Created
May 3, 2023 18:46
-
-
Save sozercan/3c93e33e8cd5a897283be2a48beab495 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "version": "2.1.0", | |
| "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json", | |
| "runs": [ | |
| { | |
| "tool": { | |
| "driver": { | |
| "fullName": "Trivy Vulnerability Scanner", | |
| "informationUri": "https://github.com/aquasecurity/trivy", | |
| "name": "Trivy", | |
| "rules": [ | |
| { | |
| "id": "CVE-2023-0465", | |
| "name": "OsPackageVulnerability", | |
| "shortDescription": { | |
| "text": "Invalid certificate policies in leaf certificates are silently ignored" | |
| }, | |
| "fullDescription": { | |
| "text": "Applications that use a non-default option when verifying certificates may be\nvulnerable to an attack from a malicious CA to circumvent certain checks.\n\nInvalid certificate policies in leaf certificates are silently ignored by\nOpenSSL and other certificate policy checks are skipped for that certificate.\nA malicious CA could use this to deliberately assert invalid certificate policies\nin order to circumvent policy checking on the certificate altogether.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy\u0026#39; argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()\u0026#39; function." | |
| }, | |
| "defaultConfiguration": { | |
| "level": "warning" | |
| }, | |
| "helpUri": "https://avd.aquasec.com/nvd/cve-2023-0465", | |
| "help": { | |
| "text": "Vulnerability CVE-2023-0465\nSeverity: MEDIUM\nPackage: openssl\nFixed Version: 3.0.8-r2\nLink: [CVE-2023-0465](https://avd.aquasec.com/nvd/cve-2023-0465)\nApplications that use a non-default option when verifying certificates may be\nvulnerable to an attack from a malicious CA to circumvent certain checks.\n\nInvalid certificate policies in leaf certificates are silently ignored by\nOpenSSL and other certificate policy checks are skipped for that certificate.\nA malicious CA could use this to deliberately assert invalid certificate policies\nin order to circumvent policy checking on the certificate altogether.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.", | |
| "markdown": "**Vulnerability CVE-2023-0465**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|openssl|3.0.8-r2|[CVE-2023-0465](https://avd.aquasec.com/nvd/cve-2023-0465)|\n\nApplications that use a non-default option when verifying certificates may be\nvulnerable to an attack from a malicious CA to circumvent certain checks.\n\nInvalid certificate policies in leaf certificates are silently ignored by\nOpenSSL and other certificate policy checks are skipped for that certificate.\nA malicious CA could use this to deliberately assert invalid certificate policies\nin order to circumvent policy checking on the certificate altogether.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function." | |
| }, | |
| "properties": { | |
| "precision": "very-high", | |
| "security-severity": "5.3", | |
| "tags": [ | |
| "vulnerability", | |
| "security", | |
| "MEDIUM" | |
| ] | |
| } | |
| }, | |
| { | |
| "id": "CVE-2023-0466", | |
| "name": "OsPackageVulnerability", | |
| "shortDescription": { | |
| "text": "Certificate policy check not enabled" | |
| }, | |
| "fullDescription": { | |
