github.com/argoproj/argo-cd/v2@v2.10.5/docs/snyk/v2.9.0-rc3/quay.io_argoproj_argocd_v2.9.0-rc3.html (about) 1 <!DOCTYPE html> 2 <html lang="en"> 3 4 <head> 5 <meta http-equiv="Content-type" content="text/html; charset=utf-8"> 6 <meta http-equiv="Content-Language" content="en-us"> 7 <meta name="viewport" content="width=device-width, initial-scale=1.0"> 8 <meta http-equiv="X-UA-Compatible" content="IE=edge"> 9 <title>Snyk test report</title> 10 <meta name="description" content="30 known vulnerabilities found in 99 vulnerable dependency paths."> 11 <base target="_blank"> 12 <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png" 13 sizes="194x194"> 14 <link rel="shortcut icon" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.ico"> 15 <style type="text/css"> 16 17 body { 18 -moz-font-feature-settings: "pnum"; 19 -webkit-font-feature-settings: "pnum"; 20 font-variant-numeric: proportional-nums; 21 display: flex; 22 flex-direction: column; 23 font-feature-settings: "pnum"; 24 font-size: 100%; 25 line-height: 1.5; 26 min-height: 100vh; 27 -webkit-text-size-adjust: 100%; 28 margin: 0; 29 padding: 0; 30 background-color: #F5F5F5; 31 font-family: 'Arial', 'Helvetica', Calibri, sans-serif; 32 } 33 34 h1, 35 h2, 36 h3, 37 h4, 38 h5, 39 h6 { 40 font-weight: 500; 41 } 42 43 a, 44 a:link, 45 a:visited { 46 border-bottom: 1px solid #4b45a9; 47 text-decoration: none; 48 color: #4b45a9; 49 } 50 51 a:hover, 52 a:focus, 53 a:active { 54 border-bottom: 1px solid #4b45a9; 55 } 56 57 hr { 58 border: none; 59 margin: 1em 0; 60 border-top: 1px solid #c5c5c5; 61 } 62 63 ul { 64 padding: 0 1em; 65 margin: 1em 0; 66 } 67 68 code { 69 background-color: #EEE; 70 color: #333; 71 padding: 0.25em 0.5em; 72 border-radius: 0.25em; 73 } 74 75 pre { 76 background-color: #333; 77 font-family: monospace; 78 padding: 0.5em 1em 0.75em; 79 border-radius: 0.25em; 80 font-size: 14px; 81 } 82 83 pre code { 84 padding: 
0; 85 background-color: transparent; 86 color: #fff; 87 } 88 89 a code { 90 border-radius: .125rem .125rem 0 0; 91 padding-bottom: 0; 92 color: #4b45a9; 93 } 94 95 a[href^="http://"]:after, 96 a[href^="https://"]:after { 97 background-image: linear-gradient(transparent,transparent),url("data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%20112%20109%22%3E%3Cg%20id%3D%22Page-1%22%20fill%3D%22none%22%20fill-rule%3D%22evenodd%22%3E%3Cg%20id%3D%22link-external%22%3E%3Cg%20id%3D%22arrow%22%3E%3Cpath%20id%3D%22Line%22%20stroke%3D%22%234B45A9%22%20stroke-width%3D%2215%22%20d%3D%22M88.5%2021l-43%2042.5%22%20stroke-linecap%3D%22square%22%2F%3E%3Cpath%20id%3D%22Triangle%22%20fill%3D%22%234B45A9%22%20d%3D%22M111.2%200v50L61%200z%22%2F%3E%3C%2Fg%3E%3Cpath%20id%3D%22square%22%20fill%3D%22%234B45A9%22%20d%3D%22M66%2015H0v94h94V44L79%2059v35H15V30h36z%22%2F%3E%3C%2Fg%3E%3C%2Fg%3E%3C%2Fsvg%3E"); 98 background-repeat: no-repeat; 99 background-size: .75rem; 100 content: ""; 101 display: inline-block; 102 height: .75rem; 103 margin-left: .25rem; 104 width: .75rem; 105 } 106 107 108 /* Layout */ 109 110 [class*=layout-container] { 111 margin: 0 auto; 112 max-width: 71.25em; 113 padding: 1.9em 1.3em; 114 position: relative; 115 } 116 .layout-container--short { 117 padding-top: 0; 118 padding-bottom: 0; 119 max-width: 48.75em; 120 } 121 122 .layout-container--short:after { 123 display: block; 124 content: ""; 125 clear: both; 126 } 127 128 /* Header */ 129 130 .header { 131 padding-bottom: 1px; 132 } 133 134 .paths { 135 margin-left: 8px; 136 } 137 .header-wrap { 138 display: flex; 139 flex-direction: row; 140 justify-content: space-between; 141 padding-top: 2em; 142 } 143 .project__header { 144 background-color: #4b45a9; 145 color: #fff; 146 margin-bottom: -1px; 147 padding-top: 1em; 148 padding-bottom: 0.25em; 149 border-bottom: 2px solid #BBB; 150 } 151 152 .project__header__title { 153 overflow-wrap: break-word; 154 word-wrap: 
break-word; 155 word-break: break-all; 156 margin-bottom: .1em; 157 margin-top: 0; 158 } 159 160 .timestamp { 161 float: right; 162 clear: none; 163 margin-bottom: 0; 164 } 165 166 .meta-counts { 167 clear: both; 168 display: block; 169 flex-wrap: wrap; 170 justify-content: space-between; 171 margin: 0 0 1.5em; 172 color: #fff; 173 clear: both; 174 font-size: 1.1em; 175 } 176 177 .meta-count { 178 display: block; 179 flex-basis: 100%; 180 margin: 0 1em 1em 0; 181 float: left; 182 padding-right: 1em; 183 border-right: 2px solid #fff; 184 } 185 186 .meta-count:last-child { 187 border-right: 0; 188 padding-right: 0; 189 margin-right: 0; 190 } 191 192 /* Card */ 193 194 .card { 195 background-color: #fff; 196 border: 1px solid #c5c5c5; 197 border-radius: .25rem; 198 margin: 0 0 2em 0; 199 position: relative; 200 min-height: 40px; 201 padding: 1.5em; 202 } 203 204 .card .label { 205 background-color: #767676; 206 border: 2px solid #767676; 207 color: white; 208 padding: 0.25rem 0.75rem; 209 font-size: 0.875rem; 210 text-transform: uppercase; 211 display: inline-block; 212 margin: 0; 213 border-radius: 0.25rem; 214 } 215 216 .card .label__text { 217 vertical-align: text-top; 218 font-weight: bold; 219 } 220 221 .card .label--critical { 222 background-color: #AB1A1A; 223 border-color: #AB1A1A; 224 } 225 226 .card .label--high { 227 background-color: #CE5019; 228 border-color: #CE5019; 229 } 230 231 .card .label--medium { 232 background-color: #D68000; 233 border-color: #D68000; 234 } 235 236 .card .label--low { 237 background-color: #88879E; 238 border-color: #88879E; 239 } 240 241 .severity--low { 242 border-color: #88879E; 243 } 244 245 .severity--medium { 246 border-color: #D68000; 247 } 248 249 .severity--high { 250 border-color: #CE5019; 251 } 252 253 .severity--critical { 254 border-color: #AB1A1A; 255 } 256 257 .card--vuln { 258 padding-top: 4em; 259 } 260 261 .card--vuln .label { 262 left: 0; 263 position: absolute; 264 top: 1.1em; 265 padding-left: 1.9em; 266 
padding-right: 1.9em; 267 border-radius: 0 0.25rem 0.25rem 0; 268 } 269 270 .card--vuln .card__section h2 { 271 font-size: 22px; 272 margin-bottom: 0.5em; 273 } 274 275 .card--vuln .card__section p { 276 margin: 0 0 0.5em 0; 277 } 278 279 .card--vuln .card__meta { 280 padding: 0 0 0 1em; 281 margin: 0; 282 font-size: 1.1em; 283 } 284 285 .card .card__meta__paths { 286 font-size: 0.9em; 287 } 288 289 .card--vuln .card__title { 290 font-size: 28px; 291 margin-top: 0; 292 } 293 294 .card--vuln .card__cta p { 295 margin: 0; 296 text-align: right; 297 } 298 299 .source-panel { 300 clear: both; 301 display: flex; 302 justify-content: flex-start; 303 flex-direction: column; 304 align-items: flex-start; 305 padding: 0.5em 0; 306 width: fit-content; 307 } 308 309 310 311 </style> 312 <style type="text/css"> 313 .metatable { 314 text-size-adjust: 100%; 315 -webkit-font-smoothing: antialiased; 316 -webkit-box-direction: normal; 317 color: inherit; 318 font-feature-settings: "pnum"; 319 box-sizing: border-box; 320 background: transparent; 321 border: 0; 322 font: inherit; 323 font-size: 100%; 324 margin: 0; 325 outline: none; 326 padding: 0; 327 text-align: left; 328 text-decoration: none; 329 vertical-align: baseline; 330 z-index: auto; 331 margin-top: 12px; 332 border-collapse: collapse; 333 border-spacing: 0; 334 font-variant-numeric: tabular-nums; 335 max-width: 51.75em; 336 } 337 338 tbody { 339 text-size-adjust: 100%; 340 -webkit-font-smoothing: antialiased; 341 -webkit-box-direction: normal; 342 color: inherit; 343 font-feature-settings: "pnum"; 344 border-collapse: collapse; 345 border-spacing: 0; 346 box-sizing: border-box; 347 background: transparent; 348 border: 0; 349 font: inherit; 350 font-size: 100%; 351 margin: 0; 352 outline: none; 353 padding: 0; 354 text-align: left; 355 text-decoration: none; 356 vertical-align: baseline; 357 z-index: auto; 358 display: flex; 359 flex-wrap: wrap; 360 } 361 362 .meta-row { 363 text-size-adjust: 100%; 364 
-webkit-font-smoothing: antialiased; 365 -webkit-box-direction: normal; 366 color: inherit; 367 font-feature-settings: "pnum"; 368 border-collapse: collapse; 369 border-spacing: 0; 370 box-sizing: border-box; 371 background: transparent; 372 border: 0; 373 font: inherit; 374 font-size: 100%; 375 outline: none; 376 text-align: left; 377 text-decoration: none; 378 vertical-align: baseline; 379 z-index: auto; 380 display: flex; 381 align-items: start; 382 border-top: 1px solid #d3d3d9; 383 padding: 8px 0 0 0; 384 border-bottom: none; 385 margin: 8px; 386 width: 47.75%; 387 } 388 389 .meta-row-label { 390 text-size-adjust: 100%; 391 -webkit-font-smoothing: antialiased; 392 -webkit-box-direction: normal; 393 font-feature-settings: "pnum"; 394 border-collapse: collapse; 395 border-spacing: 0; 396 color: #4c4a73; 397 box-sizing: border-box; 398 background: transparent; 399 border: 0; 400 font: inherit; 401 margin: 0; 402 outline: none; 403 text-decoration: none; 404 z-index: auto; 405 align-self: start; 406 flex: 1; 407 font-size: 1rem; 408 line-height: 1.5rem; 409 padding: 0; 410 text-align: left; 411 vertical-align: top; 412 text-transform: none; 413 letter-spacing: 0; 414 } 415 416 .meta-row-value { 417 text-size-adjust: 100%; 418 -webkit-font-smoothing: antialiased; 419 -webkit-box-direction: normal; 420 color: inherit; 421 font-feature-settings: "pnum"; 422 border-collapse: collapse; 423 border-spacing: 0; 424 word-break: break-word; 425 box-sizing: border-box; 426 background: transparent; 427 border: 0; 428 font: inherit; 429 font-size: 100%; 430 margin: 0; 431 outline: none; 432 padding: 0; 433 text-align: right; 434 text-decoration: none; 435 vertical-align: baseline; 436 z-index: auto; 437 } 438 </style> 439 </head> 440 441 <body class="section-projects"> 442 <main class="layout-stacked"> 443 <div class="layout-stacked__header header"> 444 <header class="project__header"> 445 <div class="layout-container"> 446 <a class="brand" href="https://snyk.io" title="Snyk"> 
447 <svg width="68px" height="35px" viewBox="0 0 68 35" version="1.1" xmlns="http://www.w3.org/2000/svg" role="img"> 448 <title>Snyk - Open Source Security</title> 449 <g stroke="none" stroke-width="1" fill="none" fill-rule="evenodd"> 450 <g fill="#fff"> 451 <path d="M5.732,27.278 C3.445,27.278 1.589,26.885 0,26.124 L0.483,22.472 C2.163,23.296 4.056,23.689 5.643,23.689 C6.801,23.689 7.563,23.295 7.563,22.599 C7.563,20.594 0.333,21.076 0.333,15.839 C0.333,12.491 3.407,10.729 7.259,10.729 C9.179,10.729 11.161,11.249 12.444,11.704 L11.924,15.294 C10.577,14.774 8.747,14.291 7.222,14.291 C6.282,14.291 5.518,14.621 5.518,15.231 C5.518,17.208 12.903,16.815 12.903,21.925 C12.903,25.325 9.877,27.277 5.733,27.277 L5.732,27.278 Z M25.726,26.936 L25.726,17.894 C25.726,15.827 24.811,14.85 23.069,14.85 C22.219,14.85 21.329,15.09 20.719,15.46 L20.719,26.936 L15.352,26.936 L15.352,11.262 L20.602,10.83 L20.474,13.392 L20.652,13.392 C21.784,11.87 23.702,10.716 25.992,10.716 C28.736,10.716 31.112,12.416 31.112,16.436 L31.112,26.936 L25.724,26.936 L25.726,26.936 Z M61.175,26.936 L56.879,19.479 L56.446,19.479 L56.446,26.935 L51.082,26.935 L51.082,8.37 L56.447,0 L56.447,17.323 C57.515,16.017 61.112,11.059 61.112,11.059 L67.732,11.059 L61.454,17.689 L67.949,26.95 L61.175,26.95 L61.175,26.938 L61.175,26.936 Z M44.13,11.11 L41.93,18.262 C41.5,19.606 41.08,22.079 41.08,22.079 C41.08,22.079 40.75,19.516 40.292,18.172 L37.94,11.108 L31.928,11.108 L38.462,26.935 C37.572,29.04 36.199,30.815 34.369,30.815 C34.039,30.815 33.709,30.802 33.389,30.765 L31.255,34.061 C31.928,34.441 33.212,34.835 34.737,34.835 C38.703,34.835 41.359,31.627 43.215,26.885 L49.443,11.108 L44.132,11.108 L44.13,11.11 Z"></path> 452 </g> 453 </g> 454 </svg> 455 </a> 456 <div class="header-wrap"> 457 <h1 class="project__header__title">Snyk test report</h1> 458 459 <p class="timestamp">October 29th 2023, 12:18:58 am (UTC+00:00)</p> 460 </div> 461 <div class="source-panel"> 462 <span>Scanned the following paths:</span> 463 <ul> 
464 <li class="paths">quay.io/argoproj/argocd:v2.9.0-rc3/argoproj/argocd (deb)</li><li class="paths">quay.io/argoproj/argocd:v2.9.0-rc3/argoproj/argo-cd/v2 (gomodules)</li><li class="paths">quay.io/argoproj/argocd:v2.9.0-rc3 (gomodules)</li><li class="paths">quay.io/argoproj/argocd:v2.9.0-rc3/helm/v3 (gomodules)</li><li class="paths">quay.io/argoproj/argocd:v2.9.0-rc3/git-lfs/git-lfs (gomodules)</li> 465 </ul> 466 </div> 467 468 <div class="meta-counts"> 469 <div class="meta-count"><span>30</span> <span>known vulnerabilities</span></div> 470 <div class="meta-count"><span>99 vulnerable dependency paths</span></div> 471 <div class="meta-count"><span>2185</span> <span>dependencies</span></div> 472 </div><!-- .meta-counts --> 473 </div><!-- .layout-container--short --> 474 </header><!-- .project__header --> 475 </div><!-- .layout-stacked__header --> 476 477 <div class="layout-container" style="padding-top: 35px;"> 478 <div class="cards--vuln filter--patch filter--ignore"> 479 <div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high"> 480 <h2 class="card__title">Denial of Service (DoS)</h2> 481 <div class="card__section"> 482 483 <div class="label label--high"> 484 <span class="label__text">high severity</span> 485 </div> 486 487 <hr/> 488 489 <ul class="card__meta"> 490 <li class="card__meta__item"> 491 Package Manager: golang 492 </li> 493 <li class="card__meta__item"> 494 Vulnerable module: 495 496 google.golang.org/grpc 497 </li> 498 499 <li class="card__meta__item">Introduced through: 500 501 github.com/argoproj/argo-cd/v2@* and google.golang.org/grpc@v1.56.2 502 503 </li> 504 </ul> 505 506 <hr/> 507 508 509 <h3 class="card__section__title">Detailed paths</h3> 510 511 <ul class="card__meta__paths"> 512 <li> 513 <span class="list-paths__item__introduced"><em>Introduced through</em>: 514 github.com/argoproj/argo-cd/v2@* 515 <span class="list-paths__item__arrow">›</span> 516 google.golang.org/grpc@v1.56.2 517 518 </span> 519 520 </li> 521 
</ul><!-- .list-paths --> 522 523 </div><!-- .card__section --> 524 525 <hr/> 526 <!-- Overview --> 527 <h2 id="overview">Overview</h2> 528 <p><a href="https://pkg.go.dev/google.golang.org/grpc">google.golang.org/grpc</a> is a Go implementation of gRPC.</p> 529 <p>Affected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol (the HTTP/2 Rapid Reset issue, CVE-2023-44487, as named in the Snyk Blog reference below). An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.</p> 530 <h2 id="remediation">Remediation</h2> 531 <p>Upgrade <code>google.golang.org/grpc</code> to version 1.56.3, 1.57.1, 1.58.3 or higher. The path above resolves to v1.56.2, so 1.56.3 is the smallest fixing upgrade on that release line.</p> 532 <h2 id="references">References</h2> 533 <ul> 534 <li><a href="https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79">GitHub Commit</a></li> 535 <li><a href="https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49">GitHub Commit</a></li> 536 <li><a href="https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e">GitHub Commit</a></li> 537 <li><a href="https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148">GitHub Commit</a></li> 538 <li><a href="https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f">GitHub Commit</a></li> 539 <li><a href="https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5">GitHub Commit</a></li> 540 <li><a href="https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61">GitHub Commit</a></li> 541 <li><a href="https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832">GitHub Commit</a></li> 542 <li><a href="https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13">GitHub Commit</a></li> 543 <li><a href="https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/">Snyk Blog</a></li> 544 
<li><a href="https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/">Vulnerability Discovery</a></li> 545 <li><a href="https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack">Vulnerability Explanation</a></li> 546 <li><a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog">CISA - Known Exploited Vulnerabilities</a></li> 547 </ul> 548 549 <hr/> 550 551 <div class="cta card__cta"> 552 <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGGRPC-5953328">More about this vulnerability</a></p> 553 </div> 554 555 </div><!-- .card --> 556 <div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high"> 557 <h2 class="card__title">Denial of Service (DoS)</h2> 558 <div class="card__section"> 559 560 <div class="label label--high"> 561 <span class="label__text">high severity</span> 562 </div> 563 564 <hr/> 565 566 <ul class="card__meta"> 567 <li class="card__meta__item"> 568 Package Manager: golang 569 </li> 570 <li class="card__meta__item"> 571 Vulnerable module: 572 573 golang.org/x/net/http2 574 </li> 575 576 <li class="card__meta__item">Introduced through: 577 578 github.com/argoproj/argo-cd/v2@* and golang.org/x/net/http2@v0.15.0 579 580 </li> 581 </ul> 582 583 <hr/> 584 585 586 <h3 class="card__section__title">Detailed paths</h3> 587 588 <ul class="card__meta__paths"> 589 <li> 590 <span class="list-paths__item__introduced"><em>Introduced through</em>: 591 github.com/argoproj/argo-cd/v2@* 592 <span class="list-paths__item__arrow">›</span> 593 golang.org/x/net/http2@v0.15.0 594 595 </span> 596 597 </li> 598 <li> 599 <span class="list-paths__item__introduced"><em>Introduced through</em>: 600 helm.sh/helm/v3@* 601 <span class="list-paths__item__arrow">›</span> 602 golang.org/x/net/http2@v0.8.0 603 604 </span> 605 606 </li> 607 </ul><!-- .list-paths --> 608 609 </div><!-- .card__section --> 610 611 <hr/> 612 <!-- Overview --> 613 <h2 
id="overview">Overview</h2> 614 <p><a href="https://pkg.go.dev/golang.org/x/net@v0.0.0-20211209100829-84cba5454caf/http2#section-readme">golang.org/x/net/http2</a> is a work-in-progress HTTP/2 implementation for Go.</p> 615 <p>Affected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol (the HTTP/2 Rapid Reset issue, CVE-2023-44487, as named in the Snyk Blog reference below). An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.</p> 616 <h2 id="remediation">Remediation</h2> 617 <p>Upgrade <code>golang.org/x/net/http2</code> to version 0.17.0 or higher. Both detailed paths above are below this version (v0.15.0 via <code>github.com/argoproj/argo-cd/v2</code> and v0.8.0 via <code>helm.sh/helm/v3</code>), so each of the two needs its own dependency upgrade.</p> 618 <h2 id="references">References</h2> 619 <ul> 620 <li><a href="https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79">GitHub Commit</a></li> 621 <li><a href="https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49">GitHub Commit</a></li> 622 <li><a href="https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e">GitHub Commit</a></li> 623 <li><a href="https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148">GitHub Commit</a></li> 624 <li><a href="https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f">GitHub Commit</a></li> 625 <li><a href="https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5">GitHub Commit</a></li> 626 <li><a href="https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61">GitHub Commit</a></li> 627 <li><a href="https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832">GitHub Commit</a></li> 628 <li><a href="https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13">GitHub Commit</a></li> 629 <li><a href="https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/">Snyk Blog</a></li> 630 <li><a 
href="https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/">Vulnerability Discovery</a></li> 631 <li><a href="https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack">Vulnerability Explanation</a></li> 632 <li><a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog">CISA - Known Exploited Vulnerabilities</a></li> 633 </ul> 634 635 <hr/> 636 637 <div class="cta card__cta"> 638 <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327">More about this vulnerability</a></p> 639 </div> 640 641 </div><!-- .card --> 642 <div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high"> 643 <h2 class="card__title">Directory Traversal</h2> 644 <div class="card__section"> 645 646 <div class="label label--high"> 647 <span class="label__text">high severity</span> 648 </div> 649 650 <hr/> 651 652 <ul class="card__meta"> 653 <li class="card__meta__item"> 654 Package Manager: golang 655 </li> 656 <li class="card__meta__item"> 657 Vulnerable module: 658 659 github.com/cyphar/filepath-securejoin 660 </li> 661 662 <li class="card__meta__item">Introduced through: 663 664 helm.sh/helm/v3@* and github.com/cyphar/filepath-securejoin@v0.2.3 665 666 </li> 667 </ul> 668 669 <hr/> 670 671 672 <h3 class="card__section__title">Detailed paths</h3> 673 674 <ul class="card__meta__paths"> 675 <li> 676 <span class="list-paths__item__introduced"><em>Introduced through</em>: 677 helm.sh/helm/v3@* 678 <span class="list-paths__item__arrow">›</span> 679 github.com/cyphar/filepath-securejoin@v0.2.3 680 681 </span> 682 683 </li> 684 </ul><!-- .list-paths --> 685 686 </div><!-- .card__section --> 687 688 <hr/> 689 <!-- Overview --> 690 <h2 id="overview">Overview</h2> 691 <p>Affected versions of this package are vulnerable to Directory Traversal via the <code>filepath.FromSlash()</code> function, allowing attackers to generate paths that are outside of the provided 
<code>rootfs</code>.</p> 692 <p><strong>Note:</strong> 693 This vulnerability is only exploitable on Windows OS. The OS packages elsewhere in this report are listed under <code>ubuntu:22.04</code>, so the scanned image appears to be Linux-based; confirm that the affected <code>helm.sh/helm/v3</code> code is not also built for Windows before lowering the priority of this finding.</p> 694 <h2 id="details">Details</h2> 695 <p>A Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files.</p> 696 <p>Directory Traversal vulnerabilities can generally be divided into two types:</p> 697 <ul> 698 <li><strong>Information Disclosure</strong>: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.</li> 699 </ul> 700 <p><code>st</code> is a module for serving static files on web pages, and contains a <a href="https://snyk.io/vuln/npm:st:20140206">vulnerability of this type</a>. In our example, we will serve files from the <code>public</code> route.</p> 701 <p>If an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.</p> 702 <pre><code>curl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa 703 </code></pre> 704 <p><strong>Note</strong> <code>%2e</code> is the URL encoded version of <code>.</code> (dot).</p> 705 <ul> 706 <li><strong>Writing arbitrary files</strong>: Allows the attacker to create or replace existing files. This type of vulnerability is also known as <code>Zip-Slip</code>.</li> 707 </ul> 708 <p>One way to achieve this is by using a malicious <code>zip</code> archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. 
If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.</p> 709 <p>The following is an example of a <code>zip</code> archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in <code>/root/.ssh/</code> overwriting the <code>authorized_keys</code> file:</p> 710 <pre><code>2018-04-15 22:04:29 ..... 19 19 good.txt 711 2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys 712 </code></pre> 713 <h2 id="remediation">Remediation</h2> 714 <p>Upgrade <code>github.com/cyphar/filepath-securejoin</code> to version 0.2.4 or higher.</p> 715 <h2 id="references">References</h2> 716 <ul> 717 <li><a href="https://github.com/cyphar/filepath-securejoin/commit/c121231e1276e11049547bee5ce68d5a2cfe2d9b">GitHub Commit</a></li> 718 <li><a href="https://github.com/cyphar/filepath-securejoin/pull/9">GitHub PR</a></li> 719 <li><a href="https://github.com/cyphar/filepath-securejoin/releases/tag/v0.2.4">GitHub Release</a></li> 720 </ul> 721 722 <hr/> 723 724 <div class="cta card__cta"> 725 <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMCYPHARFILEPATHSECUREJOIN-5889602">More about this vulnerability</a></p> 726 </div> 727 728 </div><!-- .card --> 729 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 730 <h2 class="card__title">CVE-2020-22916</h2> 731 <div class="card__section"> 732 733 <div class="label label--medium"> 734 <span class="label__text">medium severity</span> 735 </div> 736 737 <hr/> 738 739 <ul class="card__meta"> 740 <li class="card__meta__item"> 741 Package Manager: ubuntu:22.04 742 </li> 743 <li class="card__meta__item"> 744 Vulnerable module: 745 746 xz-utils/liblzma5 747 </li> 748 749 <li class="card__meta__item">Introduced through: 750 751 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 and 
xz-utils/liblzma5@5.2.5-2ubuntu1 752 753 </li> 754 </ul> 755 756 <hr/> 757 758 759 <h3 class="card__section__title">Detailed paths</h3> 760 761 <ul class="card__meta__paths"> 762 <li> 763 <span class="list-paths__item__introduced"><em>Introduced through</em>: 764 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 765 <span class="list-paths__item__arrow">›</span> 766 xz-utils/liblzma5@5.2.5-2ubuntu1 767 768 </span> 769 770 </li> 771 </ul><!-- .list-paths --> 772 773 </div><!-- .card__section --> 774 775 <hr/> 776 <!-- Overview --> 777 <h2 id="nvd-description">NVD Description</h2> 778 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>xz-utils</code> package and not the <code>xz-utils</code> package as distributed by <code>Ubuntu</code>.</em> 779 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 780 <p>** DISPUTED ** An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of a crafted file. 
