and not the `openldap` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nlibldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.\n## Remediation\nThere is no fixed version for `Debian:12` `openldap`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2020-15719)\n- [MISC](https://access.redhat.com/errata/RHBA-2019:3674)\n- [MISC](https://bugs.openldap.org/show_bug.cgi?id=9266)\n- [MISC](https://bugzilla.redhat.com/show_bug.cgi?id=1740070)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00033.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00059.html)\n- [cve@mitre.org](https://kc.mcafee.com/corporate/index?page=content&id=SB10365)\n- [cve@mitre.org](https://www.oracle.com/security-alerts/cpuapr2022.html)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-295", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-OPENLDAP-1555941", + "shortDescription": { + "text": "Low severity - Cryptographic Issues vulnerability in openldap" + }, + "fullDescription": { + "text": "(CVE-2015-3276) openldap/libldap-2.5-0@2.5.13+dfsg-5" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openldap` package and not the `openldap` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nThe nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors.\n## Remediation\nThere is no fixed version for `Debian:12` `openldap`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2015-3276)\n- [Oracle Security Bulletin](http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1238322)\n- [RedHat Security Advisory](http://rhn.redhat.com/errata/RHSA-2015-2131.html)\n- [Security Tracker](http://www.securitytracker.com/id/1034221)\n- [secalert@redhat.com](https://access.redhat.com/errata/RHSA-2015:2131)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2015-3276)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-310", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-OPENLDAP-5660620", + "shortDescription": { + "text": "Low severity - NULL Pointer Dereference vulnerability in openldap" + }, + "fullDescription": { + "text": "(CVE-2023-2953) openldap/libldap-2.5-0@2.5.13+dfsg-5" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openldap` package and not the `openldap` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nA vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function.\n## Remediation\nThere is no fixed version for `Debian:12` `openldap`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-2953)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2023-2953)\n- [secalert@redhat.com](https://bugs.openldap.org/show_bug.cgi?id=9904)\n- [secalert@redhat.com](https://security.netapp.com/advisory/ntap-20230703-0005/)\n- [secalert@redhat.com](https://support.apple.com/kb/HT213843)\n- [secalert@redhat.com](https://support.apple.com/kb/HT213844)\n- [secalert@redhat.com](https://support.apple.com/kb/HT213845)\n- [secalert@redhat.com](http://seclists.org/fulldisclosure/2023/Jul/47)\n- [secalert@redhat.com](http://seclists.org/fulldisclosure/2023/Jul/48)\n- [secalert@redhat.com](http://seclists.org/fulldisclosure/2023/Jul/52)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-476", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-OPENSSL-1555825", + "shortDescription": { + "text": "Low severity - Cryptographic Issues vulnerability in openssl" + }, + "fullDescription": { + "text": "(CVE-2007-6755) openssl/libssl3@3.0.9-1" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nThe NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain "skeleton key" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.\n## Remediation\nThere is no fixed version for `Debian:12` `openssl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2007-6755)\n- [http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/](http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/)\n- [http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html](http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html)\n- [http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html](http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html)\n- [http://rump2007.cr.yp.to/15-shumow.pdf](http://rump2007.cr.yp.to/15-shumow.pdf)\n- [http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/](http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/)\n- [https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html](https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html)\n- [http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect](http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect)\n- [Security Focus](http://www.securityfocus.com/bid/63657)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-310", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-OPENSSL-1555907", + "shortDescription": { + "text": "Low severity - Cryptographic Issues vulnerability in openssl" + }, + "fullDescription": { + "text": "(CVE-2010-0928) openssl/libssl3@3.0.9-1" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nOpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."\n## Remediation\nThere is no fixed version for `Debian:12` `openssl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2010-0928)\n- [http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/](http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/)\n- [http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf](http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf)\n- [http://www.networkworld.com/news/2010/030410-rsa-security-attack.html](http://www.networkworld.com/news/2010/030410-rsa-security-attack.html)\n- [http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/](http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/)\n- [http://xforce.iss.net/xforce/xfdb/56750](http://xforce.iss.net/xforce/xfdb/56750)\n- [X-force Vulnerability Report](https://exchange.xforce.ibmcloud.com/vulnerabilities/56750)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-310", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-OPENSSL-5776700", + "shortDescription": { + "text": "Low severity - Improper Authentication vulnerability in openssl" + }, + "fullDescription": { + "text": "(CVE-2023-2975) openssl/libssl3@3.0.9-1" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nIssue summary: The AES-SIV cipher implementation contains a bug that causes\nit to ignore empty associated data entries which are unauthenticated as\na consequence.\n\nImpact summary: Applications that use the AES-SIV algorithm and want to\nauthenticate empty data entries as associated data can be mislead by removing\nadding or reordering such empty entries as these are ignored by the OpenSSL\nimplementation. We are currently unaware of any such applications.\n\nThe AES-SIV algorithm allows for authentication of multiple associated\ndata entries along with the encryption. To authenticate empty data the\napplication has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with\nNULL pointer as the output buffer and 0 as the input buffer length.\nThe AES-SIV implementation in OpenSSL just returns success for such a call\ninstead of performing the associated data authentication operation.\nThe empty data thus will not be authenticated.\n\nAs this issue does not affect non-empty associated data authentication and\nwe expect it to be rare for an application to use empty associated data\nentries this is qualified as Low severity issue.\n## Remediation\nThere is no fixed version for `Debian:12` `openssl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-2975)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=00e2f5eea29994d19293ec4e8c8775ba73678598)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20230714.txt)\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/07/15/1)\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/07/19/5)\n- [openssl-security@openssl.org](https://security.netapp.com/advisory/ntap-20230725-0004/)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-287", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-OPENSSL-5788322", + "shortDescription": { + "text": "Low severity - Inefficient Regular Expression Complexity vulnerability in openssl" + }, + "fullDescription": { + "text": "(CVE-2023-3446) openssl/libssl3@3.0.9-1" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nIssue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\n\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n## Remediation\nThere is no fixed version for `Debian:12` `openssl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-3446)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20230719.txt)\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/07/19/4)\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/07/19/5)\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/07/19/6)\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/07/31/1)\n- [openssl-security@openssl.org](https://security.netapp.com/advisory/ntap-20230803-0011/)\n- [openssl-security@openssl.org](https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-1333", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-OPENSSL-5812633", + "shortDescription": { + "text": "Low severity - Excessive Iteration vulnerability in openssl" + }, + "fullDescription": { + "text": "(CVE-2023-3817) openssl/libssl3@3.0.9-1" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `openssl` package and not the `openssl` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nIssue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the "-check" option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n## Remediation\nThere is no fixed version for `Debian:12` `openssl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-3817)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=869ad69aadd985c7b8ca6f4e5dd0eb274c9f3644)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f)\n- [openssl-security@openssl.org](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5)\n- [openssl-security@openssl.org](https://www.openssl.org/news/secadv/20230731.txt)\n- [openssl-security@openssl.org](http://www.openwall.com/lists/oss-security/2023/07/31/1)\n- [openssl-security@openssl.org](http://seclists.org/fulldisclosure/2023/Jul/43)\n- [openssl-security@openssl.org](https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-834", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-PERL-1556505", + "shortDescription": { + "text": "Low severity - Link Following vulnerability in perl" + }, + "fullDescription": { + "text": "(CVE-2011-4116) perl/perl-base@5.36.0-7" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `perl` package and not the `perl` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\n_is_safe in the File::Temp module for Perl does not properly handle symlinks.\n## Remediation\nThere is no fixed version for `Debian:12` `perl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2011-4116)\n- [GitHub Issue](https://github.com/Perl-Toolchain-Gang/File-Temp/issues/14)\n- [MISC](https://rt.cpan.org/Public/Bug/Display.html?id=69106)\n- [Oss-Sec Mailing List](https://seclists.org/oss-sec/2011/q4/238)\n- [OSS security Advisory](http://www.openwall.com/lists/oss-security/2011/11/04/2)\n- [OSS security Advisory](http://www.openwall.com/lists/oss-security/2011/11/04/4)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-59", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-PERL-5489184", + "shortDescription": { + "text": "Low severity - Improper Certificate Validation vulnerability in perl" + }, + "fullDescription": { + "text": "(CVE-2023-31486) perl/perl-base@5.36.0-7" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `perl` package and not the `perl` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nHTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.\n## Remediation\nThere is no fixed version for `Debian:12` `perl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-31486)\n- [cve@mitre.org](https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/)\n- [cve@mitre.org](https://hackeriet.github.io/cpan-http-tiny-overview/)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/04/18/14)\n- [cve@mitre.org](https://www.reddit.com/r/perl/comments/111tadi/psa_httptiny_disabled_ssl_verification_by_default/)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/04/29/1)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/05/03/3)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/05/03/5)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/05/03/4)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/05/07/2)\n- [cve@mitre.org](https://github.com/chansen/p5-http-tiny/pull/153)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-295", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-PERL-5489190", + "shortDescription": { + "text": "Low severity - Improper Certificate Validation vulnerability in perl" + }, + "fullDescription": { + "text": "(CVE-2023-31484) perl/perl-base@5.36.0-7" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `perl` package and not the `perl` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nCPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.\n## Remediation\nThere is no fixed version for `Debian:12` `perl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-31484)\n- [cve@mitre.org](https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/)\n- [cve@mitre.org](https://github.com/andk/cpanpm/pull/175)\n- [cve@mitre.org](https://metacpan.org/dist/CPAN/changes)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/04/18/14)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/04/29/1)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/05/03/3)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/05/03/5)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/05/07/2)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-295", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-SHADOW-1559391", + "shortDescription": { + "text": "Low severity - Access Restriction Bypass vulnerability in shadow" + }, + "fullDescription": { + "text": "(CVE-2007-5686) shadow/passwd@1:4.13+dfsg1-1+b1" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `shadow` package and not the `shadow` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\ninitscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.\n## Remediation\nThere is no fixed version for `Debian:12` `shadow`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2007-5686)\n- [BUGTRAQ](http://www.securityfocus.com/archive/1/482129/100/100/threaded)\n- [BUGTRAQ](http://www.securityfocus.com/archive/1/482857/100/0/threaded)\n- [CONFIRM](https://issues.rpath.com/browse/RPL-1825)\n- [Secunia Advisory](http://secunia.com/advisories/27215)\n- [Security Focus](http://www.securityfocus.com/bid/26048)\n- [VUPEN](http://www.vupen.com/english/advisories/2007/3474)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-264", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-SHADOW-1559403", + "shortDescription": { + "text": "Low severity - Incorrect Permission Assignment for Critical Resource vulnerability in shadow" + }, + "fullDescription": { + "text": "(CVE-2019-19882) shadow/passwd@1:4.13+dfsg1-1+b1" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `shadow` package and not the `shadow` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nshadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).\n## Remediation\nThere is no fixed version for `Debian:12` `shadow`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2019-19882)\n- [GENTOO](https://security.gentoo.org/glsa/202008-09)\n- [GitHub Commit](https://github.com/shadow-maint/shadow/commit/edf7547ad5aa650be868cf2dac58944773c12d75)\n- [GitHub PR](https://github.com/shadow-maint/shadow/pull/199)\n- [GitHub PR](https://github.com/void-linux/void-packages/pull/17580)\n- [MISC](https://bugs.archlinux.org/task/64836)\n- [MISC](https://bugs.gentoo.org/702252)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-732", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-SHADOW-3310897", + "shortDescription": { + "text": "Low severity - NULL Pointer Dereference vulnerability in shadow" + }, + "fullDescription": { + "text": "(CVE-2023-0634) shadow/passwd@1:4.13+dfsg1-1+b1" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `shadow` package and not the `shadow` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\n** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.\n## Remediation\nThere is no fixed version for `Debian:12` `shadow`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-0634)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2023-0634)\n- [secalert@redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=2166544)\n- [secalert@redhat.com](https://codeql.github.com/codeql-query-help/cpp/cpp-uncontrolled-process-operation/)\n- [secalert@redhat.com](https://github.com/shadow-maint/shadow/pull/642)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-476", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-SHADOW-5423923", + "shortDescription": { + "text": "Low severity - Arbitrary Code Injection vulnerability in shadow" + }, + "fullDescription": { + "text": "(CVE-2023-29383) shadow/passwd@1:4.13+dfsg1-1+b1" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `shadow` package and not the `shadow` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nIn Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.\n## Remediation\nThere is no fixed version for `Debian:12` `shadow`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-29383)\n- [cve@mitre.org](https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d)\n- [cve@mitre.org](https://github.com/shadow-maint/shadow/pull/687)\n- [cve@mitre.org](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/)\n- [cve@mitre.org](https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-74", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-SYSTEMD-1560739", + "shortDescription": { + "text": "Low severity - Link Following vulnerability in systemd" + }, + "fullDescription": { + "text": "(CVE-2013-4392) systemd/libsystemd0@252.12-1~deb12u1" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `systemd` package and not the `systemd` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nsystemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.\n## Remediation\nThere is no fixed version for `Debian:12` `systemd`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2013-4392)\n- [Debian Bug Report](http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357)\n- [OSS security Advisory](http://www.openwall.com/lists/oss-security/2013/10/01/9)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=859060)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-59", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-SYSTEMD-5733385", + "shortDescription": { + "text": "Low severity - Improper Validation of Integrity Check Value vulnerability in systemd" + }, + "fullDescription": { + "text": "(CVE-2023-31437) systemd/libsystemd0@252.12-1~deb12u1" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `systemd` package and not the `systemd` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\n** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."\n## Remediation\nThere is no fixed version for `Debian:12` `systemd`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-31437)\n- [cve@mitre.org](https://github.com/kastel-security/Journald)\n- [cve@mitre.org](https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf)\n- [cve@mitre.org](https://github.com/systemd/systemd/releases)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-354", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-SYSTEMD-5733390", + "shortDescription": { + "text": "Low severity - Improper Validation of Integrity Check Value vulnerability in systemd" + }, + "fullDescription": { + "text": "(CVE-2023-31438) systemd/libsystemd0@252.12-1~deb12u1" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `systemd` package and not the `systemd` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\n** DISPUTED ** An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."