@thomasdarimont
Last active May 8, 2022 21:02
CVEs reported in Keycloak Image quay.io/keycloak/keycloak:18.0.0 by aquasec/trivy
docker run --privileged --rm -v /home/tom/.trivy/cache:/root/.cache/ -v /var/run/docker.sock:/var/run/docker.sock:z aquasec/trivy:0.27.1 image thomasdarimont/custom-keycloakx:1.0.0-SNAPSHOT
2022-05-07T11:40:04.324Z INFO Detected OS: redhat
2022-05-07T11:40:04.324Z INFO Detecting RHEL/CentOS vulnerabilities...
2022-05-07T11:40:04.356Z INFO Number of language-specific files: 1
2022-05-07T11:40:04.356Z INFO Detecting jar vulnerabilities...
thomasdarimont/custom-keycloakx:1.0.0-SNAPSHOT (redhat 8.5)
===========================================================
Total: 104 (UNKNOWN: 0, LOW: 37, MEDIUM: 65, HIGH: 2, CRITICAL: 0)
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| avahi-libs | CVE-2021-3468 | MEDIUM | 0.7-20.el8 | | avahi: Local DoS by event-busy-loop |
| | | | | | from writing long lines to |
| | | | | | /run/avahi-daemon/socket |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3468 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2017-6519 | LOW | | | avahi: Multicast DNS |
| | | | | | responds to unicast queries |
| | | | | | outside of local network |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-6519 |
+---------------------+------------------+ +--------------------+---------------+-----------------------------------------+
| bzip2-libs | CVE-2019-12900 | | 1.0.6-26.el8 | | bzip2: out-of-bounds write |
| | | | | | in function BZ2_decompress |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-12900 |
+---------------------+------------------+ +--------------------+---------------+-----------------------------------------+
| cups-libs | CVE-2021-25317 | | 1:2.2.6-40.el8 | | cups: insecure permissions |
| | | | | | of /var/log/cups allows |
| | | | | | for symlink attacks |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-25317 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| curl | CVE-2022-22576 | MEDIUM | 7.61.1-22.el8 | | curl: OAUTH2 bearer bypass |
| | | | | | in connection re-use |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22576 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-27774 | | | | curl: credential leak on redirect |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27774 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-27776 | | | | curl: auth/cookie leak on redirect |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27776 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| dbus-libs | CVE-2020-35512 | LOW | 1:1.12.8-14.el8 | | dbus: users with the same numeric UID |
| | | | | | could lead to use-after-free and... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-35512 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| expat | CVE-2021-45960 | MEDIUM | 2.2.5-4.el8_5.3 | | expat: Large number of prefixed XML |
| | | | | | attributes on a single tag can... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-45960 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-46143 | | | | expat: Integer overflow |
| | | | | | in doProlog in xmlparse.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-46143 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-22822 | | | | expat: Integer overflow in |
| | | | | | addBinding in xmlparse.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22822 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-22823 | | | | expat: Integer overflow in |
| | | | | | build_model in xmlparse.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22823 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-22824 | | | | expat: Integer overflow in |
| | | | | | defineAttribute in xmlparse.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22824 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-22825 | | | | expat: Integer overflow |
| | | | | | in lookup in xmlparse.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22825 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-22826 | | | | expat: Integer overflow in |
| | | | | | nextScaffoldPart in xmlparse.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22826 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-22827 | | | | expat: Integer overflow |
| | | | | | in storeAtts in xmlparse.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22827 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-25314 | | | | expat: integer overflow |
| | | | | | in copyString() |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-25314 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| file-libs | CVE-2019-8905 | LOW | 5.33-20.el8 | | file: stack-based buffer over-read |
| | | | | | in do_core_note in readelf.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-8905 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-8906 | | | | file: out-of-bounds read in |
| | | | | | do_core_note in readelf.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-8906 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| freetype | CVE-2022-27404 | MEDIUM | 2.9.1-4.el8_3.1 | | FreeType: Buffer Overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27404 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-27405 | | | | FreeType: Segementation Fault |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27405 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-27406 | | | | Freetype: Segmentation violation |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27406 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| glib2 | CVE-2018-16428 | LOW | 2.56.4-156.el8 | | glib2: NULL pointer dereference in |
| | | | | | g_markup_parse_context_end_parse() |
| | | | | | function in gmarkup.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-16428 |
+---------------------+------------------+ +--------------------+---------------+-----------------------------------------+
| gmp | CVE-2021-43618 | | 1:6.1.2-10.el8 | | gmp: Integer overflow and resultant |
| | | | | | buffer overflow via crafted input |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-43618 |
+---------------------+------------------+ +--------------------+---------------+-----------------------------------------+
| gnutls | CVE-2021-4209 | | 3.6.16-4.el8 | | GnuTLS: Null pointer |
| | | | | | dereference in MD_UPDATE |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-4209 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| krb5-libs | CVE-2020-17049 | MEDIUM | 1.18.2-14.el8 | | Kerberos: delegation |
| | | | | | constrain bypass in S4U2Proxy |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-17049 |
