Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Docker Container Image Vulnerability Check - 2021-07-30 #380

Closed
chirangaalwis opened this issue Jul 30, 2021 · 2 comments
Closed

Docker Container Image Vulnerability Check - 2021-07-30 #380

chirangaalwis opened this issue Jul 30, 2021 · 2 comments

Comments

@chirangaalwis
Copy link

chirangaalwis commented Jul 30, 2021
edited
Loading

Is this a BUG REPORT or FEATURE REQUEST?

It is a BUG REPORT.

Choose one: BUG REPORT or FEATURE REQUEST

What happened:
Experienced the following Docker container image vulnerability scan report using Trivy Docker image scan tool.

2021-07-29T11:12:06.2139573Z 2021-07-29T11:12:06.212Z	�[34mINFO�[0m	Detecting RHEL/CentOS vulnerabilities...
2021-07-29T11:12:06.2176279Z 2021-07-29T11:12:06.217Z	�[34mINFO�[0m	Number of language-specific files: 1
2021-07-29T11:12:06.2177527Z 2021-07-29T11:12:06.217Z	�[34mINFO�[0m	Detecting gobinary vulnerabilities...
2021-07-29T11:12:06.2438776Z 
2021-07-29T11:12:06.2442748Z litmuschaos/chaos-operator:1.13.8 (redhat 8.3)
2021-07-29T11:12:06.2443726Z ==============================================
2021-07-29T11:12:06.2444486Z Total: 98 (MEDIUM: 92, HIGH: 3, CRITICAL: 3)
2021-07-29T11:12:06.2444988Z 
2021-07-29T11:12:06.2450313Z +------------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
2021-07-29T11:12:06.2451424Z |        LIBRARY         | VULNERABILITY ID | SEVERITY | INSTALLED VERSION  |  FIXED VERSION  |                  TITLE                  |
2021-07-29T11:12:06.2452818Z +------------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
2021-07-29T11:12:06.2454235Z | brotli                 | CVE-2020-8927    | MEDIUM   | 1.0.6-2.el8        | 1.0.6-3.el8     | brotli: buffer overflow when            |
2021-07-29T11:12:06.2457183Z |                        |                  |          |                    |                 | input chunk is larger than 2GiB         |
2021-07-29T11:12:06.2460342Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-8927    |
2021-07-29T11:12:06.2463802Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T11:12:06.2466949Z | coreutils-single       | CVE-2017-18018   |          | 8.30-8.el8         |                 | coreutils: race condition               |
2021-07-29T11:12:06.2469805Z |                        |                  |          |                    |                 | vulnerability in chown and chgrp        |
2021-07-29T11:12:06.2473231Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2017-18018   |
2021-07-29T11:12:06.2475469Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T11:12:06.2516448Z | curl                   | CVE-2020-8284    |          | 7.61.1-14.el8_3.1  | 7.61.1-18.el8   | curl: FTP PASV command                  |
2021-07-29T11:12:06.2519453Z |                        |                  |          |                    |                 | response can cause curl                 |
2021-07-29T11:12:06.2521088Z |                        |                  |          |                    |                 | to connect to arbitrary...              |
2021-07-29T11:12:06.2523581Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-8284    |
2021-07-29T11:12:06.2526864Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T11:12:06.2552034Z |                        | CVE-2020-8285    |          |                    |                 | curl: Malicious FTP server can          |
2021-07-29T11:12:06.2553132Z |                        |                  |          |                    |                 | trigger stack overflow when             |
2021-07-29T11:12:06.2553943Z |                        |                  |          |                    |                 | CURLOPT_CHUNK_BGN_FUNCTION              |
2021-07-29T11:12:06.2554701Z |                        |                  |          |                    |                 | is used...                              |
2021-07-29T11:12:06.2563367Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-8285    |
2021-07-29T11:12:06.2564555Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T11:12:06.2565751Z |                        | CVE-2020-8286    |          |                    |                 | curl: Inferior OCSP verification        |
2021-07-29T11:12:06.2567319Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-8286    |
2021-07-29T11:12:06.2568529Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.2569695Z |                        | CVE-2021-22876   |          |                    |                 | curl: Leak of authentication            |
2021-07-29T11:12:06.2570596Z |                        |                  |          |                    |                 | credentials in URL                      |
2021-07-29T11:12:06.2571591Z |                        |                  |          |                    |                 | via automatic Referer                   |
2021-07-29T11:12:06.2572701Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-22876   |
2021-07-29T11:12:06.2573833Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.2575081Z |                        | CVE-2021-22922   |          |                    |                 | curl: wrong content via                 |
2021-07-29T11:12:06.2575908Z |                        |                  |          |                    |                 | metalink is not being discarded         |
2021-07-29T11:12:06.2577100Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-22922   |
2021-07-29T11:12:06.2578168Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.2579322Z |                        | CVE-2021-22923   |          |                    |                 | curl: Metalink download                 |
2021-07-29T11:12:06.2580282Z |                        |                  |          |                    |                 | sends credentials                       |
2021-07-29T11:12:06.2581322Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-22923   |
2021-07-29T11:12:06.2582559Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.2583645Z |                        | CVE-2021-22924   |          |                    |                 | curl: bad connection reuse              |
2021-07-29T11:12:06.2584458Z |                        |                  |          |                    |                 | due to flawed path name checks          |
2021-07-29T11:12:06.2585449Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-22924   |
2021-07-29T11:12:06.2586621Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T11:12:06.2587852Z | file-libs              | CVE-2019-18218   |          | 5.33-16.el8_3.1    |                 | file: heap-based buffer overflow        |
2021-07-29T11:12:06.2588748Z |                        |                  |          |                    |                 | in cdf_read_property_info in cdf.c      |
2021-07-29T11:12:06.2589823Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-18218   |
2021-07-29T11:12:06.2684664Z +------------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
2021-07-29T11:12:06.2720697Z | glib2                  | CVE-2021-27219   | HIGH     | 2.56.4-8.el8       | 2.56.4-10.el8_4 | glib: integer overflow in               |
2021-07-29T11:12:06.2721725Z |                        |                  |          |                    |                 | g_bytes_new function on                 |
2021-07-29T11:12:06.2722778Z |                        |                  |          |                    |                 | 64-bit platforms due to an...           |
2021-07-29T11:12:06.2723912Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-27219   |
2021-07-29T11:12:06.2724991Z +                        +------------------+----------+                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.2726125Z |                        | CVE-2020-13543   | MEDIUM   |                    | 2.56.4-9.el8    | webkitgtk: use-after-free may           |
2021-07-29T11:12:06.2727032Z |                        |                  |          |                    |                 | lead to arbitrary code execution        |
2021-07-29T11:12:06.2754231Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-13543   |
2021-07-29T11:12:06.2755431Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T11:12:06.2757954Z |                        | CVE-2020-13584   |          |                    |                 | webkitgtk: use-after-free may           |
