Description
Is this a BUG REPORT or FEATURE REQUEST?
It is a BUG REPORT.
What happened:
Experienced the following Docker container image vulnerability scan report using the Trivy Docker image scan tool:
2021-07-29T13:36:56.4138539Z 2021-07-29T13:36:56.412Z INFO Detecting RHEL/CentOS vulnerabilities...
2021-07-29T13:36:56.4162131Z 2021-07-29T13:36:56.415Z INFO Number of language-specific files: 1
2021-07-29T13:36:56.4163072Z 2021-07-29T13:36:56.415Z INFO Detecting gobinary vulnerabilities...
2021-07-29T13:36:56.4368755Z
2021-07-29T13:36:56.4370056Z litmuschaos/chaos-runner:1.13.8 (redhat 8.3)
2021-07-29T13:36:56.4372658Z ============================================
2021-07-29T13:36:56.4373323Z Total: 98 (MEDIUM: 92, HIGH: 3, CRITICAL: 3)
2021-07-29T13:36:56.4374841Z
2021-07-29T13:36:56.4379188Z +------------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4383762Z | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
2021-07-29T13:36:56.4385696Z +------------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4389389Z | brotli | CVE-2020-8927 | MEDIUM | 1.0.6-2.el8 | 1.0.6-3.el8 | brotli: buffer overflow when |
2021-07-29T13:36:56.4395453Z | | | | | | input chunk is larger than 2GiB |
2021-07-29T13:36:56.4397601Z | | | | | | -->avd.aquasec.com/nvd/cve-2020-8927 |
2021-07-29T13:36:56.4398665Z +------------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4403269Z | coreutils-single | CVE-2017-18018 | | 8.30-8.el8 | | coreutils: race condition |
2021-07-29T13:36:56.4442605Z | | | | | | vulnerability in chown and chgrp |
2021-07-29T13:36:56.4443821Z | | | | | | -->avd.aquasec.com/nvd/cve-2017-18018 |
2021-07-29T13:36:56.4444819Z +------------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4453601Z | curl | CVE-2020-8284 | | 7.61.1-14.el8_3.1 | 7.61.1-18.el8 | curl: FTP PASV command |
2021-07-29T13:36:56.4454963Z | | | | | | response can cause curl |
2021-07-29T13:36:56.4455808Z | | | | | | to connect to arbitrary... |
2021-07-29T13:36:56.4457051Z | | | | | | -->avd.aquasec.com/nvd/cve-2020-8284 |
2021-07-29T13:36:56.4458242Z + +------------------+ + + +-----------------------------------------+
2021-07-29T13:36:56.4459489Z | | CVE-2020-8285 | | | | curl: Malicious FTP server can |
2021-07-29T13:36:56.4462362Z | | | | | | trigger stack overflow when |
2021-07-29T13:36:56.4463302Z | | | | | | CURLOPT_CHUNK_BGN_FUNCTION |
2021-07-29T13:36:56.4464143Z | | | | | | is used... |
2021-07-29T13:36:56.4467629Z | | | | | | -->avd.aquasec.com/nvd/cve-2020-8285 |
2021-07-29T13:36:56.4468872Z + +------------------+ + + +-----------------------------------------+
2021-07-29T13:36:56.4470222Z | | CVE-2020-8286 | | | | curl: Inferior OCSP verification |
2021-07-29T13:36:56.4471546Z | | | | | | -->avd.aquasec.com/nvd/cve-2020-8286 |
2021-07-29T13:36:56.4472641Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4473848Z | | CVE-2021-22876 | | | | curl: Leak of authentication |
2021-07-29T13:36:56.4474639Z | | | | | | credentials in URL |
2021-07-29T13:36:56.4475322Z | | | | | | via automatic Referer |
2021-07-29T13:36:56.4554819Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-22876 |
2021-07-29T13:36:56.4578785Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4598778Z | | CVE-2021-22922 | | | | curl: wrong content via |
2021-07-29T13:36:56.4605549Z | | | | | | metalink is not being discarded |
2021-07-29T13:36:56.4638225Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-22922 |
2021-07-29T13:36:56.4639636Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4640696Z | | CVE-2021-22923 | | | | curl: Metalink download |
2021-07-29T13:36:56.4641492Z | | | | | | sends credentials |
2021-07-29T13:36:56.4642566Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-22923 |
2021-07-29T13:36:56.4643567Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4644583Z | | CVE-2021-22924 | | | | curl: bad connection reuse |
2021-07-29T13:36:56.4645375Z | | | | | | due to flawed path name checks |
2021-07-29T13:36:56.4646322Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-22924 |
2021-07-29T13:36:56.4647275Z +------------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4648291Z | file-libs | CVE-2019-18218 | | 5.33-16.el8_3.1 | | file: heap-based buffer overflow |
2021-07-29T13:36:56.4649075Z | | | | | | in cdf_read_property_info in cdf.c |
2021-07-29T13:36:56.4650018Z | | | | | | -->avd.aquasec.com/nvd/cve-2019-18218 |
2021-07-29T13:36:56.4650981Z +------------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4652006Z | glib2 | CVE-2021-27219 | HIGH | 2.56.4-8.el8 | 2.56.4-10.el8_4 | glib: integer overflow in |
2021-07-29T13:36:56.4652784Z | | | | | | g_bytes_new function on |
2021-07-29T13:36:56.4653723Z | | | | | | 64-bit platforms due to an... |
2021-07-29T13:36:56.4654682Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-27219 |
2021-07-29T13:36:56.4655644Z + +------------------+----------+ +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4656662Z | | CVE-2020-13543 | MEDIUM | | 2.56.4-9.el8 | webkitgtk: use-after-free may |
2021-07-29T13:36:56.4657437Z | | | | | | lead to arbitrary code execution |
2021-07-29T13:36:56.4658395Z | | | | | | -->avd.aquasec.com/nvd/cve-2020-13543 |