| "text": "The function X509_VERIFY_PARAM_add0_policy() is documented to\nimplicitly enable the certificate policy check when doing certificate\nverification. However the implementation of the function does not\nenable the check which allows certificates with invalid or incorrect\npolicies to pass the certificate verification.\n\nAs suddenly enabling the policy check could break existing deployments it was\ndecided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()\nfunction.\n\nInstead the applications that require OpenSSL to perform certificate\npolicy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly\nenable the policy check by calling X509_VERIFY_PARAM_set_flags() with\nthe X509_V_FLAG_POLICY_CHECK flag argument.\n\nCertificate policy checks are disabled by default in OpenSSL and are not\ncommonly used by applications." | |
| }, | |
| "defaultConfiguration": { | |
| "level": "warning" | |
| }, | |
| "helpUri": "https://avd.aquasec.com/nvd/cve-2023-0466", | |
| "help": { | |
| "text": "Vulnerability CVE-2023-0466\nSeverity: MEDIUM\nPackage: openssl\nFixed Version: 3.0.8-r3\nLink: [CVE-2023-0466](https://avd.aquasec.com/nvd/cve-2023-0466)\nThe function X509_VERIFY_PARAM_add0_policy() is documented to\nimplicitly enable the certificate policy check when doing certificate\nverification. However the implementation of the function does not\nenable the check which allows certificates with invalid or incorrect\npolicies to pass the certificate verification.\n\nAs suddenly enabling the policy check could break existing deployments it was\ndecided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()\nfunction.\n\nInstead the applications that require OpenSSL to perform certificate\npolicy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly\nenable the policy check by calling X509_VERIFY_PARAM_set_flags() with\nthe X509_V_FLAG_POLICY_CHECK flag argument.\n\nCertificate policy checks are disabled by default in OpenSSL and are not\ncommonly used by applications.", | |
| "markdown": "**Vulnerability CVE-2023-0466**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|openssl|3.0.8-r3|[CVE-2023-0466](https://avd.aquasec.com/nvd/cve-2023-0466)|\n\nThe function X509_VERIFY_PARAM_add0_policy() is documented to\nimplicitly enable the certificate policy check when doing certificate\nverification. However the implementation of the function does not\nenable the check which allows certificates with invalid or incorrect\npolicies to pass the certificate verification.\n\nAs suddenly enabling the policy check could break existing deployments it was\ndecided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()\nfunction.\n\nInstead the applications that require OpenSSL to perform certificate\npolicy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly\nenable the policy check by calling X509_VERIFY_PARAM_set_flags() with\nthe X509_V_FLAG_POLICY_CHECK flag argument.\n\nCertificate policy checks are disabled by default in OpenSSL and are not\ncommonly used by applications." | |
| }, | |
| "properties": { | |
| "precision": "very-high", | |
| "security-severity": "5.3", | |
| "tags": [ | |
| "vulnerability", | |
| "security", | |
| "MEDIUM" | |
| ] | |
| } | |
| }, | |
| { | |
| "id": "CVE-2023-1255", | |
| "name": "OsPackageVulnerability", | |
| "shortDescription": { | |
| "text": "Input buffer over-read in AES-XTS implementation on 64 bit ARM" | |
| }, | |
| "fullDescription": { | |
