Created
October 2, 2020 20:35
-
-
Save pierre-ernst/dc1d7b9180ecc39995e942ef813e9361 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "vulnerabilities": [ | |
| { | |
| "title": "Out-of-bounds Write", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "bzip2", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nBZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.\n\n## References\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Aug/4)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Jul/22)\n- [CVE Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900)\n- [Debian Security Announcement](https://lists.debian.org/debian-lts-announce/2019/06/msg00021.html)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-12900)\n- [FREEBSD](https://security.FreeBSD.org/advisories/FreeBSD-SA-19:18.bzip2.asc)\n- [MISC](http://packetstormsecurity.com/files/153644/Slackware-Security-Advisory-bzip2-Updates.html)\n- [MISC](http://packetstormsecurity.com/files/153957/FreeBSD-Security-Advisory-FreeBSD-SA-19-18.bzip2.html)\n- [MISC](https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/07/msg00014.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00040.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00050.html)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-12900)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4038-1/)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4038-2/)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-12900" | |
| ], | |
| "CWE": [ | |
| "CWE-787" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "critical", | |
| "cvssScore": 9.8, | |
| "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Aug/4" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Jul/22" | |
| }, | |
| { | |
| "title": "CVE Details", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900" | |
| }, | |
| { | |
| "title": "Debian Security Announcement", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00021.html" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-12900" | |
| }, | |
| { | |
| "title": "FREEBSD", | |
| "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-19:18.bzip2.asc" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/153644/Slackware-Security-Advisory-bzip2-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/153957/FreeBSD-Security-Advisory-FreeBSD-SA-19-18.bzip2.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00014.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00040.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00050.html" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-12900" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4038-1/" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4038-2/" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:42.749535Z", | |
| "modificationTime": "2020-07-23T10:26:13.683809Z", | |
| "publicationTime": "2019-06-23T08:37:39.937109Z", | |
| "disclosureTime": "2019-06-19T23:15:00Z", | |
| "id": "SNYK-ALPINE39-BZIP2-452847", | |
| "nvdSeverity": "critical", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.0.6-r7" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "bzip2/libbz2@1.0.6-r6" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "bzip2/libbz2", | |
| "version": "1.0.6-r6", | |
| "nearestFixedInVersion": "1.0.6-r7" | |
| }, | |
| { | |
| "title": "Out-of-bounds Write", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "bzip2", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nBZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.\n\n## References\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Aug/4)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Jul/22)\n- [CVE Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900)\n- [Debian Security Announcement](https://lists.debian.org/debian-lts-announce/2019/06/msg00021.html)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-12900)\n- [FREEBSD](https://security.FreeBSD.org/advisories/FreeBSD-SA-19:18.bzip2.asc)\n- [MISC](http://packetstormsecurity.com/files/153644/Slackware-Security-Advisory-bzip2-Updates.html)\n- [MISC](http://packetstormsecurity.com/files/153957/FreeBSD-Security-Advisory-FreeBSD-SA-19-18.bzip2.html)\n- [MISC](https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/07/msg00014.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00040.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00050.html)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-12900)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4038-1/)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4038-2/)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-12900" | |
| ], | |
| "CWE": [ | |
| "CWE-787" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "critical", | |
| "cvssScore": 9.8, | |
| "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Aug/4" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Jul/22" | |
| }, | |
| { | |
| "title": "CVE Details", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900" | |
| }, | |
| { | |
| "title": "Debian Security Announcement", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00021.html" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-12900" | |
| }, | |
| { | |
| "title": "FREEBSD", | |
| "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-19:18.bzip2.asc" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/153644/Slackware-Security-Advisory-bzip2-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/153957/FreeBSD-Security-Advisory-FreeBSD-SA-19-18.bzip2.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00014.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00040.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00050.html" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-12900" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4038-1/" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4038-2/" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:42.749535Z", | |
| "modificationTime": "2020-07-23T10:26:13.683809Z", | |
| "publicationTime": "2019-06-23T08:37:39.937109Z", | |
| "disclosureTime": "2019-06-19T23:15:00Z", | |
| "id": "SNYK-ALPINE39-BZIP2-452847", | |
| "nvdSeverity": "critical", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.0.6-r7" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| ".python-rundeps@0", | |
| "bzip2/libbz2@1.0.6-r6" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "bzip2/libbz2", | |
| "version": "1.0.6-r6", | |
| "nearestFixedInVersion": "1.0.6-r7" | |
| }, | |
| { | |
| "title": "Integer Overflow or Wraparound", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "curl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nAn integer overflow in curl's URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1.\n\n## References\n- [CONFIRM](https://curl.haxx.se/docs/CVE-2019-5435.html)\n- [CONFIRM](https://support.f5.com/csp/article/K08125515)\n- [CVE Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5435)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-5435)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SMG3V4VTX2SE3EW3HQTN3DDLQBTORQC2/)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190606-0004/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5435)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-5435" | |
| ], | |
| "CWE": [ | |
| "CWE-190" | |
| ] | |
| }, | |
| "severity": "low", | |
| "severityWithCritical": "low", | |
| "cvssScore": 3.7, | |
| "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://curl.haxx.se/docs/CVE-2019-5435.html" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K08125515" | |
| }, | |
| { | |
| "title": "CVE Details", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5435" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-5435" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SMG3V4VTX2SE3EW3HQTN3DDLQBTORQC2/" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190606-0004/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5435" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:41.602200Z", | |
| "modificationTime": "2020-07-23T10:26:12.640264Z", | |
| "publicationTime": "2019-05-23T06:54:37Z", | |
| "disclosureTime": "2019-05-28T19:29:00Z", | |
| "id": "SNYK-ALPINE39-CURL-449676", | |
| "nvdSeverity": "low", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<7.64.0-r2" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "curl/libcurl@7.64.0-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "curl/libcurl", | |
| "version": "7.64.0-r1", | |
| "nearestFixedInVersion": "7.64.0-r2" | |
| }, | |
| { | |
| "title": "Out-of-Bounds", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "curl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nA heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.\n\n## References\n- [CONFIRM](https://curl.haxx.se/docs/CVE-2019-5436.html)\n- [CONFIRM](https://support.f5.com/csp/article/K55133295)\n- [CVE Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-5436)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SMG3V4VTX2SE3EW3HQTN3DDLQBTORQC2/)\n- [MLIST](http://www.openwall.com/lists/oss-security/2019/09/11/6)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190606-0004/)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5436)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-5436" | |
| ], | |
| "CWE": [ | |
| "CWE-119" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 7.8, | |
| "CVSSv3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://curl.haxx.se/docs/CVE-2019-5436.html" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K55133295" | |
| }, | |
| { | |
| "title": "CVE Details", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-5436" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SMG3V4VTX2SE3EW3HQTN3DDLQBTORQC2/" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "http://www.openwall.com/lists/oss-security/2019/09/11/6" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190606-0004/" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5436" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:41.580210Z", | |
| "modificationTime": "2020-07-23T10:26:12.620852Z", | |
| "publicationTime": "2019-05-23T06:03:00Z", | |
| "disclosureTime": "2019-05-28T19:29:00Z", | |
| "id": "SNYK-ALPINE39-CURL-449730", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<7.64.0-r2" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "curl/libcurl@7.64.0-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "curl/libcurl", | |
| "version": "7.64.0-r1", | |
| "nearestFixedInVersion": "7.64.0-r2" | |
| }, | |
| { | |
| "title": "Double Free", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "curl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nDouble-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481)\n- [CONFIRM](https://curl.haxx.se/docs/CVE-2019-5481.html)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-5481)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5481)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-5481" | |
| ], | |
| "CWE": [ | |
| "CWE-415" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "critical", | |
| "cvssScore": 9.8, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://curl.haxx.se/docs/CVE-2019-5481.html" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-5481" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5481" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:48.085512Z", | |
| "modificationTime": "2020-07-23T10:26:19.207887Z", | |
| "publicationTime": "2019-09-11T09:22:27.828900Z", | |
| "disclosureTime": "2019-09-16T19:15:00Z", | |
| "id": "SNYK-ALPINE39-CURL-500961", | |
| "nvdSeverity": "critical", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<7.64.0-r3" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "curl/libcurl@7.64.0-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "curl/libcurl", | |
| "version": "7.64.0-r1", | |
| "nearestFixedInVersion": "7.64.0-r3" | |
| }, | |
| { | |
| "title": "Buffer Overflow", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "curl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nHeap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482)\n- [CONFIRM](https://curl.haxx.se/docs/CVE-2019-5482.html)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-5482)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5482)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-5482" | |
| ], | |
| "CWE": [ | |
| "CWE-120" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "critical", | |
| "cvssScore": 9.8, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://curl.haxx.se/docs/CVE-2019-5482.html" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-5482" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5482" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:48.201686Z", | |
| "modificationTime": "2020-07-23T10:26:19.238976Z", | |
| "publicationTime": "2019-09-11T09:22:28.354405Z", | |
| "disclosureTime": "2019-09-16T19:15:00Z", | |
| "id": "SNYK-ALPINE39-CURL-511277", | |
| "nvdSeverity": "critical", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<7.64.0-r3" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "curl/libcurl@7.64.0-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "curl/libcurl", | |
| "version": "7.64.0-r1", | |
| "nearestFixedInVersion": "7.64.0-r3" | |
| }, | |
| { | |
| "title": "CVE-2020-8169", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "curl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to CVE-2020-8169. None\n## Remediation\nUpgrade `curl` to version or higher.", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2020-8169" | |
| ], | |
| "CWE": [] | |
| }, | |
| "severity": "low", | |
| "severityWithCritical": "low", | |
| "cvssScore": null, | |
| "CVSSv3": null, | |
| "patches": [], | |
| "references": [], | |
| "creationTime": "2020-09-16T03:45:00.351569Z", | |
| "modificationTime": "2020-09-16T03:45:00.354996Z", | |
| "publicationTime": "2020-09-16T03:45:00.219508Z", | |
| "disclosureTime": null, | |
| "id": "SNYK-ALPINE39-CURL-674636", | |
| "nvdSeverity": "low", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<7.64.0-r4" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "curl/libcurl@7.64.0-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "curl/libcurl", | |
| "version": "7.64.0-r1", | |
| "nearestFixedInVersion": "7.64.0-r4" | |
| }, | |
| { | |
| "title": "CVE-2020-8177", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "curl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to CVE-2020-8177. None\n## Remediation\nUpgrade `curl` to version or higher.", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2020-8177" | |
| ], | |
| "CWE": [] | |
| }, | |
| "severity": "low", | |
| "severityWithCritical": "low", | |
| "cvssScore": null, | |
| "CVSSv3": null, | |
| "patches": [], | |
| "references": [], | |
| "creationTime": "2020-09-16T03:45:00.410807Z", | |
| "modificationTime": "2020-09-16T03:45:00.412967Z", | |
| "publicationTime": "2020-09-16T03:45:00.318542Z", | |
| "disclosureTime": null, | |
| "id": "SNYK-ALPINE39-CURL-674637", | |
| "nvdSeverity": "low", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<7.64.0-r4" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "curl/libcurl@7.64.0-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "curl/libcurl", | |
| "version": "7.64.0-r1", | |
| "nearestFixedInVersion": "7.64.0-r4" | |
| }, | |
| { | |
| "title": "Integer Overflow or Wraparound", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "curl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nAn integer overflow in curl's URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1.\n\n## References\n- [CONFIRM](https://curl.haxx.se/docs/CVE-2019-5435.html)\n- [CONFIRM](https://support.f5.com/csp/article/K08125515)\n- [CVE Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5435)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-5435)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SMG3V4VTX2SE3EW3HQTN3DDLQBTORQC2/)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190606-0004/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5435)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-5435" | |
| ], | |
| "CWE": [ | |
| "CWE-190" | |
| ] | |
| }, | |
| "severity": "low", | |
| "severityWithCritical": "low", | |
| "cvssScore": 3.7, | |
| "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://curl.haxx.se/docs/CVE-2019-5435.html" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K08125515" | |
| }, | |
| { | |
| "title": "CVE Details", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5435" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-5435" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SMG3V4VTX2SE3EW3HQTN3DDLQBTORQC2/" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190606-0004/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5435" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:41.602200Z", | |
| "modificationTime": "2020-07-23T10:26:12.640264Z", | |
| "publicationTime": "2019-05-23T06:54:37Z", | |
| "disclosureTime": "2019-05-28T19:29:00Z", | |
| "id": "SNYK-ALPINE39-CURL-449676", | |
| "nvdSeverity": "low", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<7.64.0-r2" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "git/git@2.20.1-r0", | |
| "curl/libcurl@7.64.0-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "curl/libcurl", | |
| "version": "7.64.0-r1", | |
| "nearestFixedInVersion": "7.64.0-r2" | |
| }, | |
| { | |
| "title": "Out-of-Bounds", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "curl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nA heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.\n\n## References\n- [CONFIRM](https://curl.haxx.se/docs/CVE-2019-5436.html)\n- [CONFIRM](https://support.f5.com/csp/article/K55133295)\n- [CVE Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-5436)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SMG3V4VTX2SE3EW3HQTN3DDLQBTORQC2/)\n- [MLIST](http://www.openwall.com/lists/oss-security/2019/09/11/6)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190606-0004/)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5436)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-5436" | |
| ], | |
| "CWE": [ | |
| "CWE-119" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 7.8, | |
| "CVSSv3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://curl.haxx.se/docs/CVE-2019-5436.html" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K55133295" | |
| }, | |
| { | |
| "title": "CVE Details", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-5436" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SMG3V4VTX2SE3EW3HQTN3DDLQBTORQC2/" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "http://www.openwall.com/lists/oss-security/2019/09/11/6" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190606-0004/" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5436" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:41.580210Z", | |
| "modificationTime": "2020-07-23T10:26:12.620852Z", | |
| "publicationTime": "2019-05-23T06:03:00Z", | |
| "disclosureTime": "2019-05-28T19:29:00Z", | |
| "id": "SNYK-ALPINE39-CURL-449730", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<7.64.0-r2" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "git/git@2.20.1-r0", | |
| "curl/libcurl@7.64.0-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "curl/libcurl", | |
| "version": "7.64.0-r1", | |
| "nearestFixedInVersion": "7.64.0-r2" | |
| }, | |
| { | |
| "title": "Double Free", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "curl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nDouble-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481)\n- [CONFIRM](https://curl.haxx.se/docs/CVE-2019-5481.html)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-5481)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5481)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-5481" | |
| ], | |
| "CWE": [ | |
| "CWE-415" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "critical", | |
| "cvssScore": 9.8, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://curl.haxx.se/docs/CVE-2019-5481.html" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-5481" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5481" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:48.085512Z", | |
| "modificationTime": "2020-07-23T10:26:19.207887Z", | |
| "publicationTime": "2019-09-11T09:22:27.828900Z", | |
| "disclosureTime": "2019-09-16T19:15:00Z", | |
| "id": "SNYK-ALPINE39-CURL-500961", | |
| "nvdSeverity": "critical", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<7.64.0-r3" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "git/git@2.20.1-r0", | |
| "curl/libcurl@7.64.0-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "curl/libcurl", | |
| "version": "7.64.0-r1", | |
| "nearestFixedInVersion": "7.64.0-r3" | |
| }, | |
| { | |
| "title": "Buffer Overflow", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "curl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nHeap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482)\n- [CONFIRM](https://curl.haxx.se/docs/CVE-2019-5482.html)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-5482)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5482)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-5482" | |
| ], | |
| "CWE": [ | |
| "CWE-120" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "critical", | |
| "cvssScore": 9.8, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://curl.haxx.se/docs/CVE-2019-5482.html" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-5482" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5482" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:48.201686Z", | |
| "modificationTime": "2020-07-23T10:26:19.238976Z", | |
| "publicationTime": "2019-09-11T09:22:28.354405Z", | |
| "disclosureTime": "2019-09-16T19:15:00Z", | |
| "id": "SNYK-ALPINE39-CURL-511277", | |
| "nvdSeverity": "critical", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<7.64.0-r3" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "git/git@2.20.1-r0", | |
| "curl/libcurl@7.64.0-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "curl/libcurl", | |
| "version": "7.64.0-r1", | |
| "nearestFixedInVersion": "7.64.0-r3" | |
| }, | |
| { | |
| "title": "CVE-2020-8169", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "curl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to CVE-2020-8169. None\n## Remediation\nUpgrade `curl` to version or higher.", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2020-8169" | |
| ], | |
| "CWE": [] | |
| }, | |
| "severity": "low", | |
| "severityWithCritical": "low", | |
| "cvssScore": null, | |
| "CVSSv3": null, | |
| "patches": [], | |
| "references": [], | |
| "creationTime": "2020-09-16T03:45:00.351569Z", | |
| "modificationTime": "2020-09-16T03:45:00.354996Z", | |
| "publicationTime": "2020-09-16T03:45:00.219508Z", | |
| "disclosureTime": null, | |
| "id": "SNYK-ALPINE39-CURL-674636", | |
| "nvdSeverity": "low", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<7.64.0-r4" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "git/git@2.20.1-r0", | |
| "curl/libcurl@7.64.0-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "curl/libcurl", | |
| "version": "7.64.0-r1", | |
| "nearestFixedInVersion": "7.64.0-r4" | |
| }, | |
| { | |
| "title": "CVE-2020-8177", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "curl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to CVE-2020-8177. None\n## Remediation\nUpgrade `curl` to version or higher.", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2020-8177" | |
| ], | |
| "CWE": [] | |
| }, | |
| "severity": "low", | |
| "severityWithCritical": "low", | |
| "cvssScore": null, | |
| "CVSSv3": null, | |
| "patches": [], | |
| "references": [], | |
| "creationTime": "2020-09-16T03:45:00.410807Z", | |
| "modificationTime": "2020-09-16T03:45:00.412967Z", | |
| "publicationTime": "2020-09-16T03:45:00.318542Z", | |
| "disclosureTime": null, | |
| "id": "SNYK-ALPINE39-CURL-674637", | |
| "nvdSeverity": "low", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<7.64.0-r4" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "git/git@2.20.1-r0", | |
| "curl/libcurl@7.64.0-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "curl/libcurl", | |
| "version": "7.64.0-r1", | |
| "nearestFixedInVersion": "7.64.0-r4" | |
| }, | |
| { | |
| "title": "Out-of-bounds Write", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "e2fsprogs", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nAn exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Sep/58)\n- [Debian Security Advisory](https://www.debian.org/security/2019/dsa-4535)\n- [Debian Security Announcement](https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-5094)\n- [Talos Vulnerability Report](https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5094)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4142-2/)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-5094" | |
| ], | |
| "CWE": [ | |
| "CWE-787" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 6.7, | |
| "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/58" | |
| }, | |
| { | |
| "title": "Debian Security Advisory", | |
| "url": "https://www.debian.org/security/2019/dsa-4535" | |
| }, | |
| { | |
| "title": "Debian Security Announcement", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-5094" | |
| }, | |
| { | |
| "title": "Talos Vulnerability Report", | |
| "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5094" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4142-2/" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:48.394132Z", | |
| "modificationTime": "2020-07-23T10:26:19.427360Z", | |
| "publicationTime": "2019-09-24T07:03:12.778438Z", | |
| "disclosureTime": "2019-09-24T22:15:00Z", | |
| "id": "SNYK-ALPINE39-E2FSPROGS-496794", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.44.5-r1" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "e2fsprogs/libcom_err@1.44.5-r0" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "e2fsprogs/libcom_err", | |
| "version": "1.44.5-r0", | |
| "nearestFixedInVersion": "1.44.5-r1" | |
| }, | |
| { | |
| "title": "Out-of-bounds Write", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "e2fsprogs", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to Out-of-bounds Write. A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.\n## Remediation\nUpgrade `e2fsprogs` to version or higher.\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-5188)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2020/03/msg00030.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2020/07/msg00021.html)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html)\n- [Talos Vulnerability Report](https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5188)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4249-1/)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-5188" | |
| ], | |
| "CWE": [ | |
| "CWE-787" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 6.7, | |
| "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-5188" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00030.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00021.html" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html" | |
| }, | |
| { | |
| "title": "Talos Vulnerability Report", | |
| "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5188" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4249-1/" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:53:09.267990Z", | |
| "modificationTime": "2020-07-23T10:26:42.713444Z", | |
| "publicationTime": "2020-01-07T22:21:50.199659Z", | |
| "disclosureTime": "2020-01-08T16:15:00Z", | |
| "id": "SNYK-ALPINE39-E2FSPROGS-589311", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.44.5-r2" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "e2fsprogs/libcom_err@1.44.5-r0" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "e2fsprogs/libcom_err", | |
| "version": "1.44.5-r0", | |
| "nearestFixedInVersion": "1.44.5-r2" | |
| }, | |
| { | |
| "title": "Out-of-bounds Write", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "e2fsprogs", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nAn exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Sep/58)\n- [Debian Security Advisory](https://www.debian.org/security/2019/dsa-4535)\n- [Debian Security Announcement](https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-5094)\n- [Talos Vulnerability Report](https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5094)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4142-2/)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-5094" | |
| ], | |
| "CWE": [ | |
| "CWE-787" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 6.7, | |
| "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/58" | |
| }, | |
| { | |
| "title": "Debian Security Advisory", | |
| "url": "https://www.debian.org/security/2019/dsa-4535" | |
| }, | |
| { | |
| "title": "Debian Security Announcement", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-5094" | |
| }, | |
| { | |
| "title": "Talos Vulnerability Report", | |
| "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5094" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4142-2/" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:48.394132Z", | |
| "modificationTime": "2020-07-23T10:26:19.427360Z", | |
| "publicationTime": "2019-09-24T07:03:12.778438Z", | |
| "disclosureTime": "2019-09-24T22:15:00Z", | |
| "id": "SNYK-ALPINE39-E2FSPROGS-496794", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.44.5-r1" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "krb5-conf/krb5-conf@1.0-r1", | |
| "krb5/krb5-libs@1.15.5-r0", | |
| "e2fsprogs/libcom_err@1.44.5-r0" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "e2fsprogs/libcom_err", | |
| "version": "1.44.5-r0", | |
| "nearestFixedInVersion": "1.44.5-r1" | |
| }, | |
| { | |
| "title": "Out-of-bounds Write", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "e2fsprogs", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to Out-of-bounds Write. A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.\n## Remediation\nUpgrade `e2fsprogs` to version or higher.\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-5188)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2020/03/msg00030.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2020/07/msg00021.html)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html)\n- [Talos Vulnerability Report](https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5188)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4249-1/)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-5188" | |
| ], | |
| "CWE": [ | |
| "CWE-787" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 6.7, | |
| "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-5188" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00030.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00021.html" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00004.html" | |
| }, | |
| { | |
| "title": "Talos Vulnerability Report", | |
| "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0973" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5188" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4249-1/" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:53:09.267990Z", | |
| "modificationTime": "2020-07-23T10:26:42.713444Z", | |
| "publicationTime": "2020-01-07T22:21:50.199659Z", | |
| "disclosureTime": "2020-01-08T16:15:00Z", | |
| "id": "SNYK-ALPINE39-E2FSPROGS-589311", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.44.5-r2" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "krb5-conf/krb5-conf@1.0-r1", | |
| "krb5/krb5-libs@1.15.5-r0", | |
| "e2fsprogs/libcom_err@1.44.5-r0" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "e2fsprogs/libcom_err", | |
| "version": "1.44.5-r0", | |
| "nearestFixedInVersion": "1.44.5-r2" | |
| }, | |
| { | |
| "title": "XML External Entity (XXE) Injection", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "expat", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nIn libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).\n\n## References\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Jun/39)\n- [CONFIRM](https://support.f5.com/csp/article/K51011533)\n- [CVE Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843)\n- [Debian Security Advisory](https://www.debian.org/security/2019/dsa-4472)\n- [Debian Security Announcement](https://lists.debian.org/debian-lts-announce/2019/06/msg00028.html)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2018-20843)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CEJJSQSG3KSUQY4FPVHZ7ZTT7FORMFVD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IDAUGEB3TUP6NEKJDBUBZX7N5OAUOOOK/)\n- [GitHub Commit](https://github.com/libexpat/libexpat/pull/262/commits/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6)\n- [GitHub Issue](https://github.com/libexpat/libexpat/issues/186)\n- [GitHub PR](https://github.com/libexpat/libexpat/pull/262)\n- [MISC](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5226)\n- [MISC](https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190703-0001/)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00039.html)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20843)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4040-1/)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4040-2/)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2018-20843" | |
| ], | |
| "CWE": [ | |
| "CWE-611" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 7.5, | |
| "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Jun/39" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K51011533" | |
| }, | |
| { | |
| "title": "CVE Details", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843" | |
| }, | |
| { | |
| "title": "Debian Security Advisory", | |
| "url": "https://www.debian.org/security/2019/dsa-4472" | |
| }, | |
| { | |
| "title": "Debian Security Announcement", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00028.html" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2018-20843" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CEJJSQSG3KSUQY4FPVHZ7ZTT7FORMFVD/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IDAUGEB3TUP6NEKJDBUBZX7N5OAUOOOK/" | |
| }, | |
| { | |
| "title": "GitHub Commit", | |
| "url": "https://github.com/libexpat/libexpat/pull/262/commits/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6" | |
| }, | |
| { | |
| "title": "GitHub Issue", | |
| "url": "https://github.com/libexpat/libexpat/issues/186" | |
| }, | |
| { | |
| "title": "GitHub PR", | |
| "url": "https://github.com/libexpat/libexpat/pull/262" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5226" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190703-0001/" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00039.html" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20843" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4040-1/" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4040-2/" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:42.779252Z", | |
| "modificationTime": "2020-07-23T10:26:13.714471Z", | |
| "publicationTime": "2019-06-24T22:21:12.802637Z", | |
| "disclosureTime": "2019-06-24T17:15:00Z", | |
| "id": "SNYK-ALPINE39-EXPAT-453353", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<2.2.7-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "expat/expat@2.2.6-r0" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "expat/expat", | |
| "version": "2.2.6-r0", | |
| "nearestFixedInVersion": "2.2.7-r0" | |
| }, | |
| { | |