2021-07-29T13:36:56.4659339Z + +------------------+ + + +-----------------------------------------+
2021-07-29T13:36:56.4660345Z | | CVE-2020-13584 | | | | webkitgtk: use-after-free may |
2021-07-29T13:36:56.4661122Z | | | | | | lead to arbitrary code execution |
2021-07-29T13:36:56.4662154Z | | | | | | -->avd.aquasec.com/nvd/cve-2020-13584 |
2021-07-29T13:36:56.4663111Z + +------------------+ + + +-----------------------------------------+
2021-07-29T13:36:56.4664122Z | | CVE-2020-9948 | | | | webkitgtk: type confusion may |
2021-07-29T13:36:56.4664899Z | | | | | | lead to arbitrary code execution |
2021-07-29T13:36:56.4665921Z | | | | | | -->avd.aquasec.com/nvd/cve-2020-9948 |
2021-07-29T13:36:56.4666881Z + +------------------+ + + +-----------------------------------------+
2021-07-29T13:36:56.4667888Z | | CVE-2020-9951 | | | | webkitgtk: use-after-free may |
2021-07-29T13:36:56.4668668Z | | | | | | lead to arbitrary code execution |
2021-07-29T13:36:56.4669603Z | | | | | | -->avd.aquasec.com/nvd/cve-2020-9951 |
2021-07-29T13:36:56.4670554Z + +------------------+ + + +-----------------------------------------+
2021-07-29T13:36:56.4671562Z | | CVE-2020-9983 | | | | webkitgtk: out-of-bounds write |
2021-07-29T13:36:56.4672357Z | | | | | | may lead to code execution |
2021-07-29T13:36:56.4673301Z | | | | | | -->avd.aquasec.com/nvd/cve-2020-9983 |
2021-07-29T13:36:56.4674258Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4675260Z | | CVE-2021-27218 | | | | glib: integer overflow in |
2021-07-29T13:36:56.4676287Z | | | | | | g_byte_array_new_take function |
2021-07-29T13:36:56.4677026Z | | | | | | when called with a buffer of... |
2021-07-29T13:36:56.4678003Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-27218 |
2021-07-29T13:36:56.4679155Z +------------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4680192Z | glibc | CVE-2019-1010022 | CRITICAL | 2.28-127.el8_3.2 | | glibc: stack guard protection bypass |
2021-07-29T13:36:56.4681204Z | | | | | | -->avd.aquasec.com/nvd/cve-2019-1010022 |
2021-07-29T13:36:56.4682169Z + +------------------+----------+ +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4683188Z | | CVE-2019-25013 | MEDIUM | | 2.28-151.el8 | glibc: buffer over-read in |
2021-07-29T13:36:56.4683963Z | | | | | | iconv when processing invalid |
2021-07-29T13:36:56.4684906Z | | | | | | multi-byte input sequences in... |
2021-07-29T13:36:56.4685981Z | | | | | | -->avd.aquasec.com/nvd/cve-2019-25013 |
2021-07-29T13:36:56.4686946Z + +------------------+ + + +-----------------------------------------+
2021-07-29T13:36:56.4687984Z | | CVE-2019-9169 | | | | glibc: regular-expression |
2021-07-29T13:36:56.4688768Z | | | | | | match via proceed_next_node |
2021-07-29T13:36:56.4689567Z | | | | | | in posix/regexec.c leads to |
2021-07-29T13:36:56.4690512Z | | | | | | heap-based buffer over-read... |
2021-07-29T13:36:56.4691479Z | | | | | | -->avd.aquasec.com/nvd/cve-2019-9169 |
2021-07-29T13:36:56.4692433Z + +------------------+ + + +-----------------------------------------+
2021-07-29T13:36:56.4693451Z | | CVE-2021-3326 | | | | glibc: Assertion failure in |
2021-07-29T13:36:56.4694595Z | | | | | | ISO-2022-JP-3 gconv module |
2021-07-29T13:36:56.4695338Z | | | | | | related to combining characters |
2021-07-29T13:36:56.4696286Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-3326 |
2021-07-29T13:36:56.4697252Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4698270Z | | CVE-2021-35942 | | | | glibc: Arbitrary read in wordexp() |
2021-07-29T13:36:56.4712230Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-35942 |
2021-07-29T13:36:56.4713664Z +------------------------+------------------+----------+ +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4714708Z | glibc-common | CVE-2019-1010022 | CRITICAL | | | glibc: stack guard protection bypass |
2021-07-29T13:36:56.4715805Z | | | | | | -->avd.aquasec.com/nvd/cve-2019-1010022 |
2021-07-29T13:36:56.4716869Z + +------------------+----------+ +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4723085Z | | CVE-2019-25013 | MEDIUM | | 2.28-151.el8 | glibc: buffer over-read in |
2021-07-29T13:36:56.4723948Z | | | | | | iconv when processing invalid |
2021-07-29T13:36:56.4726740Z | | | | | | multi-byte input sequences in... |
2021-07-29T13:36:56.4729343Z | | | | | | -->avd.aquasec.com/nvd/cve-2019-25013 |
2021-07-29T13:36:56.4730654Z + +------------------+ + + +-----------------------------------------+
2021-07-29T13:36:56.4732083Z | | CVE-2019-9169 | | | | glibc: regular-expression |
2021-07-29T13:36:56.4732809Z | | | | | | match via proceed_next_node |
2021-07-29T13:36:56.4733438Z | | | | | | in posix/regexec.c leads to |
2021-07-29T13:36:56.4734969Z | | | | | | heap-based buffer over-read... |
2021-07-29T13:36:56.4736342Z | | | | | | -->avd.aquasec.com/nvd/cve-2019-9169 |
2021-07-29T13:36:56.4737633Z + +------------------+ + + +-----------------------------------------+
2021-07-29T13:36:56.4738621Z | | CVE-2021-3326 | | | | glibc: Assertion failure in |
2021-07-29T13:36:56.4739543Z | | | | | | ISO-2022-JP-3 gconv module |