| "text": "Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM\nplatform contains a bug that could cause it to read past the input buffer,\nleading to a crash.\n\nImpact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM\nplatform can crash in rare circumstances. The AES-XTS algorithm is usually\nused for disk encryption.\n\nThe AES-XTS cipher decryption implementation for 64 bit ARM platform will read\npast the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16\nbyte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext\nbuffer is unmapped, this will trigger a crash which results in a denial of\nservice.\n\nIf an attacker can control the size and location of the ciphertext buffer\nbeing decrypted by an application using AES-XTS on 64 bit ARM, the\napplication is affected. This is fairly unlikely making this issue\na Low severity one." | |
| }, | |
| "defaultConfiguration": { | |
| "level": "warning" | |
| }, | |
| "helpUri": "https://avd.aquasec.com/nvd/cve-2023-1255", | |
| "help": { | |
| "text": "Vulnerability CVE-2023-1255\nSeverity: MEDIUM\nPackage: openssl\nFixed Version: 3.0.8-r4\nLink: [CVE-2023-1255](https://avd.aquasec.com/nvd/cve-2023-1255)\nIssue summary: The AES-XTS cipher decryption implementation for 64 bit ARM\nplatform contains a bug that could cause it to read past the input buffer,\nleading to a crash.\n\nImpact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM\nplatform can crash in rare circumstances. The AES-XTS algorithm is usually\nused for disk encryption.\n\nThe AES-XTS cipher decryption implementation for 64 bit ARM platform will read\npast the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16\nbyte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext\nbuffer is unmapped, this will trigger a crash which results in a denial of\nservice.\n\nIf an attacker can control the size and location of the ciphertext buffer\nbeing decrypted by an application using AES-XTS on 64 bit ARM, the\napplication is affected. This is fairly unlikely making this issue\na Low severity one.", | |
| "markdown": "**Vulnerability CVE-2023-1255**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|openssl|3.0.8-r4|[CVE-2023-1255](https://avd.aquasec.com/nvd/cve-2023-1255)|\n\nIssue summary: The AES-XTS cipher decryption implementation for 64 bit ARM\nplatform contains a bug that could cause it to read past the input buffer,\nleading to a crash.\n\nImpact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM\nplatform can crash in rare circumstances. The AES-XTS algorithm is usually\nused for disk encryption.\n\nThe AES-XTS cipher decryption implementation for 64 bit ARM platform will read\npast the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16\nbyte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext\nbuffer is unmapped, this will trigger a crash which results in a denial of\nservice.\n\nIf an attacker can control the size and location of the ciphertext buffer\nbeing decrypted by an application using AES-XTS on 64 bit ARM, the\napplication is affected. This is fairly unlikely making this issue\na Low severity one." | |
| }, | |
| "properties": { | |
| "precision": "very-high", | |
| "security-severity": "5.9", | |
| "tags": [ | |
| "vulnerability", | |
| "security", | |
| "MEDIUM" | |
| ] | |
| } | |
| }, | |
| { | |
| "id": "CVE-2023-28484", | |
| "name": "OsPackageVulnerability", | |
| "shortDescription": { | |
| "text": "NULL dereference in xmlSchemaFixupComplexType" | |
| }, | |
| "fullDescription": { | |
