Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Docker Container Image Vulnerability Check - 2021-07-30 #158

Open
chirangaalwis opened this issue Jul 30, 2021 · 1 comment
Open

Docker Container Image Vulnerability Check - 2021-07-30 #158

chirangaalwis opened this issue Jul 30, 2021 · 1 comment
Labels
good first issue Good for newcomers

Comments

@chirangaalwis
Copy link

Is this a BUG REPORT or FEATURE REQUEST?

It is a BUG REPORT.

Choose one: BUG REPORT or FEATURE REQUEST

What happened:
Experienced the following Docker container image vulnerability scan report using Trivy Docker image scan tool.

2021-07-29T13:36:56.4138539Z 2021-07-29T13:36:56.412Z	�[34mINFO�[0m	Detecting RHEL/CentOS vulnerabilities...
2021-07-29T13:36:56.4162131Z 2021-07-29T13:36:56.415Z	�[34mINFO�[0m	Number of language-specific files: 1
2021-07-29T13:36:56.4163072Z 2021-07-29T13:36:56.415Z	�[34mINFO�[0m	Detecting gobinary vulnerabilities...
2021-07-29T13:36:56.4368755Z 
2021-07-29T13:36:56.4370056Z litmuschaos/chaos-runner:1.13.8 (redhat 8.3)
2021-07-29T13:36:56.4372658Z ============================================
2021-07-29T13:36:56.4373323Z Total: 98 (MEDIUM: 92, HIGH: 3, CRITICAL: 3)
2021-07-29T13:36:56.4374841Z 
2021-07-29T13:36:56.4379188Z +------------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4383762Z |        LIBRARY         | VULNERABILITY ID | SEVERITY | INSTALLED VERSION  |  FIXED VERSION  |                  TITLE                  |
2021-07-29T13:36:56.4385696Z +------------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4389389Z | brotli                 | CVE-2020-8927    | MEDIUM   | 1.0.6-2.el8        | 1.0.6-3.el8     | brotli: buffer overflow when            |
2021-07-29T13:36:56.4395453Z |                        |                  |          |                    |                 | input chunk is larger than 2GiB         |
2021-07-29T13:36:56.4397601Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-8927    |
2021-07-29T13:36:56.4398665Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4403269Z | coreutils-single       | CVE-2017-18018   |          | 8.30-8.el8         |                 | coreutils: race condition               |
2021-07-29T13:36:56.4442605Z |                        |                  |          |                    |                 | vulnerability in chown and chgrp        |
2021-07-29T13:36:56.4443821Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2017-18018   |
2021-07-29T13:36:56.4444819Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4453601Z | curl                   | CVE-2020-8284    |          | 7.61.1-14.el8_3.1  | 7.61.1-18.el8   | curl: FTP PASV command                  |
2021-07-29T13:36:56.4454963Z |                        |                  |          |                    |                 | response can cause curl                 |
2021-07-29T13:36:56.4455808Z |                        |                  |          |                    |                 | to connect to arbitrary...              |
2021-07-29T13:36:56.4457051Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-8284    |
2021-07-29T13:36:56.4458242Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T13:36:56.4459489Z |                        | CVE-2020-8285    |          |                    |                 | curl: Malicious FTP server can          |
2021-07-29T13:36:56.4462362Z |                        |                  |          |                    |                 | trigger stack overflow when             |
2021-07-29T13:36:56.4463302Z |                        |                  |          |                    |                 | CURLOPT_CHUNK_BGN_FUNCTION              |
2021-07-29T13:36:56.4464143Z |                        |                  |          |                    |                 | is used...                              |
2021-07-29T13:36:56.4467629Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-8285    |
2021-07-29T13:36:56.4468872Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T13:36:56.4470222Z |                        | CVE-2020-8286    |          |                    |                 | curl: Inferior OCSP verification        |
2021-07-29T13:36:56.4471546Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-8286    |
2021-07-29T13:36:56.4472641Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4473848Z |                        | CVE-2021-22876   |          |                    |                 | curl: Leak of authentication            |
2021-07-29T13:36:56.4474639Z |                        |                  |          |                    |                 | credentials in URL                      |
2021-07-29T13:36:56.4475322Z |                        |                  |          |                    |                 | via automatic Referer                   |
2021-07-29T13:36:56.4554819Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-22876   |
2021-07-29T13:36:56.4578785Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4598778Z |                        | CVE-2021-22922   |          |                    |                 | curl: wrong content via                 |
2021-07-29T13:36:56.4605549Z |                        |                  |          |                    |                 | metalink is not being discarded         |
2021-07-29T13:36:56.4638225Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-22922   |
2021-07-29T13:36:56.4639636Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4640696Z |                        | CVE-2021-22923   |          |                    |                 | curl: Metalink download                 |
2021-07-29T13:36:56.4641492Z |                        |                  |          |                    |                 | sends credentials                       |
2021-07-29T13:36:56.4642566Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-22923   |
2021-07-29T13:36:56.4643567Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4644583Z |                        | CVE-2021-22924   |          |                    |                 | curl: bad connection reuse              |
2021-07-29T13:36:56.4645375Z |                        |                  |          |                    |                 | due to flawed path name checks          |
2021-07-29T13:36:56.4646322Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-22924   |
2021-07-29T13:36:56.4647275Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4648291Z | file-libs              | CVE-2019-18218   |          | 5.33-16.el8_3.1    |                 | file: heap-based buffer overflow        |
2021-07-29T13:36:56.4649075Z |                        |                  |          |                    |                 | in cdf_read_property_info in cdf.c      |
2021-07-29T13:36:56.4650018Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-18218   |
2021-07-29T13:36:56.4650981Z +------------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4652006Z | glib2                  | CVE-2021-27219   | HIGH     | 2.56.4-8.el8       | 2.56.4-10.el8_4 | glib: integer overflow in               |
2021-07-29T13:36:56.4652784Z |                        |                  |          |                    |                 | g_bytes_new function on                 |
2021-07-29T13:36:56.4653723Z |                        |                  |          |                    |                 | 64-bit platforms due to an...           |
2021-07-29T13:36:56.4654682Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-27219   |
2021-07-29T13:36:56.4655644Z +                        +------------------+----------+                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4656662Z |                        | CVE-2020-13543   | MEDIUM   |                    | 2.56.4-9.el8    | webkitgtk: use-after-free may           |
2021-07-29T13:36:56.4657437Z |                        |                  |          |                    |                 | lead to arbitrary code execution        |
2021-07-29T13:36:56.4658395Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-13543   |
2021-07-29T13:36:56.4659339Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T13:36:56.4660345Z |                        | CVE-2020-13584   |          |                    |                 | webkitgtk: use-after-free may           |