2021-07-29T13:36:56.4740200Z | | | | | | related to combining characters |
2021-07-29T13:36:56.4741065Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-3326 |
2021-07-29T13:36:56.4741944Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4742866Z | | CVE-2021-35942 | | | | glibc: Arbitrary read in wordexp() |
2021-07-29T13:36:56.4743793Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-35942 |
2021-07-29T13:36:56.4744663Z +------------------------+------------------+----------+ +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4745591Z | glibc-minimal-langpack | CVE-2019-1010022 | CRITICAL | | | glibc: stack guard protection bypass |
2021-07-29T13:36:56.4746518Z | | | | | | -->avd.aquasec.com/nvd/cve-2019-1010022 |
2021-07-29T13:36:56.4747388Z + +------------------+----------+ +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4748315Z | | CVE-2019-25013 | MEDIUM | | 2.28-151.el8 | glibc: buffer over-read in |
2021-07-29T13:36:56.4749017Z | | | | | | iconv when processing invalid |
2021-07-29T13:36:56.4749876Z | | | | | | multi-byte input sequences in... |
2021-07-29T13:36:56.4750748Z | | | | | | -->avd.aquasec.com/nvd/cve-2019-25013 |
2021-07-29T13:36:56.4751612Z + +------------------+ + + +-----------------------------------------+
2021-07-29T13:36:56.4752556Z | | CVE-2019-9169 | | | | glibc: regular-expression |
2021-07-29T13:36:56.4753255Z | | | | | | match via proceed_next_node |
2021-07-29T13:36:56.4753889Z | | | | | | in posix/regexec.c leads to |
2021-07-29T13:36:56.4754842Z | | | | | | heap-based buffer over-read... |
2021-07-29T13:36:56.4755825Z | | | | | | -->avd.aquasec.com/nvd/cve-2019-9169 |
2021-07-29T13:36:56.4756716Z + +------------------+ + + +-----------------------------------------+
2021-07-29T13:36:56.4757624Z | | CVE-2021-3326 | | | | glibc: Assertion failure in |
2021-07-29T13:36:56.4758630Z | | | | | | ISO-2022-JP-3 gconv module |
2021-07-29T13:36:56.4759287Z | | | | | | related to combining characters |
2021-07-29T13:36:56.4760152Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-3326 |
2021-07-29T13:36:56.4761025Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4761946Z | | CVE-2021-35942 | | | | glibc: Arbitrary read in wordexp() |
2021-07-29T13:36:56.4762861Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-35942 |
2021-07-29T13:36:56.4763730Z +------------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4764657Z | gnutls | CVE-2021-20231 | | 3.6.14-8.el8_3 | | gnutls: Use after free in |
2021-07-29T13:36:56.4765363Z | | | | | | client key_share extension |
2021-07-29T13:36:56.4766225Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-20231 |
2021-07-29T13:36:56.4767090Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4768006Z | | CVE-2021-20232 | | | | gnutls: Use after free |
2021-07-29T13:36:56.4768704Z | | | | | | in client_send_params in |
2021-07-29T13:36:56.4769339Z | | | | | | lib/ext/pre_shared_key.c |
2021-07-29T13:36:56.4770198Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-20232 |
2021-07-29T13:36:56.4771065Z +------------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4772002Z | json-c | CVE-2020-12762 | | 0.13.1-0.2.el8 | | json-c: integer overflow |
2021-07-29T13:36:56.4772924Z | | | | | | and out-of-bounds write |
2021-07-29T13:36:56.4773575Z | | | | | | via a large JSON file |
2021-07-29T13:36:56.4774439Z | | | | | | -->avd.aquasec.com/nvd/cve-2020-12762 |
2021-07-29T13:36:56.4775377Z +------------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4776307Z | krb5-libs | CVE-2020-28196 | | 1.18.2-5.el8 | 1.18.2-8.el8 | krb5: unbounded recursion via an |
2021-07-29T13:36:56.4777223Z | | | | | | ASN.1-encoded Kerberos message |
2021-07-29T13:36:56.4777876Z | | | | | | in lib/krb5/asn.1/asn1_encode.c |
2021-07-29T13:36:56.4778575Z | | | | | | may lead... |
2021-07-29T13:36:56.4779430Z | | | | | | -->avd.aquasec.com/nvd/cve-2020-28196 |
2021-07-29T13:36:56.4780301Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4781220Z | | CVE-2021-36222 | | | | krb5: sending a request containing |
2021-07-29T13:36:56.4782136Z | | | | | | a PA-ENCRYPTED-CHALLENGE padata |
2021-07-29T13:36:56.4782788Z | | | | | | element without using FAST... |
2021-07-29T13:36:56.4783645Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-36222 |
2021-07-29T13:36:56.4784511Z +------------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4785441Z | libarchive | CVE-2017-14502 | | 3.3.2-9.el8 | 3.3.3-1.el8 | libarchive: Off-by-one error |
2021-07-29T13:36:56.4786143Z | | | | | | in the read_header function |
2021-07-29T13:36:56.4787007Z | | | | | | -->avd.aquasec.com/nvd/cve-2017-14502 |
2021-07-29T13:36:56.4787876Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4788799Z | | CVE-2020-21674 | | | | libarchive: heap-based |
2021-07-29T13:36:56.4790387Z | | | | | | buffer overflow in |
2021-07-29T13:36:56.4791177Z | | | | | | archive_string_append_from_wcs |
2021-07-29T13:36:56.4791981Z | | | | | | function in archive_string.c |
2021-07-29T13:36:56.4793072Z | | | | | | -->avd.aquasec.com/nvd/cve-2020-21674 |
2021-07-29T13:36:56.4794221Z +------------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4796302Z | libcurl | CVE-2020-8284 | | 7.61.1-14.el8_3.1 | 7.61.1-18.el8 | curl: FTP PASV command |