NOTE: the vendor disputes the claims of "endless output" and "denial of service" because decompression of the 17,486 bytes always results in 114,881,179 bytes, which is often a reasonable size increase.</p> 781 <h2 id="remediation">Remediation</h2> 782 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>xz-utils</code>.</p> 783 <h2 id="references">References</h2> 784 <ul> 785 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-22916">ADVISORY</a></li> 786 <li><a href="https://github.com/snappyJack/CVE-request-XZ-5.2.5-has-denial-of-service-vulnerability">cve@mitre.org</a></li> 787 <li><a href="https://tukaani.org/xz/">cve@mitre.org</a></li> 788 <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2234987">cve@mitre.org</a></li> 789 <li><a href="https://bugzilla.suse.com/show_bug.cgi?id=1214590">cve@mitre.org</a></li> 790 <li><a href="https://github.com/tukaani-project/xz/issues/61">cve@mitre.org</a></li> 791 <li><a href="https://security-tracker.debian.org/tracker/CVE-2020-22916">cve@mitre.org</a></li> 792 <li><a href="http://web.archive.org/web/20230918084612/https://github.com/snappyJack/CVE-request-XZ-5.2.5-has-denial-of-service-vulnerability">cve@mitre.org</a></li> 793 </ul> 794 795 <hr/> 796 797 <div class="cta card__cta"> 798 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-XZUTILS-5854647">More about this vulnerability</a></p> 799 </div> 800 801 </div><!-- .card --> 802 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 803 <h2 class="card__title">Out-of-bounds Write</h2> 804 <div class="card__section"> 805 806 <div class="label label--medium"> 807 <span class="label__text">medium severity</span> 808 </div> 809 810 <hr/> 811 812 <ul class="card__meta"> 813 <li class="card__meta__item"> 814 Package Manager: ubuntu:22.04 815 </li> 816 <li class="card__meta__item"> 817 Vulnerable module: 818 819 perl/perl-modules-5.34 820 </li> 821 822 <li class="card__meta__item">Introduced through: 823 
824 825 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3, git@1:2.34.1-1ubuntu1.10 and others 826 </li> 827 </ul> 828 829 <hr/> 830 831 832 <h3 class="card__section__title">Detailed paths</h3> 833 834 <ul class="card__meta__paths"> 835 <li> 836 <span class="list-paths__item__introduced"><em>Introduced through</em>: 837 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 838 <span class="list-paths__item__arrow">›</span> 839 git@1:2.34.1-1ubuntu1.10 840 <span class="list-paths__item__arrow">›</span> 841 perl@5.34.0-3ubuntu1.2 842 <span class="list-paths__item__arrow">›</span> 843 perl/perl-modules-5.34@5.34.0-3ubuntu1.2 844 845 </span> 846 847 </li> 848 <li> 849 <span class="list-paths__item__introduced"><em>Introduced through</em>: 850 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 851 <span class="list-paths__item__arrow">›</span> 852 git@1:2.34.1-1ubuntu1.10 853 <span class="list-paths__item__arrow">›</span> 854 perl@5.34.0-3ubuntu1.2 855 <span class="list-paths__item__arrow">›</span> 856 perl/libperl5.34@5.34.0-3ubuntu1.2 857 <span class="list-paths__item__arrow">›</span> 858 perl/perl-modules-5.34@5.34.0-3ubuntu1.2 859 860 </span> 861 862 </li> 863 <li> 864 <span class="list-paths__item__introduced"><em>Introduced through</em>: 865 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 866 <span class="list-paths__item__arrow">›</span> 867 git@1:2.34.1-1ubuntu1.10 868 <span class="list-paths__item__arrow">›</span> 869 perl@5.34.0-3ubuntu1.2 870 <span class="list-paths__item__arrow">›</span> 871 perl/libperl5.34@5.34.0-3ubuntu1.2 872 873 </span> 874 875 </li> 876 <li> 877 <span class="list-paths__item__introduced"><em>Introduced through</em>: 878 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 879 <span class="list-paths__item__arrow">›</span> 880 git@1:2.34.1-1ubuntu1.10 881 <span class="list-paths__item__arrow">›</span> 882 perl@5.34.0-3ubuntu1.2 883 884 </span> 885 886 </li> 887 <li> 888 <span class="list-paths__item__introduced"><em>Introduced through</em>: 889 
docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 890 <span class="list-paths__item__arrow">›</span> 891 perl/perl-base@5.34.0-3ubuntu1.2 892 893 </span> 894 895 </li> 896 </ul><!-- .list-paths --> 897 898 </div><!-- .card__section --> 899 900 <hr/> 901 <!-- Overview --> 902 <h2 id="nvd-description">NVD Description</h2> 903 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>perl</code> package and not the <code>perl</code> package as distributed by <code>Ubuntu</code>.</em> 904 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 905 <p>In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation.</p> 906 <h2 id="remediation">Remediation</h2> 907 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>perl</code>.</p> 908 <h2 id="references">References</h2> 909 <ul> 910 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-48522">ADVISORY</a></li> 911 <li><a href="https://github.com/Perl/perl5/blob/79a7b254d85a10b65126ad99bf10e70480569d68/sv.c#L16336-L16345">cve@mitre.org</a></li> 912 <li><a href="https://security.netapp.com/advisory/ntap-20230915-0008/">cve@mitre.org</a></li> 913 </ul> 914 915 <hr/> 916 917 <div class="cta card__cta"> 918 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-PERL-5854824">More about this vulnerability</a></p> 919 </div> 920 921 </div><!-- .card --> 922 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 923 <h2 class="card__title">Access of Uninitialized Pointer</h2> 924 <div class="card__section"> 925 926 <div class="label label--medium"> 927 <span class="label__text">medium severity</span> 928 </div> 929 930 <hr/> 931 932 <ul class="card__meta"> 933 <li class="card__meta__item"> 934 Package Manager: ubuntu:22.04 935 </li> 936 <li class="card__meta__item"> 937 Vulnerable module: 938 
939 krb5/libk5crypto3 940 </li> 941 942 <li class="card__meta__item">Introduced through: 943 944 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 and krb5/libk5crypto3@1.19.2-2ubuntu0.2 945 946 </li> 947 </ul> 948 949 <hr/> 950 951 952 <h3 class="card__section__title">Detailed paths</h3> 953 954 <ul class="card__meta__paths"> 955 <li> 956 <span class="list-paths__item__introduced"><em>Introduced through</em>: 957 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 958 <span class="list-paths__item__arrow">›</span> 959 krb5/libk5crypto3@1.19.2-2ubuntu0.2 960 961 </span> 962 963 </li> 964 <li> 965 <span class="list-paths__item__introduced"><em>Introduced through</em>: 966 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 967 <span class="list-paths__item__arrow">›</span> 968 adduser@3.118ubuntu5 969 <span class="list-paths__item__arrow">›</span> 970 shadow/passwd@1:4.8.1-2ubuntu2.1 971 <span class="list-paths__item__arrow">›</span> 972 pam/libpam-modules@1.4.0-11ubuntu2.3 973 <span class="list-paths__item__arrow">›</span> 974 libnsl/libnsl2@1.3.0-2build2 975 <span class="list-paths__item__arrow">›</span> 976 libtirpc/libtirpc3@1.3.2-2ubuntu0.1 977 <span class="list-paths__item__arrow">›</span> 978 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 979 <span class="list-paths__item__arrow">›</span> 980 krb5/libk5crypto3@1.19.2-2ubuntu0.2 981 982 </span> 983 984 </li> 985 <li> 986 <span class="list-paths__item__introduced"><em>Introduced through</em>: 987 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 988 <span class="list-paths__item__arrow">›</span> 989 adduser@3.118ubuntu5 990 <span class="list-paths__item__arrow">›</span> 991 shadow/passwd@1:4.8.1-2ubuntu2.1 992 <span class="list-paths__item__arrow">›</span> 993 pam/libpam-modules@1.4.0-11ubuntu2.3 994 <span class="list-paths__item__arrow">›</span> 995 libnsl/libnsl2@1.3.0-2build2 996 <span class="list-paths__item__arrow">›</span> 997 libtirpc/libtirpc3@1.3.2-2ubuntu0.1 998 <span class="list-paths__item__arrow">›</span> 999 
krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 1000 <span class="list-paths__item__arrow">›</span> 1001 krb5/libkrb5-3@1.19.2-2ubuntu0.2 1002 <span class="list-paths__item__arrow">›</span> 1003 krb5/libk5crypto3@1.19.2-2ubuntu0.2 1004 1005 </span> 1006 1007 </li> 1008 <li> 1009 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1010 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 1011 <span class="list-paths__item__arrow">›</span> 1012 krb5/libkrb5-3@1.19.2-2ubuntu0.2 1013 1014 </span> 1015 1016 </li> 1017 <li> 1018 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1019 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 1020 <span class="list-paths__item__arrow">›</span> 1021 adduser@3.118ubuntu5 1022 <span class="list-paths__item__arrow">›</span> 1023 shadow/passwd@1:4.8.1-2ubuntu2.1 1024 <span class="list-paths__item__arrow">›</span> 1025 pam/libpam-modules@1.4.0-11ubuntu2.3 1026 <span class="list-paths__item__arrow">›</span> 1027 libnsl/libnsl2@1.3.0-2build2 1028 <span class="list-paths__item__arrow">›</span> 1029 libtirpc/libtirpc3@1.3.2-2ubuntu0.1 1030 <span class="list-paths__item__arrow">›</span> 1031 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 1032 <span class="list-paths__item__arrow">›</span> 1033 krb5/libkrb5-3@1.19.2-2ubuntu0.2 1034 1035 </span> 1036 1037 </li> 1038 <li> 1039 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1040 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 1041 <span class="list-paths__item__arrow">›</span> 1042 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 1043 1044 </span> 1045 1046 </li> 1047 <li> 1048 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1049 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 1050 <span class="list-paths__item__arrow">›</span> 1051 openssh/openssh-client@1:8.9p1-3ubuntu0.4 1052 <span class="list-paths__item__arrow">›</span> 1053 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 1054 1055 </span> 1056 1057 </li> 1058 <li> 1059 <span 
class="list-paths__item__introduced"><em>Introduced through</em>: 1060 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 1061 <span class="list-paths__item__arrow">›</span> 1062 git@1:2.34.1-1ubuntu1.10 1063 <span class="list-paths__item__arrow">›</span> 1064 curl/libcurl3-gnutls@7.81.0-1ubuntu1.14 1065 <span class="list-paths__item__arrow">›</span> 1066 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 1067 1068 </span> 1069 1070 </li> 1071 <li> 1072 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1073 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 1074 <span class="list-paths__item__arrow">›</span> 1075 git@1:2.34.1-1ubuntu1.10 1076 <span class="list-paths__item__arrow">›</span> 1077 curl/libcurl3-gnutls@7.81.0-1ubuntu1.14 1078 <span class="list-paths__item__arrow">›</span> 1079 libssh/libssh-4@0.9.6-2ubuntu0.22.04.1 1080 <span class="list-paths__item__arrow">›</span> 1081 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 1082 1083 </span> 1084 1085 </li> 1086 <li> 1087 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1088 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 1089 <span class="list-paths__item__arrow">›</span> 1090 adduser@3.118ubuntu5 1091 <span class="list-paths__item__arrow">›</span> 1092 shadow/passwd@1:4.8.1-2ubuntu2.1 1093 <span class="list-paths__item__arrow">›</span> 1094 pam/libpam-modules@1.4.0-11ubuntu2.3 1095 <span class="list-paths__item__arrow">›</span> 1096 libnsl/libnsl2@1.3.0-2build2 1097 <span class="list-paths__item__arrow">›</span> 1098 libtirpc/libtirpc3@1.3.2-2ubuntu0.1 1099 <span class="list-paths__item__arrow">›</span> 1100 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 1101 1102 </span> 1103 1104 </li> 1105 <li> 1106 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1107 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 1108 <span class="list-paths__item__arrow">›</span> 1109 krb5/libkrb5support0@1.19.2-2ubuntu0.2 1110 1111 </span> 1112 1113 </li> 1114 </ul><!-- .list-paths --> 1115 1116 
</div><!-- .card__section --> 1117 1118 <hr/> 1119 <!-- Overview --> 1120 <h2 id="nvd-description">NVD Description</h2> 1121 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>krb5</code> package and not the <code>krb5</code> package as distributed by <code>Ubuntu</code>.</em> 1122 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 1123 <p>lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.</p> 1124 <h2 id="remediation">Remediation</h2> 1125 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>krb5</code>.</p> 1126 <h2 id="references">References</h2> 1127 <ul> 1128 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-36054">ADVISORY</a></li> 1129 <li><a href="https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd">cve@mitre.org</a></li> 1130 <li><a href="https://github.com/krb5/krb5/compare/krb5-1.20.1-final...krb5-1.20.2-final">cve@mitre.org</a></li> 1131 <li><a href="https://github.com/krb5/krb5/compare/krb5-1.21-final...krb5-1.21.1-final">cve@mitre.org</a></li> 1132 <li><a href="https://web.mit.edu/kerberos/www/advisories/">cve@mitre.org</a></li> 1133 <li><a href="https://security.netapp.com/advisory/ntap-20230908-0004/">cve@mitre.org</a></li> 1134 <li><a href="https://lists.debian.org/debian-lts-announce/2023/10/msg00031.html">cve@mitre.org</a></li> 1135 </ul> 1136 1137 <hr/> 1138 1139 <div class="cta card__cta"> 1140 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-KRB5-5838335">More about this vulnerability</a></p> 1141 </div> 1142 1143 </div><!-- .card --> 1144 <div class="card card--vuln disclosure--not-new severity--medium" 
data-snyk-test="medium"> 1145 <h2 class="card__title">LGPL-3.0 license</h2> 1146 <div class="card__section"> 1147 1148 <div class="label label--medium"> 1149 <span class="label__text">medium severity</span> 1150 </div> 1151 1152 <hr/> 1153 1154 <ul class="card__meta"> 1155 <li class="card__meta__item"> 1156 Package Manager: golang 1157 </li> 1158 <li class="card__meta__item"> 1159 Module: 1160 1161 gopkg.in/retry.v1 1162 </li> 1163 1164 <li class="card__meta__item">Introduced through: 1165 1166 github.com/argoproj/argo-cd/v2@* and gopkg.in/retry.v1@v1.0.3 1167 1168 </li> 1169 </ul> 1170 1171 <hr/> 1172 1173 1174 <h3 class="card__section__title">Detailed paths</h3> 1175 1176 <ul class="card__meta__paths"> 1177 <li> 1178 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1179 github.com/argoproj/argo-cd/v2@* 1180 <span class="list-paths__item__arrow">›</span> 1181 gopkg.in/retry.v1@v1.0.3 1182 1183 </span> 1184 1185 </li> 1186 </ul><!-- .list-paths --> 1187 1188 </div><!-- .card__section --> 1189 1190 <hr/> 1191 <!-- Overview --> 1192 <p>LGPL-3.0 license</p> 1193 1194 <hr/> 1195 1196 <div class="cta card__cta"> 1197 <p><a href="https://snyk.io/vuln/snyk:lic:golang:gopkg.in:retry.v1:LGPL-3.0">More about this vulnerability</a></p> 1198 </div> 1199 1200 </div><!-- .card --> 1201 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1202 <h2 class="card__title">Memory Leak</h2> 1203 <div class="card__section"> 1204 1205 <div class="label label--medium"> 1206 <span class="label__text">medium severity</span> 1207 </div> 1208 1209 <hr/> 1210 1211 <ul class="card__meta"> 1212 <li class="card__meta__item"> 1213 Package Manager: ubuntu:22.04 1214 </li> 1215 <li class="card__meta__item"> 1216 Vulnerable module: 1217 1218 glibc/libc-bin 1219 </li> 1220 1221 <li class="card__meta__item">Introduced through: 1222 1223 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 and glibc/libc-bin@2.35-0ubuntu3.4 1224 1225 </li> 1226 
</ul> 1227 1228 <hr/> 1229 1230 1231 <h3 class="card__section__title">Detailed paths</h3> 1232 1233 <ul class="card__meta__paths"> 1234 <li> 1235 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1236 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 1237 <span class="list-paths__item__arrow">›</span> 1238 glibc/libc-bin@2.35-0ubuntu3.4 1239 1240 </span> 1241 1242 </li> 1243 <li> 1244 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1245 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 1246 <span class="list-paths__item__arrow">›</span> 1247 glibc/libc6@2.35-0ubuntu3.4 1248 1249 </span> 1250 1251 </li> 1252 </ul><!-- .list-paths --> 1253 1254 </div><!-- .card__section --> 1255 1256 <hr/> 1257 <!-- Overview --> 1258 <h2 id="nvd-description">NVD Description</h2> 1259 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>glibc</code> package and not the <code>glibc</code> package as distributed by <code>Ubuntu</code>.</em> 1260 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 1261 <p>A flaw was found in the GNU C Library. 