+---------------------+------------------+ +--------------------+---------------+-----------------------------------------+
| lcms2 | CVE-2018-16435 | | 2.9-2.el8 | | lcms2: Integer overflow |
| | | | | | in AllocateDataSet() in |
| | | | | | cmscgats.c leading to |
| | | | | | heap-based buffer overflow... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-16435 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| libarchive | CVE-2022-26280 | HIGH | 3.3.3-3.el8_5 | | libarchive: an out-of-bounds read via |
| | | | | | the component zipx_lzma_alone_init |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-26280 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2020-21674 | MEDIUM | | | libarchive: heap-based |
| | | | | | buffer overflow in |
| | | | | | archive_string_append_from_wcs |
| | | | | | function in archive_string.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-21674 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2017-14166 | LOW | | | libarchive: Heap-based buffer |
| | | | | | over-read in the atol8 function |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-14166 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2017-14501 | | | | libarchive: Out-of-bounds |
| | | | | | read in parse_file_info |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-14501 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2018-1000879 | | | | libarchive: NULL pointer dereference in |
| | | | | | ACL parser resulting in a denial of... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-1000879 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2018-1000880 | | | | libarchive: Improper input |
| | | | | | validation in WARC parser |
| | | | | | resulting in a denial of... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-1000880 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| libcom_err | CVE-2022-1304 | MEDIUM | 1.45.6-2.el8 | | e2fsprogs: out-of-bounds |
| | | | | | read/write via crafted filesystem |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-1304 |
+---------------------+------------------+ +--------------------+---------------+-----------------------------------------+
| libcurl | CVE-2022-22576 | | 7.61.1-22.el8 | | curl: OAUTH2 bearer bypass |
| | | | | | in connection re-use |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22576 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-27774 | | | | curl: credential leak on redirect |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27774 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-27776 | | | | curl: auth/cookie leak on redirect |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27776 |
+---------------------+------------------+ +--------------------+---------------+-----------------------------------------+
| libgcc | CVE-2018-20673 | | 8.5.0-4.el8_5 | | libiberty: Integer overflow in |
| | | | | | demangle_template() function |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20673 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-42694 | | | | Developer environment: |
| | | | | | Homoglyph characters can |
| | | | | | lead to trojan source attack |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-42694 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-27943 | | | | : binutils: libiberty/rust-demangle.c |
| | | | | | in GNU GCC 11.2 allows stack |
| | | | | | exhaustion in demangle_const... |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27943 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2018-20657 | LOW | | | libiberty: Memory leak in |
| | | | | | demangle_template function |
| | | | | | resulting in a denial of service... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20657 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-14250 | | | | binutils: integer overflow in |
| | | | | | simple-object-elf.c leads to |
| | | | | | a heap-based buffer overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-14250 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| libgcrypt | CVE-2019-12904 | MEDIUM | 1.8.5-6.el8 | | Libgcrypt: physical addresses |
| | | | | | being available to other processes |
| | | | | | leads to a flush-and-reload... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-12904 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-40528 | | | | libgcrypt: ElGamal implementation |
| | | | | | allows plaintext recovery |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-40528 |
+---------------------+------------------+ +--------------------+---------------+-----------------------------------------+
| libjpeg-turbo | CVE-2019-2201 | | 1.5.3-12.el8 | | libjpeg-turbo: several integer |
| | | | | | overflows and subsequent |
| | | | | | segfaults when attempting to |
| | | | | | compress/decompress gigapixel... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-2201 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2020-13790 | | | | libjpeg-turbo: heap-based buffer |
| | | | | | over-read in get_rgb_row() in rdppm.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-13790 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2020-17541 | | | | libjpeg-turbo: Stack-based buffer |
| | | | | | overflow in the "transform" component |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-17541 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| libpng | CVE-2019-7317 | LOW | 2:1.6.34-5.el8 | | libpng: use-after-free in |
| | | | | | png_image_free in png.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-7317 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| libsolv | CVE-2021-44568 | MEDIUM | 0.7.19-1.el8 | | libsolv: heap-overflows in |
| | | | | | resolve_dependencies function |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44568 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-44569 | | | | libsolv: Heap overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44569 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-44570 | | | | libsolv: Heap overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44570 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-44571 | | | | libsolv: Heap overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44571 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-44573 | | | | libsolv: Heap overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44573 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-44574 | | | | libsolv: Heap overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44574 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-44575 | | | | libsolv: Heap overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44575 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-44576 | | | | libsolv: Heap overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44576 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-44577 | | | | libsolv: Heap overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44577 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| libssh | CVE-2021-3634 | LOW | 0.9.4-3.el8 | | libssh: possible heap-based |