2021-07-29T13:36:56.4797075Z | | | | | | response can cause curl |
2021-07-29T13:36:56.4797717Z | | | | | | to connect to arbitrary... |
2021-07-29T13:36:56.4798731Z | | | | | | -->avd.aquasec.com/nvd/cve-2020-8284 |
2021-07-29T13:36:56.4799604Z + +------------------+ + + +-----------------------------------------+
2021-07-29T13:36:56.4800530Z | | CVE-2020-8285 | | | | curl: Malicious FTP server can |
2021-07-29T13:36:56.4801259Z | | | | | | trigger stack overflow when |
2021-07-29T13:36:56.4801988Z | | | | | | CURLOPT_CHUNK_BGN_FUNCTION |
2021-07-29T13:36:56.4802626Z | | | | | | is used... |
2021-07-29T13:36:56.4803488Z | | | | | | -->avd.aquasec.com/nvd/cve-2020-8285 |
2021-07-29T13:36:56.4804358Z + +------------------+ + + +-----------------------------------------+
2021-07-29T13:36:56.4805282Z | | CVE-2020-8286 | | | | curl: Inferior OCSP verification |
2021-07-29T13:36:56.4806196Z | | | | | | -->avd.aquasec.com/nvd/cve-2020-8286 |
2021-07-29T13:36:56.4807069Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4807988Z | | CVE-2021-22876 | | | | curl: Leak of authentication |
2021-07-29T13:36:56.4808689Z | | | | | | credentials in URL |
2021-07-29T13:36:56.4809329Z | | | | | | via automatic Referer |
2021-07-29T13:36:56.4810191Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-22876 |
2021-07-29T13:36:56.4811058Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4811986Z | | CVE-2021-22922 | | | | curl: wrong content via |
2021-07-29T13:36:56.4812678Z | | | | | | metalink is not being discarded |
2021-07-29T13:36:56.4813541Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-22922 |
2021-07-29T13:36:56.4814412Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4815369Z | | CVE-2021-22923 | | | | curl: Metalink download |
2021-07-29T13:36:56.4816071Z | | | | | | sends credentials |
2021-07-29T13:36:56.4816938Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-22923 |
2021-07-29T13:36:56.4817811Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4818811Z | | CVE-2021-22924 | | | | curl: bad connection reuse |
2021-07-29T13:36:56.4819505Z | | | | | | due to flawed path name checks |
2021-07-29T13:36:56.4820381Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-22924 |
2021-07-29T13:36:56.4821249Z +------------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4822273Z | libdnf | CVE-2021-3445 | | 0.48.0-5.el8 | | libdnf: libdnf does its |
2021-07-29T13:36:56.4822969Z | | | | | | own signature verification, |
2021-07-29T13:36:56.4823610Z | | | | | | but this can be tricked... |
2021-07-29T13:36:56.4824472Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-3445 |
2021-07-29T13:36:56.4825343Z +------------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4826250Z | libgcc | CVE-2018-20673 | | 8.3.1-5.1.el8 | | libiberty: Integer overflow in |
2021-07-29T13:36:56.4826948Z | | | | | | demangle_template() function |
2021-07-29T13:36:56.4827810Z | | | | | | -->avd.aquasec.com/nvd/cve-2018-20673 |
2021-07-29T13:36:56.4828678Z +------------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4829604Z | libgcrypt | CVE-2019-12904 | | 1.8.5-4.el8 | | Libgcrypt: physical addresses |
2021-07-29T13:36:56.4830305Z | | | | | | being available to other processes |
2021-07-29T13:36:56.4831159Z | | | | | | leads to a flush-and-reload... |
2021-07-29T13:36:56.4832038Z | | | | | | -->avd.aquasec.com/nvd/cve-2019-12904 |
2021-07-29T13:36:56.4832901Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4833822Z | | CVE-2021-33560 | | | | libgcrypt: mishandles ElGamal |
2021-07-29T13:36:56.4834525Z | | | | | | encryption because it lacks |
2021-07-29T13:36:56.4835163Z | | | | | | exponent blinding to address a... |
2021-07-29T13:36:56.4836551Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-33560 |
2021-07-29T13:36:56.4837555Z +------------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4838494Z | libsepol | CVE-2021-36084 | | 2.9-1.el8 | | libsepol: use-after-free in |
2021-07-29T13:36:56.4839250Z | | | | | | __cil_verify_classperms() |
2021-07-29T13:36:56.4840276Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-36084 |
2021-07-29T13:36:56.4841209Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4842186Z | | CVE-2021-36085 | | | | libsepol: use-after-free in |
2021-07-29T13:36:56.4842936Z | | | | | | __cil_verify_classperms() |
2021-07-29T13:36:56.4843932Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-36085 |
2021-07-29T13:36:56.4844864Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4845850Z | | CVE-2021-36086 | | | | libsepol: use-after-free in |
2021-07-29T13:36:56.4846600Z | | | | | | cil_reset_classpermission() |
2021-07-29T13:36:56.4847513Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-36086 |
2021-07-29T13:36:56.4848438Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4849402Z | | CVE-2021-36087 | | | | libsepol: heap-based buffer |
2021-07-29T13:36:56.4850159Z | | | | | | overflow in ebitmap_match_any() |
2021-07-29T13:36:56.4851077Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-36087 |