A recent fix for CVE-2023-4806 introduced the potential for a memory leak, which may result in an application crash.</p> 1262 <h2 id="remediation">Remediation</h2> 1263 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>glibc</code>.</p> 1264 <h2 id="references">References</h2> 1265 <ul> 1266 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-5156">ADVISORY</a></li> 1267 <li><a href="https://access.redhat.com/security/cve/CVE-2023-5156">secalert@redhat.com</a></li> 1268 <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2240541">secalert@redhat.com</a></li> 1269 <li><a href="https://sourceware.org/bugzilla/show_bug.cgi?id=30884">secalert@redhat.com</a></li> 1270 <li><a href="https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=ec6b95c3303c700eb89eebeda2d7264cc184a796">secalert@redhat.com</a></li> 1271 <li><a href="http://www.openwall.com/lists/oss-security/2023/10/03/4">secalert@redhat.com</a></li> 1272 <li><a href="http://www.openwall.com/lists/oss-security/2023/10/03/5">secalert@redhat.com</a></li> 1273 <li><a href="http://www.openwall.com/lists/oss-security/2023/10/03/6">secalert@redhat.com</a></li> 1274 <li><a href="http://www.openwall.com/lists/oss-security/2023/10/03/8">secalert@redhat.com</a></li> 1275 </ul> 1276 1277 <hr/> 1278 1279 <div class="cta card__cta"> 1280 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-GLIBC-5919741">More about this vulnerability</a></p> 1281 </div> 1282 1283 </div><!-- .card --> 1284 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1285 <h2 class="card__title">MPL-2.0 license</h2> 1286 <div class="card__section"> 1287 1288 <div class="label label--medium"> 1289 <span class="label__text">medium severity</span> 1290 </div> 1291 1292 <hr/> 1293 1294 <ul class="card__meta"> 1295 <li class="card__meta__item"> 1296 Package Manager: golang 1297 </li> 1298 <li class="card__meta__item"> 1299 Module: 1300 1301 github.com/r3labs/diff 1302 </li> 1303 1304 <li 
class="card__meta__item">Introduced through: 1305 1306 github.com/argoproj/argo-cd/v2@* and github.com/r3labs/diff@v1.1.0 1307 1308 </li> 1309 </ul> 1310 1311 <hr/> 1312 1313 1314 <h3 class="card__section__title">Detailed paths</h3> 1315 1316 <ul class="card__meta__paths"> 1317 <li> 1318 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1319 github.com/argoproj/argo-cd/v2@* 1320 <span class="list-paths__item__arrow">›</span> 1321 github.com/r3labs/diff@v1.1.0 1322 1323 </span> 1324 1325 </li> 1326 </ul><!-- .list-paths --> 1327 1328 </div><!-- .card__section --> 1329 1330 <hr/> 1331 <!-- Overview --> 1332 <p>MPL-2.0 license</p> 1333 1334 <hr/> 1335 1336 <div class="cta card__cta"> 1337 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:r3labs:diff:MPL-2.0">More about this vulnerability</a></p> 1338 </div> 1339 1340 </div><!-- .card --> 1341 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1342 <h2 class="card__title">MPL-2.0 license</h2> 1343 <div class="card__section"> 1344 1345 <div class="label label--medium"> 1346 <span class="label__text">medium severity</span> 1347 </div> 1348 1349 <hr/> 1350 1351 <ul class="card__meta"> 1352 <li class="card__meta__item"> 1353 Package Manager: golang 1354 </li> 1355 <li class="card__meta__item"> 1356 Module: 1357 1358 github.com/hashicorp/go-version 1359 </li> 1360 1361 <li class="card__meta__item">Introduced through: 1362 1363 github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-version@v1.2.1 1364 1365 </li> 1366 </ul> 1367 1368 <hr/> 1369 1370 1371 <h3 class="card__section__title">Detailed paths</h3> 1372 1373 <ul class="card__meta__paths"> 1374 <li> 1375 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1376 github.com/argoproj/argo-cd/v2@* 1377 <span class="list-paths__item__arrow">›</span> 1378 github.com/hashicorp/go-version@v1.2.1 1379 1380 </span> 1381 1382 </li> 1383 </ul><!-- .list-paths --> 1384 1385 </div><!-- 
.card__section --> 1386 1387 <hr/> 1388 <!-- Overview --> 1389 <p>MPL-2.0 license</p> 1390 1391 <hr/> 1392 1393 <div class="cta card__cta"> 1394 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-version:MPL-2.0">More about this vulnerability</a></p> 1395 </div> 1396 1397 </div><!-- .card --> 1398 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1399 <h2 class="card__title">MPL-2.0 license</h2> 1400 <div class="card__section"> 1401 1402 <div class="label label--medium"> 1403 <span class="label__text">medium severity</span> 1404 </div> 1405 1406 <hr/> 1407 1408 <ul class="card__meta"> 1409 <li class="card__meta__item"> 1410 Package Manager: golang 1411 </li> 1412 <li class="card__meta__item"> 1413 Module: 1414 1415 github.com/hashicorp/go-retryablehttp 1416 </li> 1417 1418 <li class="card__meta__item">Introduced through: 1419 1420 github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-retryablehttp@v0.7.4 1421 1422 </li> 1423 </ul> 1424 1425 <hr/> 1426 1427 1428 <h3 class="card__section__title">Detailed paths</h3> 1429 1430 <ul class="card__meta__paths"> 1431 <li> 1432 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1433 github.com/argoproj/argo-cd/v2@* 1434 <span class="list-paths__item__arrow">›</span> 1435 github.com/hashicorp/go-retryablehttp@v0.7.4 1436 1437 </span> 1438 1439 </li> 1440 </ul><!-- .list-paths --> 1441 1442 </div><!-- .card__section --> 1443 1444 <hr/> 1445 <!-- Overview --> 1446 <p>MPL-2.0 license</p> 1447 1448 <hr/> 1449 1450 <div class="cta card__cta"> 1451 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-retryablehttp:MPL-2.0">More about this vulnerability</a></p> 1452 </div> 1453 1454 </div><!-- .card --> 1455 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1456 <h2 class="card__title">MPL-2.0 license</h2> 1457 <div class="card__section"> 1458 1459 <div class="label label--medium"> 
1460 <span class="label__text">medium severity</span> 1461 </div> 1462 1463 <hr/> 1464 1465 <ul class="card__meta"> 1466 <li class="card__meta__item"> 1467 Package Manager: golang 1468 </li> 1469 <li class="card__meta__item"> 1470 Module: 1471 1472 github.com/hashicorp/go-multierror 1473 </li> 1474 1475 <li class="card__meta__item">Introduced through: 1476 1477 helm.sh/helm/v3@* and github.com/hashicorp/go-multierror@v1.1.1 1478 1479 </li> 1480 </ul> 1481 1482 <hr/> 1483 1484 1485 <h3 class="card__section__title">Detailed paths</h3> 1486 1487 <ul class="card__meta__paths"> 1488 <li> 1489 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1490 helm.sh/helm/v3@* 1491 <span class="list-paths__item__arrow">›</span> 1492 github.com/hashicorp/go-multierror@v1.1.1 1493 1494 </span> 1495 1496 </li> 1497 </ul><!-- .list-paths --> 1498 1499 </div><!-- .card__section --> 1500 1501 <hr/> 1502 <!-- Overview --> 1503 <p>MPL-2.0 license</p> 1504 1505 <hr/> 1506 1507 <div class="cta card__cta"> 1508 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-multierror:MPL-2.0">More about this vulnerability</a></p> 1509 </div> 1510 1511 </div><!-- .card --> 1512 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1513 <h2 class="card__title">MPL-2.0 license</h2> 1514 <div class="card__section"> 1515 1516 <div class="label label--medium"> 1517 <span class="label__text">medium severity</span> 1518 </div> 1519 1520 <hr/> 1521 1522 <ul class="card__meta"> 1523 <li class="card__meta__item"> 1524 Package Manager: golang 1525 </li> 1526 <li class="card__meta__item"> 1527 Module: 1528 1529 github.com/hashicorp/go-cleanhttp 1530 </li> 1531 1532 <li class="card__meta__item">Introduced through: 1533 1534 github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-cleanhttp@v0.5.2 1535 1536 </li> 1537 </ul> 1538 1539 <hr/> 1540 1541 1542 <h3 class="card__section__title">Detailed paths</h3> 1543 1544 <ul 
class="card__meta__paths"> 1545 <li> 1546 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1547 github.com/argoproj/argo-cd/v2@* 1548 <span class="list-paths__item__arrow">›</span> 1549 github.com/hashicorp/go-cleanhttp@v0.5.2 1550 1551 </span> 1552 1553 </li> 1554 </ul><!-- .list-paths --> 1555 1556 </div><!-- .card__section --> 1557 1558 <hr/> 1559 <!-- Overview --> 1560 <p>MPL-2.0 license</p> 1561 1562 <hr/> 1563 1564 <div class="cta card__cta"> 1565 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-cleanhttp:MPL-2.0">More about this vulnerability</a></p> 1566 </div> 1567 1568 </div><!-- .card --> 1569 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1570 <h2 class="card__title">MPL-2.0 license</h2> 1571 <div class="card__section"> 1572 1573 <div class="label label--medium"> 1574 <span class="label__text">medium severity</span> 1575 </div> 1576 1577 <hr/> 1578 1579 <ul class="card__meta"> 1580 <li class="card__meta__item"> 1581 Package Manager: golang 1582 </li> 1583 <li class="card__meta__item"> 1584 Module: 1585 1586 github.com/gosimple/slug 1587 </li> 1588 1589 <li class="card__meta__item">Introduced through: 1590 1591 github.com/argoproj/argo-cd/v2@* and github.com/gosimple/slug@v1.13.1 1592 1593 </li> 1594 </ul> 1595 1596 <hr/> 1597 1598 1599 <h3 class="card__section__title">Detailed paths</h3> 1600 1601 <ul class="card__meta__paths"> 1602 <li> 1603 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1604 github.com/argoproj/argo-cd/v2@* 1605 <span class="list-paths__item__arrow">›</span> 1606 github.com/gosimple/slug@v1.13.1 1607 1608 </span> 1609 1610 </li> 1611 </ul><!-- .list-paths --> 1612 1613 </div><!-- .card__section --> 1614 1615 <hr/> 1616 <!-- Overview --> 1617 <p>MPL-2.0 license</p> 1618 1619 <hr/> 1620 1621 <div class="cta card__cta"> 1622 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:gosimple:slug:MPL-2.0">More about this 
vulnerability</a></p> 1623 </div> 1624 1625 </div><!-- .card --> 1626 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 1627 <h2 class="card__title">CVE-2022-46908</h2> 1628 <div class="card__section"> 1629 1630 <div class="label label--low"> 1631 <span class="label__text">low severity</span> 1632 </div> 1633 1634 <hr/> 1635 1636 <ul class="card__meta"> 1637 <li class="card__meta__item"> 1638 Package Manager: ubuntu:22.04 1639 </li> 1640 <li class="card__meta__item"> 1641 Vulnerable module: 1642 1643 sqlite3/libsqlite3-0 1644 </li> 1645 1646 <li class="card__meta__item">Introduced through: 1647 1648 1649 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3, gnupg2/gpg@2.2.27-3ubuntu2.1 and others 1650 </li> 1651 </ul> 1652 1653 <hr/> 1654 1655 1656 <h3 class="card__section__title">Detailed paths</h3> 1657 1658 <ul class="card__meta__paths"> 1659 <li> 1660 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1661 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 1662 <span class="list-paths__item__arrow">›</span> 1663 gnupg2/gpg@2.2.27-3ubuntu2.1 1664 <span class="list-paths__item__arrow">›</span> 1665 sqlite3/libsqlite3-0@3.37.2-2ubuntu0.1 1666 1667 </span> 1668 1669 </li> 1670 </ul><!-- .list-paths --> 1671 1672 </div><!-- .card__section --> 1673 1674 <hr/> 1675 <!-- Overview --> 1676 <h2 id="nvd-description">NVD Description</h2> 1677 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>sqlite3</code> package and not the <code>sqlite3</code> package as distributed by <code>Ubuntu:22.04</code>.</em> 1678 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 1679 <p>SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions such as WRITEFILE.</p> 1680 <h2 
id="remediation">Remediation</h2> 1681 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>sqlite3</code>.</p> 1682 <h2 id="references">References</h2> 1683 <ul> 1684 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-46908">ADVISORY</a></li> 1685 <li><a href="https://sqlite.org/src/info/cefc032473ac5ad2">cve@mitre.org</a></li> 1686 <li><a href="https://sqlite.org/forum/forumpost/07beac8056151b2f">cve@mitre.org</a></li> 1687 <li><a href="https://news.ycombinator.com/item?id=33948588">cve@mitre.org</a></li> 1688 <li><a href="https://security.netapp.com/advisory/ntap-20230203-0005/">cve@mitre.org</a></li> 1689 </ul> 1690 1691 <hr/> 1692 1693 <div class="cta card__cta"> 1694 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-SQLITE3-3167716">More about this vulnerability</a></p> 1695 </div> 1696 1697 </div><!-- .card --> 1698 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 1699 <h2 class="card__title">Arbitrary Code Injection</h2> 1700 <div class="card__section"> 1701 1702 <div class="label label--low"> 1703 <span class="label__text">low severity</span> 1704 </div> 1705 1706 <hr/> 1707 1708 <ul class="card__meta"> 1709 <li class="card__meta__item"> 1710 Package Manager: ubuntu:22.04 1711 </li> 1712 <li class="card__meta__item"> 1713 Vulnerable module: 1714 1715 shadow/passwd 1716 </li> 1717 1718 <li class="card__meta__item">Introduced through: 1719 1720 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 and shadow/passwd@1:4.8.1-2ubuntu2.1 1721 1722 </li> 1723 </ul> 1724 1725 <hr/> 1726 1727 1728 <h3 class="card__section__title">Detailed paths</h3> 1729 1730 <ul class="card__meta__paths"> 1731 <li> 1732 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1733 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 1734 <span class="list-paths__item__arrow">›</span> 1735 shadow/passwd@1:4.8.1-2ubuntu2.1 1736 1737 </span> 1738 1739 </li> 1740 <li> 1741 <span 
class="list-paths__item__introduced"><em>Introduced through</em>: 1742 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 1743 <span class="list-paths__item__arrow">›</span> 1744 adduser@3.118ubuntu5 1745 <span class="list-paths__item__arrow">›</span> 1746 shadow/passwd@1:4.8.1-2ubuntu2.1 1747 1748 </span> 1749 1750 </li> 1751 <li> 1752 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1753 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 1754 <span class="list-paths__item__arrow">›</span> 1755 openssh/openssh-client@1:8.9p1-3ubuntu0.4 1756 <span class="list-paths__item__arrow">›</span> 1757 shadow/passwd@1:4.8.1-2ubuntu2.1 1758 1759 </span> 1760 1761 </li> 1762 <li> 1763 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1764 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 1765 <span class="list-paths__item__arrow">›</span> 1766 shadow/login@1:4.8.1-2ubuntu2.1 1767 1768 </span> 1769 1770 </li> 1771 </ul><!-- .list-paths --> 1772 1773 </div><!-- .card__section --> 1774 1775 <hr/> 1776 <!-- Overview --> 1777 <h2 id="nvd-description">NVD Description</h2> 1778 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>shadow</code> package and not the <code>shadow</code> package as distributed by <code>Ubuntu:22.04</code>.</em> 1779 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 1780 <p>In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. 
In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.</p> 1781 <h2 id="remediation">Remediation</h2> 1782 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>shadow</code>.</p> 1783 <h2 id="references">References</h2> 1784 <ul> 1785 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-29383">ADVISORY</a></li> 1786 <li><a href="https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d">cve@mitre.org</a></li> 1787 <li><a href="https://github.com/shadow-maint/shadow/pull/687">cve@mitre.org</a></li> 1788 <li><a href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/">cve@mitre.org</a></li> 1789 <li><a href="https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797">cve@mitre.org</a></li> 1790 </ul> 1791 1792 <hr/> 1793 1794 <div class="cta card__cta"> 1795 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-SHADOW-5425688">More about this vulnerability</a></p> 1796 </div> 1797 1798 </div><!-- .card --> 1799 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 1800 <h2 class="card__title">Out-of-bounds Write</h2> 1801 <div class="card__section"> 1802 1803 <div class="label label--low"> 1804 <span class="label__text">low severity</span> 1805 </div> 1806 1807 <hr/> 1808 1809 <ul class="card__meta"> 1810 <li class="card__meta__item"> 1811 Package Manager: ubuntu:22.04 1812 </li> 1813 <li class="card__meta__item"> 1814 Vulnerable module: 1815 1816 procps/libprocps8 1817 </li> 1818 1819 <li class="card__meta__item">Introduced through: 1820 1821 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 and procps/libprocps8@2:3.3.17-6ubuntu2 1822 1823 </li> 1824 </ul> 1825 1826 <hr/> 1827 1828 1829 <h3 
class="card__section__title">Detailed paths</h3> 1830 1831 <ul class="card__meta__paths"> 1832 <li> 1833 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1834 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 1835 <span class="list-paths__item__arrow">›</span> 1836 procps/libprocps8@2:3.3.17-6ubuntu2 1837 1838 </span> 1839 1840 </li> 1841 <li> 1842 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1843 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 1844 <span class="list-paths__item__arrow">›</span> 1845 procps@2:3.3.17-6ubuntu2 1846 <span class="list-paths__item__arrow">›</span> 1847 procps/libprocps8@2:3.3.17-6ubuntu2 1848 1849 </span> 1850 1851 </li> 1852 <li> 1853 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1854 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 1855 <span class="list-paths__item__arrow">›</span> 1856 procps@2:3.3.17-6ubuntu2 1857 1858 </span> 1859 1860 </li> 1861 </ul><!-- .list-paths --> 1862 1863 </div><!-- .card__section --> 1864 1865 <hr/> 1866 <!-- Overview --> 1867 <h2 id="nvd-description">NVD Description</h2> 1868 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>procps</code> package and not the <code>procps</code> package as distributed by <code>Ubuntu</code>.</em> 1869 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 1870 <p>Under some circumstances, this weakness allows a user who has access to run the “ps” utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.</p> 1871 <h2 id="remediation">Remediation</h2> 1872 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>procps</code>.</p> 1873 <h2 id="references">References</h2> 1874 <ul> 1875 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-4016">ADVISORY</a></li> 1876 <li><a 
href="https://gitlab.com/procps-ng/procps">trellixpsirt@trellix.com</a></li> 1877 <li><a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SUETRRT24OFGPYK6ACPM5VUGHNKH5CQ5/">trellixpsirt@trellix.com</a></li> 1878 </ul> 1879 1880 <hr/> 1881 1882 <div class="cta card__cta"> 1883 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-PROCPS-5816665">More about this vulnerability</a></p> 1884 </div> 1885 1886 </div><!-- .card --> 1887 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 1888 <h2 class="card__title">Uncontrolled Recursion</h2> 1889 <div class="card__section"> 1890 1891 <div class="label label--low"> 1892 <span class="label__text">low severity</span> 1893 </div> 1894 1895 <hr/> 1896 1897 <ul class="card__meta"> 1898 <li class="card__meta__item"> 1899 Package Manager: ubuntu:22.04 1900 </li> 1901 <li class="card__meta__item"> 1902 Vulnerable module: 1903 1904 pcre3/libpcre3 1905 </li> 1906 1907 <li class="card__meta__item">Introduced through: 1908 1909 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 and pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1 1910 1911 </li> 1912 </ul> 1913 1914 <hr/> 1915 1916 1917 <h3 class="card__section__title">Detailed paths</h3> 1918 1919 <ul class="card__meta__paths"> 1920 <li> 1921 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1922 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 1923 <span class="list-paths__item__arrow">›</span> 1924 pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1 1925 1926 </span> 1927 1928 </li> 1929 <li> 1930 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1931 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 1932 <span class="list-paths__item__arrow">›</span> 1933 grep@3.7-1build1 1934 <span class="list-paths__item__arrow">›</span> 1935 pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1 1936 1937 </span> 1938 1939 </li> 1940 </ul><!-- .list-paths --> 1941 1942 </div><!-- .card__section --> 1943 1944 
<hr/> 1945 <!-- Overview --> 1946 <h2 id="nvd-description">NVD Description</h2> 1947 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>pcre3</code> package and not the <code>pcre3</code> package as distributed by <code>Ubuntu:22.04</code>.</em> 1948 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 1949 <p>In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.</p> 1950 <h2 id="remediation">Remediation</h2> 1951 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>pcre3</code>.</p> 1952 <h2 id="references">References</h2> 1953 <ul> 1954 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-11164">ADVISORY</a></li> 1955 <li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11164">CVE Details</a></li> 1956 <li><a href="https://security-tracker.debian.org/tracker/CVE-2017-11164">Debian Security Tracker</a></li> 1957 <li><a href="https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E">MLIST</a></li> 1958 <li><a href="http://openwall.com/lists/oss-security/2017/07/11/3">OSS security Advisory</a></li> 1959 <li><a href="http://www.securityfocus.com/bid/99575">Security Focus</a></li> 1960 <li><a href="http://www.openwall.com/lists/oss-security/2023/04/11/1">cve@mitre.org</a></li> 1961 <li><a href="http://www.openwall.com/lists/oss-security/2023/04/12/1">cve@mitre.org</a></li> 1962 </ul> 1963 1964 <hr/> 1965 1966 <div class="cta card__cta"> 1967 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-PCRE3-2799820">More about this vulnerability</a></p> 1968 </div> 1969 1970 </div><!-- .card --> 1971 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 1972 <h2 class="card__title">Release of Invalid Pointer or 
Reference</h2> 1973 <div class="card__section"> 1974 1975 <div class="label label--low"> 1976 <span class="label__text">low severity</span> 1977 </div> 1978 1979 <hr/> 1980 1981 <ul class="card__meta"> 1982 <li class="card__meta__item"> 1983 Package Manager: ubuntu:22.04 1984 </li> 1985 <li class="card__meta__item"> 1986 Vulnerable module: 1987 1988 patch 1989 </li> 1990 1991 <li class="card__meta__item">Introduced through: 1992 1993 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 and patch@2.7.6-7build2 1994 1995 </li> 1996 </ul> 1997 1998 <hr/> 1999 2000 2001 <h3 class="card__section__title">Detailed paths</h3> 2002 2003 <ul class="card__meta__paths"> 2004 <li> 2005 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2006 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2007 <span class="list-paths__item__arrow">›</span> 2008 patch@2.7.6-7build2 2009 2010 </span> 2011 2012 </li> 2013 </ul><!-- .list-paths --> 2014 2015 </div><!-- .card__section --> 2016 2017 <hr/> 2018 <!-- Overview --> 2019 <h2 id="nvd-description">NVD Description</h2> 2020 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>patch</code> package and not the <code>patch</code> package as distributed by <code>Ubuntu:22.04</code>.</em> 2021 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 2022 <p>An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.</p> 2023 <h2 id="remediation">Remediation</h2> 2024 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>patch</code>.</p> 2025 <h2 id="references">References</h2> 2026 <ul> 2027 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-45261">ADVISORY</a></li> 2028 <li><a href="https://savannah.gnu.org/bugs/?61685">MISC</a></li> 2029 </ul> 2030 2031 <hr/> 2032 2033 <div class="cta card__cta"> 2034 <p><a 
href="https://snyk.io/vuln/SNYK-UBUNTU2204-PATCH-2780071">More about this vulnerability</a></p> 2035 </div> 2036 2037 </div><!-- .card --> 2038 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2039 <h2 class="card__title">Double Free</h2> 2040 <div class="card__section"> 2041 2042 <div class="label label--low"> 2043 <span class="label__text">low severity</span> 2044 </div> 2045 2046 <hr/> 2047 2048 <ul class="card__meta"> 2049 <li class="card__meta__item"> 2050 Package Manager: ubuntu:22.04 2051 </li> 2052 <li class="card__meta__item"> 2053 Vulnerable module: 2054 2055 patch 2056 </li> 2057 2058 <li class="card__meta__item">Introduced through: 2059 2060 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 and patch@2.7.6-7build2 2061 2062 </li> 2063 </ul> 2064 2065 <hr/> 2066 2067 2068 <h3 class="card__section__title">Detailed paths</h3> 2069 2070 <ul class="card__meta__paths"> 2071 <li> 2072 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2073 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2074 <span class="list-paths__item__arrow">›</span> 2075 patch@2.7.6-7build2 2076 2077 </span> 2078 2079 </li> 2080 </ul><!-- .list-paths --> 2081 2082 </div><!-- .card__section --> 2083 2084 <hr/> 2085 <!-- Overview --> 2086 <h2 id="nvd-description">NVD Description</h2> 2087 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>patch</code> package and not the <code>patch</code> package as distributed by <code>Ubuntu:22.04</code>.</em> 2088 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 2089 <p>A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.</p> 2090 <h2 id="remediation">Remediation</h2> 2091 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>patch</code>.</p> 2092 <h2 id="references">References</h2> 2093 <ul> 2094 <li><a 
href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-6952">ADVISORY</a></li> 2095 <li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6952">CVE Details</a></li> 2096 <li><a href="https://security-tracker.debian.org/tracker/CVE-2018-6952">Debian Security Tracker</a></li> 2097 <li><a href="https://security.gentoo.org/glsa/201904-17">Gentoo Security Advisory</a></li> 2098 <li><a href="https://savannah.gnu.org/bugs/index.php?53133">MISC</a></li> 2099 <li><a href="https://access.redhat.com/errata/RHSA-2019:2033">REDHAT</a></li> 2100 <li><a href="http://www.securityfocus.com/bid/103047">Security Focus</a></li> 2101 </ul> 2102 2103 <hr/> 2104 2105 <div class="cta card__cta"> 2106 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-PATCH-2784568">More about this vulnerability</a></p> 2107 </div> 2108 2109 </div><!-- .card --> 2110 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2111 <h2 class="card__title">CVE-2023-28531</h2> 2112 <div class="card__section"> 2113 2114 <div class="label label--low"> 2115 <span class="label__text">low severity</span> 2116 </div> 2117 2118 <hr/> 2119 2120 <ul class="card__meta"> 2121 <li class="card__meta__item"> 2122 Package Manager: ubuntu:22.04 2123 </li> 2124 <li class="card__meta__item"> 2125 Vulnerable module: 2126 2127 openssh/openssh-client 2128 </li> 2129 2130 <li class="card__meta__item">Introduced through: 2131 2132 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 and openssh/openssh-client@1:8.9p1-3ubuntu0.4 2133 2134 </li> 2135 </ul> 2136 2137 <hr/> 2138 2139 2140 <h3 class="card__section__title">Detailed paths</h3> 2141 2142 <ul class="card__meta__paths"> 2143 <li> 2144 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2145 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2146 <span class="list-paths__item__arrow">›</span> 2147 openssh/openssh-client@1:8.9p1-3ubuntu0.4 2148 2149 </span> 2150 2151 </li> 2152 </ul><!-- .list-paths --> 2153 2154
</div><!-- .card__section --> 2155 2156 <hr/> 2157 <!-- Overview --> 2158 <h2 id="nvd-description">NVD Description</h2> 2159 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssh</code> package and not the <code>openssh</code> package as distributed by <code>Ubuntu:22.04</code>.</em> 2160 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 2161 <!-- Triage note: this card is titled only with the CVE id, so the weakness has to be read from the NVD text that follows. It concerns ssh-add placing smartcard keys into ssh-agent without the intended per-hop destination constraints, with upstream 8.9 named as the earliest affected version and releases before 9.3 affected; the package listed on this card is openssh-client 1:8.9p1-3ubuntu0.4. Exposure presumably depends on ssh-add being run with smartcard keys and destination constraints from this image, which this report does not show; confirm against how the image is used and against the Ubuntu advisory linked under References. --> <p>ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints. The earliest affected version is 8.9.</p> 2162 <h2 id="remediation">Remediation</h2> 2163 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>openssh</code>.</p> 2164 <h2 id="references">References</h2> 2165 <ul> 2166 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-28531">ADVISORY</a></li> 2167 <li><a href="https://www.openwall.com/lists/oss-security/2023/03/15/8">cve@mitre.org</a></li> 2168 <li><a href="https://security.netapp.com/advisory/ntap-20230413-0008/">cve@mitre.org</a></li> 2169 <li><a href="https://security.gentoo.org/glsa/202307-01">cve@mitre.org</a></li> 2170 </ul> 2171 2172 <hr/> 2173 2174 <div class="cta card__cta"> 2175 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-OPENSSH-3367022">More about this vulnerability</a></p> 2176 </div> 2177 2178 </div><!-- .card --> 2179 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2180 <h2 class="card__title">NULL Pointer Dereference</h2> 2181 <div class="card__section"> 2182 2183 <div class="label label--low"> 2184 <span class="label__text">low severity</span> 2185 </div> 2186 2187 <hr/> 2188 2189 <ul class="card__meta"> 2190 <li class="card__meta__item"> 2191 Package Manager: ubuntu:22.04 2192 </li> 2193 <li class="card__meta__item"> 2194 Vulnerable module: 2195 2196 openldap/libldap-2.5-0 2197 </li> 2198 2199 <li class="card__meta__item">Introduced through: 2200 2201