| | | | | | buffer overflow when rekeying |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3634 |
+---------------------+ + + +---------------+ +
| libssh-config | | | | | |
| | | | | | |
| | | | | | |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| libstdc++ | CVE-2018-20673 | MEDIUM | 8.5.0-4.el8_5 | | libiberty: Integer overflow in |
| | | | | | demangle_template() function |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20673 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-42694 | | | | Developer environment: |
| | | | | | Homoglyph characters can |
| | | | | | lead to trojan source attack |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-42694 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-27943 | | | | : binutils: libiberty/rust-demangle.c |
| | | | | | in GNU GCC 11.2 allows stack |
| | | | | | exhaustion in demangle_const... |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27943 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2018-20657 | LOW | | | libiberty: Memory leak in |
| | | | | | demangle_template function |
| | | | | | resulting in a denial of service... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20657 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-14250 | | | | binutils: integer overflow in |
| | | | | | simple-object-elf.c leads to |
| | | | | | a heap-based buffer overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-14250 |
+---------------------+------------------+ +--------------------+---------------+-----------------------------------------+
| libtasn1 | CVE-2018-1000654 | | 4.13-3.el8 | | libtasn1: Infinite loop in |
| | | | | | _asn1_expand_object_id(ptree) |
| | | | | | leads to memory exhaustion |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-1000654 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| libxml2 | CVE-2022-29824 | MEDIUM | 2.9.7-12.el8_5 | | libxml2: integer overflows |
| | | | | | in xmlBuf and xmlBuffer |
| | | | | | lead to out-of-bounds write |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-29824 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| libzstd | CVE-2021-24032 | LOW | 1.4.4-1.el8 | | zstd: Race condition |
| | | | | | allows attacker to access |
| | | | | | world-readable destination file |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-24032 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| lz4-libs | CVE-2019-17543 | MEDIUM | 1.8.3-3.el8_4 | | lz4: heap-based buffer |
| | | | | | overflow in LZ4_write32 |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-17543 |
+---------------------+------------------+ +--------------------+---------------+-----------------------------------------+
| ncurses-base | CVE-2021-39537 | | 6.1-9.20180224.el8 | | ncurses: heap-based buffer overflow |
| | | | | | in _nc_captoinfo() in captoinfo.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-39537 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2018-19211 | LOW | | | ncurses: Null pointer |
| | | | | | dereference at function |
| | | | | | _nc_parse_entry in parse_entry.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-19211 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2018-19217 | | | | ncurses: Null pointer dereference |
| | | | | | at function _nc_name_match |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-19217 |
+---------------------+------------------+----------+ +---------------+-----------------------------------------+
| ncurses-libs | CVE-2021-39537 | MEDIUM | | | ncurses: heap-based buffer overflow |
| | | | | | in _nc_captoinfo() in captoinfo.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-39537 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2018-19211 | LOW | | | ncurses: Null pointer |
| | | | | | dereference at function |
| | | | | | _nc_parse_entry in parse_entry.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-19211 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2018-19217 | | | | ncurses: Null pointer dereference |
| | | | | | at function _nc_name_match |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-19217 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| nettle | CVE-2021-3580 | MEDIUM | 3.4.1-7.el8 | | nettle: Remote crash |
| | | | | | in RSA decryption via |
| | | | | | manipulated ciphertext |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3580 |
+---------------------+------------------+ +--------------------+---------------+-----------------------------------------+
| nss | CVE-2020-12401 | | 3.67.0-7.el8_5 | | nss: ECDSA timing |
| | | | | | attack mitigation bypass |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12401 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2020-12413 | LOW | | | nss: Information exposure when |
| | | | | | DH secret are reused across |
| | | | | | multiple TLS connections... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12413 |
+---------------------+------------------+----------+ +---------------+-----------------------------------------+
| nss-softokn | CVE-2020-12401 | MEDIUM | | | nss: ECDSA timing |
| | | | | | attack mitigation bypass |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12401 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2020-12413 | LOW | | | nss: Information exposure when |
| | | | | | DH secret are reused across |
| | | | | | multiple TLS connections... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12413 |
+---------------------+------------------+----------+ +---------------+-----------------------------------------+
| nss-softokn-freebl | CVE-2020-12401 | MEDIUM | | | nss: ECDSA timing |
| | | | | | attack mitigation bypass |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12401 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2020-12413 | LOW | | | nss: Information exposure when |
| | | | | | DH secret are reused across |
| | | | | | multiple TLS connections... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12413 |
+---------------------+------------------+----------+ +---------------+-----------------------------------------+
| nss-sysinit | CVE-2020-12401 | MEDIUM | | | nss: ECDSA timing |
