From 23407db12d6d702bc492f13a1998c5440ad9adee Mon Sep 17 00:00:00 2001
From: burnettk
Date: Thu, 15 Aug 2024 09:54:20 -0400
Subject: [PATCH] add sample puppetserver response

---
 ...le-api-response-puppetserver-ecs-scan.json | 3657 +++++++++++++++++
 1 file changed, 3657 insertions(+)
 create mode 100644 wait-for-ecr-scan-and-get-sarif/sample-api-response-puppetserver-ecs-scan.json

diff --git a/wait-for-ecr-scan-and-get-sarif/sample-api-response-puppetserver-ecs-scan.json b/wait-for-ecr-scan-and-get-sarif/sample-api-response-puppetserver-ecs-scan.json
new file mode 100644
index 0000000..ca13251
--- /dev/null
+++ b/wait-for-ecr-scan-and-get-sarif/sample-api-response-puppetserver-ecs-scan.json
@@ -0,0 +1,3657 @@ +{ + "imageScanFindings": { + "enhancedFindings": [ + { + "awsAccountId": "772215651096", + "description": "\n It was discovered that OpenSSH incorrectly handled signal management. A\n remote attacker could use this issue to bypass authentication and remotely\n access systems without proper credentials.", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/08f260371502df67620f50106f645948", + "firstObservedAt": "2024-07-02T19:13:34.370000-04:00", + "lastObservedAt": "2024-08-08T20:10:15.923000-04:00", + "packageVulnerabilityDetails": { + "cvss": [ + { + "baseScore": 8.1, + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": "UBUNTU_CVE", + "version": "3.1" + }, + { + "baseScore": 8.1, + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": "NVD", + "version": "3.1" + } + ], + "referenceUrls": [ + "https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt", + "https://ubuntu.com/blog/ubuntu-regresshion-security-fix", + "https://www.cve.org/CVERecord?id=CVE-2024-6387", + "https://ubuntu.com/security/notices/USN-6859-1" + ], + "relatedVulnerabilities": [ + "USN-6859-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-6387.html", + "vendorCreatedAt": "2024-07-01T09:15:00-04:00", + "vulnerabilityId": "CVE-2024-6387", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 1, + "name": "openssh-client", + "packageManager": "OS", + "release": "3ubuntu0.7", + "sourceLayerHash": "sha256:f10709c479d939368e25cb0f53919bdb6e1133c5afcd3e0f186d11bd5b43f3bb", + "version": "8.9p1" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": 
"2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 8.1, + "scoreDetails": { + "cvss": { + "adjustments": [], + "score": 8.1, + "scoreSource": "UBUNTU_CVE", + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-6387 - openssh-client", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-08T20:10:15.923000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/17fa5bc38f1e650d551253fd0b2bf5b3", + "firstObservedAt": "2024-05-23T18:01:47.280000-04:00", + "lastObservedAt": "2024-06-24T18:37:02.715000-04:00", + "packageVulnerabilityDetails": { + "cvss": [], + "referenceUrls": [ + "https://people.redhat.com/~hkario/marvin/", + "https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html", + "https://ubuntu.com/security/notices/USN-6733-1", + "https://access.redhat.com/security/cve/CVE-2024-28834", + "https://www.gnutls.org/security-new.html", + "https://www.cve.org/CVERecord?id=CVE-2024-28834", + "https://ubuntu.com/security/notices/USN-6733-2" + ], + "relatedVulnerabilities": [ + "USN-6733-2", + "USN-6733-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-28834.html", + 
"vendorCreatedAt": "2024-03-21T10:15:00-04:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2024-28834", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "libgnutls30", + "packageManager": "OS", + "release": "4ubuntu1.4", + "sourceLayerHash": "sha256:7021d1b70935851c95c45ed18156980b5024eda29b99564429025ea04f5ec109", + "version": "3.7.3" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 0.0, + "severity": "MEDIUM", + "status": "ACTIVE", + "title": "CVE-2024-28834 - libgnutls30", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-06-24T18:37:02.715000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. 
Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/241e3b2f502c5e779cfda524edfe48c5", + "firstObservedAt": "2024-05-23T18:01:47.280000-04:00", + "lastObservedAt": "2024-08-08T20:10:15.923000-04:00", + "packageVulnerabilityDetails": { + "cvss": [ + { + "baseScore": 7.5, + "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": "UBUNTU_CVE", + "version": "3.1" + }, + { + "baseScore": 7.5, + "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": "NVD", + "version": "3.1" + } + ], + "referenceUrls": [ + "https://ubuntu.com/security/notices/USN-6754-1", + "https://www.cve.org/CVERecord?id=CVE-2019-9511", + "https://ubuntu.com/security/notices/USN-4099-1" + ], + "relatedVulnerabilities": [ + "USN-4099-1", + "USN-6754-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9511.html", + "vendorCreatedAt": "2019-08-13T17:15:00-04:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2019-9511", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "nghttp2", + "packageManager": "OS", + "release": "1ubuntu0.1", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "1.43.0" + }, + { + "arch": "AMD64", + "epoch": 0, + "name": "libnghttp2-14", + "packageManager": "OS", + "release": "1ubuntu0.1", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "1.43.0" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + 
"registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 7.5, + "scoreDetails": { + "cvss": { + "adjustments": [], + "score": 7.5, + "scoreSource": "UBUNTU_CVE", + "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + } + }, + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2019-9511 - nghttp2, libnghttp2-14", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-08T20:10:15.923000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. 
This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/2bc50cf1ff97373f8eb6b1dd930955c1", + "firstObservedAt": "2024-05-23T18:01:47.280000-04:00", + "lastObservedAt": "2024-06-24T18:37:02.715000-04:00", + "packageVulnerabilityDetails": { + "cvss": [], + "referenceUrls": [ + "https://www.cve.org/CVERecord?id=CVE-2024-34397", + "https://ubuntu.com/security/notices/USN-6768-1", + "https://discourse.gnome.org/t/security-fixes-for-signal-handling-in-gdbus-in-glib/20882/1" + ], + "relatedVulnerabilities": [ + "USN-6768-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-34397.html", + "vendorCreatedAt": "2024-05-07T14:15:00-04:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2024-34397", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "libglib2.0-0", + "packageManager": "OS", + "release": "0ubuntu2.2", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "2.72.4" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 0.0, + "severity": "MEDIUM", + "status": "ACTIVE", + "title": "CVE-2024-34397 - libglib2.0-0", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-06-24T18:37:02.715000-04:00" + }, + { 
+ "awsAccountId": "772215651096", + "description": " OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.8 and earlier, when starting the cupsd server with a Listen configuration item pointing to a symbolic link, the cupsd process can be caused to perform an arbitrary chmod of the provided argument, providing world-writable access to the target. Given that cupsd is often running as root, this can result in the change of permission of any user or system files to be world writable. Given the aforementioned Ubuntu AppArmor context, on such systems this vulnerability is limited to those files modifiable by the cupsd process. In that specific case it was found to be possible to turn the configuration of the Listen argument into full control over the cupsd.conf and cups-files.conf configuration files. By later setting the User and Group arguments in cups-files.conf, and printing with a printer configured by PPD with a `FoomaticRIPCommandLine` argument, arbitrary user and group (not root) command execut", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/3c15e6ce997fec4b56a668128fd0a41a", + "firstObservedAt": "2024-06-24T18:37:02.715000-04:00", + "lastObservedAt": "2024-06-27T18:30:39.838000-04:00", + "packageVulnerabilityDetails": { + "cvss": [ + { + "baseScore": 4.4, + "scoringVector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", + "source": "UBUNTU_CVE", + "version": "3.1" + } + ], + "referenceUrls": [ + "https://www.cve.org/CVERecord?id=CVE-2024-35235", + "https://ubuntu.com/security/notices/USN-6844-1" + ], + "relatedVulnerabilities": [ + "USN-6844-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-35235.html", + "vendorCreatedAt": "2024-06-11T11:16:00-04:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2024-35235", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "cups", + 
"packageManager": "OS", + "release": "1ubuntu4.8", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "2.4.1op1" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 4.4, + "scoreDetails": { + "cvss": { + "adjustments": [], + "score": 4.4, + "scoreSource": "UBUNTU_CVE", + "scoringVector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", + "version": "3.1" + } + }, + "severity": "MEDIUM", + "status": "ACTIVE", + "title": "CVE-2024-35235 - cups", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-06-27T18:30:39.838000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you many be impacted to these vulnerabilities. The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities. Users are advised to upgrade. 