2202 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3, gnupg2/dirmngr@2.2.27-3ubuntu2.1 and others 2203 </li> 2204 </ul> 2205 2206 <hr/> 2207 2208 2209 <h3 class="card__section__title">Detailed paths</h3> 2210 2211 <ul class="card__meta__paths"> 2212 <li> 2213 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2214 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2215 <span class="list-paths__item__arrow">›</span> 2216 gnupg2/dirmngr@2.2.27-3ubuntu2.1 2217 <span class="list-paths__item__arrow">›</span> 2218 openldap/libldap-2.5-0@2.5.16+dfsg-0ubuntu0.22.04.1 2219 2220 </span> 2221 2222 </li> 2223 <li> 2224 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2225 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2226 <span class="list-paths__item__arrow">›</span> 2227 git@1:2.34.1-1ubuntu1.10 2228 <span class="list-paths__item__arrow">›</span> 2229 curl/libcurl3-gnutls@7.81.0-1ubuntu1.14 2230 <span class="list-paths__item__arrow">›</span> 2231 openldap/libldap-2.5-0@2.5.16+dfsg-0ubuntu0.22.04.1 2232 2233 </span> 2234 2235 </li> 2236 <li> 2237 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2238 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2239 <span class="list-paths__item__arrow">›</span> 2240 openldap/libldap-common@2.5.16+dfsg-0ubuntu0.22.04.1 2241 2242 </span> 2243 2244 </li> 2245 </ul><!-- .list-paths --> 2246 2247 </div><!-- .card__section --> 2248 2249 <hr/> 2250 <!-- Overview --> 2251 <h2 id="nvd-description">NVD Description</h2> 2252 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openldap</code> package and not the <code>openldap</code> package as distributed by <code>Ubuntu:22.04</code>.</em> 2253 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 2254 <p>A vulnerability was found in openldap. 
This security flaw causes a null pointer dereference in ber_memalloc_x() function.</p> 2255 <h2 id="remediation">Remediation</h2> 2256 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>openldap</code>.</p> 2257 <h2 id="references">References</h2> 2258 <ul> 2259 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-2953">ADVISORY</a></li> 2260 <li><a href="https://access.redhat.com/security/cve/CVE-2023-2953">secalert@redhat.com</a></li> 2261 <li><a href="https://bugs.openldap.org/show_bug.cgi?id=9904">secalert@redhat.com</a></li> 2262 <li><a href="https://security.netapp.com/advisory/ntap-20230703-0005/">secalert@redhat.com</a></li> 2263 <li><a href="https://support.apple.com/kb/HT213843">secalert@redhat.com</a></li> 2264 <li><a href="https://support.apple.com/kb/HT213844">secalert@redhat.com</a></li> 2265 <li><a href="https://support.apple.com/kb/HT213845">secalert@redhat.com</a></li> 2266 <li><a href="http://seclists.org/fulldisclosure/2023/Jul/47">secalert@redhat.com</a></li> 2267 <li><a href="http://seclists.org/fulldisclosure/2023/Jul/48">secalert@redhat.com</a></li> 2268 <li><a href="http://seclists.org/fulldisclosure/2023/Jul/52">secalert@redhat.com</a></li> 2269 </ul> 2270 2271 <hr/> 2272 2273 <div class="cta card__cta"> 2274 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-OPENLDAP-5661784">More about this vulnerability</a></p> 2275 </div> 2276 2277 </div><!-- .card --> 2278 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2279 <h2 class="card__title">Resource Exhaustion</h2> 2280 <div class="card__section"> 2281 2282 <div class="label label--low"> 2283 <span class="label__text">low severity</span> 2284 </div> 2285 2286 <hr/> 2287 2288 <ul class="card__meta"> 2289 <li class="card__meta__item"> 2290 Package Manager: ubuntu:22.04 2291 </li> 2292 <li class="card__meta__item"> 2293 Vulnerable module: 2294 2295 libzstd/libzstd1 2296 </li> 2297 2298 <li class="card__meta__item">Introduced through:
2299 2300 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 and libzstd/libzstd1@1.4.8+dfsg-3build1 2301 2302 </li> 2303 </ul> 2304 2305 <hr/> 2306 2307 2308 <h3 class="card__section__title">Detailed paths</h3> 2309 2310 <ul class="card__meta__paths"> 2311 <li> 2312 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2313 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2314 <span class="list-paths__item__arrow">›</span> 2315 libzstd/libzstd1@1.4.8+dfsg-3build1 2316 2317 </span> 2318 2319 </li> 2320 </ul><!-- .list-paths --> 2321 2322 </div><!-- .card__section --> 2323 2324 <hr/> 2325 <!-- Overview --> 2326 <h2 id="nvd-description">NVD Description</h2> 2327 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>libzstd</code> package and not the <code>libzstd</code> package as distributed by <code>Ubuntu</code>.</em> 2328 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 2329 <!-- Triage note: the NVD text that follows describes a buffer overrun reached through an argument passed to the zstd command-line tool, whereas this card is titled "Resource Exhaustion" and the only dependency path it lists is the libzstd1 library package at 1.4.8+dfsg-3build1. The description names upstream v1.4.10, and the note on this card says upstream versions do not map to the Ubuntu package. Whether the zstd command-line binary is present in this image is not shown in this report; confirm that, and the status on the Ubuntu advisory for CVE-2022-4899 linked under References, before prioritising this finding. --> <p>A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.</p> 2330 <h2 id="remediation">Remediation</h2> 2331 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>libzstd</code>.</p> 2332 <h2 id="references">References</h2> 2333 <ul> 2334 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-4899">ADVISORY</a></li> 2335 <li><a href="https://github.com/facebook/zstd/issues/3200">secalert@redhat.com</a></li> 2336 <li><a href="https://security.netapp.com/advisory/ntap-20230725-0005/">secalert@redhat.com</a></li> 2337 <li><a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C63HAGVLQA6FJNDCHR7CNZZL6VSLILB2/">secalert@redhat.com</a></li> 2338 <li><a
href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEHRBBYYTPA4DETOM5XAKGCP37NUTLOA/">secalert@redhat.com</a></li> 2339 <li><a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QYLDK6ODVC4LJSDULLX6Q2YHTFOWABCN/">secalert@redhat.com</a></li> 2340 </ul> 2341 2342 <hr/> 2343 2344 <div class="cta card__cta"> 2345 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-LIBZSTD-3368800">More about this vulnerability</a></p> 2346 </div> 2347 2348 </div><!-- .card --> 2349 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2350 <h2 class="card__title">Integer Overflow or Wraparound</h2> 2351 <div class="card__section"> 2352 2353 <div class="label label--low"> 2354 <span class="label__text">low severity</span> 2355 </div> 2356 2357 <hr/> 2358 2359 <ul class="card__meta"> 2360 <li class="card__meta__item"> 2361 Package Manager: ubuntu:22.04 2362 </li> 2363 <li class="card__meta__item"> 2364 Vulnerable module: 2365 2366 krb5/libk5crypto3 2367 </li> 2368 2369 <li class="card__meta__item">Introduced through: 2370 2371 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 and krb5/libk5crypto3@1.19.2-2ubuntu0.2 2372 2373 </li> 2374 </ul> 2375 2376 <hr/> 2377 2378 2379 <h3 class="card__section__title">Detailed paths</h3> 2380 2381 <ul class="card__meta__paths"> 2382 <li> 2383 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2384 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2385 <span class="list-paths__item__arrow">›</span> 2386 krb5/libk5crypto3@1.19.2-2ubuntu0.2 2387 2388 </span> 2389 2390 </li> 2391 <li> 2392 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2393 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2394 <span class="list-paths__item__arrow">›</span> 2395 adduser@3.118ubuntu5 2396 <span class="list-paths__item__arrow">›</span> 2397 shadow/passwd@1:4.8.1-2ubuntu2.1 2398 <span
class="list-paths__item__arrow">›</span> 2399 pam/libpam-modules@1.4.0-11ubuntu2.3 2400 <span class="list-paths__item__arrow">›</span> 2401 libnsl/libnsl2@1.3.0-2build2 2402 <span class="list-paths__item__arrow">›</span> 2403 libtirpc/libtirpc3@1.3.2-2ubuntu0.1 2404 <span class="list-paths__item__arrow">›</span> 2405 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 2406 <span class="list-paths__item__arrow">›</span> 2407 krb5/libk5crypto3@1.19.2-2ubuntu0.2 2408 2409 </span> 2410 2411 </li> 2412 <li> 2413 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2414 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2415 <span class="list-paths__item__arrow">›</span> 2416 adduser@3.118ubuntu5 2417 <span class="list-paths__item__arrow">›</span> 2418 shadow/passwd@1:4.8.1-2ubuntu2.1 2419 <span class="list-paths__item__arrow">›</span> 2420 pam/libpam-modules@1.4.0-11ubuntu2.3 2421 <span class="list-paths__item__arrow">›</span> 2422 libnsl/libnsl2@1.3.0-2build2 2423 <span class="list-paths__item__arrow">›</span> 2424 libtirpc/libtirpc3@1.3.2-2ubuntu0.1 2425 <span class="list-paths__item__arrow">›</span> 2426 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 2427 <span class="list-paths__item__arrow">›</span> 2428 krb5/libkrb5-3@1.19.2-2ubuntu0.2 2429 <span class="list-paths__item__arrow">›</span> 2430 krb5/libk5crypto3@1.19.2-2ubuntu0.2 2431 2432 </span> 2433 2434 </li> 2435 <li> 2436 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2437 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2438 <span class="list-paths__item__arrow">›</span> 2439 krb5/libkrb5-3@1.19.2-2ubuntu0.2 2440 2441 </span> 2442 2443 </li> 2444 <li> 2445 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2446 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2447 <span class="list-paths__item__arrow">›</span> 2448 adduser@3.118ubuntu5 2449 <span class="list-paths__item__arrow">›</span> 2450 shadow/passwd@1:4.8.1-2ubuntu2.1 2451 <span 
class="list-paths__item__arrow">›</span> 2452 pam/libpam-modules@1.4.0-11ubuntu2.3 2453 <span class="list-paths__item__arrow">›</span> 2454 libnsl/libnsl2@1.3.0-2build2 2455 <span class="list-paths__item__arrow">›</span> 2456 libtirpc/libtirpc3@1.3.2-2ubuntu0.1 2457 <span class="list-paths__item__arrow">›</span> 2458 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 2459 <span class="list-paths__item__arrow">›</span> 2460 krb5/libkrb5-3@1.19.2-2ubuntu0.2 2461 2462 </span> 2463 2464 </li> 2465 <li> 2466 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2467 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2468 <span class="list-paths__item__arrow">›</span> 2469 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 2470 2471 </span> 2472 2473 </li> 2474 <li> 2475 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2476 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2477 <span class="list-paths__item__arrow">›</span> 2478 openssh/openssh-client@1:8.9p1-3ubuntu0.4 2479 <span class="list-paths__item__arrow">›</span> 2480 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 2481 2482 </span> 2483 2484 </li> 2485 <li> 2486 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2487 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2488 <span class="list-paths__item__arrow">›</span> 2489 git@1:2.34.1-1ubuntu1.10 2490 <span class="list-paths__item__arrow">›</span> 2491 curl/libcurl3-gnutls@7.81.0-1ubuntu1.14 2492 <span class="list-paths__item__arrow">›</span> 2493 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 2494 2495 </span> 2496 2497 </li> 2498 <li> 2499 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2500 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2501 <span class="list-paths__item__arrow">›</span> 2502 git@1:2.34.1-1ubuntu1.10 2503 <span class="list-paths__item__arrow">›</span> 2504 curl/libcurl3-gnutls@7.81.0-1ubuntu1.14 2505 <span class="list-paths__item__arrow">›</span> 2506 libssh/libssh-4@0.9.6-2ubuntu0.22.04.1 2507 <span 
class="list-paths__item__arrow">›</span> 2508 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 2509 2510 </span> 2511 2512 </li> 2513 <li> 2514 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2515 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2516 <span class="list-paths__item__arrow">›</span> 2517 adduser@3.118ubuntu5 2518 <span class="list-paths__item__arrow">›</span> 2519 shadow/passwd@1:4.8.1-2ubuntu2.1 2520 <span class="list-paths__item__arrow">›</span> 2521 pam/libpam-modules@1.4.0-11ubuntu2.3 2522 <span class="list-paths__item__arrow">›</span> 2523 libnsl/libnsl2@1.3.0-2build2 2524 <span class="list-paths__item__arrow">›</span> 2525 libtirpc/libtirpc3@1.3.2-2ubuntu0.1 2526 <span class="list-paths__item__arrow">›</span> 2527 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 2528 2529 </span> 2530 2531 </li> 2532 <li> 2533 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2534 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2535 <span class="list-paths__item__arrow">›</span> 2536 krb5/libkrb5support0@1.19.2-2ubuntu0.2 2537 2538 </span> 2539 2540 </li> 2541 </ul><!-- .list-paths --> 2542 2543 </div><!-- .card__section --> 2544 2545 <hr/> 2546 <!-- Overview --> 2547 <h2 id="nvd-description">NVD Description</h2> 2548 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>krb5</code> package and not the <code>krb5</code> package as distributed by <code>Ubuntu:22.04</code>.</em> 2549 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 2550 <p>An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. 
An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.</p> 2551 <h2 id="remediation">Remediation</h2> 2552 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>krb5</code>.</p> 2553 <h2 id="references">References</h2> 2554 <ul> 2555 <li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5709">CVE Details</a></li> 2556 <li><a href="https://security-tracker.debian.org/tracker/CVE-2018-5709">Debian Security Tracker</a></li> 2557 <li><a href="https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow">GitHub Additional Information</a></li> 2558 <li><a href="https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E">MLIST</a></li> 2559 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-5709">Ubuntu CVE Tracker</a></li> 2560 </ul> 2561 2562 <hr/> 2563 2564 <div class="cta card__cta"> 2565 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-KRB5-2797765">More about this vulnerability</a></p> 2566 </div> 2567 2568 </div><!-- .card --> 2569 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2570 <h2 class="card__title">Out-of-bounds Write</h2> 2571 <div class="card__section"> 2572 2573 <div class="label label--low"> 2574 <span class="label__text">low severity</span> 2575 </div> 2576 2577 <hr/> 2578 2579 <ul class="card__meta"> 2580 <li class="card__meta__item"> 2581 Package Manager: ubuntu:22.04 2582 </li> 2583 <li class="card__meta__item"> 2584 Vulnerable module: 2585 2586 gnupg2/gpgv 2587 </li> 2588 2589 <li class="card__meta__item">Introduced through: 2590 2591 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 and gnupg2/gpgv@2.2.27-3ubuntu2.1 2592 2593 </li> 2594 </ul> 2595 2596 <hr/> 2597 2598 2599 <h3 class="card__section__title">Detailed paths</h3> 2600 2601 <ul class="card__meta__paths"> 2602 <li> 2603 
<span class="list-paths__item__introduced"><em>Introduced through</em>: 2604 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2605 <span class="list-paths__item__arrow">›</span> 2606 gnupg2/gpgv@2.2.27-3ubuntu2.1 2607 2608 </span> 2609 2610 </li> 2611 <li> 2612 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2613 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2614 <span class="list-paths__item__arrow">›</span> 2615 apt@2.4.10 2616 <span class="list-paths__item__arrow">›</span> 2617 gnupg2/gpgv@2.2.27-3ubuntu2.1 2618 2619 </span> 2620 2621 </li> 2622 <li> 2623 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2624 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2625 <span class="list-paths__item__arrow">›</span> 2626 gnupg2/gnupg@2.2.27-3ubuntu2.1 2627 <span class="list-paths__item__arrow">›</span> 2628 gnupg2/gpgv@2.2.27-3ubuntu2.1 2629 2630 </span> 2631 2632 </li> 2633 <li> 2634 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2635 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2636 <span class="list-paths__item__arrow">›</span> 2637 gnupg2/dirmngr@2.2.27-3ubuntu2.1 2638 <span class="list-paths__item__arrow">›</span> 2639 gnupg2/gpgconf@2.2.27-3ubuntu2.1 2640 2641 </span> 2642 2643 </li> 2644 <li> 2645 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2646 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2647 <span class="list-paths__item__arrow">›</span> 2648 gnupg2/gpg@2.2.27-3ubuntu2.1 2649 <span class="list-paths__item__arrow">›</span> 2650 gnupg2/gpgconf@2.2.27-3ubuntu2.1 2651 2652 </span> 2653 2654 </li> 2655 <li> 2656 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2657 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2658 <span class="list-paths__item__arrow">›</span> 2659 gnupg2/gnupg@2.2.27-3ubuntu2.1 2660 <span class="list-paths__item__arrow">›</span> 2661 gnupg2/gpg-agent@2.2.27-3ubuntu2.1 2662 <span class="list-paths__item__arrow">›</span> 
2663 gnupg2/gpgconf@2.2.27-3ubuntu2.1 2664 2665 </span> 2666 2667 </li> 2668 <li> 2669 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2670 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2671 <span class="list-paths__item__arrow">›</span> 2672 gnupg2/gnupg@2.2.27-3ubuntu2.1 2673 <span class="list-paths__item__arrow">›</span> 2674 gnupg2/gpgsm@2.2.27-3ubuntu2.1 2675 <span class="list-paths__item__arrow">›</span> 2676 gnupg2/gpgconf@2.2.27-3ubuntu2.1 2677 2678 </span> 2679 2680 </li> 2681 <li> 2682 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2683 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2684 <span class="list-paths__item__arrow">›</span> 2685 gnupg2/dirmngr@2.2.27-3ubuntu2.1 2686 2687 </span> 2688 2689 </li> 2690 <li> 2691 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2692 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2693 <span class="list-paths__item__arrow">›</span> 2694 gnupg2/gnupg@2.2.27-3ubuntu2.1 2695 <span class="list-paths__item__arrow">›</span> 2696 gnupg2/dirmngr@2.2.27-3ubuntu2.1 2697 2698 </span> 2699 2700 </li> 2701 <li> 2702 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2703 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2704 <span class="list-paths__item__arrow">›</span> 2705 gnupg2/gnupg@2.2.27-3ubuntu2.1 2706 <span class="list-paths__item__arrow">›</span> 2707 gnupg2/gpg-wks-client@2.2.27-3ubuntu2.1 2708 <span class="list-paths__item__arrow">›</span> 2709 gnupg2/dirmngr@2.2.27-3ubuntu2.1 2710 2711 </span> 2712 2713 </li> 2714 <li> 2715 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2716 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2717 <span class="list-paths__item__arrow">›</span> 2718 gnupg2/gnupg-l10n@2.2.27-3ubuntu2.1 2719 2720 </span> 2721 2722 </li> 2723 <li> 2724 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2725 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2726 <span 
class="list-paths__item__arrow">›</span> 2727 gnupg2/gnupg@2.2.27-3ubuntu2.1 2728 <span class="list-paths__item__arrow">›</span> 2729 gnupg2/gnupg-l10n@2.2.27-3ubuntu2.1 2730 2731 </span> 2732 2733 </li> 2734 <li> 2735 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2736 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2737 <span class="list-paths__item__arrow">›</span> 2738 gnupg2/gnupg-utils@2.2.27-3ubuntu2.1 2739 2740 </span> 2741 2742 </li> 2743 <li> 2744 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2745 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2746 <span class="list-paths__item__arrow">›</span> 2747 gnupg2/gnupg@2.2.27-3ubuntu2.1 2748 <span class="list-paths__item__arrow">›</span> 2749 gnupg2/gnupg-utils@2.2.27-3ubuntu2.1 2750 2751 </span> 2752 2753 </li> 2754 <li> 2755 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2756 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2757 <span class="list-paths__item__arrow">›</span> 2758 gnupg2/gpg@2.2.27-3ubuntu2.1 2759 2760 </span> 2761 2762 </li> 2763 <li> 2764 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2765 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2766 <span class="list-paths__item__arrow">›</span> 2767 gnupg2/gnupg@2.2.27-3ubuntu2.1 2768 <span class="list-paths__item__arrow">›</span> 2769 gnupg2/gpg@2.2.27-3ubuntu2.1 2770 2771 </span> 2772 2773 </li> 2774 <li> 2775 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2776 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2777 <span class="list-paths__item__arrow">›</span> 2778 gnupg2/gnupg@2.2.27-3ubuntu2.1 2779 <span class="list-paths__item__arrow">›</span> 2780 gnupg2/gpg-wks-client@2.2.27-3ubuntu2.1 2781 <span class="list-paths__item__arrow">›</span> 2782 gnupg2/gpg@2.2.27-3ubuntu2.1 2783 2784 </span> 2785 2786 </li> 2787 <li> 2788 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2789 
docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2790 <span class="list-paths__item__arrow">›</span> 2791 gnupg2/gnupg@2.2.27-3ubuntu2.1 2792 <span class="list-paths__item__arrow">›</span> 2793 gnupg2/gpg-wks-server@2.2.27-3ubuntu2.1 2794 <span class="list-paths__item__arrow">›</span> 2795 gnupg2/gpg@2.2.27-3ubuntu2.1 2796 2797 </span> 2798 2799 </li> 2800 <li> 2801 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2802 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2803 <span class="list-paths__item__arrow">›</span> 2804 gnupg2/gpg-agent@2.2.27-3ubuntu2.1 2805 2806 </span> 2807 2808 </li> 2809 <li> 2810 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2811 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2812 <span class="list-paths__item__arrow">›</span> 2813 gnupg2/gnupg@2.2.27-3ubuntu2.1 2814 <span class="list-paths__item__arrow">›</span> 2815 gnupg2/gpg-agent@2.2.27-3ubuntu2.1 2816 2817 </span> 2818 2819 </li> 2820 <li> 2821 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2822 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2823 <span class="list-paths__item__arrow">›</span> 2824 gnupg2/gnupg@2.2.27-3ubuntu2.1 2825 <span class="list-paths__item__arrow">›</span> 2826 gnupg2/gpg-wks-client@2.2.27-3ubuntu2.1 2827 <span class="list-paths__item__arrow">›</span> 2828 gnupg2/gpg-agent@2.2.27-3ubuntu2.1 2829 2830 </span> 2831 2832 </li> 2833 <li> 2834 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2835 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2836 <span class="list-paths__item__arrow">›</span> 2837 gnupg2/gnupg@2.2.27-3ubuntu2.1 2838 <span class="list-paths__item__arrow">›</span> 2839 gnupg2/gpg-wks-server@2.2.27-3ubuntu2.1 2840 <span class="list-paths__item__arrow">›</span> 2841 gnupg2/gpg-agent@2.2.27-3ubuntu2.1 2842 2843 </span> 2844 2845 </li> 2846 <li> 2847 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2848 
docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2849 <span class="list-paths__item__arrow">›</span> 2850 gnupg2/gpg-wks-client@2.2.27-3ubuntu2.1 2851 2852 </span> 2853 2854 </li> 2855 <li> 2856 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2857 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2858 <span class="list-paths__item__arrow">›</span> 2859 gnupg2/gnupg@2.2.27-3ubuntu2.1 2860 <span class="list-paths__item__arrow">›</span> 2861 gnupg2/gpg-wks-client@2.2.27-3ubuntu2.1 2862 2863 </span> 2864 2865 </li> 2866 <li> 2867 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2868 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2869 <span class="list-paths__item__arrow">›</span> 2870 gnupg2/gpg-wks-server@2.2.27-3ubuntu2.1 2871 2872 </span> 2873 2874 </li> 2875 <li> 2876 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2877 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2878 <span class="list-paths__item__arrow">›</span> 2879 gnupg2/gnupg@2.2.27-3ubuntu2.1 2880 <span class="list-paths__item__arrow">›</span> 2881 gnupg2/gpg-wks-server@2.2.27-3ubuntu2.1 2882 2883 </span> 2884 2885 </li> 2886 <li> 2887 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2888 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2889 <span class="list-paths__item__arrow">›</span> 2890 gnupg2/gpgsm@2.2.27-3ubuntu2.1 2891 2892 </span> 2893 2894 </li> 2895 <li> 2896 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2897 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2898 <span class="list-paths__item__arrow">›</span> 2899 gnupg2/gnupg@2.2.27-3ubuntu2.1 2900 <span class="list-paths__item__arrow">›</span> 2901 gnupg2/gpgsm@2.2.27-3ubuntu2.1 2902 2903 </span> 2904 2905 </li> 2906 <li> 2907 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2908 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2909 <span class="list-paths__item__arrow">›</span> 2910 
gnupg2/gnupg@2.2.27-3ubuntu2.1 2911 2912 </span> 2913 2914 </li> 2915 </ul><!-- .list-paths --> 2916 2917 </div><!-- .card__section --> 2918 2919 <hr/> 2920 <!-- Overview --> 2921 <h2 id="nvd-description">NVD Description</h2> 2922 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>gnupg2</code> package and not the <code>gnupg2</code> package as distributed by <code>Ubuntu:22.04</code>.</em> 2923 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 2924 <p>GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.</p> 2925 <h2 id="remediation">Remediation</h2> 2926 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>gnupg2</code>.</p> 2927 <h2 id="references">References</h2> 2928 <ul> 2929 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3219">ADVISORY</a></li> 2930 <li><a href="https://access.redhat.com/security/cve/CVE-2022-3219">secalert@redhat.com</a></li> 2931 <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2127010">secalert@redhat.com</a></li> 2932 <li><a href="https://dev.gnupg.org/D556">secalert@redhat.com</a></li> 2933 <li><a href="https://dev.gnupg.org/T5993">secalert@redhat.com</a></li> 2934 <li><a href="https://marc.info/?l=oss-security&m=165696590211434&w=4">secalert@redhat.com</a></li> 2935 <li><a href="https://security.netapp.com/advisory/ntap-20230324-0001/">secalert@redhat.com</a></li> 2936 </ul> 2937 2938 <hr/> 2939 2940 <div class="cta card__cta"> 2941 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-GNUPG2-3035409">More about this vulnerability</a></p> 2942 </div> 2943 2944 </div><!-- .card --> 2945 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2946 <h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2> 2947 <div 
class="card__section"> 2948 2949 <div class="label label--low"> 2950 <span class="label__text">low severity</span> 2951 </div> 2952 2953 <hr/> 2954 2955 <ul class="card__meta"> 2956 <li class="card__meta__item"> 2957 Package Manager: ubuntu:22.04 2958 </li> 2959 <li class="card__meta__item"> 2960 Vulnerable module: 2961 2962 glibc/libc-bin 2963 </li> 2964 2965 <li class="card__meta__item">Introduced through: 2966 2967 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 and glibc/libc-bin@2.35-0ubuntu3.4 2968 2969 </li> 2970 </ul> 2971 2972 <hr/> 2973 2974 2975 <h3 class="card__section__title">Detailed paths</h3> 2976 2977 <ul class="card__meta__paths"> 2978 <li> 2979 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2980 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2981 <span class="list-paths__item__arrow">›</span> 2982 glibc/libc-bin@2.35-0ubuntu3.4 2983 2984 </span> 2985 2986 </li> 2987 <li> 2988 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2989 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 2990 <span class="list-paths__item__arrow">›</span> 2991 glibc/libc6@2.35-0ubuntu3.4 2992 2993 </span> 2994 2995 </li> 2996 </ul><!-- .list-paths --> 2997 2998 </div><!-- .card__section --> 2999 3000 <hr/> 3001 <!-- Overview --> 3002 <h2 id="nvd-description">NVD Description</h2> 3003 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>glibc</code> package and not the <code>glibc</code> package as distributed by <code>Ubuntu:22.04</code>.</em> 3004 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 3005 <p>sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.</p> 3006 <h2 id="remediation">Remediation</h2> 3007 <p>There is no fixed version for <code>Ubuntu:22.04</code> 
<code>glibc</code>.</p> 3008 <h2 id="references">References</h2> 3009 <ul> 3010 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-20013">ADVISORY</a></li> 3011 <li><a href="https://twitter.com/solardiz/status/795601240151457793">cve@mitre.org</a></li> 3012 <li><a href="https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/">cve@mitre.org</a></li> 3013 <li><a href="https://akkadia.org/drepper/SHA-crypt.txt">cve@mitre.org</a></li> 3014 </ul> 3015 3016 <hr/> 3017 3018 <div class="cta card__cta"> 3019 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-GLIBC-2801292">More about this vulnerability</a></p> 3020 </div> 3021 3022 </div><!-- .card --> 3023 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 3024 <h2 class="card__title">Improper Input Validation</h2> 3025 <div class="card__section"> 3026 3027 <div class="label label--low"> 3028 <span class="label__text">low severity</span> 3029 </div> 3030 3031 <hr/> 3032 3033 <ul class="card__meta"> 3034 <li class="card__meta__item"> 3035 Package Manager: ubuntu:22.04 3036 </li> 3037 <li class="card__meta__item"> 3038 Vulnerable module: 3039 3040 git/git-man 3041 </li> 3042 3043 <li class="card__meta__item">Introduced through: 3044 3045 3046 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3, git@1:2.34.1-1ubuntu1.10 and others 3047 </li> 3048 </ul> 3049 3050 <hr/> 3051 3052 3053 <h3 class="card__section__title">Detailed paths</h3> 3054 3055 <ul class="card__meta__paths"> 3056 <li> 3057 <span class="list-paths__item__introduced"><em>Introduced through</em>: 3058 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 3059 <span class="list-paths__item__arrow">›</span> 3060 git@1:2.34.1-1ubuntu1.10 3061 <span class="list-paths__item__arrow">›</span> 3062 git/git-man@1:2.34.1-1ubuntu1.10 3063 3064 </span> 3065 3066 </li> 3067 <li> 3068 <span class="list-paths__item__introduced"><em>Introduced through</em>: 3069 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 
3070 <span class="list-paths__item__arrow">›</span> 3071 git@1:2.34.1-1ubuntu1.10 3072 3073 </span> 3074 3075 </li> 3076 <li> 3077 <span class="list-paths__item__introduced"><em>Introduced through</em>: 3078 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 3079 <span class="list-paths__item__arrow">›</span> 3080 git-lfs@3.0.2-1ubuntu0.2 3081 <span class="list-paths__item__arrow">›</span> 3082 git@1:2.34.1-1ubuntu1.10 3083 3084 </span> 3085 3086 </li> 3087 </ul><!-- .list-paths --> 3088 3089 </div><!-- .card__section --> 3090 3091 <hr/> 3092 <!-- Overview --> 3093 <h2 id="nvd-description">NVD Description</h2> 3094 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>git</code> package and not the <code>git</code> package as distributed by <code>Ubuntu:22.04</code>.</em> 3095 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 3096 <p>GIT version 2.15.1 and earlier contains an input validation error vulnerability in the client that can result in problems ranging from messing up the terminal configuration to RCE.
This attack appears to be exploitable when the user interacts with a malicious git server (or has their traffic modified in a MITM attack).</p> 3097 <h2 id="remediation">Remediation</h2> 3098 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>git</code>.</p> 3099 <h2 id="references">References</h2> 3100 <ul> 3101 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-1000021">ADVISORY</a></li> 3102 <li><a href="https://security-tracker.debian.org/tracker/CVE-2018-1000021">Debian Security Tracker</a></li> 3103 <li><a href="http://www.batterystapl.es/2018/01/security-implications-of-ansi-escape.html">http://www.batterystapl.es/2018/01/security-implications-of-ansi-escape.html</a></li> 3104 </ul> 3105 3106 <hr/> 3107 3108 <div class="cta card__cta"> 3109 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-GIT-2798113">More about this vulnerability</a></p> 3110 </div> 3111 3112 </div><!-- .card --> 3113 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 3114 <h2 class="card__title">Uncontrolled Recursion</h2> 3115 <div class="card__section"> 3116 3117 <div class="label label--low"> 3118 <span class="label__text">low severity</span> 3119 </div> 3120 3121 <hr/> 3122 3123 <ul class="card__meta"> 3124 <li class="card__meta__item"> 3125 Package Manager: ubuntu:22.04 3126 </li> 3127 <li class="card__meta__item"> 3128 Vulnerable module: 3129 3130 gcc-12/libstdc++6 3131 </li> 3132 3133 <li class="card__meta__item">Introduced through: 3134 3135 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 and gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04 3136 3137 </li> 3138 </ul> 3139 3140 <hr/> 3141 3142 3143 <h3 class="card__section__title">Detailed paths</h3> 3144 3145 <ul class="card__meta__paths"> 3146 <li> 3147 <span class="list-paths__item__introduced"><em>Introduced through</em>: 3148 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 3149 <span class="list-paths__item__arrow">›</span> 3150 gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04
3151 3152 </span> 3153 3154 </li> 3155 <li> 3156 <span class="list-paths__item__introduced"><em>Introduced through</em>: 3157 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 3158 <span class="list-paths__item__arrow">›</span> 3159 apt@2.4.10 3160 <span class="list-paths__item__arrow">›</span> 3161 gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04 3162 3163 </span> 3164 3165 </li> 3166 <li> 3167 <span class="list-paths__item__introduced"><em>Introduced through</em>: 3168 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 3169 <span class="list-paths__item__arrow">›</span> 3170 apt@2.4.10 3171 <span class="list-paths__item__arrow">›</span> 3172 apt/libapt-pkg6.0@2.4.10 3173 <span class="list-paths__item__arrow">›</span> 3174 gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04 3175 3176 </span> 3177 3178 </li> 3179 <li> 3180 <span class="list-paths__item__introduced"><em>Introduced through</em>: 3181 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 3182 <span class="list-paths__item__arrow">›</span> 3183 gcc-12/gcc-12-base@12.3.0-1ubuntu1~22.04 3184 3185 </span> 3186 3187 </li> 3188 <li> 3189 <span class="list-paths__item__introduced"><em>Introduced through</em>: 3190 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 3191 <span class="list-paths__item__arrow">›</span> 3192 gcc-12/libgcc-s1@12.3.0-1ubuntu1~22.04 3193 3194 </span> 3195 3196 </li> 3197 </ul><!-- .list-paths --> 3198 3199 </div><!-- .card__section --> 3200 3201 <hr/> 3202 <!-- Overview --> 3203 <h2 id="nvd-description">NVD Description</h2> 3204 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>gcc-12</code> package and not the <code>gcc-12</code> package as distributed by <code>Ubuntu:22.04</code>.</em> 3205 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 3206 <p>libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.</p> 3207 <h2 
id="remediation">Remediation</h2> 3208 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>gcc-12</code>.</p> 3209 <h2 id="references">References</h2> 3210 <ul> 3211 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-27943">ADVISORY</a></li> 3212 <li><a href="https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039">cve@mitre.org</a></li> 3213 <li><a href="https://sourceware.org/bugzilla/show_bug.cgi?id=28995">cve@mitre.org</a></li> 3214 <li><a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/">cve@mitre.org</a></li> 3215 </ul> 3216 3217 <hr/> 3218 3219 <div class="cta card__cta"> 3220 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-GCC12-5861847">More about this vulnerability</a></p> 3221 </div> 3222 3223 </div><!-- .card --> 3224 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 3225 <h2 class="card__title">Improper Input Validation</h2> 3226 <div class="card__section"> 3227 3228 <div class="label label--low"> 3229 <span class="label__text">low severity</span> 3230 </div> 3231 3232 <hr/> 3233 3234 <ul class="card__meta"> 3235 <li class="card__meta__item"> 3236 Package Manager: ubuntu:22.04 3237 </li> 3238 <li class="card__meta__item"> 3239 Vulnerable module: 3240 3241 coreutils 3242 </li> 3243 3244 <li class="card__meta__item">Introduced through: 3245 3246 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 and coreutils@8.32-4.1ubuntu1 3247 3248 </li> 3249 </ul> 3250 3251 <hr/> 3252 3253 3254 <h3 class="card__section__title">Detailed paths</h3> 3255 3256 <ul class="card__meta__paths"> 3257 <li> 3258 <span class="list-paths__item__introduced"><em>Introduced through</em>: 3259 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 3260 <span class="list-paths__item__arrow">›</span> 3261 coreutils@8.32-4.1ubuntu1 3262 3263 </span> 3264 3265 </li> 3266 </ul><!-- .list-paths --> 3267 3268 </div><!-- .card__section --> 3269 3270 <hr/> 
3271 <!-- Overview --> 3272 <h2 id="nvd-description">NVD Description</h2> 3273 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>coreutils</code> package and not the <code>coreutils</code> package as distributed by <code>Ubuntu:22.04</code>.</em> 3274 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 3275 <p>chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.</p> 3276 <h2 id="remediation">Remediation</h2> 3277 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>coreutils</code>.</p> 3278 <h2 id="references">References</h2> 3279 <ul> 3280 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2781">ADVISORY</a></li> 3281 <li><a href="https://security-tracker.debian.org/tracker/CVE-2016-2781">Debian Security Tracker</a></li> 3282 <li><a href="https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E">MLIST</a></li> 3283 <li><a href="http://www.openwall.com/lists/oss-security/2016/02/28/2">OSS security Advisory</a></li> 3284 <li><a href="http://www.openwall.com/lists/oss-security/2016/02/28/3">OSS security Advisory</a></li> 3285 </ul> 3286 3287 <hr/> 3288 3289 <div class="cta card__cta"> 3290 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-COREUTILS-2801226">More about this vulnerability</a></p> 3291 </div> 3292 3293 </div><!-- .card --> 3294 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 3295 <h2 class="card__title">Out-of-bounds Write</h2> 3296 <div class="card__section"> 3297 3298 <div class="label label--low"> 3299 <span class="label__text">low severity</span> 3300 </div> 3301 3302 <hr/> 3303 3304 <ul class="card__meta"> 3305 <li class="card__meta__item"> 3306 Package Manager: 
ubuntu:22.04 3307 </li> 3308 <li class="card__meta__item"> 3309 Vulnerable module: 3310 3311 bash 3312 </li> 3313 3314 <li class="card__meta__item">Introduced through: 3315 3316 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 and bash@5.1-6ubuntu1 3317 3318 </li> 3319 </ul> 3320 3321 <hr/> 3322 3323 3324 <h3 class="card__section__title">Detailed paths</h3> 3325 3326 <ul class="card__meta__paths"> 3327 <li> 3328 <span class="list-paths__item__introduced"><em>Introduced through</em>: 3329 docker-image|quay.io/argoproj/argocd@v2.9.0-rc3 3330 <span class="list-paths__item__arrow">›</span> 3331 bash@5.1-6ubuntu1 3332 3333 </span> 3334 3335 </li> 3336 </ul><!-- .list-paths --> 3337 3338 </div><!-- .card__section --> 3339 3340 <hr/> 3341 <!-- Overview --> 3342 <h2 id="nvd-description">NVD Description</h2> 3343 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>bash</code> package and not the <code>bash</code> package as distributed by <code>Ubuntu:22.04</code>.</em> 3344 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 3345 <p>A flaw was found in the bash package, where a heap-buffer overflow can occur in valid_parameter_transform.
This issue may lead to memory problems.</p> 3346 <h2 id="remediation">Remediation</h2> 3347 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>bash</code>.</p> 3348 <h2 id="references">References</h2> 3349 <ul> 3350 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3715">ADVISORY</a></li> 3351 <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2126720">secalert@redhat.com</a></li> 3352 </ul> 3353 3354 <hr/> 3355 3356 <div class="cta card__cta"> 3357 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-BASH-3098342">More about this vulnerability</a></p> 3358 </div> 3359 3360 </div><!-- .card --> 3361 </div><!-- cards --> 3362 </div> 3363 </main><!-- .layout-stacked__content --> 3364 </body> 3365 3366 </html>