| "text": "In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c." | |
| }, | |
| "defaultConfiguration": { | |
| "level": "warning" | |
| }, | |
| "helpUri": "https://avd.aquasec.com/nvd/cve-2023-28484", | |
| "help": { | |
| "text": "Vulnerability CVE-2023-28484\nSeverity: MEDIUM\nPackage: libxml2\nFixed Version: 2.10.4-r0\nLink: [CVE-2023-28484](https://avd.aquasec.com/nvd/cve-2023-28484)\nIn libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c.", | |
| "markdown": "**Vulnerability CVE-2023-28484**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libxml2|2.10.4-r0|[CVE-2023-28484](https://avd.aquasec.com/nvd/cve-2023-28484)|\n\nIn libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c." | |
| }, | |
| "properties": { | |
| "precision": "very-high", | |
| "security-severity": "5.5", | |
| "tags": [ | |
| "vulnerability", | |
| "security", | |
| "MEDIUM" | |
| ] | |
| } | |
| }, | |
| { | |
| "id": "CVE-2023-29469", | |
| "name": "OsPackageVulnerability", | |
| "shortDescription": { | |
| "text": "Hashing of empty dict strings isn\u0026#39;t deterministic" | |
| }, | |
| "fullDescription": { | |
| "text": "An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the \u0026#39;\\0\u0026#39; value)." | |
| }, | |
| "defaultConfiguration": { | |
| "level": "warning" | |
| }, | |
| "helpUri": "https://avd.aquasec.com/nvd/cve-2023-29469", | |
| "help": { | |
| "text": "Vulnerability CVE-2023-29469\nSeverity: MEDIUM\nPackage: libxml2\nFixed Version: 2.10.4-r0\nLink: [CVE-2023-29469](https://avd.aquasec.com/nvd/cve-2023-29469)\nAn issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\\0' value).", | |
| "markdown": "**Vulnerability CVE-2023-29469**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libxml2|2.10.4-r0|[CVE-2023-29469](https://avd.aquasec.com/nvd/cve-2023-29469)|\n\nAn issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\\0' value)." | |
| }, | |
| "properties": { | |
| "precision": "very-high", | |
| "security-severity": "5.5", | |
| "tags": [ | |
| "vulnerability", | |
| "security", | |
| "MEDIUM" | |
| ] | |
| } | |
| }, | |
| { | |
| "id": "CVE-2023-27561", | |
| "name": "LanguageSpecificPackageVulnerability", | |
| "shortDescription": { | |
| "text": "runc: volume mount race condition (regression of CVE-2019-19921)" | |
| }, | |
| "fullDescription": { | |
| "text": "runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression." | |
| }, | |
| "defaultConfiguration": { | |
| "level": "error" | |
| }, | |
| "helpUri": "https://avd.aquasec.com/nvd/cve-2023-27561", | |
| "help": { | |
| "text": "Vulnerability CVE-2023-27561\nSeverity: HIGH\nPackage: github.com/opencontainers/runc\nFixed Version: v1.1.5\nLink: [CVE-2023-27561](https://avd.aquasec.com/nvd/cve-2023-27561)\nrunc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression.", | |
| "markdown": "**Vulnerability CVE-2023-27561**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|HIGH|github.com/opencontainers/runc|v1.1.5|[CVE-2023-27561](https://avd.aquasec.com/nvd/cve-2023-27561)|\n\nrunc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression." | |
| }, | |
| "properties": { | |
| "precision": "very-high", | |
| "security-severity": "7.0", | |
| "tags": [ | |
| "vulnerability", | |
| "security", | |
| "HIGH" | |
| ] | |
| } | |
| }, | |
| { | |
| "id": "CVE-2023-28642", | |
| "name": "LanguageSpecificPackageVulnerability", | |
| "shortDescription": { | |