Users unable to upgrade should avoid parsing untrusted XML strings.", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/415c416bb93123af606377d98f54d8d9", + "firstObservedAt": "2024-07-17T19:01:56.787000-04:00", + "lastObservedAt": "2024-07-17T19:01:56.787000-04:00", + "packageVulnerabilityDetails": { + "cvss": [], + "referenceUrls": [ + "https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908" + ], + "relatedVulnerabilities": [], + "source": "NVD", + "sourceUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-39908", + "vendorCreatedAt": "2024-07-16T14:15:08-04:00", + "vendorUpdatedAt": "2024-07-17T09:34:20-04:00", + "vulnerabilityId": "CVE-2024-39908", + "vulnerablePackages": [ + { + "epoch": 0, + "filePath": "var/tmp/puppetserver/dropsonde/gems/puppet-8.5.1/Gemfile.lock", + "name": "rexml", + "packageManager": "BUNDLER", + "sourceLayerHash": "sha256:a42c8bec3e631bf1bfe45dae836da4ab8d4d0505f94487403f1df5fa3d66c526", + "version": "3.2.6" + }, + { + "epoch": 0, + "filePath": "var/lib/gems/3.0.0/gems/cri-2.15.11/Gemfile.lock", + "name": "rexml", + "packageManager": "BUNDLER", + "sourceLayerHash": "sha256:a42c8bec3e631bf1bfe45dae836da4ab8d4d0505f94487403f1df5fa3d66c526", + "version": "3.2.4" + }, + { + "epoch": 0, + "filePath": "var/tmp/puppetserver/vendored-jruby-gems/specifications/rexml-3.2.5.gemspec", + "name": "rexml", + "packageManager": "GEMSPEC", + "sourceLayerHash": "sha256:a42c8bec3e631bf1bfe45dae836da4ab8d4d0505f94487403f1df5fa3d66c526", + "version": "3.2.5" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": 
"arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 0.0, + "severity": "UNTRIAGED", + "status": "ACTIVE", + "title": "CVE-2024-39908 - rexml, rexml and 1 more", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-07-17T19:01:56.787000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when [CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/417c81610f173ecab19b2601c6681be2", + "firstObservedAt": "2024-08-06T20:26:44.151000-04:00", + "lastObservedAt": "2024-08-08T20:10:15.923000-04:00", + "packageVulnerabilityDetails": { + "cvss": [], + "referenceUrls": [ + "https://ubuntu.com/security/notices/USN-6944-1", + "https://www.cve.org/CVERecord?id=CVE-2024-7264" + ], + "relatedVulnerabilities": [ + "USN-6944-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-7264.html", + "vendorCreatedAt": "2024-07-31T04:15:00-04:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2024-7264", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "curl", + "packageManager": "OS", + "release": "1ubuntu1.16", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "7.81.0" + }, + { + "arch": "AMD64", + "epoch": 0, + "name": 
"libcurl3-gnutls", + "packageManager": "OS", + "release": "1ubuntu1.16", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "7.81.0" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 0.0, + "severity": "MEDIUM", + "status": "ACTIVE", + "title": "CVE-2024-7264 - curl, libcurl3-gnutls", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-08T20:10:15.923000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": "An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. 
For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1.", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/41e58cda8f585b5cae38713b64bda9ae", + "firstObservedAt": "2024-05-23T18:01:47.280000-04:00", + "lastObservedAt": "2024-06-18T21:53:28.400000-04:00", + "packageVulnerabilityDetails": { + "cvss": [], + "referenceUrls": [ + "https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/", + "https://hackerone.com/reports/1187477", + "https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/", + "https://ubuntu.com/security/notices/USN-6838-1", + "https://www.cve.org/CVERecord?id=CVE-2024-27281", + "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-27281.html" + ], + "relatedVulnerabilities": [], + "source": "NVD", + "sourceUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-27281", + "vendorCreatedAt": "2024-05-14T11:11:57-04:00", + "vendorUpdatedAt": "2024-05-14T12:13:02-04:00", + "vulnerabilityId": "CVE-2024-27281", + "vulnerablePackages": [ + { + "epoch": 0, + "filePath": "var/tmp/puppetserver/dropsonde/gems/puppet-8.5.1/Gemfile.lock", + "name": "rdoc", + "packageManager": "BUNDLER", + "sourceLayerHash": "sha256:a42c8bec3e631bf1bfe45dae836da4ab8d4d0505f94487403f1df5fa3d66c526", + "version": "6.3.3" + }, + { + "arch": "AMD64", + "epoch": 0, + "name": "libruby3.0", + "packageManager": "OS", + "release": "7ubuntu2.4", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "3.0.2" + }, + { + "arch": "AMD64", + "epoch": 0, + "name": "ruby3.0", + "packageManager": "OS", + "release": "7ubuntu2.4", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "3.0.2" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": 
"sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 0.0, + "severity": "UNTRIAGED", + "status": "ACTIVE", + "title": "CVE-2024-27281 - rdoc, libruby3.0 and 1 more", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-06-18T21:53:28.400000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/4b32b7431f2a37deec61c3f040eb4f07", + "firstObservedAt": "2024-08-08T20:10:15.923000-04:00", + "lastObservedAt": "2024-08-08T20:10:15.923000-04:00", + "packageVulnerabilityDetails": { + "cvss": [], + "referenceUrls": [ + "https://www.cve.org/CVERecord?id=CVE-2024-37370", + "https://web.mit.edu/kerberos/www/advisories/", + "https://ubuntu.com/security/notices/USN-6947-1" + ], + "relatedVulnerabilities": [ + "USN-6947-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-37370.html", + "vendorCreatedAt": "2024-06-28T18:15:00-04:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2024-37370", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "libkrb5-3", + "packageManager": "OS", + "release": "2ubuntu0.3", + "sourceLayerHash": "sha256:7021d1b70935851c95c45ed18156980b5024eda29b99564429025ea04f5ec109", + "version": "1.19.2" + }, + { + "arch": "AMD64", + "epoch": 0, + "name": 
"libgssapi-krb5-2", + "packageManager": "OS", + "release": "2ubuntu0.3", + "sourceLayerHash": "sha256:7021d1b70935851c95c45ed18156980b5024eda29b99564429025ea04f5ec109", + "version": "1.19.2" + }, + { + "arch": "AMD64", + "epoch": 0, + "name": "libkrb5support0", + "packageManager": "OS", + "release": "2ubuntu0.3", + "sourceLayerHash": "sha256:7021d1b70935851c95c45ed18156980b5024eda29b99564429025ea04f5ec109", + "version": "1.19.2" + }, + { + "arch": "AMD64", + "epoch": 0, + "name": "libk5crypto3", + "packageManager": "OS", + "release": "2ubuntu0.3", + "sourceLayerHash": "sha256:7021d1b70935851c95c45ed18156980b5024eda29b99564429025ea04f5ec109", + "version": "1.19.2" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 0.0, + "severity": "MEDIUM", + "status": "ACTIVE", + "title": "CVE-2024-37370 - libkrb5-3, libgssapi-krb5-2 and 2 more", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-08T20:10:15.923000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": "\n It was discovered that OpenSSL failed to choose an appropriately short\n private key size when computing shared-secrets in the Diffie-Hellman Key\n Agreement Protocol. 
A remote attacker could possibly use this issue to\n cause OpenSSL to consume resources, resulting in a denial of service.", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/4b94ef99c240420d407e4d78f21f93cf", + "firstObservedAt": "2024-06-27T18:30:39.838000-04:00", + "lastObservedAt": "2024-08-08T20:10:15.923000-04:00", + "packageVulnerabilityDetails": { + "cvss": [ + { + "baseScore": 7.5, + "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": "UBUNTU_CVE", + "version": "3.1" + }, + { + "baseScore": 7.5, + "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": "NVD", + "version": "3.1" + } + ], + "referenceUrls": [ + "https://www.rfc-editor.org/rfc/rfc5114", + "https://ubuntu.com/security/notices/USN-6854-1", + "https://www.rfc-editor.org/rfc/rfc7919", + "https://www.rfc-editor.org/rfc/rfc3526", + "https://www.rfc-editor.org/rfc/rfc4419", + "https://ieeexplore.ieee.org/document/10374117", + "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf", + "https://www.cve.org/CVERecord?id=CVE-2022-40735" + ], + "relatedVulnerabilities": [ + "USN-6854-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-40735.html", + "vendorCreatedAt": "2022-11-14T18:15:00-05:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2022-40735", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "libssl3", + "packageManager": "OS", + "release": "0ubuntu1.15", + "sourceLayerHash": "sha256:7021d1b70935851c95c45ed18156980b5024eda29b99564429025ea04f5ec109", + "version": "3.0.2" + }, + { + "arch": "AMD64", + "epoch": 0, + "name": "openssl", + "packageManager": "OS", + "release": "0ubuntu1.15", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "3.0.2" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + 
"details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 7.5, + "scoreDetails": { + "cvss": { + "adjustments": [], + "score": 7.5, + "scoreSource": "UBUNTU_CVE", + "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + } + }, + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2022-40735 - libssl3, openssl", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-08T20:10:15.923000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " nscd: netgroup cache assumes NSS callback uses in-buffer strings The Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory when the NSS callback does not store all strings in the provided buffer. The flaw was introduced in glibc 2.15 when the cache was added to nscd. 
This vulnerability is only present in the nscd binary.", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/4c91b482443f2a55ab52d60e645d9488", + "firstObservedAt": "2024-06-01T19:28:26.369000-04:00", + "lastObservedAt": "2024-08-08T20:10:15.923000-04:00", + "packageVulnerabilityDetails": { + "cvss": [], + "referenceUrls": [ + "https://www.cve.org/CVERecord?id=CVE-2024-33602", + "https://sourceware.org/bugzilla/show_bug.cgi?id=31680", + "https://ubuntu.com/security/notices/USN-6804-1", + "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + ], + "relatedVulnerabilities": [ + "USN-6804-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-33602.html", + "vendorCreatedAt": "2024-05-06T16:15:00-04:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2024-33602", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "libc6", + "packageManager": "OS", + "release": "0ubuntu3.6", + "sourceLayerHash": "sha256:7021d1b70935851c95c45ed18156980b5024eda29b99564429025ea04f5ec109", + "version": "2.35" + }, + { + "arch": "AMD64", + "epoch": 0, + "name": "libc-bin", + "packageManager": "OS", + "release": "0ubuntu3.6", + "sourceLayerHash": "sha256:7021d1b70935851c95c45ed18156980b5024eda29b99564429025ea04f5ec109", + "version": "2.35" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": 
"AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 0.0, + "severity": "MEDIUM", + "status": "ACTIVE", + "title": "CVE-2024-33602 - libc6, libc-bin", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-08T20:10:15.923000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. 
As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources.", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/4eb04c19ed882c3afb54615e85aac8a1", + "firstObservedAt": "2024-05-29T19:52:31.486000-04:00", + "lastObservedAt": "2024-08-06T20:26:44.151000-04:00", + "packageVulnerabilityDetails": { + "cvss": [], + "referenceUrls": [ + "https://www.cve.org/CVERecord?id=CVE-2024-32465", + "https://ubuntu.com/security/notices/USN-6793-1" + ], + "relatedVulnerabilities": [ + "USN-6793-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-32465.html", + "vendorCreatedAt": "2024-05-14T16:15:00-04:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2024-32465", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 1, + "name": "git", + "packageManager": "OS", + "release": "1ubuntu1.10", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "2.34.1" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 0.0, + "severity": "MEDIUM", + "status": "ACTIVE", + "title": "CVE-2024-32465 - git", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-06T20:26:44.151000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " Git is a revision control system. 
Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/59803501bebc6c6b8e111e53a9c9caa8", + "firstObservedAt": "2024-05-29T19:52:31.486000-04:00", + "lastObservedAt": "2024-08-08T20:10:15.923000-04:00", + "packageVulnerabilityDetails": { + "cvss": [ + { + "baseScore": 9.0, + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", + "source": "UBUNTU_CVE", + "version": "3.1" + }, + { + "baseScore": 9.0, + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", + "source": "NVD", + "version": "3.1" + } + ], + "referenceUrls": [ + "https://www.cve.org/CVERecord?id=CVE-2024-32002", + "https://ubuntu.com/security/notices/USN-6793-2", + "https://ubuntu.com/security/notices/USN-6793-1" + ], + "relatedVulnerabilities": [ + "USN-6793-1", + "USN-6793-2" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-32002.html", + "vendorCreatedAt": "2024-05-14T15:15:00-04:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2024-32002", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 1, + "name": "git", + "packageManager": "OS", + "release": "1ubuntu1.10", + "sourceLayerHash": 
"sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "2.34.1" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 9.0, + "scoreDetails": { + "cvss": { + "adjustments": [], + "score": 9.0, + "scoreSource": "UBUNTU_CVE", + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", + "version": "3.1" + } + }, + "severity": "CRITICAL", + "status": "ACTIVE", + "title": "CVE-2024-32002 - git", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-08T20:10:15.923000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. 
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/6558d9495e5c810a45aa0f0084d34c7b", + "firstObservedAt": "2024-06-06T19:47:37.966000-04:00", + "lastObservedAt": "2024-06-24T18:37:02.715000-04:00", + "packageVulnerabilityDetails": { + "cvss": [ + { + "baseScore": 3.7, + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "source": "UBUNTU_CVE", + "version": "3.1" + }, + { + "baseScore": 3.7, + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "source": "NVD", + "version": "3.1" + } + ], + "referenceUrls": [ + "https://www.cve.org/CVERecord?id=CVE-2024-21012", + "https://ubuntu.com/security/notices/USN-6811-1", + "https://ubuntu.com/security/notices/USN-6812-1", + "https://ubuntu.com/security/notices/USN-6813-1", + "https://www.oracle.com/security-alerts/cpuapr2024.html" + ], + "relatedVulnerabilities": [ + "USN-6811-1", + "USN-6812-1", + "USN-6813-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-21012.html", + "vendorCreatedAt": "2024-04-16T18:15:00-04:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2024-21012", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "openjdk-17-jre-headless", + "packageManager": "OS", + "release": "1~22.04.1", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "17.0.10+7" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + 
"imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 3.7, + "scoreDetails": { + "cvss": { + "adjustments": [], + "score": 3.7, + "scoreSource": "UBUNTU_CVE", + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "version": "3.1" + } + }, + "severity": "LOW", + "status": "ACTIVE", + "title": "CVE-2024-21012 - openjdk-17-jre-headless", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-06-24T18:37:02.715000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " A buffer-overread issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value. 
3.0.3 is the main fixed version; however, for Ruby 3.0 users, a fixed version is stringio 3.0.1.1, and for Ruby 3.1 users, a fixed version is stringio 3.0.1.2.", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/657dee8fa73606b73a9826bde457735b", + "firstObservedAt": "2024-06-27T18:30:39.838000-04:00", + "lastObservedAt": "2024-06-27T18:30:39.838000-04:00", + "packageVulnerabilityDetails": { + "cvss": [], + "referenceUrls": [ + "https://ubuntu.com/security/notices/USN-6853-1", + "https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280/", + "https://www.cve.org/CVERecord?id=CVE-2024-27280" + ], + "relatedVulnerabilities": [ + "USN-6853-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-27280.html", + "vendorCreatedAt": "2024-05-14T11:11:00-04:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2024-27280", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "libruby3.0", + "packageManager": "OS", + "release": "7ubuntu2.4", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "3.0.2" + }, + { + "arch": "AMD64", + "epoch": 0, + "name": "ruby3.0", + "packageManager": "OS", + "release": "7ubuntu2.4", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "3.0.2" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": 
"arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 0.0, + "severity": "MEDIUM", + "status": "ACTIVE", + "title": "CVE-2024-27280 - libruby3.0, ruby3.0", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-06-27T18:30:39.838000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/6a533507730150dd344f45eb94606503", + "firstObservedAt": "2024-08-08T20:10:15.923000-04:00", + "lastObservedAt": "2024-08-08T20:10:15.923000-04:00", + "packageVulnerabilityDetails": { + "cvss": [], + "referenceUrls": [ + "https://web.mit.edu/kerberos/www/advisories/", + "https://ubuntu.com/security/notices/USN-6947-1", + "https://www.cve.org/CVERecord?id=CVE-2024-37371" + ], + "relatedVulnerabilities": [ + "USN-6947-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-37371.html", + "vendorCreatedAt": "2024-06-28T19:15:00-04:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2024-37371", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "libkrb5-3", + "packageManager": "OS", + "release": "2ubuntu0.3", + "sourceLayerHash": "sha256:7021d1b70935851c95c45ed18156980b5024eda29b99564429025ea04f5ec109", + "version": "1.19.2" + }, + { + "arch": "AMD64", + "epoch": 0, + "name": "libgssapi-krb5-2", + "packageManager": "OS", + "release": "2ubuntu0.3", + "sourceLayerHash": "sha256:7021d1b70935851c95c45ed18156980b5024eda29b99564429025ea04f5ec109", + "version": "1.19.2" + }, + { + "arch": "AMD64", + "epoch": 0, + "name": "libkrb5support0", + "packageManager": "OS", + "release": "2ubuntu0.3", + 
"sourceLayerHash": "sha256:7021d1b70935851c95c45ed18156980b5024eda29b99564429025ea04f5ec109", + "version": "1.19.2" + }, + { + "arch": "AMD64", + "epoch": 0, + "name": "libk5crypto3", + "packageManager": "OS", + "release": "2ubuntu0.3", + "sourceLayerHash": "sha256:7021d1b70935851c95c45ed18156980b5024eda29b99564429025ea04f5ec109", + "version": "1.19.2" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 0.0, + "severity": "MEDIUM", + "status": "ACTIVE", + "title": "CVE-2024-37371 - libkrb5-3, libgssapi-krb5-2 and 2 more", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-08T20:10:15.923000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. 
Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which suppl", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/6c24a6482f09027e55e7859d3beef4b9", + "firstObservedAt": "2024-07-31T18:37:29.913000-04:00", + "lastObservedAt": "2024-08-01T17:17:33.239000-04:00", + "packageVulnerabilityDetails": { + "cvss": [], + "referenceUrls": [ + "https://www.oracle.com/security-alerts/cpujul2024.html", + "https://www.cve.org/CVERecord?id=CVE-2024-21145", + "https://ubuntu.com/security/notices/USN-6932-1", + "https://ubuntu.com/security/notices/USN-6931-1", + "https://ubuntu.com/security/notices/USN-6930-1", + "https://ubuntu.com/security/notices/USN-6929-1" + ], + "relatedVulnerabilities": [ + "USN-6932-1", + "USN-6931-1", + "USN-6930-1", + "USN-6929-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-21145.html", + "vendorCreatedAt": "2024-07-16T19:15:00-04:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2024-21145", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "openjdk-17-jre-headless", + "packageManager": "OS", + "release": "1~22.04.1", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "17.0.10+7" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + 
"platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 0.0, + "severity": "MEDIUM", + "status": "ACTIVE", + "title": "CVE-2024-21145 - openjdk-17-jre-headless", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-01T17:17:33.239000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " nscd: Stack-based buffer overflow in netgroup cache If the Name Service Cache Daemon's (nscd) fixed size cache is exhausted by client requests then a subsequent client request for netgroup data may result in a stack-based buffer overflow. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/6da2bcc342204a71dcf79b090629b8f9", + "firstObservedAt": "2024-06-01T19:28:26.369000-04:00", + "lastObservedAt": "2024-08-08T20:10:15.923000-04:00", + "packageVulnerabilityDetails": { + "cvss": [], + "referenceUrls": [ + "https://www.cve.org/CVERecord?id=CVE-2024-33599", + "https://ubuntu.com/security/notices/USN-6804-1", + "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + ], + "relatedVulnerabilities": [ + "USN-6804-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-33599.html", + "vendorCreatedAt": "2024-05-06T16:15:00-04:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2024-33599", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "libc6", + "packageManager": "OS", + "release": "0ubuntu3.6", + "sourceLayerHash": "sha256:7021d1b70935851c95c45ed18156980b5024eda29b99564429025ea04f5ec109", + 
"version": "2.35" + }, + { + "arch": "AMD64", + "epoch": 0, + "name": "libc-bin", + "packageManager": "OS", + "release": "0ubuntu3.6", + "sourceLayerHash": "sha256:7021d1b70935851c95c45ed18156980b5024eda29b99564429025ea04f5ec109", + "version": "2.35" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 0.0, + "severity": "MEDIUM", + "status": "ACTIVE", + "title": "CVE-2024-33599 - libc6, libc-bin", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-08T20:10:15.923000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the \"certtool --verify-chain\" command.", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/743ec392641da722106fbe15cc2a59f9", + "firstObservedAt": "2024-05-23T18:01:47.280000-04:00", + "lastObservedAt": "2024-06-24T18:37:02.715000-04:00", + "packageVulnerabilityDetails": { + "cvss": [], + "referenceUrls": [ + "https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html", + "https://ubuntu.com/security/notices/USN-6733-1", + "https://access.redhat.com/security/cve/CVE-2024-28835", + "https://www.gnutls.org/security-new.html", + "https://www.cve.org/CVERecord?id=CVE-2024-28835", + "https://ubuntu.com/security/notices/USN-6733-2" + ], + 
"relatedVulnerabilities": [ + "USN-6733-2", + "USN-6733-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-28835.html", + "vendorCreatedAt": "2024-03-21T02:15:00-04:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2024-28835", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "libgnutls30", + "packageManager": "OS", + "release": "4ubuntu1.4", + "sourceLayerHash": "sha256:7021d1b70935851c95c45ed18156980b5024eda29b99564429025ea04f5ec109", + "version": "3.7.3" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 0.0, + "severity": "MEDIUM", + "status": "ACTIVE", + "title": "CVE-2024-28835 - libgnutls30", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-06-24T18:37:02.715000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. 
Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which s", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/75b19a30be4817f908f23e04ad335875", + "firstObservedAt": "2024-07-31T18:37:29.913000-04:00", + "lastObservedAt": "2024-08-01T17:17:33.239000-04:00", + "packageVulnerabilityDetails": { + "cvss": [ + { + "baseScore": 4.8, + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "source": "UBUNTU_CVE", + "version": "3.1" + }, + { + "baseScore": 4.8, + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "source": "NVD", + "version": "3.1" + } + ], + "referenceUrls": [ + "https://www.oracle.com/security-alerts/cpujul2024.html", + "https://ubuntu.com/security/notices/USN-6932-1", + "https://www.cve.org/CVERecord?id=CVE-2024-21140", + "https://ubuntu.com/security/notices/USN-6931-1", + "https://ubuntu.com/security/notices/USN-6930-1", + "https://ubuntu.com/security/notices/USN-6929-1" + ], + "relatedVulnerabilities": [ + "USN-6932-1", + "USN-6931-1", + "USN-6930-1", + "USN-6929-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-21140.html", + "vendorCreatedAt": "2024-07-16T19:15:00-04:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2024-21140", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "openjdk-17-jre-headless", + 
"packageManager": "OS", + "release": "1~22.04.1", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "17.0.10+7" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 4.8, + "scoreDetails": { + "cvss": { + "adjustments": [], + "score": 4.8, + "scoreSource": "UBUNTU_CVE", + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "version": "3.1" + } + }, + "severity": "MEDIUM", + "status": "ACTIVE", + "title": "CVE-2024-21140 - openjdk-17-jre-headless", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-01T17:17:33.239000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, local clones may end up hardlinking files into the target repository's object database when source and target repository reside on the same disk. If the source repository is owned by a different user, then those hardlinked files may be rewritten at any point in time by the untrusted user. Cloning local repositories will cause Git to either copy or hardlink files of the source repository into the target repository. This significantly speeds up such local clones compared to doing a \"proper\" clone and saves both disk space and compute time. 
When cloning a repository located on the same disk that is owned by a different user than the current user we also end up creating such hardlinks. These files will continue to be owned and controlled by the potentially-untrusted user and can be rewritten by them at will in the future. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, ", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/7a6aab81f0483445d87681f43f427a69", + "firstObservedAt": "2024-05-29T19:52:31.486000-04:00", + "lastObservedAt": "2024-08-06T20:26:44.151000-04:00", + "packageVulnerabilityDetails": { + "cvss": [], + "referenceUrls": [ + "https://ubuntu.com/security/notices/USN-6793-1", + "https://www.cve.org/CVERecord?id=CVE-2024-32020" + ], + "relatedVulnerabilities": [ + "USN-6793-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-32020.html", + "vendorCreatedAt": "2024-05-14T15:15:00-04:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2024-32020", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 1, + "name": "git", + "packageManager": "OS", + "release": "1ubuntu1.10", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "2.34.1" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 0.0, + "severity": 
"MEDIUM", + "status": "ACTIVE", + "title": "CVE-2024-32020 - git", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-06T20:26:44.151000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": "The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/7e776741c40ba541ade76cf914e87b00", + "firstObservedAt": "2024-05-23T18:01:47.280000-04:00", + "lastObservedAt": "2024-08-06T20:26:44.151000-04:00", + "packageVulnerabilityDetails": { + "cvss": [ + { + "baseScore": 7.5, + "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "source": "NVD", + "version": "3.1" + } + ], + "referenceUrls": [ + "https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTVFTLFVCSUE5CXHINJEUCKSHU4SWDMT/" + ], + "relatedVulnerabilities": [], + "source": "NVD", + "sourceUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-28965", + "vendorCreatedAt": "2021-04-21T03:15:07-04:00", + "vendorSeverity": "HIGH", + "vendorUpdatedAt": "2023-11-06T22:32:25-05:00", + "vulnerabilityId": "CVE-2021-28965", + "vulnerablePackages": [ + { + "epoch": 0, + "filePath": "var/lib/gems/3.0.0/gems/cri-2.15.11/Gemfile.lock", + "name": "rexml", + "packageManager": "BUNDLER", + "sourceLayerHash": "sha256:a42c8bec3e631bf1bfe45dae836da4ab8d4d0505f94487403f1df5fa3d66c526", + "version": "3.2.4" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": 
"2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 7.5, + "scoreDetails": { + "cvss": { + "adjustments": [], + "score": 7.5, + "scoreSource": "NVD", + "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "version": "3.1" + } + }, + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2021-28965 - rexml", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-06T20:26:44.151000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " Use After Free with SSL_free_buffers", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/83deb784c8a22e4f648aa0a529d3189e", + "firstObservedAt": "2024-08-01T17:17:33.239000-04:00", + "lastObservedAt": "2024-08-01T17:17:33.239000-04:00", + "packageVulnerabilityDetails": { + "cvss": [], + "referenceUrls": [ + "https://www.cve.org/CVERecord?id=CVE-2024-4741", + "https://ubuntu.com/security/notices/USN-6937-1", + "https://www.openssl.org/news/secadv/20240528.txt" + ], + "relatedVulnerabilities": [ + "USN-6937-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-4741.html", + "vendorCreatedAt": "2024-05-27T20:00:00-04:00", + "vulnerabilityId": "CVE-2024-4741", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "libssl3", + "packageManager": "OS", + "release": "0ubuntu1.15", + "sourceLayerHash": "sha256:7021d1b70935851c95c45ed18156980b5024eda29b99564429025ea04f5ec109", + "version": "3.0.2" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": 
"sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 0.0, + "severity": "UNTRIAGED", + "status": "ACTIVE", + "title": "CVE-2024-4741 - libssl3", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-01T17:17:33.239000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " nscd: netgroup cache may terminate daemon on memory allocation failure The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or xrealloc and these functions may terminate the process due to a memory allocation failure resulting in a denial of service to the clients. The flaw was introduced in glibc 2.15 when the cache was added to nscd. 
This vulnerability is only present in the nscd binary.", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/8d961fce86e328d5d26b2ba6ed323f61", + "firstObservedAt": "2024-06-01T19:28:26.369000-04:00", + "lastObservedAt": "2024-08-08T20:10:15.923000-04:00", + "packageVulnerabilityDetails": { + "cvss": [], + "referenceUrls": [ + "https://www.cve.org/CVERecord?id=CVE-2024-33601", + "https://ubuntu.com/security/notices/USN-6804-1", + "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + ], + "relatedVulnerabilities": [ + "USN-6804-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-33601.html", + "vendorCreatedAt": "2024-05-06T16:15:00-04:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2024-33601", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "libc6", + "packageManager": "OS", + "release": "0ubuntu3.6", + "sourceLayerHash": "sha256:7021d1b70935851c95c45ed18156980b5024eda29b99564429025ea04f5ec109", + "version": "2.35" + }, + { + "arch": "AMD64", + "epoch": 0, + "name": "libc-bin", + "packageManager": "OS", + "release": "0ubuntu3.6", + "sourceLayerHash": "sha256:7021d1b70935851c95c45ed18156980b5024eda29b99564429025ea04f5ec109", + "version": "2.35" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 0.0, + "severity": 
"MEDIUM", + "status": "ACTIVE", + "title": "CVE-2024-33601 - libc6, libc-bin", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-08T20:10:15.923000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. Cloning a local repository over the filesystem may creating hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's `objects/` directory. When cloning a repository over the filesystem (without explicitly specifying the `file://` protocol or `--no-local`), the optimizations for local cloning will be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. 
If the object on the filesystem appears as a ", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/90ee93a22e8e2ff126c29230bdabbb70", + "firstObservedAt": "2024-05-29T19:52:31.486000-04:00", + "lastObservedAt": "2024-08-08T20:10:15.923000-04:00", + "packageVulnerabilityDetails": { + "cvss": [], + "referenceUrls": [ + "https://ubuntu.com/security/notices/USN-6793-1", + "https://www.cve.org/CVERecord?id=CVE-2024-32021" + ], + "relatedVulnerabilities": [ + "USN-6793-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-32021.html", + "vendorCreatedAt": "2024-05-14T16:15:00-04:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2024-32021", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 1, + "name": "git", + "packageManager": "OS", + "release": "1ubuntu1.10", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "2.34.1" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 0.0, + "severity": "MEDIUM", + "status": "ACTIVE", + "title": "CVE-2024-32021 - git", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-08T20:10:15.923000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle 
Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2 and 22; Oracle GraalVM Enterprise Edition: 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applet", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/92539af18170213c93065de7a823b0de", + "firstObservedAt": "2024-06-06T19:47:37.966000-04:00", + "lastObservedAt": "2024-06-24T18:37:02.715000-04:00", + "packageVulnerabilityDetails": { + "cvss": [ + { + "baseScore": 3.7, + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "source": "UBUNTU_CVE", + "version": "3.1" + }, + { + "baseScore": 3.7, + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "source": "NVD", + "version": "3.1" + } + ], + "referenceUrls": [ + "https://www.cve.org/CVERecord?id=CVE-2024-21068", + "https://ubuntu.com/security/notices/USN-6810-1", + "https://ubuntu.com/security/notices/USN-6811-1", + "https://ubuntu.com/security/notices/USN-6812-1", + "https://ubuntu.com/security/notices/USN-6813-1", + "https://www.oracle.com/security-alerts/cpuapr2024.html" + ], + "relatedVulnerabilities": [ + "USN-6810-1", + "USN-6811-1", + "USN-6812-1", + "USN-6813-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": 
"https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-21068.html", + "vendorCreatedAt": "2024-04-16T18:15:00-04:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2024-21068", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "openjdk-17-jre-headless", + "packageManager": "OS", + "release": "1~22.04.1", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "17.0.10+7" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 3.7, + "scoreDetails": { + "cvss": { + "adjustments": [], + "score": 3.7, + "scoreSource": "UBUNTU_CVE", + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "version": "3.1" + } + }, + "severity": "LOW", + "status": "ACTIVE", + "title": "CVE-2024-21068 - openjdk-17-jre-headless", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-06-24T18:37:02.715000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. Impact summary: A buffer overread can have a range of potential consequences such as unexpected application beahviour or a crash. 
In particular this issue could result in up to 255 bytes of arbitrary private data from memory being sent to the peer leading to a loss of confidentiality. However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control but may occur by accident in the case of a configuration or programming error in the calling application. The OpenSSL API function SSL_select_next_proto is typically used by TLS applications that support ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation). NPN is older, was ne", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/933136c95c3b1bcb1ebef6e72b6e83fb", + "firstObservedAt": "2024-08-01T17:17:33.239000-04:00", + "lastObservedAt": "2024-08-08T20:10:15.923000-04:00", + "packageVulnerabilityDetails": { + "cvss": [], + "referenceUrls": [ + "https://openssl.org/news/secadv/20240627.txt", + "https://www.cve.org/CVERecord?id=CVE-2024-5535", + "https://ubuntu.com/security/notices/USN-6937-1" + ], + "relatedVulnerabilities": [ + "USN-6937-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-5535.html", + "vendorCreatedAt": "2024-06-27T07:15:00-04:00", + "vulnerabilityId": "CVE-2024-5535", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "libssl3", + "packageManager": "OS", + "release": "0ubuntu1.15", + "sourceLayerHash": "sha256:7021d1b70935851c95c45ed18156980b5024eda29b99564429025ea04f5ec109", + "version": "3.0.2" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", 
+ "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 0.0, + "severity": "UNTRIAGED", + "status": "ACTIVE", + "title": "CVE-2024-5535 - libssl3", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-08T20:10:15.923000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted to this vulnerability. The REXML gem 3.2.7 or later include the patch to fix this vulnerability. As a workaround, don't parse untrusted XMLs.", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/9747a7ec4aa80a5b8d74c40677c3c870", + "firstObservedAt": "2024-05-23T18:01:47.280000-04:00", + "lastObservedAt": "2024-06-18T21:53:28.400000-04:00", + "packageVulnerabilityDetails": { + "cvss": [], + "referenceUrls": [ + "https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176" + ], + "relatedVulnerabilities": [], + "source": "NVD", + "sourceUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-35176", + "vendorCreatedAt": "2024-05-16T12:15:09-04:00", + "vendorUpdatedAt": "2024-05-17T14:36:31-04:00", + "vulnerabilityId": "CVE-2024-35176", + "vulnerablePackages": [ + { + "epoch": 0, + "filePath": "var/tmp/puppetserver/dropsonde/gems/puppet-8.5.1/Gemfile.lock", + "name": "rexml", + "packageManager": "BUNDLER", + "sourceLayerHash": "sha256:a42c8bec3e631bf1bfe45dae836da4ab8d4d0505f94487403f1df5fa3d66c526", + "version": "3.2.6" + }, + { + "epoch": 0, + "filePath": "var/lib/gems/3.0.0/gems/cri-2.15.11/Gemfile.lock", + "name": "rexml", + "packageManager": "BUNDLER", + 
"sourceLayerHash": "sha256:a42c8bec3e631bf1bfe45dae836da4ab8d4d0505f94487403f1df5fa3d66c526", + "version": "3.2.4" + }, + { + "epoch": 0, + "filePath": "var/tmp/puppetserver/vendored-jruby-gems/specifications/rexml-3.2.5.gemspec", + "name": "rexml", + "packageManager": "GEMSPEC", + "sourceLayerHash": "sha256:a42c8bec3e631bf1bfe45dae836da4ab8d4d0505f94487403f1df5fa3d66c526", + "version": "3.2.5" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 0.0, + "severity": "UNTRIAGED", + "status": "ACTIVE", + "title": "CVE-2024-35176 - rexml, rexml and 1 more", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-06-18T21:53:28.400000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": "YARD is a Ruby Documentation tool. The \"frames.html\" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the \"frames.erb\" template file. 
This vulnerability is fixed in 0.9.36.", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/aae6dfa1f3e9ebe2449277ecef59f444", + "firstObservedAt": "2024-05-23T18:01:47.280000-04:00", + "lastObservedAt": "2024-08-08T20:10:15.923000-04:00", + "packageVulnerabilityDetails": { + "cvss": [], + "referenceUrls": [ + "https://lists.debian.org/debian-lts-announce/2024/03/msg00006.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MR3Z2E2UIZZ7YOR7R645EVSBGWMB2RGA/" + ], + "relatedVulnerabilities": [], + "source": "NVD", + "sourceUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-27285", + "vendorCreatedAt": "2024-02-28T15:15:41-05:00", + "vendorUpdatedAt": "2024-03-20T23:15:48-04:00", + "vulnerabilityId": "CVE-2024-27285", + "vulnerablePackages": [ + { + "epoch": 0, + "filePath": "var/lib/gems/3.0.0/gems/cri-2.15.11/Gemfile.lock", + "name": "yard", + "packageManager": "BUNDLER", + "sourceLayerHash": "sha256:a42c8bec3e631bf1bfe45dae836da4ab8d4d0505f94487403f1df5fa3d66c526", + "version": "0.9.26" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 0.0, + "severity": "UNTRIAGED", + "status": "ACTIVE", + "title": "CVE-2024-27285 - yard", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-08T20:10:15.923000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": "REXML is an XML toolkit 
for Ruby. The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, `>]` and `]>`. The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities.", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/b320c123dd713ef507a4ef3dad1efd95", + "firstObservedAt": "2024-08-01T17:17:33.239000-04:00", + "lastObservedAt": "2024-08-02T16:59:09.469000-04:00", + "packageVulnerabilityDetails": { + "cvss": [], + "referenceUrls": [ + "https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123" + ], + "relatedVulnerabilities": [], + "source": "NVD", + "sourceUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-41123", + "vendorCreatedAt": "2024-08-01T11:15:13-04:00", + "vendorUpdatedAt": "2024-08-01T12:45:25-04:00", + "vulnerabilityId": "CVE-2024-41123", + "vulnerablePackages": [ + { + "epoch": 0, + "filePath": "var/tmp/puppetserver/dropsonde/gems/puppet-8.5.1/Gemfile.lock", + "name": "rexml", + "packageManager": "BUNDLER", + "sourceLayerHash": "sha256:a42c8bec3e631bf1bfe45dae836da4ab8d4d0505f94487403f1df5fa3d66c526", + "version": "3.2.6" + }, + { + "epoch": 0, + "filePath": "var/lib/gems/3.0.0/gems/cri-2.15.11/Gemfile.lock", + "name": "rexml", + "packageManager": "BUNDLER", + "sourceLayerHash": "sha256:a42c8bec3e631bf1bfe45dae836da4ab8d4d0505f94487403f1df5fa3d66c526", + "version": "3.2.4" + }, + { + "epoch": 0, + "filePath": "var/tmp/puppetserver/vendored-jruby-gems/specifications/rexml-3.2.5.gemspec", + "name": "rexml", + "packageManager": "GEMSPEC", + "sourceLayerHash": "sha256:a42c8bec3e631bf1bfe45dae836da4ab8d4d0505f94487403f1df5fa3d66c526", + "version": "3.2.5" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + 
"platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 0.0, + "severity": "UNTRIAGED", + "status": "ACTIVE", + "title": "CVE-2024-41123 - rexml, rexml and 1 more", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-02T16:59:09.469000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. 
This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applicati", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/b3ab757154044ee06e3838d9b3dbaf49", + "firstObservedAt": "2024-07-31T18:37:29.913000-04:00", + "lastObservedAt": "2024-08-01T17:17:33.239000-04:00", + "packageVulnerabilityDetails": { + "cvss": [ + { + "baseScore": 3.7, + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "source": "UBUNTU_CVE", + "version": "3.1" + }, + { + "baseScore": 3.7, + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "source": "NVD", + "version": "3.1" + } + ], + "referenceUrls": [ + "https://www.oracle.com/security-alerts/cpujul2024.html", + "https://ubuntu.com/security/notices/USN-6932-1", + "https://ubuntu.com/security/notices/USN-6931-1", + "https://ubuntu.com/security/notices/USN-6930-1", + "https://www.cve.org/CVERecord?id=CVE-2024-21131", + "https://ubuntu.com/security/notices/USN-6929-1" + ], + "relatedVulnerabilities": [ + "USN-6932-1", + "USN-6931-1", + "USN-6930-1", + "USN-6929-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-21131.html", + "vendorCreatedAt": "2024-07-16T19:15:00-04:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2024-21131", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "openjdk-17-jre-headless", + "packageManager": "OS", + "release": "1~22.04.1", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "17.0.10+7" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + 
"registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 3.7, + "scoreDetails": { + "cvss": { + "adjustments": [], + "score": 3.7, + "scoreSource": "UBUNTU_CVE", + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "version": "3.1" + } + }, + "severity": "LOW", + "status": "ACTIVE", + "title": "CVE-2024-21131 - openjdk-17-jre-headless", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-01T17:17:33.239000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. 
This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applica", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/b7ad5cb4ef4819c9d01d144681fd356c", + "firstObservedAt": "2024-07-31T18:37:29.913000-04:00", + "lastObservedAt": "2024-08-01T17:17:33.239000-04:00", + "packageVulnerabilityDetails": { + "cvss": [ + { + "baseScore": 3.7, + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "source": "UBUNTU_CVE", + "version": "3.1" + }, + { + "baseScore": 3.7, + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "source": "NVD", + "version": "3.1" + } + ], + "referenceUrls": [ + "https://www.cve.org/CVERecord?id=CVE-2024-21138", + "https://www.oracle.com/security-alerts/cpujul2024.html", + "https://ubuntu.com/security/notices/USN-6932-1", + "https://ubuntu.com/security/notices/USN-6931-1", + "https://ubuntu.com/security/notices/USN-6930-1", + "https://ubuntu.com/security/notices/USN-6929-1" + ], + "relatedVulnerabilities": [ + "USN-6932-1", + "USN-6931-1", + "USN-6930-1", + "USN-6929-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-21138.html", + "vendorCreatedAt": "2024-07-16T19:15:00-04:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2024-21138", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "openjdk-17-jre-headless", + "packageManager": "OS", + "release": "1~22.04.1", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "17.0.10+7" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": 
"772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 3.7, + "scoreDetails": { + "cvss": { + "adjustments": [], + "score": 3.7, + "scoreSource": "UBUNTU_CVE", + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "version": "3.1" + } + }, + "severity": "LOW", + "status": "ACTIVE", + "title": "CVE-2024-21138 - openjdk-17-jre-headless", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-01T17:17:33.239000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/bed02c740cf4cda476da6de58f9d7475", + "firstObservedAt": "2024-05-23T18:01:47.280000-04:00", + "lastObservedAt": "2024-08-08T20:10:15.923000-04:00", + "packageVulnerabilityDetails": { + "cvss": [ + { + "baseScore": 7.5, + "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": "UBUNTU_CVE", + "version": "3.1" + }, + { + "baseScore": 7.5, + "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": "NVD", + "version": "3.1" + } + ], + "referenceUrls": [ + "https://ubuntu.com/security/notices/USN-6754-1", + "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo", + "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/", + "https://www.cve.org/CVERecord?id=CVE-2023-44487", + "https://nodejs.org/en/blog/vulnerability/october-2023-security-releases", + "https://ubuntu.com/security/notices/USN-6427-1", + "https://ubuntu.com/security/notices/USN-6438-1", + "https://my.f5.com/manage/s/article/K000137106", + 
"https://ubuntu.com/security/notices/USN-6427-2", + "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/", + "https://devblogs.microsoft.com/dotnet/october-2023-updates/", + "https://ubuntu.com/security/notices/USN-6574-1", + "https://ubuntu.com/security/notices/USN-6505-1", + "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html" + ], + "relatedVulnerabilities": [ + "USN-6427-1", + "USN-6438-1", + "USN-6427-2", + "USN-6505-1", + "USN-6754-1", + "USN-6574-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-44487.html", + "vendorCreatedAt": "2023-10-10T10:15:00-04:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2023-44487", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "nghttp2", + "packageManager": "OS", + "release": "1ubuntu0.1", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "1.43.0" + }, + { + "arch": "AMD64", + "epoch": 0, + "name": "libnghttp2-14", + "packageManager": "OS", + "release": "1ubuntu0.1", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "1.43.0" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 7.5, + "scoreDetails": { + "cvss": { + 
"adjustments": [], + "score": 7.5, + "scoreSource": "UBUNTU_CVE", + "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + } + }, + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2023-44487 - nghttp2, libnghttp2-14", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-08T20:10:15.923000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/c210c9980eb42172d1a840ae127e80f9", + "firstObservedAt": "2024-05-23T18:01:47.280000-04:00", + "lastObservedAt": "2024-08-08T20:10:15.923000-04:00", + "packageVulnerabilityDetails": { + "cvss": [], + "referenceUrls": [ + "https://ubuntu.com/security/notices/USN-6762-1", + "https://ubuntu.com/security/notices/USN-6737-1", + "https://www.cve.org/CVERecord?id=CVE-2024-2961", + "https://ubuntu.com/security/notices/USN-6737-2" + ], + "relatedVulnerabilities": [ + "USN-6762-1", + "USN-6737-2", + "USN-6737-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-2961.html", + "vendorCreatedAt": "2024-04-17T14:15:00-04:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2024-2961", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "libc6", + "packageManager": "OS", + "release": "0ubuntu3.6", + "sourceLayerHash": "sha256:7021d1b70935851c95c45ed18156980b5024eda29b99564429025ea04f5ec109", + "version": "2.35" + }, + { + "arch": "AMD64", + "epoch": 0, + "name": "libc-bin", + "packageManager": "OS", + "release": "0ubuntu3.6", + "sourceLayerHash": "sha256:7021d1b70935851c95c45ed18156980b5024eda29b99564429025ea04f5ec109", + "version": "2.35" + } + ] + }, + 
"remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 0.0, + "severity": "MEDIUM", + "status": "ACTIVE", + "title": "CVE-2024-2961 - libc6, libc-bin", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-08T20:10:15.923000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. 
There is no workaround for this vulnerability.", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/c9ad62cdde976ffb7fcf0a5b4bb62f85", + "firstObservedAt": "2024-05-23T18:01:47.280000-04:00", + "lastObservedAt": "2024-08-08T20:10:15.923000-04:00", + "packageVulnerabilityDetails": { + "cvss": [], + "referenceUrls": [ + "https://ubuntu.com/security/notices/USN-6754-1", + "https://ubuntu.com/security/notices/USN-6754-2", + "https://www.kb.cert.org/vuls/id/421644", + "https://www.cve.org/CVERecord?id=CVE-2024-28182" + ], + "relatedVulnerabilities": [ + "USN-6754-1", + "USN-6754-2" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-28182.html", + "vendorCreatedAt": "2024-04-04T11:15:00-04:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2024-28182", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "nghttp2", + "packageManager": "OS", + "release": "1ubuntu0.1", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "1.43.0" + }, + { + "arch": "AMD64", + "epoch": 0, + "name": "libnghttp2-14", + "packageManager": "OS", + "release": "1ubuntu0.1", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "1.43.0" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + 
"score": 0.0, + "severity": "MEDIUM", + "status": "ACTIVE", + "title": "CVE-2024-28182 - nghttp2, libnghttp2-14", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-08T20:10:15.923000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. 
Note: This vulnerability can be exploited by using APIs in the specified C", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/c9f8801bf90543572ab46bf8061f8110", + "firstObservedAt": "2024-07-31T18:37:29.913000-04:00", + "lastObservedAt": "2024-08-01T17:17:33.239000-04:00", + "packageVulnerabilityDetails": { + "cvss": [ + { + "baseScore": 7.4, + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "source": "UBUNTU_CVE", + "version": "3.1" + }, + { + "baseScore": 7.4, + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "source": "NVD", + "version": "3.1" + } + ], + "referenceUrls": [ + "https://www.cve.org/CVERecord?id=CVE-2024-21147", + "https://www.oracle.com/security-alerts/cpujul2024.html", + "https://ubuntu.com/security/notices/USN-6932-1", + "https://ubuntu.com/security/notices/USN-6931-1", + "https://ubuntu.com/security/notices/USN-6930-1", + "https://ubuntu.com/security/notices/USN-6929-1" + ], + "relatedVulnerabilities": [ + "USN-6932-1", + "USN-6931-1", + "USN-6930-1", + "USN-6929-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-21147.html", + "vendorCreatedAt": "2024-07-16T19:15:00-04:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2024-21147", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "openjdk-17-jre-headless", + "packageManager": "OS", + "release": "1~22.04.1", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "17.0.10+7" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": 
"infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 7.4, + "scoreDetails": { + "cvss": { + "adjustments": [], + "score": 7.4, + "scoreSource": "UBUNTU_CVE", + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "version": "3.1" + } + }, + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2024-21147 - openjdk-17-jre-headless", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-01T17:17:33.239000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " Issue summary: Checking excessively long DSA keys or parameters may be very slow. Impact summary: Applications that use the functions EVP_PKEY_param_check() or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform various checks on DSA parameters. Some of those computations take a long time if the modulus (`p` parameter) is too large. Trying to use a very large modulus is slow and OpenSSL will not allow using public keys with a modulus which is over 10,000 bits in length for signature verification. However the key and parameter check functions do not limit the modulus size when performing the checks. 
An application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a ", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/cde9d71e5071b8640dac26dde23f5e41", + "firstObservedAt": "2024-08-01T17:17:33.239000-04:00", + "lastObservedAt": "2024-08-01T17:17:33.239000-04:00", + "packageVulnerabilityDetails": { + "cvss": [], + "referenceUrls": [ + "https://www.cve.org/CVERecord?id=CVE-2024-4603", + "https://www.openssl.org/news/secadv/20240516.txt", + "https://ubuntu.com/security/notices/USN-6937-1" + ], + "relatedVulnerabilities": [ + "USN-6937-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-4603.html", + "vendorCreatedAt": "2024-05-16T12:15:00-04:00", + "vulnerabilityId": "CVE-2024-4603", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "libssl3", + "packageManager": "OS", + "release": "0ubuntu1.15", + "sourceLayerHash": "sha256:7021d1b70935851c95c45ed18156980b5024eda29b99564429025ea04f5ec109", + "version": "3.0.2" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 0.0, + "severity": "UNTRIAGED", + "status": "ACTIVE", + "title": "CVE-2024-4603 - libssl3", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-01T17:17:33.239000-04:00" + }, + { + 
"awsAccountId": "772215651096", + "description": "USN-6844-1 fixed vulnerabilities in the CUPS package. The update\nlead to the discovery of a regression in CUPS with regards to\nhow the cupsd daemon handles Listen configuration directive. \nThis update fixes the problem.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\nRory McNamara discovered that when starting the cupsd server with a\nListen configuration item, the cupsd process fails to validate if\nbind call passed. An attacker could possibly trick cupsd to perform\nan arbitrary chmod of the provided argument, providing world-writable\naccess to the target.\n", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/cf58b351cab807b9cd6be27b4c11a0b4", + "firstObservedAt": "2024-06-29T20:16:32.343000-04:00", + "lastObservedAt": "2024-06-29T20:16:32.343000-04:00", + "packageVulnerabilityDetails": { + "cvss": [], + "referenceUrls": [], + "relatedVulnerabilities": [], + "source": "USN", + "sourceUrl": "https://usn.ubuntu.com/6844-2", + "vendorCreatedAt": "2024-06-28T12:08:04-04:00", + "vulnerabilityId": "USN-6844-2", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "cups", + "packageManager": "OS", + "release": "1ubuntu4.8", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "2.4.1op1" + } + ] + }, + "remediation": { + "recommendation": { + "text": "In general, a standard system update will make all the necessary changes.\n" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": 
"arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 0.0, + "severity": "UNTRIAGED", + "status": "ACTIVE", + "title": "USN-6844-2 - cups", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-06-29T20:16:32.343000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/d034c583a3ddc0043f3d29e627cf5d80", + "firstObservedAt": "2024-05-29T19:52:31.486000-04:00", + "lastObservedAt": "2024-08-06T20:26:44.151000-04:00", + "packageVulnerabilityDetails": { + "cvss": [], + "referenceUrls": [ + "https://www.cve.org/CVERecord?id=CVE-2024-32004", + "https://ubuntu.com/security/notices/USN-6793-1" + ], + "relatedVulnerabilities": [ + "USN-6793-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-32004.html", + "vendorCreatedAt": "2024-05-14T15:15:00-04:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2024-32004", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 1, + "name": "git", + "packageManager": "OS", + "release": "1ubuntu1.10", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "2.34.1" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": 
"sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 0.0, + "severity": "MEDIUM", + "status": "ACTIVE", + "title": "CVE-2024-32004 - git", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-06T20:26:44.151000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. 
This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sa", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/e080ee48bf3c40ec6042858261dc3aae", + "firstObservedAt": "2024-06-06T19:47:37.966000-04:00", + "lastObservedAt": "2024-06-24T18:37:02.715000-04:00", + "packageVulnerabilityDetails": { + "cvss": [ + { + "baseScore": 3.7, + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "source": "UBUNTU_CVE", + "version": "3.1" + }, + { + "baseScore": 3.7, + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "source": "NVD", + "version": "3.1" + } + ], + "referenceUrls": [ + "https://www.cve.org/CVERecord?id=CVE-2024-21011", + "https://ubuntu.com/security/notices/USN-6810-1", + "https://ubuntu.com/security/notices/USN-6811-1", + "https://ubuntu.com/security/notices/USN-6812-1", + "https://ubuntu.com/security/notices/USN-6813-1", + "https://www.oracle.com/security-alerts/cpuapr2024.html" + ], + "relatedVulnerabilities": [ + "USN-6810-1", + "USN-6811-1", + "USN-6812-1", + "USN-6813-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-21011.html", + "vendorCreatedAt": "2024-04-16T18:15:00-04:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2024-21011", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "openjdk-17-jre-headless", + "packageManager": "OS", + "release": "1~22.04.1", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "17.0.10+7" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + 
"registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 3.7, + "scoreDetails": { + "cvss": { + "adjustments": [], + "score": 3.7, + "scoreSource": "UBUNTU_CVE", + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "version": "3.1" + } + }, + "severity": "LOW", + "status": "ACTIVE", + "title": "CVE-2024-21011 - openjdk-17-jre-headless", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-06-24T18:37:02.715000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions Impact summary: An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured and the default anti-replay protection is in use). In this case, under certain conditions, the session cache can get into an incorrect state and it will fail to flush properly as it fills. The session cache will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. It may also happen by accident in normal operation. This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. 
OpenSSL 1.0.2 is also not affected by this iss", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/e12f6a3d935203c7ecbfc4113a88b5ce", + "firstObservedAt": "2024-08-01T17:17:33.239000-04:00", + "lastObservedAt": "2024-08-08T20:10:15.923000-04:00", + "packageVulnerabilityDetails": { + "cvss": [], + "referenceUrls": [ + "https://www.openssl.org/news/secadv/20240408.txt", + "https://www.cve.org/CVERecord?id=CVE-2024-2511", + "https://ubuntu.com/security/notices/USN-6937-1" + ], + "relatedVulnerabilities": [ + "USN-6937-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-2511.html", + "vendorCreatedAt": "2024-04-08T10:15:00-04:00", + "vulnerabilityId": "CVE-2024-2511", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "libssl3", + "packageManager": "OS", + "release": "0ubuntu1.15", + "sourceLayerHash": "sha256:7021d1b70935851c95c45ed18156980b5024eda29b99564429025ea04f5ec109", + "version": "3.0.2" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 0.0, + "severity": "UNTRIAGED", + "status": "ACTIVE", + "title": "CVE-2024-2511 - libssl3", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-08T20:10:15.923000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM 
Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandb", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/e2d1eef88c31c9a4896061880080cbda", + "firstObservedAt": "2024-06-06T19:47:37.966000-04:00", + "lastObservedAt": "2024-06-24T18:37:02.715000-04:00", + "packageVulnerabilityDetails": { + "cvss": [ + { + "baseScore": 3.7, + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "source": "UBUNTU_CVE", + "version": "3.1" + }, + { + "baseScore": 3.7, + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "source": "NVD", + "version": "3.1" + } + ], + "referenceUrls": [ + "https://bugs.openjdk.org/browse/JDK-8317507", + "https://ubuntu.com/security/notices/USN-6810-1", + "https://ubuntu.com/security/notices/USN-6811-1", + "https://ubuntu.com/security/notices/USN-6812-1", + "https://ubuntu.com/security/notices/USN-6813-1", + "https://www.oracle.com/security-alerts/cpuapr2024.html", + "https://www.cve.org/CVERecord?id=CVE-2024-21094" + ], + "relatedVulnerabilities": [ + "USN-6810-1", + "USN-6811-1", + "USN-6812-1", + "USN-6813-1" + ], + "source": 
"UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-21094.html", + "vendorCreatedAt": "2024-04-16T18:15:00-04:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2024-21094", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "openjdk-17-jre-headless", + "packageManager": "OS", + "release": "1~22.04.1", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "17.0.10+7" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 3.7, + "scoreDetails": { + "cvss": { + "adjustments": [], + "score": 3.7, + "scoreSource": "UBUNTU_CVE", + "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "version": "3.1" + } + }, + "severity": "LOW", + "status": "ACTIVE", + "title": "CVE-2024-21094 - openjdk-17-jre-headless", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-06-24T18:37:02.715000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " nscd: Null pointer crashes after notfound response If the Name Service Cache Daemon's (nscd) cache fails to add a not-found netgroup response to the cache, the client request can result in a null pointer dereference. This flaw was introduced in glibc 2.15 when the cache was added to nscd. 
This vulnerability is only present in the nscd binary.", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/e4a1464e7c8474f9cc37ac5ce3190d88", + "firstObservedAt": "2024-06-01T19:28:26.369000-04:00", + "lastObservedAt": "2024-08-08T20:10:15.923000-04:00", + "packageVulnerabilityDetails": { + "cvss": [], + "referenceUrls": [ + "https://www.cve.org/CVERecord?id=CVE-2024-33600", + "https://ubuntu.com/security/notices/USN-6804-1", + "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + ], + "relatedVulnerabilities": [ + "USN-6804-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-33600.html", + "vendorCreatedAt": "2024-05-06T16:15:00-04:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2024-33600", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "libc6", + "packageManager": "OS", + "release": "0ubuntu3.6", + "sourceLayerHash": "sha256:7021d1b70935851c95c45ed18156980b5024eda29b99564429025ea04f5ec109", + "version": "2.35" + }, + { + "arch": "AMD64", + "epoch": 0, + "name": "libc-bin", + "packageManager": "OS", + "release": "0ubuntu3.6", + "sourceLayerHash": "sha256:7021d1b70935851c95c45ed18156980b5024eda29b99564429025ea04f5ec109", + "version": "2.35" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 0.0, + "severity": 
"MEDIUM", + "status": "ACTIVE", + "title": "CVE-2024-33600 - libc6, libc-bin", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-08T20:10:15.923000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1.", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/eb72e6a8dd04d4fd7a0a03aef514da63", + "firstObservedAt": "2024-06-18T21:53:28.400000-04:00", + "lastObservedAt": "2024-07-31T18:37:29.913000-04:00", + "packageVulnerabilityDetails": { + "cvss": [], + "referenceUrls": [ + "https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/", + "https://ubuntu.com/security/notices/USN-6838-1", + "https://www.cve.org/CVERecord?id=CVE-2024-27282" + ], + "relatedVulnerabilities": [ + "USN-6838-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-27282.html", + "vendorCreatedAt": "2024-05-14T11:11:00-04:00", + "vendorSeverity": "medium", + "vulnerabilityId": "CVE-2024-27282", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "libruby3.0", + "packageManager": "OS", + "release": "7ubuntu2.4", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "3.0.2" + }, + { + "arch": "AMD64", + "epoch": 0, + "name": "ruby3.0", + "packageManager": "OS", + "release": "7ubuntu2.4", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "3.0.2" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": 
"sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 0.0, + "severity": "MEDIUM", + "status": "ACTIVE", + "title": "CVE-2024-27282 - libruby3.0, ruby3.0", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-07-31T18:37:29.913000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": " Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/f734fb3f6da42f94d758380e79defa0e", + "firstObservedAt": "2024-05-23T18:01:47.280000-04:00", + "lastObservedAt": "2024-08-08T20:10:15.923000-04:00", + "packageVulnerabilityDetails": { + "cvss": [ + { + "baseScore": 7.5, + "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": "UBUNTU_CVE", + "version": "3.1" + }, + { + "baseScore": 7.5, + "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": "NVD", + "version": "3.1" + } + ], + "referenceUrls": [ + "https://ubuntu.com/security/notices/USN-6754-1", + "https://ubuntu.com/security/notices/USN-4099-1", + "https://www.cve.org/CVERecord?id=CVE-2019-9513" + ], + "relatedVulnerabilities": [ + "USN-4099-1", + "USN-6754-1" + ], + "source": "UBUNTU_CVE", + "sourceUrl": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9513.html", + "vendorCreatedAt": "2019-08-13T17:15:00-04:00", + "vendorSeverity": 
"medium", + "vulnerabilityId": "CVE-2019-9513", + "vulnerablePackages": [ + { + "arch": "AMD64", + "epoch": 0, + "name": "nghttp2", + "packageManager": "OS", + "release": "1ubuntu0.1", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "1.43.0" + }, + { + "arch": "AMD64", + "epoch": 0, + "name": "libnghttp2-14", + "packageManager": "OS", + "release": "1ubuntu0.1", + "sourceLayerHash": "sha256:937174835bc7ce2149e327a9a2a5334b7fcc27194afc105c840766acf5efb926", + "version": "1.43.0" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": "772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 7.5, + "scoreDetails": { + "cvss": { + "adjustments": [], + "score": 7.5, + "scoreSource": "UBUNTU_CVE", + "scoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + } + }, + "severity": "HIGH", + "status": "ACTIVE", + "title": "CVE-2019-9513 - nghttp2, libnghttp2-14", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-08T20:10:15.923000-04:00" + }, + { + "awsAccountId": "772215651096", + "description": "REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. 
The REXML gem 3.3.3 or later include the patch to fix the vulnerability.", + "findingArn": "arn:aws:inspector2:us-east-2:772215651096:finding/f7f9a4ddfa31e8f4a435f5e2f944a1fb", + "firstObservedAt": "2024-08-01T17:17:33.239000-04:00", + "lastObservedAt": "2024-08-06T20:26:44.151000-04:00", + "packageVulnerabilityDetails": { + "cvss": [], + "referenceUrls": [ + "https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml", + "https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946" + ], + "relatedVulnerabilities": [], + "source": "NVD", + "sourceUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-41946", + "vendorCreatedAt": "2024-08-01T11:15:14-04:00", + "vendorUpdatedAt": "2024-08-01T12:45:25-04:00", + "vulnerabilityId": "CVE-2024-41946", + "vulnerablePackages": [ + { + "epoch": 0, + "filePath": "var/tmp/puppetserver/dropsonde/gems/puppet-8.5.1/Gemfile.lock", + "name": "rexml", + "packageManager": "BUNDLER", + "sourceLayerHash": "sha256:a42c8bec3e631bf1bfe45dae836da4ab8d4d0505f94487403f1df5fa3d66c526", + "version": "3.2.6" + }, + { + "epoch": 0, + "filePath": "var/lib/gems/3.0.0/gems/cri-2.15.11/Gemfile.lock", + "name": "rexml", + "packageManager": "BUNDLER", + "sourceLayerHash": "sha256:a42c8bec3e631bf1bfe45dae836da4ab8d4d0505f94487403f1df5fa3d66c526", + "version": "3.2.4" + }, + { + "epoch": 0, + "filePath": "var/tmp/puppetserver/vendored-jruby-gems/specifications/rexml-3.2.5.gemspec", + "name": "rexml", + "packageManager": "GEMSPEC", + "sourceLayerHash": "sha256:a42c8bec3e631bf1bfe45dae836da4ab8d4d0505f94487403f1df5fa3d66c526", + "version": "3.2.5" + } + ] + }, + "remediation": { + "recommendation": { + "text": "None Provided" + } + }, + "resources": [ + { + "details": { + "awsEcrContainerImage": { + "architecture": "amd64", + "imageHash": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTags": [ + "dev" + ], + "platform": "UBUNTU_22_04", + "pushedAt": "2024-05-23T18:01:30-04:00", + "registry": 
"772215651096", + "repositoryName": "infr/puppetserver" + } + }, + "id": "arn:aws:ecr:us-east-2:772215651096:repository/infr/puppetserver/sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "tags": {}, + "type": "AWS_ECR_CONTAINER_IMAGE" + } + ], + "score": 0.0, + "severity": "UNTRIAGED", + "status": "ACTIVE", + "title": "CVE-2024-41946 - rexml, rexml and 1 more", + "type": "PACKAGE_VULNERABILITY", + "updatedAt": "2024-08-06T20:26:44.151000-04:00" + } + ], + "imageScanCompletedAt": "2024-08-08T20:10:15.923000-04:00", + "vulnerabilitySourceUpdatedAt": "2024-08-08T20:10:15.923000-04:00", + "findingSeverityCounts": { + "HIGH": 7, + "MEDIUM": 21, + "LOW": 6, + "UNTRIAGED": 11, + "CRITICAL": 1 + } + }, + "registryId": "772215651096", + "repositoryName": "infr/puppetserver", + "imageId": { + "imageDigest": "sha256:269992ef1af233805ca16e23f679eeb9db1a98d5a5827868721b0f157c73ce0a", + "imageTag": "dev" + }, + "imageScanStatus": { + "status": "ACTIVE", + "description": "Continuous scan is selected for image." + } +}