| "title": "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "expat", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nIn libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15903)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Dec/17)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Dec/21)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Dec/23)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Nov/1)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Nov/24)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/29)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Sep/37)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Sep/30)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20190926-0004/)\n- [CONFIRM](https://support.apple.com/kb/HT210785)\n- [CONFIRM](https://support.apple.com/kb/HT210788)\n- [CONFIRM](https://support.apple.com/kb/HT210789)\n- [CONFIRM](https://support.apple.com/kb/HT210790)\n- [CONFIRM](https://support.apple.com/kb/HT210793)\n- [CONFIRM](https://support.apple.com/kb/HT210794)\n- [CONFIRM](https://support.apple.com/kb/HT210795)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4530)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4549)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4571)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-15903)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A4TZKPJFTURRLXIGLB34WVKQ5HGY6JJA/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BDUTI5TVQWIGGQXPEVI4T2ENHFSBMIBP/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S26LGXXQ7YF2BP3RGOWELBFKM6BHF6UG/)\n- [FULLDISC](http://seclists.org/fulldisclosure/2019/Dec/23)\n- [FULLDISC](http://seclists.org/fulldisclosure/2019/Dec/26)\n- [FULLDISC](http://seclists.org/fulldisclosure/2019/Dec/27)\n- [FULLDISC](http://seclists.org/fulldisclosure/2019/Dec/30)\n- [GENTOO](https://security.gentoo.org/glsa/201911-08)\n- [GitHub Commit](https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43)\n- [GitHub Issue](https://github.com/libexpat/libexpat/issues/317)\n- [GitHub Issue](https://github.com/libexpat/libexpat/issues/342)\n- [GitHub PR](https://github.com/libexpat/libexpat/pull/318)\n- [MISC](http://packetstormsecurity.com/files/154503/Slackware-Security-Advisory-expat-Updates.html)\n- [MISC](http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html)\n- [MISC](http://packetstormsecurity.com/files/154947/Slackware-Security-Advisory-mozilla-firefox-Updates.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/11/msg00006.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/11/msg00017.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:3210)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:3237)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:3756)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00080.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00081.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00000.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00002.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00003.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00013.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00016.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00017.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00018.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00019.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00008.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html)\n- [UBUNTU](https://usn.ubuntu.com/4165-1/)\n- [UBUNTU](https://usn.ubuntu.com/4202-1/)\n- [UBUNTU](https://usn.ubuntu.com/4335-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-15903)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4132-1/)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4132-2/)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-15903" | |
| ], | |
| "CWE": [ | |
| "CWE-125", | |
| "CWE-776" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 7.5, | |
| "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15903" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/17" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/21" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/23" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Nov/1" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Nov/24" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/29" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/37" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/30" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20190926-0004/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.apple.com/kb/HT210785" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.apple.com/kb/HT210788" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.apple.com/kb/HT210789" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.apple.com/kb/HT210790" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.apple.com/kb/HT210793" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.apple.com/kb/HT210794" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.apple.com/kb/HT210795" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4530" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4549" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4571" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-15903" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A4TZKPJFTURRLXIGLB34WVKQ5HGY6JJA/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BDUTI5TVQWIGGQXPEVI4T2ENHFSBMIBP/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S26LGXXQ7YF2BP3RGOWELBFKM6BHF6UG/" | |
| }, | |
| { | |
| "title": "FULLDISC", | |
| "url": "http://seclists.org/fulldisclosure/2019/Dec/23" | |
| }, | |
| { | |
| "title": "FULLDISC", | |
| "url": "http://seclists.org/fulldisclosure/2019/Dec/26" | |
| }, | |
| { | |
| "title": "FULLDISC", | |
| "url": "http://seclists.org/fulldisclosure/2019/Dec/27" | |
| }, | |
| { | |
| "title": "FULLDISC", | |
| "url": "http://seclists.org/fulldisclosure/2019/Dec/30" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/201911-08" | |
| }, | |
| { | |
| "title": "GitHub Commit", | |
| "url": "https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43" | |
| }, | |
| { | |
| "title": "GitHub Issue", | |
| "url": "https://github.com/libexpat/libexpat/issues/317" | |
| }, | |
| { | |
| "title": "GitHub Issue", | |
| "url": "https://github.com/libexpat/libexpat/issues/342" | |
| }, | |
| { | |
| "title": "GitHub PR", | |
| "url": "https://github.com/libexpat/libexpat/pull/318" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154503/Slackware-Security-Advisory-expat-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154947/Slackware-Security-Advisory-mozilla-firefox-Updates.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00006.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00017.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:3210" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:3237" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:3756" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00080.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00081.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00000.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00002.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00003.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00013.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00016.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00017.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00018.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00019.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00008.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4165-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4202-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4335-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-15903" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4132-1/" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4132-2/" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:47.443004Z", | |
| "modificationTime": "2020-07-23T10:26:18.696987Z", | |
| "publicationTime": "2019-09-04T14:09:12.945192Z", | |
| "disclosureTime": "2019-09-04T06:15:00Z", | |
| "id": "SNYK-ALPINE39-EXPAT-485094", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<2.2.7-r1" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "expat/expat@2.2.6-r0" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "expat/expat", | |
| "version": "2.2.6-r0", | |
| "nearestFixedInVersion": "2.2.7-r1" | |
| }, | |
| { | |
| "title": "XML External Entity (XXE) Injection", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "expat", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nIn libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).\n\n## References\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Jun/39)\n- [CONFIRM](https://support.f5.com/csp/article/K51011533)\n- [CVE Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843)\n- [Debian Security Advisory](https://www.debian.org/security/2019/dsa-4472)\n- [Debian Security Announcement](https://lists.debian.org/debian-lts-announce/2019/06/msg00028.html)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2018-20843)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CEJJSQSG3KSUQY4FPVHZ7ZTT7FORMFVD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IDAUGEB3TUP6NEKJDBUBZX7N5OAUOOOK/)\n- [GitHub Commit](https://github.com/libexpat/libexpat/pull/262/commits/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6)\n- [GitHub Issue](https://github.com/libexpat/libexpat/issues/186)\n- [GitHub PR](https://github.com/libexpat/libexpat/pull/262)\n- [MISC](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5226)\n- [MISC](https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190703-0001/)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00039.html)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20843)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4040-1/)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4040-2/)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2018-20843" | |
| ], | |
| "CWE": [ | |
| "CWE-611" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 7.5, | |
| "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Jun/39" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K51011533" | |
| }, | |
| { | |
| "title": "CVE Details", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843" | |
| }, | |
| { | |
| "title": "Debian Security Advisory", | |
| "url": "https://www.debian.org/security/2019/dsa-4472" | |
| }, | |
| { | |
| "title": "Debian Security Announcement", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00028.html" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2018-20843" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CEJJSQSG3KSUQY4FPVHZ7ZTT7FORMFVD/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IDAUGEB3TUP6NEKJDBUBZX7N5OAUOOOK/" | |
| }, | |
| { | |
| "title": "GitHub Commit", | |
| "url": "https://github.com/libexpat/libexpat/pull/262/commits/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6" | |
| }, | |
| { | |
| "title": "GitHub Issue", | |
| "url": "https://github.com/libexpat/libexpat/issues/186" | |
| }, | |
| { | |
| "title": "GitHub PR", | |
| "url": "https://github.com/libexpat/libexpat/pull/262" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5226" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190703-0001/" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00039.html" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20843" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4040-1/" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4040-2/" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:42.779252Z", | |
| "modificationTime": "2020-07-23T10:26:13.714471Z", | |
| "publicationTime": "2019-06-24T22:21:12.802637Z", | |
| "disclosureTime": "2019-06-24T17:15:00Z", | |
| "id": "SNYK-ALPINE39-EXPAT-453353", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<2.2.7-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| ".python-rundeps@0", | |
| "expat/expat@2.2.6-r0" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "expat/expat", | |
| "version": "2.2.6-r0", | |
| "nearestFixedInVersion": "2.2.7-r0" | |
| }, | |
| { | |
| "title": "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "expat", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nIn libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15903)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Dec/17)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Dec/21)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Dec/23)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Nov/1)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Nov/24)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/29)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Sep/37)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Sep/30)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20190926-0004/)\n- [CONFIRM](https://support.apple.com/kb/HT210785)\n- [CONFIRM](https://support.apple.com/kb/HT210788)\n- [CONFIRM](https://support.apple.com/kb/HT210789)\n- [CONFIRM](https://support.apple.com/kb/HT210790)\n- [CONFIRM](https://support.apple.com/kb/HT210793)\n- [CONFIRM](https://support.apple.com/kb/HT210794)\n- [CONFIRM](https://support.apple.com/kb/HT210795)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4530)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4549)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4571)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-15903)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A4TZKPJFTURRLXIGLB34WVKQ5HGY6JJA/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BDUTI5TVQWIGGQXPEVI4T2ENHFSBMIBP/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S26LGXXQ7YF2BP3RGOWELBFKM6BHF6UG/)\n- [FULLDISC](http://seclists.org/fulldisclosure/2019/Dec/23)\n- [FULLDISC](http://seclists.org/fulldisclosure/2019/Dec/26)\n- [FULLDISC](http://seclists.org/fulldisclosure/2019/Dec/27)\n- [FULLDISC](http://seclists.org/fulldisclosure/2019/Dec/30)\n- [GENTOO](https://security.gentoo.org/glsa/201911-08)\n- [GitHub Commit](https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43)\n- [GitHub Issue](https://github.com/libexpat/libexpat/issues/317)\n- [GitHub Issue](https://github.com/libexpat/libexpat/issues/342)\n- [GitHub PR](https://github.com/libexpat/libexpat/pull/318)\n- [MISC](http://packetstormsecurity.com/files/154503/Slackware-Security-Advisory-expat-Updates.html)\n- [MISC](http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html)\n- [MISC](http://packetstormsecurity.com/files/154947/Slackware-Security-Advisory-mozilla-firefox-Updates.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/11/msg00006.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/11/msg00017.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:3210)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:3237)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:3756)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00080.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00081.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00000.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00002.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00003.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00013.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00016.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00017.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00018.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00019.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00008.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html)\n- [UBUNTU](https://usn.ubuntu.com/4165-1/)\n- [UBUNTU](https://usn.ubuntu.com/4202-1/)\n- [UBUNTU](https://usn.ubuntu.com/4335-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-15903)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4132-1/)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4132-2/)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-15903" | |
| ], | |
| "CWE": [ | |
| "CWE-125", | |
| "CWE-776" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 7.5, | |
| "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15903" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/17" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/21" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/23" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Nov/1" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Nov/24" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/29" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/37" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/30" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20190926-0004/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.apple.com/kb/HT210785" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.apple.com/kb/HT210788" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.apple.com/kb/HT210789" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.apple.com/kb/HT210790" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.apple.com/kb/HT210793" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.apple.com/kb/HT210794" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.apple.com/kb/HT210795" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4530" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4549" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4571" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-15903" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A4TZKPJFTURRLXIGLB34WVKQ5HGY6JJA/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BDUTI5TVQWIGGQXPEVI4T2ENHFSBMIBP/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S26LGXXQ7YF2BP3RGOWELBFKM6BHF6UG/" | |
| }, | |
| { | |
| "title": "FULLDISC", | |
| "url": "http://seclists.org/fulldisclosure/2019/Dec/23" | |
| }, | |
| { | |
| "title": "FULLDISC", | |
| "url": "http://seclists.org/fulldisclosure/2019/Dec/26" | |
| }, | |
| { | |
| "title": "FULLDISC", | |
| "url": "http://seclists.org/fulldisclosure/2019/Dec/27" | |
| }, | |
| { | |
| "title": "FULLDISC", | |
| "url": "http://seclists.org/fulldisclosure/2019/Dec/30" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/201911-08" | |
| }, | |
| { | |
| "title": "GitHub Commit", | |
| "url": "https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43" | |
| }, | |
| { | |
| "title": "GitHub Issue", | |
| "url": "https://github.com/libexpat/libexpat/issues/317" | |
| }, | |
| { | |
| "title": "GitHub Issue", | |
| "url": "https://github.com/libexpat/libexpat/issues/342" | |
| }, | |
| { | |
| "title": "GitHub PR", | |
| "url": "https://github.com/libexpat/libexpat/pull/318" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154503/Slackware-Security-Advisory-expat-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154947/Slackware-Security-Advisory-mozilla-firefox-Updates.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00006.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00017.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:3210" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:3237" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:3756" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00080.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00081.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00000.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00002.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00003.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00013.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00016.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00017.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00018.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00019.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00008.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4165-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4202-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4335-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-15903" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4132-1/" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4132-2/" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:47.443004Z", | |
| "modificationTime": "2020-07-23T10:26:18.696987Z", | |
| "publicationTime": "2019-09-04T14:09:12.945192Z", | |
| "disclosureTime": "2019-09-04T06:15:00Z", | |
| "id": "SNYK-ALPINE39-EXPAT-485094", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<2.2.7-r1" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| ".python-rundeps@0", | |
| "expat/expat@2.2.6-r0" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "expat/expat", | |
| "version": "2.2.6-r0", | |
| "nearestFixedInVersion": "2.2.7-r1" | |
| }, | |
| { | |
| "title": "XML External Entity (XXE) Injection", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "expat", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nIn libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).\n\n## References\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Jun/39)\n- [CONFIRM](https://support.f5.com/csp/article/K51011533)\n- [CVE Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843)\n- [Debian Security Advisory](https://www.debian.org/security/2019/dsa-4472)\n- [Debian Security Announcement](https://lists.debian.org/debian-lts-announce/2019/06/msg00028.html)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2018-20843)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CEJJSQSG3KSUQY4FPVHZ7ZTT7FORMFVD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IDAUGEB3TUP6NEKJDBUBZX7N5OAUOOOK/)\n- [GitHub Commit](https://github.com/libexpat/libexpat/pull/262/commits/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6)\n- [GitHub Issue](https://github.com/libexpat/libexpat/issues/186)\n- [GitHub PR](https://github.com/libexpat/libexpat/pull/262)\n- [MISC](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5226)\n- [MISC](https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190703-0001/)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00039.html)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20843)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4040-1/)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4040-2/)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2018-20843" | |
| ], | |
| "CWE": [ | |
| "CWE-611" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 7.5, | |
| "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Jun/39" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K51011533" | |
| }, | |
| { | |
| "title": "CVE Details", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843" | |
| }, | |
| { | |
| "title": "Debian Security Advisory", | |
| "url": "https://www.debian.org/security/2019/dsa-4472" | |
| }, | |
| { | |
| "title": "Debian Security Announcement", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00028.html" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2018-20843" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CEJJSQSG3KSUQY4FPVHZ7ZTT7FORMFVD/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IDAUGEB3TUP6NEKJDBUBZX7N5OAUOOOK/" | |
| }, | |
| { | |
| "title": "GitHub Commit", | |
| "url": "https://github.com/libexpat/libexpat/pull/262/commits/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6" | |
| }, | |
| { | |
| "title": "GitHub Issue", | |
| "url": "https://github.com/libexpat/libexpat/issues/186" | |
| }, | |
| { | |
| "title": "GitHub PR", | |
| "url": "https://github.com/libexpat/libexpat/pull/262" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5226" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190703-0001/" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00039.html" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20843" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4040-1/" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4040-2/" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:42.779252Z", | |
| "modificationTime": "2020-07-23T10:26:13.714471Z", | |
| "publicationTime": "2019-06-24T22:21:12.802637Z", | |
| "disclosureTime": "2019-06-24T17:15:00Z", | |
| "id": "SNYK-ALPINE39-EXPAT-453353", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<2.2.7-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "git/git@2.20.1-r0", | |
| "expat/expat@2.2.6-r0" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "expat/expat", | |
| "version": "2.2.6-r0", | |
| "nearestFixedInVersion": "2.2.7-r0" | |
| }, | |
| { | |
| "title": "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "expat", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nIn libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15903)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Dec/17)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Dec/21)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Dec/23)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Nov/1)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Nov/24)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/29)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Sep/37)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Sep/30)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20190926-0004/)\n- [CONFIRM](https://support.apple.com/kb/HT210785)\n- [CONFIRM](https://support.apple.com/kb/HT210788)\n- [CONFIRM](https://support.apple.com/kb/HT210789)\n- [CONFIRM](https://support.apple.com/kb/HT210790)\n- [CONFIRM](https://support.apple.com/kb/HT210793)\n- [CONFIRM](https://support.apple.com/kb/HT210794)\n- [CONFIRM](https://support.apple.com/kb/HT210795)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4530)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4549)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4571)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-15903)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A4TZKPJFTURRLXIGLB34WVKQ5HGY6JJA/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BDUTI5TVQWIGGQXPEVI4T2ENHFSBMIBP/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S26LGXXQ7YF2BP3RGOWELBFKM6BHF6UG/)\n- [FULLDISC](http://seclists.org/fulldisclosure/2019/Dec/23)\n- [FULLDISC](http://seclists.org/fulldisclosure/2019/Dec/26)\n- [FULLDISC](http://seclists.org/fulldisclosure/2019/Dec/27)\n- [FULLDISC](http://seclists.org/fulldisclosure/2019/Dec/30)\n- [GENTOO](https://security.gentoo.org/glsa/201911-08)\n- [GitHub Commit](https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43)\n- [GitHub Issue](https://github.com/libexpat/libexpat/issues/317)\n- [GitHub Issue](https://github.com/libexpat/libexpat/issues/342)\n- [GitHub PR](https://github.com/libexpat/libexpat/pull/318)\n- [MISC](http://packetstormsecurity.com/files/154503/Slackware-Security-Advisory-expat-Updates.html)\n- [MISC](http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html)\n- [MISC](http://packetstormsecurity.com/files/154947/Slackware-Security-Advisory-mozilla-firefox-Updates.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/11/msg00006.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/11/msg00017.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:3210)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:3237)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:3756)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00080.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00081.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00000.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00002.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00003.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00013.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00016.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00017.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00018.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00019.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00008.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html)\n- [UBUNTU](https://usn.ubuntu.com/4165-1/)\n- [UBUNTU](https://usn.ubuntu.com/4202-1/)\n- [UBUNTU](https://usn.ubuntu.com/4335-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-15903)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4132-1/)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4132-2/)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-15903" | |
| ], | |
| "CWE": [ | |
| "CWE-125", | |
| "CWE-776" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 7.5, | |
| "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15903" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/17" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/21" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/23" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Nov/1" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Nov/24" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/29" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/37" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/30" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20190926-0004/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.apple.com/kb/HT210785" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.apple.com/kb/HT210788" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.apple.com/kb/HT210789" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.apple.com/kb/HT210790" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.apple.com/kb/HT210793" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.apple.com/kb/HT210794" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.apple.com/kb/HT210795" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4530" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4549" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4571" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-15903" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A4TZKPJFTURRLXIGLB34WVKQ5HGY6JJA/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BDUTI5TVQWIGGQXPEVI4T2ENHFSBMIBP/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S26LGXXQ7YF2BP3RGOWELBFKM6BHF6UG/" | |
| }, | |
| { | |
| "title": "FULLDISC", | |
| "url": "http://seclists.org/fulldisclosure/2019/Dec/23" | |
| }, | |
| { | |
| "title": "FULLDISC", | |
| "url": "http://seclists.org/fulldisclosure/2019/Dec/26" | |
| }, | |
| { | |
| "title": "FULLDISC", | |
| "url": "http://seclists.org/fulldisclosure/2019/Dec/27" | |
| }, | |
| { | |
| "title": "FULLDISC", | |
| "url": "http://seclists.org/fulldisclosure/2019/Dec/30" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/201911-08" | |
| }, | |
| { | |
| "title": "GitHub Commit", | |
| "url": "https://github.com/libexpat/libexpat/commit/c20b758c332d9a13afbbb276d30db1d183a85d43" | |
| }, | |
| { | |
| "title": "GitHub Issue", | |
| "url": "https://github.com/libexpat/libexpat/issues/317" | |
| }, | |
| { | |
| "title": "GitHub Issue", | |
| "url": "https://github.com/libexpat/libexpat/issues/342" | |
| }, | |
| { | |
| "title": "GitHub PR", | |
| "url": "https://github.com/libexpat/libexpat/pull/318" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154503/Slackware-Security-Advisory-expat-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154947/Slackware-Security-Advisory-mozilla-firefox-Updates.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00006.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00017.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:3210" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:3237" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:3756" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00080.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00081.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00000.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00002.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00003.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00013.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00016.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00017.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00018.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00019.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00008.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4165-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4202-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4335-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-15903" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4132-1/" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4132-2/" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:47.443004Z", | |
| "modificationTime": "2020-07-23T10:26:18.696987Z", | |
| "publicationTime": "2019-09-04T14:09:12.945192Z", | |
| "disclosureTime": "2019-09-04T06:15:00Z", | |
| "id": "SNYK-ALPINE39-EXPAT-485094", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<2.2.7-r1" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "git/git@2.20.1-r0", | |
| "expat/expat@2.2.6-r0" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "expat/expat", | |
| "version": "2.2.6-r0", | |
| "nearestFixedInVersion": "2.2.7-r1" | |
| }, | |
| { | |
| "title": "Improper Input Validation", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "git", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to Improper Input Validation. An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.\n## Remediation\nUpgrade `git` to version or higher.\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1387)\n- [CONFIRM](https://lore.kernel.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/T/#u)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1387)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6UGTEOXWIYSM5KDZL74QD2GK6YQNQCP/)\n- [GENTOO](https://security.gentoo.org/glsa/202003-30)\n- [GENTOO](https://security.gentoo.org/glsa/202003-42)\n- [MISC](https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2020/01/msg00019.html)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2020:0124)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2020:0228)\n- [RHSA Security Advisory](https://access.redhat.com/errata/RHSA-2019:4356)\n- [RHSA Security Advisory](https://access.redhat.com/errata/RHSA-2020:0002)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1387)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1387" | |
| ], | |
| "CWE": [] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 8.8, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1387" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://lore.kernel.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/T/%23u" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1387" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6UGTEOXWIYSM5KDZL74QD2GK6YQNQCP/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202003-30" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202003-42" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00019.html" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2020:0124" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2020:0228" | |
| }, | |
| { | |
| "title": "RHSA Security Advisory", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:4356" | |
| }, | |
| { | |
| "title": "RHSA Security Advisory", | |
| "url": "https://access.redhat.com/errata/RHSA-2020:0002" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1387" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:52:50.548465Z", | |
| "modificationTime": "2020-07-23T10:26:41.228665Z", | |
| "publicationTime": "2019-12-10T21:04:12.942670Z", | |
| "disclosureTime": "2019-12-18T21:15:00Z", | |
| "id": "SNYK-ALPINE39-GIT-589108", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<2.20.2-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "git/git@2.20.1-r0" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "git/git", | |
| "version": "2.20.1-r0", | |
| "nearestFixedInVersion": "2.20.2-r0" | |
| }, | |
| { | |
| "title": "Improper Input Validation", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "git", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to Improper Input Validation. A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1350, CVE-2019-1352, CVE-2019-1387.\n## Remediation\nUpgrade `git` to version or higher.\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1354)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1354)\n- [MISC](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1354)\n- [MISC](https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1354)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1354" | |
| ], | |
| "CWE": [ | |
| "CWE-20" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 8.8, | |
| "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1354" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1354" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1354" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1354" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:52:50.764150Z", | |
| "modificationTime": "2020-07-23T10:26:41.247504Z", | |
| "publicationTime": "2019-12-10T21:04:05.016956Z", | |
| "disclosureTime": "2020-01-24T21:15:00Z", | |
