Last active: May 8, 2022 21:02
Gist: thomasdarimont/efb1a1327a585517db5a047401852a88
CVEs reported in Keycloak Image quay.io/keycloak/keycloak:18.0.0 by aquasec/trivy
docker run --privileged --rm -v /home/tom/.trivy/cache:/root/.cache/ -v /var/run/docker.sock:/var/run/docker.sock:z aquasec/trivy:0.27.1 image thomasdarimont/custom-keycloakx:1.0.0-SNAPSHOT
2022-05-07T11:40:04.324Z INFO Detected OS: redhat
2022-05-07T11:40:04.324Z INFO Detecting RHEL/CentOS vulnerabilities...
2022-05-07T11:40:04.356Z INFO Number of language-specific files: 1
2022-05-07T11:40:04.356Z INFO Detecting jar vulnerabilities...
thomasdarimont/custom-keycloakx:1.0.0-SNAPSHOT (redhat 8.5)
===========================================================
Total: 104 (UNKNOWN: 0, LOW: 37, MEDIUM: 65, HIGH: 2, CRITICAL: 0)
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| avahi-libs | CVE-2021-3468 | MEDIUM | 0.7-20.el8 | | avahi: Local DoS by event-busy-loop |
| | | | | | from writing long lines to |
| | | | | | /run/avahi-daemon/socket |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3468 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2017-6519 | LOW | | | avahi: Multicast DNS |
| | | | | | responds to unicast queries |
| | | | | | outside of local network |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-6519 |
+---------------------+------------------+ +--------------------+---------------+-----------------------------------------+
| bzip2-libs | CVE-2019-12900 | | 1.0.6-26.el8 | | bzip2: out-of-bounds write |
| | | | | | in function BZ2_decompress |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-12900 |
+---------------------+------------------+ +--------------------+---------------+-----------------------------------------+
| cups-libs | CVE-2021-25317 | | 1:2.2.6-40.el8 | | cups: insecure permissions |
| | | | | | of /var/log/cups allows |
| | | | | | for symlink attacks |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-25317 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| curl | CVE-2022-22576 | MEDIUM | 7.61.1-22.el8 | | curl: OAUTH2 bearer bypass |
| | | | | | in connection re-use |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22576 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-27774 | | | | curl: credential leak on redirect |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27774 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-27776 | | | | curl: auth/cookie leak on redirect |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27776 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| dbus-libs | CVE-2020-35512 | LOW | 1:1.12.8-14.el8 | | dbus: users with the same numeric UID |
| | | | | | could lead to use-after-free and... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-35512 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| expat | CVE-2021-45960 | MEDIUM | 2.2.5-4.el8_5.3 | | expat: Large number of prefixed XML |
| | | | | | attributes on a single tag can... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-45960 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-46143 | | | | expat: Integer overflow |
| | | | | | in doProlog in xmlparse.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-46143 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-22822 | | | | expat: Integer overflow in |
| | | | | | addBinding in xmlparse.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22822 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-22823 | | | | expat: Integer overflow in |
| | | | | | build_model in xmlparse.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22823 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-22824 | | | | expat: Integer overflow in |
| | | | | | defineAttribute in xmlparse.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22824 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-22825 | | | | expat: Integer overflow |
| | | | | | in lookup in xmlparse.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22825 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-22826 | | | | expat: Integer overflow in |
| | | | | | nextScaffoldPart in xmlparse.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22826 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-22827 | | | | expat: Integer overflow |
| | | | | | in storeAtts in xmlparse.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22827 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-25314 | | | | expat: integer overflow |
| | | | | | in copyString() |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-25314 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| file-libs | CVE-2019-8905 | LOW | 5.33-20.el8 | | file: stack-based buffer over-read |
| | | | | | in do_core_note in readelf.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-8905 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-8906 | | | | file: out-of-bounds read in |
| | | | | | do_core_note in readelf.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-8906 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| freetype | CVE-2022-27404 | MEDIUM | 2.9.1-4.el8_3.1 | | FreeType: Buffer Overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27404 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-27405 | | | | FreeType: Segementation Fault |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27405 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-27406 | | | | Freetype: Segmentation violation |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27406 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| glib2 | CVE-2018-16428 | LOW | 2.56.4-156.el8 | | glib2: NULL pointer dereference in |
| | | | | | g_markup_parse_context_end_parse() |
| | | | | | function in gmarkup.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-16428 |
+---------------------+------------------+ +--------------------+---------------+-----------------------------------------+
| gmp | CVE-2021-43618 | | 1:6.1.2-10.el8 | | gmp: Integer overflow and resultant |
| | | | | | buffer overflow via crafted input |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-43618 |
+---------------------+------------------+ +--------------------+---------------+-----------------------------------------+
| gnutls | CVE-2021-4209 | | 3.6.16-4.el8 | | GnuTLS: Null pointer |
| | | | | | dereference in MD_UPDATE |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-4209 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| krb5-libs | CVE-2020-17049 | MEDIUM | 1.18.2-14.el8 | | Kerberos: delegation |
| | | | | | constrain bypass in S4U2Proxy |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-17049 |
+---------------------+------------------+ +--------------------+---------------+-----------------------------------------+
| lcms2 | CVE-2018-16435 | | 2.9-2.el8 | | lcms2: Integer overflow |
| | | | | | in AllocateDataSet() in |
| | | | | | cmscgats.c leading to |
| | | | | | heap-based buffer overflow... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-16435 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| libarchive | CVE-2022-26280 | HIGH | 3.3.3-3.el8_5 | | libarchive: an out-of-bounds read via |
| | | | | | the component zipx_lzma_alone_init |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-26280 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2020-21674 | MEDIUM | | | libarchive: heap-based |
| | | | | | buffer overflow in |
| | | | | | archive_string_append_from_wcs |
| | | | | | function in archive_string.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-21674 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2017-14166 | LOW | | | libarchive: Heap-based buffer |
| | | | | | over-read in the atol8 function |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-14166 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2017-14501 | | | | libarchive: Out-of-bounds |
| | | | | | read in parse_file_info |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-14501 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2018-1000879 | | | | libarchive: NULL pointer dereference in |
| | | | | | ACL parser resulting in a denial of... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-1000879 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2018-1000880 | | | | libarchive: Improper input |
| | | | | | validation in WARC parser |
| | | | | | resulting in a denial of... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-1000880 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| libcom_err | CVE-2022-1304 | MEDIUM | 1.45.6-2.el8 | | e2fsprogs: out-of-bounds |
| | | | | | read/write via crafted filesystem |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-1304 |
+---------------------+------------------+ +--------------------+---------------+-----------------------------------------+
| libcurl | CVE-2022-22576 | | 7.61.1-22.el8 | | curl: OAUTH2 bearer bypass |
| | | | | | in connection re-use |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22576 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-27774 | | | | curl: credential leak on redirect |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27774 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-27776 | | | | curl: auth/cookie leak on redirect |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27776 |
+---------------------+------------------+ +--------------------+---------------+-----------------------------------------+
| libgcc | CVE-2018-20673 | | 8.5.0-4.el8_5 | | libiberty: Integer overflow in |
| | | | | | demangle_template() function |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20673 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-42694 | | | | Developer environment: |
| | | | | | Homoglyph characters can |
| | | | | | lead to trojan source attack |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-42694 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-27943 | | | | : binutils: libiberty/rust-demangle.c |
| | | | | | in GNU GCC 11.2 allows stack |
| | | | | | exhaustion in demangle_const... |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27943 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2018-20657 | LOW | | | libiberty: Memory leak in |
| | | | | | demangle_template function |
| | | | | | resulting in a denial of service... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20657 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-14250 | | | | binutils: integer overflow in |
| | | | | | simple-object-elf.c leads to |
| | | | | | a heap-based buffer overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-14250 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| libgcrypt | CVE-2019-12904 | MEDIUM | 1.8.5-6.el8 | | Libgcrypt: physical addresses |
| | | | | | being available to other processes |
| | | | | | leads to a flush-and-reload... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-12904 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-40528 | | | | libgcrypt: ElGamal implementation |
| | | | | | allows plaintext recovery |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-40528 |
+---------------------+------------------+ +--------------------+---------------+-----------------------------------------+
| libjpeg-turbo | CVE-2019-2201 | | 1.5.3-12.el8 | | libjpeg-turbo: several integer |
| | | | | | overflows and subsequent |
| | | | | | segfaults when attempting to |
| | | | | | compress/decompress gigapixel... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-2201 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2020-13790 | | | | libjpeg-turbo: heap-based buffer |
| | | | | | over-read in get_rgb_row() in rdppm.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-13790 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2020-17541 | | | | libjpeg-turbo: Stack-based buffer |
| | | | | | overflow in the "transform" component |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-17541 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| libpng | CVE-2019-7317 | LOW | 2:1.6.34-5.el8 | | libpng: use-after-free in |
| | | | | | png_image_free in png.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-7317 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| libsolv | CVE-2021-44568 | MEDIUM | 0.7.19-1.el8 | | libsolv: heap-overflows in |
| | | | | | resolve_dependencies function |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44568 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-44569 | | | | libsolv: Heap overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44569 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-44570 | | | | libsolv: Heap overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44570 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-44571 | | | | libsolv: Heap overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44571 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-44573 | | | | libsolv: Heap overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44573 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-44574 | | | | libsolv: Heap overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44574 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-44575 | | | | libsolv: Heap overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44575 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-44576 | | | | libsolv: Heap overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44576 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-44577 | | | | libsolv: Heap overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44577 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| libssh | CVE-2021-3634 | LOW | 0.9.4-3.el8 | | libssh: possible heap-based |
| | | | | | buffer overflow when rekeying |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3634 |
+---------------------+ + + +---------------+ +
| libssh-config | | | | | |
| | | | | | |
| | | | | | |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| libstdc++ | CVE-2018-20673 | MEDIUM | 8.5.0-4.el8_5 | | libiberty: Integer overflow in |
| | | | | | demangle_template() function |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20673 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-42694 | | | | Developer environment: |
| | | | | | Homoglyph characters can |
| | | | | | lead to trojan source attack |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-42694 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-27943 | | | | : binutils: libiberty/rust-demangle.c |
| | | | | | in GNU GCC 11.2 allows stack |
| | | | | | exhaustion in demangle_const... |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27943 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2018-20657 | LOW | | | libiberty: Memory leak in |
| | | | | | demangle_template function |
| | | | | | resulting in a denial of service... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20657 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-14250 | | | | binutils: integer overflow in |
| | | | | | simple-object-elf.c leads to |
| | | | | | a heap-based buffer overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-14250 |
+---------------------+------------------+ +--------------------+---------------+-----------------------------------------+
| libtasn1 | CVE-2018-1000654 | | 4.13-3.el8 | | libtasn1: Infinite loop in |
| | | | | | _asn1_expand_object_id(ptree) |
| | | | | | leads to memory exhaustion |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-1000654 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| libxml2 | CVE-2022-29824 | MEDIUM | 2.9.7-12.el8_5 | | libxml2: integer overflows |
| | | | | | in xmlBuf and xmlBuffer |
| | | | | | lead to out-of-bounds write |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-29824 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| libzstd | CVE-2021-24032 | LOW | 1.4.4-1.el8 | | zstd: Race condition |
| | | | | | allows attacker to access |
| | | | | | world-readable destination file |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-24032 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| lz4-libs | CVE-2019-17543 | MEDIUM | 1.8.3-3.el8_4 | | lz4: heap-based buffer |
| | | | | | overflow in LZ4_write32 |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-17543 |
+---------------------+------------------+ +--------------------+---------------+-----------------------------------------+
| ncurses-base | CVE-2021-39537 | | 6.1-9.20180224.el8 | | ncurses: heap-based buffer overflow |
| | | | | | in _nc_captoinfo() in captoinfo.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-39537 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2018-19211 | LOW | | | ncurses: Null pointer |
| | | | | | dereference at function |
| | | | | | _nc_parse_entry in parse_entry.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-19211 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2018-19217 | | | | ncurses: Null pointer dereference |
| | | | | | at function _nc_name_match |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-19217 |
+---------------------+------------------+----------+ +---------------+-----------------------------------------+
| ncurses-libs | CVE-2021-39537 | MEDIUM | | | ncurses: heap-based buffer overflow |
| | | | | | in _nc_captoinfo() in captoinfo.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-39537 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2018-19211 | LOW | | | ncurses: Null pointer |
| | | | | | dereference at function |
| | | | | | _nc_parse_entry in parse_entry.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-19211 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2018-19217 | | | | ncurses: Null pointer dereference |
| | | | | | at function _nc_name_match |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-19217 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| nettle | CVE-2021-3580 | MEDIUM | 3.4.1-7.el8 | | nettle: Remote crash |
| | | | | | in RSA decryption via |
| | | | | | manipulated ciphertext |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3580 |
+---------------------+------------------+ +--------------------+---------------+-----------------------------------------+
| nss | CVE-2020-12401 | | 3.67.0-7.el8_5 | | nss: ECDSA timing |
| | | | | | attack mitigation bypass |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12401 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2020-12413 | LOW | | | nss: Information exposure when |
| | | | | | DH secret are reused across |
| | | | | | multiple TLS connections... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12413 |
+---------------------+------------------+----------+ +---------------+-----------------------------------------+
| nss-softokn | CVE-2020-12401 | MEDIUM | | | nss: ECDSA timing |
| | | | | | attack mitigation bypass |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12401 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2020-12413 | LOW | | | nss: Information exposure when |
| | | | | | DH secret are reused across |
| | | | | | multiple TLS connections... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12413 |
+---------------------+------------------+----------+ +---------------+-----------------------------------------+
| nss-softokn-freebl | CVE-2020-12401 | MEDIUM | | | nss: ECDSA timing |
| | | | | | attack mitigation bypass |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12401 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2020-12413 | LOW | | | nss: Information exposure when |
| | | | | | DH secret are reused across |
| | | | | | multiple TLS connections... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12413 |
+---------------------+------------------+----------+ +---------------+-----------------------------------------+
| nss-sysinit | CVE-2020-12401 | MEDIUM | | | nss: ECDSA timing |
| | | | | | attack mitigation bypass |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12401 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2020-12413 | LOW | | | nss: Information exposure when |
| | | | | | DH secret are reused across |
| | | | | | multiple TLS connections... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12413 |
+---------------------+------------------+----------+ +---------------+-----------------------------------------+
| nss-util | CVE-2020-12401 | MEDIUM | | | nss: ECDSA timing |
| | | | | | attack mitigation bypass |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12401 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2020-12413 | LOW | | | nss: Information exposure when |
| | | | | | DH secret are reused across |
| | | | | | multiple TLS connections... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12413 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| openldap | CVE-2022-29155 | MEDIUM | 2.4.46-18.el8 | | openldap: OpenLDAP SQL injection |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-29155 |
+---------------------+------------------+ +--------------------+---------------+-----------------------------------------+
| openssl-libs | CVE-2021-3712 | | 1:1.1.1k-6.el8_5 | | openssl: Read buffer overruns |
| | | | | | processing ASN.1 strings |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3712 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-1292 | | | | openssl: c_rehash script |
| | | | | | allows command injection |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-1292 |
+---------------------+------------------+ +--------------------+---------------+-----------------------------------------+
| pcre2 | CVE-2022-1586 | | 10.32-2.el8 | | pcre2: Out-of-bounds read in |
| | | | | | compile_xclass_matchingpath |
| | | | | | in pcre2_jit_compile.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-1586 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| platform-python-pip | CVE-2018-20225 | LOW | 9.0.3-20.el8 | | python-pip: when --extra-index-url |
| | | | | | option is used and package |
| | | | | | does not already exist... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20225 |
+---------------------+ + + +---------------+ +
| python3-pip-wheel | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| rpm | CVE-2021-35937 | MEDIUM | 4.14.3-19.el8_5.2 | | rpm: TOCTOU race in |
| | | | | | checks for unsafe symlinks |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-35937 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-35938 | | | | rpm: races with |
| | | | | | chown/chmod/capabilities |
| | | | | | calls during installation |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-35938 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-35939 | | | | rpm: checks for unsafe |
| | | | | | symlinks are not performed |
| | | | | | for intermediary directories |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-35939 |
+---------------------+------------------+ + +---------------+-----------------------------------------+
| rpm-libs | CVE-2021-35937 | | | | rpm: TOCTOU race in |
| | | | | | checks for unsafe symlinks |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-35937 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-35938 | | | | rpm: races with |
| | | | | | chown/chmod/capabilities |
| | | | | | calls during installation |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-35938 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-35939 | | | | rpm: checks for unsafe |
| | | | | | symlinks are not performed |
| | | | | | for intermediary directories |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-35939 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| sqlite-libs | CVE-2019-19244 | LOW | 3.26.0-15.el8 | | sqlite: allows a crash |
| | | | | | if a sub-select uses both |
| | | | | | DISTINCT and window... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-19244 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-9936 | | | | sqlite: heap-based buffer |
| | | | | | over-read in function |
| | | | | | fts5HashEntrySort in sqlite3.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-9936 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-9937 | | | | sqlite: null-pointer |
| | | | | | dereference in function |
| | | | | | fts5ChunkIterate in sqlite3.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-9937 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-45346 | | | | sqlite: crafted SQL query |
| | | | | | allows a malicious user to |
| | | | | | obtain sensitive information... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-45346 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| systemd-libs | CVE-2018-20839 | MEDIUM | 239-51.el8_5.5 | | systemd: mishandling of the |
| | | | | | current keyboard mode check |
| | | | | | leading to passwords being... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20839 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-3997 | | | | systemd: Uncontrolled recursion in |
| | | | | | systemd-tmpfiles when removing files |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3997 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| zlib | CVE-2018-25032 | HIGH | 1.2.11-18.el8_5 | | zlib: A flaw found in |
| | | | | | zlib when compressing (not |
| | | | | | decompressing) certain inputs... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-25032 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
Java (jar)
==========
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
docker run --privileged --rm -v /home/tom/.trivy/cache:/root/.cache/ -v /var/run/docker.sock:/var/run/docker.sock:z aquasec/trivy:0.27.1 image thomasdarimont/custom-keycloakx:1.0.0-SNAPSHOT | |
2022-05-08T20:55:26.819Z INFO Detected OS: alpine | |
2022-05-08T20:55:26.819Z INFO Detecting Alpine vulnerabilities... | |
2022-05-08T20:55:26.823Z INFO Number of language-specific files: 1 | |
2022-05-08T20:55:26.823Z INFO Detecting jar vulnerabilities... | |
thomasdarimont/custom-keycloakx:1.0.0-SNAPSHOT (alpine 3.15.4) | |
============================================================== | |
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0) | |
Java (jar) | |
========== | |
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0) |
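The table output above is what Trivy prints by default; the last scan's log line suggests `--format json` for the full package paths, and the JSON is also what you want for triage, because most rows in the RHEL tables have an empty FIXED VERSION column (no package update existed at scan time), while the two findings that actually block a release (zlib CVE-2018-25032 and the h2 CVE in the bundled jar) do have fixes. The script below is an added example, not part of the gist, and works on a constructed fixture in the shape Trivy 0.27's `--format json` (SchemaVersion 2) emits; the rows in the fixture are copied from the tables on this page, but the fixture itself is hand-built. It flattens the report, reproduces the per-severity `Total:` line split into fixable vs. unfixed, and applies the same gate that `trivy image --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1` would apply in CI.

```python
"""Triage a Trivy JSON report: split findings into fixable vs. unfixed, then gate on them."""
import json
from collections import Counter

# Constructed fixture in the layout of `trivy image --format json` (SchemaVersion 2).
# The entries mirror rows from the quay.io/keycloak/keycloak:18.0.0 tables on this page;
# the document itself is hand-built for this example, not a captured report.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "quay.io/keycloak/keycloak:18.0.0",
    "Results": [
        {
            "Target": "quay.io/keycloak/keycloak:18.0.0 (redhat 8.5)",
            "Class": "os-pkgs",
            "Type": "redhat",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2018-25032", "PkgName": "zlib",
                 "InstalledVersion": "1.2.11-17.el8", "FixedVersion": "1.2.11-18.el8_5",
                 "Severity": "HIGH", "Title": "zlib: A flaw found in zlib when compressing certain inputs"},
                {"VulnerabilityID": "CVE-2021-3468", "PkgName": "avahi-libs",
                 "InstalledVersion": "0.7-20.el8", "Severity": "MEDIUM",
                 "Title": "avahi: Local DoS by event-busy-loop from writing long lines"},
                {"VulnerabilityID": "CVE-2022-26280", "PkgName": "libarchive",
                 "InstalledVersion": "3.3.3-3.el8_5", "Severity": "HIGH",
                 "Title": "libarchive: an out-of-bounds read via the component zipx_lzma_alone_init"},
            ],
        },
        {
            "Target": "Java",
            "Class": "lang-pkgs",
            "Type": "jar",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2021-23463", "PkgName": "com.h2database:h2",
                 "InstalledVersion": "1.4.197", "FixedVersion": "2.0.202",
                 "Severity": "CRITICAL", "Title": "h2database: XXE injection vulnerability"},
                {"VulnerabilityID": "CVE-2020-36518",
                 "PkgName": "com.fasterxml.jackson.core:jackson-databind",
                 "InstalledVersion": "2.11.4", "FixedVersion": "2.12.6.1, 2.13.2.1",
                 "Severity": "HIGH", "Title": "jackson-databind: denial of service via nested objects"},
            ],
        },
    ],
})

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]


def load_findings(report_json):
    """Flatten a Trivy JSON report into one dict per (target, vulnerability)."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        # Trivy emits null (not []) for targets without findings, hence `or []`.
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "target": result.get("Target", ""),
                "type": result.get("Type", ""),
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                # Empty string = no fixed package in the distro/upstream at scan time,
                # which is the empty FIXED VERSION column in the table output.
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN"),
            })
    return findings


def summarize(findings):
    """Per-severity (total, fixable) counts; the totals match Trivy's 'Total:' line."""
    total = Counter(f["severity"] for f in findings)
    fixable = Counter(f["severity"] for f in findings if f["fixed"])
    return {sev: (total.get(sev, 0), fixable.get(sev, 0)) for sev in SEVERITY_ORDER}


def gate(findings, fail_on=("CRITICAL", "HIGH"), ignore_unfixed=True):
    """Return the findings that should fail the build, most severe first.

    Same policy as `trivy --severity HIGH,CRITICAL --exit-code 1 [--ignore-unfixed]`:
    with ignore_unfixed=True a finding without a FixedVersion is still reported by
    summarize() but does not block, since there is no package update to apply yet.
    """
    blocking = [f for f in findings
                if f["severity"] in fail_on and (f["fixed"] or not ignore_unfixed)]
    return sorted(blocking, key=lambda f: (SEVERITY_ORDER.index(f["severity"]), f["pkg"]))


if __name__ == "__main__":
    fs = load_findings(SAMPLE_REPORT)
    for sev, (n, nfix) in summarize(fs).items():
        print(f"{sev:9} total={n} fixable={nfix}")
    for f in gate(fs):
        print(f"BLOCK {f['severity']:8} {f['id']} {f['pkg']} {f['installed']} -> {f['fixed']}")
```

Run it against a real report with `trivy image --format json -o report.json <image>` and `load_findings(open("report.json").read())`. The `ignore_unfixed` switch is the important design choice: for a distro-maintained base such as the ubi8 layer here, unfixed findings are tracked upstream by Red Hat and blocking on them only teaches people to disable the scanner, whereas a fixable HIGH such as the zlib row, or a CRITICAL in a jar you ship yourself such as h2, is a concrete rebuild-and-bump action.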
docker run --privileged --rm -v /home/tom/.trivy/cache:/root/.cache/ -v /var/run/docker.sock:/var/run/docker.sock:z aquasec/trivy:0.27.1 image quay.io/keycloak/keycloak:18.0.0 | |
2022-05-07T10:49:55.396Z INFO Detecting RHEL/CentOS vulnerabilities... | |
2022-05-07T10:49:55.416Z INFO Number of language-specific files: 1 | |
2022-05-07T10:49:55.416Z INFO Detecting jar vulnerabilities... | |
quay.io/keycloak/keycloak:18.0.0 (redhat 8.5) | |
============================================= | |
Total: 104 (UNKNOWN: 0, LOW: 37, MEDIUM: 65, HIGH: 2, CRITICAL: 0) | |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+ | |
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | | |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+ | |
| avahi-libs | CVE-2021-3468 | MEDIUM | 0.7-20.el8 | | avahi: Local DoS by event-busy-loop | | |
| | | | | | from writing long lines to | | |
| | | | | | /run/avahi-daemon/socket | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3468 | | |
+ +------------------+----------+ +-----------------+-----------------------------------------+ | |
| | CVE-2017-6519 | LOW | | | avahi: Multicast DNS | | |
| | | | | | responds to unicast queries | | |
| | | | | | outside of local network | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-6519 | | |
+---------------------+------------------+ +--------------------+-----------------+-----------------------------------------+ | |
| bzip2-libs | CVE-2019-12900 | | 1.0.6-26.el8 | | bzip2: out-of-bounds write | | |
| | | | | | in function BZ2_decompress | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-12900 | | |
+---------------------+------------------+ +--------------------+-----------------+-----------------------------------------+ | |
| cups-libs | CVE-2021-25317 | | 1:2.2.6-40.el8 | | cups: insecure permissions | | |
| | | | | | of /var/log/cups allows | | |
| | | | | | for symlink attacks | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-25317 | | |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+ | |
| curl | CVE-2022-22576 | MEDIUM | 7.61.1-22.el8 | | curl: OAUTH2 bearer bypass | | |
| | | | | | in connection re-use | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22576 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2022-27774 | | | | curl: credential leak on redirect | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27774 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2022-27776 | | | | curl: auth/cookie leak on redirect | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27776 | | |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+ | |
| dbus-libs | CVE-2020-35512 | LOW | 1:1.12.8-14.el8 | | dbus: users with the same numeric UID | | |
| | | | | | could lead to use-after-free and... | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-35512 | | |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+ | |
| expat | CVE-2021-45960 | MEDIUM | 2.2.5-4.el8_5.3 | | expat: Large number of prefixed XML | | |
| | | | | | attributes on a single tag can... | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-45960 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2021-46143 | | | | expat: Integer overflow | | |
| | | | | | in doProlog in xmlparse.c | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-46143 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2022-22822 | | | | expat: Integer overflow in | | |
| | | | | | addBinding in xmlparse.c | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22822 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2022-22823 | | | | expat: Integer overflow in | | |
| | | | | | build_model in xmlparse.c | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22823 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2022-22824 | | | | expat: Integer overflow in | | |
| | | | | | defineAttribute in xmlparse.c | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22824 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2022-22825 | | | | expat: Integer overflow | | |
| | | | | | in lookup in xmlparse.c | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22825 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2022-22826 | | | | expat: Integer overflow in | | |
| | | | | | nextScaffoldPart in xmlparse.c | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22826 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2022-22827 | | | | expat: Integer overflow | | |
| | | | | | in storeAtts in xmlparse.c | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22827 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2022-25314 | | | | expat: integer overflow | | |
| | | | | | in copyString() | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-25314 | | |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+ | |
| file-libs | CVE-2019-8905 | LOW | 5.33-20.el8 | | file: stack-based buffer over-read | | |
| | | | | | in do_core_note in readelf.c | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-8905 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2019-8906 | | | | file: out-of-bounds read in | | |
| | | | | | do_core_note in readelf.c | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-8906 | | |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+ | |
| freetype | CVE-2022-27404 | MEDIUM | 2.9.1-4.el8_3.1 | | FreeType: Buffer Overflow | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27404 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2022-27405 | | | | FreeType: Segmentation Fault | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27405 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2022-27406 | | | | Freetype: Segmentation violation | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27406 | | |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+ | |
| glib2 | CVE-2018-16428 | LOW | 2.56.4-156.el8 | | glib2: NULL pointer dereference in | | |
| | | | | | g_markup_parse_context_end_parse() | | |
| | | | | | function in gmarkup.c | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-16428 | | |
+---------------------+------------------+ +--------------------+-----------------+-----------------------------------------+ | |
| gmp | CVE-2021-43618 | | 1:6.1.2-10.el8 | | gmp: Integer overflow and resultant | | |
| | | | | | buffer overflow via crafted input | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-43618 | | |
+---------------------+------------------+ +--------------------+-----------------+-----------------------------------------+ | |
| gnutls | CVE-2021-4209 | | 3.6.16-4.el8 | | GnuTLS: Null pointer | | |
| | | | | | dereference in MD_UPDATE | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-4209 | | |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+ | |
| krb5-libs | CVE-2020-17049 | MEDIUM | 1.18.2-14.el8 | | Kerberos: delegation | | |
| | | | | | constrain bypass in S4U2Proxy | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-17049 | | |
+---------------------+------------------+ +--------------------+-----------------+-----------------------------------------+ | |
| lcms2 | CVE-2018-16435 | | 2.9-2.el8 | | lcms2: Integer overflow | | |
| | | | | | in AllocateDataSet() in | | |
| | | | | | cmscgats.c leading to | | |
| | | | | | heap-based buffer overflow... | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-16435 | | |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+ | |
| libarchive | CVE-2022-26280 | HIGH | 3.3.3-3.el8_5 | | libarchive: an out-of-bounds read via | | |
| | | | | | the component zipx_lzma_alone_init | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-26280 | | |
+ +------------------+----------+ +-----------------+-----------------------------------------+ | |
| | CVE-2020-21674 | MEDIUM | | | libarchive: heap-based | | |
| | | | | | buffer overflow in | | |
| | | | | | archive_string_append_from_wcs | | |
| | | | | | function in archive_string.c | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-21674 | | |
+ +------------------+----------+ +-----------------+-----------------------------------------+ | |
| | CVE-2017-14166 | LOW | | | libarchive: Heap-based buffer | | |
| | | | | | over-read in the atol8 function | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-14166 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2017-14501 | | | | libarchive: Out-of-bounds | | |
| | | | | | read in parse_file_info | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-14501 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2018-1000879 | | | | libarchive: NULL pointer dereference in | | |
| | | | | | ACL parser resulting in a denial of... | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-1000879 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2018-1000880 | | | | libarchive: Improper input | | |
| | | | | | validation in WARC parser | | |
| | | | | | resulting in a denial of... | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-1000880 | | |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+ | |
| libcom_err | CVE-2022-1304 | MEDIUM | 1.45.6-2.el8 | | e2fsprogs: out-of-bounds | | |
| | | | | | read/write via crafted filesystem | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-1304 | | |
+---------------------+------------------+ +--------------------+-----------------+-----------------------------------------+ | |
| libcurl | CVE-2022-22576 | | 7.61.1-22.el8 | | curl: OAUTH2 bearer bypass | | |
| | | | | | in connection re-use | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22576 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2022-27774 | | | | curl: credential leak on redirect | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27774 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2022-27776 | | | | curl: auth/cookie leak on redirect | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27776 | | |
+---------------------+------------------+ +--------------------+-----------------+-----------------------------------------+ | |
| libgcc | CVE-2018-20673 | | 8.5.0-4.el8_5 | | libiberty: Integer overflow in | | |
| | | | | | demangle_template() function | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20673 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2021-42694 | | | | Developer environment: | | |
| | | | | | Homoglyph characters can | | |
| | | | | | lead to trojan source attack | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-42694 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2022-27943 | | | | : binutils: libiberty/rust-demangle.c | | |
| | | | | | in GNU GCC 11.2 allows stack | | |
| | | | | | exhaustion in demangle_const... | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27943 | | |
+ +------------------+----------+ +-----------------+-----------------------------------------+ | |
| | CVE-2018-20657 | LOW | | | libiberty: Memory leak in | | |
| | | | | | demangle_template function | | |
| | | | | | resulting in a denial of service... | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20657 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2019-14250 | | | | binutils: integer overflow in | | |
| | | | | | simple-object-elf.c leads to | | |
| | | | | | a heap-based buffer overflow | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-14250 | | |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+ | |
| libgcrypt | CVE-2019-12904 | MEDIUM | 1.8.5-6.el8 | | Libgcrypt: physical addresses | | |
| | | | | | being available to other processes | | |
| | | | | | leads to a flush-and-reload... | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-12904 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2021-40528 | | | | libgcrypt: ElGamal implementation | | |
| | | | | | allows plaintext recovery | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-40528 | | |
+---------------------+------------------+ +--------------------+-----------------+-----------------------------------------+ | |
| libjpeg-turbo | CVE-2019-2201 | | 1.5.3-12.el8 | | libjpeg-turbo: several integer | | |
| | | | | | overflows and subsequent | | |
| | | | | | segfaults when attempting to | | |
| | | | | | compress/decompress gigapixel... | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-2201 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2020-13790 | | | | libjpeg-turbo: heap-based buffer | | |
| | | | | | over-read in get_rgb_row() in rdppm.c | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-13790 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2020-17541 | | | | libjpeg-turbo: Stack-based buffer | | |
| | | | | | overflow in the "transform" component | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-17541 | | |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+ | |
| libpng | CVE-2019-7317 | LOW | 2:1.6.34-5.el8 | | libpng: use-after-free in | | |
| | | | | | png_image_free in png.c | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-7317 | | |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+ | |
| libsolv | CVE-2021-44568 | MEDIUM | 0.7.19-1.el8 | | libsolv: heap-overflows in | | |
| | | | | | resolve_dependencies function | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44568 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2021-44569 | | | | libsolv: Heap overflow | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44569 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2021-44570 | | | | libsolv: Heap overflow | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44570 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2021-44571 | | | | libsolv: Heap overflow | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44571 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2021-44573 | | | | libsolv: Heap overflow | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44573 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2021-44574 | | | | libsolv: Heap overflow | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44574 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2021-44575 | | | | libsolv: Heap overflow | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44575 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2021-44576 | | | | libsolv: Heap overflow | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44576 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2021-44577 | | | | libsolv: Heap overflow | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44577 | | |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+ | |
| libssh | CVE-2021-3634 | LOW | 0.9.4-3.el8 | | libssh: possible heap-based | | |
| | | | | | buffer overflow when rekeying | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3634 | | |
+---------------------+ + + +-----------------+ + | |
| libssh-config | | | | | | | |
| | | | | | | | |
| | | | | | | | |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+ | |
| libstdc++ | CVE-2018-20673 | MEDIUM | 8.5.0-4.el8_5 | | libiberty: Integer overflow in | | |
| | | | | | demangle_template() function | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20673 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2021-42694 | | | | Developer environment: | | |
| | | | | | Homoglyph characters can | | |
| | | | | | lead to trojan source attack | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-42694 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2022-27943 | | | | : binutils: libiberty/rust-demangle.c | | |
| | | | | | in GNU GCC 11.2 allows stack | | |
| | | | | | exhaustion in demangle_const... | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27943 | | |
+ +------------------+----------+ +-----------------+-----------------------------------------+ | |
| | CVE-2018-20657 | LOW | | | libiberty: Memory leak in | | |
| | | | | | demangle_template function | | |
| | | | | | resulting in a denial of service... | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20657 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2019-14250 | | | | binutils: integer overflow in | | |
| | | | | | simple-object-elf.c leads to | | |
| | | | | | a heap-based buffer overflow | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-14250 | | |
+---------------------+------------------+ +--------------------+-----------------+-----------------------------------------+ | |
| libtasn1 | CVE-2018-1000654 | | 4.13-3.el8 | | libtasn1: Infinite loop in | | |
| | | | | | _asn1_expand_object_id(ptree) | | |
| | | | | | leads to memory exhaustion | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-1000654 | | |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+ | |
| libxml2 | CVE-2022-29824 | MEDIUM | 2.9.7-12.el8_5 | | libxml2: integer overflows | | |
| | | | | | in xmlBuf and xmlBuffer | | |
| | | | | | lead to out-of-bounds write | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-29824 | | |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+ | |
| libzstd | CVE-2021-24032 | LOW | 1.4.4-1.el8 | | zstd: Race condition | | |
| | | | | | allows attacker to access | | |
| | | | | | world-readable destination file | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-24032 | | |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+ | |
| lz4-libs | CVE-2019-17543 | MEDIUM | 1.8.3-3.el8_4 | | lz4: heap-based buffer | | |
| | | | | | overflow in LZ4_write32 | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-17543 | | |
+---------------------+------------------+ +--------------------+-----------------+-----------------------------------------+ | |
| ncurses-base | CVE-2021-39537 | | 6.1-9.20180224.el8 | | ncurses: heap-based buffer overflow | | |
| | | | | | in _nc_captoinfo() in captoinfo.c | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-39537 | | |
+ +------------------+----------+ +-----------------+-----------------------------------------+ | |
| | CVE-2018-19211 | LOW | | | ncurses: Null pointer | | |
| | | | | | dereference at function | | |
| | | | | | _nc_parse_entry in parse_entry.c | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-19211 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2018-19217 | | | | ncurses: Null pointer dereference | | |
| | | | | | at function _nc_name_match | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-19217 | | |
+---------------------+------------------+----------+ +-----------------+-----------------------------------------+ | |
| ncurses-libs | CVE-2021-39537 | MEDIUM | | | ncurses: heap-based buffer overflow | | |
| | | | | | in _nc_captoinfo() in captoinfo.c | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-39537 | | |
+ +------------------+----------+ +-----------------+-----------------------------------------+ | |
| | CVE-2018-19211 | LOW | | | ncurses: Null pointer | | |
| | | | | | dereference at function | | |
| | | | | | _nc_parse_entry in parse_entry.c | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-19211 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2018-19217 | | | | ncurses: Null pointer dereference | | |
| | | | | | at function _nc_name_match | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-19217 | | |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+ | |
| nettle | CVE-2021-3580 | MEDIUM | 3.4.1-7.el8 | | nettle: Remote crash | | |
| | | | | | in RSA decryption via | | |
| | | | | | manipulated ciphertext | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3580 | | |
+---------------------+------------------+ +--------------------+-----------------+-----------------------------------------+ | |
| nss | CVE-2020-12401 | | 3.67.0-7.el8_5 | | nss: ECDSA timing | | |
| | | | | | attack mitigation bypass | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12401 | | |
+ +------------------+----------+ +-----------------+-----------------------------------------+ | |
| | CVE-2020-12413 | LOW | | | nss: Information exposure when | | |
| | | | | | DH secret are reused across | | |
| | | | | | multiple TLS connections... | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12413 | | |
+---------------------+------------------+----------+ +-----------------+-----------------------------------------+ | |
| nss-softokn | CVE-2020-12401 | MEDIUM | | | nss: ECDSA timing | | |
| | | | | | attack mitigation bypass | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12401 | | |
+ +------------------+----------+ +-----------------+-----------------------------------------+ | |
| | CVE-2020-12413 | LOW | | | nss: Information exposure when | | |
| | | | | | DH secret are reused across | | |
| | | | | | multiple TLS connections... | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12413 | | |
+---------------------+------------------+----------+ +-----------------+-----------------------------------------+ | |
| nss-softokn-freebl | CVE-2020-12401 | MEDIUM | | | nss: ECDSA timing | | |
| | | | | | attack mitigation bypass | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12401 | | |
+ +------------------+----------+ +-----------------+-----------------------------------------+ | |
| | CVE-2020-12413 | LOW | | | nss: Information exposure when | | |
| | | | | | DH secret are reused across | | |
| | | | | | multiple TLS connections... | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12413 | | |
+---------------------+------------------+----------+ +-----------------+-----------------------------------------+ | |
| nss-sysinit | CVE-2020-12401 | MEDIUM | | | nss: ECDSA timing | | |
| | | | | | attack mitigation bypass | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12401 | | |
+ +------------------+----------+ +-----------------+-----------------------------------------+ | |
| | CVE-2020-12413 | LOW | | | nss: Information exposure when | | |
| | | | | | DH secret are reused across | | |
| | | | | | multiple TLS connections... | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12413 | | |
+---------------------+------------------+----------+ +-----------------+-----------------------------------------+ | |
| nss-util | CVE-2020-12401 | MEDIUM | | | nss: ECDSA timing | | |
| | | | | | attack mitigation bypass | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12401 | | |
+ +------------------+----------+ +-----------------+-----------------------------------------+ | |
| | CVE-2020-12413 | LOW | | | nss: Information exposure when | | |
| | | | | | DH secret are reused across | | |
| | | | | | multiple TLS connections... | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12413 | | |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+ | |
| openldap | CVE-2022-29155 | MEDIUM | 2.4.46-18.el8 | | openldap: OpenLDAP SQL injection | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-29155 | | |
+---------------------+------------------+ +--------------------+-----------------+-----------------------------------------+ | |
| openssl-libs | CVE-2021-3712 | | 1:1.1.1k-6.el8_5 | | openssl: Read buffer overruns | | |
| | | | | | processing ASN.1 strings | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3712 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2022-1292 | | | | openssl: c_rehash script | | |
| | | | | | allows command injection | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-1292 | | |
+---------------------+------------------+ +--------------------+-----------------+-----------------------------------------+ | |
| pcre2 | CVE-2022-1586 | | 10.32-2.el8 | | pcre2: Out-of-bounds read in | | |
| | | | | | compile_xclass_matchingpath | | |
| | | | | | in pcre2_jit_compile.c | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-1586 | | |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+ | |
| platform-python-pip | CVE-2018-20225 | LOW | 9.0.3-20.el8 | | python-pip: when --extra-index-url | | |
| | | | | | option is used and package | | |
| | | | | | does not already exist... | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20225 | | |
+---------------------+ + + +-----------------+ + | |
| python3-pip-wheel | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+ | |
| rpm | CVE-2021-35937 | MEDIUM | 4.14.3-19.el8_5.2 | | rpm: TOCTOU race in | | |
| | | | | | checks for unsafe symlinks | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-35937 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2021-35938 | | | | rpm: races with | | |
| | | | | | chown/chmod/capabilities | | |
| | | | | | calls during installation | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-35938 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2021-35939 | | | | rpm: checks for unsafe | | |
| | | | | | symlinks are not performed | | |
| | | | | | for intermediary directories | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-35939 | | |
+---------------------+------------------+ + +-----------------+-----------------------------------------+ | |
| rpm-libs | CVE-2021-35937 | | | | rpm: TOCTOU race in | | |
| | | | | | checks for unsafe symlinks | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-35937 | | |
+ +------------------+ + +-----------------+-----------------------------------------+ | |
| | CVE-2021-35938 | | | | rpm: races with | | |
| | | | | | chown/chmod/capabilities | | |
| | | | | | calls during installation | | |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-35938 | | |
+                     +------------------+          +                    +-----------------+-----------------------------------------+
|                     | CVE-2021-35939   |          |                    |                 | rpm: checks for unsafe                  |
|                     |                  |          |                    |                 | symlinks are not performed              |
|                     |                  |          |                    |                 | for intermediary directories            |
|                     |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-35939   |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
| sqlite-libs         | CVE-2019-19244   | LOW      | 3.26.0-15.el8      |                 | sqlite: allows a crash                  |
|                     |                  |          |                    |                 | if a sub-select uses both               |
|                     |                  |          |                    |                 | DISTINCT and window...                  |
|                     |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-19244   |
+                     +------------------+          +                    +-----------------+-----------------------------------------+
|                     | CVE-2019-9936    |          |                    |                 | sqlite: heap-based buffer               |
|                     |                  |          |                    |                 | over-read in function                   |
|                     |                  |          |                    |                 | fts5HashEntrySort in sqlite3.c          |
|                     |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-9936    |
+                     +------------------+          +                    +-----------------+-----------------------------------------+
|                     | CVE-2019-9937    |          |                    |                 | sqlite: null-pointer                    |
|                     |                  |          |                    |                 | dereference in function                 |
|                     |                  |          |                    |                 | fts5ChunkIterate in sqlite3.c           |
|                     |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2019-9937    |
+                     +------------------+          +                    +-----------------+-----------------------------------------+
|                     | CVE-2021-45346   |          |                    |                 | sqlite: crafted SQL query               |
|                     |                  |          |                    |                 | allows a malicious user to              |
|                     |                  |          |                    |                 | obtain sensitive information...         |
|                     |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-45346   |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
| systemd-libs        | CVE-2018-20839   | MEDIUM   | 239-51.el8_5.5     |                 | systemd: mishandling of the             |
|                     |                  |          |                    |                 | current keyboard mode check             |
|                     |                  |          |                    |                 | leading to passwords being...           |
|                     |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2018-20839   |
+                     +------------------+          +                    +-----------------+-----------------------------------------+
|                     | CVE-2021-3997    |          |                    |                 | systemd: Uncontrolled recursion in      |
|                     |                  |          |                    |                 | systemd-tmpfiles when removing files    |
|                     |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2021-3997    |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
| zlib                | CVE-2018-25032   | HIGH     | 1.2.11-17.el8      | 1.2.11-18.el8_5 | zlib: A flaw found in                   |
|                     |                  |          |                    |                 | zlib when compressing (not              |
|                     |                  |          |                    |                 | decompressing) certain inputs...        |
|                     |                  |          |                    |                 | -->avd.aquasec.com/nvd/cve-2018-25032   |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
2022-05-07T10:49:55.445Z INFO Table result includes only package filenames. Use '--format json' option to get the full path to the package file.
Java (jar)
==========
Total: 5 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 3)
+---------------------------------------------------------+------------------+----------+-------------------+--------------------+---------------------------------------+
| LIBRARY                                                 | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION      | TITLE                                 |
+---------------------------------------------------------+------------------+----------+-------------------+--------------------+---------------------------------------+
| com.fasterxml.jackson.core:jackson-databind             | CVE-2020-36518   | HIGH     | 2.11.4            | 2.12.6.1, 2.13.2.1 | jackson-databind: denial of service   |
| (org.wildfly.security.wildfly-elytron-1.18.3.Final.jar) |                  |          |                   |                    | via a large depth of nested objects   |
|                                                         |                  |          |                   |                    | -->avd.aquasec.com/nvd/cve-2020-36518 |
+---------------------------------------------------------+------------------+----------+-------------------+--------------------+---------------------------------------+
| com.h2database:h2                                       | CVE-2021-23463   | CRITICAL | 1.4.197           | 2.0.202            | h2database: XXE                       |
| (com.h2database.h2-1.4.197.jar)                         |                  |          |                   |                    | injection vulnerability               |
|                                                         |                  |          |                   |                    | -->avd.aquasec.com/nvd/cve-2021-23463 |
+                                                         +------------------+          +                   +--------------------+---------------------------------------+
|                                                         | CVE-2021-42392   |          |                   | 2.0.206            | h2: Remote Code Execution in Console  |
|                                                         |                  |          |                   |                    | -->avd.aquasec.com/nvd/cve-2021-42392 |
+                                                         +------------------+          +                   +--------------------+---------------------------------------+
|                                                         | CVE-2022-23221   |          |                   | 2.1.210            | h2: Loading of custom classes         |
|                                                         |                  |          |                   |                    | from remote servers through JNDI      |
|                                                         |                  |          |                   |                    | -->avd.aquasec.com/nvd/cve-2022-23221 |
+                                                         +------------------+----------+                   +--------------------+---------------------------------------+
|                                                         | GMS-2022-7       | UNKNOWN  |                   | 2.0.206            | Improper Neutralization of            |
|                                                         |                  |          |                   |                    | Special Elements used in an OS        |
|                                                         |                  |          |                   |                    | Command ('OS Command...               |
+---------------------------------------------------------+------------------+----------+-------------------+--------------------+---------------------------------------+
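The tables above are the human-readable view, and the INFO line before the Java table points at `--format json` for the full package paths. What a practitioner does with that JSON is a triage pass: separate the findings that a package upgrade would actually close (`FixedVersion` present) from the ones that need a different decision, and order them by severity. The script below is an added example, not part of this gist and not Trivy's own code. It reads a report in Trivy's schema-version-2 JSON layout (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `PkgPath`, `InstalledVersion`, `FixedVersion`, `Severity`); the embedded `SAMPLE_REPORT` is a constructed sample modelled on a handful of rows from the tables above, not a real scan result.

```python
"""Triage a Trivy JSON report (schema version 2, trivy >= 0.20): keep only the
findings that a package upgrade would close, most severe first.

Added example, not part of the gist and not Trivy's own code. SAMPLE_REPORT is
a constructed sample modelled on a few rows of the tables above, not a real scan."""
import json
from collections import Counter

# Trivy's severity labels; lower number = more urgent.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}

# Constructed sample in the shape `trivy image --format json` emits.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "thomasdarimont/custom-keycloakx:1.0.0-SNAPSHOT",
    "Results": [
        {
            "Target": "thomasdarimont/custom-keycloakx:1.0.0-SNAPSHOT (redhat 8.5)",
            "Class": "os-pkgs", "Type": "redhat",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2018-25032", "PkgName": "zlib",
                 "InstalledVersion": "1.2.11-17.el8", "FixedVersion": "1.2.11-18.el8_5",
                 "Severity": "HIGH"},
                # No FixedVersion: the distro has not shipped a backport for this one.
                {"VulnerabilityID": "CVE-2021-3997", "PkgName": "systemd-libs",
                 "InstalledVersion": "239-51.el8_5.5", "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "Java", "Class": "lang-pkgs", "Type": "jar",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2021-42392", "PkgName": "com.h2database:h2",
                 "PkgPath": "com.h2database.h2-1.4.197.jar",
                 "InstalledVersion": "1.4.197", "FixedVersion": "2.0.206",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-2020-36518",
                 "PkgName": "com.fasterxml.jackson.core:jackson-databind",
                 "PkgPath": "org.wildfly.security.wildfly-elytron-1.18.3.Final.jar",
                 "InstalledVersion": "2.11.4", "FixedVersion": "2.12.6.1, 2.13.2.1",
                 "Severity": "HIGH"},
                # Non-CVE advisory id; Trivy reports its severity as UNKNOWN.
                {"VulnerabilityID": "GMS-2022-7", "PkgName": "com.h2database:h2",
                 "PkgPath": "com.h2database.h2-1.4.197.jar",
                 "InstalledVersion": "1.4.197", "FixedVersion": "2.0.206",
                 "Severity": "UNKNOWN"},
            ],
        },
    ],
})


def iter_findings(report):
    """Flatten Results[].Vulnerabilities[] into the fields a triage needs."""
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield {
                "target": result.get("Target", ""),
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "path": vuln.get("PkgPath", ""),        # set for language packages (jars) only
                "installed": vuln["InstalledVersion"],
                "fixed": vuln.get("FixedVersion", ""),  # absent or empty when no fix exists
                "severity": vuln.get("Severity", "UNKNOWN"),
            }


def actionable(report_json, min_severity="HIGH"):
    """Findings at or above min_severity that carry a FixedVersion, most severe first.

    A finding without FixedVersion cannot be closed by upgrading and needs a separate
    decision (accept, mitigate, wait for the backport), so it is deliberately left out."""
    report = json.loads(report_json)
    cutoff = SEVERITY_RANK[min_severity]
    hits = [f for f in iter_findings(report)
            if f["fixed"] and SEVERITY_RANK.get(f["severity"], 4) <= cutoff]
    return sorted(hits, key=lambda f: (SEVERITY_RANK.get(f["severity"], 4), f["pkg"], f["id"]))


def severity_counts(report_json):
    """The tally Trivy prints as 'Total: N (UNKNOWN: .., LOW: .., ...)', unfixed included."""
    return Counter(f["severity"] for f in iter_findings(json.loads(report_json)))


if __name__ == "__main__":
    for f in actionable(SAMPLE_REPORT):
        where = f["path"] or f["target"]
        print(f'{f["severity"]:<8} {f["id"]:<16} {f["pkg"]} {f["installed"]} -> {f["fixed"]}  [{where}]')
    print(dict(severity_counts(SAMPLE_REPORT)))
```

Trivy can make the first cut at scan time with `--severity HIGH,CRITICAL --ignore-unfixed`; the script is for the common case where the raw JSON is archived per build and triaged later. Note that `UNKNOWN` sorts after `LOW` here, so the `GMS-2022-7` row only appears when `min_severity="UNKNOWN"` is requested explicitly, while `severity_counts` still reports every finding so that unfixed rows such as `systemd-libs` are never silently dropped from the totals.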