| "text": "AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration" | |
| }, | |
| "fullDescription": { | |
| "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked `/proc`. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image." | |
| }, | |
| "defaultConfiguration": { | |
| "level": "error" | |
| }, | |
| "helpUri": "https://avd.aquasec.com/nvd/cve-2023-28642", | |
| "help": { | |
| "text": "Vulnerability CVE-2023-28642\nSeverity: HIGH\nPackage: github.com/opencontainers/runc\nFixed Version: v1.1.5\nLink: [CVE-2023-28642](https://avd.aquasec.com/nvd/cve-2023-28642)\nrunc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked `/proc`. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image.", | |
| "markdown": "**Vulnerability CVE-2023-28642**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|HIGH|github.com/opencontainers/runc|v1.1.5|[CVE-2023-28642](https://avd.aquasec.com/nvd/cve-2023-28642)|\n\nrunc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked `/proc`. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image." | |
| }, | |
| "properties": { | |
| "precision": "very-high", | |
| "security-severity": "7.8", | |
| "tags": [ | |
| "vulnerability", | |
| "security", | |
| "HIGH" | |
| ] | |
| } | |
| }, | |
| { | |
| "id": "CVE-2023-25809", | |
| "name": "LanguageSpecificPackageVulnerability", | |
| "shortDescription": { | |
| "text": "Rootless runc makes `/sys/fs/cgroup` writable" | |
| }, | |
| "fullDescription": { | |
| "text": "runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host . Other users\u0026#39;s cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private)`. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add `/sys/fs/cgroup` to `maskedPaths`." | |
| }, | |
| "defaultConfiguration": { | |
| "level": "warning" | |
| }, | |
| "helpUri": "https://avd.aquasec.com/nvd/cve-2023-25809", | |
| "help": { | |
| "text": "Vulnerability CVE-2023-25809\nSeverity: MEDIUM\nPackage: github.com/opencontainers/runc\nFixed Version: v1.1.5\nLink: [CVE-2023-25809](https://avd.aquasec.com/nvd/cve-2023-25809)\nrunc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private)`. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add `/sys/fs/cgroup` to `maskedPaths`.", | |
| "markdown": "**Vulnerability CVE-2023-25809**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|github.com/opencontainers/runc|v1.1.5|[CVE-2023-25809](https://avd.aquasec.com/nvd/cve-2023-25809)|\n\nrunc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private)`. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add `/sys/fs/cgroup` to `maskedPaths`." | |
| }, | |
| "properties": { | |
| "precision": "very-high", | |
| "security-severity": "6.3", | |
| "tags": [ | |
| "vulnerability", | |
| "security", | |
| "MEDIUM" | |
| ] | |
| } | |
| } | |
| ], | |
| "version": "0.41.0" | |
| } | |
| }, | |
| "results": [ | |
| { | |
| "ruleId": "CVE-2023-0465", | |
| "ruleIndex": 0, | |
| "level": "warning", | |
| "message": { | |
| "text": "Package: libcrypto3\nInstalled Version: 3.0.8-r1\nVulnerability CVE-2023-0465\nSeverity: MEDIUM\nFixed Version: 3.0.8-r2\nLink: [CVE-2023-0465](https://avd.aquasec.com/nvd/cve-2023-0465)" | |
| }, | |
| "locations": [ | |
| { | |
| "physicalLocation": { | |
| "artifactLocation": { | |
| "uri": "ingress-nginx/controller", | |
| "uriBaseId": "ROOTPATH" | |
| }, | |
| "region": { | |
| "startLine": 1, | |
| "startColumn": 1, | |
| "endLine": 1, | |
| "endColumn": 1 | |
| } | |
| }, | |
| "message": { | |
| "text": "ingress-nginx/controller: libcrypto3@3.0.8-r1" | |
| } | |
| } | |
| ] | |
| }, | |
| { | |
| "ruleId": "CVE-2023-0466", | |
| "ruleIndex": 1, | |
| "level": "warning", | |
| "message": { | |
| "text": "Package: libcrypto3\nInstalled Version: 3.0.8-r1\nVulnerability CVE-2023-0466\nSeverity: MEDIUM\nFixed Version: 3.0.8-r3\nLink: [CVE-2023-0466](https://avd.aquasec.com/nvd/cve-2023-0466)" | |
| }, | |
| "locations": [ | |
| { | |
| "physicalLocation": { | |
| "artifactLocation": { | |
| "uri": "ingress-nginx/controller", | |
| "uriBaseId": "ROOTPATH" | |
| }, | |
| "region": { | |
| "startLine": 1, | |
| "startColumn": 1, | |
| "endLine": 1, | |
| "endColumn": 1 | |
| } | |
| }, | |
| "message": { | |
| "text": "ingress-nginx/controller: libcrypto3@3.0.8-r1" | |
| } | |
| } | |
| ] | |
| }, | |
| { | |
| "ruleId": "CVE-2023-1255", | |
| "ruleIndex": 2, | |
| "level": "warning", | |
| "message": { | |
| "text": "Package: libcrypto3\nInstalled Version: 3.0.8-r1\nVulnerability CVE-2023-1255\nSeverity: MEDIUM\nFixed Version: 3.0.8-r4\nLink: [CVE-2023-1255](https://avd.aquasec.com/nvd/cve-2023-1255)" | |
| }, | |
| "locations": [ | |
| { | |
| "physicalLocation": { | |
| "artifactLocation": { | |
| "uri": "ingress-nginx/controller", | |
| "uriBaseId": "ROOTPATH" | |
| }, | |
| "region": { | |
| "startLine": 1, | |
| "startColumn": 1, | |
| "endLine": 1, | |
| "endColumn": 1 | |
| } | |
| }, | |
| "message": { | |
| "text": "ingress-nginx/controller: libcrypto3@3.0.8-r1" | |
| } | |
| } | |
| ] | |
| }, | |
| { | |
| "ruleId": "CVE-2023-0465", | |
| "ruleIndex": 0, | |
| "level": "warning", | |
| "message": { | |
| "text": "Package: libssl3\nInstalled Version: 3.0.8-r1\nVulnerability CVE-2023-0465\nSeverity: MEDIUM\nFixed Version: 3.0.8-r2\nLink: [CVE-2023-0465](https://avd.aquasec.com/nvd/cve-2023-0465)" | |
| }, | |
| "locations": [ | |
| { | |
| "physicalLocation": { | |
| "artifactLocation": { | |
| "uri": "ingress-nginx/controller", | |
| "uriBaseId": "ROOTPATH" | |
| }, | |
| "region": { | |
| "startLine": 1, | |
| "startColumn": 1, | |
| "endLine": 1, | |
| "endColumn": 1 | |
| } | |
| }, | |
| "message": { | |
| "text": "ingress-nginx/controller: libssl3@3.0.8-r1" | |
| } | |
| } | |
| ] | |
| }, | |
| { | |
| "ruleId": "CVE-2023-0466", | |
| "ruleIndex": 1, | |
| "level": "warning", | |
| "message": { | |
| "text": "Package: libssl3\nInstalled Version: 3.0.8-r1\nVulnerability CVE-2023-0466\nSeverity: MEDIUM\nFixed Version: 3.0.8-r3\nLink: [CVE-2023-0466](https://avd.aquasec.com/nvd/cve-2023-0466)" | |
| }, | |
| "locations": [ | |
| { | |
| "physicalLocation": { | |
| "artifactLocation": { | |
| "uri": "ingress-nginx/controller", | |
| "uriBaseId": "ROOTPATH" | |
| }, | |
| "region": { | |
| "startLine": 1, | |
| "startColumn": 1, | |
| "endLine": 1, | |
| "endColumn": 1 | |
| } | |
| }, | |
| "message": { | |
| "text": "ingress-nginx/controller: libssl3@3.0.8-r1" | |
| } | |
| } | |
| ] | |
| }, | |
| { | |
| "ruleId": "CVE-2023-1255", | |
| "ruleIndex": 2, | |
| "level": "warning", | |
| "message": { | |
| "text": "Package: libssl3\nInstalled Version: 3.0.8-r1\nVulnerability CVE-2023-1255\nSeverity: MEDIUM\nFixed Version: 3.0.8-r4\nLink: [CVE-2023-1255](https://avd.aquasec.com/nvd/cve-2023-1255)" | |
| }, | |
| "locations": [ | |
| { | |
| "physicalLocation": { | |
| "artifactLocation": { | |
| "uri": "ingress-nginx/controller", | |
| "uriBaseId": "ROOTPATH" | |
| }, | |
| "region": { | |
| "startLine": 1, | |
| "startColumn": 1, | |
| "endLine": 1, | |
| "endColumn": 1 | |
| } | |
| }, | |
| "message": { | |
| "text": "ingress-nginx/controller: libssl3@3.0.8-r1" | |
| } | |
| } | |
| ] | |
| }, | |
| { | |
| "ruleId": "CVE-2023-28484", | |
| "ruleIndex": 3, | |
| "level": "warning", | |
| "message": { | |
| "text": "Package: libxml2\nInstalled Version: 2.10.3-r1\nVulnerability CVE-2023-28484\nSeverity: MEDIUM\nFixed Version: 2.10.4-r0\nLink: [CVE-2023-28484](https://avd.aquasec.com/nvd/cve-2023-28484)" | |
| }, | |
| "locations": [ | |
| { | |
| "physicalLocation": { | |
| "artifactLocation": { | |
| "uri": "ingress-nginx/controller", | |
| "uriBaseId": "ROOTPATH" | |
| }, | |
| "region": { | |
| "startLine": 1, | |
| "startColumn": 1, | |
| "endLine": 1, | |
| "endColumn": 1 | |
| } | |
| }, | |
| "message": { | |
| "text": "ingress-nginx/controller: libxml2@2.10.3-r1" | |
| } | |
| } | |
| ] | |
| }, | |
| { | |
| "ruleId": "CVE-2023-29469", | |
| "ruleIndex": 4, | |
| "level": "warning", | |
| "message": { | |
| "text": "Package: libxml2\nInstalled Version: 2.10.3-r1\nVulnerability CVE-2023-29469\nSeverity: MEDIUM\nFixed Version: 2.10.4-r0\nLink: [CVE-2023-29469](https://avd.aquasec.com/nvd/cve-2023-29469)" | |
| }, | |
| "locations": [ | |
| { | |
| "physicalLocation": { | |
| "artifactLocation": { | |
| "uri": "ingress-nginx/controller", | |
| "uriBaseId": "ROOTPATH" | |
| }, | |
| "region": { | |
| "startLine": 1, | |
| "startColumn": 1, | |
| "endLine": 1, | |
| "endColumn": 1 | |
| } | |
| }, | |
| "message": { | |
| "text": "ingress-nginx/controller: libxml2@2.10.3-r1" | |
| } | |
| } | |
| ] | |
| }, | |
| { | |
| "ruleId": "CVE-2023-0465", | |
| "ruleIndex": 0, | |
| "level": "warning", | |
| "message": { | |
| "text": "Package: openssl\nInstalled Version: 3.0.8-r1\nVulnerability CVE-2023-0465\nSeverity: MEDIUM\nFixed Version: 3.0.8-r2\nLink: [CVE-2023-0465](https://avd.aquasec.com/nvd/cve-2023-0465)" | |
| }, | |
| "locations": [ | |
| { | |
| "physicalLocation": { | |
| "artifactLocation": { | |
| "uri": "ingress-nginx/controller", | |
| "uriBaseId": "ROOTPATH" | |
| }, | |
| "region": { | |
| "startLine": 1, | |
| "startColumn": 1, | |
| "endLine": 1, | |
| "endColumn": 1 | |
| } | |
| }, | |
| "message": { | |
| "text": "ingress-nginx/controller: openssl@3.0.8-r1" | |
| } | |
| } | |
| ] | |
| }, | |
| { | |
| "ruleId": "CVE-2023-0466", | |
| "ruleIndex": 1, | |
| "level": "warning", | |
| "message": { | |
| "text": "Package: openssl\nInstalled Version: 3.0.8-r1\nVulnerability CVE-2023-0466\nSeverity: MEDIUM\nFixed Version: 3.0.8-r3\nLink: [CVE-2023-0466](https://avd.aquasec.com/nvd/cve-2023-0466)" | |
| }, | |
| "locations": [ | |
| { | |
| "physicalLocation": { | |
| "artifactLocation": { | |
| "uri": "ingress-nginx/controller", | |
| "uriBaseId": "ROOTPATH" | |
| }, | |
| "region": { | |
| "startLine": 1, | |
| "startColumn": 1, | |
| "endLine": 1, | |
| "endColumn": 1 | |
| } | |
| }, | |
| "message": { | |
| "text": "ingress-nginx/controller: openssl@3.0.8-r1" | |
| } | |
| } | |
| ] | |
| }, | |
| { | |
| "ruleId": "CVE-2023-1255", | |
| "ruleIndex": 2, | |
| "level": "warning", | |
| "message": { | |