2021-07-29T11:12:06.2758888Z |                        |                  |          |                    |                 | lead to arbitrary code execution        |
2021-07-29T11:12:06.2759960Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-13584   |
2021-07-29T11:12:06.2761444Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T11:12:06.2764760Z |                        | CVE-2020-9948    |          |                    |                 | webkitgtk: type confusion may           |
2021-07-29T11:12:06.2765613Z |                        |                  |          |                    |                 | lead to arbitrary code execution        |
2021-07-29T11:12:06.2766618Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-9948    |
2021-07-29T11:12:06.2767858Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T11:12:06.2768945Z |                        | CVE-2020-9951    |          |                    |                 | webkitgtk: use-after-free may           |
2021-07-29T11:12:06.2769755Z |                        |                  |          |                    |                 | lead to arbitrary code execution        |
2021-07-29T11:12:06.2770928Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-9951    |
2021-07-29T11:12:06.2771954Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T11:12:06.2773025Z |                        | CVE-2020-9983    |          |                    |                 | webkitgtk: out-of-bounds write          |
2021-07-29T11:12:06.2773837Z |                        |                  |          |                    |                 | may lead to code execution              |
2021-07-29T11:12:06.2774881Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-9983    |
2021-07-29T11:12:06.2775925Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.2776996Z |                        | CVE-2021-27218   |          |                    |                 | glib: integer overflow in               |
2021-07-29T11:12:06.2777789Z |                        |                  |          |                    |                 | g_byte_array_new_take function          |
2021-07-29T11:12:06.2778890Z |                        |                  |          |                    |                 | when called with a buffer of...         |
2021-07-29T11:12:06.2780008Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-27218   |
2021-07-29T11:12:06.2781041Z +------------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
2021-07-29T11:12:06.2782150Z | glibc                  | CVE-2019-1010022 | CRITICAL | 2.28-127.el8_3.2   |                 | glibc: stack guard protection bypass    |
2021-07-29T11:12:06.2783233Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-1010022 |
2021-07-29T11:12:06.2784257Z +                        +------------------+----------+                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.2785331Z |                        | CVE-2019-25013   | MEDIUM   |                    | 2.28-151.el8    | glibc: buffer over-read in              |
2021-07-29T11:12:06.2786137Z |                        |                  |          |                    |                 | iconv when processing invalid           |
2021-07-29T11:12:06.2787118Z |                        |                  |          |                    |                 | multi-byte input sequences in...        |
2021-07-29T11:12:06.2788132Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-25013   |
2021-07-29T11:12:06.2789142Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T11:12:06.2790736Z |                        | CVE-2019-9169    |          |                    |                 | glibc: regular-expression               |
2021-07-29T11:12:06.2791601Z |                        |                  |          |                    |                 | match via proceed_next_node             |
2021-07-29T11:12:06.2792486Z |                        |                  |          |                    |                 | in posix/regexec.c leads to             |
2021-07-29T11:12:06.2793682Z |                        |                  |          |                    |                 | heap-based buffer over-read...          |
2021-07-29T11:12:06.2794719Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-9169    |
2021-07-29T11:12:06.2795734Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T11:12:06.2796963Z |                        | CVE-2021-3326    |          |                    |                 | glibc: Assertion failure in             |
2021-07-29T11:12:06.2799257Z |                        |                  |          |                    |                 | ISO-2022-JP-3 gconv module              |
2021-07-29T11:12:06.2814295Z |                        |                  |          |                    |                 | related to combining characters         |
2021-07-29T11:12:06.2815860Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-3326    |
2021-07-29T11:12:06.2823763Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.2825538Z |                        | CVE-2021-35942   |          |                    |                 | glibc: Arbitrary read in wordexp()      |
2021-07-29T11:12:06.2827326Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-35942   |
2021-07-29T11:12:06.2830097Z +------------------------+------------------+----------+                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.2831299Z | glibc-common           | CVE-2019-1010022 | CRITICAL |                    |                 | glibc: stack guard protection bypass    |
2021-07-29T11:12:06.2832880Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-1010022 |
2021-07-29T11:12:06.2835093Z +                        +------------------+----------+                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.2836711Z |                        | CVE-2019-25013   | MEDIUM   |                    | 2.28-151.el8    | glibc: buffer over-read in              |
2021-07-29T11:12:06.2837544Z |                        |                  |          |                    |                 | iconv when processing invalid           |
2021-07-29T11:12:06.2839398Z |                        |                  |          |                    |                 | multi-byte input sequences in...        |
2021-07-29T11:12:06.2841307Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-25013   |
2021-07-29T11:12:06.2842375Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T11:12:06.2843617Z |                        | CVE-2019-9169    |          |                    |                 | glibc: regular-expression               |
2021-07-29T11:12:06.2844443Z |                        |                  |          |                    |                 | match via proceed_next_node             |
2021-07-29T11:12:06.2845254Z |                        |                  |          |                    |                 | in posix/regexec.c leads to             |
2021-07-29T11:12:06.2846201Z |                        |                  |          |                    |                 | heap-based buffer over-read...          |
2021-07-29T11:12:06.2847158Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-9169    |
2021-07-29T11:12:06.2848375Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T11:12:06.2849591Z |                        | CVE-2021-3326    |          |                    |                 | glibc: Assertion failure in             |
2021-07-29T11:12:06.2850624Z |                        |                  |          |                    |                 | ISO-2022-JP-3 gconv module              |
2021-07-29T11:12:06.2851357Z |                        |                  |          |                    |                 | related to combining characters         |
2021-07-29T11:12:06.2852650Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-3326    |
2021-07-29T11:12:06.2853542Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.2854627Z |                        | CVE-2021-35942   |          |                    |                 | glibc: Arbitrary read in wordexp()      |
2021-07-29T11:12:06.2855654Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-35942   |
2021-07-29T11:12:06.2856767Z +------------------------+------------------+----------+                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.2858412Z | glibc-minimal-langpack | CVE-2019-1010022 | CRITICAL |                    |                 | glibc: stack guard protection bypass    |
2021-07-29T11:12:06.2859619Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-1010022 |
2021-07-29T11:12:06.2860642Z +                        +------------------+----------+                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.2861731Z |                        | CVE-2019-25013   | MEDIUM   |                    | 2.28-151.el8    | glibc: buffer over-read in              |
2021-07-29T11:12:06.2862535Z |                        |                  |          |                    |                 | iconv when processing invalid           |
2021-07-29T11:12:06.2863534Z |                        |                  |          |                    |                 | multi-byte input sequences in...        |
2021-07-29T11:12:06.2864551Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-25013   |
2021-07-29T11:12:06.2865567Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T11:12:06.2866826Z |                        | CVE-2019-9169    |          |                    |                 | glibc: regular-expression               |
2021-07-29T11:12:06.2867582Z |                        |                  |          |                    |                 | match via proceed_next_node             |
2021-07-29T11:12:06.2868365Z |                        |                  |          |                    |                 | in posix/regexec.c leads to             |
2021-07-29T11:12:06.2869225Z |                        |                  |          |                    |                 | heap-based buffer over-read...          |
2021-07-29T11:12:06.2870280Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-9169    |
2021-07-29T11:12:06.2871488Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T11:12:06.2872772Z |                        | CVE-2021-3326    |          |                    |                 | glibc: Assertion failure in             |
2021-07-29T11:12:06.2874178Z |                        |                  |          |                    |                 | ISO-2022-JP-3 gconv module              |
2021-07-29T11:12:06.2875073Z |                        |                  |          |                    |                 | related to combining characters         |
2021-07-29T11:12:06.2876017Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-3326    |
2021-07-29T11:12:06.2877112Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.2878361Z |                        | CVE-2021-35942   |          |                    |                 | glibc: Arbitrary read in wordexp()      |
2021-07-29T11:12:06.2879452Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-35942   |
2021-07-29T11:12:06.2880566Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T11:12:06.2881593Z | gnutls                 | CVE-2021-20231   |          | 3.6.14-8.el8_3     |                 | gnutls: Use after free in               |
2021-07-29T11:12:06.2882367Z |                        |                  |          |                    |                 | client key_share extension              |
2021-07-29T11:12:06.2883437Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-20231   |
2021-07-29T11:12:06.2884477Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.2885562Z |                        | CVE-2021-20232   |          |                    |                 | gnutls: Use after free                  |
2021-07-29T11:12:06.2886396Z |                        |                  |          |                    |                 | in client_send_params in                |
2021-07-29T11:12:06.2887131Z |                        |                  |          |                    |                 | lib/ext/pre_shared_key.c                |
2021-07-29T11:12:06.2888202Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-20232   |
2021-07-29T11:12:06.2889171Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T11:12:06.2890193Z | json-c                 | CVE-2020-12762   |          | 0.13.1-0.2.el8     |                 | json-c: integer overflow                |
2021-07-29T11:12:06.2891209Z |                        |                  |          |                    |                 | and out-of-bounds write                 |
2021-07-29T11:12:06.2891939Z |                        |                  |          |                    |                 | via a large JSON file                   |
2021-07-29T11:12:06.2893192Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-12762   |
2021-07-29T11:12:06.2894493Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T11:12:06.2896217Z | krb5-libs              | CVE-2020-28196   |          | 1.18.2-5.el8       | 1.18.2-8.el8    | krb5: unbounded recursion via an        |
2021-07-29T11:12:06.2897381Z |                        |                  |          |                    |                 | ASN.1-encoded Kerberos message          |
2021-07-29T11:12:06.2898214Z |                        |                  |          |                    |                 | in lib/krb5/asn.1/asn1_encode.c         |
2021-07-29T11:12:06.2899000Z |                        |                  |          |                    |                 | may lead...                             |
2021-07-29T11:12:06.2900351Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-28196   |
2021-07-29T11:12:06.2901370Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.2902304Z |                        | CVE-2021-36222   |          |                    |                 | krb5: sending a request containing      |
2021-07-29T11:12:06.2903285Z |                        |                  |          |                    |                 | a PA-ENCRYPTED-CHALLENGE padata         |
2021-07-29T11:12:06.2904059Z |                        |                  |          |                    |                 | element without using FAST...           |
2021-07-29T11:12:06.2905347Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-36222   |
2021-07-29T11:12:06.2906374Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T11:12:06.2907465Z | libarchive             | CVE-2017-14502   |          | 3.3.2-9.el8        | 3.3.3-1.el8     | libarchive: Off-by-one error            |
2021-07-29T11:12:06.2908687Z |                        |                  |          |                    |                 | in the read_header function             |
2021-07-29T11:12:06.2909729Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2017-14502   |
2021-07-29T11:12:06.2911036Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.2912415Z |                        | CVE-2020-21674   |          |                    |                 | libarchive: heap-based                  |
2021-07-29T11:12:06.2913202Z |                        |                  |          |                    |                 | buffer overflow in                      |
2021-07-29T11:12:06.2913942Z |                        |                  |          |                    |                 | archive_string_append_from_wcs          |
2021-07-29T11:12:06.2914637Z |                        |                  |          |                    |                 | function in archive_string.c            |
2021-07-29T11:12:06.2915958Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-21674   |
2021-07-29T11:12:06.2916936Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T11:12:06.2917976Z | libcurl                | CVE-2020-8284    |          | 7.61.1-14.el8_3.1  | 7.61.1-18.el8   | curl: FTP PASV command                  |
2021-07-29T11:12:06.2918866Z |                        |                  |          |                    |                 | response can cause curl                 |
2021-07-29T11:12:06.2919736Z |                        |                  |          |                    |                 | to connect to arbitrary...              |
2021-07-29T11:12:06.2920654Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-8284    |
2021-07-29T11:12:06.2921593Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T11:12:06.2922700Z |                        | CVE-2020-8285    |          |                    |                 | curl: Malicious FTP server can          |