| | | | | | attack mitigation bypass |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12401 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2020-12413 | LOW | | | nss: Information exposure when |
| | | | | | DH secret are reused across |
| | | | | | multiple TLS connections... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12413 |
+---------------------+------------------+----------+ +---------------+-----------------------------------------+
| nss-util | CVE-2020-12401 | MEDIUM | | | nss: ECDSA timing |
| | | | | | attack mitigation bypass |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12401 |
+ +------------------+----------+ +---------------+-----------------------------------------+
| | CVE-2020-12413 | LOW | | | nss: Information exposure when |
| | | | | | DH secret are reused across |
| | | | | | multiple TLS connections... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12413 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| openldap | CVE-2022-29155 | MEDIUM | 2.4.46-18.el8 | | openldap: OpenLDAP SQL injection |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-29155 |
+---------------------+------------------+ +--------------------+---------------+-----------------------------------------+
| openssl-libs | CVE-2021-3712 | | 1:1.1.1k-6.el8_5 | | openssl: Read buffer overruns |
| | | | | | processing ASN.1 strings |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3712 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2022-1292 | | | | openssl: c_rehash script |
| | | | | | allows command injection |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-1292 |
+---------------------+------------------+ +--------------------+---------------+-----------------------------------------+
| pcre2 | CVE-2022-1586 | | 10.32-2.el8 | | pcre2: Out-of-bounds read in |
| | | | | | compile_xclass_matchingpath |
| | | | | | in pcre2_jit_compile.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-1586 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| platform-python-pip | CVE-2018-20225 | LOW | 9.0.3-20.el8 | | python-pip: when --extra-index-url |
| | | | | | option is used and package |
| | | | | | does not already exist... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20225 |
+---------------------+ + + +---------------+ +
| python3-pip-wheel | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| rpm | CVE-2021-35937 | MEDIUM | 4.14.3-19.el8_5.2 | | rpm: TOCTOU race in |
| | | | | | checks for unsafe symlinks |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-35937 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-35938 | | | | rpm: races with |
| | | | | | chown/chmod/capabilities |
| | | | | | calls during installation |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-35938 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-35939 | | | | rpm: checks for unsafe |
| | | | | | symlinks are not performed |
| | | | | | for intermediary directories |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-35939 |
+---------------------+------------------+ + +---------------+-----------------------------------------+
| rpm-libs | CVE-2021-35937 | | | | rpm: TOCTOU race in |
| | | | | | checks for unsafe symlinks |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-35937 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-35938 | | | | rpm: races with |
| | | | | | chown/chmod/capabilities |
| | | | | | calls during installation |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-35938 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-35939 | | | | rpm: checks for unsafe |
| | | | | | symlinks are not performed |
| | | | | | for intermediary directories |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-35939 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| sqlite-libs | CVE-2019-19244 | LOW | 3.26.0-15.el8 | | sqlite: allows a crash |
| | | | | | if a sub-select uses both |
| | | | | | DISTINCT and window... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-19244 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-9936 | | | | sqlite: heap-based buffer |
| | | | | | over-read in function |
| | | | | | fts5HashEntrySort in sqlite3.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-9936 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2019-9937 | | | | sqlite: null-pointer |
| | | | | | dereference in function |
| | | | | | fts5ChunkIterate in sqlite3.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-9937 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-45346 | | | | sqlite: crafted SQL query |
| | | | | | allows a malicious user to |
| | | | | | obtain sensitive information... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-45346 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| systemd-libs | CVE-2018-20839 | MEDIUM | 239-51.el8_5.5 | | systemd: mishandling of the |
| | | | | | current keyboard mode check |
| | | | | | leading to passwords being... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20839 |
+ +------------------+ + +---------------+-----------------------------------------+
| | CVE-2021-3997 | | | | systemd: Uncontrolled recursion in |
| | | | | | systemd-tmpfiles when removing files |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3997 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| zlib | CVE-2018-25032 | HIGH | 1.2.11-18.el8_5 | | zlib: A flaw found in |
| | | | | | zlib when compressing (not |
| | | | | | decompressing) certain inputs... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-25032 |
+---------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
Java (jar)
==========
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
docker run --privileged --rm -v /home/tom/.trivy/cache:/root/.cache/ -v /var/run/docker.sock:/var/run/docker.sock:z aquasec/trivy:0.27.1 image thomasdarimont/custom-keycloakx:1.0.0-SNAPSHOT
2022-05-08T20:55:26.819Z INFO Detected OS: alpine
2022-05-08T20:55:26.819Z INFO Detecting Alpine vulnerabilities...
2022-05-08T20:55:26.823Z INFO Number of language-specific files: 1
2022-05-08T20:55:26.823Z INFO Detecting jar vulnerabilities...
thomasdarimont/custom-keycloakx:1.0.0-SNAPSHOT (alpine 3.15.4)
==============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
Java (jar)
==========
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
docker run --privileged --rm -v /home/tom/.trivy/cache:/root/.cache/ -v /var/run/docker.sock:/var/run/docker.sock:z aquasec/trivy:0.27.1 image quay.io/keycloak/keycloak:18.0.0
2022-05-07T10:49:55.396Z INFO Detecting RHEL/CentOS vulnerabilities...