| "id": "SNYK-ALPINE39-GIT-589111", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<2.20.2-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "git/git@2.20.1-r0" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "git/git", | |
| "version": "2.20.1-r0", | |
| "nearestFixedInVersion": "2.20.2-r0" | |
| }, | |
| { | |
| "title": "CVE-2019-1353", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "git", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to CVE-2019-1353. An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as \"WSL\") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active.\n## Remediation\nUpgrade `git` to version or higher.\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1353)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1353)\n- [Gentoo Security Advisory](https://security.gentoo.org/glsa/202003-30)\n- [MISC](https://lore.kernel.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/T/#u)\n- [MISC](https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1353)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1353" | |
| ], | |
| "CWE": [] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 7.3, | |
| "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1353" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1353" | |
| }, | |
| { | |
| "title": "Gentoo Security Advisory", | |
| "url": "https://security.gentoo.org/glsa/202003-30" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://lore.kernel.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/T/%23u" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1353" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:52:50.990652Z", | |
| "modificationTime": "2020-07-23T10:26:41.266930Z", | |
| "publicationTime": "2019-12-10T21:09:06.650924Z", | |
| "disclosureTime": "2020-01-24T22:15:00Z", | |
| "id": "SNYK-ALPINE39-GIT-589114", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<2.20.2-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "git/git@2.20.1-r0" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "git/git", | |
| "version": "2.20.1-r0", | |
| "nearestFixedInVersion": "2.20.2-r0" | |
| }, | |
| { | |
| "title": "Improper Input Validation", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "git", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to Improper Input Validation. A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1350, CVE-2019-1354, CVE-2019-1387.\n## Remediation\nUpgrade `git` to version or higher.\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1352)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1352)\n- [MISC](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1352)\n- [MISC](https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html)\n- [RHSA Security Advisory](https://access.redhat.com/errata/RHSA-2020:0228)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1352)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1352" | |
| ], | |
| "CWE": [ | |
| "CWE-20" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 8.8, | |
| "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1352" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1352" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1352" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html" | |
| }, | |
| { | |
| "title": "RHSA Security Advisory", | |
| "url": "https://access.redhat.com/errata/RHSA-2020:0228" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1352" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:52:51.215022Z", | |
| "modificationTime": "2020-07-23T10:26:41.286226Z", | |
| "publicationTime": "2019-12-10T21:04:12.509126Z", | |
| "disclosureTime": "2020-01-24T21:15:00Z", | |
| "id": "SNYK-ALPINE39-GIT-589117", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<2.20.2-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "git/git@2.20.1-r0" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "git/git", | |
| "version": "2.20.1-r0", | |
| "nearestFixedInVersion": "2.20.2-r0" | |
| }, | |
| { | |
| "title": "Use of Incorrectly-Resolved Name or Reference", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "git", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to Use of Incorrectly-Resolved Name or Reference. A tampering vulnerability exists when Git for Visual Studio improperly handles virtual drive paths, aka 'Git for Visual Studio Tampering Vulnerability'.\n## Remediation\nUpgrade `git` to version or higher.\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1351)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1351)\n- [Gentoo Security Advisory](https://security.gentoo.org/glsa/202003-30)\n- [MISC](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1351)\n- [MISC](https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1351)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1351" | |
| ], | |
| "CWE": [ | |
| "CWE-706" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 7.5, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1351" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1351" | |
| }, | |
| { | |
| "title": "Gentoo Security Advisory", | |
| "url": "https://security.gentoo.org/glsa/202003-30" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1351" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1351" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:52:51.429299Z", | |
| "modificationTime": "2020-07-23T10:26:41.309392Z", | |
| "publicationTime": "2019-12-10T21:04:15.541817Z", | |
| "disclosureTime": "2020-01-24T21:15:00Z", | |
| "id": "SNYK-ALPINE39-GIT-589120", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<2.20.2-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "git/git@2.20.1-r0" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "git/git", | |
| "version": "2.20.1-r0", | |
| "nearestFixedInVersion": "2.20.2-r0" | |
| }, | |
| { | |
| "title": "Improper Input Validation", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "git", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to Improper Input Validation. A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387.\n## Remediation\nUpgrade `git` to version or higher.\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1350)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1350)\n- [MISC](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1350)\n- [MISC](https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1350)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1350" | |
| ], | |
| "CWE": [ | |
| "CWE-20" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 8.8, | |
| "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1350" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1350" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1350" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1350" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:52:51.644381Z", | |
| "modificationTime": "2020-07-23T10:26:41.330695Z", | |
| "publicationTime": "2019-12-10T21:04:13.404904Z", | |
| "disclosureTime": "2020-01-24T21:15:00Z", | |
| "id": "SNYK-ALPINE39-GIT-589123", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<2.20.2-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "git/git@2.20.1-r0" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "git/git", | |
| "version": "2.20.1-r0", | |
| "nearestFixedInVersion": "2.20.2-r0" | |
| }, | |
| { | |
| "title": "Improper Input Validation", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "git", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to Improper Input Validation. A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1350, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387.\n## Remediation\nUpgrade `git` to version or higher.\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1349)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1349)\n- [MISC](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1349)\n- [MISC](https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html)\n- [RHSA Security Advisory](https://access.redhat.com/errata/RHSA-2020:0228)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1349)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1349" | |
| ], | |
| "CWE": [ | |
| "CWE-20" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 8.8, | |
| "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1349" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1349" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1349" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html" | |
| }, | |
| { | |
| "title": "RHSA Security Advisory", | |
| "url": "https://access.redhat.com/errata/RHSA-2020:0228" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1349" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:52:51.847641Z", | |
| "modificationTime": "2020-07-23T10:26:41.355109Z", | |
| "publicationTime": "2019-12-10T21:04:14.657528Z", | |
| "disclosureTime": "2020-01-24T21:15:00Z", | |
| "id": "SNYK-ALPINE39-GIT-589126", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<2.20.2-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "git/git@2.20.1-r0" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "git/git", | |
| "version": "2.20.1-r0", | |
| "nearestFixedInVersion": "2.20.2-r0" | |
| }, | |
| { | |
| "title": "Improper Input Validation", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "git", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to Improper Input Validation. An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. The --export-marks option of git fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths.\n## Remediation\nUpgrade `git` to version or higher.\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1348)\n- [Apple Security Advisory](https://support.apple.com/kb/HT210729)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1348)\n- [GENTOO](https://security.gentoo.org/glsa/202003-30)\n- [GENTOO](https://security.gentoo.org/glsa/202003-42)\n- [MISC](https://lore.kernel.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/T/#u)\n- [MISC](https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html)\n- [RHSA Security Advisory](https://access.redhat.com/errata/RHSA-2020:0228)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1348)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1348" | |
| ], | |
| "CWE": [] | |
| }, | |
| "severity": "low", | |
| "severityWithCritical": "low", | |
| "cvssScore": 3.3, | |
| "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1348" | |
| }, | |
| { | |
| "title": "Apple Security Advisory", | |
| "url": "https://support.apple.com/kb/HT210729" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1348" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202003-30" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202003-42" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://lore.kernel.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/T/%23u" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html" | |
| }, | |
| { | |
| "title": "RHSA Security Advisory", | |
| "url": "https://access.redhat.com/errata/RHSA-2020:0228" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1348" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:52:52.066232Z", | |
| "modificationTime": "2020-07-23T10:26:41.374161Z", | |
| "publicationTime": "2019-12-10T21:04:12.063299Z", | |
| "disclosureTime": "2020-01-24T22:15:00Z", | |
| "id": "SNYK-ALPINE39-GIT-589129", | |
| "nvdSeverity": "low", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<2.20.2-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "git/git@2.20.1-r0" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "git/git", | |
| "version": "2.20.1-r0", | |
| "nearestFixedInVersion": "2.20.2-r0" | |
| }, | |
| { | |
| "title": "CVE-2020-11008", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "git", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to CVE-2020-11008. None\n## Remediation\nUpgrade `git` to version or higher.", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2020-11008" | |
| ], | |
| "CWE": [] | |
| }, | |
| "severity": "low", | |
| "severityWithCritical": "low", | |
| "cvssScore": null, | |
| "CVSSv3": null, | |
| "patches": [], | |
| "references": [], | |
| "creationTime": "2020-07-21T17:52:52.277770Z", | |
| "modificationTime": "2020-07-23T10:26:41.396345Z", | |
| "publicationTime": "2020-07-21T17:52:46.572870Z", | |
| "disclosureTime": null, | |
| "id": "SNYK-ALPINE39-GIT-589132", | |
| "nvdSeverity": "low", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<2.20.4-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "git/git@2.20.1-r0" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "git/git", | |
| "version": "2.20.1-r0", | |
| "nearestFixedInVersion": "2.20.4-r0" | |
| }, | |
| { | |
| "title": "CVE-2020-5260", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "git", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to CVE-2020-5260. None\n## Remediation\nUpgrade `git` to version or higher.", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2020-5260" | |
| ], | |
| "CWE": [] | |
| }, | |
| "severity": "low", | |
| "severityWithCritical": "low", | |
| "cvssScore": null, | |
| "CVSSv3": null, | |
| "patches": [], | |
| "references": [], | |
| "creationTime": "2020-07-21T17:52:52.488888Z", | |
| "modificationTime": "2020-07-23T10:26:41.424980Z", | |
| "publicationTime": "2020-07-21T17:52:43.276763Z", | |
| "disclosureTime": null, | |
| "id": "SNYK-ALPINE39-GIT-589135", | |
| "nvdSeverity": "low", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<2.20.3-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "git/git@2.20.1-r0" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "git/git", | |
| "version": "2.20.1-r0", | |
| "nearestFixedInVersion": "2.20.3-r0" | |
| }, | |
| { | |
| "title": "Integer Overflow", | |
| "credit": [ | |
| "Unknown" | |
| ], | |
| "packageName": "libssh2", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nThe `SSH_MSG_DISCONNECT` logic in `packet.c` has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.\n\n## References\n- [Exploit](https://github.com/kevinbackhouse/SecurityExploits/tree/8cbdbbe6363510f7d9ceec685373da12e6fc752d/libssh2/out_of_bounds_read_disconnect_CVE-2019-17498)\n- [GitHub Fix Commit](https://github.com/libssh2/libssh2/pull/402/commits/1c6fa92b77e34d089493fe6d3e2c6c8775858b94)\n- [Semmle Blogpost](https://blog.semmle.com/libssh2-integer-overflow-CVE-2019-17498/)\n- [Vulnerable code](https://github.com/libssh2/libssh2/blob/42d37aa63129a1b2644bf6495198923534322d64/src/packet.c%23L480)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-17498" | |
| ], | |
| "CWE": [ | |
| "CWE-190" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "critical", | |
| "cvssScore": 9.8, | |
| "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "Exploit", | |
| "url": "https://github.com/kevinbackhouse/SecurityExploits/tree/8cbdbbe6363510f7d9ceec685373da12e6fc752d/libssh2/out_of_bounds_read_disconnect_CVE-2019-17498" | |
| }, | |
| { | |
| "title": "GitHub Fix Commit", | |
| "url": "https://github.com/libssh2/libssh2/pull/402/commits/1c6fa92b77e34d089493fe6d3e2c6c8775858b94" | |
| }, | |
| { | |
| "title": "Vulnerable code", | |
| "url": "https://github.com/libssh2/libssh2/blob/42d37aa63129a1b2644bf6495198923534322d64/src/packet.c%23L480" | |
| }, | |
| { | |
| "title": "Semmle Blogpost", | |
| "url": "https://blog.semmle.com/libssh2-integer-overflow-CVE-2019-17498/" | |
| } | |
| ], | |
| "creationTime": "2019-10-28T10:30:17.707485Z", | |
| "modificationTime": "2019-10-31T16:09:08.567500Z", | |
| "publicationTime": "2019-10-21T23:06:19Z", | |
| "disclosureTime": "2019-10-21T23:06:19Z", | |
| "id": "SNYK-ALPINE39-LIBSSH2-474568", | |
| "nvdSeverity": "critical", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.9.0-r1" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "libssh2/libssh2@1.8.2-r0" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "libssh2/libssh2", | |
| "version": "1.8.2-r0", | |
| "nearestFixedInVersion": "1.9.0-r1" | |
| }, | |
| { | |
| "title": "Integer Overflow", | |
| "credit": [ | |
| "Unknown" | |
| ], | |
| "packageName": "libssh2", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nThe `SSH_MSG_DISCONNECT` logic in `packet.c` has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.\n\n## References\n- [Exploit](https://github.com/kevinbackhouse/SecurityExploits/tree/8cbdbbe6363510f7d9ceec685373da12e6fc752d/libssh2/out_of_bounds_read_disconnect_CVE-2019-17498)\n- [GitHub Fix Commit](https://github.com/libssh2/libssh2/pull/402/commits/1c6fa92b77e34d089493fe6d3e2c6c8775858b94)\n- [Semmle Blogpost](https://blog.semmle.com/libssh2-integer-overflow-CVE-2019-17498/)\n- [Vulnerable code](https://github.com/libssh2/libssh2/blob/42d37aa63129a1b2644bf6495198923534322d64/src/packet.c%23L480)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-17498" | |
| ], | |
| "CWE": [ | |
| "CWE-190" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "critical", | |
| "cvssScore": 9.8, | |
| "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "Exploit", | |
| "url": "https://github.com/kevinbackhouse/SecurityExploits/tree/8cbdbbe6363510f7d9ceec685373da12e6fc752d/libssh2/out_of_bounds_read_disconnect_CVE-2019-17498" | |
| }, | |
| { | |
| "title": "GitHub Fix Commit", | |
| "url": "https://github.com/libssh2/libssh2/pull/402/commits/1c6fa92b77e34d089493fe6d3e2c6c8775858b94" | |
| }, | |
| { | |
| "title": "Vulnerable code", | |
| "url": "https://github.com/libssh2/libssh2/blob/42d37aa63129a1b2644bf6495198923534322d64/src/packet.c%23L480" | |
| }, | |
| { | |
| "title": "Semmle Blogpost", | |
| "url": "https://blog.semmle.com/libssh2-integer-overflow-CVE-2019-17498/" | |
| } | |
| ], | |
| "creationTime": "2019-10-28T10:30:17.707485Z", | |
| "modificationTime": "2019-10-31T16:09:08.567500Z", | |
| "publicationTime": "2019-10-21T23:06:19Z", | |
| "disclosureTime": "2019-10-21T23:06:19Z", | |
| "id": "SNYK-ALPINE39-LIBSSH2-474568", | |
| "nvdSeverity": "critical", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.9.0-r1" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "curl/libcurl@7.64.0-r1", | |
| "libssh2/libssh2@1.8.2-r0" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "libssh2/libssh2", | |
| "version": "1.8.2-r0", | |
| "nearestFixedInVersion": "1.9.0-r1" | |
| }, | |
| { | |
| "title": "Out-of-bounds Write", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "musl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nmusl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-14697)\n- [Gentoo Security Advisory](https://security.gentoo.org/glsa/202003-13)\n- [MISC](https://www.openwall.com/lists/musl/2019/08/06/1)\n- [OSS security Advisory](http://www.openwall.com/lists/oss-security/2019/08/06/4)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-14697" | |
| ], | |
| "CWE": [ | |
| "CWE-787" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "critical", | |
| "cvssScore": 9.8, | |
| "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-14697" | |
| }, | |
| { | |
| "title": "Gentoo Security Advisory", | |
| "url": "https://security.gentoo.org/glsa/202003-13" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.openwall.com/lists/musl/2019/08/06/1" | |
| }, | |
| { | |
| "title": "OSS security Advisory", | |
| "url": "http://www.openwall.com/lists/oss-security/2019/08/06/4" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:45.626504Z", | |
| "modificationTime": "2020-07-23T10:26:16.644717Z", | |
| "publicationTime": "2019-08-06T22:04:52.037600Z", | |
| "disclosureTime": "2019-08-06T16:15:00Z", | |
| "id": "SNYK-ALPINE39-MUSL-458529", | |
| "nvdSeverity": "critical", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.20-r5" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "musl/musl-utils@1.1.20-r4" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "musl/musl-utils", | |
| "version": "1.1.20-r4", | |
| "nearestFixedInVersion": "1.1.20-r5" | |
| }, | |
| { | |
| "title": "Out-of-bounds Write", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "musl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nmusl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-14697)\n- [Gentoo Security Advisory](https://security.gentoo.org/glsa/202003-13)\n- [MISC](https://www.openwall.com/lists/musl/2019/08/06/1)\n- [OSS security Advisory](http://www.openwall.com/lists/oss-security/2019/08/06/4)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-14697" | |
| ], | |
| "CWE": [ | |
| "CWE-787" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "critical", | |
| "cvssScore": 9.8, | |
| "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-14697" | |
| }, | |
| { | |
| "title": "Gentoo Security Advisory", | |
| "url": "https://security.gentoo.org/glsa/202003-13" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.openwall.com/lists/musl/2019/08/06/1" | |
| }, | |
| { | |
| "title": "OSS security Advisory", | |
| "url": "http://www.openwall.com/lists/oss-security/2019/08/06/4" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:45.626504Z", | |
| "modificationTime": "2020-07-23T10:26:16.644717Z", | |
| "publicationTime": "2019-08-06T22:04:52.037600Z", | |
| "disclosureTime": "2019-08-06T16:15:00Z", | |
| "id": "SNYK-ALPINE39-MUSL-458529", | |
| "nvdSeverity": "critical", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.20-r5" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "libc-dev/libc-utils@0.7.1-r0", | |
| "musl/musl-utils@1.1.20-r4" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "musl/musl-utils", | |
| "version": "1.1.20-r4", | |
| "nearestFixedInVersion": "1.1.20-r5" | |
| }, | |
| { | |
| "title": "Out-of-bounds Write", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "musl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nmusl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-14697)\n- [Gentoo Security Advisory](https://security.gentoo.org/glsa/202003-13)\n- [MISC](https://www.openwall.com/lists/musl/2019/08/06/1)\n- [OSS security Advisory](http://www.openwall.com/lists/oss-security/2019/08/06/4)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-14697" | |
| ], | |
| "CWE": [ | |
| "CWE-787" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "critical", | |
| "cvssScore": 9.8, | |
| "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-14697" | |
| }, | |
| { | |
| "title": "Gentoo Security Advisory", | |
| "url": "https://security.gentoo.org/glsa/202003-13" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.openwall.com/lists/musl/2019/08/06/1" | |
| }, | |
| { | |
| "title": "OSS security Advisory", | |
| "url": "http://www.openwall.com/lists/oss-security/2019/08/06/4" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:45.626504Z", | |
| "modificationTime": "2020-07-23T10:26:16.644717Z", | |
| "publicationTime": "2019-08-06T22:04:52.037600Z", | |
| "disclosureTime": "2019-08-06T16:15:00Z", | |
| "id": "SNYK-ALPINE39-MUSL-458529", | |
| "nvdSeverity": "critical", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.20-r5" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "meta-common-packages@meta", | |
| "musl/musl@1.1.20-r4" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "musl/musl", | |
| "version": "1.1.20-r4", | |
| "nearestFixedInVersion": "1.1.20-r5" | |
| }, | |
| { | |
| "title": "Resource Exhaustion", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "nghttp2", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nSome HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Sep/1)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Aug/40)\n- [CERT-VN](https://kb.cert.org/vuls/id/605641/)\n- [CONFIRM](https://kc.mcafee.com/corporate/index?page=content&id=SB10296)\n- [CONFIRM](https://support.f5.com/csp/article/K02591030)\n- [CONFIRM](https://www.synology.com/security/advisory/Synology_SA_19_33)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4511)\n- [Debian Security Advisory](https://www.debian.org/security/2019/dsa-4505)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-9511)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/)\n- [MISC](https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190823-0002/)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190823-0005/)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:2692)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:2745)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:2746)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:2775)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:2799)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9511)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4099-1/)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-9511" | |
| ], | |
| "CWE": [ | |
| "CWE-400" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 7.5, | |
| "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/1" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Aug/40" | |
| }, | |
| { | |
| "title": "CERT-VN", | |
| "url": "https://kb.cert.org/vuls/id/605641/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10296" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K02591030" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.synology.com/security/advisory/Synology_SA_19_33" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4511" | |
| }, | |
| { | |
| "title": "Debian Security Advisory", | |
| "url": "https://www.debian.org/security/2019/dsa-4505" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-9511" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190823-0002/" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190823-0005/" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:2692" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:2745" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:2746" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:2775" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:2799" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9511" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4099-1/" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:46.187246Z", | |
| "modificationTime": "2020-07-23T10:26:17.437136Z", | |
| "publicationTime": "2019-08-13T19:52:35.596559Z", | |
| "disclosureTime": "2019-08-13T21:15:00Z", | |
| "id": "SNYK-ALPINE39-NGHTTP2-505311", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.35.1-r1" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "nghttp2/nghttp2-libs@1.35.1-r0" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "nghttp2/nghttp2-libs", | |
| "version": "1.35.1-r0", | |
| "nearestFixedInVersion": "1.35.1-r1" | |
| }, | |
| { | |
| "title": "Resource Exhaustion", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "nghttp2", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nSome HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Sep/1)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Aug/40)\n- [CERT-VN](https://kb.cert.org/vuls/id/605641/)\n- [CONFIRM](https://kc.mcafee.com/corporate/index?page=content&id=SB10296)\n- [CONFIRM](https://support.f5.com/csp/article/K02591030)\n- [CONFIRM](https://www.synology.com/security/advisory/Synology_SA_19_33)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4511)\n- [Debian Security Advisory](https://www.debian.org/security/2019/dsa-4505)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-9513)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/)\n- [MISC](https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190823-0002/)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190823-0005/)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:2692)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:2745)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:2746)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:2775)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:2799)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9513)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4099-1/)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-9513" | |
| ], | |
| "CWE": [ | |
| "CWE-400" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 7.5, | |
| "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/1" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Aug/40" | |
| }, | |
| { | |
| "title": "CERT-VN", | |
| "url": "https://kb.cert.org/vuls/id/605641/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10296" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K02591030" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.synology.com/security/advisory/Synology_SA_19_33" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4511" | |
| }, | |
| { | |
| "title": "Debian Security Advisory", | |
| "url": "https://www.debian.org/security/2019/dsa-4505" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-9513" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190823-0002/" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190823-0005/" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:2692" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:2745" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:2746" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:2775" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:2799" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9513" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4099-1/" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:46.443245Z", | |
| "modificationTime": "2020-07-23T10:26:17.770678Z", | |
| "publicationTime": "2019-08-13T19:57:36.123699Z", | |
| "disclosureTime": "2019-08-13T21:15:00Z", | |
| "id": "SNYK-ALPINE39-NGHTTP2-505929", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.35.1-r1" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "nghttp2/nghttp2-libs@1.35.1-r0" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "nghttp2/nghttp2-libs", | |
| "version": "1.35.1-r0", | |
| "nearestFixedInVersion": "1.35.1-r1" | |
| }, | |
| { | |
| "title": "Improper Enforcement of Message or Data Structure", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "nghttp2", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to Improper Enforcement of Message or Data Structure. In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.\n## Remediation\nUpgrade `nghttp2` to version or higher.\n## References\n- [CONFIRM](https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr)\n- [DEBIAN](https://www.debian.org/security/2020/dsa-4696)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AAC2AA36OTRHKSVM5OV7TTVB3CZIGEFL/)\n- [MISC](https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090)\n- [MISC](https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02b46d870af394)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2020-11080" | |
| ], | |
| "CWE": [ | |
| "CWE-707" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 7.5, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2020/dsa-4696" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AAC2AA36OTRHKSVM5OV7TTVB3CZIGEFL/" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02b46d870af394" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:51:29.347405Z", | |
| "modificationTime": "2020-07-23T10:26:35.129437Z", | |
| "publicationTime": "2020-07-21T17:51:22.350995Z", | |
| "disclosureTime": "2020-06-03T23:15:00Z", | |
| "id": "SNYK-ALPINE39-NGHTTP2-588223", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.35.1-r2" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "nghttp2/nghttp2-libs@1.35.1-r0" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "nghttp2/nghttp2-libs", | |
| "version": "1.35.1-r0", | |
| "nearestFixedInVersion": "1.35.1-r2" | |
| }, | |
| { | |
| "title": "Resource Exhaustion", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "nghttp2", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nSome HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Sep/1)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Aug/40)\n- [CERT-VN](https://kb.cert.org/vuls/id/605641/)\n- [CONFIRM](https://kc.mcafee.com/corporate/index?page=content&id=SB10296)\n- [CONFIRM](https://support.f5.com/csp/article/K02591030)\n- [CONFIRM](https://www.synology.com/security/advisory/Synology_SA_19_33)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4511)\n- [Debian Security Advisory](https://www.debian.org/security/2019/dsa-4505)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-9511)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/)\n- [MISC](https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190823-0002/)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190823-0005/)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:2692)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:2745)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:2746)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:2775)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:2799)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9511)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4099-1/)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-9511" | |
| ], | |
| "CWE": [ | |
| "CWE-400" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 7.5, | |
| "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/1" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Aug/40" | |
| }, | |
| { | |
| "title": "CERT-VN", | |
| "url": "https://kb.cert.org/vuls/id/605641/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10296" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K02591030" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.synology.com/security/advisory/Synology_SA_19_33" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4511" | |
| }, | |
| { | |
| "title": "Debian Security Advisory", | |
| "url": "https://www.debian.org/security/2019/dsa-4505" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-9511" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190823-0002/" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190823-0005/" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:2692" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:2745" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:2746" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:2775" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:2799" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9511" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4099-1/" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:46.187246Z", | |
| "modificationTime": "2020-07-23T10:26:17.437136Z", | |
| "publicationTime": "2019-08-13T19:52:35.596559Z", | |
| "disclosureTime": "2019-08-13T21:15:00Z", | |
| "id": "SNYK-ALPINE39-NGHTTP2-505311", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.35.1-r1" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "curl/libcurl@7.64.0-r1", | |
| "nghttp2/nghttp2-libs@1.35.1-r0" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "nghttp2/nghttp2-libs", | |
| "version": "1.35.1-r0", | |
| "nearestFixedInVersion": "1.35.1-r1" | |
| }, | |
| { | |
| "title": "Resource Exhaustion", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "nghttp2", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nSome HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Sep/1)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Aug/40)\n- [CERT-VN](https://kb.cert.org/vuls/id/605641/)\n- [CONFIRM](https://kc.mcafee.com/corporate/index?page=content&id=SB10296)\n- [CONFIRM](https://support.f5.com/csp/article/K02591030)\n- [CONFIRM](https://www.synology.com/security/advisory/Synology_SA_19_33)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4511)\n- [Debian Security Advisory](https://www.debian.org/security/2019/dsa-4505)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-9513)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/)\n- [MISC](https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190823-0002/)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190823-0005/)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:2692)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:2745)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:2746)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:2775)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:2799)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9513)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4099-1/)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-9513" | |
| ], | |
| "CWE": [ | |
| "CWE-400" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 7.5, | |
| "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/1" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Aug/40" | |
| }, | |
| { | |
| "title": "CERT-VN", | |
| "url": "https://kb.cert.org/vuls/id/605641/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10296" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K02591030" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.synology.com/security/advisory/Synology_SA_19_33" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4511" | |
| }, | |
| { | |
| "title": "Debian Security Advisory", | |
| "url": "https://www.debian.org/security/2019/dsa-4505" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-9513" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POPAEC4FWL4UU4LDEGPY5NPALU24FFQD/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190823-0002/" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190823-0005/" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:2692" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:2745" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:2746" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:2775" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:2799" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9513" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4099-1/" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:46.443245Z", | |
| "modificationTime": "2020-07-23T10:26:17.770678Z", | |
| "publicationTime": "2019-08-13T19:57:36.123699Z", | |
| "disclosureTime": "2019-08-13T21:15:00Z", | |
| "id": "SNYK-ALPINE39-NGHTTP2-505929", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.35.1-r1" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "curl/libcurl@7.64.0-r1", | |
| "nghttp2/nghttp2-libs@1.35.1-r0" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "nghttp2/nghttp2-libs", | |
| "version": "1.35.1-r0", | |
| "nearestFixedInVersion": "1.35.1-r1" | |
| }, | |
| { | |
| "title": "Improper Enforcement of Message or Data Structure", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "nghttp2", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to Improper Enforcement of Message or Data Structure. In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.\n## Remediation\nUpgrade `nghttp2` to version or higher.\n## References\n- [CONFIRM](https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr)\n- [DEBIAN](https://www.debian.org/security/2020/dsa-4696)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AAC2AA36OTRHKSVM5OV7TTVB3CZIGEFL/)\n- [MISC](https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090)\n- [MISC](https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02b46d870af394)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2020-11080" | |
| ], | |
| "CWE": [ | |
| "CWE-707" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 7.5, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2020/dsa-4696" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AAC2AA36OTRHKSVM5OV7TTVB3CZIGEFL/" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02b46d870af394" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:51:29.347405Z", | |
| "modificationTime": "2020-07-23T10:26:35.129437Z", | |
| "publicationTime": "2020-07-21T17:51:22.350995Z", | |
| "disclosureTime": "2020-06-03T23:15:00Z", | |
| "id": "SNYK-ALPINE39-NGHTTP2-588223", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.35.1-r2" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "curl/libcurl@7.64.0-r1", | |
| "nghttp2/nghttp2-libs@1.35.1-r0" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "nghttp2/nghttp2-libs", | |
| "version": "1.35.1-r0", | |
| "nearestFixedInVersion": "1.35.1-r2" | |
| }, | |
| { | |
| "title": "Missing Encryption of Sensitive Data", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nNormally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/0)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Sep/25)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200122-0002/)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200416-0003/)\n- [CONFIRM](https://support.f5.com/csp/article/K73422160?utm_source=f5support&%3Butm_medium=RSS)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-08)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4540)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1547)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [GENTOO](https://security.gentoo.org/glsa/201911-04)\n- [MISC](http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://arxiv.org/abs/1909.01785)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4376-2/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1547)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1547" | |
| ], | |
| "CWE": [ | |
| "CWE-311" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 4.7, | |
| "CVSSv3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/0" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/25" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200122-0002/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200416-0003/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K73422160?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-08" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4540" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1547" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/201911-04" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://arxiv.org/abs/1909.01785" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-2/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1547" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:47.965628Z", | |
| "modificationTime": "2020-07-23T10:26:19.094839Z", | |
| "publicationTime": "2019-09-11T00:32:26.849763Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-491992", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Use of Insufficiently Random Values", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be)\n- [CONFIRM](https://support.f5.com/csp/article/K44070243)\n- [CONFIRM](https://support.f5.com/csp/article/K44070243?utm_source=f5support&%3Butm_medium=RSS)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1549)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1549)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1549" | |
| ], | |
| "CWE": [ | |
| "CWE-330" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 5.3, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K44070243" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K44070243?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1549" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1549" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:47.986964Z", | |
| "modificationTime": "2020-07-23T10:26:19.114238Z", | |
| "publicationTime": "2019-09-11T00:32:28.463177Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-501158", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Missing Encryption of Sensitive Data", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nIn situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/0)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Sep/25)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f)\n- [CONFIRM](https://support.f5.com/csp/article/K97324400?utm_source=f5support&%3Butm_medium=RSS)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4540)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1563)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [GENTOO](https://security.gentoo.org/glsa/201911-04)\n- [MISC](http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4376-2/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1563)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1563" | |
| ], | |
| "CWE": [ | |
| "CWE-311" | |
| ] | |
| }, | |
| "severity": "low", | |
| "severityWithCritical": "low", | |
| "cvssScore": 3.7, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/0" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/25" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K97324400?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4540" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1563" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/201911-04" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-2/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1563" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:48.032417Z", | |
| "modificationTime": "2020-07-23T10:26:19.146067Z", | |
| "publicationTime": "2019-09-11T00:32:28.961076Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-505098", | |
| "nvdSeverity": "low", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Information Exposure", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to Information Exposure. There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).\n## Remediation\nUpgrade `openssl` to version or higher.\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/39)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/46)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-03)\n- [Debian Security Advisory](https://www.debian.org/security/2019/dsa-4594)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1551)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/)\n- [GENTOO](https://security.gentoo.org/glsa/202004-10)\n- [MISC](http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20191210-0001/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20191206.txt)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1551" | |
| ], | |
| "CWE": [ | |
| "CWE-200" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 5.3, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/39" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/46" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=419102400a2811582a7a3d4a4e317d72e5ce0a8f" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f1c5eea8a817075d31e43f5876993c6710238c98" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-03" | |
| }, | |
| { | |
| "title": "Debian Security Advisory", | |
| "url": "https://www.debian.org/security/2019/dsa-4594" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1551" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202004-10" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20191210-0001/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20191206.txt" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:51:13.495221Z", | |
| "modificationTime": "2020-07-23T10:26:33.820106Z", | |
| "publicationTime": "2019-12-06T18:58:11.603400Z", | |
| "disclosureTime": "2019-12-06T18:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-588019", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r2" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r2" | |
| }, | |
| { | |
| "title": "NULL Pointer Dereference", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to NULL Pointer Dereference. Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \"signature_algorithms_cert\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).\n## Remediation\nUpgrade `openssl` to version or higher.\n## References\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb563247aef3e83dda7679c43f9649270462e5b1)\n- [CONFIRM](https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200424-0003/)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200717-0004/)\n- [CONFIRM](https://www.openssl.org/news/secadv/20200421.txt)\n- [CONFIRM](https://www.synology.com/security/advisory/Synology_SA_20_05)\n- [CONFIRM](https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-03)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-04)\n- [DEBIAN](https://www.debian.org/security/2020/dsa-4661)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/)\n- [FREEBSD](https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc)\n- [FULLDISC](http://seclists.org/fulldisclosure/2020/May/5)\n- [GENTOO](https://security.gentoo.org/glsa/202004-10)\n- [MISC](http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html)\n- [MISC](https://github.com/irsl/CVE-2020-1967)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MLIST](https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](http://www.openwall.com/lists/oss-security/2020/04/22/2)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2020-1967" | |
| ], | |
| "CWE": [ | |
| "CWE-476" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 7.5, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=eb563247aef3e83dda7679c43f9649270462e5b1" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200424-0003/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200717-0004/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.openssl.org/news/secadv/20200421.txt" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.synology.com/security/advisory/Synology_SA_20_05" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-03" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-04" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2020/dsa-4661" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/" | |
| }, | |
| { | |
| "title": "FREEBSD", | |
| "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc" | |
| }, | |
| { | |
| "title": "FULLDISC", | |
| "url": "http://seclists.org/fulldisclosure/2020/May/5" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202004-10" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://github.com/irsl/CVE-2020-1967" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "http://www.openwall.com/lists/oss-security/2020/04/22/2" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:51:14.051206Z", | |
| "modificationTime": "2020-07-23T10:26:33.882678Z", | |
| "publicationTime": "2020-07-21T17:51:06.891221Z", | |
| "disclosureTime": "2020-04-21T14:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-588029", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1g-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1g-r0" | |
| }, | |
| { | |
| "title": "Missing Encryption of Sensitive Data", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nNormally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/0)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Sep/25)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200122-0002/)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200416-0003/)\n- [CONFIRM](https://support.f5.com/csp/article/K73422160?utm_source=f5support&%3Butm_medium=RSS)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-08)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4540)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1547)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [GENTOO](https://security.gentoo.org/glsa/201911-04)\n- [MISC](http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://arxiv.org/abs/1909.01785)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4376-2/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1547)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1547" | |
| ], | |
| "CWE": [ | |
| "CWE-311" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 4.7, | |
| "CVSSv3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/0" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/25" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200122-0002/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200416-0003/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K73422160?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-08" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4540" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1547" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/201911-04" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://arxiv.org/abs/1909.01785" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-2/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1547" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:47.965628Z", | |
| "modificationTime": "2020-07-23T10:26:19.094839Z", | |
| "publicationTime": "2019-09-11T00:32:26.849763Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-491992", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "openssl/libssl1.1@1.1.1b-r1", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Use of Insufficiently Random Values", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be)\n- [CONFIRM](https://support.f5.com/csp/article/K44070243)\n- [CONFIRM](https://support.f5.com/csp/article/K44070243?utm_source=f5support&%3Butm_medium=RSS)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1549)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1549)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1549" | |
| ], | |
| "CWE": [ | |
| "CWE-330" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 5.3, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K44070243" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K44070243?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1549" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1549" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:47.986964Z", | |
| "modificationTime": "2020-07-23T10:26:19.114238Z", | |
| "publicationTime": "2019-09-11T00:32:28.463177Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-501158", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "openssl/libssl1.1@1.1.1b-r1", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Missing Encryption of Sensitive Data", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nIn situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/0)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Sep/25)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f)\n- [CONFIRM](https://support.f5.com/csp/article/K97324400?utm_source=f5support&%3Butm_medium=RSS)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4540)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1563)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [GENTOO](https://security.gentoo.org/glsa/201911-04)\n- [MISC](http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4376-2/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1563)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1563" | |
| ], | |
| "CWE": [ | |
| "CWE-311" | |
| ] | |
| }, | |
| "severity": "low", | |
| "severityWithCritical": "low", | |
| "cvssScore": 3.7, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/0" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/25" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K97324400?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4540" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1563" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/201911-04" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-2/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1563" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:48.032417Z", | |
| "modificationTime": "2020-07-23T10:26:19.146067Z", | |
| "publicationTime": "2019-09-11T00:32:28.961076Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-505098", | |
| "nvdSeverity": "low", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "openssl/libssl1.1@1.1.1b-r1", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Information Exposure", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to Information Exposure. There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).\n## Remediation\nUpgrade `openssl` to version or higher.\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/39)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/46)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-03)\n- [Debian Security Advisory](https://www.debian.org/security/2019/dsa-4594)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1551)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/)\n- [GENTOO](https://security.gentoo.org/glsa/202004-10)\n- [MISC](http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20191210-0001/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20191206.txt)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1551" | |
| ], | |
| "CWE": [ | |
| "CWE-200" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 5.3, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/39" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/46" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=419102400a2811582a7a3d4a4e317d72e5ce0a8f" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f1c5eea8a817075d31e43f5876993c6710238c98" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-03" | |
| }, | |
| { | |
| "title": "Debian Security Advisory", | |
| "url": "https://www.debian.org/security/2019/dsa-4594" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1551" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202004-10" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20191210-0001/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20191206.txt" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:51:13.495221Z", | |
| "modificationTime": "2020-07-23T10:26:33.820106Z", | |
| "publicationTime": "2019-12-06T18:58:11.603400Z", | |
| "disclosureTime": "2019-12-06T18:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-588019", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r2" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "openssl/libssl1.1@1.1.1b-r1", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r2" | |
| }, | |
| { | |
| "title": "NULL Pointer Dereference", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to NULL Pointer Dereference. Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \"signature_algorithms_cert\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).\n## Remediation\nUpgrade `openssl` to version or higher.\n## References\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb563247aef3e83dda7679c43f9649270462e5b1)\n- [CONFIRM](https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200424-0003/)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200717-0004/)\n- [CONFIRM](https://www.openssl.org/news/secadv/20200421.txt)\n- [CONFIRM](https://www.synology.com/security/advisory/Synology_SA_20_05)\n- [CONFIRM](https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-03)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-04)\n- [DEBIAN](https://www.debian.org/security/2020/dsa-4661)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/)\n- [FREEBSD](https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc)\n- [FULLDISC](http://seclists.org/fulldisclosure/2020/May/5)\n- [GENTOO](https://security.gentoo.org/glsa/202004-10)\n- [MISC](http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html)\n- [MISC](https://github.com/irsl/CVE-2020-1967)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MLIST](https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](http://www.openwall.com/lists/oss-security/2020/04/22/2)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2020-1967" | |
| ], | |
| "CWE": [ | |
| "CWE-476" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 7.5, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=eb563247aef3e83dda7679c43f9649270462e5b1" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200424-0003/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200717-0004/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.openssl.org/news/secadv/20200421.txt" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.synology.com/security/advisory/Synology_SA_20_05" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-03" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-04" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2020/dsa-4661" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/" | |
| }, | |
| { | |
| "title": "FREEBSD", | |
| "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc" | |
| }, | |
| { | |
| "title": "FULLDISC", | |
| "url": "http://seclists.org/fulldisclosure/2020/May/5" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202004-10" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://github.com/irsl/CVE-2020-1967" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "http://www.openwall.com/lists/oss-security/2020/04/22/2" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:51:14.051206Z", | |
| "modificationTime": "2020-07-23T10:26:33.882678Z", | |
| "publicationTime": "2020-07-21T17:51:06.891221Z", | |
| "disclosureTime": "2020-04-21T14:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-588029", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1g-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "openssl/libssl1.1@1.1.1b-r1", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1g-r0" | |
| }, | |
| { | |
| "title": "Missing Encryption of Sensitive Data", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nNormally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/0)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Sep/25)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200122-0002/)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200416-0003/)\n- [CONFIRM](https://support.f5.com/csp/article/K73422160?utm_source=f5support&%3Butm_medium=RSS)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-08)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4540)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1547)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [GENTOO](https://security.gentoo.org/glsa/201911-04)\n- [MISC](http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://arxiv.org/abs/1909.01785)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4376-2/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1547)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1547" | |
| ], | |
| "CWE": [ | |
| "CWE-311" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 4.7, | |
| "CVSSv3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/0" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/25" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200122-0002/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200416-0003/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K73422160?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-08" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4540" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1547" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/201911-04" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://arxiv.org/abs/1909.01785" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-2/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1547" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:47.965628Z", | |
| "modificationTime": "2020-07-23T10:26:19.094839Z", | |
| "publicationTime": "2019-09-11T00:32:26.849763Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-491992", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "apk-tools/apk-tools@2.10.3-r1", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Use of Insufficiently Random Values", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be)\n- [CONFIRM](https://support.f5.com/csp/article/K44070243)\n- [CONFIRM](https://support.f5.com/csp/article/K44070243?utm_source=f5support&%3Butm_medium=RSS)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1549)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1549)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1549" | |
| ], | |
| "CWE": [ | |
| "CWE-330" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 5.3, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K44070243" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K44070243?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1549" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1549" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:47.986964Z", | |
| "modificationTime": "2020-07-23T10:26:19.114238Z", | |
| "publicationTime": "2019-09-11T00:32:28.463177Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-501158", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "apk-tools/apk-tools@2.10.3-r1", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Missing Encryption of Sensitive Data", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nIn situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/0)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Sep/25)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f)\n- [CONFIRM](https://support.f5.com/csp/article/K97324400?utm_source=f5support&%3Butm_medium=RSS)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4540)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1563)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [GENTOO](https://security.gentoo.org/glsa/201911-04)\n- [MISC](http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4376-2/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1563)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1563" | |
| ], | |
| "CWE": [ | |
| "CWE-311" | |
| ] | |
| }, | |
| "severity": "low", | |
| "severityWithCritical": "low", | |
| "cvssScore": 3.7, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/0" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/25" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K97324400?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4540" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1563" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/201911-04" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-2/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1563" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:48.032417Z", | |
| "modificationTime": "2020-07-23T10:26:19.146067Z", | |
| "publicationTime": "2019-09-11T00:32:28.961076Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-505098", | |
| "nvdSeverity": "low", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "apk-tools/apk-tools@2.10.3-r1", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Information Exposure", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to Information Exposure. There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).\n## Remediation\nUpgrade `openssl` to version or higher.\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/39)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/46)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-03)\n- [Debian Security Advisory](https://www.debian.org/security/2019/dsa-4594)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1551)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/)\n- [GENTOO](https://security.gentoo.org/glsa/202004-10)\n- [MISC](http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20191210-0001/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20191206.txt)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1551" | |
| ], | |
| "CWE": [ | |
| "CWE-200" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 5.3, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/39" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/46" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=419102400a2811582a7a3d4a4e317d72e5ce0a8f" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f1c5eea8a817075d31e43f5876993c6710238c98" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-03" | |
| }, | |
| { | |
| "title": "Debian Security Advisory", | |
| "url": "https://www.debian.org/security/2019/dsa-4594" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1551" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202004-10" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20191210-0001/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20191206.txt" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:51:13.495221Z", | |
| "modificationTime": "2020-07-23T10:26:33.820106Z", | |
| "publicationTime": "2019-12-06T18:58:11.603400Z", | |
| "disclosureTime": "2019-12-06T18:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-588019", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r2" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "apk-tools/apk-tools@2.10.3-r1", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r2" | |
| }, | |
| { | |
| "title": "NULL Pointer Dereference", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to NULL Pointer Dereference. Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \"signature_algorithms_cert\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).\n## Remediation\nUpgrade `openssl` to version or higher.\n## References\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb563247aef3e83dda7679c43f9649270462e5b1)\n- [CONFIRM](https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200424-0003/)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200717-0004/)\n- [CONFIRM](https://www.openssl.org/news/secadv/20200421.txt)\n- [CONFIRM](https://www.synology.com/security/advisory/Synology_SA_20_05)\n- [CONFIRM](https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-03)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-04)\n- [DEBIAN](https://www.debian.org/security/2020/dsa-4661)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/)\n- [FREEBSD](https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc)\n- [FULLDISC](http://seclists.org/fulldisclosure/2020/May/5)\n- [GENTOO](https://security.gentoo.org/glsa/202004-10)\n- [MISC](http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html)\n- [MISC](https://github.com/irsl/CVE-2020-1967)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MLIST](https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](http://www.openwall.com/lists/oss-security/2020/04/22/2)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2020-1967" | |
| ], | |
| "CWE": [ | |
| "CWE-476" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 7.5, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=eb563247aef3e83dda7679c43f9649270462e5b1" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200424-0003/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200717-0004/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.openssl.org/news/secadv/20200421.txt" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.synology.com/security/advisory/Synology_SA_20_05" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-03" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-04" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2020/dsa-4661" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/" | |
| }, | |
| { | |
| "title": "FREEBSD", | |
| "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc" | |
| }, | |
| { | |
| "title": "FULLDISC", | |
| "url": "http://seclists.org/fulldisclosure/2020/May/5" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202004-10" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://github.com/irsl/CVE-2020-1967" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "http://www.openwall.com/lists/oss-security/2020/04/22/2" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:51:14.051206Z", | |
| "modificationTime": "2020-07-23T10:26:33.882678Z", | |
| "publicationTime": "2020-07-21T17:51:06.891221Z", | |
| "disclosureTime": "2020-04-21T14:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-588029", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1g-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "apk-tools/apk-tools@2.10.3-r1", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1g-r0" | |
| }, | |
| { | |
| "title": "Missing Encryption of Sensitive Data", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nNormally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/0)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Sep/25)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200122-0002/)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200416-0003/)\n- [CONFIRM](https://support.f5.com/csp/article/K73422160?utm_source=f5support&%3Butm_medium=RSS)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-08)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4540)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1547)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [GENTOO](https://security.gentoo.org/glsa/201911-04)\n- [MISC](http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://arxiv.org/abs/1909.01785)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4376-2/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1547)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1547" | |
| ], | |
| "CWE": [ | |
| "CWE-311" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 4.7, | |
| "CVSSv3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/0" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/25" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200122-0002/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200416-0003/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K73422160?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-08" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4540" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1547" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/201911-04" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://arxiv.org/abs/1909.01785" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-2/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1547" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:47.965628Z", | |
| "modificationTime": "2020-07-23T10:26:19.094839Z", | |
| "publicationTime": "2019-09-11T00:32:26.849763Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-491992", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "libtls-standalone/libtls-standalone@2.7.4-r6", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Use of Insufficiently Random Values", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be)\n- [CONFIRM](https://support.f5.com/csp/article/K44070243)\n- [CONFIRM](https://support.f5.com/csp/article/K44070243?utm_source=f5support&%3Butm_medium=RSS)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1549)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1549)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1549" | |
| ], | |
| "CWE": [ | |
| "CWE-330" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 5.3, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K44070243" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K44070243?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1549" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1549" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:47.986964Z", | |
| "modificationTime": "2020-07-23T10:26:19.114238Z", | |
| "publicationTime": "2019-09-11T00:32:28.463177Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-501158", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "libtls-standalone/libtls-standalone@2.7.4-r6", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Missing Encryption of Sensitive Data", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nIn situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/0)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Sep/25)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f)\n- [CONFIRM](https://support.f5.com/csp/article/K97324400?utm_source=f5support&%3Butm_medium=RSS)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4540)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1563)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [GENTOO](https://security.gentoo.org/glsa/201911-04)\n- [MISC](http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4376-2/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1563)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1563" | |
| ], | |
| "CWE": [ | |
| "CWE-311" | |
| ] | |
| }, | |
| "severity": "low", | |
| "severityWithCritical": "low", | |
| "cvssScore": 3.7, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/0" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/25" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K97324400?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4540" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1563" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/201911-04" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-2/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1563" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:48.032417Z", | |
| "modificationTime": "2020-07-23T10:26:19.146067Z", | |
| "publicationTime": "2019-09-11T00:32:28.961076Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-505098", | |
| "nvdSeverity": "low", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "libtls-standalone/libtls-standalone@2.7.4-r6", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Information Exposure", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to Information Exposure. There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).\n## Remediation\nUpgrade `openssl` to version or higher.\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/39)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/46)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-03)\n- [Debian Security Advisory](https://www.debian.org/security/2019/dsa-4594)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1551)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/)\n- [GENTOO](https://security.gentoo.org/glsa/202004-10)\n- [MISC](http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20191210-0001/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20191206.txt)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1551" | |
| ], | |
| "CWE": [ | |
| "CWE-200" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 5.3, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/39" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/46" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=419102400a2811582a7a3d4a4e317d72e5ce0a8f" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f1c5eea8a817075d31e43f5876993c6710238c98" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-03" | |
| }, | |
| { | |
| "title": "Debian Security Advisory", | |
| "url": "https://www.debian.org/security/2019/dsa-4594" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1551" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202004-10" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20191210-0001/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20191206.txt" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:51:13.495221Z", | |
| "modificationTime": "2020-07-23T10:26:33.820106Z", | |
| "publicationTime": "2019-12-06T18:58:11.603400Z", | |
| "disclosureTime": "2019-12-06T18:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-588019", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r2" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "libtls-standalone/libtls-standalone@2.7.4-r6", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r2" | |
| }, | |
| { | |
| "title": "NULL Pointer Dereference", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to NULL Pointer Dereference. Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \"signature_algorithms_cert\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).\n## Remediation\nUpgrade `openssl` to version or higher.\n## References\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb563247aef3e83dda7679c43f9649270462e5b1)\n- [CONFIRM](https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200424-0003/)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200717-0004/)\n- [CONFIRM](https://www.openssl.org/news/secadv/20200421.txt)\n- [CONFIRM](https://www.synology.com/security/advisory/Synology_SA_20_05)\n- [CONFIRM](https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-03)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-04)\n- [DEBIAN](https://www.debian.org/security/2020/dsa-4661)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/)\n- [FREEBSD](https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc)\n- [FULLDISC](http://seclists.org/fulldisclosure/2020/May/5)\n- [GENTOO](https://security.gentoo.org/glsa/202004-10)\n- [MISC](http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html)\n- [MISC](https://github.com/irsl/CVE-2020-1967)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MLIST](https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](http://www.openwall.com/lists/oss-security/2020/04/22/2)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2020-1967" | |
| ], | |
| "CWE": [ | |
| "CWE-476" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 7.5, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=eb563247aef3e83dda7679c43f9649270462e5b1" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200424-0003/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200717-0004/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.openssl.org/news/secadv/20200421.txt" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.synology.com/security/advisory/Synology_SA_20_05" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-03" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-04" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2020/dsa-4661" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/" | |
| }, | |
| { | |
| "title": "FREEBSD", | |
| "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc" | |
| }, | |
| { | |
| "title": "FULLDISC", | |
| "url": "http://seclists.org/fulldisclosure/2020/May/5" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202004-10" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://github.com/irsl/CVE-2020-1967" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "http://www.openwall.com/lists/oss-security/2020/04/22/2" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:51:14.051206Z", | |
| "modificationTime": "2020-07-23T10:26:33.882678Z", | |
| "publicationTime": "2020-07-21T17:51:06.891221Z", | |
| "disclosureTime": "2020-04-21T14:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-588029", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1g-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "libtls-standalone/libtls-standalone@2.7.4-r6", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1g-r0" | |
| }, | |
| { | |
| "title": "Missing Encryption of Sensitive Data", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nNormally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/0)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Sep/25)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200122-0002/)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200416-0003/)\n- [CONFIRM](https://support.f5.com/csp/article/K73422160?utm_source=f5support&%3Butm_medium=RSS)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-08)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4540)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1547)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [GENTOO](https://security.gentoo.org/glsa/201911-04)\n- [MISC](http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://arxiv.org/abs/1909.01785)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4376-2/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1547)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1547" | |
| ], | |
| "CWE": [ | |
| "CWE-311" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 4.7, | |
| "CVSSv3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/0" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/25" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200122-0002/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200416-0003/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K73422160?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-08" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4540" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1547" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/201911-04" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://arxiv.org/abs/1909.01785" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-2/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1547" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:47.965628Z", | |
| "modificationTime": "2020-07-23T10:26:19.094839Z", | |
| "publicationTime": "2019-09-11T00:32:26.849763Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-491992", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "ca-certificates/ca-certificates@20190108-r0", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Use of Insufficiently Random Values", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be)\n- [CONFIRM](https://support.f5.com/csp/article/K44070243)\n- [CONFIRM](https://support.f5.com/csp/article/K44070243?utm_source=f5support&%3Butm_medium=RSS)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1549)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1549)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1549" | |
| ], | |
| "CWE": [ | |
| "CWE-330" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 5.3, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K44070243" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K44070243?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1549" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1549" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:47.986964Z", | |
| "modificationTime": "2020-07-23T10:26:19.114238Z", | |
| "publicationTime": "2019-09-11T00:32:28.463177Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-501158", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "ca-certificates/ca-certificates@20190108-r0", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Missing Encryption of Sensitive Data", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nIn situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/0)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Sep/25)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f)\n- [CONFIRM](https://support.f5.com/csp/article/K97324400?utm_source=f5support&%3Butm_medium=RSS)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4540)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1563)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [GENTOO](https://security.gentoo.org/glsa/201911-04)\n- [MISC](http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4376-2/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1563)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1563" | |
| ], | |
| "CWE": [ | |
| "CWE-311" | |
| ] | |
| }, | |
| "severity": "low", | |
| "severityWithCritical": "low", | |
| "cvssScore": 3.7, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/0" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/25" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K97324400?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4540" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1563" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/201911-04" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-2/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1563" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:48.032417Z", | |
| "modificationTime": "2020-07-23T10:26:19.146067Z", | |
| "publicationTime": "2019-09-11T00:32:28.961076Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-505098", | |
| "nvdSeverity": "low", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "ca-certificates/ca-certificates@20190108-r0", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Information Exposure", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to Information Exposure. There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).\n## Remediation\nUpgrade `openssl` to version or higher.\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/39)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/46)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-03)\n- [Debian Security Advisory](https://www.debian.org/security/2019/dsa-4594)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1551)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/)\n- [GENTOO](https://security.gentoo.org/glsa/202004-10)\n- [MISC](http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20191210-0001/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20191206.txt)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1551" | |
| ], | |
| "CWE": [ | |
| "CWE-200" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 5.3, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/39" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/46" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=419102400a2811582a7a3d4a4e317d72e5ce0a8f" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f1c5eea8a817075d31e43f5876993c6710238c98" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-03" | |
| }, | |
| { | |
| "title": "Debian Security Advisory", | |
| "url": "https://www.debian.org/security/2019/dsa-4594" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1551" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202004-10" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20191210-0001/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20191206.txt" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:51:13.495221Z", | |
| "modificationTime": "2020-07-23T10:26:33.820106Z", | |
| "publicationTime": "2019-12-06T18:58:11.603400Z", | |
| "disclosureTime": "2019-12-06T18:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-588019", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r2" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "ca-certificates/ca-certificates@20190108-r0", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r2" | |
| }, | |
| { | |
| "title": "NULL Pointer Dereference", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to NULL Pointer Dereference. Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \"signature_algorithms_cert\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).\n## Remediation\nUpgrade `openssl` to version or higher.\n## References\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb563247aef3e83dda7679c43f9649270462e5b1)\n- [CONFIRM](https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200424-0003/)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200717-0004/)\n- [CONFIRM](https://www.openssl.org/news/secadv/20200421.txt)\n- [CONFIRM](https://www.synology.com/security/advisory/Synology_SA_20_05)\n- [CONFIRM](https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-03)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-04)\n- [DEBIAN](https://www.debian.org/security/2020/dsa-4661)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/)\n- [FREEBSD](https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc)\n- [FULLDISC](http://seclists.org/fulldisclosure/2020/May/5)\n- [GENTOO](https://security.gentoo.org/glsa/202004-10)\n- [MISC](http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html)\n- [MISC](https://github.com/irsl/CVE-2020-1967)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MLIST](https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](http://www.openwall.com/lists/oss-security/2020/04/22/2)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2020-1967" | |
| ], | |
| "CWE": [ | |
| "CWE-476" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 7.5, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=eb563247aef3e83dda7679c43f9649270462e5b1" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200424-0003/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200717-0004/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.openssl.org/news/secadv/20200421.txt" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.synology.com/security/advisory/Synology_SA_20_05" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-03" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-04" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2020/dsa-4661" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/" | |
| }, | |
| { | |
| "title": "FREEBSD", | |
| "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc" | |
| }, | |
| { | |
| "title": "FULLDISC", | |
| "url": "http://seclists.org/fulldisclosure/2020/May/5" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202004-10" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://github.com/irsl/CVE-2020-1967" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "http://www.openwall.com/lists/oss-security/2020/04/22/2" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:51:14.051206Z", | |
| "modificationTime": "2020-07-23T10:26:33.882678Z", | |
| "publicationTime": "2020-07-21T17:51:06.891221Z", | |
| "disclosureTime": "2020-04-21T14:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-588029", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1g-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "ca-certificates/ca-certificates@20190108-r0", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1g-r0" | |
| }, | |
| { | |
| "title": "Missing Encryption of Sensitive Data", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nNormally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/0)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Sep/25)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200122-0002/)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200416-0003/)\n- [CONFIRM](https://support.f5.com/csp/article/K73422160?utm_source=f5support&%3Butm_medium=RSS)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-08)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4540)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1547)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [GENTOO](https://security.gentoo.org/glsa/201911-04)\n- [MISC](http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://arxiv.org/abs/1909.01785)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4376-2/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1547)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1547" | |
| ], | |
| "CWE": [ | |
| "CWE-311" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 4.7, | |
| "CVSSv3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/0" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/25" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200122-0002/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200416-0003/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K73422160?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-08" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4540" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1547" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/201911-04" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://arxiv.org/abs/1909.01785" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-2/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1547" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:47.965628Z", | |
| "modificationTime": "2020-07-23T10:26:19.094839Z", | |
| "publicationTime": "2019-09-11T00:32:26.849763Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-491992", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "libssh2/libssh2@1.8.2-r0", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Use of Insufficiently Random Values", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be)\n- [CONFIRM](https://support.f5.com/csp/article/K44070243)\n- [CONFIRM](https://support.f5.com/csp/article/K44070243?utm_source=f5support&%3Butm_medium=RSS)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1549)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1549)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1549" | |
| ], | |
| "CWE": [ | |
| "CWE-330" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 5.3, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K44070243" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K44070243?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1549" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1549" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:47.986964Z", | |
| "modificationTime": "2020-07-23T10:26:19.114238Z", | |
| "publicationTime": "2019-09-11T00:32:28.463177Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-501158", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "libssh2/libssh2@1.8.2-r0", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Missing Encryption of Sensitive Data", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nIn situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/0)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Sep/25)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f)\n- [CONFIRM](https://support.f5.com/csp/article/K97324400?utm_source=f5support&%3Butm_medium=RSS)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4540)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1563)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [GENTOO](https://security.gentoo.org/glsa/201911-04)\n- [MISC](http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4376-2/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1563)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1563" | |
| ], | |
| "CWE": [ | |
| "CWE-311" | |
| ] | |
| }, | |
| "severity": "low", | |
| "severityWithCritical": "low", | |
| "cvssScore": 3.7, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/0" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/25" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K97324400?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4540" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1563" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/201911-04" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-2/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1563" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:48.032417Z", | |
| "modificationTime": "2020-07-23T10:26:19.146067Z", | |
| "publicationTime": "2019-09-11T00:32:28.961076Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-505098", | |
| "nvdSeverity": "low", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "libssh2/libssh2@1.8.2-r0", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Information Exposure", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to Information Exposure. There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).\n## Remediation\nUpgrade `openssl` to version or higher.\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/39)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/46)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-03)\n- [Debian Security Advisory](https://www.debian.org/security/2019/dsa-4594)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1551)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/)\n- [GENTOO](https://security.gentoo.org/glsa/202004-10)\n- [MISC](http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20191210-0001/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20191206.txt)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1551" | |
| ], | |
| "CWE": [ | |
| "CWE-200" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 5.3, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/39" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/46" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=419102400a2811582a7a3d4a4e317d72e5ce0a8f" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f1c5eea8a817075d31e43f5876993c6710238c98" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-03" | |
| }, | |
| { | |
| "title": "Debian Security Advisory", | |
| "url": "https://www.debian.org/security/2019/dsa-4594" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1551" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202004-10" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20191210-0001/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20191206.txt" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:51:13.495221Z", | |
| "modificationTime": "2020-07-23T10:26:33.820106Z", | |
| "publicationTime": "2019-12-06T18:58:11.603400Z", | |
| "disclosureTime": "2019-12-06T18:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-588019", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r2" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "libssh2/libssh2@1.8.2-r0", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r2" | |
| }, | |
| { | |
| "title": "NULL Pointer Dereference", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to NULL Pointer Dereference. Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \"signature_algorithms_cert\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).\n## Remediation\nUpgrade `openssl` to version or higher.\n## References\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb563247aef3e83dda7679c43f9649270462e5b1)\n- [CONFIRM](https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200424-0003/)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200717-0004/)\n- [CONFIRM](https://www.openssl.org/news/secadv/20200421.txt)\n- [CONFIRM](https://www.synology.com/security/advisory/Synology_SA_20_05)\n- [CONFIRM](https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-03)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-04)\n- [DEBIAN](https://www.debian.org/security/2020/dsa-4661)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/)\n- [FREEBSD](https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc)\n- [FULLDISC](http://seclists.org/fulldisclosure/2020/May/5)\n- [GENTOO](https://security.gentoo.org/glsa/202004-10)\n- [MISC](http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html)\n- [MISC](https://github.com/irsl/CVE-2020-1967)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MLIST](https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](http://www.openwall.com/lists/oss-security/2020/04/22/2)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2020-1967" | |
| ], | |
| "CWE": [ | |
| "CWE-476" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 7.5, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=eb563247aef3e83dda7679c43f9649270462e5b1" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200424-0003/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200717-0004/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.openssl.org/news/secadv/20200421.txt" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.synology.com/security/advisory/Synology_SA_20_05" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-03" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-04" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2020/dsa-4661" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/" | |
| }, | |
| { | |
| "title": "FREEBSD", | |
| "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc" | |
| }, | |
| { | |
| "title": "FULLDISC", | |
| "url": "http://seclists.org/fulldisclosure/2020/May/5" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202004-10" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://github.com/irsl/CVE-2020-1967" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "http://www.openwall.com/lists/oss-security/2020/04/22/2" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:51:14.051206Z", | |
| "modificationTime": "2020-07-23T10:26:33.882678Z", | |
| "publicationTime": "2020-07-21T17:51:06.891221Z", | |
| "disclosureTime": "2020-04-21T14:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-588029", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1g-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "libssh2/libssh2@1.8.2-r0", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1g-r0" | |
| }, | |
| { | |
| "title": "Missing Encryption of Sensitive Data", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nNormally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/0)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Sep/25)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200122-0002/)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200416-0003/)\n- [CONFIRM](https://support.f5.com/csp/article/K73422160?utm_source=f5support&%3Butm_medium=RSS)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-08)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4540)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1547)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [GENTOO](https://security.gentoo.org/glsa/201911-04)\n- [MISC](http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://arxiv.org/abs/1909.01785)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4376-2/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1547)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1547" | |
| ], | |
| "CWE": [ | |
| "CWE-311" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 4.7, | |
| "CVSSv3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/0" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/25" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200122-0002/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200416-0003/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K73422160?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-08" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4540" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1547" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/201911-04" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://arxiv.org/abs/1909.01785" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-2/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1547" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:47.965628Z", | |
| "modificationTime": "2020-07-23T10:26:19.094839Z", | |
| "publicationTime": "2019-09-11T00:32:26.849763Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-491992", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "curl/libcurl@7.64.0-r1", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Use of Insufficiently Random Values", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be)\n- [CONFIRM](https://support.f5.com/csp/article/K44070243)\n- [CONFIRM](https://support.f5.com/csp/article/K44070243?utm_source=f5support&%3Butm_medium=RSS)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1549)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1549)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1549" | |
| ], | |
| "CWE": [ | |
| "CWE-330" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 5.3, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K44070243" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K44070243?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1549" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1549" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:47.986964Z", | |
| "modificationTime": "2020-07-23T10:26:19.114238Z", | |
| "publicationTime": "2019-09-11T00:32:28.463177Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-501158", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "curl/libcurl@7.64.0-r1", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Missing Encryption of Sensitive Data", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nIn situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/0)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Sep/25)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f)\n- [CONFIRM](https://support.f5.com/csp/article/K97324400?utm_source=f5support&%3Butm_medium=RSS)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4540)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1563)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [GENTOO](https://security.gentoo.org/glsa/201911-04)\n- [MISC](http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4376-2/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1563)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1563" | |
| ], | |
| "CWE": [ | |
| "CWE-311" | |
| ] | |
| }, | |
| "severity": "low", | |
| "severityWithCritical": "low", | |
| "cvssScore": 3.7, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/0" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/25" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K97324400?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4540" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1563" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/201911-04" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-2/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1563" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:48.032417Z", | |
| "modificationTime": "2020-07-23T10:26:19.146067Z", | |
| "publicationTime": "2019-09-11T00:32:28.961076Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-505098", | |
| "nvdSeverity": "low", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "curl/libcurl@7.64.0-r1", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Information Exposure", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to Information Exposure. There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).\n## Remediation\nUpgrade `openssl` to version or higher.\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/39)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/46)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-03)\n- [Debian Security Advisory](https://www.debian.org/security/2019/dsa-4594)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1551)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/)\n- [GENTOO](https://security.gentoo.org/glsa/202004-10)\n- [MISC](http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20191210-0001/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20191206.txt)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1551" | |
| ], | |
| "CWE": [ | |
| "CWE-200" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 5.3, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/39" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/46" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=419102400a2811582a7a3d4a4e317d72e5ce0a8f" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f1c5eea8a817075d31e43f5876993c6710238c98" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-03" | |
| }, | |
| { | |
| "title": "Debian Security Advisory", | |
| "url": "https://www.debian.org/security/2019/dsa-4594" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1551" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202004-10" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20191210-0001/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20191206.txt" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:51:13.495221Z", | |
| "modificationTime": "2020-07-23T10:26:33.820106Z", | |
| "publicationTime": "2019-12-06T18:58:11.603400Z", | |
| "disclosureTime": "2019-12-06T18:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-588019", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r2" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "curl/libcurl@7.64.0-r1", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r2" | |
| }, | |
| { | |
| "title": "NULL Pointer Dereference", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to NULL Pointer Dereference. Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \"signature_algorithms_cert\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).\n## Remediation\nUpgrade `openssl` to version or higher.\n## References\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb563247aef3e83dda7679c43f9649270462e5b1)\n- [CONFIRM](https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200424-0003/)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200717-0004/)\n- [CONFIRM](https://www.openssl.org/news/secadv/20200421.txt)\n- [CONFIRM](https://www.synology.com/security/advisory/Synology_SA_20_05)\n- [CONFIRM](https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-03)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-04)\n- [DEBIAN](https://www.debian.org/security/2020/dsa-4661)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/)\n- [FREEBSD](https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc)\n- [FULLDISC](http://seclists.org/fulldisclosure/2020/May/5)\n- [GENTOO](https://security.gentoo.org/glsa/202004-10)\n- [MISC](http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html)\n- [MISC](https://github.com/irsl/CVE-2020-1967)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MLIST](https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](http://www.openwall.com/lists/oss-security/2020/04/22/2)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2020-1967" | |
| ], | |
| "CWE": [ | |
| "CWE-476" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 7.5, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=eb563247aef3e83dda7679c43f9649270462e5b1" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200424-0003/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200717-0004/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.openssl.org/news/secadv/20200421.txt" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.synology.com/security/advisory/Synology_SA_20_05" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-03" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-04" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2020/dsa-4661" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/" | |
| }, | |
| { | |
| "title": "FREEBSD", | |
| "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc" | |
| }, | |
| { | |
| "title": "FULLDISC", | |
| "url": "http://seclists.org/fulldisclosure/2020/May/5" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202004-10" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://github.com/irsl/CVE-2020-1967" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "http://www.openwall.com/lists/oss-security/2020/04/22/2" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:51:14.051206Z", | |
| "modificationTime": "2020-07-23T10:26:33.882678Z", | |
| "publicationTime": "2020-07-21T17:51:06.891221Z", | |
| "disclosureTime": "2020-04-21T14:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-588029", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1g-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "curl/libcurl@7.64.0-r1", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1g-r0" | |
| }, | |
| { | |
| "title": "Missing Encryption of Sensitive Data", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nNormally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/0)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Sep/25)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200122-0002/)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200416-0003/)\n- [CONFIRM](https://support.f5.com/csp/article/K73422160?utm_source=f5support&%3Butm_medium=RSS)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-08)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4540)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1547)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [GENTOO](https://security.gentoo.org/glsa/201911-04)\n- [MISC](http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://arxiv.org/abs/1909.01785)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4376-2/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1547)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1547" | |
| ], | |
| "CWE": [ | |
| "CWE-311" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 4.7, | |
| "CVSSv3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/0" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/25" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200122-0002/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200416-0003/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K73422160?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-08" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4540" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1547" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/201911-04" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://arxiv.org/abs/1909.01785" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-2/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1547" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:47.965628Z", | |
| "modificationTime": "2020-07-23T10:26:19.094839Z", | |
| "publicationTime": "2019-09-11T00:32:26.849763Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-491992", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "krb5-conf/krb5-conf@1.0-r1", | |
| "krb5/krb5-libs@1.15.5-r0", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Use of Insufficiently Random Values", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be)\n- [CONFIRM](https://support.f5.com/csp/article/K44070243)\n- [CONFIRM](https://support.f5.com/csp/article/K44070243?utm_source=f5support&%3Butm_medium=RSS)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1549)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1549)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1549" | |
| ], | |
| "CWE": [ | |
| "CWE-330" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 5.3, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K44070243" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K44070243?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1549" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1549" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:47.986964Z", | |
| "modificationTime": "2020-07-23T10:26:19.114238Z", | |
| "publicationTime": "2019-09-11T00:32:28.463177Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-501158", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "krb5-conf/krb5-conf@1.0-r1", | |
| "krb5/krb5-libs@1.15.5-r0", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Missing Encryption of Sensitive Data", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nIn situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/0)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Sep/25)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f)\n- [CONFIRM](https://support.f5.com/csp/article/K97324400?utm_source=f5support&%3Butm_medium=RSS)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4540)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1563)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [GENTOO](https://security.gentoo.org/glsa/201911-04)\n- [MISC](http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4376-2/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1563)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1563" | |
| ], | |
| "CWE": [ | |
| "CWE-311" | |
| ] | |
| }, | |
| "severity": "low", | |
| "severityWithCritical": "low", | |
| "cvssScore": 3.7, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/0" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/25" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K97324400?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4540" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1563" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/201911-04" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-2/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1563" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:48.032417Z", | |
| "modificationTime": "2020-07-23T10:26:19.146067Z", | |
| "publicationTime": "2019-09-11T00:32:28.961076Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-505098", | |
| "nvdSeverity": "low", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "krb5-conf/krb5-conf@1.0-r1", | |
| "krb5/krb5-libs@1.15.5-r0", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Information Exposure", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to Information Exposure. There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).\n## Remediation\nUpgrade `openssl` to version or higher.\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/39)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/46)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-03)\n- [Debian Security Advisory](https://www.debian.org/security/2019/dsa-4594)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1551)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/)\n- [GENTOO](https://security.gentoo.org/glsa/202004-10)\n- [MISC](http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20191210-0001/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20191206.txt)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1551" | |
| ], | |
| "CWE": [ | |
| "CWE-200" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 5.3, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/39" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/46" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=419102400a2811582a7a3d4a4e317d72e5ce0a8f" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f1c5eea8a817075d31e43f5876993c6710238c98" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-03" | |
| }, | |
| { | |
| "title": "Debian Security Advisory", | |
| "url": "https://www.debian.org/security/2019/dsa-4594" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1551" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202004-10" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20191210-0001/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20191206.txt" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:51:13.495221Z", | |
| "modificationTime": "2020-07-23T10:26:33.820106Z", | |
| "publicationTime": "2019-12-06T18:58:11.603400Z", | |
| "disclosureTime": "2019-12-06T18:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-588019", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r2" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "krb5-conf/krb5-conf@1.0-r1", | |
| "krb5/krb5-libs@1.15.5-r0", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r2" | |
| }, | |
| { | |
| "title": "NULL Pointer Dereference", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to NULL Pointer Dereference. Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \"signature_algorithms_cert\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).\n## Remediation\nUpgrade `openssl` to version or higher.\n## References\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb563247aef3e83dda7679c43f9649270462e5b1)\n- [CONFIRM](https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200424-0003/)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200717-0004/)\n- [CONFIRM](https://www.openssl.org/news/secadv/20200421.txt)\n- [CONFIRM](https://www.synology.com/security/advisory/Synology_SA_20_05)\n- [CONFIRM](https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-03)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-04)\n- [DEBIAN](https://www.debian.org/security/2020/dsa-4661)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/)\n- [FREEBSD](https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc)\n- [FULLDISC](http://seclists.org/fulldisclosure/2020/May/5)\n- [GENTOO](https://security.gentoo.org/glsa/202004-10)\n- [MISC](http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html)\n- [MISC](https://github.com/irsl/CVE-2020-1967)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MLIST](https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](http://www.openwall.com/lists/oss-security/2020/04/22/2)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2020-1967" | |
| ], | |
| "CWE": [ | |
| "CWE-476" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 7.5, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=eb563247aef3e83dda7679c43f9649270462e5b1" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200424-0003/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200717-0004/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.openssl.org/news/secadv/20200421.txt" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.synology.com/security/advisory/Synology_SA_20_05" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-03" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-04" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2020/dsa-4661" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/" | |
| }, | |
| { | |
| "title": "FREEBSD", | |
| "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc" | |
| }, | |
| { | |
| "title": "FULLDISC", | |
| "url": "http://seclists.org/fulldisclosure/2020/May/5" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202004-10" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://github.com/irsl/CVE-2020-1967" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "http://www.openwall.com/lists/oss-security/2020/04/22/2" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:51:14.051206Z", | |
| "modificationTime": "2020-07-23T10:26:33.882678Z", | |
| "publicationTime": "2020-07-21T17:51:06.891221Z", | |
| "disclosureTime": "2020-04-21T14:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-588029", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1g-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "krb5-conf/krb5-conf@1.0-r1", | |
| "krb5/krb5-libs@1.15.5-r0", | |
| "openssl/libcrypto1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libcrypto1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1g-r0" | |
| }, | |
| { | |
| "title": "Missing Encryption of Sensitive Data", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nNormally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/0)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Sep/25)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200122-0002/)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200416-0003/)\n- [CONFIRM](https://support.f5.com/csp/article/K73422160?utm_source=f5support&%3Butm_medium=RSS)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-08)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4540)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1547)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [GENTOO](https://security.gentoo.org/glsa/201911-04)\n- [MISC](http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://arxiv.org/abs/1909.01785)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4376-2/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1547)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1547" | |
| ], | |
| "CWE": [ | |
| "CWE-311" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 4.7, | |
| "CVSSv3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/0" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/25" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200122-0002/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200416-0003/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K73422160?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-08" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4540" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1547" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/201911-04" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://arxiv.org/abs/1909.01785" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-2/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1547" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:47.965628Z", | |
| "modificationTime": "2020-07-23T10:26:19.094839Z", | |
| "publicationTime": "2019-09-11T00:32:26.849763Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-491992", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "openssl/libssl1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libssl1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Use of Insufficiently Random Values", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be)\n- [CONFIRM](https://support.f5.com/csp/article/K44070243)\n- [CONFIRM](https://support.f5.com/csp/article/K44070243?utm_source=f5support&%3Butm_medium=RSS)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1549)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1549)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1549" | |
| ], | |
| "CWE": [ | |
| "CWE-330" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 5.3, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K44070243" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K44070243?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1549" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1549" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:47.986964Z", | |
| "modificationTime": "2020-07-23T10:26:19.114238Z", | |
| "publicationTime": "2019-09-11T00:32:28.463177Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-501158", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "openssl/libssl1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libssl1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Missing Encryption of Sensitive Data", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nIn situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/0)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Sep/25)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f)\n- [CONFIRM](https://support.f5.com/csp/article/K97324400?utm_source=f5support&%3Butm_medium=RSS)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4540)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1563)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [GENTOO](https://security.gentoo.org/glsa/201911-04)\n- [MISC](http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4376-2/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1563)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1563" | |
| ], | |
| "CWE": [ | |
| "CWE-311" | |
| ] | |
| }, | |
| "severity": "low", | |
| "severityWithCritical": "low", | |
| "cvssScore": 3.7, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/0" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/25" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K97324400?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4540" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1563" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/201911-04" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-2/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1563" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:48.032417Z", | |
| "modificationTime": "2020-07-23T10:26:19.146067Z", | |
| "publicationTime": "2019-09-11T00:32:28.961076Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-505098", | |
| "nvdSeverity": "low", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "openssl/libssl1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libssl1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Information Exposure", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to Information Exposure. There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).\n## Remediation\nUpgrade `openssl` to version or higher.\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/39)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/46)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-03)\n- [Debian Security Advisory](https://www.debian.org/security/2019/dsa-4594)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1551)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/)\n- [GENTOO](https://security.gentoo.org/glsa/202004-10)\n- [MISC](http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20191210-0001/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20191206.txt)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1551" | |
| ], | |
| "CWE": [ | |
| "CWE-200" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 5.3, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/39" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/46" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=419102400a2811582a7a3d4a4e317d72e5ce0a8f" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f1c5eea8a817075d31e43f5876993c6710238c98" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-03" | |
| }, | |
| { | |
| "title": "Debian Security Advisory", | |
| "url": "https://www.debian.org/security/2019/dsa-4594" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1551" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202004-10" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20191210-0001/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20191206.txt" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:51:13.495221Z", | |
| "modificationTime": "2020-07-23T10:26:33.820106Z", | |
| "publicationTime": "2019-12-06T18:58:11.603400Z", | |
| "disclosureTime": "2019-12-06T18:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-588019", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r2" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "openssl/libssl1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libssl1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r2" | |
| }, | |
| { | |
| "title": "NULL Pointer Dereference", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to NULL Pointer Dereference. Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \"signature_algorithms_cert\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).\n## Remediation\nUpgrade `openssl` to version or higher.\n## References\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb563247aef3e83dda7679c43f9649270462e5b1)\n- [CONFIRM](https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200424-0003/)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200717-0004/)\n- [CONFIRM](https://www.openssl.org/news/secadv/20200421.txt)\n- [CONFIRM](https://www.synology.com/security/advisory/Synology_SA_20_05)\n- [CONFIRM](https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-03)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-04)\n- [DEBIAN](https://www.debian.org/security/2020/dsa-4661)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/)\n- [FREEBSD](https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc)\n- [FULLDISC](http://seclists.org/fulldisclosure/2020/May/5)\n- [GENTOO](https://security.gentoo.org/glsa/202004-10)\n- [MISC](http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html)\n- [MISC](https://github.com/irsl/CVE-2020-1967)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MLIST](https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](http://www.openwall.com/lists/oss-security/2020/04/22/2)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2020-1967" | |
| ], | |
| "CWE": [ | |
| "CWE-476" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 7.5, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=eb563247aef3e83dda7679c43f9649270462e5b1" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200424-0003/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200717-0004/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.openssl.org/news/secadv/20200421.txt" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.synology.com/security/advisory/Synology_SA_20_05" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-03" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-04" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2020/dsa-4661" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/" | |
| }, | |
| { | |
| "title": "FREEBSD", | |
| "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc" | |
| }, | |
| { | |
| "title": "FULLDISC", | |
| "url": "http://seclists.org/fulldisclosure/2020/May/5" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202004-10" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://github.com/irsl/CVE-2020-1967" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "http://www.openwall.com/lists/oss-security/2020/04/22/2" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:51:14.051206Z", | |
| "modificationTime": "2020-07-23T10:26:33.882678Z", | |
| "publicationTime": "2020-07-21T17:51:06.891221Z", | |
| "disclosureTime": "2020-04-21T14:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-588029", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1g-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "openssl/libssl1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libssl1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1g-r0" | |
| }, | |
| { | |
| "title": "Missing Encryption of Sensitive Data", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nNormally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/0)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Sep/25)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200122-0002/)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200416-0003/)\n- [CONFIRM](https://support.f5.com/csp/article/K73422160?utm_source=f5support&%3Butm_medium=RSS)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-08)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4540)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1547)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [GENTOO](https://security.gentoo.org/glsa/201911-04)\n- [MISC](http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://arxiv.org/abs/1909.01785)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4376-2/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1547)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1547" | |
| ], | |
| "CWE": [ | |
| "CWE-311" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 4.7, | |
| "CVSSv3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/0" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/25" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200122-0002/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200416-0003/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K73422160?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-08" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4540" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1547" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/201911-04" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://arxiv.org/abs/1909.01785" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-2/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1547" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:47.965628Z", | |
| "modificationTime": "2020-07-23T10:26:19.094839Z", | |
| "publicationTime": "2019-09-11T00:32:26.849763Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-491992", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "apk-tools/apk-tools@2.10.3-r1", | |
| "openssl/libssl1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libssl1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Use of Insufficiently Random Values", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be)\n- [CONFIRM](https://support.f5.com/csp/article/K44070243)\n- [CONFIRM](https://support.f5.com/csp/article/K44070243?utm_source=f5support&%3Butm_medium=RSS)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1549)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1549)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1549" | |
| ], | |
| "CWE": [ | |
| "CWE-330" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 5.3, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K44070243" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K44070243?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1549" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1549" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:47.986964Z", | |
| "modificationTime": "2020-07-23T10:26:19.114238Z", | |
| "publicationTime": "2019-09-11T00:32:28.463177Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-501158", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "apk-tools/apk-tools@2.10.3-r1", | |
| "openssl/libssl1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libssl1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Missing Encryption of Sensitive Data", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nIn situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/0)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Sep/25)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f)\n- [CONFIRM](https://support.f5.com/csp/article/K97324400?utm_source=f5support&%3Butm_medium=RSS)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4540)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1563)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [GENTOO](https://security.gentoo.org/glsa/201911-04)\n- [MISC](http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4376-2/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1563)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1563" | |
| ], | |
| "CWE": [ | |
| "CWE-311" | |
| ] | |
| }, | |
| "severity": "low", | |
| "severityWithCritical": "low", | |
| "cvssScore": 3.7, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/0" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/25" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K97324400?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4540" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1563" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/201911-04" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-2/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1563" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:48.032417Z", | |
| "modificationTime": "2020-07-23T10:26:19.146067Z", | |
| "publicationTime": "2019-09-11T00:32:28.961076Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-505098", | |
| "nvdSeverity": "low", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "apk-tools/apk-tools@2.10.3-r1", | |
| "openssl/libssl1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libssl1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Information Exposure", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to Information Exposure. There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).\n## Remediation\nUpgrade `openssl` to version or higher.\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/39)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/46)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-03)\n- [Debian Security Advisory](https://www.debian.org/security/2019/dsa-4594)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1551)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/)\n- [GENTOO](https://security.gentoo.org/glsa/202004-10)\n- [MISC](http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20191210-0001/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20191206.txt)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1551" | |
| ], | |
| "CWE": [ | |
| "CWE-200" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 5.3, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/39" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/46" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=419102400a2811582a7a3d4a4e317d72e5ce0a8f" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f1c5eea8a817075d31e43f5876993c6710238c98" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-03" | |
| }, | |
| { | |
| "title": "Debian Security Advisory", | |
| "url": "https://www.debian.org/security/2019/dsa-4594" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1551" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202004-10" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20191210-0001/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20191206.txt" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:51:13.495221Z", | |
| "modificationTime": "2020-07-23T10:26:33.820106Z", | |
| "publicationTime": "2019-12-06T18:58:11.603400Z", | |
| "disclosureTime": "2019-12-06T18:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-588019", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r2" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "apk-tools/apk-tools@2.10.3-r1", | |
| "openssl/libssl1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libssl1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r2" | |
| }, | |
| { | |
| "title": "NULL Pointer Dereference", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to NULL Pointer Dereference. Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \"signature_algorithms_cert\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).\n## Remediation\nUpgrade `openssl` to version or higher.\n## References\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb563247aef3e83dda7679c43f9649270462e5b1)\n- [CONFIRM](https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200424-0003/)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200717-0004/)\n- [CONFIRM](https://www.openssl.org/news/secadv/20200421.txt)\n- [CONFIRM](https://www.synology.com/security/advisory/Synology_SA_20_05)\n- [CONFIRM](https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-03)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-04)\n- [DEBIAN](https://www.debian.org/security/2020/dsa-4661)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/)\n- [FREEBSD](https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc)\n- [FULLDISC](http://seclists.org/fulldisclosure/2020/May/5)\n- [GENTOO](https://security.gentoo.org/glsa/202004-10)\n- [MISC](http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html)\n- [MISC](https://github.com/irsl/CVE-2020-1967)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MLIST](https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](http://www.openwall.com/lists/oss-security/2020/04/22/2)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2020-1967" | |
| ], | |
| "CWE": [ | |
| "CWE-476" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 7.5, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=eb563247aef3e83dda7679c43f9649270462e5b1" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200424-0003/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200717-0004/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.openssl.org/news/secadv/20200421.txt" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.synology.com/security/advisory/Synology_SA_20_05" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-03" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-04" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2020/dsa-4661" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/" | |
| }, | |
| { | |
| "title": "FREEBSD", | |
| "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc" | |
| }, | |
| { | |
| "title": "FULLDISC", | |
| "url": "http://seclists.org/fulldisclosure/2020/May/5" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202004-10" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://github.com/irsl/CVE-2020-1967" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "http://www.openwall.com/lists/oss-security/2020/04/22/2" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:51:14.051206Z", | |