2021-07-29T13:36:56.4661122Z |                        |                  |          |                    |                 | lead to arbitrary code execution        |
2021-07-29T13:36:56.4662154Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-13584   |
2021-07-29T13:36:56.4663111Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T13:36:56.4664122Z |                        | CVE-2020-9948    |          |                    |                 | webkitgtk: type confusion may           |
2021-07-29T13:36:56.4664899Z |                        |                  |          |                    |                 | lead to arbitrary code execution        |
2021-07-29T13:36:56.4665921Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-9948    |
2021-07-29T13:36:56.4666881Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T13:36:56.4667888Z |                        | CVE-2020-9951    |          |                    |                 | webkitgtk: use-after-free may           |
2021-07-29T13:36:56.4668668Z |                        |                  |          |                    |                 | lead to arbitrary code execution        |
2021-07-29T13:36:56.4669603Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-9951    |
2021-07-29T13:36:56.4670554Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T13:36:56.4671562Z |                        | CVE-2020-9983    |          |                    |                 | webkitgtk: out-of-bounds write          |
2021-07-29T13:36:56.4672357Z |                        |                  |          |                    |                 | may lead to code execution              |
2021-07-29T13:36:56.4673301Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-9983    |
2021-07-29T13:36:56.4674258Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4675260Z |                        | CVE-2021-27218   |          |                    |                 | glib: integer overflow in               |
2021-07-29T13:36:56.4676287Z |                        |                  |          |                    |                 | g_byte_array_new_take function          |
2021-07-29T13:36:56.4677026Z |                        |                  |          |                    |                 | when called with a buffer of...         |
2021-07-29T13:36:56.4678003Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-27218   |
2021-07-29T13:36:56.4679155Z +------------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4680192Z | glibc                  | CVE-2019-1010022 | CRITICAL | 2.28-127.el8_3.2   |                 | glibc: stack guard protection bypass    |
2021-07-29T13:36:56.4681204Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-1010022 |
2021-07-29T13:36:56.4682169Z +                        +------------------+----------+                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4683188Z |                        | CVE-2019-25013   | MEDIUM   |                    | 2.28-151.el8    | glibc: buffer over-read in              |
2021-07-29T13:36:56.4683963Z |                        |                  |          |                    |                 | iconv when processing invalid           |
2021-07-29T13:36:56.4684906Z |                        |                  |          |                    |                 | multi-byte input sequences in...        |
2021-07-29T13:36:56.4685981Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-25013   |
2021-07-29T13:36:56.4686946Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T13:36:56.4687984Z |                        | CVE-2019-9169    |          |                    |                 | glibc: regular-expression               |
2021-07-29T13:36:56.4688768Z |                        |                  |          |                    |                 | match via proceed_next_node             |
2021-07-29T13:36:56.4689567Z |                        |                  |          |                    |                 | in posix/regexec.c leads to             |
2021-07-29T13:36:56.4690512Z |                        |                  |          |                    |                 | heap-based buffer over-read...          |
2021-07-29T13:36:56.4691479Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-9169    |
2021-07-29T13:36:56.4692433Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T13:36:56.4693451Z |                        | CVE-2021-3326    |          |                    |                 | glibc: Assertion failure in             |
2021-07-29T13:36:56.4694595Z |                        |                  |          |                    |                 | ISO-2022-JP-3 gconv module              |
2021-07-29T13:36:56.4695338Z |                        |                  |          |                    |                 | related to combining characters         |
2021-07-29T13:36:56.4696286Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-3326    |
2021-07-29T13:36:56.4697252Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4698270Z |                        | CVE-2021-35942   |          |                    |                 | glibc: Arbitrary read in wordexp()      |
2021-07-29T13:36:56.4712230Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-35942   |
2021-07-29T13:36:56.4713664Z +------------------------+------------------+----------+                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4714708Z | glibc-common           | CVE-2019-1010022 | CRITICAL |                    |                 | glibc: stack guard protection bypass    |
2021-07-29T13:36:56.4715805Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-1010022 |
2021-07-29T13:36:56.4716869Z +                        +------------------+----------+                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4723085Z |                        | CVE-2019-25013   | MEDIUM   |                    | 2.28-151.el8    | glibc: buffer over-read in              |
2021-07-29T13:36:56.4723948Z |                        |                  |          |                    |                 | iconv when processing invalid           |
2021-07-29T13:36:56.4726740Z |                        |                  |          |                    |                 | multi-byte input sequences in...        |
2021-07-29T13:36:56.4729343Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-25013   |
2021-07-29T13:36:56.4730654Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T13:36:56.4732083Z |                        | CVE-2019-9169    |          |                    |                 | glibc: regular-expression               |
2021-07-29T13:36:56.4732809Z |                        |                  |          |                    |                 | match via proceed_next_node             |
2021-07-29T13:36:56.4733438Z |                        |                  |          |                    |                 | in posix/regexec.c leads to             |
2021-07-29T13:36:56.4734969Z |                        |                  |          |                    |                 | heap-based buffer over-read...          |
2021-07-29T13:36:56.4736342Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-9169    |
2021-07-29T13:36:56.4737633Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T13:36:56.4738621Z |                        | CVE-2021-3326    |          |                    |                 | glibc: Assertion failure in             |
2021-07-29T13:36:56.4739543Z |                        |                  |          |                    |                 | ISO-2022-JP-3 gconv module              |
2021-07-29T13:36:56.4740200Z |                        |                  |          |                    |                 | related to combining characters         |
2021-07-29T13:36:56.4741065Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-3326    |
2021-07-29T13:36:56.4741944Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4742866Z |                        | CVE-2021-35942   |          |                    |                 | glibc: Arbitrary read in wordexp()      |
2021-07-29T13:36:56.4743793Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-35942   |