\n## Remediation\nThere is no fixed version for `Debian:12` `systemd`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-31438)\n- [cve@mitre.org](https://github.com/kastel-security/Journald)\n- [cve@mitre.org](https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf)\n- [cve@mitre.org](https://github.com/systemd/systemd/releases)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-354", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-SYSTEMD-5733398", + "shortDescription": { + "text": "Low severity - Improper Validation of Integrity Check Value vulnerability in systemd" + }, + "fullDescription": { + "text": "(CVE-2023-31439) systemd/libsystemd0@252.12-1~deb12u1" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `systemd` package and not the `systemd` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\n** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."\n## Remediation\nThere is no fixed version for `Debian:12` `systemd`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-31439)\n- [cve@mitre.org](https://github.com/kastel-security/Journald)\n- [cve@mitre.org](https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf)\n- [cve@mitre.org](https://github.com/systemd/systemd/releases)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-354", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-TAR-1560620", + "shortDescription": { + "text": "Low severity - CVE-2005-2541 vulnerability in tar" + }, + "fullDescription": { + "text": "(CVE-2005-2541) tar@1.34+dfsg-1.2" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tar` package and not the `tar` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nTar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.\n## Remediation\nThere is no fixed version for `Debian:12` `tar`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2005-2541)\n- [HP Security Bulletin](http://marc.info/?l=bugtraq&m=112327628230258&w=2)\n- [MLIST](https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c@%3Cissues.guacamole.apache.org%3E)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-TAR-3253526", + "shortDescription": { + "text": "Low severity - Out-of-bounds Read vulnerability in tar" + }, + "fullDescription": { + "text": "(CVE-2022-48303) tar@1.34+dfsg-1.2" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tar` package and not the `tar` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nGNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.\n## Remediation\nThere is no fixed version for `Debian:12` `tar`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2022-48303)\n- [cve@mitre.org](https://savannah.gnu.org/bugs/?62387)\n- [cve@mitre.org](https://savannah.gnu.org/patch/?10307)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CRY7VEL4AIG3GLIEVCTOXRZNSVYDYYUD/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X5VQYCO52Z7GAVCLRYUITN7KXHLRZQS4/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CRY7VEL4AIG3GLIEVCTOXRZNSVYDYYUD/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5VQYCO52Z7GAVCLRYUITN7KXHLRZQS4/)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-125", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-TIFF-1560922", + "shortDescription": { + "text": "Low severity - Missing Release of Resource after Effective Lifetime vulnerability in tiff" + }, + "fullDescription": { + "text": "(CVE-2017-16232) tiff/libtiff6@4.5.0-6" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tiff` package and not the `tiff` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\n** DISPUTED ** LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce the issue.\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2017-16232)\n- [CVE Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16232)\n- [MISC](http://packetstormsecurity.com/files/150896/LibTIFF-4.0.8-Memory-Leak.html)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00036.html)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00041.html)\n- [OSS security Advisory](http://www.openwall.com/lists/oss-security/2017/11/01/11)\n- [OSS security Advisory](http://www.openwall.com/lists/oss-security/2017/11/01/3)\n- [OSS security Advisory](http://www.openwall.com/lists/oss-security/2017/11/01/7)\n- [OSS security Advisory](http://www.openwall.com/lists/oss-security/2017/11/01/8)\n- [Seclists Full Disclosure](http://seclists.org/fulldisclosure/2018/Dec/32)\n- [Seclists Full Disclosure](http://seclists.org/fulldisclosure/2018/Dec/47)\n- [Security Focus](http://www.securityfocus.com/bid/101696)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-772", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-TIFF-1561093", + "shortDescription": { + "text": "Low severity - Out-of-bounds Read vulnerability in tiff" + }, + "fullDescription": { + "text": "(CVE-2017-5563) tiff/libtiff6@4.5.0-6" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tiff` package and not the `tiff` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nLibTIFF version 4.0.7 is vulnerable to a heap-based buffer over-read in tif_lzw.c resulting in DoS or code execution via a crafted bmp image to tools/bmp2tiff.\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2017-5563)\n- [Gentoo Security Advisory](https://security.gentoo.org/glsa/201709-27)\n- [MISC](http://bugzilla.maptools.org/show_bug.cgi?id=2664)\n- [Security Focus](http://www.securityfocus.com/bid/95705)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-5563)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/3606-1/)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-125", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-TIFF-1561130", + "shortDescription": { + "text": "Low severity - Use After Free vulnerability in tiff" + }, + "fullDescription": { + "text": "(CVE-2017-17973) tiff/libtiff6@4.5.0-6" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tiff` package and not the `tiff` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\n** DISPUTED ** In LibTIFF 4.0.8, there is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. NOTE: there is a third-party report of inability to reproduce this issue.\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2017-17973)\n- [http://bugzilla.maptools.org/show_bug.cgi?id=2769](http://bugzilla.maptools.org/show_bug.cgi?id=2769)\n- [https://bugzilla.novell.com/show_bug.cgi?id=1074318](https://bugzilla.novell.com/show_bug.cgi?id=1074318)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1530912)\n- [Security Focus](http://www.securityfocus.com/bid/102331)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-416", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-TIFF-1561402", + "shortDescription": { + "text": "Low severity - NULL Pointer Dereference vulnerability in tiff" + }, + "fullDescription": { + "text": "(CVE-2018-10126) tiff/libtiff6@4.5.0-6" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tiff` package and not the `tiff` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nLibTIFF 4.0.9 has a NULL pointer dereference in the jpeg_fdct_16x16 function in jfdctint.c.\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2018-10126)\n- [MISC](http://bugzilla.maptools.org/show_bug.cgi?id=2786)\n- [MLIST](https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-10126)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-476", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-TIFF-1561632", + "shortDescription": { + "text": "Low severity - Out-of-bounds Read vulnerability in tiff" + }, + "fullDescription": { + "text": "(CVE-2017-9117) tiff/libtiff6@4.5.0-6" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tiff` package and not the `tiff` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nIn LibTIFF 4.0.7, the program processes BMP images without verifying that biWidth and biHeight in the bitmap-information header match the actual input, leading to a heap-based buffer over-read in bmp2tiff.\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2017-9117)\n- [MISC](http://bugzilla.maptools.org/show_bug.cgi?id=2690)\n- [Security Focus](http://www.securityfocus.com/bid/98581)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-9117)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/3606-1/)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-125", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-TIFF-2440572", + "shortDescription": { + "text": "Low severity - Resource Exhaustion vulnerability in tiff" + }, + "fullDescription": { + "text": "(CVE-2022-1210) tiff/libtiff6@4.5.0-6" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tiff` package and not the `tiff` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nA vulnerability classified as problematic was found in LibTIFF 4.3.0. Affected by this vulnerability is the TIFF File Handler of tiff2ps. Opening a malicious file leads to a denial of service. The attack can be launched remotely but requires user interaction. The exploit has been disclosed to the public and may be used.\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2022-1210)\n- [cna@vuldb.com](https://gitlab.com/libtiff/libtiff/uploads/c3da94e53cf1e1e8e6d4d3780dc8c42f/example.tiff)\n- [cna@vuldb.com](https://gitlab.com/libtiff/libtiff/-/issues/402)\n- [cna@vuldb.com](https://vuldb.com/?id.196363)\n- [cna@vuldb.com](https://security.netapp.com/advisory/ntap-20220513-0005/)\n- [cna@vuldb.com](https://security.gentoo.org/glsa/202210-10)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-400", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-TIFF-5416364", + "shortDescription": { + "text": "Low severity - Out-of-bounds Read vulnerability in tiff" + }, + "fullDescription": { + "text": "(CVE-2023-1916) tiff/libtiff6@4.5.0-6" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tiff` package and not the `tiff` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nA flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x.\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-1916)\n- [secalert@redhat.com](https://gitlab.com/libtiff/libtiff/-/issues/536,)\n- [secalert@redhat.com](https://gitlab.com/libtiff/libtiff/-/issues/537)\n- [nvd@nist.gov](https://gitlab.com/libtiff/libtiff/-/issues/536)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-125", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-TIFF-5673710", + "shortDescription": { + "text": "Low severity - CVE-2023-3164 vulnerability in tiff" + }, + "fullDescription": { + "text": "(CVE-2023-3164) tiff/libtiff6@4.5.0-6" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n_This vulnerability has not been analyzed by NVD yet._\n\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-3164)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-TIFF-5724640", + "shortDescription": { + "text": "Low severity - NULL Pointer Dereference vulnerability in tiff" + }, + "fullDescription": { + "text": "(CVE-2023-3316) tiff/libtiff6@4.5.0-6" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tiff` package and not the `tiff` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nA NULL pointer dereference in TIFFClose() is caused by a failure to open an output file (non-existent path or a path that requires permissions like /dev/null) while specifying zones.\n\n\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-3316)\n- [reefs@jfrog.com](https://research.jfrog.com/vulnerabilities/libtiff-nullderef-dos-xray-522144/)\n- [reefs@jfrog.com](https://gitlab.com/libtiff/libtiff/-/issues/515)\n- [reefs@jfrog.com](https://gitlab.com/libtiff/libtiff/-/merge_requests/468)\n- [reefs@jfrog.com](https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-476", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-TIFF-5747599", + "shortDescription": { + "text": "Low severity - Out-of-bounds Write vulnerability in tiff" + }, + "fullDescription": { + "text": "(CVE-2023-26965) tiff/libtiff6@4.5.0-6" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tiff` package and not the `tiff` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nloadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based use after free via a crafted TIFF image.\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-26965)\n- [cve@mitre.org](https://gitlab.com/libtiff/libtiff/-/merge_requests/472)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20230706-0009/)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-787", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-TIFF-5749338", + "shortDescription": { + "text": "Low severity - Buffer Overflow vulnerability in tiff" + }, + "fullDescription": { + "text": "(CVE-2023-26966) tiff/libtiff6@4.5.0-6" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tiff` package and not the `tiff` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nlibtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when libtiff reads a corrupted little-endian TIFF file and specifies the output to be big-endian.\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-26966)\n- [cve@mitre.org](https://gitlab.com/libtiff/libtiff/-/issues/530)\n- [cve@mitre.org](https://gitlab.com/libtiff/libtiff/-/merge_requests/473)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-120", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-TIFF-5750144", + "shortDescription": { + "text": "Low severity - NULL Pointer Dereference vulnerability in tiff" + }, + "fullDescription": { + "text": "(CVE-2023-2908) tiff/libtiff6@4.5.0-6" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tiff` package and not the `tiff` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nA null pointer dereference issue was found in Libtiff's tif_dir.c file. This issue may allow an attacker to pass a crafted TIFF image file to the tiffcp utility which triggers a runtime error that causes undefined behavior. This will result in an application crash, eventually leading to a denial of service.\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-2908)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2023-2908)\n- [secalert@redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=2218830)\n- [secalert@redhat.com](https://gitlab.com/libtiff/libtiff/-/commit/9bd48f0dbd64fb94dc2b5b05238fde0bfdd4ff3f)\n- [secalert@redhat.com](https://gitlab.com/libtiff/libtiff/-/merge_requests/479)\n- [secalert@redhat.com](https://security.netapp.com/advisory/ntap-20230731-0004/)\n- [secalert@redhat.com](https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-476", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-TIFF-5767899", + "shortDescription": { + "text": "Low severity - Buffer Overflow vulnerability in tiff" + }, + "fullDescription": { + "text": "(CVE-2023-25433) tiff/libtiff6@4.5.0-6" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tiff` package and not the `tiff` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nlibtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiffcrop.c:8499. Incorrect updating of buffer size after rotateImage() in tiffcrop cause heap-buffer-overflow and SEGV.\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-25433)\n- [cve@mitre.org](https://gitlab.com/libtiff/libtiff/-/issues/520)\n- [cve@mitre.org](https://gitlab.com/libtiff/libtiff/-/merge_requests/467)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-120", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-TIFF-5773187", + "shortDescription": { + "text": "Low severity - Buffer Overflow vulnerability in tiff" + }, + "fullDescription": { + "text": "(CVE-2023-3618) tiff/libtiff6@4.5.0-6" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tiff` package and not the `tiff` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nA flaw was found in libtiff. A specially crafted tiff file can lead to a segmentation fault due to a buffer overflow in the Fax3Encode function in libtiff/tif_fax3.c, resulting in a denial of service.\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-3618)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2023-3618)\n- [secalert@redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=2215865)\n- [secalert@redhat.com](https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-120", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-TIFF-5804844", + "shortDescription": { + "text": "Low severity - CVE-2023-38288 vulnerability in tiff" + }, + "fullDescription": { + "text": "(CVE-2023-38288) tiff/libtiff6@4.5.0-6" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n_This vulnerability has not been analyzed by NVD yet._\n\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-38288)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-TIFF-5804846", + "shortDescription": { + "text": "Low severity - CVE-2023-38289 vulnerability in tiff" + }, + "fullDescription": { + "text": "(CVE-2023-38289) tiff/libtiff6@4.5.0-6" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n_This vulnerability has not been analyzed by NVD yet._\n\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-38289)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "deb" + ] + } + }, + { + "id": "SNYK-DEBIAN12-UTILLINUX-2401083", + "shortDescription": { + "text": "Low severity - Information Exposure vulnerability in util-linux" + }, + "fullDescription": { + "text": "(CVE-2022-0563) util-linux/libblkid1@2.38.1-5+b1" + }, + "help": { + "text": "", + "markdown": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `util-linux` package and not the `util-linux` package as distributed by `Debian:12`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nA flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.\n## Remediation\nThere is no fixed version for `Debian:12` `util-linux`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2022-0563)\n- [secalert@redhat.com](https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u)\n- [secalert@redhat.com](https://security.netapp.com/advisory/ntap-20220331-0002/)\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "properties": { + "tags": [ + "security", + "CWE-209", + "deb" + ] + } + } + ] + } + }, + "results": [ + { + "ruleId": "SNYK-DEBIAN12-APT-1541449", + "level": "note", + "message": { + "text": "This file introduces a vulnerable apt package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-COREUTILS-1543939", + "level": "note", + "message": { + "text": "This file introduces a vulnerable coreutils package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-COREUTILS-1543947", + "level": "note", + "message": { + "text": "This file introduces a vulnerable coreutils package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-DAV1D-5518047", + "level": "note", + "message": { + "text": "This file introduces a vulnerable dav1d package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-GCC12-2606941", + "level": "note", + "message": { + "text": "This file introduces a vulnerable gcc-12 package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-GLIBC-1546991", + "level": "note", + "message": { + "text": "This file introduces a vulnerable glibc package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-GLIBC-1547039", + "level": "note", + "message": { + "text": "This file introduces a vulnerable glibc package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-GLIBC-1547069", + "level": "note", + "message": { + "text": "This file introduces a vulnerable glibc package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-GLIBC-1547135", + "level": "note", + "message": { + "text": "This file introduces a vulnerable glibc package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-GLIBC-1547196", + "level": "note", + "message": { + "text": "This file introduces a vulnerable glibc package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-GLIBC-1547293", + "level": "note", + "message": { + "text": "This file introduces a vulnerable glibc package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-GLIBC-1547373", + "level": "note", + "message": { + "text": "This file introduces a vulnerable glibc package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-GNUPG2-3330747", + "level": "note", + "message": { + "text": "This file introduces a vulnerable gnupg2 package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-GNUTLS28-1547121", + "level": "note", + "message": { + "text": "This file introduces a vulnerable gnutls28 package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-JBIGKIT-1549085", + "level": "note", + "message": { + "text": "This file introduces a vulnerable jbigkit package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-KRB5-1549480", + "level": "note", + "message": { + "text": "This file introduces a vulnerable krb5 package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-KRB5-5825659", + "level": "note", + "message": { + "text": "This file introduces a vulnerable krb5 package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-LIBDE265-3361563", + "level": "note", + "message": { + "text": "This file introduces a vulnerable libde265 package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-LIBDE265-3361567", + "level": "note", + "message": { + "text": "This file introduces a vulnerable libde265 package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-LIBGCRYPT20-1550206", + "level": "note", + "message": { + "text": "This file introduces a vulnerable libgcrypt20 package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-LIBHEIF-5498469", + "level": "note", + "message": { + "text": "This file introduces a vulnerable libheif package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-LIBPNG16-2363910", + "level": "note", + "message": { + "text": "This file introduces a vulnerable libpng1.6 package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-LIBXSLT-1551290", + "level": "note", + "message": { + "text": "This file introduces a vulnerable libxslt package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-NGINX-1554675", + "level": "note", + "message": { + "text": "This file introduces a vulnerable nginx package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-NGINX-1555042", + "level": "note", + "message": { + "text": "This file introduces a vulnerable nginx package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-OPENLDAP-1555631", + "level": "note", + "message": { + "text": "This file introduces a vulnerable openldap package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-OPENLDAP-1555724", + "level": "note", + "message": { + "text": "This file introduces a vulnerable openldap package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-OPENLDAP-1555918", + "level": "note", + "message": { + "text": "This file introduces a vulnerable openldap package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-OPENLDAP-1555941", + "level": "note", + "message": { + "text": "This file introduces a vulnerable openldap package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-OPENLDAP-5660620", + "level": "note", + "message": { + "text": "This file introduces a vulnerable openldap package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-OPENSSL-1555825", + "level": "note", + "message": { + "text": "This file introduces a vulnerable openssl package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-OPENSSL-1555907", + "level": "note", + "message": { + "text": "This file introduces a vulnerable openssl package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-OPENSSL-5776700", + "level": "note", + "message": { + "text": "This file introduces a vulnerable openssl package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-OPENSSL-5788322", + "level": "note", + "message": { + "text": "This file introduces a vulnerable openssl package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-OPENSSL-5812633", + "level": "note", + "message": { + "text": "This file introduces a vulnerable openssl package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-PERL-1556505", + "level": "note", + "message": { + "text": "This file introduces a vulnerable perl package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-PERL-5489184", + "level": "note", + "message": { + "text": "This file introduces a vulnerable perl package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-PERL-5489190", + "level": "note", + "message": { + "text": "This file introduces a vulnerable perl package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-SHADOW-1559391", + "level": "note", + "message": { + "text": "This file introduces a vulnerable shadow package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-SHADOW-1559403", + "level": "note", + "message": { + "text": "This file introduces a vulnerable shadow package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-SHADOW-3310897", + "level": "note", + "message": { + "text": "This file introduces a vulnerable shadow package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-SHADOW-5423923", + "level": "note", + "message": { + "text": "This file introduces a vulnerable shadow package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-SYSTEMD-1560739", + "level": "note", + "message": { + "text": "This file introduces a vulnerable systemd package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-SYSTEMD-5733385", + "level": "note", + "message": { + "text": "This file introduces a vulnerable systemd package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-SYSTEMD-5733390", + "level": "note", + "message": { + "text": "This file introduces a vulnerable systemd package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-SYSTEMD-5733398", + "level": "note", + "message": { + "text": "This file introduces a vulnerable systemd package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-TAR-1560620", + "level": "note", + "message": { + "text": "This file introduces a vulnerable tar package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-TAR-3253526", + "level": "note", + "message": { + "text": "This file introduces a vulnerable tar package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-TIFF-1560922", + "level": "note", + "message": { + "text": "This file introduces a vulnerable tiff package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-TIFF-1561093", + "level": "note", + "message": { + "text": "This file introduces a vulnerable tiff package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-TIFF-1561130", + "level": "note", + "message": { + "text": "This file introduces a vulnerable tiff package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-TIFF-1561402", + "level": "note", + "message": { + "text": "This file introduces a vulnerable tiff package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-TIFF-1561632", + "level": "note", + "message": { + "text": "This file introduces a vulnerable tiff package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-TIFF-2440572", + "level": "note", + "message": { + "text": "This file introduces a vulnerable tiff package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-TIFF-5416364", + "level": "note", + "message": { + "text": "This file introduces a vulnerable tiff package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-TIFF-5673710", + "level": "note", + "message": { + "text": "This file introduces a vulnerable tiff package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-TIFF-5724640", + "level": "note", + "message": { + "text": "This file introduces a vulnerable tiff package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-TIFF-5747599", + "level": "note", + "message": { + "text": "This file introduces a vulnerable tiff package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-TIFF-5749338", + "level": "note", + "message": { + "text": "This file introduces a vulnerable tiff package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-TIFF-5750144", + "level": "note", + "message": { + "text": "This file introduces a vulnerable tiff package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-TIFF-5767899", + "level": "note", + "message": { + "text": "This file introduces a vulnerable tiff package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-TIFF-5773187", + "level": "note", + "message": { + "text": "This file introduces a vulnerable tiff package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-TIFF-5804844", + "level": "note", + "message": { + "text": "This file introduces a vulnerable tiff package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-TIFF-5804846", + "level": "note", + "message": { + "text": "This file introduces a vulnerable tiff package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + }, + { + "ruleId": "SNYK-DEBIAN12-UTILLINUX-2401083", + "level": "note", + "message": { + "text": "This file introduces a vulnerable util-linux package with a low severity vulnerability." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "nginx@sha256_13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + }, + "region": { + "startLine": 1 + } + } + } + ] + } + ] + }, + { + "tool": { + "driver": { + "name": "Snyk Container", + "rules": [] + } + }, + "results": [] + } + ] +} diff --git a/pkg/ctl/testdata/sarif/nginx-trivy.sarif.json b/pkg/ctl/testdata/sarif/nginx-trivy.sarif.json new file mode 100644 index 0000000..7e7586c --- /dev/null +++ b/pkg/ctl/testdata/sarif/nginx-trivy.sarif.json @@ -0,0 +1,4434 @@ +{ + "version": "2.1.0", + "$schema": "https://json.schemastore.org/sarif-2.1.0.json", + "runs": [ + { + "tool": { + "driver": { + "fullName": "Trivy Vulnerability Scanner", + "informationUri": "https://github.com/aquasecurity/trivy", + "name": "Trivy", + "rules": [ + { + "id": "CVE-2011-3374", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "It was found that apt-key in apt, all versions, do not correctly valid ..." + }, + "fullDescription": { + "text": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2011-3374", + "help": { + "text": "Vulnerability CVE-2011-3374\nSeverity: LOW\nPackage: libapt-pkg6.0\nFixed Version: \nLink: [CVE-2011-3374](https://avd.aquasec.com/nvd/cve-2011-3374)\nIt was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.", + "markdown": "**Vulnerability CVE-2011-3374**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libapt-pkg6.0||[CVE-2011-3374](https://avd.aquasec.com/nvd/cve-2011-3374)|\n\nIt was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2022-0563", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline" + }, + "fullDescription": { + "text": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \u0026#34;INPUTRC\u0026#34; environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2022-0563", + "help": { + "text": "Vulnerability CVE-2022-0563\nSeverity: LOW\nPackage: util-linux-extra\nFixed Version: \nLink: [CVE-2022-0563](https://avd.aquasec.com/nvd/cve-2022-0563)\nA flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", + "markdown": "**Vulnerability CVE-2022-0563**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|util-linux-extra||[CVE-2022-0563](https://avd.aquasec.com/nvd/cve-2022-0563)|\n\nA flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2016-2781", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "coreutils: Non-privileged session can escape to the parent session in chroot" + }, + "fullDescription": { + "text": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal\u0026#39;s input buffer." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2016-2781", + "help": { + "text": "Vulnerability CVE-2016-2781\nSeverity: LOW\nPackage: coreutils\nFixed Version: \nLink: [CVE-2016-2781](https://avd.aquasec.com/nvd/cve-2016-2781)\nchroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", + "markdown": "**Vulnerability CVE-2016-2781**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|coreutils||[CVE-2016-2781](https://avd.aquasec.com/nvd/cve-2016-2781)|\n\nchroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2017-18018", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "coreutils: race condition vulnerability in chown and chgrp" + }, + "fullDescription": { + "text": "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \u0026#34;-R -L\u0026#34; options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2017-18018", + "help": { + "text": "Vulnerability CVE-2017-18018\nSeverity: LOW\nPackage: coreutils\nFixed Version: \nLink: [CVE-2017-18018](https://avd.aquasec.com/nvd/cve-2017-18018)\nIn GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.", + "markdown": "**Vulnerability CVE-2017-18018**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|coreutils||[CVE-2017-18018](https://avd.aquasec.com/nvd/cve-2017-18018)|\n\nIn GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2022-27943", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack exhaustion in demangle_const" + }, + "fullDescription": { + "text": "libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2022-27943", + "help": { + "text": "Vulnerability CVE-2022-27943\nSeverity: LOW\nPackage: libstdc++6\nFixed Version: \nLink: [CVE-2022-27943](https://avd.aquasec.com/nvd/cve-2022-27943)\nlibiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.", + "markdown": "**Vulnerability CVE-2022-27943**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libstdc++6||[CVE-2022-27943](https://avd.aquasec.com/nvd/cve-2022-27943)|\n\nlibiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2022-3219", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "denial of service issue (resource consumption) using compressed packets" + }, + "fullDescription": { + "text": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2022-3219", + "help": { + "text": "Vulnerability CVE-2022-3219\nSeverity: LOW\nPackage: gpgv\nFixed Version: \nLink: [CVE-2022-3219](https://avd.aquasec.com/nvd/cve-2022-3219)\nGnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", + "markdown": "**Vulnerability CVE-2022-3219**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|gpgv||[CVE-2022-3219](https://avd.aquasec.com/nvd/cve-2022-3219)|\n\nGnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2010-4756", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions" + }, + "fullDescription": { + "text": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2010-4756", + "help": { + "text": "Vulnerability CVE-2010-4756\nSeverity: LOW\nPackage: libc6\nFixed Version: \nLink: [CVE-2010-4756](https://avd.aquasec.com/nvd/cve-2010-4756)\nThe glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.", + "markdown": "**Vulnerability CVE-2010-4756**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libc6||[CVE-2010-4756](https://avd.aquasec.com/nvd/cve-2010-4756)|\n\nThe glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2018-20796", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c" + }, + "fullDescription": { + "text": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by \u0026#39;(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+\u0026#39; in grep." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2018-20796", + "help": { + "text": "Vulnerability CVE-2018-20796\nSeverity: LOW\nPackage: libc6\nFixed Version: \nLink: [CVE-2018-20796](https://avd.aquasec.com/nvd/cve-2018-20796)\nIn the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.", + "markdown": "**Vulnerability CVE-2018-20796**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libc6||[CVE-2018-20796](https://avd.aquasec.com/nvd/cve-2018-20796)|\n\nIn the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2019-1010022", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "glibc: stack guard protection bypass" + }, + "fullDescription": { + "text": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \u0026#34;this is being treated as a non-security bug and no real threat.\u0026#34;" + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1010022", + "help": { + "text": "Vulnerability CVE-2019-1010022\nSeverity: LOW\nPackage: libc6\nFixed Version: \nLink: [CVE-2019-1010022](https://avd.aquasec.com/nvd/cve-2019-1010022)\n** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\"", + "markdown": "**Vulnerability CVE-2019-1010022**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libc6||[CVE-2019-1010022](https://avd.aquasec.com/nvd/cve-2019-1010022)|\n\n** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\"" + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2019-1010023", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "glibc: running ldd on malicious ELF leads to code execution because of wrong size computation" + }, + "fullDescription": { + "text": "** DISPUTED ** GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate \u0026#34;this is being treated as a non-security bug and no real threat.\u0026#34;" + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1010023", + "help": { + "text": "Vulnerability CVE-2019-1010023\nSeverity: LOW\nPackage: libc6\nFixed Version: \nLink: [CVE-2019-1010023](https://avd.aquasec.com/nvd/cve-2019-1010023)\n** DISPUTED ** GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\"", + "markdown": "**Vulnerability CVE-2019-1010023**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libc6||[CVE-2019-1010023](https://avd.aquasec.com/nvd/cve-2019-1010023)|\n\n** DISPUTED ** GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\"" + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2019-1010024", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "glibc: ASLR bypass using cache of thread stack and heap" + }, + "fullDescription": { + "text": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate \u0026#34;this is being treated as a non-security bug and no real threat.\u0026#34;" + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1010024", + "help": { + "text": "Vulnerability CVE-2019-1010024\nSeverity: LOW\nPackage: libc6\nFixed Version: \nLink: [CVE-2019-1010024](https://avd.aquasec.com/nvd/cve-2019-1010024)\n** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\"", + "markdown": "**Vulnerability CVE-2019-1010024**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libc6||[CVE-2019-1010024](https://avd.aquasec.com/nvd/cve-2019-1010024)|\n\n** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\"" + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2019-1010025", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "glibc: information disclosure of heap addresses of pthread_created thread" + }, + "fullDescription": { + "text": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor\u0026#39;s position is \u0026#34;ASLR bypass itself is not a vulnerability.\u0026#34;" + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1010025", + "help": { + "text": "Vulnerability CVE-2019-1010025\nSeverity: LOW\nPackage: libc6\nFixed Version: \nLink: [CVE-2019-1010025](https://avd.aquasec.com/nvd/cve-2019-1010025)\n** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.\"", + "markdown": "**Vulnerability CVE-2019-1010025**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libc6||[CVE-2019-1010025](https://avd.aquasec.com/nvd/cve-2019-1010025)|\n\n** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.