2021-07-29T13:36:56.4851999Z +------------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4852974Z | libstdc++ | CVE-2018-20673 | | 8.3.1-5.1.el8 | | libiberty: Integer overflow in |
2021-07-29T13:36:56.4853724Z | | | | | | demangle_template() function |
2021-07-29T13:36:56.4854646Z | | | | | | -->avd.aquasec.com/nvd/cve-2018-20673 |
2021-07-29T13:36:56.4855570Z +------------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4856564Z | libxml2 | CVE-2020-24977 | | 2.9.7-8.el8 | 2.9.7-9.el8 | libxml2: Buffer overflow |
2021-07-29T13:36:56.4857317Z | | | | | | vulnerability in |
2021-07-29T13:36:56.4857996Z | | | | | | xmlEncodeEntitiesInternal() |
2021-07-29T13:36:56.4858676Z | | | | | | in entities.c |
2021-07-29T13:36:56.4859591Z | | | | | | -->avd.aquasec.com/nvd/cve-2020-24977 |
2021-07-29T13:36:56.4860508Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4861558Z | | CVE-2021-3516 | | | 2.9.7-9.el8_4.2 | libxml2: Use-after-free in |
2021-07-29T13:36:56.4862304Z | | | | | | xmlEncodeEntitiesInternal() |
2021-07-29T13:36:56.4862990Z | | | | | | in entities.c |
2021-07-29T13:36:56.4863904Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-3516 |
2021-07-29T13:36:56.4864890Z + +------------------+ + + +-----------------------------------------+
2021-07-29T13:36:56.4865866Z | | CVE-2021-3517 | | | | libxml2: Heap-based buffer overflow |
2021-07-29T13:36:56.4866611Z | | | | | | in xmlEncodeEntitiesInternal() |
2021-07-29T13:36:56.4867304Z | | | | | | in entities.c |
2021-07-29T13:36:56.4868217Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-3517 |
2021-07-29T13:36:56.4869141Z + +------------------+ + + +-----------------------------------------+
2021-07-29T13:36:56.4870128Z | | CVE-2021-3518 | | | | libxml2: Use-after-free in |
2021-07-29T13:36:56.4870878Z | | | | | | xmlXIncludeDoProcess() in xinclude.c |
2021-07-29T13:36:56.4871786Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-3518 |
2021-07-29T13:36:56.4872717Z + +------------------+ + + +-----------------------------------------+
2021-07-29T13:36:56.4873695Z | | CVE-2021-3537 | | | | libxml2: NULL pointer dereference |
2021-07-29T13:36:56.4874671Z | | | | | | when post-validating mixed |
2021-07-29T13:36:56.4875380Z | | | | | | content parsed in recovery mode... |
2021-07-29T13:36:56.4877262Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-3537 |
2021-07-29T13:36:56.4878190Z + +------------------+ + + +-----------------------------------------+
2021-07-29T13:36:56.4879178Z | | CVE-2021-3541 | | | | libxml2: Exponential entity |
2021-07-29T13:36:56.4879927Z | | | | | | expansion attack bypasses all |
2021-07-29T13:36:56.4880573Z | | | | | | existing protection mechanisms |
2021-07-29T13:36:56.4881824Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-3541 |
2021-07-29T13:36:56.4882927Z +------------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4885116Z | lua-libs | CVE-2020-15945 | | 5.3.4-11.el8 | | lua: segmentation fault |
2021-07-29T13:36:56.4886163Z | | | | | | in changedline in ldebug.c |
2021-07-29T13:36:56.4887380Z | | | | | | -->avd.aquasec.com/nvd/cve-2020-15945 |
2021-07-29T13:36:56.4888464Z +------------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4889714Z | lz4-libs | CVE-2019-17543 | | 1.8.3-2.el8 | | lz4: heap-based buffer |
2021-07-29T13:36:56.4890704Z | | | | | | overflow in LZ4_write32 |
2021-07-29T13:36:56.4891852Z | | | | | | -->avd.aquasec.com/nvd/cve-2019-17543 |
2021-07-29T13:36:56.4892905Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4894103Z | | CVE-2021-3520 | | | 1.8.3-3.el8_4 | lz4: memory corruption |
2021-07-29T13:36:56.4894987Z | | | | | | due to an integer overflow |
2021-07-29T13:36:56.4895795Z | | | | | | bug caused by memmove... |
2021-07-29T13:36:56.4896836Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-3520 |
2021-07-29T13:36:56.4899824Z +------------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4900816Z | ncurses-base | CVE-2019-17594 | | 6.1-7.20180224.el8 | | ncurses: heap-based buffer |
2021-07-29T13:36:56.4901505Z | | | | | | overflow in the _nc_find_entry |
2021-07-29T13:36:56.4902150Z | | | | | | function in tinfo/comp_hash.c |
2021-07-29T13:36:56.4903084Z | | | | | | -->avd.aquasec.com/nvd/cve-2019-17594 |
2021-07-29T13:36:56.4904015Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4904988Z | | CVE-2019-17595 | | | | ncurses: heap-based buffer |
2021-07-29T13:36:56.4905735Z | | | | | | overflow in the fmt_entry |
2021-07-29T13:36:56.4906413Z | | | | | | function in tinfo/comp_hash.c |
2021-07-29T13:36:56.4913053Z | | | | | | -->avd.aquasec.com/nvd/cve-2019-17595 |
2021-07-29T13:36:56.4946506Z +------------------------+------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4947807Z | ncurses-libs | CVE-2019-17594 | | | | ncurses: heap-based buffer |
2021-07-29T13:36:56.4948691Z | | | | | | overflow in the _nc_find_entry |
2021-07-29T13:36:56.4949497Z | | | | | | function in tinfo/comp_hash.c |
2021-07-29T13:36:56.4950510Z | | | | | | -->avd.aquasec.com/nvd/cve-2019-17594 |
2021-07-29T13:36:56.4961463Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4962668Z | | CVE-2019-17595 | | | | ncurses: heap-based buffer |
2021-07-29T13:36:56.4963545Z | | | | | | overflow in the fmt_entry |