2021-07-29T13:36:56.4744663Z +------------------------+------------------+----------+                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4745591Z | glibc-minimal-langpack | CVE-2019-1010022 | CRITICAL |                    |                 | glibc: stack guard protection bypass    |
2021-07-29T13:36:56.4746518Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-1010022 |
2021-07-29T13:36:56.4747388Z +                        +------------------+----------+                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4748315Z |                        | CVE-2019-25013   | MEDIUM   |                    | 2.28-151.el8    | glibc: buffer over-read in              |
2021-07-29T13:36:56.4749017Z |                        |                  |          |                    |                 | iconv when processing invalid           |
2021-07-29T13:36:56.4749876Z |                        |                  |          |                    |                 | multi-byte input sequences in...        |
2021-07-29T13:36:56.4750748Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-25013   |
2021-07-29T13:36:56.4751612Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T13:36:56.4752556Z |                        | CVE-2019-9169    |          |                    |                 | glibc: regular-expression               |
2021-07-29T13:36:56.4753255Z |                        |                  |          |                    |                 | match via proceed_next_node             |
2021-07-29T13:36:56.4753889Z |                        |                  |          |                    |                 | in posix/regexec.c leads to             |
2021-07-29T13:36:56.4754842Z |                        |                  |          |                    |                 | heap-based buffer over-read...          |
2021-07-29T13:36:56.4755825Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-9169    |
2021-07-29T13:36:56.4756716Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T13:36:56.4757624Z |                        | CVE-2021-3326    |          |                    |                 | glibc: Assertion failure in             |
2021-07-29T13:36:56.4758630Z |                        |                  |          |                    |                 | ISO-2022-JP-3 gconv module              |
2021-07-29T13:36:56.4759287Z |                        |                  |          |                    |                 | related to combining characters         |
2021-07-29T13:36:56.4760152Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-3326    |
2021-07-29T13:36:56.4761025Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4761946Z |                        | CVE-2021-35942   |          |                    |                 | glibc: Arbitrary read in wordexp()      |
2021-07-29T13:36:56.4762861Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-35942   |
2021-07-29T13:36:56.4763730Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4764657Z | gnutls                 | CVE-2021-20231   |          | 3.6.14-8.el8_3     |                 | gnutls: Use after free in               |
2021-07-29T13:36:56.4765363Z |                        |                  |          |                    |                 | client key_share extension              |
2021-07-29T13:36:56.4766225Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-20231   |
2021-07-29T13:36:56.4767090Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4768006Z |                        | CVE-2021-20232   |          |                    |                 | gnutls: Use after free                  |
2021-07-29T13:36:56.4768704Z |                        |                  |          |                    |                 | in client_send_params in                |
2021-07-29T13:36:56.4769339Z |                        |                  |          |                    |                 | lib/ext/pre_shared_key.c                |
2021-07-29T13:36:56.4770198Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-20232   |
2021-07-29T13:36:56.4771065Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4772002Z | json-c                 | CVE-2020-12762   |          | 0.13.1-0.2.el8     |                 | json-c: integer overflow                |
2021-07-29T13:36:56.4772924Z |                        |                  |          |                    |                 | and out-of-bounds write                 |
2021-07-29T13:36:56.4773575Z |                        |                  |          |                    |                 | via a large JSON file                   |
2021-07-29T13:36:56.4774439Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-12762   |
2021-07-29T13:36:56.4775377Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4776307Z | krb5-libs              | CVE-2020-28196   |          | 1.18.2-5.el8       | 1.18.2-8.el8    | krb5: unbounded recursion via an        |
2021-07-29T13:36:56.4777223Z |                        |                  |          |                    |                 | ASN.1-encoded Kerberos message          |
2021-07-29T13:36:56.4777876Z |                        |                  |          |                    |                 | in lib/krb5/asn.1/asn1_encode.c         |
2021-07-29T13:36:56.4778575Z |                        |                  |          |                    |                 | may lead...                             |
2021-07-29T13:36:56.4779430Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-28196   |
2021-07-29T13:36:56.4780301Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4781220Z |                        | CVE-2021-36222   |          |                    |                 | krb5: sending a request containing      |
2021-07-29T13:36:56.4782136Z |                        |                  |          |                    |                 | a PA-ENCRYPTED-CHALLENGE padata         |
2021-07-29T13:36:56.4782788Z |                        |                  |          |                    |                 | element without using FAST...           |
2021-07-29T13:36:56.4783645Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-36222   |
2021-07-29T13:36:56.4784511Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4785441Z | libarchive             | CVE-2017-14502   |          | 3.3.2-9.el8        | 3.3.3-1.el8     | libarchive: Off-by-one error            |
2021-07-29T13:36:56.4786143Z |                        |                  |          |                    |                 | in the read_header function             |
2021-07-29T13:36:56.4787007Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2017-14502   |
2021-07-29T13:36:56.4787876Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4788799Z |                        | CVE-2020-21674   |          |                    |                 | libarchive: heap-based                  |
2021-07-29T13:36:56.4790387Z |                        |                  |          |                    |                 | buffer overflow in                      |
2021-07-29T13:36:56.4791177Z |                        |                  |          |                    |                 | archive_string_append_from_wcs          |
2021-07-29T13:36:56.4791981Z |                        |                  |          |                    |                 | function in archive_string.c            |
2021-07-29T13:36:56.4793072Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-21674   |
2021-07-29T13:36:56.4794221Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4796302Z | libcurl                | CVE-2020-8284    |          | 7.61.1-14.el8_3.1  | 7.61.1-18.el8   | curl: FTP PASV command                  |
2021-07-29T13:36:56.4797075Z |                        |                  |          |                    |                 | response can cause curl                 |
2021-07-29T13:36:56.4797717Z |                        |                  |          |                    |                 | to connect to arbitrary...              |
2021-07-29T13:36:56.4798731Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-8284    |