\"" + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2019-9192", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c" + }, + "fullDescription": { + "text": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by \u0026#39;(|)(\\\\1\\\\1)*\u0026#39; in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2019-9192", + "help": { + "text": "Vulnerability CVE-2019-9192\nSeverity: LOW\nPackage: libc6\nFixed Version: \nLink: [CVE-2019-9192](https://avd.aquasec.com/nvd/cve-2019-9192)\n** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", + "markdown": "**Vulnerability CVE-2019-9192**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libc6||[CVE-2019-9192](https://avd.aquasec.com/nvd/cve-2019-9192)|\n\n** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2023-32570", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "VideoLAN dav1d before 1.2.0 has a thread_task.c race condition that ca ..." + }, + "fullDescription": { + "text": "VideoLAN dav1d before 1.2.0 has a thread_task.c race condition that can lead to an application crash, related to dav1d_decode_frame_exit." + }, + "defaultConfiguration": { + "level": "warning" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2023-32570", + "help": { + "text": "Vulnerability CVE-2023-32570\nSeverity: MEDIUM\nPackage: libdav1d6\nFixed Version: \nLink: [CVE-2023-32570](https://avd.aquasec.com/nvd/cve-2023-32570)\nVideoLAN dav1d before 1.2.0 has a thread_task.c race condition that can lead to an application crash, related to dav1d_decode_frame_exit.", + "markdown": "**Vulnerability CVE-2023-32570**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libdav1d6||[CVE-2023-32570](https://avd.aquasec.com/nvd/cve-2023-32570)|\n\nVideoLAN dav1d before 1.2.0 has a thread_task.c race condition that can lead to an application crash, related to dav1d_decode_frame_exit." + }, + "properties": { + "precision": "very-high", + "security-severity": "5.9", + "tags": [ + "vulnerability", + "security", + "MEDIUM" + ] + } + }, + { + "id": "CVE-2023-27103", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "Libde265 v1.0.11 was discovered to contain a heap buffer overflow via ..." + }, + "fullDescription": { + "text": "Libde265 v1.0.11 was discovered to contain a heap buffer overflow via the function derive_collocated_motion_vectors at motion.cc." + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2023-27103", + "help": { + "text": "Vulnerability CVE-2023-27103\nSeverity: HIGH\nPackage: libde265-0\nFixed Version: \nLink: [CVE-2023-27103](https://avd.aquasec.com/nvd/cve-2023-27103)\nLibde265 v1.0.11 was discovered to contain a heap buffer overflow via the function derive_collocated_motion_vectors at motion.cc.", + "markdown": "**Vulnerability CVE-2023-27103**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|HIGH|libde265-0||[CVE-2023-27103](https://avd.aquasec.com/nvd/cve-2023-27103)|\n\nLibde265 v1.0.11 was discovered to contain a heap buffer overflow via the function derive_collocated_motion_vectors at motion.cc." + }, + "properties": { + "precision": "very-high", + "security-severity": "8.8", + "tags": [ + "vulnerability", + "security", + "HIGH" + ] + } + }, + { + "id": "CVE-2023-27102", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "Libde265 v1.0.11 was discovered to contain a segmentation violation vi ..." + }, + "fullDescription": { + "text": "Libde265 v1.0.11 was discovered to contain a segmentation violation via the function decoder_context::process_slice_segment_header at decctx.cc." + }, + "defaultConfiguration": { + "level": "warning" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2023-27102", + "help": { + "text": "Vulnerability CVE-2023-27102\nSeverity: MEDIUM\nPackage: libde265-0\nFixed Version: \nLink: [CVE-2023-27102](https://avd.aquasec.com/nvd/cve-2023-27102)\nLibde265 v1.0.11 was discovered to contain a segmentation violation via the function decoder_context::process_slice_segment_header at decctx.cc.", + "markdown": "**Vulnerability CVE-2023-27102**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libde265-0||[CVE-2023-27102](https://avd.aquasec.com/nvd/cve-2023-27102)|\n\nLibde265 v1.0.11 was discovered to contain a segmentation violation via the function decoder_context::process_slice_segment_header at decctx.cc." + }, + "properties": { + "precision": "very-high", + "security-severity": "6.5", + "tags": [ + "vulnerability", + "security", + "MEDIUM" + ] + } + }, + { + "id": "CVE-2018-6829", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "libgcrypt: ElGamal implementation doesn\u0026#39;t have semantic security due to incorrectly encoded plaintexts possibly allowing to obtain sensitive information" + }, + "fullDescription": { + "text": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt\u0026#39;s ElGamal implementation." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2018-6829", + "help": { + "text": "Vulnerability CVE-2018-6829\nSeverity: LOW\nPackage: libgcrypt20\nFixed Version: \nLink: [CVE-2018-6829](https://avd.aquasec.com/nvd/cve-2018-6829)\ncipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", + "markdown": "**Vulnerability CVE-2018-6829**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libgcrypt20||[CVE-2018-6829](https://avd.aquasec.com/nvd/cve-2018-6829)|\n\ncipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2011-3389", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)" + }, + "fullDescription": { + "text": "The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a \u0026#34;BEAST\u0026#34; attack." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2011-3389", + "help": { + "text": "Vulnerability CVE-2011-3389\nSeverity: LOW\nPackage: libgnutls30\nFixed Version: \nLink: [CVE-2011-3389](https://avd.aquasec.com/nvd/cve-2011-3389)\nThe SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a \"BEAST\" attack.", + "markdown": "**Vulnerability CVE-2011-3389**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libgnutls30||[CVE-2011-3389](https://avd.aquasec.com/nvd/cve-2011-3389)|\n\nThe SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a \"BEAST\" attack." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2023-36054", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 an ..." + }, + "fullDescription": { + "text": "lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count." + }, + "defaultConfiguration": { + "level": "warning" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2023-36054", + "help": { + "text": "Vulnerability CVE-2023-36054\nSeverity: MEDIUM\nPackage: libkrb5support0\nFixed Version: \nLink: [CVE-2023-36054](https://avd.aquasec.com/nvd/cve-2023-36054)\nlib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.", + "markdown": "**Vulnerability CVE-2023-36054**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libkrb5support0||[CVE-2023-36054](https://avd.aquasec.com/nvd/cve-2023-36054)|\n\nlib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count." + }, + "properties": { + "precision": "very-high", + "security-severity": "6.5", + "tags": [ + "vulnerability", + "security", + "MEDIUM" + ] + } + }, + { + "id": "CVE-2018-5709", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "krb5: integer overflow in dbentry-\u0026gt;n_key_data in kadmin/dbutil/dump.c" + }, + "fullDescription": { + "text": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \u0026#34;dbentry-\u0026gt;n_key_data\u0026#34; in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \u0026#34;u4\u0026#34; variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2018-5709", + "help": { + "text": "Vulnerability CVE-2018-5709\nSeverity: LOW\nPackage: libkrb5support0\nFixed Version: \nLink: [CVE-2018-5709](https://avd.aquasec.com/nvd/cve-2018-5709)\nAn issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry-\u003en_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", + "markdown": "**Vulnerability CVE-2018-5709**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libkrb5support0||[CVE-2018-5709](https://avd.aquasec.com/nvd/cve-2018-5709)|\n\nAn issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry-\u003en_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2023-29659", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "A Segmentation fault caused by a floating point exception exists in li ..." + }, + "fullDescription": { + "text": "A Segmentation fault caused by a floating point exception exists in libheif 1.15.1 using crafted heif images via the heif::Fraction::round() function in box.cc, which causes a denial of service." + }, + "defaultConfiguration": { + "level": "warning" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2023-29659", + "help": { + "text": "Vulnerability CVE-2023-29659\nSeverity: MEDIUM\nPackage: libheif1\nFixed Version: \nLink: [CVE-2023-29659](https://avd.aquasec.com/nvd/cve-2023-29659)\nA Segmentation fault caused by a floating point exception exists in libheif 1.15.1 using crafted heif images via the heif::Fraction::round() function in box.cc, which causes a denial of service.", + "markdown": "**Vulnerability CVE-2023-29659**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libheif1||[CVE-2023-29659](https://avd.aquasec.com/nvd/cve-2023-29659)|\n\nA Segmentation fault caused by a floating point exception exists in libheif 1.15.1 using crafted heif images via the heif::Fraction::round() function in box.cc, which causes a denial of service." + }, + "properties": { + "precision": "very-high", + "security-severity": "6.5", + "tags": [ + "vulnerability", + "security", + "MEDIUM" + ] + } + }, + { + "id": "CVE-2017-9937", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "libtiff: memory malloc failure in tif_jbig.c could cause DOS." + }, + "fullDescription": { + "text": "In LibTIFF 4.0.8, there is a memory malloc failure in tif_jbig.c. A crafted TIFF document can lead to an abort resulting in a remote denial of service attack." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2017-9937", + "help": { + "text": "Vulnerability CVE-2017-9937\nSeverity: LOW\nPackage: libjbig0\nFixed Version: \nLink: [CVE-2017-9937](https://avd.aquasec.com/nvd/cve-2017-9937)\nIn LibTIFF 4.0.8, there is a memory malloc failure in tif_jbig.c. A crafted TIFF document can lead to an abort resulting in a remote denial of service attack.", + "markdown": "**Vulnerability CVE-2017-9937**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libjbig0||[CVE-2017-9937](https://avd.aquasec.com/nvd/cve-2017-9937)|\n\nIn LibTIFF 4.0.8, there is a memory malloc failure in tif_jbig.c. A crafted TIFF document can lead to an abort resulting in a remote denial of service attack." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2023-2953", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "null pointer dereference in ber_memalloc_x function" + }, + "fullDescription": { + "text": "A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function." + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2023-2953", + "help": { + "text": "Vulnerability CVE-2023-2953\nSeverity: HIGH\nPackage: libldap-2.5-0\nFixed Version: \nLink: [CVE-2023-2953](https://avd.aquasec.com/nvd/cve-2023-2953)\nA vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function.", + "markdown": "**Vulnerability CVE-2023-2953**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|HIGH|libldap-2.5-0||[CVE-2023-2953](https://avd.aquasec.com/nvd/cve-2023-2953)|\n\nA vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function." + }, + "properties": { + "precision": "very-high", + "security-severity": "7.5", + "tags": [ + "vulnerability", + "security", + "HIGH" + ] + } + }, + { + "id": "CVE-2015-3276", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "incorrect multi-keyword mode cipherstring parsing" + }, + "fullDescription": { + "text": "The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2015-3276", + "help": { + "text": "Vulnerability CVE-2015-3276\nSeverity: LOW\nPackage: libldap-2.5-0\nFixed Version: \nLink: [CVE-2015-3276](https://avd.aquasec.com/nvd/cve-2015-3276)\nThe nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors.", + "markdown": "**Vulnerability CVE-2015-3276**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libldap-2.5-0||[CVE-2015-3276](https://avd.aquasec.com/nvd/cve-2015-3276)|\n\nThe nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2017-14159", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "openldap: Privilege escalation via PID file manipulation" + }, + "fullDescription": { + "text": "slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a \u0026#34;kill `cat /pathname`\u0026#34; command, as demonstrated by openldap-initscript." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2017-14159", + "help": { + "text": "Vulnerability CVE-2017-14159\nSeverity: LOW\nPackage: libldap-2.5-0\nFixed Version: \nLink: [CVE-2017-14159](https://avd.aquasec.com/nvd/cve-2017-14159)\nslapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a \"kill `cat /pathname`\" command, as demonstrated by openldap-initscript.", + "markdown": "**Vulnerability CVE-2017-14159**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libldap-2.5-0||[CVE-2017-14159](https://avd.aquasec.com/nvd/cve-2017-14159)|\n\nslapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a \"kill `cat /pathname`\" command, as demonstrated by openldap-initscript." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2017-17740", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "openldap: contrib/slapd-modules/nops/nops.c attempts to free stack buffer allowing remote attackers to cause a denial of service" + }, + "fullDescription": { + "text": "contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2017-17740", + "help": { + "text": "Vulnerability CVE-2017-17740\nSeverity: LOW\nPackage: libldap-2.5-0\nFixed Version: \nLink: [CVE-2017-17740](https://avd.aquasec.com/nvd/cve-2017-17740)\ncontrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation.", + "markdown": "**Vulnerability CVE-2017-17740**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libldap-2.5-0||[CVE-2017-17740](https://avd.aquasec.com/nvd/cve-2017-17740)|\n\ncontrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2020-15719", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "openldap: Certificate validation incorrectly matches name against CN-ID" + }, + "fullDescription": { + "text": "libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2020-15719", + "help": { + "text": "Vulnerability CVE-2020-15719\nSeverity: LOW\nPackage: libldap-2.5-0\nFixed Version: \nLink: [CVE-2020-15719](https://avd.aquasec.com/nvd/cve-2020-15719)\nlibldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.", + "markdown": "**Vulnerability CVE-2020-15719**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libldap-2.5-0||[CVE-2020-15719](https://avd.aquasec.com/nvd/cve-2020-15719)|\n\nlibldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2021-4214", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "libpng: hardcoded value leads to heap-overflow" + }, + "fullDescription": { + "text": "A heap overflow flaw was found in libpngs\u0026#39; pngimage.c program. This flaw allows an attacker with local network access to pass a specially crafted PNG file to the pngimage utility, causing an application to crash, leading to a denial of service." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2021-4214", + "help": { + "text": "Vulnerability CVE-2021-4214\nSeverity: LOW\nPackage: libpng16-16\nFixed Version: \nLink: [CVE-2021-4214](https://avd.aquasec.com/nvd/cve-2021-4214)\nA heap overflow flaw was found in libpngs' pngimage.c program. This flaw allows an attacker with local network access to pass a specially crafted PNG file to the pngimage utility, causing an application to crash, leading to a denial of service.", + "markdown": "**Vulnerability CVE-2021-4214**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libpng16-16||[CVE-2021-4214](https://avd.aquasec.com/nvd/cve-2021-4214)|\n\nA heap overflow flaw was found in libpngs' pngimage.c program. This flaw allows an attacker with local network access to pass a specially crafted PNG file to the pngimage utility, causing an application to crash, leading to a denial of service." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2023-2975", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries" + }, + "fullDescription": { + "text": "Issue summary: The AES-SIV cipher implementation contains a bug that causes\nit to ignore empty associated data entries which are unauthenticated as\na consequence.\n\nImpact summary: Applications that use the AES-SIV algorithm and want to\nauthenticate empty data entries as associated data can be mislead by removing\nadding or reordering such empty entries as these are ignored by the OpenSSL\nimplementation. We are currently unaware of any such applications.\n\nThe AES-SIV algorithm allows for authentication of multiple associated\ndata entries along with the encryption. To authenticate empty data the\napplication has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with\nNULL pointer as the output buffer and 0 as the input buffer length.\nThe AES-SIV implementation in OpenSSL just returns success for such a call\ninstead of performing the associated data authentication operation.\nThe empty data thus will not be authenticated.\n\nAs this issue does not affect non-empty associated data authentication and\nwe expect it to be rare for an application to use empty associated data\nentries this is qualified as Low severity issue." + }, + "defaultConfiguration": { + "level": "warning" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2023-2975", + "help": { + "text": "Vulnerability CVE-2023-2975\nSeverity: MEDIUM\nPackage: openssl\nFixed Version: \nLink: [CVE-2023-2975](https://avd.aquasec.com/nvd/cve-2023-2975)\nIssue summary: The AES-SIV cipher implementation contains a bug that causes\nit to ignore empty associated data entries which are unauthenticated as\na consequence.\n\nImpact summary: Applications that use the AES-SIV algorithm and want to\nauthenticate empty data entries as associated data can be mislead by removing\nadding or reordering such empty entries as these are ignored by the OpenSSL\nimplementation. We are currently unaware of any such applications.\n\nThe AES-SIV algorithm allows for authentication of multiple associated\ndata entries along with the encryption. To authenticate empty data the\napplication has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with\nNULL pointer as the output buffer and 0 as the input buffer length.\nThe AES-SIV implementation in OpenSSL just returns success for such a call\ninstead of performing the associated data authentication operation.\nThe empty data thus will not be authenticated.\n\nAs this issue does not affect non-empty associated data authentication and\nwe expect it to be rare for an application to use empty associated data\nentries this is qualified as Low severity issue.", + "markdown": "**Vulnerability CVE-2023-2975**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|openssl||[CVE-2023-2975](https://avd.aquasec.com/nvd/cve-2023-2975)|\n\nIssue summary: The AES-SIV cipher implementation contains a bug that causes\nit to ignore empty associated data entries which are unauthenticated as\na consequence.\n\nImpact summary: Applications that use the AES-SIV algorithm and want to\nauthenticate empty data entries as associated data can be mislead by removing\nadding or reordering such empty entries as these are ignored by the OpenSSL\nimplementation. We are currently unaware of any such applications.\n\nThe AES-SIV algorithm allows for authentication of multiple associated\ndata entries along with the encryption. To authenticate empty data the\napplication has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with\nNULL pointer as the output buffer and 0 as the input buffer length.\nThe AES-SIV implementation in OpenSSL just returns success for such a call\ninstead of performing the associated data authentication operation.\nThe empty data thus will not be authenticated.