2022-05-07T10:49:55.416Z INFO Number of language-specific files: 1
2022-05-07T10:49:55.416Z INFO Detecting jar vulnerabilities...
quay.io/keycloak/keycloak:18.0.0 (redhat 8.5)
=============================================
Total: 104 (UNKNOWN: 0, LOW: 37, MEDIUM: 65, HIGH: 2, CRITICAL: 0)
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
| avahi-libs | CVE-2021-3468 | MEDIUM | 0.7-20.el8 | | avahi: Local DoS by event-busy-loop |
| | | | | | from writing long lines to |
| | | | | | /run/avahi-daemon/socket |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3468 |
+ +------------------+----------+ +-----------------+-----------------------------------------+
| | CVE-2017-6519 | LOW | | | avahi: Multicast DNS |
| | | | | | responds to unicast queries |
| | | | | | outside of local network |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-6519 |
+---------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
| bzip2-libs | CVE-2019-12900 | | 1.0.6-26.el8 | | bzip2: out-of-bounds write |
| | | | | | in function BZ2_decompress |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-12900 |
+---------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
| cups-libs | CVE-2021-25317 | | 1:2.2.6-40.el8 | | cups: insecure permissions |
| | | | | | of /var/log/cups allows |
| | | | | | for symlink attacks |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-25317 |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
| curl | CVE-2022-22576 | MEDIUM | 7.61.1-22.el8 | | curl: OAUTH2 bearer bypass |
| | | | | | in connection re-use |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22576 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2022-27774 | | | | curl: credential leak on redirect |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27774 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2022-27776 | | | | curl: auth/cookie leak on redirect |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27776 |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
| dbus-libs | CVE-2020-35512 | LOW | 1:1.12.8-14.el8 | | dbus: users with the same numeric UID |
| | | | | | could lead to use-after-free and... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-35512 |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
| expat | CVE-2021-45960 | MEDIUM | 2.2.5-4.el8_5.3 | | expat: Large number of prefixed XML |
| | | | | | attributes on a single tag can... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-45960 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2021-46143 | | | | expat: Integer overflow |
| | | | | | in doProlog in xmlparse.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-46143 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2022-22822 | | | | expat: Integer overflow in |
| | | | | | addBinding in xmlparse.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22822 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2022-22823 | | | | expat: Integer overflow in |
| | | | | | build_model in xmlparse.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22823 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2022-22824 | | | | expat: Integer overflow in |
| | | | | | defineAttribute in xmlparse.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22824 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2022-22825 | | | | expat: Integer overflow |
| | | | | | in lookup in xmlparse.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22825 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2022-22826 | | | | expat: Integer overflow in |
| | | | | | nextScaffoldPart in xmlparse.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22826 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2022-22827 | | | | expat: Integer overflow |
| | | | | | in storeAtts in xmlparse.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22827 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2022-25314 | | | | expat: integer overflow |
| | | | | | in copyString() |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-25314 |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
| file-libs | CVE-2019-8905 | LOW | 5.33-20.el8 | | file: stack-based buffer over-read |
| | | | | | in do_core_note in readelf.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-8905 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2019-8906 | | | | file: out-of-bounds read in |
| | | | | | do_core_note in readelf.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-8906 |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
| freetype | CVE-2022-27404 | MEDIUM | 2.9.1-4.el8_3.1 | | FreeType: Buffer Overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27404 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2022-27405 | | | | FreeType: Segementation Fault |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27405 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2022-27406 | | | | Freetype: Segmentation violation |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27406 |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
| glib2 | CVE-2018-16428 | LOW | 2.56.4-156.el8 | | glib2: NULL pointer dereference in |
| | | | | | g_markup_parse_context_end_parse() |
| | | | | | function in gmarkup.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-16428 |
+---------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
| gmp | CVE-2021-43618 | | 1:6.1.2-10.el8 | | gmp: Integer overflow and resultant |
| | | | | | buffer overflow via crafted input |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-43618 |
+---------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
| gnutls | CVE-2021-4209 | | 3.6.16-4.el8 | | GnuTLS: Null pointer |
| | | | | | dereference in MD_UPDATE |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-4209 |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
| krb5-libs | CVE-2020-17049 | MEDIUM | 1.18.2-14.el8 | | Kerberos: delegation |
| | | | | | constrain bypass in S4U2Proxy |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-17049 |
+---------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
| lcms2 | CVE-2018-16435 | | 2.9-2.el8 | | lcms2: Integer overflow |
| | | | | | in AllocateDataSet() in |
| | | | | | cmscgats.c leading to |
| | | | | | heap-based buffer overflow... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-16435 |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
| libarchive | CVE-2022-26280 | HIGH | 3.3.3-3.el8_5 | | libarchive: an out-of-bounds read via |
| | | | | | the component zipx_lzma_alone_init |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-26280 |
+ +------------------+----------+ +-----------------+-----------------------------------------+
| | CVE-2020-21674 | MEDIUM | | | libarchive: heap-based |
| | | | | | buffer overflow in |
| | | | | | archive_string_append_from_wcs |