2021-07-29T13:36:56.4799604Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T13:36:56.4800530Z |                        | CVE-2020-8285    |          |                    |                 | curl: Malicious FTP server can          |
2021-07-29T13:36:56.4801259Z |                        |                  |          |                    |                 | trigger stack overflow when             |
2021-07-29T13:36:56.4801988Z |                        |                  |          |                    |                 | CURLOPT_CHUNK_BGN_FUNCTION              |
2021-07-29T13:36:56.4802626Z |                        |                  |          |                    |                 | is used...                              |
2021-07-29T13:36:56.4803488Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-8285    |
2021-07-29T13:36:56.4804358Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T13:36:56.4805282Z |                        | CVE-2020-8286    |          |                    |                 | curl: Inferior OCSP verification        |
2021-07-29T13:36:56.4806196Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-8286    |
2021-07-29T13:36:56.4807069Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4807988Z |                        | CVE-2021-22876   |          |                    |                 | curl: Leak of authentication            |
2021-07-29T13:36:56.4808689Z |                        |                  |          |                    |                 | credentials in URL                      |
2021-07-29T13:36:56.4809329Z |                        |                  |          |                    |                 | via automatic Referer                   |
2021-07-29T13:36:56.4810191Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-22876   |
2021-07-29T13:36:56.4811058Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4811986Z |                        | CVE-2021-22922   |          |                    |                 | curl: wrong content via                 |
2021-07-29T13:36:56.4812678Z |                        |                  |          |                    |                 | metalink is not being discarded         |
2021-07-29T13:36:56.4813541Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-22922   |
2021-07-29T13:36:56.4814412Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4815369Z |                        | CVE-2021-22923   |          |                    |                 | curl: Metalink download                 |
2021-07-29T13:36:56.4816071Z |                        |                  |          |                    |                 | sends credentials                       |
2021-07-29T13:36:56.4816938Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-22923   |
2021-07-29T13:36:56.4817811Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4818811Z |                        | CVE-2021-22924   |          |                    |                 | curl: bad connection reuse              |
2021-07-29T13:36:56.4819505Z |                        |                  |          |                    |                 | due to flawed path name checks          |
2021-07-29T13:36:56.4820381Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-22924   |
2021-07-29T13:36:56.4821249Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4822273Z | libdnf                 | CVE-2021-3445    |          | 0.48.0-5.el8       |                 | libdnf: libdnf does its                 |
2021-07-29T13:36:56.4822969Z |                        |                  |          |                    |                 | own signature verification,             |
2021-07-29T13:36:56.4823610Z |                        |                  |          |                    |                 | but this can be tricked...              |
2021-07-29T13:36:56.4824472Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-3445    |
2021-07-29T13:36:56.4825343Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4826250Z | libgcc                 | CVE-2018-20673   |          | 8.3.1-5.1.el8      |                 | libiberty: Integer overflow in          |
2021-07-29T13:36:56.4826948Z |                        |                  |          |                    |                 | demangle_template() function            |
2021-07-29T13:36:56.4827810Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2018-20673   |
2021-07-29T13:36:56.4828678Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4829604Z | libgcrypt              | CVE-2019-12904   |          | 1.8.5-4.el8        |                 | Libgcrypt: physical addresses           |
2021-07-29T13:36:56.4830305Z |                        |                  |          |                    |                 | being available to other processes      |
2021-07-29T13:36:56.4831159Z |                        |                  |          |                    |                 | leads to a flush-and-reload...          |
2021-07-29T13:36:56.4832038Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-12904   |
2021-07-29T13:36:56.4832901Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4833822Z |                        | CVE-2021-33560   |          |                    |                 | libgcrypt: mishandles ElGamal           |
2021-07-29T13:36:56.4834525Z |                        |                  |          |                    |                 | encryption because it lacks             |
2021-07-29T13:36:56.4835163Z |                        |                  |          |                    |                 | exponent blinding to address a...       |
2021-07-29T13:36:56.4836551Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-33560   |
2021-07-29T13:36:56.4837555Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4838494Z | libsepol               | CVE-2021-36084   |          | 2.9-1.el8          |                 | libsepol: use-after-free in             |
2021-07-29T13:36:56.4839250Z |                        |                  |          |                    |                 | __cil_verify_classperms()               |
2021-07-29T13:36:56.4840276Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-36084   |
2021-07-29T13:36:56.4841209Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4842186Z |                        | CVE-2021-36085   |          |                    |                 | libsepol: use-after-free in             |
2021-07-29T13:36:56.4842936Z |                        |                  |          |                    |                 | __cil_verify_classperms()               |
2021-07-29T13:36:56.4843932Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-36085   |
2021-07-29T13:36:56.4844864Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4845850Z |                        | CVE-2021-36086   |          |                    |                 | libsepol: use-after-free in             |
2021-07-29T13:36:56.4846600Z |                        |                  |          |                    |                 | cil_reset_classpermission()             |
2021-07-29T13:36:56.4847513Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-36086   |
2021-07-29T13:36:56.4848438Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4849402Z |                        | CVE-2021-36087   |          |                    |                 | libsepol: heap-based buffer             |
2021-07-29T13:36:56.4850159Z |                        |                  |          |                    |                 | overflow in ebitmap_match_any()         |
2021-07-29T13:36:56.4851077Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-36087   |
2021-07-29T13:36:56.4851999Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4852974Z | libstdc++              | CVE-2018-20673   |          | 8.3.1-5.1.el8      |                 | libiberty: Integer overflow in          |
2021-07-29T13:36:56.4853724Z |                        |                  |          |                    |                 | demangle_template() function            |
2021-07-29T13:36:56.4854646Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2018-20673   |
2021-07-29T13:36:56.4855570Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4856564Z | libxml2                | CVE-2020-24977   |          | 2.9.7-8.el8        | 2.9.7-9.el8     | libxml2: Buffer overflow                |