\n\nAs this issue does not affect non-empty associated data authentication and\nwe expect it to be rare for an application to use empty associated data\nentries this is qualified as Low severity issue." + }, + "properties": { + "precision": "very-high", + "security-severity": "5.3", + "tags": [ + "vulnerability", + "security", + "MEDIUM" + ] + } + }, + { + "id": "CVE-2023-3446", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "Excessive time spent checking DH keys and parameters" + }, + "fullDescription": { + "text": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus (\u0026#39;p\u0026#39; parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\n\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \u0026#39;-check\u0026#39; option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue." + }, + "defaultConfiguration": { + "level": "warning" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2023-3446", + "help": { + "text": "Vulnerability CVE-2023-3446\nSeverity: MEDIUM\nPackage: openssl\nFixed Version: \nLink: [CVE-2023-3446](https://avd.aquasec.com/nvd/cve-2023-3446)\nIssue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\n\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", + "markdown": "**Vulnerability CVE-2023-3446**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|openssl||[CVE-2023-3446](https://avd.aquasec.com/nvd/cve-2023-3446)|\n\nIssue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\n\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue." + }, + "properties": { + "precision": "very-high", + "security-severity": "5.3", + "tags": [ + "vulnerability", + "security", + "MEDIUM" + ] + } + }, + { + "id": "CVE-2023-3817", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "Excessive time spent checking DH q parameter value" + }, + "fullDescription": { + "text": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \u0026#34;-check\u0026#34; option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue." + }, + "defaultConfiguration": { + "level": "warning" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2023-3817", + "help": { + "text": "Vulnerability CVE-2023-3817\nSeverity: MEDIUM\nPackage: openssl\nFixed Version: \nLink: [CVE-2023-3817](https://avd.aquasec.com/nvd/cve-2023-3817)\nIssue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \"-check\" option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", + "markdown": "**Vulnerability CVE-2023-3817**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|openssl||[CVE-2023-3817](https://avd.aquasec.com/nvd/cve-2023-3817)|\n\nIssue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \"-check\" option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue." + }, + "properties": { + "precision": "very-high", + "security-severity": "5.3", + "tags": [ + "vulnerability", + "security", + "MEDIUM" + ] + } + }, + { + "id": "CVE-2007-6755", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "Dual_EC_DRBG: weak pseudo random number generator" + }, + "fullDescription": { + "text": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain \u0026#34;skeleton key\u0026#34; values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2007-6755", + "help": { + "text": "Vulnerability CVE-2007-6755\nSeverity: LOW\nPackage: openssl\nFixed Version: \nLink: [CVE-2007-6755](https://avd.aquasec.com/nvd/cve-2007-6755)\nThe NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain \"skeleton key\" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.", + "markdown": "**Vulnerability CVE-2007-6755**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|openssl||[CVE-2007-6755](https://avd.aquasec.com/nvd/cve-2007-6755)|\n\nThe NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain \"skeleton key\" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2010-0928", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "openssl: RSA authentication weakness" + }, + "fullDescription": { + "text": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \u0026#34;fault-based attack.\u0026#34;" + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2010-0928", + "help": { + "text": "Vulnerability CVE-2010-0928\nSeverity: LOW\nPackage: openssl\nFixed Version: \nLink: [CVE-2010-0928](https://avd.aquasec.com/nvd/cve-2010-0928)\nOpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"", + "markdown": "**Vulnerability CVE-2010-0928**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|openssl||[CVE-2010-0928](https://avd.aquasec.com/nvd/cve-2010-0928)|\n\nOpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"" + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2013-4392", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "TOCTOU race condition when updating file permissions and SELinux security contexts" + }, + "fullDescription": { + "text": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2013-4392", + "help": { + "text": "Vulnerability CVE-2013-4392\nSeverity: LOW\nPackage: libudev1\nFixed Version: \nLink: [CVE-2013-4392](https://avd.aquasec.com/nvd/cve-2013-4392)\nsystemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", + "markdown": "**Vulnerability CVE-2013-4392**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libudev1||[CVE-2013-4392](https://avd.aquasec.com/nvd/cve-2013-4392)|\n\nsystemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2023-31437", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "An issue was discovered in systemd 253. An attacker can modify a seale ..." + }, + "fullDescription": { + "text": "** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent \u0026#34;a reply denying that any of the finding was a security vulnerability.\u0026#34;" + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2023-31437", + "help": { + "text": "Vulnerability CVE-2023-31437\nSeverity: LOW\nPackage: libudev1\nFixed Version: \nLink: [CVE-2023-31437](https://avd.aquasec.com/nvd/cve-2023-31437)\n** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"", + "markdown": "**Vulnerability CVE-2023-31437**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libudev1||[CVE-2023-31437](https://avd.aquasec.com/nvd/cve-2023-31437)|\n\n** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"" + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2023-31438", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "An issue was discovered in systemd 253. An attacker can truncate a sea ..." + }, + "fullDescription": { + "text": "** DISPUTED ** An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \u0026#34;a reply denying that any of the finding was a security vulnerability.\u0026#34;" + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2023-31438", + "help": { + "text": "Vulnerability CVE-2023-31438\nSeverity: LOW\nPackage: libudev1\nFixed Version: \nLink: [CVE-2023-31438](https://avd.aquasec.com/nvd/cve-2023-31438)\n** DISPUTED ** An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"", + "markdown": "**Vulnerability CVE-2023-31438**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libudev1||[CVE-2023-31438](https://avd.aquasec.com/nvd/cve-2023-31438)|\n\n** DISPUTED ** An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"" + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2023-31439", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "An issue was discovered in systemd 253. An attacker can modify the con ..." + }, + "fullDescription": { + "text": "** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \u0026#34;a reply denying that any of the finding was a security vulnerability.\u0026#34;" + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2023-31439", + "help": { + "text": "Vulnerability CVE-2023-31439\nSeverity: LOW\nPackage: libudev1\nFixed Version: \nLink: [CVE-2023-31439](https://avd.aquasec.com/nvd/cve-2023-31439)\n** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"", + "markdown": "**Vulnerability CVE-2023-31439**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libudev1||[CVE-2023-31439](https://avd.aquasec.com/nvd/cve-2023-31439)|\n\n** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent \"a reply denying that any of the finding was a security vulnerability.\"" + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2023-25433", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "Buffer Overflow via /libtiff/tools/tiffcrop.c" + }, + "fullDescription": { + "text": "libtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiffcrop.c:8499. Incorrect updating of buffer size after rotateImage() in tiffcrop cause heap-buffer-overflow and SEGV." + }, + "defaultConfiguration": { + "level": "warning" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2023-25433", + "help": { + "text": "Vulnerability CVE-2023-25433\nSeverity: MEDIUM\nPackage: libtiff6\nFixed Version: \nLink: [CVE-2023-25433](https://avd.aquasec.com/nvd/cve-2023-25433)\nlibtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiffcrop.c:8499. Incorrect updating of buffer size after rotateImage() in tiffcrop cause heap-buffer-overflow and SEGV.", + "markdown": "**Vulnerability CVE-2023-25433**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libtiff6||[CVE-2023-25433](https://avd.aquasec.com/nvd/cve-2023-25433)|\n\nlibtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiffcrop.c:8499. Incorrect updating of buffer size after rotateImage() in tiffcrop cause heap-buffer-overflow and SEGV." + }, + "properties": { + "precision": "very-high", + "security-severity": "5.5", + "tags": [ + "vulnerability", + "security", + "MEDIUM" + ] + } + }, + { + "id": "CVE-2023-26965", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "heap-based use after free via a crafted TIFF image in loadImage() in tiffcrop.c" + }, + "fullDescription": { + "text": "loadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based use after free via a crafted TIFF image." + }, + "defaultConfiguration": { + "level": "warning" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2023-26965", + "help": { + "text": "Vulnerability CVE-2023-26965\nSeverity: MEDIUM\nPackage: libtiff6\nFixed Version: \nLink: [CVE-2023-26965](https://avd.aquasec.com/nvd/cve-2023-26965)\nloadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based use after free via a crafted TIFF image.", + "markdown": "**Vulnerability CVE-2023-26965**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libtiff6||[CVE-2023-26965](https://avd.aquasec.com/nvd/cve-2023-26965)|\n\nloadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based use after free via a crafted TIFF image." + }, + "properties": { + "precision": "very-high", + "security-severity": "5.5", + "tags": [ + "vulnerability", + "security", + "MEDIUM" + ] + } + }, + { + "id": "CVE-2023-26966", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "Buffer Overflow in uv_encode()" + }, + "fullDescription": { + "text": "libtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when libtiff reads a corrupted little-endian TIFF file and specifies the output to be big-endian." + }, + "defaultConfiguration": { + "level": "warning" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2023-26966", + "help": { + "text": "Vulnerability CVE-2023-26966\nSeverity: MEDIUM\nPackage: libtiff6\nFixed Version: \nLink: [CVE-2023-26966](https://avd.aquasec.com/nvd/cve-2023-26966)\nlibtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when libtiff reads a corrupted little-endian TIFF file and specifies the output to be big-endian.", + "markdown": "**Vulnerability CVE-2023-26966**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libtiff6||[CVE-2023-26966](https://avd.aquasec.com/nvd/cve-2023-26966)|\n\nlibtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when libtiff reads a corrupted little-endian TIFF file and specifies the output to be big-endian." + }, + "properties": { + "precision": "very-high", + "security-severity": "5.5", + "tags": [ + "vulnerability", + "security", + "MEDIUM" + ] + } + }, + { + "id": "CVE-2023-2908", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "null pointer dereference in tif_dir.c" + }, + "fullDescription": { + "text": "A null pointer dereference issue was found in Libtiff\u0026#39;s tif_dir.c file. This issue may allow an attacker to pass a crafted TIFF image file to the tiffcp utility which triggers a runtime error that causes undefined behavior. This will result in an application crash, eventually leading to a denial of service." + }, + "defaultConfiguration": { + "level": "warning" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2023-2908", + "help": { + "text": "Vulnerability CVE-2023-2908\nSeverity: MEDIUM\nPackage: libtiff6\nFixed Version: \nLink: [CVE-2023-2908](https://avd.aquasec.com/nvd/cve-2023-2908)\nA null pointer dereference issue was found in Libtiff's tif_dir.c file. This issue may allow an attacker to pass a crafted TIFF image file to the tiffcp utility which triggers a runtime error that causes undefined behavior. This will result in an application crash, eventually leading to a denial of service.", + "markdown": "**Vulnerability CVE-2023-2908**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libtiff6||[CVE-2023-2908](https://avd.aquasec.com/nvd/cve-2023-2908)|\n\nA null pointer dereference issue was found in Libtiff's tif_dir.c file. This issue may allow an attacker to pass a crafted TIFF image file to the tiffcp utility which triggers a runtime error that causes undefined behavior. This will result in an application crash, eventually leading to a denial of service." + }, + "properties": { + "precision": "very-high", + "security-severity": "5.5", + "tags": [ + "vulnerability", + "security", + "MEDIUM" + ] + } + }, + { + "id": "CVE-2023-3316", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "null pointer dereference in TIFFClose()" + }, + "fullDescription": { + "text": "A NULL pointer dereference in TIFFClose() is caused by a failure to open an output file (non-existent path or a path that requires permissions like /dev/null) while specifying zones.\n\n" + }, + "defaultConfiguration": { + "level": "warning" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2023-3316", + "help": { + "text": "Vulnerability CVE-2023-3316\nSeverity: MEDIUM\nPackage: libtiff6\nFixed Version: \nLink: [CVE-2023-3316](https://avd.aquasec.com/nvd/cve-2023-3316)\nA NULL pointer dereference in TIFFClose() is caused by a failure to open an output file (non-existent path or a path that requires permissions like /dev/null) while specifying zones.\n\n", + "markdown": "**Vulnerability CVE-2023-3316**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libtiff6||[CVE-2023-3316](https://avd.aquasec.com/nvd/cve-2023-3316)|\n\nA NULL pointer dereference in TIFFClose() is caused by a failure to open an output file (non-existent path or a path that requires permissions like /dev/null) while specifying zones.\n\n" + }, + "properties": { + "precision": "very-high", + "security-severity": "6.5", + "tags": [ + "vulnerability", + "security", + "MEDIUM" + ] + } + }, + { + "id": "CVE-2023-3618", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "segmentation fault in Fax3Encode in libtiff/tif_fax3.c" + }, + "fullDescription": { + "text": "A flaw was found in libtiff. A specially crafted tiff file can lead to a segmentation fault due to a buffer overflow in the Fax3Encode function in libtiff/tif_fax3.c, resulting in a denial of service." + }, + "defaultConfiguration": { + "level": "warning" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2023-3618", + "help": { + "text": "Vulnerability CVE-2023-3618\nSeverity: MEDIUM\nPackage: libtiff6\nFixed Version: \nLink: [CVE-2023-3618](https://avd.aquasec.com/nvd/cve-2023-3618)\nA flaw was found in libtiff. A specially crafted tiff file can lead to a segmentation fault due to a buffer overflow in the Fax3Encode function in libtiff/tif_fax3.c, resulting in a denial of service.", + "markdown": "**Vulnerability CVE-2023-3618**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libtiff6||[CVE-2023-3618](https://avd.aquasec.com/nvd/cve-2023-3618)|\n\nA flaw was found in libtiff. A specially crafted tiff file can lead to a segmentation fault due to a buffer overflow in the Fax3Encode function in libtiff/tif_fax3.c, resulting in a denial of service." + }, + "properties": { + "precision": "very-high", + "security-severity": "6.5", + "tags": [ + "vulnerability", + "security", + "MEDIUM" + ] + } + }, + { + "id": "CVE-2023-38288", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "potential integer overflow in raw2tiff.c" + }, + "fullDescription": { + "text": "No description is available for this CVE." + }, + "defaultConfiguration": { + "level": "warning" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2023-38288", + "help": { + "text": "Vulnerability CVE-2023-38288\nSeverity: MEDIUM\nPackage: libtiff6\nFixed Version: \nLink: [CVE-2023-38288](https://avd.aquasec.com/nvd/cve-2023-38288)\nNo description is available for this CVE.", + "markdown": "**Vulnerability CVE-2023-38288**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libtiff6||[CVE-2023-38288](https://avd.aquasec.com/nvd/cve-2023-38288)|\n\nNo description is available for this CVE." + }, + "properties": { + "precision": "very-high", + "security-severity": "5.5", + "tags": [ + "vulnerability", + "security", + "MEDIUM" + ] + } + }, + { + "id": "CVE-2023-38289", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "integer overflow in tiffcp.c" + }, + "fullDescription": { + "text": "No description is available for this CVE." + }, + "defaultConfiguration": { + "level": "warning" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2023-38289", + "help": { + "text": "Vulnerability CVE-2023-38289\nSeverity: MEDIUM\nPackage: libtiff6\nFixed Version: \nLink: [CVE-2023-38289](https://avd.aquasec.com/nvd/cve-2023-38289)\nNo description is available for this CVE.", + "markdown": "**Vulnerability CVE-2023-38289**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libtiff6||[CVE-2023-38289](https://avd.aquasec.com/nvd/cve-2023-38289)|\n\nNo description is available for this CVE." + }, + "properties": { + "precision": "very-high", + "security-severity": "5.5", + "tags": [ + "vulnerability", + "security", + "MEDIUM" + ] + } + }, + { + "id": "CVE-2017-16232", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "libtiff: Memory leaks in tif_open.c, tif_lzw.c, and tif_aux.c" + }, + "fullDescription": { + "text": "** DISPUTED ** LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce the issue." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2017-16232", + "help": { + "text": "Vulnerability CVE-2017-16232\nSeverity: LOW\nPackage: libtiff6\nFixed Version: \nLink: [CVE-2017-16232](https://avd.aquasec.com/nvd/cve-2017-16232)\n** DISPUTED ** LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce the issue.", + "markdown": "**Vulnerability CVE-2017-16232**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libtiff6||[CVE-2017-16232](https://avd.aquasec.com/nvd/cve-2017-16232)|\n\n** DISPUTED ** LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce the issue." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2017-17973", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "libtiff: heap-based use after free in tiff2pdf.c:t2p_writeproc" + }, + "fullDescription": { + "text": "** DISPUTED ** In LibTIFF 4.0.8, there is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. NOTE: there is a third-party report of inability to reproduce this issue." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2017-17973", + "help": { + "text": "Vulnerability CVE-2017-17973\nSeverity: LOW\nPackage: libtiff6\nFixed Version: \nLink: [CVE-2017-17973](https://avd.aquasec.com/nvd/cve-2017-17973)\n** DISPUTED ** In LibTIFF 4.0.8, there is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. NOTE: there is a third-party report of inability to reproduce this issue.", + "markdown": "**Vulnerability CVE-2017-17973**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libtiff6||[CVE-2017-17973](https://avd.aquasec.com/nvd/cve-2017-17973)|\n\n** DISPUTED ** In LibTIFF 4.0.8, there is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. NOTE: there is a third-party report of inability to reproduce this issue." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2017-5563", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "libtiff: Heap-buffer overflow in LZWEncode tif_lzw.c" + }, + "fullDescription": { + "text": "LibTIFF version 4.0.7 is vulnerable to a heap-based buffer over-read in tif_lzw.c resulting in DoS or code execution via a crafted bmp image to tools/bmp2tiff." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2017-5563", + "help": { + "text": "Vulnerability CVE-2017-5563\nSeverity: LOW\nPackage: libtiff6\nFixed Version: \nLink: [CVE-2017-5563](https://avd.aquasec.com/nvd/cve-2017-5563)\nLibTIFF version 4.0.7 is vulnerable to a heap-based buffer over-read in tif_lzw.c resulting in DoS or code execution via a crafted bmp image to tools/bmp2tiff.", + "markdown": "**Vulnerability CVE-2017-5563**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libtiff6||[CVE-2017-5563](https://avd.aquasec.com/nvd/cve-2017-5563)|\n\nLibTIFF version 4.0.7 is vulnerable to a heap-based buffer over-read in tif_lzw.c resulting in DoS or code execution via a crafted bmp image to tools/bmp2tiff." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2017-9117", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "libtiff: Heap-based buffer over-read in bmp2tiff" + }, + "fullDescription": { + "text": "In LibTIFF 4.0.7, the program processes BMP images without verifying that biWidth and biHeight in the bitmap-information header match the actual input, leading to a heap-based buffer over-read in bmp2tiff." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2017-9117", + "help": { + "text": "Vulnerability CVE-2017-9117\nSeverity: LOW\nPackage: libtiff6\nFixed Version: \nLink: [CVE-2017-9117](https://avd.aquasec.com/nvd/cve-2017-9117)\nIn LibTIFF 4.0.7, the program processes BMP images without verifying that biWidth and biHeight in the bitmap-information header match the actual input, leading to a heap-based buffer over-read in bmp2tiff.", + "markdown": "**Vulnerability CVE-2017-9117**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libtiff6||[CVE-2017-9117](https://avd.aquasec.com/nvd/cve-2017-9117)|\n\nIn LibTIFF 4.0.7, the program processes BMP images without verifying that biWidth and biHeight in the bitmap-information header match the actual input, leading to a heap-based buffer over-read in bmp2tiff." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2018-10126", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "libtiff: NULL pointer dereference in the jpeg_fdct_16x16 function in jfdctint.c" + }, + "fullDescription": { + "text": "LibTIFF 4.0.9 has a NULL pointer dereference in the jpeg_fdct_16x16 function in jfdctint.c." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2018-10126", + "help": { + "text": "Vulnerability CVE-2018-10126\nSeverity: LOW\nPackage: libtiff6\nFixed Version: \nLink: [CVE-2018-10126](https://avd.aquasec.com/nvd/cve-2018-10126)\nLibTIFF 4.0.9 has a NULL pointer dereference in the jpeg_fdct_16x16 function in jfdctint.c.", + "markdown": "**Vulnerability CVE-2018-10126**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libtiff6||[CVE-2018-10126](https://avd.aquasec.com/nvd/cve-2018-10126)|\n\nLibTIFF 4.0.9 has a NULL pointer dereference in the jpeg_fdct_16x16 function in jfdctint.c." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2022-1210", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "tiff: Malicious file leads to a denial of service in TIFF File Handler" + }, + "fullDescription": { + "text": "A vulnerability classified as problematic was found in LibTIFF 4.3.0. Affected by this vulnerability is the TIFF File Handler of tiff2ps. Opening a malicious file leads to a denial of service. The attack can be launched remotely but requires user interaction. The exploit has been disclosed to the public and may be used." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2022-1210", + "help": { + "text": "Vulnerability CVE-2022-1210\nSeverity: LOW\nPackage: libtiff6\nFixed Version: \nLink: [CVE-2022-1210](https://avd.aquasec.com/nvd/cve-2022-1210)\nA vulnerability classified as problematic was found in LibTIFF 4.3.0. Affected by this vulnerability is the TIFF File Handler of tiff2ps. Opening a malicious file leads to a denial of service. The attack can be launched remotely but requires user interaction. The exploit has been disclosed to the public and may be used.", + "markdown": "**Vulnerability CVE-2022-1210**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libtiff6||[CVE-2022-1210](https://avd.aquasec.com/nvd/cve-2022-1210)|\n\nA vulnerability classified as problematic was found in LibTIFF 4.3.0. Affected by this vulnerability is the TIFF File Handler of tiff2ps. Opening a malicious file leads to a denial of service. The attack can be launched remotely but requires user interaction. The exploit has been disclosed to the public and may be used." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2023-1916", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "out-of-bounds read in extractImageSection() in tools/tiffcrop.c" + }, + "fullDescription": { + "text": "A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2023-1916", + "help": { + "text": "Vulnerability CVE-2023-1916\nSeverity: LOW\nPackage: libtiff6\nFixed Version: \nLink: [CVE-2023-1916](https://avd.aquasec.com/nvd/cve-2023-1916)\nA flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x.", + "markdown": "**Vulnerability CVE-2023-1916**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libtiff6||[CVE-2023-1916](https://avd.aquasec.com/nvd/cve-2023-1916)|\n\nA flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2023-3164", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "heap-buffer-overflow in extractImageSection()" + }, + "fullDescription": { + "text": "A heap-buffer-overflow vulnerability was found in LibTIFF, in extractImageSection() at tools/tiffcrop.c:7916 and tools/tiffcrop.c:7801. This flaw allows attackers to cause a denial of service via a crafted tiff file." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2023-3164", + "help": { + "text": "Vulnerability CVE-2023-3164\nSeverity: LOW\nPackage: libtiff6\nFixed Version: \nLink: [CVE-2023-3164](https://avd.aquasec.com/nvd/cve-2023-3164)\nA heap-buffer-overflow vulnerability was found in LibTIFF, in extractImageSection() at tools/tiffcrop.c:7916 and tools/tiffcrop.c:7801. This flaw allows attackers to cause a denial of service via a crafted tiff file.", + "markdown": "**Vulnerability CVE-2023-3164**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libtiff6||[CVE-2023-3164](https://avd.aquasec.com/nvd/cve-2023-3164)|\n\nA heap-buffer-overflow vulnerability was found in LibTIFF, in extractImageSection() at tools/tiffcrop.c:7916 and tools/tiffcrop.c:7801. This flaw allows attackers to cause a denial of service via a crafted tiff file." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2015-9019", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "libxslt: math.random() in xslt uses unseeded randomness" + }, + "fullDescription": { + "text": "In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2015-9019", + "help": { + "text": "Vulnerability CVE-2015-9019\nSeverity: LOW\nPackage: libxslt1.1\nFixed Version: \nLink: [CVE-2015-9019](https://avd.aquasec.com/nvd/cve-2015-9019)\nIn libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs.", + "markdown": "**Vulnerability CVE-2015-9019**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|libxslt1.1||[CVE-2015-9019](https://avd.aquasec.com/nvd/cve-2015-9019)|\n\nIn libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2007-5686", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "initscripts in rPath Linux 1 sets insecure permissions for the /var/lo ..." + }, + "fullDescription": { + "text": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2007-5686", + "help": { + "text": "Vulnerability CVE-2007-5686\nSeverity: LOW\nPackage: passwd\nFixed Version: \nLink: [CVE-2007-5686](https://avd.aquasec.com/nvd/cve-2007-5686)\ninitscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.", + "markdown": "**Vulnerability CVE-2007-5686**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|passwd||[CVE-2007-5686](https://avd.aquasec.com/nvd/cve-2007-5686)|\n\ninitscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2019-19882", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "shadow-utils: local users can obtain root access because setuid programs are misconfigured" + }, + "fullDescription": { + "text": "shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8)." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2019-19882", + "help": { + "text": "Vulnerability CVE-2019-19882\nSeverity: LOW\nPackage: passwd\nFixed Version: \nLink: [CVE-2019-19882](https://avd.aquasec.com/nvd/cve-2019-19882)\nshadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).", + "markdown": "**Vulnerability CVE-2019-19882**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|passwd||[CVE-2019-19882](https://avd.aquasec.com/nvd/cve-2019-19882)|\n\nshadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8)." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2023-29383", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "Improper input validation in shadow-utils package utility chfn" + }, + "fullDescription": { + "text": "In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that \u0026#34;cat /etc/passwd\u0026#34; shows a rogue user account." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2023-29383", + "help": { + "text": "Vulnerability CVE-2023-29383\nSeverity: LOW\nPackage: passwd\nFixed Version: \nLink: [CVE-2023-29383](https://avd.aquasec.com/nvd/cve-2023-29383)\nIn Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that \"cat /etc/passwd\" shows a rogue user account.", + "markdown": "**Vulnerability CVE-2023-29383**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|passwd||[CVE-2023-29383](https://avd.aquasec.com/nvd/cve-2023-29383)|\n\nIn Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that \"cat /etc/passwd\" shows a rogue user account." + }, + "properties": { + "precision": "very-high", + "security-severity": "3.3", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2009-4487", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "nginx: Absent sanitation of escape sequences in web server log" + }, + "fullDescription": { + "text": "nginx 0.7.64 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window\u0026#39;s title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2009-4487", + "help": { + "text": "Vulnerability CVE-2009-4487\nSeverity: LOW\nPackage: nginx\nFixed Version: \nLink: [CVE-2009-4487](https://avd.aquasec.com/nvd/cve-2009-4487)\nnginx 0.7.64 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.", + "markdown": "**Vulnerability CVE-2009-4487**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|nginx||[CVE-2009-4487](https://avd.aquasec.com/nvd/cve-2009-4487)|\n\nnginx 0.7.64 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2013-0337", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "The default configuration of nginx, possibly 1.3.13 and earlier, uses ..." + }, + "fullDescription": { + "text": "The default configuration of nginx, possibly 1.3.13 and earlier, uses world-readable permissions for the (1) access.log and (2) error.log files, which allows local users to obtain sensitive information by reading the files." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2013-0337", + "help": { + "text": "Vulnerability CVE-2013-0337\nSeverity: LOW\nPackage: nginx\nFixed Version: \nLink: [CVE-2013-0337](https://avd.aquasec.com/nvd/cve-2013-0337)\nThe default configuration of nginx, possibly 1.3.13 and earlier, uses world-readable permissions for the (1) access.log and (2) error.log files, which allows local users to obtain sensitive information by reading the files.", + "markdown": "**Vulnerability CVE-2013-0337**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|nginx||[CVE-2013-0337](https://avd.aquasec.com/nvd/cve-2013-0337)|\n\nThe default configuration of nginx, possibly 1.3.13 and earlier, uses world-readable permissions for the (1) access.log and (2) error.log files, which allows local users to obtain sensitive information by reading the files." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2023-31484", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS" + }, + "fullDescription": { + "text": "CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS." + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2023-31484", + "help": { + "text": "Vulnerability CVE-2023-31484\nSeverity: HIGH\nPackage: perl-base\nFixed Version: \nLink: [CVE-2023-31484](https://avd.aquasec.com/nvd/cve-2023-31484)\nCPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.", + "markdown": "**Vulnerability CVE-2023-31484**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|HIGH|perl-base||[CVE-2023-31484](https://avd.aquasec.com/nvd/cve-2023-31484)|\n\nCPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS." + }, + "properties": { + "precision": "very-high", + "security-severity": "8.1", + "tags": [ + "vulnerability", + "security", + "HIGH" + ] + } + }, + { + "id": "CVE-2011-4116", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "perl: File::Temp insecure temporary file handling" + }, + "fullDescription": { + "text": "_is_safe in the File::Temp module for Perl does not properly handle symlinks." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2011-4116", + "help": { + "text": "Vulnerability CVE-2011-4116\nSeverity: LOW\nPackage: perl-base\nFixed Version: \nLink: [CVE-2011-4116](https://avd.aquasec.com/nvd/cve-2011-4116)\n_is_safe in the File::Temp module for Perl does not properly handle symlinks.", + "markdown": "**Vulnerability CVE-2011-4116**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|perl-base||[CVE-2011-4116](https://avd.aquasec.com/nvd/cve-2011-4116)|\n\n_is_safe in the File::Temp module for Perl does not properly handle symlinks." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2023-31486", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "insecure TLS cert default" + }, + "fullDescription": { + "text": "HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2023-31486", + "help": { + "text": "Vulnerability CVE-2023-31486\nSeverity: LOW\nPackage: perl-base\nFixed Version: \nLink: [CVE-2023-31486](https://avd.aquasec.com/nvd/cve-2023-31486)\nHTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.", + "markdown": "**Vulnerability CVE-2023-31486**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|perl-base||[CVE-2023-31486](https://avd.aquasec.com/nvd/cve-2023-31486)|\n\nHTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2005-2541", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "tar: does not properly warn the user when extracting setuid or setgid files" + }, + "fullDescription": { + "text": "Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2005-2541", + "help": { + "text": "Vulnerability CVE-2005-2541\nSeverity: LOW\nPackage: tar\nFixed Version: \nLink: [CVE-2005-2541](https://avd.aquasec.com/nvd/cve-2005-2541)\nTar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.", + "markdown": "**Vulnerability CVE-2005-2541**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|tar||[CVE-2005-2541](https://avd.aquasec.com/nvd/cve-2005-2541)|\n\nTar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + }, + { + "id": "CVE-2022-48303", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "heap buffer overflow at from_header() in list.c via specially crafted checksum" + }, + "fullDescription": { + "text": "GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters." + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2022-48303", + "help": { + "text": "Vulnerability CVE-2022-48303\nSeverity: LOW\nPackage: tar\nFixed Version: \nLink: [CVE-2022-48303](https://avd.aquasec.com/nvd/cve-2022-48303)\nGNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.", + "markdown": "**Vulnerability CVE-2022-48303**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|tar||[CVE-2022-48303](https://avd.aquasec.com/nvd/cve-2022-48303)|\n\nGNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters." + }, + "properties": { + "precision": "very-high", + "security-severity": "2.0", + "tags": [ + "vulnerability", + "security", + "LOW" + ] + } + } + ], + "version": "0.42.1" + } + }, + "results": [ + { + "ruleId": "CVE-2011-3374", + "ruleIndex": 0, + "level": "note", + "message": { + "text": "Package: apt\nInstalled Version: 2.6.1\nVulnerability CVE-2011-3374\nSeverity: LOW\nFixed Version: \nLink: [CVE-2011-3374](https://avd.aquasec.com/nvd/cve-2011-3374)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: apt@2.6.1" + } + } + ] + }, + { + "ruleId": "CVE-2022-0563", + "ruleIndex": 1, + "level": "note", + "message": { + "text": "Package: bsdutils\nInstalled Version: 1:2.38.1-5+b1\nVulnerability CVE-2022-0563\nSeverity: LOW\nFixed Version: \nLink: [CVE-2022-0563](https://avd.aquasec.com/nvd/cve-2022-0563)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: bsdutils@1:2.38.1-5+b1" + } + } + ] + }, + { + "ruleId": "CVE-2016-2781", + "ruleIndex": 2, + "level": "note", + "message": { + "text": "Package: coreutils\nInstalled Version: 9.1-1\nVulnerability CVE-2016-2781\nSeverity: LOW\nFixed Version: \nLink: [CVE-2016-2781](https://avd.aquasec.com/nvd/cve-2016-2781)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: coreutils@9.1-1" + } + } + ] + }, + { + "ruleId": "CVE-2017-18018", + "ruleIndex": 3, + "level": "note", + "message": { + "text": "Package: coreutils\nInstalled Version: 9.1-1\nVulnerability CVE-2017-18018\nSeverity: LOW\nFixed Version: \nLink: [CVE-2017-18018](https://avd.aquasec.com/nvd/cve-2017-18018)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: coreutils@9.1-1" + } + } + ] + }, + { + "ruleId": "CVE-2022-27943", + "ruleIndex": 4, + "level": "note", + "message": { + "text": "Package: gcc-12-base\nInstalled Version: 12.2.0-14\nVulnerability CVE-2022-27943\nSeverity: LOW\nFixed Version: \nLink: [CVE-2022-27943](https://avd.aquasec.com/nvd/cve-2022-27943)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: gcc-12-base@12.2.0-14" + } + } + ] + }, + { + "ruleId": "CVE-2022-3219", + "ruleIndex": 5, + "level": "note", + "message": { + "text": "Package: gpgv\nInstalled Version: 2.2.40-1.1\nVulnerability CVE-2022-3219\nSeverity: LOW\nFixed Version: \nLink: [CVE-2022-3219](https://avd.aquasec.com/nvd/cve-2022-3219)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: gpgv@2.2.40-1.1" + } + } + ] + }, + { + "ruleId": "CVE-2011-3374", + "ruleIndex": 0, + "level": "note", + "message": { + "text": "Package: libapt-pkg6.0\nInstalled Version: 2.6.1\nVulnerability CVE-2011-3374\nSeverity: LOW\nFixed Version: \nLink: [CVE-2011-3374](https://avd.aquasec.com/nvd/cve-2011-3374)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libapt-pkg6.0@2.6.1" + } + } + ] + }, + { + "ruleId": "CVE-2022-0563", + "ruleIndex": 1, + "level": "note", + "message": { + "text": "Package: libblkid1\nInstalled Version: 2.38.1-5+b1\nVulnerability CVE-2022-0563\nSeverity: LOW\nFixed Version: \nLink: [CVE-2022-0563](https://avd.aquasec.com/nvd/cve-2022-0563)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libblkid1@2.38.1-5+b1" + } + } + ] + }, + { + "ruleId": "CVE-2010-4756", + "ruleIndex": 6, + "level": "note", + "message": { + "text": "Package: libc-bin\nInstalled Version: 2.36-9+deb12u1\nVulnerability CVE-2010-4756\nSeverity: LOW\nFixed Version: \nLink: [CVE-2010-4756](https://avd.aquasec.com/nvd/cve-2010-4756)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libc-bin@2.36-9+deb12u1" + } + } + ] + }, + { + "ruleId": "CVE-2018-20796", + "ruleIndex": 7, + "level": "note", + "message": { + "text": "Package: libc-bin\nInstalled Version: 2.36-9+deb12u1\nVulnerability CVE-2018-20796\nSeverity: LOW\nFixed Version: \nLink: [CVE-2018-20796](https://avd.aquasec.com/nvd/cve-2018-20796)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libc-bin@2.36-9+deb12u1" + } + } + ] + }, + { + "ruleId": "CVE-2019-1010022", + "ruleIndex": 8, + "level": "note", + "message": { + "text": "Package: libc-bin\nInstalled Version: 2.36-9+deb12u1\nVulnerability CVE-2019-1010022\nSeverity: LOW\nFixed Version: \nLink: [CVE-2019-1010022](https://avd.aquasec.com/nvd/cve-2019-1010022)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libc-bin@2.36-9+deb12u1" + } + } + ] + }, + { + "ruleId": "CVE-2019-1010023", + "ruleIndex": 9, + "level": "note", + "message": { + "text": "Package: libc-bin\nInstalled Version: 2.36-9+deb12u1\nVulnerability CVE-2019-1010023\nSeverity: LOW\nFixed Version: \nLink: [CVE-2019-1010023](https://avd.aquasec.com/nvd/cve-2019-1010023)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libc-bin@2.36-9+deb12u1" + } + } + ] + }, + { + "ruleId": "CVE-2019-1010024", + "ruleIndex": 10, + "level": "note", + "message": { + "text": "Package: libc-bin\nInstalled Version: 2.36-9+deb12u1\nVulnerability CVE-2019-1010024\nSeverity: LOW\nFixed Version: \nLink: [CVE-2019-1010024](https://avd.aquasec.com/nvd/cve-2019-1010024)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libc-bin@2.36-9+deb12u1" + } + } + ] + }, + { + "ruleId": "CVE-2019-1010025", + "ruleIndex": 11, + "level": "note", + "message": { + "text": "Package: libc-bin\nInstalled Version: 2.36-9+deb12u1\nVulnerability CVE-2019-1010025\nSeverity: LOW\nFixed Version: \nLink: [CVE-2019-1010025](https://avd.aquasec.com/nvd/cve-2019-1010025)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libc-bin@2.36-9+deb12u1" + } + } + ] + }, + { + "ruleId": "CVE-2019-9192", + "ruleIndex": 12, + "level": "note", + "message": { + "text": "Package: libc-bin\nInstalled Version: 2.36-9+deb12u1\nVulnerability CVE-2019-9192\nSeverity: LOW\nFixed Version: \nLink: [CVE-2019-9192](https://avd.aquasec.com/nvd/cve-2019-9192)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libc-bin@2.36-9+deb12u1" + } + } + ] + }, + { + "ruleId": "CVE-2010-4756", + "ruleIndex": 6, + "level": "note", + "message": { + "text": "Package: libc6\nInstalled Version: 2.36-9+deb12u1\nVulnerability CVE-2010-4756\nSeverity: LOW\nFixed Version: \nLink: [CVE-2010-4756](https://avd.aquasec.com/nvd/cve-2010-4756)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libc6@2.36-9+deb12u1" + } + } + ] + }, + { + "ruleId": "CVE-2018-20796", + "ruleIndex": 7, + "level": "note", + "message": { + "text": "Package: libc6\nInstalled Version: 2.36-9+deb12u1\nVulnerability CVE-2018-20796\nSeverity: LOW\nFixed Version: \nLink: [CVE-2018-20796](https://avd.aquasec.com/nvd/cve-2018-20796)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libc6@2.36-9+deb12u1" + } + } + ] + }, + { + "ruleId": "CVE-2019-1010022", + "ruleIndex": 8, + "level": "note", + "message": { + "text": "Package: libc6\nInstalled Version: 2.36-9+deb12u1\nVulnerability CVE-2019-1010022\nSeverity: LOW\nFixed Version: \nLink: [CVE-2019-1010022](https://avd.aquasec.com/nvd/cve-2019-1010022)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libc6@2.36-9+deb12u1" + } + } + ] + }, + { + "ruleId": "CVE-2019-1010023", + "ruleIndex": 9, + "level": "note", + "message": { + "text": "Package: libc6\nInstalled Version: 2.36-9+deb12u1\nVulnerability CVE-2019-1010023\nSeverity: LOW\nFixed Version: \nLink: [CVE-2019-1010023](https://avd.aquasec.com/nvd/cve-2019-1010023)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libc6@2.36-9+deb12u1" + } + } + ] + }, + { + "ruleId": "CVE-2019-1010024", + "ruleIndex": 10, + "level": "note", + "message": { + "text": "Package: libc6\nInstalled Version: 2.36-9+deb12u1\nVulnerability CVE-2019-1010024\nSeverity: LOW\nFixed Version: \nLink: [CVE-2019-1010024](https://avd.aquasec.com/nvd/cve-2019-1010024)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libc6@2.36-9+deb12u1" + } + } + ] + }, + { + "ruleId": "CVE-2019-1010025", + "ruleIndex": 11, + "level": "note", + "message": { + "text": "Package: libc6\nInstalled Version: 2.36-9+deb12u1\nVulnerability CVE-2019-1010025\nSeverity: LOW\nFixed Version: \nLink: [CVE-2019-1010025](https://avd.aquasec.com/nvd/cve-2019-1010025)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libc6@2.36-9+deb12u1" + } + } + ] + }, + { + "ruleId": "CVE-2019-9192", + "ruleIndex": 12, + "level": "note", + "message": { + "text": "Package: libc6\nInstalled Version: 2.36-9+deb12u1\nVulnerability CVE-2019-9192\nSeverity: LOW\nFixed Version: \nLink: [CVE-2019-9192](https://avd.aquasec.com/nvd/cve-2019-9192)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libc6@2.36-9+deb12u1" + } + } + ] + }, + { + "ruleId": "CVE-2023-32570", + "ruleIndex": 13, + "level": "warning", + "message": { + "text": "Package: libdav1d6\nInstalled Version: 1.0.0-2\nVulnerability CVE-2023-32570\nSeverity: MEDIUM\nFixed Version: \nLink: [CVE-2023-32570](https://avd.aquasec.com/nvd/cve-2023-32570)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libdav1d6@1.0.0-2" + } + } + ] + }, + { + "ruleId": "CVE-2023-27103", + "ruleIndex": 14, + "level": "error", + "message": { + "text": "Package: libde265-0\nInstalled Version: 1.0.11-1\nVulnerability CVE-2023-27103\nSeverity: HIGH\nFixed Version: \nLink: [CVE-2023-27103](https://avd.aquasec.com/nvd/cve-2023-27103)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libde265-0@1.0.11-1" + } + } + ] + }, + { + "ruleId": "CVE-2023-27102", + "ruleIndex": 15, + "level": "warning", + "message": { + "text": "Package: libde265-0\nInstalled Version: 1.0.11-1\nVulnerability CVE-2023-27102\nSeverity: MEDIUM\nFixed Version: \nLink: [CVE-2023-27102](https://avd.aquasec.com/nvd/cve-2023-27102)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libde265-0@1.0.11-1" + } + } + ] + }, + { + "ruleId": "CVE-2022-27943", + "ruleIndex": 4, + "level": "note", + "message": { + "text": "Package: libgcc-s1\nInstalled Version: 12.2.0-14\nVulnerability CVE-2022-27943\nSeverity: LOW\nFixed Version: \nLink: [CVE-2022-27943](https://avd.aquasec.com/nvd/cve-2022-27943)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libgcc-s1@12.2.0-14" + } + } + ] + }, + { + "ruleId": "CVE-2018-6829", + "ruleIndex": 16, + "level": "note", + "message": { + "text": "Package: libgcrypt20\nInstalled Version: 1.10.1-3\nVulnerability CVE-2018-6829\nSeverity: LOW\nFixed Version: \nLink: [CVE-2018-6829](https://avd.aquasec.com/nvd/cve-2018-6829)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libgcrypt20@1.10.1-3" + } + } + ] + }, + { + "ruleId": "CVE-2011-3389", + "ruleIndex": 17, + "level": "note", + "message": { + "text": "Package: libgnutls30\nInstalled Version: 3.7.9-2\nVulnerability CVE-2011-3389\nSeverity: LOW\nFixed Version: \nLink: [CVE-2011-3389](https://avd.aquasec.com/nvd/cve-2011-3389)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libgnutls30@3.7.9-2" + } + } + ] + }, + { + "ruleId": "CVE-2023-36054", + "ruleIndex": 18, + "level": "warning", + "message": { + "text": "Package: libgssapi-krb5-2\nInstalled Version: 1.20.1-2\nVulnerability CVE-2023-36054\nSeverity: MEDIUM\nFixed Version: \nLink: [CVE-2023-36054](https://avd.aquasec.com/nvd/cve-2023-36054)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libgssapi-krb5-2@1.20.1-2" + } + } + ] + }, + { + "ruleId": "CVE-2018-5709", + "ruleIndex": 19, + "level": "note", + "message": { + "text": "Package: libgssapi-krb5-2\nInstalled Version: 1.20.1-2\nVulnerability CVE-2018-5709\nSeverity: LOW\nFixed Version: \nLink: [CVE-2018-5709](https://avd.aquasec.com/nvd/cve-2018-5709)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libgssapi-krb5-2@1.20.1-2" + } + } + ] + }, + { + "ruleId": "CVE-2023-29659", + "ruleIndex": 20, + "level": "warning", + "message": { + "text": "Package: libheif1\nInstalled Version: 1.15.1-1\nVulnerability CVE-2023-29659\nSeverity: MEDIUM\nFixed Version: \nLink: [CVE-2023-29659](https://avd.aquasec.com/nvd/cve-2023-29659)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libheif1@1.15.1-1" + } + } + ] + }, + { + "ruleId": "CVE-2017-9937", + "ruleIndex": 21, + "level": "note", + "message": { + "text": "Package: libjbig0\nInstalled Version: 2.1-6.1\nVulnerability CVE-2017-9937\nSeverity: LOW\nFixed Version: \nLink: [CVE-2017-9937](https://avd.aquasec.com/nvd/cve-2017-9937)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libjbig0@2.1-6.1" + } + } + ] + }, + { + "ruleId": "CVE-2023-36054", + "ruleIndex": 18, + "level": "warning", + "message": { + "text": "Package: libk5crypto3\nInstalled Version: 1.20.1-2\nVulnerability CVE-2023-36054\nSeverity: MEDIUM\nFixed Version: \nLink: [CVE-2023-36054](https://avd.aquasec.com/nvd/cve-2023-36054)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libk5crypto3@1.20.1-2" + } + } + ] + }, + { + "ruleId": "CVE-2018-5709", + "ruleIndex": 19, + "level": "note", + "message": { + "text": "Package: libk5crypto3\nInstalled Version: 1.20.1-2\nVulnerability CVE-2018-5709\nSeverity: LOW\nFixed Version: \nLink: [CVE-2018-5709](https://avd.aquasec.com/nvd/cve-2018-5709)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libk5crypto3@1.20.1-2" + } + } + ] + }, + { + "ruleId": "CVE-2023-36054", + "ruleIndex": 18, + "level": "warning", + "message": { + "text": "Package: libkrb5-3\nInstalled Version: 1.20.1-2\nVulnerability CVE-2023-36054\nSeverity: MEDIUM\nFixed Version: \nLink: [CVE-2023-36054](https://avd.aquasec.com/nvd/cve-2023-36054)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libkrb5-3@1.20.1-2" + } + } + ] + }, + { + "ruleId": "CVE-2018-5709", + "ruleIndex": 19, + "level": "note", + "message": { + "text": "Package: libkrb5-3\nInstalled Version: 1.20.1-2\nVulnerability CVE-2018-5709\nSeverity: LOW\nFixed Version: \nLink: [CVE-2018-5709](https://avd.aquasec.com/nvd/cve-2018-5709)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libkrb5-3@1.20.1-2" + } + } + ] + }, + { + "ruleId": "CVE-2023-36054", + "ruleIndex": 18, + "level": "warning", + "message": { + "text": "Package: libkrb5support0\nInstalled Version: 1.20.1-2\nVulnerability CVE-2023-36054\nSeverity: MEDIUM\nFixed Version: \nLink: [CVE-2023-36054](https://avd.aquasec.com/nvd/cve-2023-36054)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libkrb5support0@1.20.1-2" + } + } + ] + }, + { + "ruleId": "CVE-2018-5709", + "ruleIndex": 19, + "level": "note", + "message": { + "text": "Package: libkrb5support0\nInstalled Version: 1.20.1-2\nVulnerability CVE-2018-5709\nSeverity: LOW\nFixed Version: \nLink: [CVE-2018-5709](https://avd.aquasec.com/nvd/cve-2018-5709)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libkrb5support0@1.20.1-2" + } + } + ] + }, + { + "ruleId": "CVE-2023-2953", + "ruleIndex": 22, + "level": "error", + "message": { + "text": "Package: libldap-2.5-0\nInstalled Version: 2.5.13+dfsg-5\nVulnerability CVE-2023-2953\nSeverity: HIGH\nFixed Version: \nLink: [CVE-2023-2953](https://avd.aquasec.com/nvd/cve-2023-2953)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libldap-2.5-0@2.5.13+dfsg-5" + } + } + ] + }, + { + "ruleId": "CVE-2015-3276", + "ruleIndex": 23, + "level": "note", + "message": { + "text": "Package: libldap-2.5-0\nInstalled Version: 2.5.13+dfsg-5\nVulnerability CVE-2015-3276\nSeverity: LOW\nFixed Version: \nLink: [CVE-2015-3276](https://avd.aquasec.com/nvd/cve-2015-3276)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libldap-2.5-0@2.5.13+dfsg-5" + } + } + ] + }, + { + "ruleId": "CVE-2017-14159", + "ruleIndex": 24, + "level": "note", + "message": { + "text": "Package: libldap-2.5-0\nInstalled Version: 2.5.13+dfsg-5\nVulnerability CVE-2017-14159\nSeverity: LOW\nFixed Version: \nLink: [CVE-2017-14159](https://avd.aquasec.com/nvd/cve-2017-14159)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libldap-2.5-0@2.5.13+dfsg-5" + } + } + ] + }, + { + "ruleId": "CVE-2017-17740", + "ruleIndex": 25, + "level": "note", + "message": { + "text": "Package: libldap-2.5-0\nInstalled Version: 2.5.13+dfsg-5\nVulnerability CVE-2017-17740\nSeverity: LOW\nFixed Version: \nLink: [CVE-2017-17740](https://avd.aquasec.com/nvd/cve-2017-17740)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libldap-2.5-0@2.5.13+dfsg-5" + } + } + ] + }, + { + "ruleId": "CVE-2020-15719", + "ruleIndex": 26, + "level": "note", + "message": { + "text": "Package: libldap-2.5-0\nInstalled Version: 2.5.13+dfsg-5\nVulnerability CVE-2020-15719\nSeverity: LOW\nFixed Version: \nLink: [CVE-2020-15719](https://avd.aquasec.com/nvd/cve-2020-15719)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libldap-2.5-0@2.5.13+dfsg-5" + } + } + ] + }, + { + "ruleId": "CVE-2022-0563", + "ruleIndex": 1, + "level": "note", + "message": { + "text": "Package: libmount1\nInstalled Version: 2.38.1-5+b1\nVulnerability CVE-2022-0563\nSeverity: LOW\nFixed Version: \nLink: [CVE-2022-0563](https://avd.aquasec.com/nvd/cve-2022-0563)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libmount1@2.38.1-5+b1" + } + } + ] + }, + { + "ruleId": "CVE-2021-4214", + "ruleIndex": 27, + "level": "note", + "message": { + "text": "Package: libpng16-16\nInstalled Version: 1.6.39-2\nVulnerability CVE-2021-4214\nSeverity: LOW\nFixed Version: \nLink: [CVE-2021-4214](https://avd.aquasec.com/nvd/cve-2021-4214)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libpng16-16@1.6.39-2" + } + } + ] + }, + { + "ruleId": "CVE-2022-0563", + "ruleIndex": 1, + "level": "note", + "message": { + "text": "Package: libsmartcols1\nInstalled Version: 2.38.1-5+b1\nVulnerability CVE-2022-0563\nSeverity: LOW\nFixed Version: \nLink: [CVE-2022-0563](https://avd.aquasec.com/nvd/cve-2022-0563)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libsmartcols1@2.38.1-5+b1" + } + } + ] + }, + { + "ruleId": "CVE-2023-2975", + "ruleIndex": 28, + "level": "warning", + "message": { + "text": "Package: libssl3\nInstalled Version: 3.0.9-1\nVulnerability CVE-2023-2975\nSeverity: MEDIUM\nFixed Version: \nLink: [CVE-2023-2975](https://avd.aquasec.com/nvd/cve-2023-2975)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libssl3@3.0.9-1" + } + } + ] + }, + { + "ruleId": "CVE-2023-3446", + "ruleIndex": 29, + "level": "warning", + "message": { + "text": "Package: libssl3\nInstalled Version: 3.0.9-1\nVulnerability CVE-2023-3446\nSeverity: MEDIUM\nFixed Version: \nLink: [CVE-2023-3446](https://avd.aquasec.com/nvd/cve-2023-3446)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libssl3@3.0.9-1" + } + } + ] + }, + { + "ruleId": "CVE-2023-3817", + "ruleIndex": 30, + "level": "warning", + "message": { + "text": "Package: libssl3\nInstalled Version: 3.0.9-1\nVulnerability CVE-2023-3817\nSeverity: MEDIUM\nFixed Version: \nLink: [CVE-2023-3817](https://avd.aquasec.com/nvd/cve-2023-3817)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libssl3@3.0.9-1" + } + } + ] + }, + { + "ruleId": "CVE-2007-6755", + "ruleIndex": 31, + "level": "note", + "message": { + "text": "Package: libssl3\nInstalled Version: 3.0.9-1\nVulnerability CVE-2007-6755\nSeverity: LOW\nFixed Version: \nLink: [CVE-2007-6755](https://avd.aquasec.com/nvd/cve-2007-6755)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libssl3@3.0.9-1" + } + } + ] + }, + { + "ruleId": "CVE-2010-0928", + "ruleIndex": 32, + "level": "note", + "message": { + "text": "Package: libssl3\nInstalled Version: 3.0.9-1\nVulnerability CVE-2010-0928\nSeverity: LOW\nFixed Version: \nLink: [CVE-2010-0928](https://avd.aquasec.com/nvd/cve-2010-0928)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libssl3@3.0.9-1" + } + } + ] + }, + { + "ruleId": "CVE-2022-27943", + "ruleIndex": 4, + "level": "note", + "message": { + "text": "Package: libstdc++6\nInstalled Version: 12.2.0-14\nVulnerability CVE-2022-27943\nSeverity: LOW\nFixed Version: \nLink: [CVE-2022-27943](https://avd.aquasec.com/nvd/cve-2022-27943)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libstdc++6@12.2.0-14" + } + } + ] + }, + { + "ruleId": "CVE-2013-4392", + "ruleIndex": 33, + "level": "note", + "message": { + "text": "Package: libsystemd0\nInstalled Version: 252.12-1~deb12u1\nVulnerability CVE-2013-4392\nSeverity: LOW\nFixed Version: \nLink: [CVE-2013-4392](https://avd.aquasec.com/nvd/cve-2013-4392)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libsystemd0@252.12-1~deb12u1" + } + } + ] + }, + { + "ruleId": "CVE-2023-31437", + "ruleIndex": 34, + "level": "note", + "message": { + "text": "Package: libsystemd0\nInstalled Version: 252.12-1~deb12u1\nVulnerability CVE-2023-31437\nSeverity: LOW\nFixed Version: \nLink: [CVE-2023-31437](https://avd.aquasec.com/nvd/cve-2023-31437)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libsystemd0@252.12-1~deb12u1" + } + } + ] + }, + { + "ruleId": "CVE-2023-31438", + "ruleIndex": 35, + "level": "note", + "message": { + "text": "Package: libsystemd0\nInstalled Version: 252.12-1~deb12u1\nVulnerability CVE-2023-31438\nSeverity: LOW\nFixed Version: \nLink: [CVE-2023-31438](https://avd.aquasec.com/nvd/cve-2023-31438)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libsystemd0@252.12-1~deb12u1" + } + } + ] + }, + { + "ruleId": "CVE-2023-31439", + "ruleIndex": 36, + "level": "note", + "message": { + "text": "Package: libsystemd0\nInstalled Version: 252.12-1~deb12u1\nVulnerability CVE-2023-31439\nSeverity: LOW\nFixed Version: \nLink: [CVE-2023-31439](https://avd.aquasec.com/nvd/cve-2023-31439)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libsystemd0@252.12-1~deb12u1" + } + } + ] + }, + { + "ruleId": "CVE-2023-25433", + "ruleIndex": 37, + "level": "warning", + "message": { + "text": "Package: libtiff6\nInstalled Version: 4.5.0-6\nVulnerability CVE-2023-25433\nSeverity: MEDIUM\nFixed Version: \nLink: [CVE-2023-25433](https://avd.aquasec.com/nvd/cve-2023-25433)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libtiff6@4.5.0-6" + } + } + ] + }, + { + "ruleId": "CVE-2023-26965", + "ruleIndex": 38, + "level": "warning", + "message": { + "text": "Package: libtiff6\nInstalled Version: 4.5.0-6\nVulnerability CVE-2023-26965\nSeverity: MEDIUM\nFixed Version: \nLink: [CVE-2023-26965](https://avd.aquasec.com/nvd/cve-2023-26965)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libtiff6@4.5.0-6" + } + } + ] + }, + { + "ruleId": "CVE-2023-26966", + "ruleIndex": 39, + "level": "warning", + "message": { + "text": "Package: libtiff6\nInstalled Version: 4.5.0-6\nVulnerability CVE-2023-26966\nSeverity: MEDIUM\nFixed Version: \nLink: [CVE-2023-26966](https://avd.aquasec.com/nvd/cve-2023-26966)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libtiff6@4.5.0-6" + } + } + ] + }, + { + "ruleId": "CVE-2023-2908", + "ruleIndex": 40, + "level": "warning", + "message": { + "text": "Package: libtiff6\nInstalled Version: 4.5.0-6\nVulnerability CVE-2023-2908\nSeverity: MEDIUM\nFixed Version: \nLink: [CVE-2023-2908](https://avd.aquasec.com/nvd/cve-2023-2908)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libtiff6@4.5.0-6" + } + } + ] + }, + { + "ruleId": "CVE-2023-3316", + "ruleIndex": 41, + "level": "warning", + "message": { + "text": "Package: libtiff6\nInstalled Version: 4.5.0-6\nVulnerability CVE-2023-3316\nSeverity: MEDIUM\nFixed Version: \nLink: [CVE-2023-3316](https://avd.aquasec.com/nvd/cve-2023-3316)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libtiff6@4.5.0-6" + } + } + ] + }, + { + "ruleId": "CVE-2023-3618", + "ruleIndex": 42, + "level": "warning", + "message": { + "text": "Package: libtiff6\nInstalled Version: 4.5.0-6\nVulnerability CVE-2023-3618\nSeverity: MEDIUM\nFixed Version: \nLink: [CVE-2023-3618](https://avd.aquasec.com/nvd/cve-2023-3618)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libtiff6@4.5.0-6" + } + } + ] + }, + { + "ruleId": "CVE-2023-38288", + "ruleIndex": 43, + "level": "warning", + "message": { + "text": "Package: libtiff6\nInstalled Version: 4.5.0-6\nVulnerability CVE-2023-38288\nSeverity: MEDIUM\nFixed Version: \nLink: [CVE-2023-38288](https://avd.aquasec.com/nvd/cve-2023-38288)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libtiff6@4.5.0-6" + } + } + ] + }, + { + "ruleId": "CVE-2023-38289", + "ruleIndex": 44, + "level": "warning", + "message": { + "text": "Package: libtiff6\nInstalled Version: 4.5.0-6\nVulnerability CVE-2023-38289\nSeverity: MEDIUM\nFixed Version: \nLink: [CVE-2023-38289](https://avd.aquasec.com/nvd/cve-2023-38289)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libtiff6@4.5.0-6" + } + } + ] + }, + { + "ruleId": "CVE-2017-16232", + "ruleIndex": 45, + "level": "note", + "message": { + "text": "Package: libtiff6\nInstalled Version: 4.5.0-6\nVulnerability CVE-2017-16232\nSeverity: LOW\nFixed Version: \nLink: [CVE-2017-16232](https://avd.aquasec.com/nvd/cve-2017-16232)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libtiff6@4.5.0-6" + } + } + ] + }, + { + "ruleId": "CVE-2017-17973", + "ruleIndex": 46, + "level": "note", + "message": { + "text": "Package: libtiff6\nInstalled Version: 4.5.0-6\nVulnerability CVE-2017-17973\nSeverity: LOW\nFixed Version: \nLink: [CVE-2017-17973](https://avd.aquasec.com/nvd/cve-2017-17973)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libtiff6@4.5.0-6" + } + } + ] + }, + { + "ruleId": "CVE-2017-5563", + "ruleIndex": 47, + "level": "note", + "message": { + "text": "Package: libtiff6\nInstalled Version: 4.5.0-6\nVulnerability CVE-2017-5563\nSeverity: LOW\nFixed Version: \nLink: [CVE-2017-5563](https://avd.aquasec.com/nvd/cve-2017-5563)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libtiff6@4.5.0-6" + } + } + ] + }, + { + "ruleId": "CVE-2017-9117", + "ruleIndex": 48, + "level": "note", + "message": { + "text": "Package: libtiff6\nInstalled Version: 4.5.0-6\nVulnerability CVE-2017-9117\nSeverity: LOW\nFixed Version: \nLink: [CVE-2017-9117](https://avd.aquasec.com/nvd/cve-2017-9117)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libtiff6@4.5.0-6" + } + } + ] + }, + { + "ruleId": "CVE-2018-10126", + "ruleIndex": 49, + "level": "note", + "message": { + "text": "Package: libtiff6\nInstalled Version: 4.5.0-6\nVulnerability CVE-2018-10126\nSeverity: LOW\nFixed Version: \nLink: [CVE-2018-10126](https://avd.aquasec.com/nvd/cve-2018-10126)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libtiff6@4.5.0-6" + } + } + ] + }, + { + "ruleId": "CVE-2022-1210", + "ruleIndex": 50, + "level": "note", + "message": { + "text": "Package: libtiff6\nInstalled Version: 4.5.0-6\nVulnerability CVE-2022-1210\nSeverity: LOW\nFixed Version: \nLink: [CVE-2022-1210](https://avd.aquasec.com/nvd/cve-2022-1210)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libtiff6@4.5.0-6" + } + } + ] + }, + { + "ruleId": "CVE-2023-1916", + "ruleIndex": 51, + "level": "note", + "message": { + "text": "Package: libtiff6\nInstalled Version: 4.5.0-6\nVulnerability CVE-2023-1916\nSeverity: LOW\nFixed Version: \nLink: [CVE-2023-1916](https://avd.aquasec.com/nvd/cve-2023-1916)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libtiff6@4.5.0-6" + } + } + ] + }, + { + "ruleId": "CVE-2023-3164", + "ruleIndex": 52, + "level": "note", + "message": { + "text": "Package: libtiff6\nInstalled Version: 4.5.0-6\nVulnerability CVE-2023-3164\nSeverity: LOW\nFixed Version: \nLink: [CVE-2023-3164](https://avd.aquasec.com/nvd/cve-2023-3164)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libtiff6@4.5.0-6" + } + } + ] + }, + { + "ruleId": "CVE-2013-4392", + "ruleIndex": 33, + "level": "note", + "message": { + "text": "Package: libudev1\nInstalled Version: 252.12-1~deb12u1\nVulnerability CVE-2013-4392\nSeverity: LOW\nFixed Version: \nLink: [CVE-2013-4392](https://avd.aquasec.com/nvd/cve-2013-4392)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libudev1@252.12-1~deb12u1" + } + } + ] + }, + { + "ruleId": "CVE-2023-31437", + "ruleIndex": 34, + "level": "note", + "message": { + "text": "Package: libudev1\nInstalled Version: 252.12-1~deb12u1\nVulnerability CVE-2023-31437\nSeverity: LOW\nFixed Version: \nLink: [CVE-2023-31437](https://avd.aquasec.com/nvd/cve-2023-31437)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libudev1@252.12-1~deb12u1" + } + } + ] + }, + { + "ruleId": "CVE-2023-31438", + "ruleIndex": 35, + "level": "note", + "message": { + "text": "Package: libudev1\nInstalled Version: 252.12-1~deb12u1\nVulnerability CVE-2023-31438\nSeverity: LOW\nFixed Version: \nLink: [CVE-2023-31438](https://avd.aquasec.com/nvd/cve-2023-31438)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libudev1@252.12-1~deb12u1" + } + } + ] + }, + { + "ruleId": "CVE-2023-31439", + "ruleIndex": 36, + "level": "note", + "message": { + "text": "Package: libudev1\nInstalled Version: 252.12-1~deb12u1\nVulnerability CVE-2023-31439\nSeverity: LOW\nFixed Version: \nLink: [CVE-2023-31439](https://avd.aquasec.com/nvd/cve-2023-31439)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libudev1@252.12-1~deb12u1" + } + } + ] + }, + { + "ruleId": "CVE-2022-0563", + "ruleIndex": 1, + "level": "note", + "message": { + "text": "Package: libuuid1\nInstalled Version: 2.38.1-5+b1\nVulnerability CVE-2022-0563\nSeverity: LOW\nFixed Version: \nLink: [CVE-2022-0563](https://avd.aquasec.com/nvd/cve-2022-0563)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libuuid1@2.38.1-5+b1" + } + } + ] + }, + { + "ruleId": "CVE-2015-9019", + "ruleIndex": 53, + "level": "note", + "message": { + "text": "Package: libxslt1.1\nInstalled Version: 1.1.35-1\nVulnerability CVE-2015-9019\nSeverity: LOW\nFixed Version: \nLink: [CVE-2015-9019](https://avd.aquasec.com/nvd/cve-2015-9019)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: libxslt1.1@1.1.35-1" + } + } + ] + }, + { + "ruleId": "CVE-2007-5686", + "ruleIndex": 54, + "level": "note", + "message": { + "text": "Package: login\nInstalled Version: 1:4.13+dfsg1-1+b1\nVulnerability CVE-2007-5686\nSeverity: LOW\nFixed Version: \nLink: [CVE-2007-5686](https://avd.aquasec.com/nvd/cve-2007-5686)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: login@1:4.13+dfsg1-1+b1" + } + } + ] + }, + { + "ruleId": "CVE-2019-19882", + "ruleIndex": 55, + "level": "note", + "message": { + "text": "Package: login\nInstalled Version: 1:4.13+dfsg1-1+b1\nVulnerability CVE-2019-19882\nSeverity: LOW\nFixed Version: \nLink: [CVE-2019-19882](https://avd.aquasec.com/nvd/cve-2019-19882)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: login@1:4.13+dfsg1-1+b1" + } + } + ] + }, + { + "ruleId": "CVE-2023-29383", + "ruleIndex": 56, + "level": "note", + "message": { + "text": "Package: login\nInstalled Version: 1:4.13+dfsg1-1+b1\nVulnerability CVE-2023-29383\nSeverity: LOW\nFixed Version: \nLink: [CVE-2023-29383](https://avd.aquasec.com/nvd/cve-2023-29383)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: login@1:4.13+dfsg1-1+b1" + } + } + ] + }, + { + "ruleId": "CVE-2022-0563", + "ruleIndex": 1, + "level": "note", + "message": { + "text": "Package: mount\nInstalled Version: 2.38.1-5+b1\nVulnerability CVE-2022-0563\nSeverity: LOW\nFixed Version: \nLink: [CVE-2022-0563](https://avd.aquasec.com/nvd/cve-2022-0563)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: mount@2.38.1-5+b1" + } + } + ] + }, + { + "ruleId": "CVE-2009-4487", + "ruleIndex": 57, + "level": "note", + "message": { + "text": "Package: nginx\nInstalled Version: 1.25.2-1~bookworm\nVulnerability CVE-2009-4487\nSeverity: LOW\nFixed Version: \nLink: [CVE-2009-4487](https://avd.aquasec.com/nvd/cve-2009-4487)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: nginx@1.25.2-1~bookworm" + } + } + ] + }, + { + "ruleId": "CVE-2013-0337", + "ruleIndex": 58, + "level": "note", + "message": { + "text": "Package: nginx\nInstalled Version: 1.25.2-1~bookworm\nVulnerability CVE-2013-0337\nSeverity: LOW\nFixed Version: \nLink: [CVE-2013-0337](https://avd.aquasec.com/nvd/cve-2013-0337)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: nginx@1.25.2-1~bookworm" + } + } + ] + }, + { + "ruleId": "CVE-2023-2975", + "ruleIndex": 28, + "level": "warning", + "message": { + "text": "Package: openssl\nInstalled Version: 3.0.9-1\nVulnerability CVE-2023-2975\nSeverity: MEDIUM\nFixed Version: \nLink: [CVE-2023-2975](https://avd.aquasec.com/nvd/cve-2023-2975)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: openssl@3.0.9-1" + } + } + ] + }, + { + "ruleId": "CVE-2023-3446", + "ruleIndex": 29, + "level": "warning", + "message": { + "text": "Package: openssl\nInstalled Version: 3.0.9-1\nVulnerability CVE-2023-3446\nSeverity: MEDIUM\nFixed Version: \nLink: [CVE-2023-3446](https://avd.aquasec.com/nvd/cve-2023-3446)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: openssl@3.0.9-1" + } + } + ] + }, + { + "ruleId": "CVE-2023-3817", + "ruleIndex": 30, + "level": "warning", + "message": { + "text": "Package: openssl\nInstalled Version: 3.0.9-1\nVulnerability CVE-2023-3817\nSeverity: MEDIUM\nFixed Version: \nLink: [CVE-2023-3817](https://avd.aquasec.com/nvd/cve-2023-3817)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: openssl@3.0.9-1" + } + } + ] + }, + { + "ruleId": "CVE-2007-6755", + "ruleIndex": 31, + "level": "note", + "message": { + "text": "Package: openssl\nInstalled Version: 3.0.9-1\nVulnerability CVE-2007-6755\nSeverity: LOW\nFixed Version: \nLink: [CVE-2007-6755](https://avd.aquasec.com/nvd/cve-2007-6755)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: openssl@3.0.9-1" + } + } + ] + }, + { + "ruleId": "CVE-2010-0928", + "ruleIndex": 32, + "level": "note", + "message": { + "text": "Package: openssl\nInstalled Version: 3.0.9-1\nVulnerability CVE-2010-0928\nSeverity: LOW\nFixed Version: \nLink: [CVE-2010-0928](https://avd.aquasec.com/nvd/cve-2010-0928)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: openssl@3.0.9-1" + } + } + ] + }, + { + "ruleId": "CVE-2007-5686", + "ruleIndex": 54, + "level": "note", + "message": { + "text": "Package: passwd\nInstalled Version: 1:4.13+dfsg1-1+b1\nVulnerability CVE-2007-5686\nSeverity: LOW\nFixed Version: \nLink: [CVE-2007-5686](https://avd.aquasec.com/nvd/cve-2007-5686)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: passwd@1:4.13+dfsg1-1+b1" + } + } + ] + }, + { + "ruleId": "CVE-2019-19882", + "ruleIndex": 55, + "level": "note", + "message": { + "text": "Package: passwd\nInstalled Version: 1:4.13+dfsg1-1+b1\nVulnerability CVE-2019-19882\nSeverity: LOW\nFixed Version: \nLink: [CVE-2019-19882](https://avd.aquasec.com/nvd/cve-2019-19882)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: passwd@1:4.13+dfsg1-1+b1" + } + } + ] + }, + { + "ruleId": "CVE-2023-29383", + "ruleIndex": 56, + "level": "note", + "message": { + "text": "Package: passwd\nInstalled Version: 1:4.13+dfsg1-1+b1\nVulnerability CVE-2023-29383\nSeverity: LOW\nFixed Version: \nLink: [CVE-2023-29383](https://avd.aquasec.com/nvd/cve-2023-29383)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: passwd@1:4.13+dfsg1-1+b1" + } + } + ] + }, + { + "ruleId": "CVE-2023-31484", + "ruleIndex": 59, + "level": "error", + "message": { + "text": "Package: perl-base\nInstalled Version: 5.36.0-7\nVulnerability CVE-2023-31484\nSeverity: HIGH\nFixed Version: \nLink: [CVE-2023-31484](https://avd.aquasec.com/nvd/cve-2023-31484)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: perl-base@5.36.0-7" + } + } + ] + }, + { + "ruleId": "CVE-2011-4116", + "ruleIndex": 60, + "level": "note", + "message": { + "text": "Package: perl-base\nInstalled Version: 5.36.0-7\nVulnerability CVE-2011-4116\nSeverity: LOW\nFixed Version: \nLink: [CVE-2011-4116](https://avd.aquasec.com/nvd/cve-2011-4116)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: perl-base@5.36.0-7" + } + } + ] + }, + { + "ruleId": "CVE-2023-31486", + "ruleIndex": 61, + "level": "note", + "message": { + "text": "Package: perl-base\nInstalled Version: 5.36.0-7\nVulnerability CVE-2023-31486\nSeverity: LOW\nFixed Version: \nLink: [CVE-2023-31486](https://avd.aquasec.com/nvd/cve-2023-31486)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: perl-base@5.36.0-7" + } + } + ] + }, + { + "ruleId": "CVE-2005-2541", + "ruleIndex": 62, + "level": "note", + "message": { + "text": "Package: tar\nInstalled Version: 1.34+dfsg-1.2\nVulnerability CVE-2005-2541\nSeverity: LOW\nFixed Version: \nLink: [CVE-2005-2541](https://avd.aquasec.com/nvd/cve-2005-2541)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: tar@1.34+dfsg-1.2" + } + } + ] + }, + { + "ruleId": "CVE-2022-48303", + "ruleIndex": 63, + "level": "note", + "message": { + "text": "Package: tar\nInstalled Version: 1.34+dfsg-1.2\nVulnerability CVE-2022-48303\nSeverity: LOW\nFixed Version: \nLink: [CVE-2022-48303](https://avd.aquasec.com/nvd/cve-2022-48303)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: tar@1.34+dfsg-1.2" + } + } + ] + }, + { + "ruleId": "CVE-2022-0563", + "ruleIndex": 1, + "level": "note", + "message": { + "text": "Package: util-linux\nInstalled Version: 2.38.1-5+b1\nVulnerability CVE-2022-0563\nSeverity: LOW\nFixed Version: \nLink: [CVE-2022-0563](https://avd.aquasec.com/nvd/cve-2022-0563)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: util-linux@2.38.1-5+b1" + } + } + ] + }, + { + "ruleId": "CVE-2022-0563", + "ruleIndex": 1, + "level": "note", + "message": { + "text": "Package: util-linux-extra\nInstalled Version: 2.38.1-5+b1\nVulnerability CVE-2022-0563\nSeverity: LOW\nFixed Version: \nLink: [CVE-2022-0563](https://avd.aquasec.com/nvd/cve-2022-0563)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "library/nginx", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "library/nginx: util-linux-extra@2.38.1-5+b1" + } + } + ] + } + ], + "columnKind": "utf16CodeUnits", + "originalUriBaseIds": { + "ROOTPATH": { + "uri": "file:///" + } + }, + "properties": { + "imageName": "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0", + "repoDigests": [ + "nginx@sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" + ], + "repoTags": [] + } + } + ] +} \ No newline at end of file diff --git a/pkg/ctl/testdata/sarif/sample-2vulns.json b/pkg/ctl/testdata/sarif/sample-2vulns.json new file mode 100644 index 0000000..b095492 --- /dev/null +++ b/pkg/ctl/testdata/sarif/sample-2vulns.json @@ -0,0 +1,34 @@ +{ + "@context": "https://openvex.dev/ns/v0.2.0", + "@id": "https://openvex.dev/docs/public/vex-cbce60e4c921512c381e3234db5f9bd19704658a1b670e196d42a96f3dd80cd3", + "author": "The OpenVEX Project", + "timestamp": "2023-08-16T19:55:22.076684217-06:00", + "version": 1, + "statements": [ + { + "timestamp": "2023-08-15T19:55:22.076684217-06:00", + "vulnerability": { + "name": "CVE-2023-27103", + "aliases": ["SNYK-DEBIAN12-LIBDE265-3361563"] + }, + "products": [ + { "@id": "pkg:oci/nginx@sha256%3A13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" } + ], + "status": "not_affected", + "justification": "component_not_present", + "statement": "This is a sample OpenVEX file, it is not a real security assessment." + }, + { + "vulnerability": { + "name": "CVE-2007-5686", + "description": "Access Restriction Bypass vulnerability in shadow", + "aliases": ["SNYK-DEBIAN12-SHADOW-1559391"] + }, + "products": [ + { "@id": "pkg:oci/nginx@sha256%3A13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" } + ], + "status": "fixed", + "statement": "This is a sample OpenVEX file, it is not a real security assessment." + } + ] +} diff --git a/pkg/ctl/testdata/sarif/sample-history.json b/pkg/ctl/testdata/sarif/sample-history.json new file mode 100644 index 0000000..9f5bbac --- /dev/null +++ b/pkg/ctl/testdata/sarif/sample-history.json @@ -0,0 +1,34 @@ +{ + "@context": "https://openvex.dev/ns/v0.2.0", + "@id": "https://openvex.dev/docs/public/vex-cbce60e4c921512c381e3234db5f9bd19704658a1b670e196d42a96f3dd80cd3", + "author": "The OpenVEX Project", + "timestamp": "2023-08-16T19:55:22.076684217-06:00", + "version": 1, + "statements": [ + { + "timestamp": "2023-08-15T19:55:22.076684217-06:00", + "vulnerability": { + "name": "CVE-2023-27103", + "aliases": ["SNYK-DEBIAN12-LIBDE265-3361563"] + }, + "products": [ + { "@id": "pkg:oci/nginx@sha256%3A13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" } + ], + "status": "not_affected", + "justification": "component_not_present", + "statement": "This is a sample OpenVEX file, it is not a real security assessment." + }, + { + "vulnerability": { + "name": "CVE-2023-27103", + "aliases": ["SNYK-DEBIAN12-LIBDE265-3361563"] + }, + "products": [ + { "@id": "pkg:oci/nginx@sha256%3A13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" } + ], + "status": "not_affected", + "justification": "component_not_present", + "statement": "This is a sample OpenVEX file, it is not a real security assessment." + } + ] +} diff --git a/pkg/ctl/testdata/sarif/sample.openvex.json b/pkg/ctl/testdata/sarif/sample.openvex.json new file mode 100644 index 0000000..9b7b494 --- /dev/null +++ b/pkg/ctl/testdata/sarif/sample.openvex.json @@ -0,0 +1,21 @@ +{ + "@context": "https://openvex.dev/ns/v0.2.0", + "@id": "https://openvex.dev/docs/public/vex-cbce60e4c921512c381e3234db5f9bd19704658a1b670e196d42a96f3dd80cd3", + "author": "The OpenVEX Project", + "timestamp": "2023-08-16T19:55:22.076684217-06:00", + "version": 1, + "statements": [ + { + "vulnerability": { + "name": "CVE-2023-27103", + "aliases": ["SNYK-DEBIAN12-LIBDE265-3361563"] + }, + "products": [ + { "@id": "pkg:oci/nginx@sha256%3A13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0" } + ], + "status": "not_affected", + "justification": "component_not_present", + "statement": "This is a sample OpenVEX file, it is not a real security assessment." + } + ] +} diff --git a/pkg/ctl/testdata/test.vex.json b/pkg/ctl/testdata/test.vex.json index 08507b5..4f7ce37 100644 --- a/pkg/ctl/testdata/test.vex.json +++ b/pkg/ctl/testdata/test.vex.json @@ -1,5 +1,6 @@ { - "id": "", + "@context": "https://openvex.dev/ns", + "@id": "https://openvex.dev/docs/public/vex-6e8e4d52daffc0b12212095c2fd5d0d5265a551ba0029e2a20fc35f58537730d", "author": "Chainguard", "role": "author", "timestamp": "2022-08-29T17:48:53.697543267-05:00", diff --git a/pkg/ctl/testdata/v001-1.vex.json b/pkg/ctl/testdata/v001-1.vex.json index b7cc51c..f4c0c08 100644 --- a/pkg/ctl/testdata/v001-1.vex.json +++ b/pkg/ctl/testdata/v001-1.vex.json @@ -1,5 +1,6 @@ { - "id": "my-vexdoc", + "@context": "https://openvex.dev/ns", + "@id": "my-vexdoc2", "format": "text/vex+json", "author": "John Doe", "role": "vex issuer", diff --git a/pkg/ctl/testdata/v001-2.vex.json b/pkg/ctl/testdata/v001-2.vex.json index 7b4de4c..65b4060 100644 --- a/pkg/ctl/testdata/v001-2.vex.json +++ b/pkg/ctl/testdata/v001-2.vex.json @@ -1,5 +1,6 @@ { - "id": "my-vexdoc", + "@context": "https://openvex.dev/ns", + "@id": "my-vexdoc2", "format": "text/vex+json", "author": "John Doe", "role": "vex issuer", diff --git a/pkg/ctl/testdata/v020-1.vex.json b/pkg/ctl/testdata/v020-1.vex.json new file mode 100644 index 0000000..a90b0cd --- /dev/null +++ b/pkg/ctl/testdata/v020-1.vex.json @@ -0,0 +1,16 @@ +{ + "@context": "https://openvex.dev/ns/v0.2.0", + "@id": "https://openvex.dev/docs/public/vex-3f59b4dffdeae0183e5e6a9d7a2461fdf86a03c079f4129050bb462eca366beb", + "author": "John Doe", + "role": "Senior Trusted VEX Issuer", + "statements": [ + { + "timestamp": "2022-12-22T16:36:43-05:00", + "products": [ + { "@id": "pkg:apk/wolfi/bash@1.0.0" } + ], + "vulnerability": { "name": "CVE-9876-54321" }, + "status": "under_investigation" + } + ] +} diff --git a/pkg/ctl/testdata/v020-2.vex.json b/pkg/ctl/testdata/v020-2.vex.json new file mode 100644 index 0000000..1e52561 --- /dev/null +++ b/pkg/ctl/testdata/v020-2.vex.json @@ -0,0 +1,16 @@ +{ + "@context": "https://openvex.dev/ns/v0.2.0", + "@id": "https://openvex.dev/docs/public/vex-99f523e8cec348eb9917eefe85cd335410946391b959a8b6dab80f3514c8546c", + "author": "John Doe", + "role": "Senior Trusted VEX Issuer", + "statements": [ + { + "timestamp": "2022-12-22T16:36:43-05:00", + "products": [ + { "@id": "pkg:apk/wolfi/git@2.41.0-1" } + ], + "vulnerability": { "name": "CVE-1234-5678" }, + "status": "under_investigation" + } + ] +}