| | | | | | function in archive_string.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-21674 |
+ +------------------+----------+ +-----------------+-----------------------------------------+
| | CVE-2017-14166 | LOW | | | libarchive: Heap-based buffer |
| | | | | | over-read in the atol8 function |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-14166 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2017-14501 | | | | libarchive: Out-of-bounds |
| | | | | | read in parse_file_info |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-14501 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2018-1000879 | | | | libarchive: NULL pointer dereference in |
| | | | | | ACL parser resulting in a denial of... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-1000879 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2018-1000880 | | | | libarchive: Improper input |
| | | | | | validation in WARC parser |
| | | | | | resulting in a denial of... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-1000880 |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
| libcom_err | CVE-2022-1304 | MEDIUM | 1.45.6-2.el8 | | e2fsprogs: out-of-bounds |
| | | | | | read/write via crafted filesystem |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-1304 |
+---------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
| libcurl | CVE-2022-22576 | | 7.61.1-22.el8 | | curl: OAUTH2 bearer bypass |
| | | | | | in connection re-use |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-22576 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2022-27774 | | | | curl: credential leak on redirect |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27774 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2022-27776 | | | | curl: auth/cookie leak on redirect |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27776 |
+---------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
| libgcc | CVE-2018-20673 | | 8.5.0-4.el8_5 | | libiberty: Integer overflow in |
| | | | | | demangle_template() function |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20673 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2021-42694 | | | | Developer environment: |
| | | | | | Homoglyph characters can |
| | | | | | lead to trojan source attack |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-42694 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2022-27943 | | | | : binutils: libiberty/rust-demangle.c |
| | | | | | in GNU GCC 11.2 allows stack |
| | | | | | exhaustion in demangle_const... |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27943 |
+ +------------------+----------+ +-----------------+-----------------------------------------+
| | CVE-2018-20657 | LOW | | | libiberty: Memory leak in |
| | | | | | demangle_template function |
| | | | | | resulting in a denial of service... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20657 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2019-14250 | | | | binutils: integer overflow in |
| | | | | | simple-object-elf.c leads to |
| | | | | | a heap-based buffer overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-14250 |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
| libgcrypt | CVE-2019-12904 | MEDIUM | 1.8.5-6.el8 | | Libgcrypt: physical addresses |
| | | | | | being available to other processes |
| | | | | | leads to a flush-and-reload... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-12904 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2021-40528 | | | | libgcrypt: ElGamal implementation |
| | | | | | allows plaintext recovery |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-40528 |
+---------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
| libjpeg-turbo | CVE-2019-2201 | | 1.5.3-12.el8 | | libjpeg-turbo: several integer |
| | | | | | overflows and subsequent |
| | | | | | segfaults when attempting to |
| | | | | | compress/decompress gigapixel... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-2201 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2020-13790 | | | | libjpeg-turbo: heap-based buffer |
| | | | | | over-read in get_rgb_row() in rdppm.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-13790 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2020-17541 | | | | libjpeg-turbo: Stack-based buffer |
| | | | | | overflow in the "transform" component |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-17541 |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
| libpng | CVE-2019-7317 | LOW | 2:1.6.34-5.el8 | | libpng: use-after-free in |
| | | | | | png_image_free in png.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-7317 |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
| libsolv | CVE-2021-44568 | MEDIUM | 0.7.19-1.el8 | | libsolv: heap-overflows in |
| | | | | | resolve_dependencies function |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44568 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2021-44569 | | | | libsolv: Heap overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44569 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2021-44570 | | | | libsolv: Heap overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44570 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2021-44571 | | | | libsolv: Heap overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44571 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2021-44573 | | | | libsolv: Heap overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44573 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2021-44574 | | | | libsolv: Heap overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44574 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2021-44575 | | | | libsolv: Heap overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44575 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2021-44576 | | | | libsolv: Heap overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44576 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2021-44577 | | | | libsolv: Heap overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-44577 |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
| libssh | CVE-2021-3634 | LOW | 0.9.4-3.el8 | | libssh: possible heap-based |
| | | | | | buffer overflow when rekeying |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3634 |
+---------------------+ + + +-----------------+ +
| libssh-config | | | | | |
| | | | | | |
| | | | | | |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
| libstdc++ | CVE-2018-20673 | MEDIUM | 8.5.0-4.el8_5 | | libiberty: Integer overflow in |
| | | | | | demangle_template() function |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20673 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2021-42694 | | | | Developer environment: |
| | | | | | Homoglyph characters can |