2021-07-29T13:36:56.4857317Z |                        |                  |          |                    |                 | vulnerability in                        |
2021-07-29T13:36:56.4857996Z |                        |                  |          |                    |                 | xmlEncodeEntitiesInternal()             |
2021-07-29T13:36:56.4858676Z |                        |                  |          |                    |                 | in entities.c                           |
2021-07-29T13:36:56.4859591Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-24977   |
2021-07-29T13:36:56.4860508Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4861558Z |                        | CVE-2021-3516    |          |                    | 2.9.7-9.el8_4.2 | libxml2: Use-after-free in              |
2021-07-29T13:36:56.4862304Z |                        |                  |          |                    |                 | xmlEncodeEntitiesInternal()             |
2021-07-29T13:36:56.4862990Z |                        |                  |          |                    |                 | in entities.c                           |
2021-07-29T13:36:56.4863904Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-3516    |
2021-07-29T13:36:56.4864890Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T13:36:56.4865866Z |                        | CVE-2021-3517    |          |                    |                 | libxml2: Heap-based buffer overflow     |
2021-07-29T13:36:56.4866611Z |                        |                  |          |                    |                 | in xmlEncodeEntitiesInternal()          |
2021-07-29T13:36:56.4867304Z |                        |                  |          |                    |                 | in entities.c                           |
2021-07-29T13:36:56.4868217Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-3517    |
2021-07-29T13:36:56.4869141Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T13:36:56.4870128Z |                        | CVE-2021-3518    |          |                    |                 | libxml2: Use-after-free in              |
2021-07-29T13:36:56.4870878Z |                        |                  |          |                    |                 | xmlXIncludeDoProcess() in xinclude.c    |
2021-07-29T13:36:56.4871786Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-3518    |
2021-07-29T13:36:56.4872717Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T13:36:56.4873695Z |                        | CVE-2021-3537    |          |                    |                 | libxml2: NULL pointer dereference       |
2021-07-29T13:36:56.4874671Z |                        |                  |          |                    |                 | when post-validating mixed              |
2021-07-29T13:36:56.4875380Z |                        |                  |          |                    |                 | content parsed in recovery mode...      |
2021-07-29T13:36:56.4877262Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-3537    |
2021-07-29T13:36:56.4878190Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T13:36:56.4879178Z |                        | CVE-2021-3541    |          |                    |                 | libxml2: Exponential entity             |
2021-07-29T13:36:56.4879927Z |                        |                  |          |                    |                 | expansion attack bypasses all           |
2021-07-29T13:36:56.4880573Z |                        |                  |          |                    |                 | existing protection mechanisms          |
2021-07-29T13:36:56.4881824Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-3541    |
2021-07-29T13:36:56.4882927Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4885116Z | lua-libs               | CVE-2020-15945   |          | 5.3.4-11.el8       |                 | lua: segmentation fault                 |
2021-07-29T13:36:56.4886163Z |                        |                  |          |                    |                 | in changedline in ldebug.c              |
2021-07-29T13:36:56.4887380Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-15945   |
2021-07-29T13:36:56.4888464Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4889714Z | lz4-libs               | CVE-2019-17543   |          | 1.8.3-2.el8        |                 | lz4: heap-based buffer                  |
2021-07-29T13:36:56.4890704Z |                        |                  |          |                    |                 | overflow in LZ4_write32                 |
2021-07-29T13:36:56.4891852Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-17543   |
2021-07-29T13:36:56.4892905Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4894103Z |                        | CVE-2021-3520    |          |                    | 1.8.3-3.el8_4   | lz4: memory corruption                  |
2021-07-29T13:36:56.4894987Z |                        |                  |          |                    |                 | due to an integer overflow              |
2021-07-29T13:36:56.4895795Z |                        |                  |          |                    |                 | bug caused by memmove...                |
2021-07-29T13:36:56.4896836Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-3520    |
2021-07-29T13:36:56.4899824Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4900816Z | ncurses-base           | CVE-2019-17594   |          | 6.1-7.20180224.el8 |                 | ncurses: heap-based buffer              |
2021-07-29T13:36:56.4901505Z |                        |                  |          |                    |                 | overflow in the _nc_find_entry          |
2021-07-29T13:36:56.4902150Z |                        |                  |          |                    |                 | function in tinfo/comp_hash.c           |
2021-07-29T13:36:56.4903084Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-17594   |
2021-07-29T13:36:56.4904015Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4904988Z |                        | CVE-2019-17595   |          |                    |                 | ncurses: heap-based buffer              |
2021-07-29T13:36:56.4905735Z |                        |                  |          |                    |                 | overflow in the fmt_entry               |
2021-07-29T13:36:56.4906413Z |                        |                  |          |                    |                 | function in tinfo/comp_hash.c           |
2021-07-29T13:36:56.4913053Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-17595   |
2021-07-29T13:36:56.4946506Z +------------------------+------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4947807Z | ncurses-libs           | CVE-2019-17594   |          |                    |                 | ncurses: heap-based buffer              |
2021-07-29T13:36:56.4948691Z |                        |                  |          |                    |                 | overflow in the _nc_find_entry          |
2021-07-29T13:36:56.4949497Z |                        |                  |          |                    |                 | function in tinfo/comp_hash.c           |
2021-07-29T13:36:56.4950510Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-17594   |
2021-07-29T13:36:56.4961463Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4962668Z |                        | CVE-2019-17595   |          |                    |                 | ncurses: heap-based buffer              |
2021-07-29T13:36:56.4963545Z |                        |                  |          |                    |                 | overflow in the fmt_entry               |
2021-07-29T13:36:56.4964287Z |                        |                  |          |                    |                 | function in tinfo/comp_hash.c           |
2021-07-29T13:36:56.4965233Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-17595   |
2021-07-29T13:36:56.4966168Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4967162Z | nettle                 | CVE-2021-3580    |          | 3.4.1-4.el8_3      |                 | nettle: Remote crash                    |
2021-07-29T13:36:56.4967913Z |                        |                  |          |                    |                 | in RSA decryption via                   |
2021-07-29T13:36:56.4968604Z |                        |                  |          |                    |                 | manipulated ciphertext                  |
2021-07-29T13:36:56.4969521Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-3580    |
2021-07-29T13:36:56.4970457Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4971456Z | openssl-libs           | CVE-2021-23840   |          | 1:1.1.1g-15.el8_3  |                 | openssl: integer                        |
2021-07-29T13:36:56.4972211Z |                        |                  |          |                    |                 | overflow in CipherUpdate                |
2021-07-29T13:36:56.4973115Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-23840   |
2021-07-29T13:36:56.4974041Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4975018Z |                        | CVE-2021-23841   |          |                    |                 | openssl: NULL pointer dereference       |
2021-07-29T13:36:56.4975769Z |                        |                  |          |                    |                 | in X509_issuer_and_serial_hash()        |
2021-07-29T13:36:56.4976688Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-23841   |
2021-07-29T13:36:56.4977610Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4978602Z | p11-kit                | CVE-2020-29361   |          | 0.23.14-5.el8_0    | 0.23.22-1.el8   | p11-kit: integer overflow when          |
2021-07-29T13:36:56.4979355Z |                        |                  |          |                    |                 | allocating memory for arrays            |
2021-07-29T13:36:56.4980048Z |                        |                  |          |                    |                 | or attributes and object...             |
2021-07-29T13:36:56.4980966Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-29361   |
2021-07-29T13:36:56.4981997Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T13:36:56.4982982Z |                        | CVE-2020-29362   |          |                    |                 | p11-kit: out-of-bounds read in          |
2021-07-29T13:36:56.4983733Z |                        |                  |          |                    |                 | p11_rpc_buffer_get_byte_array           |
2021-07-29T13:36:56.4984640Z |                        |                  |          |                    |                 | function in rpc-message.c               |
2021-07-29T13:36:56.4985665Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-29362   |
2021-07-29T13:36:56.4986592Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T13:36:56.4987569Z |                        | CVE-2020-29363   |          |                    |                 | p11-kit: out-of-bounds write in         |
2021-07-29T13:36:56.4988320Z |                        |                  |          |                    |                 | p11_rpc_buffer_get_byte_array_value     |
2021-07-29T13:36:56.4989227Z |                        |                  |          |                    |                 | function in rpc-message.c               |
2021-07-29T13:36:56.4990155Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-29363   |
2021-07-29T13:36:56.4991083Z +------------------------+------------------+          +                    +                 +-----------------------------------------+
2021-07-29T13:36:56.4992065Z | p11-kit-trust          | CVE-2020-29361   |          |                    |                 | p11-kit: integer overflow when          |
2021-07-29T13:36:56.4992816Z |                        |                  |          |                    |                 | allocating memory for arrays            |
2021-07-29T13:36:56.4993499Z |                        |                  |          |                    |                 | or attributes and object...             |
2021-07-29T13:36:56.4994408Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-29361   |
2021-07-29T13:36:56.4995333Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T13:36:56.4996529Z |                        | CVE-2020-29362   |          |                    |                 | p11-kit: out-of-bounds read in          |
2021-07-29T13:36:56.4997293Z |                        |                  |          |                    |                 | p11_rpc_buffer_get_byte_array           |
2021-07-29T13:36:56.4998215Z |                        |                  |          |                    |                 | function in rpc-message.c               |
2021-07-29T13:36:56.4999141Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-29362   |
2021-07-29T13:36:56.5000064Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T13:36:56.5001042Z |                        | CVE-2020-29363   |          |                    |                 | p11-kit: out-of-bounds write in         |
2021-07-29T13:36:56.5001794Z |                        |                  |          |                    |                 | p11_rpc_buffer_get_byte_array_value     |
2021-07-29T13:36:56.5002699Z |                        |                  |          |                    |                 | function in rpc-message.c               |
2021-07-29T13:36:56.5003722Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-29363   |
2021-07-29T13:36:56.5004644Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.5005624Z | rpm                    | CVE-2021-20271   |          | 4.14.3-4.el8       | 4.14.3-14.el8_4 | rpm: Signature checks bypass            |
2021-07-29T13:36:56.5006373Z |                        |                  |          |                    |                 | via corrupted rpm package               |
2021-07-29T13:36:56.5007363Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-20271   |
2021-07-29T13:36:56.5008288Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5009263Z |                        | CVE-2021-3421    |          |                    |                 | rpm: unsigned signature header          |
2021-07-29T13:36:56.5010006Z |                        |                  |          |                    |                 | leads to string injection               |
2021-07-29T13:36:56.5010689Z |                        |                  |          |                    |                 | into an rpm database...                 |
2021-07-29T13:36:56.5011602Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-3421    |
2021-07-29T13:36:56.5012530Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5013501Z |                        | CVE-2021-35937   |          |                    |                 | rpm: TOCTOU race in                     |
2021-07-29T13:36:56.5014250Z |                        |                  |          |                    |                 | checks for unsafe symlinks              |
2021-07-29T13:36:56.5015166Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-35937   |
2021-07-29T13:36:56.5016119Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5017091Z |                        | CVE-2021-35938   |          |                    |                 | rpm: races with                         |
2021-07-29T13:36:56.5017838Z |                        |                  |          |                    |                 | chown/chmod/capabilities                |
2021-07-29T13:36:56.5018525Z |                        |                  |          |                    |                 | calls during installation               |
2021-07-29T13:36:56.5019439Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-35938   |
2021-07-29T13:36:56.5020348Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5021317Z |                        | CVE-2021-35939   |          |                    |                 | rpm: checks for unsafe                  |
2021-07-29T13:36:56.5022065Z |                        |                  |          |                    |                 | symlinks are not performed              |