2021-07-29T11:12:06.2923401Z |                        |                  |          |                    |                 | trigger stack overflow when             |
2021-07-29T11:12:06.2924158Z |                        |                  |          |                    |                 | CURLOPT_CHUNK_BGN_FUNCTION              |
2021-07-29T11:12:06.2924990Z |                        |                  |          |                    |                 | is used...                              |
2021-07-29T11:12:06.2926157Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-8285    |
2021-07-29T11:12:06.2927347Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T11:12:06.2928717Z |                        | CVE-2020-8286    |          |                    |                 | curl: Inferior OCSP verification        |
2021-07-29T11:12:06.2929885Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-8286    |
2021-07-29T11:12:06.2930869Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.2931885Z |                        | CVE-2021-22876   |          |                    |                 | curl: Leak of authentication            |
2021-07-29T11:12:06.2932791Z |                        |                  |          |                    |                 | credentials in URL                      |
2021-07-29T11:12:06.2933524Z |                        |                  |          |                    |                 | via automatic Referer                   |
2021-07-29T11:12:06.2934520Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-22876   |
2021-07-29T11:12:06.2935810Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.2937020Z |                        | CVE-2021-22922   |          |                    |                 | curl: wrong content via                 |
2021-07-29T11:12:06.2937876Z |                        |                  |          |                    |                 | metalink is not being discarded         |
2021-07-29T11:12:06.2939130Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-22922   |
2021-07-29T11:12:06.2940292Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.2941629Z |                        | CVE-2021-22923   |          |                    |                 | curl: Metalink download                 |
2021-07-29T11:12:06.2942454Z |                        |                  |          |                    |                 | sends credentials                       |
2021-07-29T11:12:06.2943446Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-22923   |
2021-07-29T11:12:06.2944983Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.2946140Z |                        | CVE-2021-22924   |          |                    |                 | curl: bad connection reuse              |
2021-07-29T11:12:06.2946999Z |                        |                  |          |                    |                 | due to flawed path name checks          |
2021-07-29T11:12:06.2948185Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-22924   |
2021-07-29T11:12:06.2949522Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T11:12:06.2951686Z | libdnf                 | CVE-2021-3445    |          | 0.48.0-5.el8       |                 | libdnf: libdnf does its                 |
2021-07-29T11:12:06.2952985Z |                        |                  |          |                    |                 | own signature verification,             |
2021-07-29T11:12:06.2953732Z |                        |                  |          |                    |                 | but this can be tricked...              |
2021-07-29T11:12:06.2954800Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-3445    |
2021-07-29T11:12:06.2955955Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T11:12:06.2957448Z | libgcc                 | CVE-2018-20673   |          | 8.3.1-5.1.el8      |                 | libiberty: Integer overflow in          |
2021-07-29T11:12:06.2965511Z |                        |                  |          |                    |                 | demangle_template() function            |
2021-07-29T11:12:06.2967341Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2018-20673   |
2021-07-29T11:12:06.2968512Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T11:12:06.2969702Z | libgcrypt              | CVE-2019-12904   |          | 1.8.5-4.el8        |                 | Libgcrypt: physical addresses           |
2021-07-29T11:12:06.2970601Z |                        |                  |          |                    |                 | being available to other processes      |
2021-07-29T11:12:06.2971965Z |                        |                  |          |                    |                 | leads to a flush-and-reload...          |
2021-07-29T11:12:06.2972950Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-12904   |
2021-07-29T11:12:06.2974098Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.2975431Z |                        | CVE-2021-33560   |          |                    |                 | libgcrypt: mishandles ElGamal           |
2021-07-29T11:12:06.2976365Z |                        |                  |          |                    |                 | encryption because it lacks             |
2021-07-29T11:12:06.2977154Z |                        |                  |          |                    |                 | exponent blinding to address a...       |
2021-07-29T11:12:06.2978325Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-33560   |
2021-07-29T11:12:06.2979494Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T11:12:06.2980716Z | libsepol               | CVE-2021-36084   |          | 2.9-1.el8          |                 | libsepol: use-after-free in             |
2021-07-29T11:12:06.2981668Z |                        |                  |          |                    |                 | __cil_verify_classperms()               |
2021-07-29T11:12:06.2982791Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-36084   |
2021-07-29T11:12:06.2983895Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.2985172Z |                        | CVE-2021-36085   |          |                    |                 | libsepol: use-after-free in             |
2021-07-29T11:12:06.2986135Z |                        |                  |          |                    |                 | __cil_verify_classperms()               |
2021-07-29T11:12:06.2987316Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-36085   |
2021-07-29T11:12:06.2988430Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.2989446Z |                        | CVE-2021-36086   |          |                    |                 | libsepol: use-after-free in             |
2021-07-29T11:12:06.2997491Z |                        |                  |          |                    |                 | cil_reset_classpermission()             |
2021-07-29T11:12:06.2999016Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-36086   |
2021-07-29T11:12:06.3000190Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.3001362Z |                        | CVE-2021-36087   |          |                    |                 | libsepol: heap-based buffer             |
2021-07-29T11:12:06.3002187Z |                        |                  |          |                    |                 | overflow in ebitmap_match_any()         |
2021-07-29T11:12:06.3003311Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-36087   |
2021-07-29T11:12:06.3004374Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T11:12:06.3005558Z | libstdc++              | CVE-2018-20673   |          | 8.3.1-5.1.el8      |                 | libiberty: Integer overflow in          |
2021-07-29T11:12:06.3006524Z |                        |                  |          |                    |                 | demangle_template() function            |
2021-07-29T11:12:06.3007433Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2018-20673   |
2021-07-29T11:12:06.3008384Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T11:12:06.3009642Z | libxml2                | CVE-2020-24977   |          | 2.9.7-8.el8        | 2.9.7-9.el8     | libxml2: Buffer overflow                |
2021-07-29T11:12:06.3010398Z |                        |                  |          |                    |                 | vulnerability in                        |
2021-07-29T11:12:06.3015773Z |                        |                  |          |                    |                 | xmlEncodeEntitiesInternal()             |
2021-07-29T11:12:06.3016776Z |                        |                  |          |                    |                 | in entities.c                           |
2021-07-29T11:12:06.3018026Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-24977   |
2021-07-29T11:12:06.3019220Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.3021127Z |                        | CVE-2021-3516    |          |                    | 2.9.7-9.el8_4.2 | libxml2: Use-after-free in              |
2021-07-29T11:12:06.3021944Z |                        |                  |          |                    |                 | xmlEncodeEntitiesInternal()             |
2021-07-29T11:12:06.3022658Z |                        |                  |          |                    |                 | in entities.c                           |
2021-07-29T11:12:06.3023874Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-3516    |
2021-07-29T11:12:06.3024940Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T11:12:06.3026256Z |                        | CVE-2021-3517    |          |                    |                 | libxml2: Heap-based buffer overflow     |
2021-07-29T11:12:06.3027287Z |                        |                  |          |                    |                 | in xmlEncodeEntitiesInternal()          |
2021-07-29T11:12:06.3027975Z |                        |                  |          |                    |                 | in entities.c                           |
2021-07-29T11:12:06.3029337Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-3517    |
2021-07-29T11:12:06.3041139Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T11:12:06.3042301Z |                        | CVE-2021-3518    |          |                    |                 | libxml2: Use-after-free in              |
2021-07-29T11:12:06.3043473Z |                        |                  |          |                    |                 | xmlXIncludeDoProcess() in xinclude.c    |
2021-07-29T11:12:06.3044437Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-3518    |
2021-07-29T11:12:06.3045528Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T11:12:06.3046912Z |                        | CVE-2021-3537    |          |                    |                 | libxml2: NULL pointer dereference       |
2021-07-29T11:12:06.3048093Z |                        |                  |          |                    |                 | when post-validating mixed              |
2021-07-29T11:12:06.3048826Z |                        |                  |          |                    |                 | content parsed in recovery mode...      |
2021-07-29T11:12:06.3049896Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-3537    |
2021-07-29T11:12:06.3050890Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T11:12:06.3051829Z |                        | CVE-2021-3541    |          |                    |                 | libxml2: Exponential entity             |
2021-07-29T11:12:06.3052788Z |                        |                  |          |                    |                 | expansion attack bypasses all           |
2021-07-29T11:12:06.3053489Z |                        |                  |          |                    |                 | existing protection mechanisms          |
2021-07-29T11:12:06.3054438Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-3541    |
2021-07-29T11:12:06.3055418Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T11:12:06.3056669Z | lua-libs               | CVE-2020-15945   |          | 5.3.4-11.el8       |                 | lua: segmentation fault                 |
2021-07-29T11:12:06.3057445Z |                        |                  |          |                    |                 | in changedline in ldebug.c              |
2021-07-29T11:12:06.3058763Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-15945   |
2021-07-29T11:12:06.3060756Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T11:12:06.3061880Z | lz4-libs               | CVE-2019-17543   |          | 1.8.3-2.el8        |                 | lz4: heap-based buffer                  |
2021-07-29T11:12:06.3062862Z |                        |                  |          |                    |                 | overflow in LZ4_write32                 |
2021-07-29T11:12:06.3064247Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-17543   |
2021-07-29T11:12:06.3065247Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.3066325Z |                        | CVE-2021-3520    |          |                    | 1.8.3-3.el8_4   | lz4: memory corruption                  |
2021-07-29T11:12:06.3067347Z |                        |                  |          |                    |                 | due to an integer overflow              |
2021-07-29T11:12:06.3068294Z |                        |                  |          |                    |                 | bug caused by memmove...                |
2021-07-29T11:12:06.3069218Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-3520    |
2021-07-29T11:12:06.3070321Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T11:12:06.3071415Z | ncurses-base           | CVE-2019-17594   |          | 6.1-7.20180224.el8 |                 | ncurses: heap-based buffer              |
2021-07-29T11:12:06.3072274Z |                        |                  |          |                    |                 | overflow in the _nc_find_entry          |
2021-07-29T11:12:06.3072954Z |                        |                  |          |                    |                 | function in tinfo/comp_hash.c           |
2021-07-29T11:12:06.3073937Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-17594   |
2021-07-29T11:12:06.3074893Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.3075981Z |                        | CVE-2019-17595   |          |                    |                 | ncurses: heap-based buffer              |
2021-07-29T11:12:06.3076708Z |                        |                  |          |                    |                 | overflow in the fmt_entry               |
2021-07-29T11:12:06.3077359Z |                        |                  |          |                    |                 | function in tinfo/comp_hash.c           |
2021-07-29T11:12:06.3078253Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-17595   |
2021-07-29T11:12:06.3079299Z +------------------------+------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.3080292Z | ncurses-libs           | CVE-2019-17594   |          |                    |                 | ncurses: heap-based buffer              |
2021-07-29T11:12:06.3081049Z |                        |                  |          |                    |                 | overflow in the _nc_find_entry          |
2021-07-29T11:12:06.3081823Z |                        |                  |          |                    |                 | function in tinfo/comp_hash.c           |
2021-07-29T11:12:06.3082688Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-17594   |
2021-07-29T11:12:06.3083574Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.3084942Z |                        | CVE-2019-17595   |          |                    |                 | ncurses: heap-based buffer              |
2021-07-29T11:12:06.3085840Z |                        |                  |          |                    |                 | overflow in the fmt_entry               |
2021-07-29T11:12:06.3087096Z |                        |                  |          |                    |                 | function in tinfo/comp_hash.c           |
2021-07-29T11:12:06.3088446Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-17595   |
2021-07-29T11:12:06.3089739Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T11:12:06.3091301Z | nettle                 | CVE-2021-3580    |          | 3.4.1-4.el8_3      |                 | nettle: Remote crash                    |
2021-07-29T11:12:06.3092329Z |                        |                  |          |                    |                 | in RSA decryption via                   |
2021-07-29T11:12:06.3099621Z |                        |                  |          |                    |                 | manipulated ciphertext                  |
2021-07-29T11:12:06.3100918Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-3580    |
2021-07-29T11:12:06.3102149Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T11:12:06.3103122Z | openssl-libs           | CVE-2021-23840   |          | 1:1.1.1g-15.el8_3  |                 | openssl: integer                        |
2021-07-29T11:12:06.3103994Z |                        |                  |          |                    |                 | overflow in CipherUpdate                |
2021-07-29T11:12:06.3104928Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-23840   |
2021-07-29T11:12:06.3105880Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.3106951Z |                        | CVE-2021-23841   |          |                    |                 | openssl: NULL pointer dereference       |
2021-07-29T11:12:06.3107663Z |                        |                  |          |                    |                 | in X509_issuer_and_serial_hash()        |
2021-07-29T11:12:06.3108664Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-23841   |
2021-07-29T11:12:06.3110203Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T11:12:06.3111429Z | p11-kit                | CVE-2020-29361   |          | 0.23.14-5.el8_0    | 0.23.22-1.el8   | p11-kit: integer overflow when          |
2021-07-29T11:12:06.3112255Z |                        |                  |          |                    |                 | allocating memory for arrays            |
2021-07-29T11:12:06.3113192Z |                        |                  |          |                    |                 | or attributes and object...             |
2021-07-29T11:12:06.3114270Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-29361   |
2021-07-29T11:12:06.3115253Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T11:12:06.3116559Z |                        | CVE-2020-29362   |          |                    |                 | p11-kit: out-of-bounds read in          |
2021-07-29T11:12:06.3117418Z |                        |                  |          |                    |                 | p11_rpc_buffer_get_byte_array           |
2021-07-29T11:12:06.3118442Z |                        |                  |          |                    |                 | function in rpc-message.c               |
2021-07-29T11:12:06.3119855Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-29362   |
2021-07-29T11:12:06.3120851Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T11:12:06.3121884Z |                        | CVE-2020-29363   |          |                    |                 | p11-kit: out-of-bounds write in         |
2021-07-29T11:12:06.3122637Z |                        |                  |          |                    |                 | p11_rpc_buffer_get_byte_array_value     |
2021-07-29T11:12:06.3123721Z |                        |                  |          |                    |                 | function in rpc-message.c               |
2021-07-29T11:12:06.3124696Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-29363   |
2021-07-29T11:12:06.3125675Z +------------------------+------------------+          +                    +                 +-----------------------------------------+
2021-07-29T11:12:06.3126707Z | p11-kit-trust          | CVE-2020-29361   |          |                    |                 | p11-kit: integer overflow when          |
2021-07-29T11:12:06.3127650Z |                        |                  |          |                    |                 | allocating memory for arrays            |
2021-07-29T11:12:06.3128382Z |                        |                  |          |                    |                 | or attributes and object...             |
2021-07-29T11:12:06.3129380Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-29361   |
2021-07-29T11:12:06.3130489Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T11:12:06.3131516Z |                        | CVE-2020-29362   |          |                    |                 | p11-kit: out-of-bounds read in          |
2021-07-29T11:12:06.3132468Z |                        |                  |          |                    |                 | p11_rpc_buffer_get_byte_array           |
2021-07-29T11:12:06.3133453Z |                        |                  |          |                    |                 | function in rpc-message.c               |
2021-07-29T11:12:06.3134626Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-29362   |
2021-07-29T11:12:06.3135923Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T11:12:06.3137056Z |                        | CVE-2020-29363   |          |                    |                 | p11-kit: out-of-bounds write in         |
2021-07-29T11:12:06.3138020Z |                        |                  |          |                    |                 | p11_rpc_buffer_get_byte_array_value     |
2021-07-29T11:12:06.3139229Z |                        |                  |          |                    |                 | function in rpc-message.c               |
2021-07-29T11:12:06.3140274Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-29363   |
2021-07-29T11:12:06.3141426Z +------------------------+------------------+          +--------------------+-----------------+-----------------------------------------+
2021-07-29T11:12:06.3142669Z | rpm                    | CVE-2021-20271   |          | 4.14.3-4.el8       | 4.14.3-14.el8_4 | rpm: Signature checks bypass            |
2021-07-29T11:12:06.3143506Z |                        |                  |          |                    |                 | via corrupted rpm package               |
2021-07-29T11:12:06.3144501Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-20271   |
2021-07-29T11:12:06.3146039Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.3147306Z |                        | CVE-2021-3421    |          |                    |                 | rpm: unsigned signature header          |
2021-07-29T11:12:06.3148186Z |                        |                  |          |                    |                 | leads to string injection               |
2021-07-29T11:12:06.3149163Z |                        |                  |          |                    |                 | into an rpm database...                 |
2021-07-29T11:12:06.3150672Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-3421    |
2021-07-29T11:12:06.3151750Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.3152838Z |                        | CVE-2021-35937   |          |                    |                 | rpm: TOCTOU race in                     |
2021-07-29T11:12:06.3153725Z |                        |                  |          |                    |                 | checks for unsafe symlinks              |
2021-07-29T11:12:06.3154660Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-35937   |
2021-07-29T11:12:06.3155635Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.3156667Z |                        | CVE-2021-35938   |          |                    |                 | rpm: races with                         |
2021-07-29T11:12:06.3157446Z |                        |                  |          |                    |                 | chown/chmod/capabilities                |
2021-07-29T11:12:06.3158136Z |                        |                  |          |                    |                 | calls during installation               |
2021-07-29T11:12:06.3159318Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-35938   |
2021-07-29T11:12:06.3166503Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.3168140Z |                        | CVE-2021-35939   |          |                    |                 | rpm: checks for unsafe                  |
2021-07-29T11:12:06.3169119Z |                        |                  |          |                    |                 | symlinks are not performed              |
2021-07-29T11:12:06.3169915Z |                        |                  |          |                    |                 | for intermediary directories            |
2021-07-29T11:12:06.3171000Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-35939   |
2021-07-29T11:12:06.3172117Z +------------------------+------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.3173292Z | rpm-libs               | CVE-2021-20271   |          |                    | 4.14.3-14.el8_4 | rpm: Signature checks bypass            |
2021-07-29T11:12:06.3174179Z |                        |                  |          |                    |                 | via corrupted rpm package               |
2021-07-29T11:12:06.3175525Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-20271   |
2021-07-29T11:12:06.3176524Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.3177725Z |                        | CVE-2021-3421    |          |                    |                 | rpm: unsigned signature header          |
2021-07-29T11:12:06.3178508Z |                        |                  |          |                    |                 | leads to string injection               |
2021-07-29T11:12:06.3179193Z |                        |                  |          |                    |                 | into an rpm database...                 |
2021-07-29T11:12:06.3180129Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-3421    |
2021-07-29T11:12:06.3181240Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.3182273Z |                        | CVE-2021-35937   |          |                    |                 | rpm: TOCTOU race in                     |
2021-07-29T11:12:06.3183048Z |                        |                  |          |                    |                 | checks for unsafe symlinks              |
2021-07-29T11:12:06.3183998Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-35937   |
2021-07-29T11:12:06.3184952Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.3185970Z |                        | CVE-2021-35938   |          |                    |                 | rpm: races with                         |
2021-07-29T11:12:06.3186751Z |                        |                  |          |                    |                 | chown/chmod/capabilities                |
2021-07-29T11:12:06.3187441Z |                        |                  |          |                    |                 | calls during installation               |
2021-07-29T11:12:06.3188370Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-35938   |
2021-07-29T11:12:06.3189466Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.3191023Z |                        | CVE-2021-35939   |          |                    |                 | rpm: checks for unsafe                  |
2021-07-29T11:12:06.3191884Z |                        |                  |          |                    |                 | symlinks are not performed              |
2021-07-29T11:12:06.3192708Z |                        |                  |          |                    |                 | for intermediary directories            |
2021-07-29T11:12:06.3193654Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-35939   |
2021-07-29T11:12:06.3194632Z +------------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
2021-07-29T11:12:06.3195672Z | sqlite-libs            | CVE-2019-5827    | HIGH     | 3.26.0-11.el8      |                 | chromium-browser:                       |
2021-07-29T11:12:06.3196700Z |                        |                  |          |                    |                 | out-of-bounds access in SQLite          |
2021-07-29T11:12:06.3197681Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-5827    |
2021-07-29T11:12:06.3198657Z +                        +------------------+----------+                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.3199689Z |                        | CVE-2019-13750   | MEDIUM   |                    |                 | sqlite: dropping of shadow tables       |
2021-07-29T11:12:06.3200466Z |                        |                  |          |                    |                 | not restricted in defensive mode        |
2021-07-29T11:12:06.3201564Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-13750   |
2021-07-29T11:12:06.3202553Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.3203581Z |                        | CVE-2019-13751   |          |                    |                 | sqlite: fts3: improve                   |
2021-07-29T11:12:06.3204359Z |                        |                  |          |                    |                 | detection of corrupted records          |
2021-07-29T11:12:06.3205442Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-13751   |
2021-07-29T11:12:06.3206427Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.3207739Z |                        | CVE-2019-19603   |          |                    |                 | sqlite: mishandles certain SELECT       |
2021-07-29T11:12:06.3208623Z |                        |                  |          |                    |                 | statements with a nonexistent           |
2021-07-29T11:12:06.3209905Z |                        |                  |          |                    |                 | VIEW, leading to DoS...                 |
2021-07-29T11:12:06.3211357Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-19603   |
2021-07-29T11:12:06.3212519Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.3213866Z |                        | CVE-2020-13434   |          |                    | 3.26.0-13.el8   | sqlite: integer overflow                |
2021-07-29T11:12:06.3214736Z |                        |                  |          |                    |                 | in sqlite3_str_vappendf                 |
2021-07-29T11:12:06.3215496Z |                        |                  |          |                    |                 | function in printf.c                    |
2021-07-29T11:12:06.3216720Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-13434   |
2021-07-29T11:12:06.3217697Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.3218732Z |                        | CVE-2020-13435   |          |                    |                 | sqlite: NULL pointer dereference        |
2021-07-29T11:12:06.3219509Z |                        |                  |          |                    |                 | leads to segmentation fault in          |
2021-07-29T11:12:06.3220204Z |                        |                  |          |                    |                 | sqlite3ExprCodeTarget in expr.c...      |
2021-07-29T11:12:06.3221141Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-13435   |
2021-07-29T11:12:06.3222119Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.3223152Z |                        | CVE-2020-15358   |          |                    | 3.26.0-13.el8   | sqlite: heap-based buffer overflow in   |
2021-07-29T11:12:06.3223936Z |                        |                  |          |                    |                 | multiSelectOrderBy due to mishandling   |
2021-07-29T11:12:06.3224869Z |                        |                  |          |                    |                 | of query-flattener optimization...      |
2021-07-29T11:12:06.3225855Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-15358   |
2021-07-29T11:12:06.3226978Z +------------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
2021-07-29T11:12:06.3228024Z | systemd-libs           | CVE-2021-33910   | HIGH     | 239-41.el8_3.2     | 239-45.el8_4.2  | systemd: uncontrolled                   |
2021-07-29T11:12:06.3228804Z |                        |                  |          |                    |                 | allocation on the stack in              |
2021-07-29T11:12:06.3229609Z |                        |                  |          |                    |                 | function unit_name_path_escape          |
2021-07-29T11:12:06.3230455Z |                        |                  |          |                    |                 | leads to crash...                       |
2021-07-29T11:12:06.3232664Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-33910   |
2021-07-29T11:12:06.3233726Z +                        +------------------+----------+                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.3234759Z |                        | CVE-2018-20839   | MEDIUM   |                    |                 | systemd: mishandling of the             |
2021-07-29T11:12:06.3235537Z |                        |                  |          |                    |                 | current keyboard mode check             |
2021-07-29T11:12:06.3236227Z |                        |                  |          |                    |                 | leading to passwords being...           |
2021-07-29T11:12:06.3237167Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2018-20839   |
2021-07-29T11:12:06.3238125Z +                        +------------------+          +                    +-----------------+-----------------------------------------+
2021-07-29T11:12:06.3239303Z |                        | CVE-2019-3842    |          |                    | 239-45.el8      | systemd: Spoofing of XDG_SEAT           |
2021-07-29T11:12:06.3240127Z |                        |                  |          |                    |                 | allows for actions to be checked        |
2021-07-29T11:12:06.3240862Z |                        |                  |          |                    |                 | against "allow_active"...               |
2021-07-29T11:12:06.3241851Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-3842    |
2021-07-29T11:12:06.3242947Z +                        +------------------+          +                    +                 +-----------------------------------------+
2021-07-29T11:12:06.3243967Z |                        | CVE-2020-13776   |          |                    |                 | systemd: Mishandles numerical           |
2021-07-29T11:12:06.3244740Z |                        |                  |          |                    |                 | usernames beginning with decimal        |
2021-07-29T11:12:06.3245429Z |                        |                  |          |                    |                 | digits or 0x followed by...             |
2021-07-29T11:12:06.3246359Z |                        |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2020-13776   |
2021-07-29T11:12:06.3247330Z +------------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
2021-07-29T11:12:06.3247764Z 
2021-07-29T11:12:06.3248293Z usr/local/bin/chaos-operator (gobinary)
2021-07-29T11:12:06.3248759Z =======================================
2021-07-29T11:12:06.3249207Z Total: 4 (MEDIUM: 2, HIGH: 2, CRITICAL: 0)
2021-07-29T11:12:06.3249477Z 
2021-07-29T11:12:06.3250445Z +-----------------------------+------------------+----------+------------------------------------+------------------------------------+---------------------------------------+
2021-07-29T11:12:06.3251331Z |           LIBRARY           | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION          |           FIXED VERSION            |                 TITLE                 |
2021-07-29T11:12:06.3252416Z +-----------------------------+------------------+----------+------------------------------------+------------------------------------+---------------------------------------+
2021-07-29T11:12:06.3253586Z | github.com/dgrijalva/jwt-go | CVE-2020-26160   | HIGH     | v3.2.0+incompatible                |                                    | jwt-go: access restriction            |
2021-07-29T11:12:06.3254598Z |                             |                  |          |                                    |                                    | bypass vulnerability                  |
2021-07-29T11:12:06.3255840Z |                             |                  |          |                                    |                                    | -->avd.aquasec.com/nvd/cve-2020-26160 |
2021-07-29T11:12:06.3257159Z +-----------------------------+------------------+          +------------------------------------+------------------------------------+---------------------------------------+
2021-07-29T11:12:06.3258471Z | golang.org/x/crypto         | CVE-2020-29652   |          | v0.0.0-20200622213623-75b288015ac9 | v0.0.0-20201216223049-8b5274cf687f | golang: crypto/ssh: crafted           |
2021-07-29T11:12:06.3259654Z |                             |                  |          |                                    |                                    | authentication request can            |
2021-07-29T11:12:06.3260713Z |                             |                  |          |                                    |                                    | lead to nil pointer dereference       |
2021-07-29T11:12:06.3262652Z |                             |                  |          |                                    |                                    | -->avd.aquasec.com/nvd/cve-2020-29652 |
2021-07-29T11:12:06.3263943Z +-----------------------------+------------------+----------+------------------------------------+------------------------------------+---------------------------------------+
2021-07-29T11:12:06.3265298Z | k8s.io/client-go            | CVE-2019-11250   | MEDIUM   | v0.0.0-20191016111102-bec269661e48 | v0.17.0                            | kubernetes: Bearer tokens             |
2021-07-29T11:12:06.3266527Z |                             |                  |          |                                    |                                    | written to logs at high               |
2021-07-29T11:12:06.3267521Z |                             |                  |          |                                    |                                    | verbosity levels (>= 7)...            |
2021-07-29T11:12:06.3268789Z |                             |                  |          |                                    |                                    | -->avd.aquasec.com/nvd/cve-2019-11250 |
2021-07-29T11:12:06.3270205Z +                             +------------------+          +                                    +------------------------------------+---------------------------------------+
2021-07-29T11:12:06.3271517Z |                             | CVE-2020-8565    |          |                                    | v0.20.0-alpha.2                    | kubernetes: Incomplete fix            |
2021-07-29T11:12:06.3273768Z |                             |                  |          |                                    |                                    | for CVE-2019-11250 allows for         |
2021-07-29T11:12:06.3274638Z |                             |                  |          |                                    |                                    | token leak in logs when...            |
2021-07-29T11:12:06.3275982Z |                             |                  |          |                                    |                                    | -->avd.aquasec.com/nvd/cve-2020-8565  |
2021-07-29T11:12:06.3277117Z +-----------------------------+------------------+----------+------------------------------------+------------------------------------+---------------------------------------+
2021-07-29T11:12:06.4233719Z Vulnerabilities found.
2021-07-29T11:12:06.4299835Z ##[error]Bash exited with code '1'.
2021-07-29T11:12:06.4342638Z ##[section]Finishing: Scan Docker container image

What you expected to happen:
Since, maintenance of a tested version of Chaos Operator Docker container image in a user specific, private container registry is a best practice in a production grade container deployment (instead of using the publicly available version from a public image registry), it would be ideal to provide the users with an image which is vulnerability free, as much as possible.

Appreciate if you could look into the detected vulnerabilities. If LitmusChaos uses a different, image scan tool, would appreciate details about its vulnerability check.

How to reproduce it (as minimally and precisely as possible):
Using Trivy Docker image scan tool.
@ksatchit
Copy link
Member

Thanks for opening the issue . We are in the process of hardening the images - with mitigation for at least severity high CVEs as much as possible. Eta will be updated here (expected to take some time due to test efforts involved)

@rlindner5 rlindner5 mentioned this issue Mar 5, 2024
Closed
@neelanjan00
Copy link
Member

neelanjan00 commented Mar 14, 2024
edited
Loading

Tracking this in different issue: #484. Thanks for the issue!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@chirangaalwis @ksatchit @neelanjan00