| | | | | | lead to trojan source attack |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-42694 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2022-27943 | | | | : binutils: libiberty/rust-demangle.c |
| | | | | | in GNU GCC 11.2 allows stack |
| | | | | | exhaustion in demangle_const... |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-27943 |
+ +------------------+----------+ +-----------------+-----------------------------------------+
| | CVE-2018-20657 | LOW | | | libiberty: Memory leak in |
| | | | | | demangle_template function |
| | | | | | resulting in a denial of service... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20657 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2019-14250 | | | | binutils: integer overflow in |
| | | | | | simple-object-elf.c leads to |
| | | | | | a heap-based buffer overflow |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-14250 |
+---------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
| libtasn1 | CVE-2018-1000654 | | 4.13-3.el8 | | libtasn1: Infinite loop in |
| | | | | | _asn1_expand_object_id(ptree) |
| | | | | | leads to memory exhaustion |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-1000654 |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
| libxml2 | CVE-2022-29824 | MEDIUM | 2.9.7-12.el8_5 | | libxml2: integer overflows |
| | | | | | in xmlBuf and xmlBuffer |
| | | | | | lead to out-of-bounds write |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-29824 |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
| libzstd | CVE-2021-24032 | LOW | 1.4.4-1.el8 | | zstd: Race condition |
| | | | | | allows attacker to access |
| | | | | | world-readable destination file |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-24032 |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
| lz4-libs | CVE-2019-17543 | MEDIUM | 1.8.3-3.el8_4 | | lz4: heap-based buffer |
| | | | | | overflow in LZ4_write32 |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-17543 |
+---------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
| ncurses-base | CVE-2021-39537 | | 6.1-9.20180224.el8 | | ncurses: heap-based buffer overflow |
| | | | | | in _nc_captoinfo() in captoinfo.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-39537 |
+ +------------------+----------+ +-----------------+-----------------------------------------+
| | CVE-2018-19211 | LOW | | | ncurses: Null pointer |
| | | | | | dereference at function |
| | | | | | _nc_parse_entry in parse_entry.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-19211 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2018-19217 | | | | ncurses: Null pointer dereference |
| | | | | | at function _nc_name_match |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-19217 |
+---------------------+------------------+----------+ +-----------------+-----------------------------------------+
| ncurses-libs | CVE-2021-39537 | MEDIUM | | | ncurses: heap-based buffer overflow |
| | | | | | in _nc_captoinfo() in captoinfo.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-39537 |
+ +------------------+----------+ +-----------------+-----------------------------------------+
| | CVE-2018-19211 | LOW | | | ncurses: Null pointer |
| | | | | | dereference at function |
| | | | | | _nc_parse_entry in parse_entry.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-19211 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2018-19217 | | | | ncurses: Null pointer dereference |
| | | | | | at function _nc_name_match |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-19217 |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
| nettle | CVE-2021-3580 | MEDIUM | 3.4.1-7.el8 | | nettle: Remote crash |
| | | | | | in RSA decryption via |
| | | | | | manipulated ciphertext |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3580 |
+---------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
| nss | CVE-2020-12401 | | 3.67.0-7.el8_5 | | nss: ECDSA timing |
| | | | | | attack mitigation bypass |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12401 |
+ +------------------+----------+ +-----------------+-----------------------------------------+
| | CVE-2020-12413 | LOW | | | nss: Information exposure when |
| | | | | | DH secret are reused across |
| | | | | | multiple TLS connections... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12413 |
+---------------------+------------------+----------+ +-----------------+-----------------------------------------+
| nss-softokn | CVE-2020-12401 | MEDIUM | | | nss: ECDSA timing |
| | | | | | attack mitigation bypass |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12401 |
+ +------------------+----------+ +-----------------+-----------------------------------------+
| | CVE-2020-12413 | LOW | | | nss: Information exposure when |
| | | | | | DH secret are reused across |
| | | | | | multiple TLS connections... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12413 |
+---------------------+------------------+----------+ +-----------------+-----------------------------------------+
| nss-softokn-freebl | CVE-2020-12401 | MEDIUM | | | nss: ECDSA timing |
| | | | | | attack mitigation bypass |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12401 |
+ +------------------+----------+ +-----------------+-----------------------------------------+
| | CVE-2020-12413 | LOW | | | nss: Information exposure when |
| | | | | | DH secret are reused across |
| | | | | | multiple TLS connections... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12413 |
+---------------------+------------------+----------+ +-----------------+-----------------------------------------+
| nss-sysinit | CVE-2020-12401 | MEDIUM | | | nss: ECDSA timing |
| | | | | | attack mitigation bypass |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12401 |
+ +------------------+----------+ +-----------------+-----------------------------------------+
| | CVE-2020-12413 | LOW | | | nss: Information exposure when |
| | | | | | DH secret are reused across |
| | | | | | multiple TLS connections... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12413 |
+---------------------+------------------+----------+ +-----------------+-----------------------------------------+
| nss-util | CVE-2020-12401 | MEDIUM | | | nss: ECDSA timing |
| | | | | | attack mitigation bypass |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12401 |
+ +------------------+----------+ +-----------------+-----------------------------------------+
| | CVE-2020-12413 | LOW | | | nss: Information exposure when |
| | | | | | DH secret are reused across |
| | | | | | multiple TLS connections... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-12413 |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
| openldap | CVE-2022-29155 | MEDIUM | 2.4.46-18.el8 | | openldap: OpenLDAP SQL injection |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-29155 |
+---------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
| openssl-libs | CVE-2021-3712 | | 1:1.1.1k-6.el8_5 | | openssl: Read buffer overruns |
| | | | | | processing ASN.1 strings |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3712 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2022-1292 | | | | openssl: c_rehash script |
| | | | | | allows command injection |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-1292 |
+---------------------+------------------+ +--------------------+-----------------+-----------------------------------------+
| pcre2 | CVE-2022-1586 | | 10.32-2.el8 | | pcre2: Out-of-bounds read in |
| | | | | | compile_xclass_matchingpath |
| | | | | | in pcre2_jit_compile.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-1586 |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
| platform-python-pip | CVE-2018-20225 | LOW | 9.0.3-20.el8 | | python-pip: when --extra-index-url |
| | | | | | option is used and package |
| | | | | | does not already exist... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20225 |
+---------------------+ + + +-----------------+ +
| python3-pip-wheel | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
| rpm | CVE-2021-35937 | MEDIUM | 4.14.3-19.el8_5.2 | | rpm: TOCTOU race in |
| | | | | | checks for unsafe symlinks |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-35937 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2021-35938 | | | | rpm: races with |
| | | | | | chown/chmod/capabilities |
| | | | | | calls during installation |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-35938 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2021-35939 | | | | rpm: checks for unsafe |
| | | | | | symlinks are not performed |
| | | | | | for intermediary directories |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-35939 |
+---------------------+------------------+ + +-----------------+-----------------------------------------+
| rpm-libs | CVE-2021-35937 | | | | rpm: TOCTOU race in |
| | | | | | checks for unsafe symlinks |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-35937 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2021-35938 | | | | rpm: races with |
| | | | | | chown/chmod/capabilities |
| | | | | | calls during installation |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-35938 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2021-35939 | | | | rpm: checks for unsafe |
| | | | | | symlinks are not performed |
| | | | | | for intermediary directories |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-35939 |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
| sqlite-libs | CVE-2019-19244 | LOW | 3.26.0-15.el8 | | sqlite: allows a crash |
| | | | | | if a sub-select uses both |
| | | | | | DISTINCT and window... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-19244 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2019-9936 | | | | sqlite: heap-based buffer |
| | | | | | over-read in function |
| | | | | | fts5HashEntrySort in sqlite3.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-9936 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2019-9937 | | | | sqlite: null-pointer |
| | | | | | dereference in function |
| | | | | | fts5ChunkIterate in sqlite3.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-9937 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2021-45346 | | | | sqlite: crafted SQL query |
| | | | | | allows a malicious user to |
| | | | | | obtain sensitive information... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-45346 |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
| systemd-libs | CVE-2018-20839 | MEDIUM | 239-51.el8_5.5 | | systemd: mishandling of the |
| | | | | | current keyboard mode check |
| | | | | | leading to passwords being... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-20839 |
+ +------------------+ + +-----------------+-----------------------------------------+
| | CVE-2021-3997 | | | | systemd: Uncontrolled recursion in |
| | | | | | systemd-tmpfiles when removing files |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3997 |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
| zlib | CVE-2018-25032 | HIGH | 1.2.11-17.el8 | 1.2.11-18.el8_5 | zlib: A flaw found in |
| | | | | | zlib when compressing (not |
| | | | | | decompressing) certain inputs... |
| | | | | | -->avd.aquasec.com/nvd/cve-2018-25032 |
+---------------------+------------------+----------+--------------------+-----------------+-----------------------------------------+
2022-05-07T10:49:55.445Z INFO Table result includes only package filenames. Use '--format json' option to get the full path to the package file.
Java (jar)
==========
Total: 5 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 3)
+---------------------------------------------------------+------------------+----------+-------------------+--------------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------------------------------------------------------+------------------+----------+-------------------+--------------------+---------------------------------------+
| com.fasterxml.jackson.core:jackson-databind | CVE-2020-36518 | HIGH | 2.11.4 | 2.12.6.1, 2.13.2.1 | jackson-databind: denial of service |
| (org.wildfly.security.wildfly-elytron-1.18.3.Final.jar) | | | | | via a large depth of nested objects |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-36518 |
+---------------------------------------------------------+------------------+----------+-------------------+--------------------+---------------------------------------+
| com.h2database:h2 | CVE-2021-23463 | CRITICAL | 1.4.197 | 2.0.202 | h2database: XXE |
| (com.h2database.h2-1.4.197.jar) | | | | | injection vulnerability |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23463 |
+ +------------------+ + +--------------------+---------------------------------------+
| | CVE-2021-42392 | | | 2.0.206 | h2: Remote Code Execution in Console |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-42392 |
+ +------------------+ + +--------------------+---------------------------------------+
| | CVE-2022-23221 | | | 2.1.210 | h2: Loading of custom classes |
| | | | | | from remote servers through JNDI |
| | | | | | -->avd.aquasec.com/nvd/cve-2022-23221 |
+ +------------------+----------+ +--------------------+---------------------------------------+
| | GMS-2022-7 | UNKNOWN | | 2.0.206 | Improper Neutralization of |
| | | | | | Special Elements used in an OS |
| | | | | | Command ('OS Command... |
+---------------------------------------------------------+------------------+----------+-------------------+--------------------+---------------------------------------+