| "text": "Package: openssl\nInstalled Version: 3.0.8-r1\nVulnerability CVE-2023-1255\nSeverity: MEDIUM\nFixed Version: 3.0.8-r4\nLink: [CVE-2023-1255](https://avd.aquasec.com/nvd/cve-2023-1255)" | |
| }, | |
| "locations": [ | |
| { | |
| "physicalLocation": { | |
| "artifactLocation": { | |
| "uri": "ingress-nginx/controller", | |
| "uriBaseId": "ROOTPATH" | |
| }, | |
| "region": { | |
| "startLine": 1, | |
| "startColumn": 1, | |
| "endLine": 1, | |
| "endColumn": 1 | |
| } | |
| }, | |
| "message": { | |
| "text": "ingress-nginx/controller: openssl@3.0.8-r1" | |
| } | |
| } | |
| ] | |
| }, | |
| { | |
| "ruleId": "CVE-2023-27561", | |
| "ruleIndex": 5, | |
| "level": "error", | |
| "message": { | |
| "text": "Package: github.com/opencontainers/runc\nInstalled Version: v1.1.4\nVulnerability CVE-2023-27561\nSeverity: HIGH\nFixed Version: v1.1.5\nLink: [CVE-2023-27561](https://avd.aquasec.com/nvd/cve-2023-27561)" | |
| }, | |
| "locations": [ | |
| { | |
| "physicalLocation": { | |
| "artifactLocation": { | |
| "uri": "nginx-ingress-controller", | |
| "uriBaseId": "ROOTPATH" | |
| }, | |
| "region": { | |
| "startLine": 1, | |
| "startColumn": 1, | |
| "endLine": 1, | |
| "endColumn": 1 | |
| } | |
| }, | |
| "message": { | |
| "text": "nginx-ingress-controller: github.com/opencontainers/runc@v1.1.4" | |
| } | |
| } | |
| ] | |
| }, | |
| { | |
| "ruleId": "CVE-2023-28642", | |
| "ruleIndex": 6, | |
| "level": "error", | |
| "message": { | |
| "text": "Package: github.com/opencontainers/runc\nInstalled Version: v1.1.4\nVulnerability CVE-2023-28642\nSeverity: HIGH\nFixed Version: v1.1.5\nLink: [CVE-2023-28642](https://avd.aquasec.com/nvd/cve-2023-28642)" | |
| }, | |
| "locations": [ | |
| { | |
| "physicalLocation": { | |
| "artifactLocation": { | |
| "uri": "nginx-ingress-controller", | |
| "uriBaseId": "ROOTPATH" | |
| }, | |
| "region": { | |
| "startLine": 1, | |
| "startColumn": 1, | |
| "endLine": 1, | |
| "endColumn": 1 | |
| } | |
| }, | |
| "message": { | |
| "text": "nginx-ingress-controller: github.com/opencontainers/runc@v1.1.4" | |
| } | |
| } | |
| ] | |
| }, | |
| { | |
| "ruleId": "CVE-2023-25809", | |
| "ruleIndex": 7, | |
| "level": "warning", | |
| "message": { | |
| "text": "Package: github.com/opencontainers/runc\nInstalled Version: v1.1.4\nVulnerability CVE-2023-25809\nSeverity: MEDIUM\nFixed Version: v1.1.5\nLink: [CVE-2023-25809](https://avd.aquasec.com/nvd/cve-2023-25809)" | |
| }, | |
| "locations": [ | |
| { | |
| "physicalLocation": { | |
| "artifactLocation": { | |
| "uri": "nginx-ingress-controller", | |
| "uriBaseId": "ROOTPATH" | |
| }, | |
| "region": { | |
| "startLine": 1, | |
| "startColumn": 1, | |
| "endLine": 1, | |
| "endColumn": 1 | |
| } | |
| }, | |
| "message": { | |
| "text": "nginx-ingress-controller: github.com/opencontainers/runc@v1.1.4" | |
| } | |
| } | |
| ] | |
| } | |
| ], | |
| "columnKind": "utf16CodeUnits", | |
| "originalUriBaseIds": { | |
| "ROOTPATH": { | |
| "uri": "file:///" | |
| } | |
| }, | |
| "properties": { | |
| "imageName": "registry.k8s.io/ingress-nginx/controller:v1.7.0", | |
| "repoDigests": [ | |
| "registry.k8s.io/ingress-nginx/controller@sha256:7612338342a1e7b8090bef78f2a04fffcadd548ccaabe8a47bf7758ff549a5f7" | |
| ], | |
| "repoTags": [ | |
| "registry.k8s.io/ingress-nginx/controller:v1.7.0" | |
| ] | |
| } | |
| } | |
| ] | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment