@btshft
Last active June 14, 2020 12:53
aspnet:3.0-buster-slim docker image test
PS C:\Users\Canyon\Desktop\clair> ./clair-scanner --ip="host.docker.internal" --threshold=Medium --reportAll=false mcr.microsoft.com/dotnet/core/aspnet:3.0-buster-slim
2020/06/14 15:48:52 [INFO] ▶ Start clair-scanner
2020/06/14 15:49:16 [INFO] ▶ Server listening on port 9279
2020/06/14 15:49:16 [INFO] ▶ Analyzing 3e29b193cb0e97576e20170819724cf94c46c8d745136268e355db1342221572
2020/06/14 15:49:24 [INFO] ▶ Analyzing 8981bb2400b54d954b70d8ecba0263836c72a4972ea60ae97aada1e17abe55fd
2020/06/14 15:49:27 [INFO] ▶ Analyzing cc10d7b72900931720971363ad251b38010acdd0330d7eabbb8394b451a8605b
2020/06/14 15:49:28 [INFO] ▶ Analyzing 6bab8815017212e88c871defec5af1d055149451a9d8f8ad4db8e8884dcb748f
2020/06/14 15:49:33 [INFO] ▶ Analyzing 3d730628ca3d8c420c4caa52b02fb28019d05b02ee86566e85a42e3da1608830
2020/06/14 15:49:34 [WARN] ▶ Image [mcr.microsoft.com/dotnet/core/aspnet:3.0-buster-slim] contains 66 total vulnerabilities
2020/06/14 15:49:34 [ERRO] ▶ Image [mcr.microsoft.com/dotnet/core/aspnet:3.0-buster-slim] contains 10 unapproved vulnerabilities
+------------+-----------------------+--------------+-----------------------+--------------------------------------------------------------+
| STATUS | CVE SEVERITY | PACKAGE NAME | PACKAGE VERSION | CVE DESCRIPTION |
+------------+-----------------------+--------------+-----------------------+--------------------------------------------------------------+
| Unapproved | High CVE-2020-10878 | perl | 5.28.1-6 | Perl before 5.30.3 has an integer overflow related to |
| | | | | mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. |
| | | | | A crafted regular expression could lead to malformed |
| | | | | bytecode with a possibility of instruction injection. |
| | | | | https://security-tracker.debian.org/tracker/CVE-2020-10878 |
+------------+-----------------------+--------------+-----------------------+--------------------------------------------------------------+
| Unapproved | High CVE-2020-10543 | perl | 5.28.1-6 | Perl before 5.30.3 on 32-bit platforms allows a |
| | | | | heap-based buffer overflow because nested regular |
| | | | | expression quantifiers have an integer overflow. |
| | | | | https://security-tracker.debian.org/tracker/CVE-2020-10543 |
+------------+-----------------------+--------------+-----------------------+--------------------------------------------------------------+
| Unapproved | Medium CVE-2020-12723 | perl | 5.28.1-6 | regcomp.c in Perl before 5.30.3 allows a buffer |
| | | | | overflow via a crafted regular expression |
| | | | | because of recursive S_study_chunk calls. |
| | | | | https://security-tracker.debian.org/tracker/CVE-2020-12723 |
+------------+-----------------------+--------------+-----------------------+--------------------------------------------------------------+
| Unapproved | Medium CVE-2020-1751 | glibc | 2.28-10 | An out-of-bounds write vulnerability was found in |
| | | | | glibc before 2.31 when handling signal trampolines |
| | | | | on PowerPC. Specifically, the backtrace function |
| | | | | did not properly check the array bounds when storing |
| | | | | the frame address, resulting in a denial of service |
| | | | | or potential code execution. The highest threat |
| | | | | from this vulnerability is to system availability. |
| | | | | https://security-tracker.debian.org/tracker/CVE-2020-1751 |
+------------+-----------------------+--------------+-----------------------+--------------------------------------------------------------+
| Unapproved | Medium CVE-2019-12290 | libidn2 | 2.0.5-1+deb10u1 | GNU libidn2 before 2.2.0 fails to perform the roundtrip |
| | | | | checks specified in RFC3490 Section 4.2 when converting |
| | | | | A-labels to U-labels. This makes it possible in some |
| | | | | circumstances for one domain to impersonate another. |
| | | | | By creating a malicious domain that matches a target |
| | | | | domain except for the inclusion of certain punycoded |
| | | | | Unicode characters (that would be discarded when |
| | | | | converted first to a Unicode label and then back to an |
| | | | | ASCII label), arbitrary domains can be impersonated. |
| | | | | https://security-tracker.debian.org/tracker/CVE-2019-12290 |
+------------+-----------------------+--------------+-----------------------+--------------------------------------------------------------+
| Unapproved | Medium CVE-2019-13115 | libssh2 | 1.8.0-2.1 | In libssh2 before 1.9.0, |
| | | | | kex_method_diffie_hellman_group_exchange_sha256_key_exchange |
| | | | | in kex.c has an integer overflow that could lead to an |
| | | | | out-of-bounds read in the way packets are read from the |
| | | | | server. A remote attacker who compromises a SSH server |
| | | | | may be able to disclose sensitive information or cause |
| | | | | a denial of service condition on the client system when |
| | | | | a user connects to the server. This is related to an |
| | | | | _libssh2_check_length mistake, and is different from the |
| | | | | various issues fixed in 1.8.1, such as CVE-2019-3855. |
| | | | | https://security-tracker.debian.org/tracker/CVE-2019-13115 |
+------------+-----------------------+--------------+-----------------------+--------------------------------------------------------------+
| Unapproved | Medium CVE-2020-10531 | icu | 63.1-6 | An issue was discovered in International Components for |
| | | | | Unicode (ICU) for C/C++ through 66.1. An integer overflow, |
| | | | | leading to a heap-based buffer overflow, exists in the |
| | | | | UnicodeString::doAppend() function in common/unistr.cpp. |
| | | | | https://security-tracker.debian.org/tracker/CVE-2020-10531 |
+------------+-----------------------+--------------+-----------------------+--------------------------------------------------------------+
| Unapproved | Medium CVE-2020-3810 | apt | 1.8.2 | Missing input validation in the ar/tar implementations |
| | | | | of APT before version 2.1.2 could result in denial of |
| | | | | service when processing specially crafted deb files. |
| | | | | https://security-tracker.debian.org/tracker/CVE-2020-3810 |
+------------+-----------------------+--------------+-----------------------+--------------------------------------------------------------+
| Unapproved | Medium CVE-2020-12243 | openldap | 2.4.47+dfsg-3+deb10u1 | In filter.c in slapd in OpenLDAP before 2.4.50, |
| | | | | LDAP search filters with nested boolean expressions |
| | | | | can result in denial of service (daemon crash). |
| | | | | https://security-tracker.debian.org/tracker/CVE-2020-12243 |
+------------+-----------------------+--------------+-----------------------+--------------------------------------------------------------+
| Unapproved | Medium CVE-2018-12886 | gcc-8 | 8.3.0-6 | stack_protect_prologue in cfgexpand.c and |
| | | | | stack_protect_epilogue in function.c in GNU Compiler |
| | | | | Collection (GCC) 4.1 through 8 (under certain |
| | | | | circumstances) generate instruction sequences when |
| | | | | targeting ARM targets that spill the address of |
| | | | | the stack protector guard, which allows an attacker |
| | | | | to bypass the protection of -fstack-protector, |
| | | | | -fstack-protector-all, -fstack-protector-strong, and |
| | | | | -fstack-protector-explicit against stack overflow by |
| | | | | controlling what the stack canary is compared against. |
| | | | | https://security-tracker.debian.org/tracker/CVE-2018-12886 |
+------------+-----------------------+--------------+-----------------------+--------------------------------------------------------------+
Second scan of the same image, in Trivy's table format (the gist does not show the command that produced it). Trivy reports one row per binary package, so a CVE in a shared source package (glibc, gcc-8, systemd, openldap) appears several times; the FIXED VERSION column is what separates findings a base-image update removes from those Debian buster had not fixed at scan time.

mcr.microsoft.com/dotnet/core/aspnet:3.0-buster-slim (debian 10.3)
==================================================================
Total: 29 (UNKNOWN: 0, LOW: 0, MEDIUM: 27, HIGH: 2, CRITICAL: 0)
+----------------+------------------+----------+-----------------------+-----------------------+--------------------------------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+----------------+------------------+----------+-----------------------+-----------------------+--------------------------------------------------------------+
| apt | CVE-2020-3810 | MEDIUM | 1.8.2 | 1.8.2.1 | Missing input validation in |
| | | | | | the ar/tar implementations of |
| | | | | | APT before version 2.1.2... |
+----------------+------------------+ +-----------------------+-----------------------+--------------------------------------------------------------+
| gcc-8-base | CVE-2018-12886 | | 8.3.0-6 | | gcc: spilling of stack |
| | | | | | protection address in |
| | | | | | cfgexpand.c and function.c |
| | | | | | leads to... |
+ +------------------+ + +-----------------------+--------------------------------------------------------------+
| | CVE-2019-15847 | | | | gcc: POWER9 "DARN" RNG |
| | | | | | intrinsic produces repeated |
| | | | | | output |
+----------------+------------------+ +-----------------------+-----------------------+--------------------------------------------------------------+
| libapt-pkg5.0 | CVE-2020-3810 | | 1.8.2 | 1.8.2.1 | Missing input validation in |
| | | | | | the ar/tar implementations of |
| | | | | | APT before version 2.1.2... |
+----------------+------------------+ +-----------------------+-----------------------+--------------------------------------------------------------+
| libc-bin | CVE-2020-1751 | | 2.28-10 | | glibc: array overflow in |
| | | | | | backtrace functions for |
| | | | | | powerpc |
+----------------+ + + +-----------------------+ +
| libc6 | | | | | |
| | | | | | |
| | | | | | |
+----------------+------------------+ +-----------------------+-----------------------+--------------------------------------------------------------+
| libgcc1 | CVE-2018-12886 | | 8.3.0-6 | | gcc: spilling of stack |
| | | | | | protection address in |
| | | | | | cfgexpand.c and function.c |
| | | | | | leads to... |
+ +------------------+ + +-----------------------+--------------------------------------------------------------+
| | CVE-2019-15847 | | | | gcc: POWER9 "DARN" RNG |
| | | | | | intrinsic produces repeated |
| | | | | | output |
+----------------+------------------+ +-----------------------+-----------------------+--------------------------------------------------------------+
| libgcrypt20 | CVE-2019-12904 | | 1.8.4-5 | | Libgcrypt: physical addresses |
| | | | | | being available to other |
| | | | | | processes leads to a |
| | | | | | flush-and-reload... |
+----------------+------------------+ +-----------------------+-----------------------+--------------------------------------------------------------+
| libgnutls30 | CVE-2020-11501 | | 3.6.7-4+deb10u2 | 3.6.7-4+deb10u3 | gnutls: DTLS client hello |
| | | | | | contains a random value of all |
| | | | | | zeroes |
+ +------------------+ + +-----------------------+--------------------------------------------------------------+
| | CVE-2020-13777 | | | 3.6.7-4+deb10u4 | gnutls: session resumption |
| | | | | | works without master key |
| | | | | | allowing MITM |
+----------------+------------------+ +-----------------------+-----------------------+--------------------------------------------------------------+
| libicu63 | CVE-2020-10531 | | 63.1-6 | 63.1-6+deb10u1 | ICU: Integer overflow in |
| | | | | | UnicodeString::doAppend() |
+----------------+------------------+ +-----------------------+-----------------------+--------------------------------------------------------------+
| libidn2-0 | CVE-2019-12290 | | 2.0.5-1+deb10u1 | | GNU libidn2 before 2.2.0 |
| | | | | | fails to perform the roundtrip |
| | | | | | checks specified in... |
+----------------+------------------+ +-----------------------+-----------------------+--------------------------------------------------------------+
| libldap-2.4-2 | CVE-2020-12243 | | 2.4.47+dfsg-3+deb10u1 | 2.4.47+dfsg-3+deb10u2 | openldap: denial of service |
| | | | | | via nested boolean expressions |
| | | | | | in LDAP search filters... |
+----------------+ + + + + +
| libldap-common | | | | | |
| | | | | | |
| | | | | | |
+----------------+------------------+ +-----------------------+-----------------------+--------------------------------------------------------------+
| libssh2-1 | CVE-2019-13115 | | 1.8.0-2.1 | | libssh2: integer overflow in |
| | | | | | kex_method_diffie_hellman_group_exchange_sha256_key_exchange |
| | | | | | in kex.c leads to out-of-bounds write |
+----------------+------------------+ +-----------------------+-----------------------+--------------------------------------------------------------+
| libssl1.1 | CVE-2020-1967 | | 1.1.1d-0+deb10u2 | 1.1.1d-0+deb10u3 | openssl: Segmentation fault in |
| | | | | | SSL_check_chain causes denial |
| | | | | | of service |
+----------------+------------------+ +-----------------------+-----------------------+--------------------------------------------------------------+
| libstdc++6 | CVE-2018-12886 | | 8.3.0-6 | | gcc: spilling of stack |
| | | | | | protection address in |
| | | | | | cfgexpand.c and function.c |
| | | | | | leads to... |
+ +------------------+ + +-----------------------+--------------------------------------------------------------+
| | CVE-2019-15847 | | | | gcc: POWER9 "DARN" RNG |
| | | | | | intrinsic produces repeated |
| | | | | | output |
+----------------+------------------+ +-----------------------+-----------------------+--------------------------------------------------------------+
| libsystemd0 | CVE-2019-3843 | | 241-7~deb10u3 | | systemd: services with |
| | | | | | DynamicUser can create |
| | | | | | SUID/SGID binaries |
+ +------------------+ + +-----------------------+--------------------------------------------------------------+
| | CVE-2019-3844 | | | | systemd: services with |
| | | | | | DynamicUser can get new |
| | | | | | privileges and create SGID |
| | | | | | binaries... |
+ +------------------+ + +-----------------------+--------------------------------------------------------------+
| | CVE-2020-1712 | | | 241-7~deb10u4 | systemd: use-after-free when |
| | | | | | asynchronous polkit queries |
| | | | | | are performed |
+----------------+------------------+ + +-----------------------+--------------------------------------------------------------+
| libudev1 | CVE-2019-3843 | | | | systemd: services with |
| | | | | | DynamicUser can create |
| | | | | | SUID/SGID binaries |
+ +------------------+ + +-----------------------+--------------------------------------------------------------+
| | CVE-2019-3844 | | | | systemd: services with |
| | | | | | DynamicUser can get new |
| | | | | | privileges and create SGID |
| | | | | | binaries... |
+ +------------------+ + +-----------------------+--------------------------------------------------------------+
| | CVE-2020-1712 | | | 241-7~deb10u4 | systemd: use-after-free when |
| | | | | | asynchronous polkit queries |
| | | | | | are performed |
+----------------+------------------+ +-----------------------+-----------------------+--------------------------------------------------------------+
| openssl | CVE-2020-1967 | | 1.1.1d-0+deb10u2 | 1.1.1d-0+deb10u3 | openssl: Segmentation fault in |
| | | | | | SSL_check_chain causes denial |
| | | | | | of service |
+----------------+------------------+----------+-----------------------+-----------------------+--------------------------------------------------------------+
| perl-base | CVE-2020-10543 | HIGH | 5.28.1-6 | | perl: heap-based buffer |
| | | | | | overflow in regular expression |
| | | | | | compiler leads to DoS |
+ +------------------+ + +-----------------------+--------------------------------------------------------------+
| | CVE-2020-10878 | | | | perl: corruption of |
| | | | | | intermediate language state |
| | | | | | of compiled regular expression |
| | | | | | due to... |
+ +------------------+----------+ +-----------------------+ +
| | CVE-2020-12723 | MEDIUM | | | |
| | | | | | |
| | | | | | |
| | | | | | |
+----------------+------------------+----------+-----------------------+-----------------------+--------------------------------------------------------------+
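The two tables above give the raw material for a triage decision but do not separate what a base-image update fixes from what it cannot. The script below is an added example, not code from the gist: it parses Trivy's table format (the second table above), honouring the vertically merged cells Trivy draws when adjacent rows share a value, and splits findings that list a FIXED VERSION from those that do not. `SAMPLE` is a trimmed excerpt of that table re-typed by hand; the function names and the whitelist reason string are this example's own choices, and the whitelist layout (`generalwhitelist:` mapping a CVE id to a reason) follows the example in clair-scanner's README.

```python
"""Triage helper for Trivy's table output (the second table on this page).
Splits findings into those a plain `apt-get upgrade` of the base image removes
(a FIXED VERSION is listed) and those Debian had not fixed yet, which belong in
a documented whitelist rather than behind a raised threshold.
Added example, not code from the gist; SAMPLE is a hand-typed excerpt."""
from collections import defaultdict

COLUMNS = ("library", "cve", "severity", "installed", "fixed", "title")

SAMPLE = """\
+-------------+------------------+----------+-------------------+-------------------+---------------------------+
| LIBRARY     | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION     | TITLE                     |
+-------------+------------------+----------+-------------------+-------------------+---------------------------+
| apt         | CVE-2020-3810    | MEDIUM   | 1.8.2             | 1.8.2.1           | Missing input validation  |
|             |                  |          |                   |                   | in the ar/tar ...         |
+-------------+------------------+          +-------------------+-------------------+---------------------------+
| gcc-8-base  | CVE-2018-12886   |          | 8.3.0-6           |                   | gcc: spilling of stack    |
+             +------------------+          +                   +-------------------+---------------------------+
|             | CVE-2019-15847   |          |                   |                   | gcc: POWER9 "DARN" RNG    |
+-------------+------------------+          +-------------------+-------------------+---------------------------+
| libc-bin    | CVE-2020-1751    |          | 2.28-10           |                   | glibc: array overflow     |
+-------------+                  +          +                   +-------------------+                           +
| libc6       |                  |          |                   |                   |                           |
+-------------+------------------+          +-------------------+-------------------+---------------------------+
| libgnutls30 | CVE-2020-11501   |          | 3.6.7-4+deb10u2   | 3.6.7-4+deb10u3   | gnutls: DTLS client hello |
+             +------------------+          +                   +-------------------+---------------------------+
|             | CVE-2020-13777   |          |                   | 3.6.7-4+deb10u4   | gnutls: session resumption|
+-------------+------------------+----------+-------------------+-------------------+---------------------------+
| perl-base   | CVE-2020-10543   | HIGH     | 5.28.1-6          |                   | perl: heap-based buffer   |
+             +------------------+----------+                   +-------------------+                           +
|             | CVE-2020-12723   | MEDIUM   |                   |                   |                           |
+-------------+------------------+----------+-------------------+-------------------+---------------------------+
"""

def parse_trivy_table(text):
    """Parse the ASCII table, honouring Trivy's vertically merged cells.
    A merged cell shows up as a blank (not dashed) segment in the separator line
    above the row; that is the only safe signal, because an empty FIXED VERSION
    cell under a dashed segment means "no fix available"."""
    findings, spans, new_record = [], [False] * len(COLUMNS), False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("+"):                      # separator line
            segs = line.strip("+").split("+")
            if len(segs) == len(COLUMNS):
                spans = [seg.strip() == "" for seg in segs]
                new_record = True
            continue
        if not line.startswith("|") or "VULNERABILITY ID" in line:
            continue                                  # prose or header row
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != len(COLUMNS):
            continue
        if new_record:                                # first text row of a cell block
            prev = findings[-1] if findings else {}
            findings.append({col: prev.get(col, "") if span else val
                             for col, span, val in zip(COLUMNS, spans, cells)})
            new_record = False
        elif findings:                                # wrapped continuation row
            for col, val in zip(COLUMNS, cells):
                if val:
                    findings[-1][col] = f"{findings[-1][col]} {val}".strip()
    return findings

def triage(findings):
    """Group by CVE: affected binary packages and the fixed versions Trivy lists."""
    by_cve = {}
    for f in findings:
        e = by_cve.setdefault(f["cve"], {"severity": f["severity"],
                                         "packages": set(), "fixed": set()})
        e["packages"].add(f["library"])
        if f["fixed"]:
            e["fixed"].add(f["fixed"])
    fixable = {c: e for c, e in by_cve.items() if e["fixed"]}
    unfixed = {c: e for c, e in by_cve.items() if not e["fixed"]}
    return fixable, unfixed

def upgrade_targets(findings):
    """Packages to upgrade and the fixed version(s) reported for each. Picking one
    target among several needs a real Debian version compare (dpkg
    --compare-versions); `apt-get upgrade` sidesteps that by taking the newest."""
    targets = defaultdict(set)
    for f in findings:
        if f["fixed"]:
            targets[f["library"]].add(f["fixed"])
    return {pkg: sorted(v) for pkg, v in targets.items()}

def clair_whitelist(unfixed, reason="no fix in Debian buster at scan time"):
    """Render unfixed CVEs in clair-scanner's whitelist layout (generalwhitelist:
    CVE -> reason, as in its README) so the next --threshold run fails only on
    findings that are new or have become fixable. The reason text is ours."""
    return "generalwhitelist:\n" + "".join(
        f"  {cve}: {reason}\n" for cve in sorted(unfixed))

if __name__ == "__main__":
    found = parse_trivy_table(SAMPLE)
    fixable, unfixed = triage(found)
    print("fixable now:", upgrade_targets(found))
    print("no fix yet :", sorted(unfixed))
    print(clair_whitelist(unfixed))
```

Run over the full table above, the split falls roughly in half: apt, libgnutls30, libicu63, libldap-2.4-2, libssl1.1/openssl and systemd's CVE-2020-1712 list buster fixes, so an `apt-get update && apt-get upgrade` layer (or a newer image tag) clears them; perl, glibc, gcc-8, libidn2, libssh2, libgcrypt20 and the two DynamicUser systemd CVEs listed none, which is why a severity threshold alone keeps the pipeline red. Several of those unfixed entries are, by their own descriptions, platform-specific (glibc CVE-2020-1751 on PowerPC, gcc CVE-2018-12886 on ARM, CVE-2019-15847 on POWER9), so an x86-64 image can whitelist them with exactly that reason; the whitelist file is what clair-scanner's `--whitelist` option consumes.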