| "modificationTime": "2020-07-23T10:26:33.882678Z", | |
| "publicationTime": "2020-07-21T17:51:06.891221Z", | |
| "disclosureTime": "2020-04-21T14:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-588029", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1g-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "apk-tools/apk-tools@2.10.3-r1", | |
| "openssl/libssl1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libssl1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1g-r0" | |
| }, | |
| { | |
| "title": "Missing Encryption of Sensitive Data", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nNormally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/0)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Sep/25)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200122-0002/)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200416-0003/)\n- [CONFIRM](https://support.f5.com/csp/article/K73422160?utm_source=f5support&%3Butm_medium=RSS)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-08)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4540)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1547)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [GENTOO](https://security.gentoo.org/glsa/201911-04)\n- [MISC](http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://arxiv.org/abs/1909.01785)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4376-2/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1547)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1547" | |
| ], | |
| "CWE": [ | |
| "CWE-311" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 4.7, | |
| "CVSSv3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/0" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/25" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200122-0002/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200416-0003/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K73422160?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-08" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4540" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1547" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/201911-04" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://arxiv.org/abs/1909.01785" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-2/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1547" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:47.965628Z", | |
| "modificationTime": "2020-07-23T10:26:19.094839Z", | |
| "publicationTime": "2019-09-11T00:32:26.849763Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-491992", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "libtls-standalone/libtls-standalone@2.7.4-r6", | |
| "openssl/libssl1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libssl1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Use of Insufficiently Random Values", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be)\n- [CONFIRM](https://support.f5.com/csp/article/K44070243)\n- [CONFIRM](https://support.f5.com/csp/article/K44070243?utm_source=f5support&%3Butm_medium=RSS)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1549)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1549)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1549" | |
| ], | |
| "CWE": [ | |
| "CWE-330" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 5.3, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K44070243" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K44070243?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1549" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1549" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:47.986964Z", | |
| "modificationTime": "2020-07-23T10:26:19.114238Z", | |
| "publicationTime": "2019-09-11T00:32:28.463177Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-501158", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "libtls-standalone/libtls-standalone@2.7.4-r6", | |
| "openssl/libssl1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libssl1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Missing Encryption of Sensitive Data", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nIn situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/0)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Sep/25)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f)\n- [CONFIRM](https://support.f5.com/csp/article/K97324400?utm_source=f5support&%3Butm_medium=RSS)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4540)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1563)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [GENTOO](https://security.gentoo.org/glsa/201911-04)\n- [MISC](http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4376-2/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1563)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1563" | |
| ], | |
| "CWE": [ | |
| "CWE-311" | |
| ] | |
| }, | |
| "severity": "low", | |
| "severityWithCritical": "low", | |
| "cvssScore": 3.7, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/0" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/25" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K97324400?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4540" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1563" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/201911-04" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-2/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1563" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:48.032417Z", | |
| "modificationTime": "2020-07-23T10:26:19.146067Z", | |
| "publicationTime": "2019-09-11T00:32:28.961076Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-505098", | |
| "nvdSeverity": "low", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "libtls-standalone/libtls-standalone@2.7.4-r6", | |
| "openssl/libssl1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libssl1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Information Exposure", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to Information Exposure. There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).\n## Remediation\nUpgrade `openssl` to version or higher.\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/39)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/46)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-03)\n- [Debian Security Advisory](https://www.debian.org/security/2019/dsa-4594)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1551)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/)\n- [GENTOO](https://security.gentoo.org/glsa/202004-10)\n- [MISC](http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20191210-0001/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20191206.txt)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1551" | |
| ], | |
| "CWE": [ | |
| "CWE-200" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 5.3, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/39" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/46" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=419102400a2811582a7a3d4a4e317d72e5ce0a8f" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f1c5eea8a817075d31e43f5876993c6710238c98" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-03" | |
| }, | |
| { | |
| "title": "Debian Security Advisory", | |
| "url": "https://www.debian.org/security/2019/dsa-4594" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1551" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202004-10" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20191210-0001/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20191206.txt" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:51:13.495221Z", | |
| "modificationTime": "2020-07-23T10:26:33.820106Z", | |
| "publicationTime": "2019-12-06T18:58:11.603400Z", | |
| "disclosureTime": "2019-12-06T18:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-588019", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r2" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "libtls-standalone/libtls-standalone@2.7.4-r6", | |
| "openssl/libssl1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libssl1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r2" | |
| }, | |
| { | |
| "title": "NULL Pointer Dereference", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to NULL Pointer Dereference. Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \"signature_algorithms_cert\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).\n## Remediation\nUpgrade `openssl` to version or higher.\n## References\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb563247aef3e83dda7679c43f9649270462e5b1)\n- [CONFIRM](https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200424-0003/)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200717-0004/)\n- [CONFIRM](https://www.openssl.org/news/secadv/20200421.txt)\n- [CONFIRM](https://www.synology.com/security/advisory/Synology_SA_20_05)\n- [CONFIRM](https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-03)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-04)\n- [DEBIAN](https://www.debian.org/security/2020/dsa-4661)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/)\n- [FREEBSD](https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc)\n- [FULLDISC](http://seclists.org/fulldisclosure/2020/May/5)\n- [GENTOO](https://security.gentoo.org/glsa/202004-10)\n- [MISC](http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html)\n- [MISC](https://github.com/irsl/CVE-2020-1967)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MLIST](https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](http://www.openwall.com/lists/oss-security/2020/04/22/2)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2020-1967" | |
| ], | |
| "CWE": [ | |
| "CWE-476" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 7.5, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=eb563247aef3e83dda7679c43f9649270462e5b1" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200424-0003/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200717-0004/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.openssl.org/news/secadv/20200421.txt" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.synology.com/security/advisory/Synology_SA_20_05" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-03" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-04" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2020/dsa-4661" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/" | |
| }, | |
| { | |
| "title": "FREEBSD", | |
| "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc" | |
| }, | |
| { | |
| "title": "FULLDISC", | |
| "url": "http://seclists.org/fulldisclosure/2020/May/5" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202004-10" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://github.com/irsl/CVE-2020-1967" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "http://www.openwall.com/lists/oss-security/2020/04/22/2" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:51:14.051206Z", | |
| "modificationTime": "2020-07-23T10:26:33.882678Z", | |
| "publicationTime": "2020-07-21T17:51:06.891221Z", | |
| "disclosureTime": "2020-04-21T14:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-588029", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1g-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "libtls-standalone/libtls-standalone@2.7.4-r6", | |
| "openssl/libssl1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libssl1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1g-r0" | |
| }, | |
| { | |
| "title": "Missing Encryption of Sensitive Data", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nNormally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/0)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Sep/25)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200122-0002/)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200416-0003/)\n- [CONFIRM](https://support.f5.com/csp/article/K73422160?utm_source=f5support&%3Butm_medium=RSS)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-08)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4540)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1547)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [GENTOO](https://security.gentoo.org/glsa/201911-04)\n- [MISC](http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://arxiv.org/abs/1909.01785)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4376-2/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1547)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1547" | |
| ], | |
| "CWE": [ | |
| "CWE-311" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 4.7, | |
| "CVSSv3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/0" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/25" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200122-0002/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200416-0003/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K73422160?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-08" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4540" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1547" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/201911-04" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://arxiv.org/abs/1909.01785" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-2/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1547" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:47.965628Z", | |
| "modificationTime": "2020-07-23T10:26:19.094839Z", | |
| "publicationTime": "2019-09-11T00:32:26.849763Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-491992", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "curl/libcurl@7.64.0-r1", | |
| "openssl/libssl1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libssl1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Use of Insufficiently Random Values", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be)\n- [CONFIRM](https://support.f5.com/csp/article/K44070243)\n- [CONFIRM](https://support.f5.com/csp/article/K44070243?utm_source=f5support&%3Butm_medium=RSS)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1549)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1549)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1549" | |
| ], | |
| "CWE": [ | |
| "CWE-330" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 5.3, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K44070243" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K44070243?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1549" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1549" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:47.986964Z", | |
| "modificationTime": "2020-07-23T10:26:19.114238Z", | |
| "publicationTime": "2019-09-11T00:32:28.463177Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-501158", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "curl/libcurl@7.64.0-r1", | |
| "openssl/libssl1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libssl1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Missing Encryption of Sensitive Data", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nIn situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/0)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Sep/25)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f)\n- [CONFIRM](https://support.f5.com/csp/article/K97324400?utm_source=f5support&%3Butm_medium=RSS)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4540)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1563)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [GENTOO](https://security.gentoo.org/glsa/201911-04)\n- [MISC](http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4376-2/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1563)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1563" | |
| ], | |
| "CWE": [ | |
| "CWE-311" | |
| ] | |
| }, | |
| "severity": "low", | |
| "severityWithCritical": "low", | |
| "cvssScore": 3.7, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/0" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/25" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K97324400?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4540" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1563" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/201911-04" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-2/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1563" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:48.032417Z", | |
| "modificationTime": "2020-07-23T10:26:19.146067Z", | |
| "publicationTime": "2019-09-11T00:32:28.961076Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-505098", | |
| "nvdSeverity": "low", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "curl/libcurl@7.64.0-r1", | |
| "openssl/libssl1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libssl1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Information Exposure", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to Information Exposure. There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).\n## Remediation\nUpgrade `openssl` to version or higher.\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/39)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/46)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-03)\n- [Debian Security Advisory](https://www.debian.org/security/2019/dsa-4594)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1551)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/)\n- [GENTOO](https://security.gentoo.org/glsa/202004-10)\n- [MISC](http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20191210-0001/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20191206.txt)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1551" | |
| ], | |
| "CWE": [ | |
| "CWE-200" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 5.3, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/39" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/46" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=419102400a2811582a7a3d4a4e317d72e5ce0a8f" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f1c5eea8a817075d31e43f5876993c6710238c98" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-03" | |
| }, | |
| { | |
| "title": "Debian Security Advisory", | |
| "url": "https://www.debian.org/security/2019/dsa-4594" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1551" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202004-10" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20191210-0001/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20191206.txt" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:51:13.495221Z", | |
| "modificationTime": "2020-07-23T10:26:33.820106Z", | |
| "publicationTime": "2019-12-06T18:58:11.603400Z", | |
| "disclosureTime": "2019-12-06T18:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-588019", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r2" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "curl/libcurl@7.64.0-r1", | |
| "openssl/libssl1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libssl1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r2" | |
| }, | |
| { | |
| "title": "NULL Pointer Dereference", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to NULL Pointer Dereference. Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \"signature_algorithms_cert\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).\n## Remediation\nUpgrade `openssl` to version or higher.\n## References\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb563247aef3e83dda7679c43f9649270462e5b1)\n- [CONFIRM](https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200424-0003/)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200717-0004/)\n- [CONFIRM](https://www.openssl.org/news/secadv/20200421.txt)\n- [CONFIRM](https://www.synology.com/security/advisory/Synology_SA_20_05)\n- [CONFIRM](https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-03)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-04)\n- [DEBIAN](https://www.debian.org/security/2020/dsa-4661)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/)\n- [FREEBSD](https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc)\n- [FULLDISC](http://seclists.org/fulldisclosure/2020/May/5)\n- [GENTOO](https://security.gentoo.org/glsa/202004-10)\n- [MISC](http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html)\n- [MISC](https://github.com/irsl/CVE-2020-1967)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MLIST](https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](http://www.openwall.com/lists/oss-security/2020/04/22/2)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2020-1967" | |
| ], | |
| "CWE": [ | |
| "CWE-476" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 7.5, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=eb563247aef3e83dda7679c43f9649270462e5b1" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200424-0003/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200717-0004/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.openssl.org/news/secadv/20200421.txt" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.synology.com/security/advisory/Synology_SA_20_05" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-03" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-04" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2020/dsa-4661" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/" | |
| }, | |
| { | |
| "title": "FREEBSD", | |
| "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc" | |
| }, | |
| { | |
| "title": "FULLDISC", | |
| "url": "http://seclists.org/fulldisclosure/2020/May/5" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202004-10" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://github.com/irsl/CVE-2020-1967" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "http://www.openwall.com/lists/oss-security/2020/04/22/2" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:51:14.051206Z", | |
| "modificationTime": "2020-07-23T10:26:33.882678Z", | |
| "publicationTime": "2020-07-21T17:51:06.891221Z", | |
| "disclosureTime": "2020-04-21T14:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-588029", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1g-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "curl/libcurl@7.64.0-r1", | |
| "openssl/libssl1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libssl1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1g-r0" | |
| }, | |
| { | |
| "title": "Missing Encryption of Sensitive Data", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nNormally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/0)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Sep/25)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200122-0002/)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200416-0003/)\n- [CONFIRM](https://support.f5.com/csp/article/K73422160?utm_source=f5support&%3Butm_medium=RSS)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-08)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4540)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1547)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [GENTOO](https://security.gentoo.org/glsa/201911-04)\n- [MISC](http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://arxiv.org/abs/1909.01785)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4376-2/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1547)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1547" | |
| ], | |
| "CWE": [ | |
| "CWE-311" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 4.7, | |
| "CVSSv3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/0" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/25" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200122-0002/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200416-0003/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K73422160?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-08" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4540" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1547" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/201911-04" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://arxiv.org/abs/1909.01785" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-2/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1547" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:47.965628Z", | |
| "modificationTime": "2020-07-23T10:26:19.094839Z", | |
| "publicationTime": "2019-09-11T00:32:26.849763Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-491992", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "krb5-conf/krb5-conf@1.0-r1", | |
| "krb5/krb5-libs@1.15.5-r0", | |
| "openssl/libssl1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libssl1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Use of Insufficiently Random Values", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be)\n- [CONFIRM](https://support.f5.com/csp/article/K44070243)\n- [CONFIRM](https://support.f5.com/csp/article/K44070243?utm_source=f5support&%3Butm_medium=RSS)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1549)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1549)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1549" | |
| ], | |
| "CWE": [ | |
| "CWE-330" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 5.3, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K44070243" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K44070243?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1549" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1549" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:47.986964Z", | |
| "modificationTime": "2020-07-23T10:26:19.114238Z", | |
| "publicationTime": "2019-09-11T00:32:28.463177Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-501158", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "krb5-conf/krb5-conf@1.0-r1", | |
| "krb5/krb5-libs@1.15.5-r0", | |
| "openssl/libssl1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libssl1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Missing Encryption of Sensitive Data", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nIn situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/0)\n- [BUGTRAQ](https://seclists.org/bugtraq/2019/Oct/1)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Sep/25)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f)\n- [CONFIRM](https://support.f5.com/csp/article/K97324400?utm_source=f5support&%3Butm_medium=RSS)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4539)\n- [DEBIAN](https://www.debian.org/security/2019/dsa-4540)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1563)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/)\n- [GENTOO](https://security.gentoo.org/glsa/201911-04)\n- [MISC](http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190919-0002/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20190910.txt)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4376-2/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1563)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1563" | |
| ], | |
| "CWE": [ | |
| "CWE-311" | |
| ] | |
| }, | |
| "severity": "low", | |
| "severityWithCritical": "low", | |
| "cvssScore": 3.7, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/0" | |
| }, | |
| { | |
| "title": "BUGTRAQ", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/1" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Sep/25" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K97324400?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4539" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2019/dsa-4540" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1563" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/201911-04" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190919-0002/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20190910.txt" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-2/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1563" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:48.032417Z", | |
| "modificationTime": "2020-07-23T10:26:19.146067Z", | |
| "publicationTime": "2019-09-11T00:32:28.961076Z", | |
| "disclosureTime": "2019-09-10T17:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-505098", | |
| "nvdSeverity": "low", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "krb5-conf/krb5-conf@1.0-r1", | |
| "krb5/krb5-libs@1.15.5-r0", | |
| "openssl/libssl1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libssl1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r0" | |
| }, | |
| { | |
| "title": "Information Exposure", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to Information Exposure. There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).\n## Remediation\nUpgrade `openssl` to version or higher.\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/39)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Dec/46)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f)\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98)\n- [CONFIRM](https://www.tenable.com/security/tns-2019-09)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-03)\n- [Debian Security Advisory](https://www.debian.org/security/2019/dsa-4594)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-1551)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/)\n- [GENTOO](https://security.gentoo.org/glsa/202004-10)\n- [MISC](http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20191210-0001/)\n- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20191206.txt)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html)\n- [UBUNTU](https://usn.ubuntu.com/4376-1/)\n- [UBUNTU](https://usn.ubuntu.com/4504-1/)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-1551" | |
| ], | |
| "CWE": [ | |
| "CWE-200" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 5.3, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/39" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Dec/46" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=419102400a2811582a7a3d4a4e317d72e5ce0a8f" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f1c5eea8a817075d31e43f5876993c6710238c98" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2019-09" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-03" | |
| }, | |
| { | |
| "title": "Debian Security Advisory", | |
| "url": "https://www.debian.org/security/2019/dsa-4594" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-1551" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202004-10" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20191210-0001/" | |
| }, | |
| { | |
| "title": "OpenSSL Security Advisory", | |
| "url": "https://www.openssl.org/news/secadv/20191206.txt" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4376-1/" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4504-1/" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1551" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:51:13.495221Z", | |
| "modificationTime": "2020-07-23T10:26:33.820106Z", | |
| "publicationTime": "2019-12-06T18:58:11.603400Z", | |
| "disclosureTime": "2019-12-06T18:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-588019", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1d-r2" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "krb5-conf/krb5-conf@1.0-r1", | |
| "krb5/krb5-libs@1.15.5-r0", | |
| "openssl/libssl1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libssl1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1d-r2" | |
| }, | |
| { | |
| "title": "NULL Pointer Dereference", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "openssl", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to NULL Pointer Dereference. Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the \"signature_algorithms_cert\" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).\n## Remediation\nUpgrade `openssl` to version or higher.\n## References\n- [CONFIRM](https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb563247aef3e83dda7679c43f9649270462e5b1)\n- [CONFIRM](https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200424-0003/)\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200717-0004/)\n- [CONFIRM](https://www.openssl.org/news/secadv/20200421.txt)\n- [CONFIRM](https://www.synology.com/security/advisory/Synology_SA_20_05)\n- [CONFIRM](https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-03)\n- [CONFIRM](https://www.tenable.com/security/tns-2020-04)\n- [DEBIAN](https://www.debian.org/security/2020/dsa-4661)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/)\n- [FEDORA](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/)\n- [FREEBSD](https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc)\n- [FULLDISC](http://seclists.org/fulldisclosure/2020/May/5)\n- [GENTOO](https://security.gentoo.org/glsa/202004-10)\n- [MISC](http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html)\n- [MISC](https://github.com/irsl/CVE-2020-1967)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MLIST](https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E)\n- [MLIST](http://www.openwall.com/lists/oss-security/2020/04/22/2)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html)\n- [SUSE](http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2020-1967" | |
| ], | |
| "CWE": [ | |
| "CWE-476" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 7.5, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=eb563247aef3e83dda7679c43f9649270462e5b1" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200424-0003/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200717-0004/" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.openssl.org/news/secadv/20200421.txt" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.synology.com/security/advisory/Synology_SA_20_05" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-03" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.tenable.com/security/tns-2020-04" | |
| }, | |
| { | |
| "title": "DEBIAN", | |
| "url": "https://www.debian.org/security/2020/dsa-4661" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/" | |
| }, | |
| { | |
| "title": "FEDORA", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/" | |
| }, | |
| { | |
| "title": "FREEBSD", | |
| "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc" | |
| }, | |
| { | |
| "title": "FULLDISC", | |
| "url": "http://seclists.org/fulldisclosure/2020/May/5" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202004-10" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://github.com/irsl/CVE-2020-1967" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "http://www.openwall.com/lists/oss-security/2020/04/22/2" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html" | |
| }, | |
| { | |
| "title": "SUSE", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:51:14.051206Z", | |
| "modificationTime": "2020-07-23T10:26:33.882678Z", | |
| "publicationTime": "2020-07-21T17:51:06.891221Z", | |
| "disclosureTime": "2020-04-21T14:15:00Z", | |
| "id": "SNYK-ALPINE39-OPENSSL-588029", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.1.1g-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "krb5-conf/krb5-conf@1.0-r1", | |
| "krb5/krb5-libs@1.15.5-r0", | |
| "openssl/libssl1.1@1.1.1b-r1" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "openssl/libssl1.1", | |
| "version": "1.1.1b-r1", | |
| "nearestFixedInVersion": "1.1.1g-r0" | |
| }, | |
| { | |
| "title": "Out-of-bounds Read", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "sqlite", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nSQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.\n\n## References\n- [CVE Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8457)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-8457)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPKYSWCOM3CL66RI76TYVIG6TJ263RXH/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SJPFGA45DI4F5MCF2OAACGH3HQOF4G3M/)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.sqlite.org/releaselog/3_28_0.html)\n- [MISC](https://www.sqlite.org/src/info/90acdbfce9c08858)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190606-0002/)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00074.html)\n- [Oracle Security Advisory](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-8457)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4004-1/)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4004-2/)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4019-1/)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4019-2/)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-8457" | |