2021-07-29T13:36:56.5022745Z |                        |                  |          |                    |                 | for intermediary directories            |
2021-07-29T13:36:56.5023658Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-35939   |
2021-07-29T13:36:56.5024573Z +------------------------+------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5025633Z | rpm-libs               | CVE-2021-20271   |          |                    | 4.14.3-14.el8_4 | rpm: Signature checks bypass            |
2021-07-29T13:36:56.5026377Z |                        |                  |          |                    |                 | via corrupted rpm package               |
2021-07-29T13:36:56.5027294Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-20271   |
2021-07-29T13:36:56.5028211Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5029253Z |                        | CVE-2021-3421    |          |                    |                 | rpm: unsigned signature header          |
2021-07-29T13:36:56.5029996Z |                        |                  |          |                    |                 | leads to string injection               |
2021-07-29T13:36:56.5030683Z |                        |                  |          |                    |                 | into an rpm database...                 |
2021-07-29T13:36:56.5031591Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-3421    |
2021-07-29T13:36:56.5032513Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5033489Z |                        | CVE-2021-35937   |          |                    |                 | rpm: TOCTOU race in                     |
2021-07-29T13:36:56.5034239Z |                        |                  |          |                    |                 | checks for unsafe symlinks              |
2021-07-29T13:36:56.5035150Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-35937   |
2021-07-29T13:36:56.5036626Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5037628Z |                        | CVE-2021-35938   |          |                    |                 | rpm: races with                         |
2021-07-29T13:36:56.5038379Z |                        |                  |          |                    |                 | chown/chmod/capabilities                |
2021-07-29T13:36:56.5039070Z |                        |                  |          |                    |                 | calls during installation               |
2021-07-29T13:36:56.5039984Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-35938   |
2021-07-29T13:36:56.5040906Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5041881Z |                        | CVE-2021-35939   |          |                    |                 | rpm: checks for unsafe                  |
2021-07-29T13:36:56.5042627Z |                        |                  |          |                    |                 | symlinks are not performed              |
2021-07-29T13:36:56.5043300Z |                        |                  |          |                    |                 | for intermediary directories            |
2021-07-29T13:36:56.5044210Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-35939   |
2021-07-29T13:36:56.5045133Z +------------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.5046114Z | sqlite-libs            | CVE-2019-5827    | HIGH     | 3.26.0-11.el8      |                 | chromium-browser:                       |
2021-07-29T13:36:56.5047085Z |                        |                  |          |                    |                 | out-of-bounds access in SQLite          |
2021-07-29T13:36:56.5048110Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-5827    |
2021-07-29T13:36:56.5049030Z +                        +------------------+----------+                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5050006Z |                        | CVE-2019-13750   | MEDIUM   |                    |                 | sqlite: dropping of shadow tables       |
2021-07-29T13:36:56.5050829Z |                        |                  |          |                    |                 | not restricted in defensive mode        |
2021-07-29T13:36:56.5051744Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-13750   |
2021-07-29T13:36:56.5052663Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5053643Z |                        | CVE-2019-13751   |          |                    |                 | sqlite: fts3: improve                   |
2021-07-29T13:36:56.5054394Z |                        |                  |          |                    |                 | detection of corrupted records          |
2021-07-29T13:36:56.5055306Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-13751   |
2021-07-29T13:36:56.5056228Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5057202Z |                        | CVE-2019-19603   |          |                    |                 | sqlite: mishandles certain SELECT       |
2021-07-29T13:36:56.5057950Z |                        |                  |          |                    |                 | statements with a nonexistent           |
2021-07-29T13:36:56.5058636Z |                        |                  |          |                    |                 | VIEW, leading to DoS...                 |
2021-07-29T13:36:56.5059547Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-19603   |
2021-07-29T13:36:56.5060467Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5061441Z |                        | CVE-2020-13434   |          |                    | 3.26.0-13.el8   | sqlite: integer overflow                |
2021-07-29T13:36:56.5062191Z |                        |                  |          |                    |                 | in sqlite3_str_vappendf                 |
2021-07-29T13:36:56.5062874Z |                        |                  |          |                    |                 | function in printf.c                    |
2021-07-29T13:36:56.5063794Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-13434   |
2021-07-29T13:36:56.5064715Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5065683Z |                        | CVE-2020-13435   |          |                    |                 | sqlite: NULL pointer dereference        |
2021-07-29T13:36:56.5066414Z |                        |                  |          |                    |                 | leads to segmentation fault in          |
2021-07-29T13:36:56.5067105Z |                        |                  |          |                    |                 | sqlite3ExprCodeTarget in expr.c...      |
2021-07-29T13:36:56.5068015Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-13435   |
2021-07-29T13:36:56.5069013Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5069991Z |                        | CVE-2020-15358   |          |                    | 3.26.0-13.el8   | sqlite: heap-based buffer overflow in   |
2021-07-29T13:36:56.5070735Z |                        |                  |          |                    |                 | multiSelectOrderBy due to mishandling   |
2021-07-29T13:36:56.5071644Z |                        |                  |          |                    |                 | of query-flattener optimization...      |
2021-07-29T13:36:56.5072636Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-15358   |
2021-07-29T13:36:56.5073557Z +------------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.5074546Z | systemd-libs           | CVE-2021-33910   | HIGH     | 239-41.el8_3.2     | 239-45.el8_4.2  | systemd: uncontrolled                   |
2021-07-29T13:36:56.5075295Z |                        |                  |          |                    |                 | allocation on the stack in              |
2021-07-29T13:36:56.5076081Z |                        |                  |          |                    |                 | function unit_name_path_escape          |
2021-07-29T13:36:56.5076729Z |                        |                  |          |                    |                 | leads to crash...                       |
2021-07-29T13:36:56.5077605Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-33910   |
2021-07-29T13:36:56.5081111Z +                        +------------------+----------+                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5082318Z |                        | CVE-2018-20839   | MEDIUM   |                    |                 | systemd: mishandling of the             |
2021-07-29T13:36:56.5083095Z |                        |                  |          |                    |                 | current keyboard mode check             |
2021-07-29T13:36:56.5083791Z |                        |                  |          |                    |                 | leading to passwords being...           |
2021-07-29T13:36:56.5084715Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2018-20839   |
2021-07-29T13:36:56.5085646Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5086627Z |                        | CVE-2019-3842    |          |                    | 239-45.el8      | systemd: Spoofing of XDG_SEAT           |
2021-07-29T13:36:56.5087380Z |                        |                  |          |                    |                 | allows for actions to be checked        |
2021-07-29T13:36:56.5088069Z |                        |                  |          |                    |                 | against "allow_active"...               |
2021-07-29T13:36:56.5088987Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-3842    |
2021-07-29T13:36:56.5089915Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T13:36:56.5090896Z |                        | CVE-2020-13776   |          |                    |                 | systemd: Mishandles numerical           |
2021-07-29T13:36:56.5091630Z |                        |                  |          |                    |                 | usernames beginning with decimal        |
2021-07-29T13:36:56.5092317Z |                        |                  |          |                    |                 | digits or 0x followed by...             |
2021-07-29T13:36:56.5093346Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-13776   |
2021-07-29T13:36:56.5094270Z +------------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.5094671Z 
2021-07-29T13:36:56.5095172Z usr/local/bin/chaos-runner (gobinary)
2021-07-29T13:36:56.5095599Z =====================================
2021-07-29T13:36:56.5096106Z Total: 4 (MEDIUM: 2, HIGH: 2, CRITICAL: 0)
2021-07-29T13:36:56.5096384Z 
2021-07-29T13:36:56.5097188Z +--------------------------+------------------+----------+------------------------------------+------------------------------------+---------------------------------------+
2021-07-29T13:36:56.5098020Z |         LIBRARY          | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION          |           FIXED VERSION            |                 TITLE                 |
2021-07-29T13:36:56.5099093Z +--------------------------+------------------+----------+------------------------------------+------------------------------------+---------------------------------------+
2021-07-29T13:36:56.5100168Z | github.com/gogo/protobuf | CVE-2021-3121    | HIGH     | v1.3.1                             | v1.3.2                             | gogo/protobuf:                        |
2021-07-29T13:36:56.5100979Z |                          |                  |          |                                    |                                    | plugin/unmarshal/unmarshal.go         |
2021-07-29T13:36:56.5101769Z |                          |                  |          |                                    |                                    | lacks certain index validation        |
2021-07-29T13:36:56.5102814Z |                          |                  |          |                                    |                                    | -->avd.aquasec.com/nvd/cve-2021-3121  |
2021-07-29T13:36:56.5103871Z +--------------------------+------------------+          +------------------------------------+------------------------------------+---------------------------------------+
2021-07-29T13:36:56.5105007Z | golang.org/x/crypto      | CVE-2020-29652   |          | v0.0.0-20200622213623-75b288015ac9 | v0.0.0-20201216223049-8b5274cf687f | golang: crypto/ssh: crafted           |
2021-07-29T13:36:56.5105872Z |                          |                  |          |                                    |                                    | authentication request can            |
2021-07-29T13:36:56.5106664Z |                          |                  |          |                                    |                                    | lead to nil pointer dereference       |
2021-07-29T13:36:56.5107703Z |                          |                  |          |                                    |                                    | -->avd.aquasec.com/nvd/cve-2020-29652 |
2021-07-29T13:36:56.5108757Z +--------------------------+------------------+----------+------------------------------------+------------------------------------+---------------------------------------+
2021-07-29T13:36:56.5109889Z | k8s.io/client-go         | CVE-2019-11250   | MEDIUM   | v0.0.0-20191016111102-bec269661e48 | v0.17.0                            | kubernetes: Bearer tokens             |
2021-07-29T13:36:56.5110750Z |                          |                  |          |                                    |                                    | written to logs at high               |
2021-07-29T13:36:56.5111535Z |                          |                  |          |                                    |                                    | verbosity levels (>= 7)...            |
2021-07-29T13:36:56.5112567Z |                          |                  |          |                                    |                                    | -->avd.aquasec.com/nvd/cve-2019-11250 |
2021-07-29T13:36:56.5113702Z +                          +------------------+          +                                    +------------------------------------+---------------------------------------+
2021-07-29T13:36:56.5114825Z |                          | CVE-2020-8565    |          |                                    | v0.20.0-alpha.2                    | kubernetes: Incomplete fix            |
2021-07-29T13:36:56.5116334Z |                          |                  |          |                                    |                                    | for CVE-2019-11250 allows for         |
2021-07-29T13:36:56.5117270Z |                          |                  |          |                                    |                                    | token leak in logs when...            |
2021-07-29T13:36:56.5118336Z |                          |                  |          |                                    |                                    | -->avd.aquasec.com/nvd/cve-2020-8565  |
2021-07-29T13:36:56.5119392Z +--------------------------+------------------+----------+------------------------------------+------------------------------------+---------------------------------------+
2021-07-29T13:36:56.5959433Z Vulnerabilities found.
2021-07-29T13:36:56.5994000Z ##[error]Bash exited with code '1'.
2021-07-29T13:36:56.6049663Z ##[section]Finishing: Scan Docker container image

What you expected to happen:
Since, maintenance of a tested version of Chaos Runner Docker container image in a user specific, private container registry is a best practice in a production grade container deployment (instead of using the publicly available version from a public image registry), it would be ideal to provide the users with an image which is vulnerability free, as much as possible.

Appreciate if you could look into the detected vulnerabilities. If LitmusChaos uses a different, image scan tool, would appreciate details about its vulnerability check.

How to reproduce it (as minimally and precisely as possible):
Using Trivy Docker image scan tool.

@ksatchit
Copy link
Member

Thanks for opening the issue . We are in the process of hardening the images - with mitigation for at least severity high CVEs as much as possible. Eta will be updated here (expected to take some time due to test efforts involved)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
good first issue Good for newcomers
Projects
None yet
Development

No branches or pull requests

3 participants