2021-07-29T13:36:56.4964287Z | | | | | | function in tinfo/comp_hash.c |
2021-07-29T13:36:56.4965233Z | | | | | | -->avd.aquasec.com/nvd/cve-2019-17595 |
2021-07-29T13:36:56.4966168Z +------------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4967162Z | nettle | CVE-2021-3580 | | 3.4.1-4.el8_3 | | nettle: Remote crash |
2021-07-29T13:36:56.4967913Z | | | | | | in RSA decryption via |
2021-07-29T13:36:56.4968604Z | | | | | | manipulated ciphertext |
2021-07-29T13:36:56.4969521Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-3580 |
2021-07-29T13:36:56.4970457Z +------------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4971456Z | openssl-libs | CVE-2021-23840 | | 1:1.1.1g-15.el8_3 | | openssl: integer |
2021-07-29T13:36:56.4972211Z | | | | | | overflow in CipherUpdate |
2021-07-29T13:36:56.4973115Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-23840 |
2021-07-29T13:36:56.4974041Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.4975018Z | | CVE-2021-23841 | | | | openssl: NULL pointer dereference |
2021-07-29T13:36:56.4975769Z | | | | | | in X509_issuer_and_serial_hash() |
2021-07-29T13:36:56.4976688Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-23841 |
2021-07-29T13:36:56.4977610Z +------------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.4978602Z | p11-kit | CVE-2020-29361 | | 0.23.14-5.el8_0 | 0.23.22-1.el8 | p11-kit: integer overflow when |
2021-07-29T13:36:56.4979355Z | | | | | | allocating memory for arrays |
2021-07-29T13:36:56.4980048Z | | | | | | or attributes and object... |
2021-07-29T13:36:56.4980966Z | | | | | | -->avd.aquasec.com/nvd/cve-2020-29361 |
2021-07-29T13:36:56.4981997Z + +------------------+ + + +-----------------------------------------+
2021-07-29T13:36:56.4982982Z | | CVE-2020-29362 | | | | p11-kit: out-of-bounds read in |
2021-07-29T13:36:56.4983733Z | | | | | | p11_rpc_buffer_get_byte_array |
2021-07-29T13:36:56.4984640Z | | | | | | function in rpc-message.c |
2021-07-29T13:36:56.4985665Z | | | | | | -->avd.aquasec.com/nvd/cve-2020-29362 |
2021-07-29T13:36:56.4986592Z + +------------------+ + + +-----------------------------------------+
2021-07-29T13:36:56.4987569Z | | CVE-2020-29363 | | | | p11-kit: out-of-bounds write in |
2021-07-29T13:36:56.4988320Z | | | | | | p11_rpc_buffer_get_byte_array_value |
2021-07-29T13:36:56.4989227Z | | | | | | function in rpc-message.c |
2021-07-29T13:36:56.4990155Z | | | | | | -->avd.aquasec.com/nvd/cve-2020-29363 |
2021-07-29T13:36:56.4991083Z +------------------------+------------------+ + + +-----------------------------------------+
2021-07-29T13:36:56.4992065Z | p11-kit-trust | CVE-2020-29361 | | | | p11-kit: integer overflow when |
2021-07-29T13:36:56.4992816Z | | | | | | allocating memory for arrays |
2021-07-29T13:36:56.4993499Z | | | | | | or attributes and object... |
2021-07-29T13:36:56.4994408Z | | | | | | -->avd.aquasec.com/nvd/cve-2020-29361 |
2021-07-29T13:36:56.4995333Z + +------------------+ + + +-----------------------------------------+
2021-07-29T13:36:56.4996529Z | | CVE-2020-29362 | | | | p11-kit: out-of-bounds read in |
2021-07-29T13:36:56.4997293Z | | | | | | p11_rpc_buffer_get_byte_array |
2021-07-29T13:36:56.4998215Z | | | | | | function in rpc-message.c |
2021-07-29T13:36:56.4999141Z | | | | | | -->avd.aquasec.com/nvd/cve-2020-29362 |
2021-07-29T13:36:56.5000064Z + +------------------+ + + +-----------------------------------------+
2021-07-29T13:36:56.5001042Z | | CVE-2020-29363 | | | | p11-kit: out-of-bounds write in |
2021-07-29T13:36:56.5001794Z | | | | | | p11_rpc_buffer_get_byte_array_value |
2021-07-29T13:36:56.5002699Z | | | | | | function in rpc-message.c |
2021-07-29T13:36:56.5003722Z | | | | | | -->avd.aquasec.com/nvd/cve-2020-29363 |
2021-07-29T13:36:56.5004644Z +------------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.5005624Z | rpm | CVE-2021-20271 | | 4.14.3-4.el8 | 4.14.3-14.el8_4 | rpm: Signature checks bypass |
2021-07-29T13:36:56.5006373Z | | | | | | via corrupted rpm package |
2021-07-29T13:36:56.5007363Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-20271 |
2021-07-29T13:36:56.5008288Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5009263Z | | CVE-2021-3421 | | | | rpm: unsigned signature header |
2021-07-29T13:36:56.5010006Z | | | | | | leads to string injection |
2021-07-29T13:36:56.5010689Z | | | | | | into an rpm database... |
2021-07-29T13:36:56.5011602Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-3421 |
2021-07-29T13:36:56.5012530Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5013501Z | | CVE-2021-35937 | | | | rpm: TOCTOU race in |
2021-07-29T13:36:56.5014250Z | | | | | | checks for unsafe symlinks |
2021-07-29T13:36:56.5015166Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-35937 |
2021-07-29T13:36:56.5016119Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5017091Z | | CVE-2021-35938 | | | | rpm: races with |
2021-07-29T13:36:56.5017838Z | | | | | | chown/chmod/capabilities |
2021-07-29T13:36:56.5018525Z | | | | | | calls during installation |
2021-07-29T13:36:56.5019439Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-35938 |
2021-07-29T13:36:56.5020348Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5021317Z | | CVE-2021-35939 | | | | rpm: checks for unsafe |
2021-07-29T13:36:56.5022065Z | | | | | | symlinks are not performed |
2021-07-29T13:36:56.5022745Z | | | | | | for intermediary directories |
2021-07-29T13:36:56.5023658Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-35939 |
2021-07-29T13:36:56.5024573Z +------------------------+------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5025633Z | rpm-libs | CVE-2021-20271 | | | 4.14.3-14.el8_4 | rpm: Signature checks bypass |
2021-07-29T13:36:56.5026377Z | | | | | | via corrupted rpm package |
2021-07-29T13:36:56.5027294Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-20271 |
2021-07-29T13:36:56.5028211Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5029253Z | | CVE-2021-3421 | | | | rpm: unsigned signature header |
2021-07-29T13:36:56.5029996Z | | | | | | leads to string injection |
2021-07-29T13:36:56.5030683Z | | | | | | into an rpm database... |
2021-07-29T13:36:56.5031591Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-3421 |
2021-07-29T13:36:56.5032513Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5033489Z | | CVE-2021-35937 | | | | rpm: TOCTOU race in |
2021-07-29T13:36:56.5034239Z | | | | | | checks for unsafe symlinks |
2021-07-29T13:36:56.5035150Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-35937 |
2021-07-29T13:36:56.5036626Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5037628Z | | CVE-2021-35938 | | | | rpm: races with |
2021-07-29T13:36:56.5038379Z | | | | | | chown/chmod/capabilities |
2021-07-29T13:36:56.5039070Z | | | | | | calls during installation |
2021-07-29T13:36:56.5039984Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-35938 |
2021-07-29T13:36:56.5040906Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5041881Z | | CVE-2021-35939 | | | | rpm: checks for unsafe |
2021-07-29T13:36:56.5042627Z | | | | | | symlinks are not performed |
2021-07-29T13:36:56.5043300Z | | | | | | for intermediary directories |
2021-07-29T13:36:56.5044210Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-35939 |
2021-07-29T13:36:56.5045133Z +------------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.5046114Z | sqlite-libs | CVE-2019-5827 | HIGH | 3.26.0-11.el8 | | chromium-browser: |
2021-07-29T13:36:56.5047085Z | | | | | | out-of-bounds access in SQLite |
2021-07-29T13:36:56.5048110Z | | | | | | -->avd.aquasec.com/nvd/cve-2019-5827 |
2021-07-29T13:36:56.5049030Z + +------------------+----------+ +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5050006Z | | CVE-2019-13750 | MEDIUM | | | sqlite: dropping of shadow tables |
2021-07-29T13:36:56.5050829Z | | | | | | not restricted in defensive mode |
2021-07-29T13:36:56.5051744Z | | | | | | -->avd.aquasec.com/nvd/cve-2019-13750 |
2021-07-29T13:36:56.5052663Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5053643Z | | CVE-2019-13751 | | | | sqlite: fts3: improve |
2021-07-29T13:36:56.5054394Z | | | | | | detection of corrupted records |
2021-07-29T13:36:56.5055306Z | | | | | | -->avd.aquasec.com/nvd/cve-2019-13751 |
2021-07-29T13:36:56.5056228Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5057202Z | | CVE-2019-19603 | | | | sqlite: mishandles certain SELECT |
2021-07-29T13:36:56.5057950Z | | | | | | statements with a nonexistent |
2021-07-29T13:36:56.5058636Z | | | | | | VIEW, leading to DoS... |
2021-07-29T13:36:56.5059547Z | | | | | | -->avd.aquasec.com/nvd/cve-2019-19603 |
2021-07-29T13:36:56.5060467Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5061441Z | | CVE-2020-13434 | | | 3.26.0-13.el8 | sqlite: integer overflow |
2021-07-29T13:36:56.5062191Z | | | | | | in sqlite3_str_vappendf |
2021-07-29T13:36:56.5062874Z | | | | | | function in printf.c |
2021-07-29T13:36:56.5063794Z | | | | | | -->avd.aquasec.com/nvd/cve-2020-13434 |
2021-07-29T13:36:56.5064715Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5065683Z | | CVE-2020-13435 | | | | sqlite: NULL pointer dereference |
2021-07-29T13:36:56.5066414Z | | | | | | leads to segmentation fault in |
2021-07-29T13:36:56.5067105Z | | | | | | sqlite3ExprCodeTarget in expr.c... |
2021-07-29T13:36:56.5068015Z | | | | | | -->avd.aquasec.com/nvd/cve-2020-13435 |
2021-07-29T13:36:56.5069013Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5069991Z | | CVE-2020-15358 | | | 3.26.0-13.el8 | sqlite: heap-based buffer overflow in |
2021-07-29T13:36:56.5070735Z | | | | | | multiSelectOrderBy due to mishandling |
2021-07-29T13:36:56.5071644Z | | | | | | of query-flattener optimization... |
2021-07-29T13:36:56.5072636Z | | | | | | -->avd.aquasec.com/nvd/cve-2020-15358 |
2021-07-29T13:36:56.5073557Z +------------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.5074546Z | systemd-libs | CVE-2021-33910 | HIGH | 239-41.el8_3.2 | 239-45.el8_4.2 | systemd: uncontrolled |
2021-07-29T13:36:56.5075295Z | | | | | | allocation on the stack in |
2021-07-29T13:36:56.5076081Z | | | | | | function unit_name_path_escape |
2021-07-29T13:36:56.5076729Z | | | | | | leads to crash... |
2021-07-29T13:36:56.5077605Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-33910 |
2021-07-29T13:36:56.5081111Z + +------------------+----------+ +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5082318Z | | CVE-2018-20839 | MEDIUM | | | systemd: mishandling of the |
2021-07-29T13:36:56.5083095Z | | | | | | current keyboard mode check |
2021-07-29T13:36:56.5083791Z | | | | | | leading to passwords being... |
2021-07-29T13:36:56.5084715Z | | | | | | -->avd.aquasec.com/nvd/cve-2018-20839 |
2021-07-29T13:36:56.5085646Z + +------------------+ + +-----------------+-----------------------------------------+
2021-07-29T13:36:56.5086627Z | | CVE-2019-3842 | | | 239-45.el8 | systemd: Spoofing of XDG_SEAT |
2021-07-29T13:36:56.5087380Z | | | | | | allows for actions to be checked |
2021-07-29T13:36:56.5088069Z | | | | | | against "allow_active"... |
2021-07-29T13:36:56.5088987Z | | | | | | -->avd.aquasec.com/nvd/cve-2019-3842 |
2021-07-29T13:36:56.5089915Z + +------------------+ + + +-----------------------------------------+
2021-07-29T13:36:56.5090896Z | | CVE-2020-13776 | | | | systemd: Mishandles numerical |
2021-07-29T13:36:56.5091630Z | | | | | | usernames beginning with decimal |
2021-07-29T13:36:56.5092317Z | | | | | | digits or 0x followed by... |
2021-07-29T13:36:56.5093346Z | | | | | | -->avd.aquasec.com/nvd/cve-2020-13776 |
2021-07-29T13:36:56.5094270Z +------------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
2021-07-29T13:36:56.5094671Z
2021-07-29T13:36:56.5095172Z usr/local/bin/chaos-runner (gobinary)
2021-07-29T13:36:56.5095599Z =====================================
2021-07-29T13:36:56.5096106Z Total: 4 (MEDIUM: 2, HIGH: 2, CRITICAL: 0)
2021-07-29T13:36:56.5096384Z
2021-07-29T13:36:56.5097188Z +--------------------------+------------------+----------+------------------------------------+------------------------------------+---------------------------------------+
2021-07-29T13:36:56.5098020Z | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
2021-07-29T13:36:56.5099093Z +--------------------------+------------------+----------+------------------------------------+------------------------------------+---------------------------------------+
2021-07-29T13:36:56.5100168Z | github.com/gogo/protobuf | CVE-2021-3121 | HIGH | v1.3.1 | v1.3.2 | gogo/protobuf: |
2021-07-29T13:36:56.5100979Z | | | | | | plugin/unmarshal/unmarshal.go |
2021-07-29T13:36:56.5101769Z | | | | | | lacks certain index validation |
2021-07-29T13:36:56.5102814Z | | | | | | -->avd.aquasec.com/nvd/cve-2021-3121 |
2021-07-29T13:36:56.5103871Z +--------------------------+------------------+ +------------------------------------+------------------------------------+---------------------------------------+
2021-07-29T13:36:56.5105007Z | golang.org/x/crypto | CVE-2020-29652 | | v0.0.0-20200622213623-75b288015ac9 | v0.0.0-20201216223049-8b5274cf687f | golang: crypto/ssh: crafted |
2021-07-29T13:36:56.5105872Z | | | | | | authentication request can |
2021-07-29T13:36:56.5106664Z | | | | | | lead to nil pointer dereference |
2021-07-29T13:36:56.5107703Z | | | | | | -->avd.aquasec.com/nvd/cve-2020-29652 |
2021-07-29T13:36:56.5108757Z +--------------------------+------------------+----------+------------------------------------+------------------------------------+---------------------------------------+
2021-07-29T13:36:56.5109889Z | k8s.io/client-go | CVE-2019-11250 | MEDIUM | v0.0.0-20191016111102-bec269661e48 | v0.17.0 | kubernetes: Bearer tokens |
2021-07-29T13:36:56.5110750Z | | | | | | written to logs at high |
2021-07-29T13:36:56.5111535Z | | | | | | verbosity levels (>= 7)... |
2021-07-29T13:36:56.5112567Z | | | | | | -->avd.aquasec.com/nvd/cve-2019-11250 |
2021-07-29T13:36:56.5113702Z + +------------------+ + +------------------------------------+---------------------------------------+
2021-07-29T13:36:56.5114825Z | | CVE-2020-8565 | | | v0.20.0-alpha.2 | kubernetes: Incomplete fix |
2021-07-29T13:36:56.5116334Z | | | | | | for CVE-2019-11250 allows for |
2021-07-29T13:36:56.5117270Z | | | | | | token leak in logs when... |
2021-07-29T13:36:56.5118336Z | | | | | | -->avd.aquasec.com/nvd/cve-2020-8565 |
2021-07-29T13:36:56.5119392Z +--------------------------+------------------+----------+------------------------------------+------------------------------------+---------------------------------------+
2021-07-29T13:36:56.5959433Z Vulnerabilities found.
2021-07-29T13:36:56.5994000Z ##[error]Bash exited with code '1'.
2021-07-29T13:36:56.6049663Z ##[section]Finishing: Scan Docker container image
What you expected to happen:
Since maintenance of a tested version of the Chaos Runner Docker container image in a user-specific, private container registry is a best practice in a production-grade container deployment (instead of using the publicly available version from a public image registry), it would be ideal to provide the users with an image which is vulnerability-free, as much as possible.
I would appreciate it if you could look into the detected vulnerabilities. If LitmusChaos uses a different image scan tool, I would appreciate details about its vulnerability check.
How to reproduce it (as minimally and precisely as possible):
Using the Trivy Docker image scan tool.