| ], | |
| "CWE": [ | |
| "CWE-125" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "critical", | |
| "cvssScore": 9.8, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "CVE Details", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8457" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-8457" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPKYSWCOM3CL66RI76TYVIG6TJ263RXH/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SJPFGA45DI4F5MCF2OAACGH3HQOF4G3M/" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.sqlite.org/releaselog/3_28_0.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.sqlite.org/src/info/90acdbfce9c08858" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190606-0002/" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00074.html" | |
| }, | |
| { | |
| "title": "Oracle Security Advisory", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-8457" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4004-1/" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4004-2/" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4019-1/" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4019-2/" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:41.738226Z", | |
| "modificationTime": "2020-07-23T10:26:12.746909Z", | |
| "publicationTime": "2019-05-30T16:29:00Z", | |
| "disclosureTime": "2019-05-30T16:29:00Z", | |
| "id": "SNYK-ALPINE39-SQLITE-449671", | |
| "nvdSeverity": "critical", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<3.28.0-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "sqlite/sqlite-libs@3.26.0-r3" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "sqlite/sqlite-libs", | |
| "version": "3.26.0-r3", | |
| "nearestFixedInVersion": "3.28.0-r0" | |
| }, | |
| { | |
| "title": "Use After Free", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "sqlite", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nAn exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3.26.0. A specially crafted SQL command can cause a use after free vulnerability, potentially resulting in remote code execution. An attacker can send a malicious SQL command to trigger this vulnerability.\n\n## References\n- [CVE Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5018)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-5018)\n- [GENTOO](https://security.gentoo.org/glsa/201908-09)\n- [MISC](http://packetstormsecurity.com/files/152809/Sqlite3-Window-Function-Remote-Code-Execution.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190521-0001/)\n- [Security Focus](http://www.securityfocus.com/bid/108294)\n- [Talos Vulnerability Report](https://talosintelligence.com/vulnerability_reports/TALOS-2019-0777)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5018)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-5018" | |
| ], | |
| "CWE": [ | |
| "CWE-416" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 8.1, | |
| "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "CVE Details", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5018" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-5018" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/201908-09" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/152809/Sqlite3-Window-Function-Remote-Code-Execution.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190521-0001/" | |
| }, | |
| { | |
| "title": "Security Focus", | |
| "url": "http://www.securityfocus.com/bid/108294" | |
| }, | |
| { | |
| "title": "Talos Vulnerability Report", | |
| "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0777" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5018" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:40.908455Z", | |
| "modificationTime": "2020-07-23T10:26:11.983699Z", | |
| "publicationTime": "2019-05-10T19:29:00Z", | |
| "disclosureTime": "2019-05-10T19:29:00Z", | |
| "id": "SNYK-ALPINE39-SQLITE-449762", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<3.28.0-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "sqlite/sqlite-libs@3.26.0-r3" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "sqlite/sqlite-libs", | |
| "version": "3.26.0-r3", | |
| "nearestFixedInVersion": "3.28.0-r0" | |
| }, | |
| { | |
| "title": "Divide By Zero", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "sqlite", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nIn SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a \"severe division by zero in the query planner.\"\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16168)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-16168)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZARJHJJDBHI7CE5PZEBXS5HKK6HXKW2/)\n- [GENTOO](https://security.gentoo.org/glsa/202003-16)\n- [MISC](https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg116312.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.sqlite.org/src/info/e4598ecbdd18bd82945f6029013296690e719a62)\n- [MISC](https://www.sqlite.org/src/timeline?c=98357d8c1263920b)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190926-0003/)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20200122-0003/)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00032.html)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00033.html)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-16168)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4205-1/)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-16168" | |
| ], | |
| "CWE": [ | |
| "CWE-369" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 6.5, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16168" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-16168" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZARJHJJDBHI7CE5PZEBXS5HKK6HXKW2/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202003-16" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg116312.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.sqlite.org/src/info/e4598ecbdd18bd82945f6029013296690e719a62" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.sqlite.org/src/timeline?c=98357d8c1263920b" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190926-0003/" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20200122-0003/" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00032.html" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00033.html" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-16168" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4205-1/" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:47.928751Z", | |
| "modificationTime": "2020-07-23T10:26:19.069103Z", | |
| "publicationTime": "2019-09-09T19:32:19.978398Z", | |
| "disclosureTime": "2019-09-09T17:15:00Z", | |
| "id": "SNYK-ALPINE39-SQLITE-487067", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<3.28.0-r1" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "sqlite/sqlite-libs@3.26.0-r3" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "sqlite/sqlite-libs", | |
| "version": "3.26.0-r3", | |
| "nearestFixedInVersion": "3.28.0-r1" | |
| }, | |
| { | |
| "title": "Improper Input Validation", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "sqlite", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to Improper Input Validation. SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.\n## Remediation\nUpgrade `sqlite` to version or higher.\n## References\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200416-0001/)\n- [FREEBSD](https://security.FreeBSD.org/advisories/FreeBSD-SA-20:22.sqlite.asc)\n- [GENTOO](https://security.gentoo.org/glsa/202007-26)\n- [MISC](https://www3.sqlite.org/cgi/src/info/4a302b42c7bf5e11)\n- [MISC](https://www3.sqlite.org/cgi/src/tktview?name=af4556bb5c)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2020/05/msg00006.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html)\n- [UBUNTU](https://usn.ubuntu.com/4394-1/)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2020-11655" | |
| ], | |
| "CWE": [ | |
| "CWE-20" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 7.5, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200416-0001/" | |
| }, | |
| { | |
| "title": "FREEBSD", | |
| "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:22.sqlite.asc" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202007-26" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www3.sqlite.org/cgi/src/info/4a302b42c7bf5e11" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www3.sqlite.org/cgi/src/tktview?name=af4556bb5c" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00006.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4394-1/" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:50:24.735529Z", | |
| "modificationTime": "2020-07-23T10:26:29.488178Z", | |
| "publicationTime": "2020-07-21T17:50:16.129369Z", | |
| "disclosureTime": "2020-04-09T03:15:00Z", | |
| "id": "SNYK-ALPINE39-SQLITE-587441", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<3.28.0-r3" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "sqlite/sqlite-libs@3.26.0-r3" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "sqlite/sqlite-libs", | |
| "version": "3.26.0-r3", | |
| "nearestFixedInVersion": "3.28.0-r3" | |
| }, | |
| { | |
| "title": "NULL Pointer Dereference", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "sqlite", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to NULL Pointer Dereference. SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_COLUMN case in sqlite3ExprCodeTarget in expr.c.\n## Remediation\nUpgrade `sqlite` to version or higher.\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19242)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-19242)\n- [GitHub Commit](https://github.com/sqlite/sqlite/commit/57f7ece78410a8aae86aa4625fb7556897db384c)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-19242)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4205-1/)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-19242" | |
| ], | |
| "CWE": [ | |
| "CWE-476" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 4.3, | |
| "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19242" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-19242" | |
| }, | |
| { | |
| "title": "GitHub Commit", | |
| "url": "https://github.com/sqlite/sqlite/commit/57f7ece78410a8aae86aa4625fb7556897db384c" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-19242" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4205-1/" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:50:25.595694Z", | |
| "modificationTime": "2020-07-23T10:26:29.557862Z", | |
| "publicationTime": "2019-11-25T21:35:20.381427Z", | |
| "disclosureTime": "2019-11-27T17:15:00Z", | |
| "id": "SNYK-ALPINE39-SQLITE-587452", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<3.28.0-r2" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "sqlite/sqlite-libs@3.26.0-r3" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "sqlite/sqlite-libs", | |
| "version": "3.26.0-r3", | |
| "nearestFixedInVersion": "3.28.0-r2" | |
| }, | |
| { | |
| "title": "Out-of-bounds Read", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "sqlite", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nSQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.\n\n## References\n- [CVE Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8457)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-8457)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPKYSWCOM3CL66RI76TYVIG6TJ263RXH/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SJPFGA45DI4F5MCF2OAACGH3HQOF4G3M/)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MISC](https://www.sqlite.org/releaselog/3_28_0.html)\n- [MISC](https://www.sqlite.org/src/info/90acdbfce9c08858)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190606-0002/)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00074.html)\n- [Oracle Security Advisory](https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-8457)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4004-1/)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4004-2/)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4019-1/)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4019-2/)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-8457" | |
| ], | |
| "CWE": [ | |
| "CWE-125" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "critical", | |
| "cvssScore": 9.8, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "CVE Details", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8457" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-8457" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPKYSWCOM3CL66RI76TYVIG6TJ263RXH/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SJPFGA45DI4F5MCF2OAACGH3HQOF4G3M/" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.sqlite.org/releaselog/3_28_0.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.sqlite.org/src/info/90acdbfce9c08858" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190606-0002/" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00074.html" | |
| }, | |
| { | |
| "title": "Oracle Security Advisory", | |
| "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-8457" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4004-1/" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4004-2/" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4019-1/" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4019-2/" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:41.738226Z", | |
| "modificationTime": "2020-07-23T10:26:12.746909Z", | |
| "publicationTime": "2019-05-30T16:29:00Z", | |
| "disclosureTime": "2019-05-30T16:29:00Z", | |
| "id": "SNYK-ALPINE39-SQLITE-449671", | |
| "nvdSeverity": "critical", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<3.28.0-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| ".python-rundeps@0", | |
| "sqlite/sqlite-libs@3.26.0-r3" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "sqlite/sqlite-libs", | |
| "version": "3.26.0-r3", | |
| "nearestFixedInVersion": "3.28.0-r0" | |
| }, | |
| { | |
| "title": "Use After Free", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "sqlite", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nAn exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3.26.0. A specially crafted SQL command can cause a use after free vulnerability, potentially resulting in remote code execution. An attacker can send a malicious SQL command to trigger this vulnerability.\n\n## References\n- [CVE Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5018)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-5018)\n- [GENTOO](https://security.gentoo.org/glsa/201908-09)\n- [MISC](http://packetstormsecurity.com/files/152809/Sqlite3-Window-Function-Remote-Code-Execution.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190521-0001/)\n- [Security Focus](http://www.securityfocus.com/bid/108294)\n- [Talos Vulnerability Report](https://talosintelligence.com/vulnerability_reports/TALOS-2019-0777)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5018)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-5018" | |
| ], | |
| "CWE": [ | |
| "CWE-416" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 8.1, | |
| "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "CVE Details", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5018" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-5018" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/201908-09" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/152809/Sqlite3-Window-Function-Remote-Code-Execution.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190521-0001/" | |
| }, | |
| { | |
| "title": "Security Focus", | |
| "url": "http://www.securityfocus.com/bid/108294" | |
| }, | |
| { | |
| "title": "Talos Vulnerability Report", | |
| "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0777" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5018" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:40.908455Z", | |
| "modificationTime": "2020-07-23T10:26:11.983699Z", | |
| "publicationTime": "2019-05-10T19:29:00Z", | |
| "disclosureTime": "2019-05-10T19:29:00Z", | |
| "id": "SNYK-ALPINE39-SQLITE-449762", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<3.28.0-r0" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| ".python-rundeps@0", | |
| "sqlite/sqlite-libs@3.26.0-r3" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "sqlite/sqlite-libs", | |
| "version": "3.26.0-r3", | |
| "nearestFixedInVersion": "3.28.0-r0" | |
| }, | |
| { | |
| "title": "Divide By Zero", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "sqlite", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\nIn SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a \"severe division by zero in the query planner.\"\n\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16168)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-16168)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZARJHJJDBHI7CE5PZEBXS5HKK6HXKW2/)\n- [GENTOO](https://security.gentoo.org/glsa/202003-16)\n- [MISC](https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg116312.html)\n- [MISC](https://www.oracle.com/security-alerts/cpujan2020.html)\n- [MISC](https://www.sqlite.org/src/info/e4598ecbdd18bd82945f6029013296690e719a62)\n- [MISC](https://www.sqlite.org/src/timeline?c=98357d8c1263920b)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20190926-0003/)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20200122-0003/)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00032.html)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00033.html)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-16168)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4205-1/)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-16168" | |
| ], | |
| "CWE": [ | |
| "CWE-369" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 6.5, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16168" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-16168" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZARJHJJDBHI7CE5PZEBXS5HKK6HXKW2/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202003-16" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg116312.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujan2020.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.sqlite.org/src/info/e4598ecbdd18bd82945f6029013296690e719a62" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.sqlite.org/src/timeline?c=98357d8c1263920b" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20190926-0003/" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20200122-0003/" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00032.html" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00033.html" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-16168" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4205-1/" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T16:54:47.928751Z", | |
| "modificationTime": "2020-07-23T10:26:19.069103Z", | |
| "publicationTime": "2019-09-09T19:32:19.978398Z", | |
| "disclosureTime": "2019-09-09T17:15:00Z", | |
| "id": "SNYK-ALPINE39-SQLITE-487067", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<3.28.0-r1" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| ".python-rundeps@0", | |
| "sqlite/sqlite-libs@3.26.0-r3" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "sqlite/sqlite-libs", | |
| "version": "3.26.0-r3", | |
| "nearestFixedInVersion": "3.28.0-r1" | |
| }, | |
| { | |
| "title": "Improper Input Validation", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "sqlite", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to Improper Input Validation. SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.\n## Remediation\nUpgrade `sqlite` to version or higher.\n## References\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200416-0001/)\n- [FREEBSD](https://security.FreeBSD.org/advisories/FreeBSD-SA-20:22.sqlite.asc)\n- [GENTOO](https://security.gentoo.org/glsa/202007-26)\n- [MISC](https://www3.sqlite.org/cgi/src/info/4a302b42c7bf5e11)\n- [MISC](https://www3.sqlite.org/cgi/src/tktview?name=af4556bb5c)\n- [MISC](https://www.oracle.com/security-alerts/cpujul2020.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2020/05/msg00006.html)\n- [MLIST](https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html)\n- [UBUNTU](https://usn.ubuntu.com/4394-1/)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2020-11655" | |
| ], | |
| "CWE": [ | |
| "CWE-20" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 7.5, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://security.netapp.com/advisory/ntap-20200416-0001/" | |
| }, | |
| { | |
| "title": "FREEBSD", | |
| "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:22.sqlite.asc" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202007-26" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www3.sqlite.org/cgi/src/info/4a302b42c7bf5e11" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www3.sqlite.org/cgi/src/tktview?name=af4556bb5c" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://www.oracle.com/security-alerts/cpujul2020.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00006.html" | |
| }, | |
| { | |
| "title": "MLIST", | |
| "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html" | |
| }, | |
| { | |
| "title": "UBUNTU", | |
| "url": "https://usn.ubuntu.com/4394-1/" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:50:24.735529Z", | |
| "modificationTime": "2020-07-23T10:26:29.488178Z", | |
| "publicationTime": "2020-07-21T17:50:16.129369Z", | |
| "disclosureTime": "2020-04-09T03:15:00Z", | |
| "id": "SNYK-ALPINE39-SQLITE-587441", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<3.28.0-r3" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| ".python-rundeps@0", | |
| "sqlite/sqlite-libs@3.26.0-r3" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "sqlite/sqlite-libs", | |
| "version": "3.26.0-r3", | |
| "nearestFixedInVersion": "3.28.0-r3" | |
| }, | |
| { | |
| "title": "NULL Pointer Dereference", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "sqlite", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to NULL Pointer Dereference. SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_COLUMN case in sqlite3ExprCodeTarget in expr.c.\n## Remediation\nUpgrade `sqlite` to version or higher.\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19242)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-19242)\n- [GitHub Commit](https://github.com/sqlite/sqlite/commit/57f7ece78410a8aae86aa4625fb7556897db384c)\n- [N/A](https://www.oracle.com/security-alerts/cpuapr2020.html)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-19242)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4205-1/)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-19242" | |
| ], | |
| "CWE": [ | |
| "CWE-476" | |
| ] | |
| }, | |
| "severity": "medium", | |
| "severityWithCritical": "medium", | |
| "cvssScore": 4.3, | |
| "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19242" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-19242" | |
| }, | |
| { | |
| "title": "GitHub Commit", | |
| "url": "https://github.com/sqlite/sqlite/commit/57f7ece78410a8aae86aa4625fb7556897db384c" | |
| }, | |
| { | |
| "title": "N/A", | |
| "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-19242" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4205-1/" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:50:25.595694Z", | |
| "modificationTime": "2020-07-23T10:26:29.557862Z", | |
| "publicationTime": "2019-11-25T21:35:20.381427Z", | |
| "disclosureTime": "2019-11-27T17:15:00Z", | |
| "id": "SNYK-ALPINE39-SQLITE-587452", | |
| "nvdSeverity": "medium", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<3.28.0-r2" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| ".python-rundeps@0", | |
| "sqlite/sqlite-libs@3.26.0-r3" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "sqlite/sqlite-libs", | |
| "version": "3.26.0-r3", | |
| "nearestFixedInVersion": "3.28.0-r2" | |
| }, | |
| { | |
| "title": "CVE-2019-18634", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "sudo", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to CVE-2019-18634. None\n## Remediation\nUpgrade `sudo` to version or higher.", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-18634" | |
| ], | |
| "CWE": [] | |
| }, | |
| "severity": "low", | |
| "severityWithCritical": "low", | |
| "cvssScore": null, | |
| "CVSSv3": null, | |
| "patches": [], | |
| "references": [], | |
| "creationTime": "2020-07-21T17:50:20.274527Z", | |
| "modificationTime": "2020-07-23T10:26:28.766182Z", | |
| "publicationTime": "2020-07-21T17:50:11.539782Z", | |
| "disclosureTime": null, | |
| "id": "SNYK-ALPINE39-SUDO-587367", | |
| "nvdSeverity": "low", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.8.25_p1-r3" | |
| ] | |
| }, | |
| "exploit": "Not Defined", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "sudo/sudo@1.8.25_p1-r2" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "sudo/sudo", | |
| "version": "1.8.25_p1-r2", | |
| "nearestFixedInVersion": "1.8.25_p1-r3" | |
| }, | |
| { | |
| "title": "Improper Handling of Exceptional Conditions", | |
| "credit": [ | |
| "" | |
| ], | |
| "packageName": "sudo", | |
| "language": "linux", | |
| "packageManager": "alpine:3.9", | |
| "description": "## Overview\n\nAffected versions of this package are vulnerable to Improper Handling of Exceptional Conditions. In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a \"sudo -u \\#$((0xffffffff))\" command.\n## Remediation\nUpgrade `sudo` to version or higher.\n## References\n- [ADVISORY](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14287)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Oct/20)\n- [Bugtraq Mailing List](https://seclists.org/bugtraq/2019/Oct/21)\n- [CONFIRM](https://support.f5.com/csp/article/K53746212?utm_source=f5support&utm_medium=RSS)\n- [CONFIRM](https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbns03976en_us)\n- [CONFIRM](https://www.sudo.ws/alerts/minus_1_uid.html)\n- [Debian Security Advisory](https://www.debian.org/security/2019/dsa-4543)\n- [Debian Security Announcement](https://lists.debian.org/debian-lts-announce/2019/10/msg00022.html)\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-14287)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IP7SIOAVLSKJGMTIULX52VQUPTVSC43U/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NPLAM57TPJQGKQMNG6RHFBLACD6K356N/)\n- [Fedora Security Update](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUVAOZBYUHZS56A5FQSCDVGXT7PW7FL2/)\n- [GENTOO](https://security.gentoo.org/glsa/202003-12)\n- [MISC](http://packetstormsecurity.com/files/154853/Slackware-Security-Advisory-sudo-Updates.html)\n- [MISC](https://resources.whitesourcesoftware.com/blog-whitesource/new-vulnerability-in-sudo-cve-2019-14287)\n- [Netapp Security Advisory](https://security.netapp.com/advisory/ntap-20191017-0003/)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00042.html)\n- [OpenSuse Security Announcement](http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00047.html)\n- [OSS security Advisory](https://www.openwall.com/lists/oss-security/2019/10/15/2)\n- [OSS security Advisory](http://www.openwall.com/lists/oss-security/2019/10/14/1)\n- [OSS security Advisory](http://www.openwall.com/lists/oss-security/2019/10/24/1)\n- [OSS security Advisory](http://www.openwall.com/lists/oss-security/2019/10/29/3)\n- [REDHAT](https://access.redhat.com/errata/RHBA-2019:3248)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:3694)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:3754)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:3755)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:3895)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:3916)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:3941)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2019:4191)\n- [REDHAT](https://access.redhat.com/errata/RHSA-2020:0388)\n- [RHSA Security Advisory](https://access.redhat.com/errata/RHSA-2019:3197)\n- [RHSA Security Advisory](https://access.redhat.com/errata/RHSA-2019:3204)\n- [RHSA Security Advisory](https://access.redhat.com/errata/RHSA-2019:3205)\n- [RHSA Security Advisory](https://access.redhat.com/errata/RHSA-2019:3209)\n- [RHSA Security Advisory](https://access.redhat.com/errata/RHSA-2019:3219)\n- [RHSA Security Advisory](https://access.redhat.com/errata/RHSA-2019:3278)\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-14287)\n- [Ubuntu Security Advisory](https://usn.ubuntu.com/4154-1/)\n", | |
| "identifiers": { | |
| "ALTERNATIVE": [], | |
| "CVE": [ | |
| "CVE-2019-14287" | |
| ], | |
| "CWE": [ | |
| "CWE-755" | |
| ] | |
| }, | |
| "severity": "high", | |
| "severityWithCritical": "high", | |
| "cvssScore": 8.8, | |
| "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F", | |
| "patches": [], | |
| "references": [ | |
| { | |
| "title": "ADVISORY", | |
| "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14287" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/20" | |
| }, | |
| { | |
| "title": "Bugtraq Mailing List", | |
| "url": "https://seclists.org/bugtraq/2019/Oct/21" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.f5.com/csp/article/K53746212?utm_source=f5support&%3Butm_medium=RSS" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbns03976en_us" | |
| }, | |
| { | |
| "title": "CONFIRM", | |
| "url": "https://www.sudo.ws/alerts/minus_1_uid.html" | |
| }, | |
| { | |
| "title": "Debian Security Advisory", | |
| "url": "https://www.debian.org/security/2019/dsa-4543" | |
| }, | |
| { | |
| "title": "Debian Security Announcement", | |
| "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00022.html" | |
| }, | |
| { | |
| "title": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2019-14287" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IP7SIOAVLSKJGMTIULX52VQUPTVSC43U/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NPLAM57TPJQGKQMNG6RHFBLACD6K356N/" | |
| }, | |
| { | |
| "title": "Fedora Security Update", | |
| "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUVAOZBYUHZS56A5FQSCDVGXT7PW7FL2/" | |
| }, | |
| { | |
| "title": "GENTOO", | |
| "url": "https://security.gentoo.org/glsa/202003-12" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "http://packetstormsecurity.com/files/154853/Slackware-Security-Advisory-sudo-Updates.html" | |
| }, | |
| { | |
| "title": "MISC", | |
| "url": "https://resources.whitesourcesoftware.com/blog-whitesource/new-vulnerability-in-sudo-cve-2019-14287" | |
| }, | |
| { | |
| "title": "Netapp Security Advisory", | |
| "url": "https://security.netapp.com/advisory/ntap-20191017-0003/" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00042.html" | |
| }, | |
| { | |
| "title": "OpenSuse Security Announcement", | |
| "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00047.html" | |
| }, | |
| { | |
| "title": "OSS security Advisory", | |
| "url": "https://www.openwall.com/lists/oss-security/2019/10/15/2" | |
| }, | |
| { | |
| "title": "OSS security Advisory", | |
| "url": "http://www.openwall.com/lists/oss-security/2019/10/14/1" | |
| }, | |
| { | |
| "title": "OSS security Advisory", | |
| "url": "http://www.openwall.com/lists/oss-security/2019/10/24/1" | |
| }, | |
| { | |
| "title": "OSS security Advisory", | |
| "url": "http://www.openwall.com/lists/oss-security/2019/10/29/3" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHBA-2019:3248" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:3694" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:3754" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:3755" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:3895" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:3916" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:3941" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:4191" | |
| }, | |
| { | |
| "title": "REDHAT", | |
| "url": "https://access.redhat.com/errata/RHSA-2020:0388" | |
| }, | |
| { | |
| "title": "RHSA Security Advisory", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:3197" | |
| }, | |
| { | |
| "title": "RHSA Security Advisory", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:3204" | |
| }, | |
| { | |
| "title": "RHSA Security Advisory", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:3205" | |
| }, | |
| { | |
| "title": "RHSA Security Advisory", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:3209" | |
| }, | |
| { | |
| "title": "RHSA Security Advisory", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:3219" | |
| }, | |
| { | |
| "title": "RHSA Security Advisory", | |
| "url": "https://access.redhat.com/errata/RHSA-2019:3278" | |
| }, | |
| { | |
| "title": "Ubuntu CVE Tracker", | |
| "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-14287" | |
| }, | |
| { | |
| "title": "Ubuntu Security Advisory", | |
| "url": "https://usn.ubuntu.com/4154-1/" | |
| } | |
| ], | |
| "creationTime": "2020-07-21T17:50:20.453848Z", | |
| "modificationTime": "2020-07-23T10:26:28.820342Z", | |
| "publicationTime": "2019-10-14T16:35:17.388942Z", | |
| "disclosureTime": "2019-10-17T18:15:00Z", | |
| "id": "SNYK-ALPINE39-SUDO-587370", | |
| "nvdSeverity": "high", | |
| "relativeImportance": null, | |
| "semver": { | |
| "vulnerable": [ | |
| "<1.8.25_p1-r3" | |
| ] | |
| }, | |
| "exploit": "Functional", | |
| "from": [ | |
| "docker-image|clmdevops/detect-secrets@latest", | |
| "sudo/sudo@1.8.25_p1-r2" | |
| ], | |
| "upgradePath": [], | |
| "isUpgradable": false, | |
| "isPatchable": false, | |
| "name": "sudo/sudo", | |
| "version": "1.8.25_p1-r2", | |
| "nearestFixedInVersion": "1.8.25_p1-r3" | |
| } | |
| ], | |
| "ok": false, | |
| "dependencyCount": 47, | |
| "org": "cloud-suz", | |
| "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.19.0\nignore: {}\npatch: {}\n", | |
| "isPrivate": true, | |
| "licensesPolicy": { | |
| "severities": {}, | |
| "orgLicenseRules": { | |
| "AGPL-1.0": { | |
| "licenseType": "AGPL-1.0", | |
| "severity": "high", | |
| "instructions": "" | |
| }, | |
| "AGPL-3.0": { | |
| "licenseType": "AGPL-3.0", | |
| "severity": "high", | |
| "instructions": "" | |
| }, | |
| "Artistic-1.0": { | |
| "licenseType": "Artistic-1.0", | |
| "severity": "medium", | |
| "instructions": "" | |
| }, | |
| "Artistic-2.0": { | |
| "licenseType": "Artistic-2.0", | |
| "severity": "medium", | |
| "instructions": "" | |
| }, | |
| "CDDL-1.0": { | |
| "licenseType": "CDDL-1.0", | |
| "severity": "medium", | |
| "instructions": "" | |
| }, | |
| "CPOL-1.02": { | |
| "licenseType": "CPOL-1.02", | |
| "severity": "high", | |
| "instructions": "" | |
| }, | |
| "EPL-1.0": { | |
| "licenseType": "EPL-1.0", | |
| "severity": "medium", | |
| "instructions": "" | |
| }, | |
| "GPL-2.0": { | |
| "licenseType": "GPL-2.0", | |
| "severity": "high", | |
| "instructions": "" | |
| }, | |
| "GPL-3.0": { | |
| "licenseType": "GPL-3.0", | |
| "severity": "high", | |
| "instructions": "" | |
| }, | |
| "LGPL-2.0": { | |
| "licenseType": "LGPL-2.0", | |
| "severity": "medium", | |
| "instructions": "" | |
| }, | |
| "LGPL-2.1": { | |
| "licenseType": "LGPL-2.1", | |
| "severity": "medium", | |
| "instructions": "" | |
| }, | |
| "LGPL-3.0": { | |
| "licenseType": "LGPL-3.0", | |
| "severity": "medium", | |
| "instructions": "" | |
| }, | |
| "MPL-1.1": { | |
| "licenseType": "MPL-1.1", | |
| "severity": "medium", | |
| "instructions": "" | |
| }, | |
| "MPL-2.0": { | |
| "licenseType": "MPL-2.0", | |
| "severity": "medium", | |
| "instructions": "" | |
| }, | |
| "MS-RL": { | |
| "licenseType": "MS-RL", | |
| "severity": "medium", | |
| "instructions": "" | |
| }, | |
| "SimPL-2.0": { | |
| "licenseType": "SimPL-2.0", | |
| "severity": "high", | |
| "instructions": "" | |
| } | |
| } | |
| }, | |
| "packageManager": "apk", | |
| "ignoreSettings": null, | |
| "docker": { | |
| "binariesVulns": { | |
| "issuesData": {}, | |
| "affectedPkgs": {} | |
| } | |
| }, | |
| "summary": "122 vulnerable dependency paths", | |
| "filesystemPolicy": false, | |
| "filtered": { | |
| "ignore": [], | |
| "patch": [] | |
| }, | |
| "uniqueCount": 38, | |
| "projectName": "docker-image|clmdevops/detect-secrets", | |
| "path": "clmdevops/detect-secrets/detect-secrets" | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment