github.com/argoproj/argo-cd/v2@v2.10.9/docs/snyk/master/quay.io_argoproj_argocd_latest.html (about) 1 <!DOCTYPE html> 2 <html lang="en"> 3 4 <head> 5 <meta http-equiv="Content-type" content="text/html; charset=utf-8"> 6 <meta http-equiv="Content-Language" content="en-us"> 7 <meta name="viewport" content="width=device-width, initial-scale=1.0"> 8 <meta http-equiv="X-UA-Compatible" content="IE=edge"> 9 <title>Snyk test report</title> 10 <meta name="description" content="28 known vulnerabilities found in 96 vulnerable dependency paths."> 11 <base target="_blank"> 12 <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png" 13 sizes="194x194"> 14 <link rel="shortcut icon" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.ico"> 15 <style type="text/css"> 16 17 body { 18 -moz-font-feature-settings: "pnum"; 19 -webkit-font-feature-settings: "pnum"; 20 font-variant-numeric: proportional-nums; 21 display: flex; 22 flex-direction: column; 23 font-feature-settings: "pnum"; 24 font-size: 100%; 25 line-height: 1.5; 26 min-height: 100vh; 27 -webkit-text-size-adjust: 100%; 28 margin: 0; 29 padding: 0; 30 background-color: #F5F5F5; 31 font-family: 'Arial', 'Helvetica', Calibri, sans-serif; 32 } 33 34 h1, 35 h2, 36 h3, 37 h4, 38 h5, 39 h6 { 40 font-weight: 500; 41 } 42 43 a, 44 a:link, 45 a:visited { 46 border-bottom: 1px solid #4b45a9; 47 text-decoration: none; 48 color: #4b45a9; 49 } 50 51 a:hover, 52 a:focus, 53 a:active { 54 border-bottom: 1px solid #4b45a9; 55 } 56 57 hr { 58 border: none; 59 margin: 1em 0; 60 border-top: 1px solid #c5c5c5; 61 } 62 63 ul { 64 padding: 0 1em; 65 margin: 1em 0; 66 } 67 68 code { 69 background-color: #EEE; 70 color: #333; 71 padding: 0.25em 0.5em; 72 border-radius: 0.25em; 73 } 74 75 pre { 76 background-color: #333; 77 font-family: monospace; 78 padding: 0.5em 1em 0.75em; 79 border-radius: 0.25em; 80 font-size: 14px; 81 } 82 83 pre code { 84 padding: 0; 85 
background-color: transparent; 86 color: #fff; 87 } 88 89 a code { 90 border-radius: .125rem .125rem 0 0; 91 padding-bottom: 0; 92 color: #4b45a9; 93 } 94 95 a[href^="http://"]:after, 96 a[href^="https://"]:after { 97 background-image: linear-gradient(transparent,transparent),url("data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%20112%20109%22%3E%3Cg%20id%3D%22Page-1%22%20fill%3D%22none%22%20fill-rule%3D%22evenodd%22%3E%3Cg%20id%3D%22link-external%22%3E%3Cg%20id%3D%22arrow%22%3E%3Cpath%20id%3D%22Line%22%20stroke%3D%22%234B45A9%22%20stroke-width%3D%2215%22%20d%3D%22M88.5%2021l-43%2042.5%22%20stroke-linecap%3D%22square%22%2F%3E%3Cpath%20id%3D%22Triangle%22%20fill%3D%22%234B45A9%22%20d%3D%22M111.2%200v50L61%200z%22%2F%3E%3C%2Fg%3E%3Cpath%20id%3D%22square%22%20fill%3D%22%234B45A9%22%20d%3D%22M66%2015H0v94h94V44L79%2059v35H15V30h36z%22%2F%3E%3C%2Fg%3E%3C%2Fg%3E%3C%2Fsvg%3E"); 98 background-repeat: no-repeat; 99 background-size: .75rem; 100 content: ""; 101 display: inline-block; 102 height: .75rem; 103 margin-left: .25rem; 104 width: .75rem; 105 } 106 107 108 /* Layout */ 109 110 [class*=layout-container] { 111 margin: 0 auto; 112 max-width: 71.25em; 113 padding: 1.9em 1.3em; 114 position: relative; 115 } 116 .layout-container--short { 117 padding-top: 0; 118 padding-bottom: 0; 119 max-width: 48.75em; 120 } 121 122 .layout-container--short:after { 123 display: block; 124 content: ""; 125 clear: both; 126 } 127 128 /* Header */ 129 130 .header { 131 padding-bottom: 1px; 132 } 133 134 .paths { 135 margin-left: 8px; 136 } 137 .header-wrap { 138 display: flex; 139 flex-direction: row; 140 justify-content: space-between; 141 padding-top: 2em; 142 } 143 .project__header { 144 background-color: #4b45a9; 145 color: #fff; 146 margin-bottom: -1px; 147 padding-top: 1em; 148 padding-bottom: 0.25em; 149 border-bottom: 2px solid #BBB; 150 } 151 152 .project__header__title { 153 overflow-wrap: break-word; 154 word-wrap: break-word; 
155 word-break: break-all; 156 margin-bottom: .1em; 157 margin-top: 0; 158 } 159 160 .timestamp { 161 float: right; 162 clear: none; 163 margin-bottom: 0; 164 } 165 166 .meta-counts { 167 clear: both; 168 display: block; 169 flex-wrap: wrap; 170 justify-content: space-between; 171 margin: 0 0 1.5em; 172 color: #fff; 173 clear: both; 174 font-size: 1.1em; 175 } 176 177 .meta-count { 178 display: block; 179 flex-basis: 100%; 180 margin: 0 1em 1em 0; 181 float: left; 182 padding-right: 1em; 183 border-right: 2px solid #fff; 184 } 185 186 .meta-count:last-child { 187 border-right: 0; 188 padding-right: 0; 189 margin-right: 0; 190 } 191 192 /* Card */ 193 194 .card { 195 background-color: #fff; 196 border: 1px solid #c5c5c5; 197 border-radius: .25rem; 198 margin: 0 0 2em 0; 199 position: relative; 200 min-height: 40px; 201 padding: 1.5em; 202 } 203 204 .card .label { 205 background-color: #767676; 206 border: 2px solid #767676; 207 color: white; 208 padding: 0.25rem 0.75rem; 209 font-size: 0.875rem; 210 text-transform: uppercase; 211 display: inline-block; 212 margin: 0; 213 border-radius: 0.25rem; 214 } 215 216 .card .label__text { 217 vertical-align: text-top; 218 font-weight: bold; 219 } 220 221 .card .label--critical { 222 background-color: #AB1A1A; 223 border-color: #AB1A1A; 224 } 225 226 .card .label--high { 227 background-color: #CE5019; 228 border-color: #CE5019; 229 } 230 231 .card .label--medium { 232 background-color: #D68000; 233 border-color: #D68000; 234 } 235 236 .card .label--low { 237 background-color: #88879E; 238 border-color: #88879E; 239 } 240 241 .severity--low { 242 border-color: #88879E; 243 } 244 245 .severity--medium { 246 border-color: #D68000; 247 } 248 249 .severity--high { 250 border-color: #CE5019; 251 } 252 253 .severity--critical { 254 border-color: #AB1A1A; 255 } 256 257 .card--vuln { 258 padding-top: 4em; 259 } 260 261 .card--vuln .label { 262 left: 0; 263 position: absolute; 264 top: 1.1em; 265 padding-left: 1.9em; 266 padding-right: 
1.9em; 267 border-radius: 0 0.25rem 0.25rem 0; 268 } 269 270 .card--vuln .card__section h2 { 271 font-size: 22px; 272 margin-bottom: 0.5em; 273 } 274 275 .card--vuln .card__section p { 276 margin: 0 0 0.5em 0; 277 } 278 279 .card--vuln .card__meta { 280 padding: 0 0 0 1em; 281 margin: 0; 282 font-size: 1.1em; 283 } 284 285 .card .card__meta__paths { 286 font-size: 0.9em; 287 } 288 289 .card--vuln .card__title { 290 font-size: 28px; 291 margin-top: 0; 292 } 293 294 .card--vuln .card__cta p { 295 margin: 0; 296 text-align: right; 297 } 298 299 .source-panel { 300 clear: both; 301 display: flex; 302 justify-content: flex-start; 303 flex-direction: column; 304 align-items: flex-start; 305 padding: 0.5em 0; 306 width: fit-content; 307 } 308 309 310 311 </style> 312 <style type="text/css"> 313 .metatable { 314 text-size-adjust: 100%; 315 -webkit-font-smoothing: antialiased; 316 -webkit-box-direction: normal; 317 color: inherit; 318 font-feature-settings: "pnum"; 319 box-sizing: border-box; 320 background: transparent; 321 border: 0; 322 font: inherit; 323 font-size: 100%; 324 margin: 0; 325 outline: none; 326 padding: 0; 327 text-align: left; 328 text-decoration: none; 329 vertical-align: baseline; 330 z-index: auto; 331 margin-top: 12px; 332 border-collapse: collapse; 333 border-spacing: 0; 334 font-variant-numeric: tabular-nums; 335 max-width: 51.75em; 336 } 337 338 tbody { 339 text-size-adjust: 100%; 340 -webkit-font-smoothing: antialiased; 341 -webkit-box-direction: normal; 342 color: inherit; 343 font-feature-settings: "pnum"; 344 border-collapse: collapse; 345 border-spacing: 0; 346 box-sizing: border-box; 347 background: transparent; 348 border: 0; 349 font: inherit; 350 font-size: 100%; 351 margin: 0; 352 outline: none; 353 padding: 0; 354 text-align: left; 355 text-decoration: none; 356 vertical-align: baseline; 357 z-index: auto; 358 display: flex; 359 flex-wrap: wrap; 360 } 361 362 .meta-row { 363 text-size-adjust: 100%; 364 -webkit-font-smoothing: 
antialiased; 365 -webkit-box-direction: normal; 366 color: inherit; 367 font-feature-settings: "pnum"; 368 border-collapse: collapse; 369 border-spacing: 0; 370 box-sizing: border-box; 371 background: transparent; 372 border: 0; 373 font: inherit; 374 font-size: 100%; 375 outline: none; 376 text-align: left; 377 text-decoration: none; 378 vertical-align: baseline; 379 z-index: auto; 380 display: flex; 381 align-items: start; 382 border-top: 1px solid #d3d3d9; 383 padding: 8px 0 0 0; 384 border-bottom: none; 385 margin: 8px; 386 width: 47.75%; 387 } 388 389 .meta-row-label { 390 text-size-adjust: 100%; 391 -webkit-font-smoothing: antialiased; 392 -webkit-box-direction: normal; 393 font-feature-settings: "pnum"; 394 border-collapse: collapse; 395 border-spacing: 0; 396 color: #4c4a73; 397 box-sizing: border-box; 398 background: transparent; 399 border: 0; 400 font: inherit; 401 margin: 0; 402 outline: none; 403 text-decoration: none; 404 z-index: auto; 405 align-self: start; 406 flex: 1; 407 font-size: 1rem; 408 line-height: 1.5rem; 409 padding: 0; 410 text-align: left; 411 vertical-align: top; 412 text-transform: none; 413 letter-spacing: 0; 414 } 415 416 .meta-row-value { 417 text-size-adjust: 100%; 418 -webkit-font-smoothing: antialiased; 419 -webkit-box-direction: normal; 420 color: inherit; 421 font-feature-settings: "pnum"; 422 border-collapse: collapse; 423 border-spacing: 0; 424 word-break: break-word; 425 box-sizing: border-box; 426 background: transparent; 427 border: 0; 428 font: inherit; 429 font-size: 100%; 430 margin: 0; 431 outline: none; 432 padding: 0; 433 text-align: right; 434 text-decoration: none; 435 vertical-align: baseline; 436 z-index: auto; 437 } 438 </style> 439 </head> 440 441 <body class="section-projects"> 442 <main class="layout-stacked"> 443 <div class="layout-stacked__header header"> 444 <header class="project__header"> 445 <div class="layout-container"> 446 <a class="brand" href="https://snyk.io" title="Snyk"> 447 <svg width="68px" 
height="35px" viewBox="0 0 68 35" version="1.1" xmlns="http://www.w3.org/2000/svg" role="img"> 448 <title>Snyk - Open Source Security</title> 449 <g stroke="none" stroke-width="1" fill="none" fill-rule="evenodd"> 450 <g fill="#fff"> 451 <path d="M5.732,27.278 C3.445,27.278 1.589,26.885 0,26.124 L0.483,22.472 C2.163,23.296 4.056,23.689 5.643,23.689 C6.801,23.689 7.563,23.295 7.563,22.599 C7.563,20.594 0.333,21.076 0.333,15.839 C0.333,12.491 3.407,10.729 7.259,10.729 C9.179,10.729 11.161,11.249 12.444,11.704 L11.924,15.294 C10.577,14.774 8.747,14.291 7.222,14.291 C6.282,14.291 5.518,14.621 5.518,15.231 C5.518,17.208 12.903,16.815 12.903,21.925 C12.903,25.325 9.877,27.277 5.733,27.277 L5.732,27.278 Z M25.726,26.936 L25.726,17.894 C25.726,15.827 24.811,14.85 23.069,14.85 C22.219,14.85 21.329,15.09 20.719,15.46 L20.719,26.936 L15.352,26.936 L15.352,11.262 L20.602,10.83 L20.474,13.392 L20.652,13.392 C21.784,11.87 23.702,10.716 25.992,10.716 C28.736,10.716 31.112,12.416 31.112,16.436 L31.112,26.936 L25.724,26.936 L25.726,26.936 Z M61.175,26.936 L56.879,19.479 L56.446,19.479 L56.446,26.935 L51.082,26.935 L51.082,8.37 L56.447,0 L56.447,17.323 C57.515,16.017 61.112,11.059 61.112,11.059 L67.732,11.059 L61.454,17.689 L67.949,26.95 L61.175,26.95 L61.175,26.938 L61.175,26.936 Z M44.13,11.11 L41.93,18.262 C41.5,19.606 41.08,22.079 41.08,22.079 C41.08,22.079 40.75,19.516 40.292,18.172 L37.94,11.108 L31.928,11.108 L38.462,26.935 C37.572,29.04 36.199,30.815 34.369,30.815 C34.039,30.815 33.709,30.802 33.389,30.765 L31.255,34.061 C31.928,34.441 33.212,34.835 34.737,34.835 C38.703,34.835 41.359,31.627 43.215,26.885 L49.443,11.108 L44.132,11.108 L44.13,11.11 Z"></path> 452 </g> 453 </g> 454 </svg> 455 </a> 456 <div class="header-wrap"> 457 <h1 class="project__header__title">Snyk test report</h1> 458 459 <p class="timestamp">October 29th 2023, 12:15:33 am (UTC+00:00)</p> 460 </div> 461 <div class="source-panel"> 462 <span>Scanned the following paths:</span> 463 <ul> 464 <li 
class="paths">quay.io/argoproj/argocd:latest/argoproj/argocd (deb)</li><li class="paths">quay.io/argoproj/argocd:latest/argoproj/argo-cd/v2 (gomodules)</li><li class="paths">quay.io/argoproj/argocd:latest (gomodules)</li><li class="paths">quay.io/argoproj/argocd:latest/helm/v3 (gomodules)</li><li class="paths">quay.io/argoproj/argocd:latest/git-lfs/git-lfs (gomodules)</li> 465 </ul> 466 </div> 467 468 <div class="meta-counts"> 469 <div class="meta-count"><span>28</span> <span>known vulnerabilities</span></div> 470 <div class="meta-count"><span>96 vulnerable dependency paths</span></div> 471 <div class="meta-count"><span>2235</span> <span>dependencies</span></div> 472 </div><!-- .meta-counts --> 473 </div><!-- .layout-container--short --> 474 </header><!-- .project__header --> 475 </div><!-- .layout-stacked__header --> 476 477 <div class="layout-container" style="padding-top: 35px;"> 478 <div class="cards--vuln filter--patch filter--ignore"> 479 <div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high"> 480 <h2 class="card__title">Denial of Service (DoS)</h2> 481 <div class="card__section"> 482 483 <div class="label label--high"> 484 <span class="label__text">high severity</span> 485 </div> 486 487 <hr/> 488 489 <ul class="card__meta"> 490 <li class="card__meta__item"> 491 Package Manager: golang 492 </li> 493 <li class="card__meta__item"> 494 Vulnerable module: 495 496 golang.org/x/net/http2 497 </li> 498 499 <li class="card__meta__item">Introduced through: 500 501 helm.sh/helm/v3@* and golang.org/x/net/http2@v0.13.0 502 503 </li> 504 </ul> 505 506 <hr/> 507 508 509 <h3 class="card__section__title">Detailed paths</h3> 510 511 <ul class="card__meta__paths"> 512 <li> 513 <span class="list-paths__item__introduced"><em>Introduced through</em>: 514 helm.sh/helm/v3@* 515 <span class="list-paths__item__arrow">›</span> 516 golang.org/x/net/http2@v0.13.0 517 518 </span> 519 520 </li> 521 </ul><!-- .list-paths --> 522 523 </div><!-- .card__section 
--> 524 525 <hr/> 526 <!-- Overview --> 527 <h2 id="overview">Overview</h2> 528 <p><a href="https://pkg.go.dev/golang.org/x/net@v0.0.0-20211209100829-84cba5454caf/http2#section-readme">golang.org/x/net/http2</a> is a work-in-progress HTTP/2 implementation for Go.</p> 529 <p>Affected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.</p> 530 <h2 id="remediation">Remediation</h2> 531 <p>Upgrade <code>golang.org/x/net/http2</code> to version 0.17.0 or higher.</p> 532 <h2 id="references">References</h2> 533 <ul> 534 <li><a href="https://github.com/helidon-io/helidon/commit/58f43670086e530750c7cb74b0bec92bf5189c79">GitHub Commit</a></li> 535 <li><a href="https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49">GitHub Commit</a></li> 536 <li><a href="https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e">GitHub Commit</a></li> 537 <li><a href="https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148">GitHub Commit</a></li> 538 <li><a href="https://github.com/gravitational/teleport/commit/15f34f927a45130408eb16ed09af5620270d4d1f">GitHub Commit</a></li> 539 <li><a href="https://github.com/kubernetes/apimachinery/commit/be9188050914374ee8128239e5a2e5998d7897f5">GitHub Commit</a></li> 540 <li><a href="https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61">GitHub Commit</a></li> 541 <li><a href="https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832">GitHub Commit</a></li> 542 <li><a href="https://github.com/operator-framework/operator-lifecycle-manager/commit/9ec03f07f942dc9cef736957fa152e39157d6e13">GitHub Commit</a></li> 543 <li><a href="https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/">Snyk Blog</a></li> 544 
<li><a href="https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/">Vulnerability Discovery</a></li> 545 <li><a href="https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack">Vulnerability Explanation</a></li> 546 <li><a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog">CISA - Known Exploited Vulnerabilities</a></li> 547 </ul> 548 549 <hr/> 550 551 <div class="cta card__cta"> 552 <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327">More about this vulnerability</a></p> 553 </div> 554 555 </div><!-- .card --> 556 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 557 <h2 class="card__title">CVE-2020-22916</h2> 558 <div class="card__section"> 559 560 <div class="label label--medium"> 561 <span class="label__text">medium severity</span> 562 </div> 563 564 <hr/> 565 566 <ul class="card__meta"> 567 <li class="card__meta__item"> 568 Package Manager: ubuntu:22.04 569 </li> 570 <li class="card__meta__item"> 571 Vulnerable module: 572 573 xz-utils/liblzma5 574 </li> 575 576 <li class="card__meta__item">Introduced through: 577 578 docker-image|quay.io/argoproj/argocd@latest and xz-utils/liblzma5@5.2.5-2ubuntu1 579 580 </li> 581 </ul> 582 583 <hr/> 584 585 586 <h3 class="card__section__title">Detailed paths</h3> 587 588 <ul class="card__meta__paths"> 589 <li> 590 <span class="list-paths__item__introduced"><em>Introduced through</em>: 591 docker-image|quay.io/argoproj/argocd@latest 592 <span class="list-paths__item__arrow">›</span> 593 xz-utils/liblzma5@5.2.5-2ubuntu1 594 595 </span> 596 597 </li> 598 </ul><!-- .list-paths --> 599 600 </div><!-- .card__section --> 601 602 <hr/> 603 <!-- Overview --> 604 <h2 id="nvd-description">NVD Description</h2> 605 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>xz-utils</code> package and not the <code>xz-utils</code> 
package as distributed by <code>Ubuntu</code>.</em> 606 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 607 <p>** DISPUTED ** An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of a crafted file. NOTE: the vendor disputes the claims of "endless output" and "denial of service" because decompression of the 17,486 bytes always results in 114,881,179 bytes, which is often a reasonable size increase.</p> 608 <h2 id="remediation">Remediation</h2> 609 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>xz-utils</code>.</p> 610 <h2 id="references">References</h2> 611 <ul> 612 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-22916">ADVISORY</a></li> 613 <li><a href="https://github.com/snappyJack/CVE-request-XZ-5.2.5-has-denial-of-service-vulnerability">cve@mitre.org</a></li> 614 <li><a href="https://tukaani.org/xz/">cve@mitre.org</a></li> 615 <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2234987">cve@mitre.org</a></li> 616 <li><a href="https://bugzilla.suse.com/show_bug.cgi?id=1214590">cve@mitre.org</a></li> 617 <li><a href="https://github.com/tukaani-project/xz/issues/61">cve@mitre.org</a></li> 618 <li><a href="https://security-tracker.debian.org/tracker/CVE-2020-22916">cve@mitre.org</a></li> 619 <li><a href="http://web.archive.org/web/20230918084612/https://github.com/snappyJack/CVE-request-XZ-5.2.5-has-denial-of-service-vulnerability">cve@mitre.org</a></li> 620 </ul> 621 622 <hr/> 623 624 <div class="cta card__cta"> 625 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-XZUTILS-5854647">More about this vulnerability</a></p> 626 </div> 627 628 </div><!-- .card --> 629 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 630 <h2 class="card__title">Out-of-bounds Write</h2> 631 <div class="card__section"> 632 633 <div class="label label--medium"> 634 <span class="label__text">medium 
severity</span> 635 </div> 636 637 <hr/> 638 639 <ul class="card__meta"> 640 <li class="card__meta__item"> 641 Package Manager: ubuntu:22.04 642 </li> 643 <li class="card__meta__item"> 644 Vulnerable module: 645 646 perl/perl-modules-5.34 647 </li> 648 649 <li class="card__meta__item">Introduced through: 650 651 652 docker-image|quay.io/argoproj/argocd@latest, git@1:2.34.1-1ubuntu1.10 and others 653 </li> 654 </ul> 655 656 <hr/> 657 658 659 <h3 class="card__section__title">Detailed paths</h3> 660 661 <ul class="card__meta__paths"> 662 <li> 663 <span class="list-paths__item__introduced"><em>Introduced through</em>: 664 docker-image|quay.io/argoproj/argocd@latest 665 <span class="list-paths__item__arrow">›</span> 666 git@1:2.34.1-1ubuntu1.10 667 <span class="list-paths__item__arrow">›</span> 668 perl@5.34.0-3ubuntu1.2 669 <span class="list-paths__item__arrow">›</span> 670 perl/perl-modules-5.34@5.34.0-3ubuntu1.2 671 672 </span> 673 674 </li> 675 <li> 676 <span class="list-paths__item__introduced"><em>Introduced through</em>: 677 docker-image|quay.io/argoproj/argocd@latest 678 <span class="list-paths__item__arrow">›</span> 679 git@1:2.34.1-1ubuntu1.10 680 <span class="list-paths__item__arrow">›</span> 681 perl@5.34.0-3ubuntu1.2 682 <span class="list-paths__item__arrow">›</span> 683 perl/libperl5.34@5.34.0-3ubuntu1.2 684 <span class="list-paths__item__arrow">›</span> 685 perl/perl-modules-5.34@5.34.0-3ubuntu1.2 686 687 </span> 688 689 </li> 690 <li> 691 <span class="list-paths__item__introduced"><em>Introduced through</em>: 692 docker-image|quay.io/argoproj/argocd@latest 693 <span class="list-paths__item__arrow">›</span> 694 git@1:2.34.1-1ubuntu1.10 695 <span class="list-paths__item__arrow">›</span> 696 perl@5.34.0-3ubuntu1.2 697 <span class="list-paths__item__arrow">›</span> 698 perl/libperl5.34@5.34.0-3ubuntu1.2 699 700 </span> 701 702 </li> 703 <li> 704 <span class="list-paths__item__introduced"><em>Introduced through</em>: 705 
docker-image|quay.io/argoproj/argocd@latest 706 <span class="list-paths__item__arrow">›</span> 707 git@1:2.34.1-1ubuntu1.10 708 <span class="list-paths__item__arrow">›</span> 709 perl@5.34.0-3ubuntu1.2 710 711 </span> 712 713 </li> 714 <li> 715 <span class="list-paths__item__introduced"><em>Introduced through</em>: 716 docker-image|quay.io/argoproj/argocd@latest 717 <span class="list-paths__item__arrow">›</span> 718 perl/perl-base@5.34.0-3ubuntu1.2 719 720 </span> 721 722 </li> 723 </ul><!-- .list-paths --> 724 725 </div><!-- .card__section --> 726 727 <hr/> 728 <!-- Overview --> 729 <h2 id="nvd-description">NVD Description</h2> 730 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>perl</code> package and not the <code>perl</code> package as distributed by <code>Ubuntu</code>.</em> 731 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 732 <p>In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation.</p> 733 <h2 id="remediation">Remediation</h2> 734 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>perl</code>.</p> 735 <h2 id="references">References</h2> 736 <ul> 737 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-48522">ADVISORY</a></li> 738 <li><a href="https://github.com/Perl/perl5/blob/79a7b254d85a10b65126ad99bf10e70480569d68/sv.c#L16336-L16345">cve@mitre.org</a></li> 739 <li><a href="https://security.netapp.com/advisory/ntap-20230915-0008/">cve@mitre.org</a></li> 740 </ul> 741 742 <hr/> 743 744 <div class="cta card__cta"> 745 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-PERL-5854824">More about this vulnerability</a></p> 746 </div> 747 748 </div><!-- .card --> 749 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 750 <h2 class="card__title">Access of Uninitialized Pointer</h2> 751 
<div class="card__section"> 752 753 <div class="label label--medium"> 754 <span class="label__text">medium severity</span> 755 </div> 756 757 <hr/> 758 759 <ul class="card__meta"> 760 <li class="card__meta__item"> 761 Package Manager: ubuntu:22.04 762 </li> 763 <li class="card__meta__item"> 764 Vulnerable module: 765 766 krb5/libk5crypto3 767 </li> 768 769 <li class="card__meta__item">Introduced through: 770 771 docker-image|quay.io/argoproj/argocd@latest and krb5/libk5crypto3@1.19.2-2ubuntu0.2 772 773 </li> 774 </ul> 775 776 <hr/> 777 778 779 <h3 class="card__section__title">Detailed paths</h3> 780 781 <ul class="card__meta__paths"> 782 <li> 783 <span class="list-paths__item__introduced"><em>Introduced through</em>: 784 docker-image|quay.io/argoproj/argocd@latest 785 <span class="list-paths__item__arrow">›</span> 786 krb5/libk5crypto3@1.19.2-2ubuntu0.2 787 788 </span> 789 790 </li> 791 <li> 792 <span class="list-paths__item__introduced"><em>Introduced through</em>: 793 docker-image|quay.io/argoproj/argocd@latest 794 <span class="list-paths__item__arrow">›</span> 795 adduser@3.118ubuntu5 796 <span class="list-paths__item__arrow">›</span> 797 shadow/passwd@1:4.8.1-2ubuntu2.1 798 <span class="list-paths__item__arrow">›</span> 799 pam/libpam-modules@1.4.0-11ubuntu2.3 800 <span class="list-paths__item__arrow">›</span> 801 libnsl/libnsl2@1.3.0-2build2 802 <span class="list-paths__item__arrow">›</span> 803 libtirpc/libtirpc3@1.3.2-2ubuntu0.1 804 <span class="list-paths__item__arrow">›</span> 805 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 806 <span class="list-paths__item__arrow">›</span> 807 krb5/libk5crypto3@1.19.2-2ubuntu0.2 808 809 </span> 810 811 </li> 812 <li> 813 <span class="list-paths__item__introduced"><em>Introduced through</em>: 814 docker-image|quay.io/argoproj/argocd@latest 815 <span class="list-paths__item__arrow">›</span> 816 adduser@3.118ubuntu5 817 <span class="list-paths__item__arrow">›</span> 818 shadow/passwd@1:4.8.1-2ubuntu2.1 819 <span 
class="list-paths__item__arrow">›</span> 820 pam/libpam-modules@1.4.0-11ubuntu2.3 821 <span class="list-paths__item__arrow">›</span> 822 libnsl/libnsl2@1.3.0-2build2 823 <span class="list-paths__item__arrow">›</span> 824 libtirpc/libtirpc3@1.3.2-2ubuntu0.1 825 <span class="list-paths__item__arrow">›</span> 826 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 827 <span class="list-paths__item__arrow">›</span> 828 krb5/libkrb5-3@1.19.2-2ubuntu0.2 829 <span class="list-paths__item__arrow">›</span> 830 krb5/libk5crypto3@1.19.2-2ubuntu0.2 831 832 </span> 833 834 </li> 835 <li> 836 <span class="list-paths__item__introduced"><em>Introduced through</em>: 837 docker-image|quay.io/argoproj/argocd@latest 838 <span class="list-paths__item__arrow">›</span> 839 krb5/libkrb5-3@1.19.2-2ubuntu0.2 840 841 </span> 842 843 </li> 844 <li> 845 <span class="list-paths__item__introduced"><em>Introduced through</em>: 846 docker-image|quay.io/argoproj/argocd@latest 847 <span class="list-paths__item__arrow">›</span> 848 adduser@3.118ubuntu5 849 <span class="list-paths__item__arrow">›</span> 850 shadow/passwd@1:4.8.1-2ubuntu2.1 851 <span class="list-paths__item__arrow">›</span> 852 pam/libpam-modules@1.4.0-11ubuntu2.3 853 <span class="list-paths__item__arrow">›</span> 854 libnsl/libnsl2@1.3.0-2build2 855 <span class="list-paths__item__arrow">›</span> 856 libtirpc/libtirpc3@1.3.2-2ubuntu0.1 857 <span class="list-paths__item__arrow">›</span> 858 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 859 <span class="list-paths__item__arrow">›</span> 860 krb5/libkrb5-3@1.19.2-2ubuntu0.2 861 862 </span> 863 864 </li> 865 <li> 866 <span class="list-paths__item__introduced"><em>Introduced through</em>: 867 docker-image|quay.io/argoproj/argocd@latest 868 <span class="list-paths__item__arrow">›</span> 869 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 870 871 </span> 872 873 </li> 874 <li> 875 <span class="list-paths__item__introduced"><em>Introduced through</em>: 876 docker-image|quay.io/argoproj/argocd@latest 877 <span 
class="list-paths__item__arrow">›</span> 878 openssh/openssh-client@1:8.9p1-3ubuntu0.4 879 <span class="list-paths__item__arrow">›</span> 880 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 881 882 </span> 883 884 </li> 885 <li> 886 <span class="list-paths__item__introduced"><em>Introduced through</em>: 887 docker-image|quay.io/argoproj/argocd@latest 888 <span class="list-paths__item__arrow">›</span> 889 git@1:2.34.1-1ubuntu1.10 890 <span class="list-paths__item__arrow">›</span> 891 curl/libcurl3-gnutls@7.81.0-1ubuntu1.14 892 <span class="list-paths__item__arrow">›</span> 893 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 894 895 </span> 896 897 </li> 898 <li> 899 <span class="list-paths__item__introduced"><em>Introduced through</em>: 900 docker-image|quay.io/argoproj/argocd@latest 901 <span class="list-paths__item__arrow">›</span> 902 git@1:2.34.1-1ubuntu1.10 903 <span class="list-paths__item__arrow">›</span> 904 curl/libcurl3-gnutls@7.81.0-1ubuntu1.14 905 <span class="list-paths__item__arrow">›</span> 906 libssh/libssh-4@0.9.6-2ubuntu0.22.04.1 907 <span class="list-paths__item__arrow">›</span> 908 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 909 910 </span> 911 912 </li> 913 <li> 914 <span class="list-paths__item__introduced"><em>Introduced through</em>: 915 docker-image|quay.io/argoproj/argocd@latest 916 <span class="list-paths__item__arrow">›</span> 917 adduser@3.118ubuntu5 918 <span class="list-paths__item__arrow">›</span> 919 shadow/passwd@1:4.8.1-2ubuntu2.1 920 <span class="list-paths__item__arrow">›</span> 921 pam/libpam-modules@1.4.0-11ubuntu2.3 922 <span class="list-paths__item__arrow">›</span> 923 libnsl/libnsl2@1.3.0-2build2 924 <span class="list-paths__item__arrow">›</span> 925 libtirpc/libtirpc3@1.3.2-2ubuntu0.1 926 <span class="list-paths__item__arrow">›</span> 927 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 928 929 </span> 930 931 </li> 932 <li> 933 <span class="list-paths__item__introduced"><em>Introduced through</em>: 934 docker-image|quay.io/argoproj/argocd@latest 935 
<span class="list-paths__item__arrow">›</span> 936 krb5/libkrb5support0@1.19.2-2ubuntu0.2 937 938 </span> 939 940 </li> 941 </ul><!-- .list-paths --> 942 943 </div><!-- .card__section --> 944 945 <hr/> 946 <!-- Overview --> 947 <h2 id="nvd-description">NVD Description</h2> 948 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>krb5</code> package and not the <code>krb5</code> package as distributed by <code>Ubuntu</code>.</em> 949 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 950 <p>lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.</p> 951 <h2 id="remediation">Remediation</h2> 952 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>krb5</code>.</p> 953 <h2 id="references">References</h2> 954 <ul> 955 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-36054">ADVISORY</a></li> 956 <li><a href="https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd">cve@mitre.org</a></li> 957 <li><a href="https://github.com/krb5/krb5/compare/krb5-1.20.1-final...krb5-1.20.2-final">cve@mitre.org</a></li> 958 <li><a href="https://github.com/krb5/krb5/compare/krb5-1.21-final...krb5-1.21.1-final">cve@mitre.org</a></li> 959 <li><a href="https://web.mit.edu/kerberos/www/advisories/">cve@mitre.org</a></li> 960 <li><a href="https://security.netapp.com/advisory/ntap-20230908-0004/">cve@mitre.org</a></li> 961 <li><a href="https://lists.debian.org/debian-lts-announce/2023/10/msg00031.html">cve@mitre.org</a></li> 962 </ul> 963 964 <hr/> 965 966 <div class="cta card__cta"> 967 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-KRB5-5838335">More about this 
vulnerability</a></p> 968 </div> 969 970 </div><!-- .card --> 971 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 972 <h2 class="card__title">LGPL-3.0 license</h2> 973 <div class="card__section"> 974 975 <div class="label label--medium"> 976 <span class="label__text">medium severity</span> 977 </div> 978 979 <hr/> 980 981 <ul class="card__meta"> 982 <li class="card__meta__item"> 983 Package Manager: golang 984 </li> 985 <li class="card__meta__item"> 986 Module: 987 988 gopkg.in/retry.v1 989 </li> 990 991 <li class="card__meta__item">Introduced through: 992 993 github.com/argoproj/argo-cd/v2@* and gopkg.in/retry.v1@v1.0.3 994 995 </li> 996 </ul> 997 998 <hr/> 999 1000 1001 <h3 class="card__section__title">Detailed paths</h3> 1002 1003 <ul class="card__meta__paths"> 1004 <li> 1005 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1006 github.com/argoproj/argo-cd/v2@* 1007 <span class="list-paths__item__arrow">›</span> 1008 gopkg.in/retry.v1@v1.0.3 1009 1010 </span> 1011 1012 </li> 1013 </ul><!-- .list-paths --> 1014 1015 </div><!-- .card__section --> 1016 1017 <hr/> 1018 <!-- Overview --> 1019 <p>LGPL-3.0 license</p> 1020 1021 <hr/> 1022 1023 <div class="cta card__cta"> 1024 <p><a href="https://snyk.io/vuln/snyk:lic:golang:gopkg.in:retry.v1:LGPL-3.0">More about this vulnerability</a></p> 1025 </div> 1026 1027 </div><!-- .card --> 1028 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1029 <h2 class="card__title">Memory Leak</h2> 1030 <div class="card__section"> 1031 1032 <div class="label label--medium"> 1033 <span class="label__text">medium severity</span> 1034 </div> 1035 1036 <hr/> 1037 1038 <ul class="card__meta"> 1039 <li class="card__meta__item"> 1040 Package Manager: ubuntu:22.04 1041 </li> 1042 <li class="card__meta__item"> 1043 Vulnerable module: 1044 1045 glibc/libc-bin 1046 </li> 1047 1048 <li class="card__meta__item">Introduced through: 1049 1050 
docker-image|quay.io/argoproj/argocd@latest and glibc/libc-bin@2.35-0ubuntu3.4 1051 1052 </li> 1053 </ul> 1054 1055 <hr/> 1056 1057 1058 <h3 class="card__section__title">Detailed paths</h3> 1059 1060 <ul class="card__meta__paths"> 1061 <li> 1062 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1063 docker-image|quay.io/argoproj/argocd@latest 1064 <span class="list-paths__item__arrow">›</span> 1065 glibc/libc-bin@2.35-0ubuntu3.4 1066 1067 </span> 1068 1069 </li> 1070 <li> 1071 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1072 docker-image|quay.io/argoproj/argocd@latest 1073 <span class="list-paths__item__arrow">›</span> 1074 glibc/libc6@2.35-0ubuntu3.4 1075 1076 </span> 1077 1078 </li> 1079 </ul><!-- .list-paths --> 1080 1081 </div><!-- .card__section --> 1082 1083 <hr/> 1084 <!-- Overview --> 1085 <h2 id="nvd-description">NVD Description</h2> 1086 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>glibc</code> package and not the <code>glibc</code> package as distributed by <code>Ubuntu</code>.</em> 1087 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 1088 <p>A flaw was found in the GNU C Library. 
A recent fix for CVE-2023-4806 introduced the potential for a memory leak, which may result in an application crash.</p> 1089 <h2 id="remediation">Remediation</h2> 1090 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>glibc</code>.</p> 1091 <h2 id="references">References</h2> 1092 <ul> 1093 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-5156">ADVISORY</a></li> 1094 <li><a href="https://access.redhat.com/security/cve/CVE-2023-5156">secalert@redhat.com</a></li> 1095 <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2240541">secalert@redhat.com</a></li> 1096 <li><a href="https://sourceware.org/bugzilla/show_bug.cgi?id=30884">secalert@redhat.com</a></li> 1097 <li><a href="https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=ec6b95c3303c700eb89eebeda2d7264cc184a796">secalert@redhat.com</a></li> 1098 <li><a href="http://www.openwall.com/lists/oss-security/2023/10/03/4">secalert@redhat.com</a></li> 1099 <li><a href="http://www.openwall.com/lists/oss-security/2023/10/03/5">secalert@redhat.com</a></li> 1100 <li><a href="http://www.openwall.com/lists/oss-security/2023/10/03/6">secalert@redhat.com</a></li> 1101 <li><a href="http://www.openwall.com/lists/oss-security/2023/10/03/8">secalert@redhat.com</a></li> 1102 </ul> 1103 1104 <hr/> 1105 1106 <div class="cta card__cta"> 1107 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-GLIBC-5919741">More about this vulnerability</a></p> 1108 </div> 1109 1110 </div><!-- .card --> 1111 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1112 <h2 class="card__title">MPL-2.0 license</h2> 1113 <div class="card__section"> 1114 1115 <div class="label label--medium"> 1116 <span class="label__text">medium severity</span> 1117 </div> 1118 1119 <hr/> 1120 1121 <ul class="card__meta"> 1122 <li class="card__meta__item"> 1123 Package Manager: golang 1124 </li> 1125 <li class="card__meta__item"> 1126 Module: 1127 1128 github.com/r3labs/diff 1129 </li> 1130 1131 <li 
class="card__meta__item">Introduced through: 1132 1133 github.com/argoproj/argo-cd/v2@* and github.com/r3labs/diff@v1.1.0 1134 1135 </li> 1136 </ul> 1137 1138 <hr/> 1139 1140 1141 <h3 class="card__section__title">Detailed paths</h3> 1142 1143 <ul class="card__meta__paths"> 1144 <li> 1145 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1146 github.com/argoproj/argo-cd/v2@* 1147 <span class="list-paths__item__arrow">›</span> 1148 github.com/r3labs/diff@v1.1.0 1149 1150 </span> 1151 1152 </li> 1153 </ul><!-- .list-paths --> 1154 1155 </div><!-- .card__section --> 1156 1157 <hr/> 1158 <!-- Overview --> 1159 <p>MPL-2.0 license</p> 1160 1161 <hr/> 1162 1163 <div class="cta card__cta"> 1164 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:r3labs:diff:MPL-2.0">More about this vulnerability</a></p> 1165 </div> 1166 1167 </div><!-- .card --> 1168 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1169 <h2 class="card__title">MPL-2.0 license</h2> 1170 <div class="card__section"> 1171 1172 <div class="label label--medium"> 1173 <span class="label__text">medium severity</span> 1174 </div> 1175 1176 <hr/> 1177 1178 <ul class="card__meta"> 1179 <li class="card__meta__item"> 1180 Package Manager: golang 1181 </li> 1182 <li class="card__meta__item"> 1183 Module: 1184 1185 github.com/hashicorp/go-version 1186 </li> 1187 1188 <li class="card__meta__item">Introduced through: 1189 1190 github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-version@v1.2.1 1191 1192 </li> 1193 </ul> 1194 1195 <hr/> 1196 1197 1198 <h3 class="card__section__title">Detailed paths</h3> 1199 1200 <ul class="card__meta__paths"> 1201 <li> 1202 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1203 github.com/argoproj/argo-cd/v2@* 1204 <span class="list-paths__item__arrow">›</span> 1205 github.com/hashicorp/go-version@v1.2.1 1206 1207 </span> 1208 1209 </li> 1210 </ul><!-- .list-paths --> 1211 1212 </div><!-- 
.card__section --> 1213 1214 <hr/> 1215 <!-- Overview --> 1216 <p>MPL-2.0 license</p> 1217 1218 <hr/> 1219 1220 <div class="cta card__cta"> 1221 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-version:MPL-2.0">More about this vulnerability</a></p> 1222 </div> 1223 1224 </div><!-- .card --> 1225 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1226 <h2 class="card__title">MPL-2.0 license</h2> 1227 <div class="card__section"> 1228 1229 <div class="label label--medium"> 1230 <span class="label__text">medium severity</span> 1231 </div> 1232 1233 <hr/> 1234 1235 <ul class="card__meta"> 1236 <li class="card__meta__item"> 1237 Package Manager: golang 1238 </li> 1239 <li class="card__meta__item"> 1240 Module: 1241 1242 github.com/hashicorp/go-retryablehttp 1243 </li> 1244 1245 <li class="card__meta__item">Introduced through: 1246 1247 github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-retryablehttp@v0.7.4 1248 1249 </li> 1250 </ul> 1251 1252 <hr/> 1253 1254 1255 <h3 class="card__section__title">Detailed paths</h3> 1256 1257 <ul class="card__meta__paths"> 1258 <li> 1259 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1260 github.com/argoproj/argo-cd/v2@* 1261 <span class="list-paths__item__arrow">›</span> 1262 github.com/hashicorp/go-retryablehttp@v0.7.4 1263 1264 </span> 1265 1266 </li> 1267 </ul><!-- .list-paths --> 1268 1269 </div><!-- .card__section --> 1270 1271 <hr/> 1272 <!-- Overview --> 1273 <p>MPL-2.0 license</p> 1274 1275 <hr/> 1276 1277 <div class="cta card__cta"> 1278 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-retryablehttp:MPL-2.0">More about this vulnerability</a></p> 1279 </div> 1280 1281 </div><!-- .card --> 1282 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1283 <h2 class="card__title">MPL-2.0 license</h2> 1284 <div class="card__section"> 1285 1286 <div class="label label--medium"> 
1287 <span class="label__text">medium severity</span> 1288 </div> 1289 1290 <hr/> 1291 1292 <ul class="card__meta"> 1293 <li class="card__meta__item"> 1294 Package Manager: golang 1295 </li> 1296 <li class="card__meta__item"> 1297 Module: 1298 1299 github.com/hashicorp/go-multierror 1300 </li> 1301 1302 <li class="card__meta__item">Introduced through: 1303 1304 helm.sh/helm/v3@* and github.com/hashicorp/go-multierror@v1.1.1 1305 1306 </li> 1307 </ul> 1308 1309 <hr/> 1310 1311 1312 <h3 class="card__section__title">Detailed paths</h3> 1313 1314 <ul class="card__meta__paths"> 1315 <li> 1316 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1317 helm.sh/helm/v3@* 1318 <span class="list-paths__item__arrow">›</span> 1319 github.com/hashicorp/go-multierror@v1.1.1 1320 1321 </span> 1322 1323 </li> 1324 </ul><!-- .list-paths --> 1325 1326 </div><!-- .card__section --> 1327 1328 <hr/> 1329 <!-- Overview --> 1330 <p>MPL-2.0 license</p> 1331 1332 <hr/> 1333 1334 <div class="cta card__cta"> 1335 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-multierror:MPL-2.0">More about this vulnerability</a></p> 1336 </div> 1337 1338 </div><!-- .card --> 1339 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1340 <h2 class="card__title">MPL-2.0 license</h2> 1341 <div class="card__section"> 1342 1343 <div class="label label--medium"> 1344 <span class="label__text">medium severity</span> 1345 </div> 1346 1347 <hr/> 1348 1349 <ul class="card__meta"> 1350 <li class="card__meta__item"> 1351 Package Manager: golang 1352 </li> 1353 <li class="card__meta__item"> 1354 Module: 1355 1356 github.com/hashicorp/go-cleanhttp 1357 </li> 1358 1359 <li class="card__meta__item">Introduced through: 1360 1361 github.com/argoproj/argo-cd/v2@* and github.com/hashicorp/go-cleanhttp@v0.5.2 1362 1363 </li> 1364 </ul> 1365 1366 <hr/> 1367 1368 1369 <h3 class="card__section__title">Detailed paths</h3> 1370 1371 <ul 
class="card__meta__paths"> 1372 <li> 1373 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1374 github.com/argoproj/argo-cd/v2@* 1375 <span class="list-paths__item__arrow">›</span> 1376 github.com/hashicorp/go-cleanhttp@v0.5.2 1377 1378 </span> 1379 1380 </li> 1381 </ul><!-- .list-paths --> 1382 1383 </div><!-- .card__section --> 1384 1385 <hr/> 1386 <!-- Overview --> 1387 <p>MPL-2.0 license</p> 1388 1389 <hr/> 1390 1391 <div class="cta card__cta"> 1392 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-cleanhttp:MPL-2.0">More about this vulnerability</a></p> 1393 </div> 1394 1395 </div><!-- .card --> 1396 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1397 <h2 class="card__title">MPL-2.0 license</h2> 1398 <div class="card__section"> 1399 1400 <div class="label label--medium"> 1401 <span class="label__text">medium severity</span> 1402 </div> 1403 1404 <hr/> 1405 1406 <ul class="card__meta"> 1407 <li class="card__meta__item"> 1408 Package Manager: golang 1409 </li> 1410 <li class="card__meta__item"> 1411 Module: 1412 1413 github.com/gosimple/slug 1414 </li> 1415 1416 <li class="card__meta__item">Introduced through: 1417 1418 github.com/argoproj/argo-cd/v2@* and github.com/gosimple/slug@v1.13.1 1419 1420 </li> 1421 </ul> 1422 1423 <hr/> 1424 1425 1426 <h3 class="card__section__title">Detailed paths</h3> 1427 1428 <ul class="card__meta__paths"> 1429 <li> 1430 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1431 github.com/argoproj/argo-cd/v2@* 1432 <span class="list-paths__item__arrow">›</span> 1433 github.com/gosimple/slug@v1.13.1 1434 1435 </span> 1436 1437 </li> 1438 </ul><!-- .list-paths --> 1439 1440 </div><!-- .card__section --> 1441 1442 <hr/> 1443 <!-- Overview --> 1444 <p>MPL-2.0 license</p> 1445 1446 <hr/> 1447 1448 <div class="cta card__cta"> 1449 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:gosimple:slug:MPL-2.0">More about this 
vulnerability</a></p> 1450 </div> 1451 1452 </div><!-- .card --> 1453 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 1454 <h2 class="card__title">CVE-2022-46908</h2> 1455 <div class="card__section"> 1456 1457 <div class="label label--low"> 1458 <span class="label__text">low severity</span> 1459 </div> 1460 1461 <hr/> 1462 1463 <ul class="card__meta"> 1464 <li class="card__meta__item"> 1465 Package Manager: ubuntu:22.04 1466 </li> 1467 <li class="card__meta__item"> 1468 Vulnerable module: 1469 1470 sqlite3/libsqlite3-0 1471 </li> 1472 1473 <li class="card__meta__item">Introduced through: 1474 1475 1476 docker-image|quay.io/argoproj/argocd@latest, gnupg2/gpg@2.2.27-3ubuntu2.1 and others 1477 </li> 1478 </ul> 1479 1480 <hr/> 1481 1482 1483 <h3 class="card__section__title">Detailed paths</h3> 1484 1485 <ul class="card__meta__paths"> 1486 <li> 1487 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1488 docker-image|quay.io/argoproj/argocd@latest 1489 <span class="list-paths__item__arrow">›</span> 1490 gnupg2/gpg@2.2.27-3ubuntu2.1 1491 <span class="list-paths__item__arrow">›</span> 1492 sqlite3/libsqlite3-0@3.37.2-2ubuntu0.1 1493 1494 </span> 1495 1496 </li> 1497 </ul><!-- .list-paths --> 1498 1499 </div><!-- .card__section --> 1500 1501 <hr/> 1502 <!-- Overview --> 1503 <h2 id="nvd-description">NVD Description</h2> 1504 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>sqlite3</code> package and not the <code>sqlite3</code> package as distributed by <code>Ubuntu:22.04</code>.</em> 1505 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 1506 <p>SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions such as WRITEFILE.</p> 1507 <h2 
id="remediation">Remediation</h2> 1508 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>sqlite3</code>.</p> 1509 <h2 id="references">References</h2> 1510 <ul> 1511 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-46908">ADVISORY</a></li> 1512 <li><a href="https://sqlite.org/src/info/cefc032473ac5ad2">cve@mitre.org</a></li> 1513 <li><a href="https://sqlite.org/forum/forumpost/07beac8056151b2f">cve@mitre.org</a></li> 1514 <li><a href="https://news.ycombinator.com/item?id=33948588">cve@mitre.org</a></li> 1515 <li><a href="https://security.netapp.com/advisory/ntap-20230203-0005/">cve@mitre.org</a></li> 1516 </ul> 1517 1518 <hr/> 1519 1520 <div class="cta card__cta"> 1521 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-SQLITE3-3167716">More about this vulnerability</a></p> 1522 </div> 1523 1524 </div><!-- .card --> 1525 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 1526 <h2 class="card__title">Arbitrary Code Injection</h2> 1527 <div class="card__section"> 1528 1529 <div class="label label--low"> 1530 <span class="label__text">low severity</span> 1531 </div> 1532 1533 <hr/> 1534 1535 <ul class="card__meta"> 1536 <li class="card__meta__item"> 1537 Package Manager: ubuntu:22.04 1538 </li> 1539 <li class="card__meta__item"> 1540 Vulnerable module: 1541 1542 shadow/passwd 1543 </li> 1544 1545 <li class="card__meta__item">Introduced through: 1546 1547 docker-image|quay.io/argoproj/argocd@latest and shadow/passwd@1:4.8.1-2ubuntu2.1 1548 1549 </li> 1550 </ul> 1551 1552 <hr/> 1553 1554 1555 <h3 class="card__section__title">Detailed paths</h3> 1556 1557 <ul class="card__meta__paths"> 1558 <li> 1559 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1560 docker-image|quay.io/argoproj/argocd@latest 1561 <span class="list-paths__item__arrow">›</span> 1562 shadow/passwd@1:4.8.1-2ubuntu2.1 1563 1564 </span> 1565 1566 </li> 1567 <li> 1568 <span 
class="list-paths__item__introduced"><em>Introduced through</em>: 1569 docker-image|quay.io/argoproj/argocd@latest 1570 <span class="list-paths__item__arrow">›</span> 1571 adduser@3.118ubuntu5 1572 <span class="list-paths__item__arrow">›</span> 1573 shadow/passwd@1:4.8.1-2ubuntu2.1 1574 1575 </span> 1576 1577 </li> 1578 <li> 1579 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1580 docker-image|quay.io/argoproj/argocd@latest 1581 <span class="list-paths__item__arrow">›</span> 1582 openssh/openssh-client@1:8.9p1-3ubuntu0.4 1583 <span class="list-paths__item__arrow">›</span> 1584 shadow/passwd@1:4.8.1-2ubuntu2.1 1585 1586 </span> 1587 1588 </li> 1589 <li> 1590 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1591 docker-image|quay.io/argoproj/argocd@latest 1592 <span class="list-paths__item__arrow">›</span> 1593 shadow/login@1:4.8.1-2ubuntu2.1 1594 1595 </span> 1596 1597 </li> 1598 </ul><!-- .list-paths --> 1599 1600 </div><!-- .card__section --> 1601 1602 <hr/> 1603 <!-- Overview --> 1604 <h2 id="nvd-description">NVD Description</h2> 1605 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>shadow</code> package and not the <code>shadow</code> package as distributed by <code>Ubuntu:22.04</code>.</em> 1606 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 1607 <p>In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. 
In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.</p> 1608 <h2 id="remediation">Remediation</h2> 1609 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>shadow</code>.</p> 1610 <h2 id="references">References</h2> 1611 <ul> 1612 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-29383">ADVISORY</a></li> 1613 <li><a href="https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d">cve@mitre.org</a></li> 1614 <li><a href="https://github.com/shadow-maint/shadow/pull/687">cve@mitre.org</a></li> 1615 <li><a href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/">cve@mitre.org</a></li> 1616 <li><a href="https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797">cve@mitre.org</a></li> 1617 </ul> 1618 1619 <hr/> 1620 1621 <div class="cta card__cta"> 1622 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-SHADOW-5425688">More about this vulnerability</a></p> 1623 </div> 1624 1625 </div><!-- .card --> 1626 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 1627 <h2 class="card__title">Out-of-bounds Write</h2> 1628 <div class="card__section"> 1629 1630 <div class="label label--low"> 1631 <span class="label__text">low severity</span> 1632 </div> 1633 1634 <hr/> 1635 1636 <ul class="card__meta"> 1637 <li class="card__meta__item"> 1638 Package Manager: ubuntu:22.04 1639 </li> 1640 <li class="card__meta__item"> 1641 Vulnerable module: 1642 1643 procps/libprocps8 1644 </li> 1645 1646 <li class="card__meta__item">Introduced through: 1647 1648 docker-image|quay.io/argoproj/argocd@latest and procps/libprocps8@2:3.3.17-6ubuntu2 1649 1650 </li> 1651 </ul> 1652 1653 <hr/> 1654 1655 1656 <h3 
class="card__section__title">Detailed paths</h3> 1657 1658 <ul class="card__meta__paths"> 1659 <li> 1660 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1661 docker-image|quay.io/argoproj/argocd@latest 1662 <span class="list-paths__item__arrow">›</span> 1663 procps/libprocps8@2:3.3.17-6ubuntu2 1664 1665 </span> 1666 1667 </li> 1668 <li> 1669 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1670 docker-image|quay.io/argoproj/argocd@latest 1671 <span class="list-paths__item__arrow">›</span> 1672 procps@2:3.3.17-6ubuntu2 1673 <span class="list-paths__item__arrow">›</span> 1674 procps/libprocps8@2:3.3.17-6ubuntu2 1675 1676 </span> 1677 1678 </li> 1679 <li> 1680 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1681 docker-image|quay.io/argoproj/argocd@latest 1682 <span class="list-paths__item__arrow">›</span> 1683 procps@2:3.3.17-6ubuntu2 1684 1685 </span> 1686 1687 </li> 1688 </ul><!-- .list-paths --> 1689 1690 </div><!-- .card__section --> 1691 1692 <hr/> 1693 <!-- Overview --> 1694 <h2 id="nvd-description">NVD Description</h2> 1695 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>procps</code> package and not the <code>procps</code> package as distributed by <code>Ubuntu</code>.</em> 1696 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 1697 <p>Under some circumstances, this weakness allows a user who has access to run the “ps” utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.</p> 1698 <h2 id="remediation">Remediation</h2> 1699 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>procps</code>.</p> 1700 <h2 id="references">References</h2> 1701 <ul> 1702 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-4016">ADVISORY</a></li> 1703 <li><a 
href="https://gitlab.com/procps-ng/procps">trellixpsirt@trellix.com</a></li> 1704 <li><a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SUETRRT24OFGPYK6ACPM5VUGHNKH5CQ5/">trellixpsirt@trellix.com</a></li> 1705 </ul> 1706 1707 <hr/> 1708 1709 <div class="cta card__cta"> 1710 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-PROCPS-5816665">More about this vulnerability</a></p> 1711 </div> 1712 1713 </div><!-- .card --> 1714 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 1715 <h2 class="card__title">Uncontrolled Recursion</h2> 1716 <div class="card__section"> 1717 1718 <div class="label label--low"> 1719 <span class="label__text">low severity</span> 1720 </div> 1721 1722 <hr/> 1723 1724 <ul class="card__meta"> 1725 <li class="card__meta__item"> 1726 Package Manager: ubuntu:22.04 1727 </li> 1728 <li class="card__meta__item"> 1729 Vulnerable module: 1730 1731 pcre3/libpcre3 1732 </li> 1733 1734 <li class="card__meta__item">Introduced through: 1735 1736 docker-image|quay.io/argoproj/argocd@latest and pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1 1737 1738 </li> 1739 </ul> 1740 1741 <hr/> 1742 1743 1744 <h3 class="card__section__title">Detailed paths</h3> 1745 1746 <ul class="card__meta__paths"> 1747 <li> 1748 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1749 docker-image|quay.io/argoproj/argocd@latest 1750 <span class="list-paths__item__arrow">›</span> 1751 pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1 1752 1753 </span> 1754 1755 </li> 1756 <li> 1757 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1758 docker-image|quay.io/argoproj/argocd@latest 1759 <span class="list-paths__item__arrow">›</span> 1760 grep@3.7-1build1 1761 <span class="list-paths__item__arrow">›</span> 1762 pcre3/libpcre3@2:8.39-13ubuntu0.22.04.1 1763 1764 </span> 1765 1766 </li> 1767 </ul><!-- .list-paths --> 1768 1769 </div><!-- .card__section --> 1770 1771 <hr/> 1772 <!-- 
Overview --> 1773 <h2 id="nvd-description">NVD Description</h2> 1774 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>pcre3</code> package and not the <code>pcre3</code> package as distributed by <code>Ubuntu:22.04</code>.</em> 1775 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 1776 <p>In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.</p> 1777 <h2 id="remediation">Remediation</h2> 1778 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>pcre3</code>.</p> 1779 <h2 id="references">References</h2> 1780 <ul> 1781 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-11164">ADVISORY</a></li> 1782 <li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11164">CVE Details</a></li> 1783 <li><a href="https://security-tracker.debian.org/tracker/CVE-2017-11164">Debian Security Tracker</a></li> 1784 <li><a href="https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E">MLIST</a></li> 1785 <li><a href="http://openwall.com/lists/oss-security/2017/07/11/3">OSS security Advisory</a></li> 1786 <li><a href="http://www.securityfocus.com/bid/99575">Security Focus</a></li> 1787 <li><a href="http://www.openwall.com/lists/oss-security/2023/04/11/1">cve@mitre.org</a></li> 1788 <li><a href="http://www.openwall.com/lists/oss-security/2023/04/12/1">cve@mitre.org</a></li> 1789 </ul> 1790 1791 <hr/> 1792 1793 <div class="cta card__cta"> 1794 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-PCRE3-2799820">More about this vulnerability</a></p> 1795 </div> 1796 1797 </div><!-- .card --> 1798 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 1799 <h2 class="card__title">Release of Invalid Pointer or Reference</h2> 1800 <div 
class="card__section"> 1801 1802 <div class="label label--low"> 1803 <span class="label__text">low severity</span> 1804 </div> 1805 1806 <hr/> 1807 1808 <ul class="card__meta"> 1809 <li class="card__meta__item"> 1810 Package Manager: ubuntu:22.04 1811 </li> 1812 <li class="card__meta__item"> 1813 Vulnerable module: 1814 1815 patch 1816 </li> 1817 1818 <li class="card__meta__item">Introduced through: 1819 1820 docker-image|quay.io/argoproj/argocd@latest and patch@2.7.6-7build2 1821 1822 </li> 1823 </ul> 1824 1825 <hr/> 1826 1827 1828 <h3 class="card__section__title">Detailed paths</h3> 1829 1830 <ul class="card__meta__paths"> 1831 <li> 1832 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1833 docker-image|quay.io/argoproj/argocd@latest 1834 <span class="list-paths__item__arrow">›</span> 1835 patch@2.7.6-7build2 1836 1837 </span> 1838 1839 </li> 1840 </ul><!-- .list-paths --> 1841 1842 </div><!-- .card__section --> 1843 1844 <hr/> 1845 <!-- Overview --> 1846 <h2 id="nvd-description">NVD Description</h2> 1847 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>patch</code> package and not the <code>patch</code> package as distributed by <code>Ubuntu:22.04</code>.</em> 1848 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 1849 <p>An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.</p> 1850 <h2 id="remediation">Remediation</h2> 1851 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>patch</code>.</p> 1852 <h2 id="references">References</h2> 1853 <ul> 1854 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-45261">ADVISORY</a></li> 1855 <li><a href="https://savannah.gnu.org/bugs/?61685">MISC</a></li> 1856 </ul> 1857 1858 <hr/> 1859 1860 <div class="cta card__cta"> 1861 <p><a 
href="https://snyk.io/vuln/SNYK-UBUNTU2204-PATCH-2780071">More about this vulnerability</a></p> 1862 </div> 1863 1864 </div><!-- .card --> 1865 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 1866 <h2 class="card__title">Double Free</h2> 1867 <div class="card__section"> 1868 1869 <div class="label label--low"> 1870 <span class="label__text">low severity</span> 1871 </div> 1872 1873 <hr/> 1874 1875 <ul class="card__meta"> 1876 <li class="card__meta__item"> 1877 Package Manager: ubuntu:22.04 1878 </li> 1879 <li class="card__meta__item"> 1880 Vulnerable module: 1881 1882 patch 1883 </li> 1884 1885 <li class="card__meta__item">Introduced through: 1886 1887 docker-image|quay.io/argoproj/argocd@latest and patch@2.7.6-7build2 1888 1889 </li> 1890 </ul> 1891 1892 <hr/> 1893 1894 1895 <h3 class="card__section__title">Detailed paths</h3> 1896 1897 <ul class="card__meta__paths"> 1898 <li> 1899 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1900 docker-image|quay.io/argoproj/argocd@latest 1901 <span class="list-paths__item__arrow">›</span> 1902 patch@2.7.6-7build2 1903 1904 </span> 1905 1906 </li> 1907 </ul><!-- .list-paths --> 1908 1909 </div><!-- .card__section --> 1910 1911 <hr/> 1912 <!-- Overview --> 1913 <h2 id="nvd-description">NVD Description</h2> 1914 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>patch</code> package and not the <code>patch</code> package as distributed by <code>Ubuntu:22.04</code>.</em> 1915 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 1916 <p>A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.</p> 1917 <h2 id="remediation">Remediation</h2> 1918 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>patch</code>.</p> 1919 <h2 id="references">References</h2> 1920 <ul> 1921 <li><a 
href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-6952">ADVISORY</a></li> 1922 <li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6952">CVE Details</a></li> 1923 <li><a href="https://security-tracker.debian.org/tracker/CVE-2018-6952">Debian Security Tracker</a></li> 1924 <li><a href="https://security.gentoo.org/glsa/201904-17">Gentoo Security Advisory</a></li> 1925 <li><a href="https://savannah.gnu.org/bugs/index.php?53133">MISC</a></li> 1926 <li><a href="https://access.redhat.com/errata/RHSA-2019:2033">REDHAT</a></li> 1927 <li><a href="http://www.securityfocus.com/bid/103047">Security Focus</a></li> 1928 </ul> 1929 1930 <hr/> 1931 1932 <div class="cta card__cta"> 1933 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-PATCH-2784568">More about this vulnerability</a></p> 1934 </div> 1935 1936 </div><!-- .card --> 1937 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 1938 <h2 class="card__title">CVE-2023-28531</h2> 1939 <div class="card__section"> 1940 1941 <div class="label label--low"> 1942 <span class="label__text">low severity</span> 1943 </div> 1944 1945 <hr/> 1946 1947 <ul class="card__meta"> 1948 <li class="card__meta__item"> 1949 Package Manager: ubuntu:22.04 1950 </li> 1951 <li class="card__meta__item"> 1952 Vulnerable module: 1953 1954 openssh/openssh-client 1955 </li> 1956 1957 <li class="card__meta__item">Introduced through: 1958 1959 docker-image|quay.io/argoproj/argocd@latest and openssh/openssh-client@1:8.9p1-3ubuntu0.4 1960 1961 </li> 1962 </ul> 1963 1964 <hr/> 1965 1966 1967 <h3 class="card__section__title">Detailed paths</h3> 1968 1969 <ul class="card__meta__paths"> 1970 <li> 1971 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1972 docker-image|quay.io/argoproj/argocd@latest 1973 <span class="list-paths__item__arrow">›</span> 1974 openssh/openssh-client@1:8.9p1-3ubuntu0.4 1975 1976 </span> 1977 1978 </li> 1979 </ul><!-- .list-paths --> 1980 1981 </div><!-- 
.card__section --> 1982 1983 <hr/> 1984 <!-- Overview --> 1985 <h2 id="nvd-description">NVD Description</h2> 1986 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssh</code> package and not the <code>openssh</code> package as distributed by <code>Ubuntu:22.04</code>.</em> 1987 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 1988 <p>ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints. The earliest affected version is 8.9.</p> 1989 <h2 id="remediation">Remediation</h2> 1990 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>openssh</code>.</p> 1991 <h2 id="references">References</h2> 1992 <ul> 1993 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-28531">ADVISORY</a></li> 1994 <li><a href="https://www.openwall.com/lists/oss-security/2023/03/15/8">cve@mitre.org</a></li> 1995 <li><a href="https://security.netapp.com/advisory/ntap-20230413-0008/">cve@mitre.org</a></li> 1996 <li><a href="https://security.gentoo.org/glsa/202307-01">cve@mitre.org</a></li> 1997 </ul> 1998 1999 <hr/> 2000 2001 <div class="cta card__cta"> 2002 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-OPENSSH-3367022">More about this vulnerability</a></p> 2003 </div> 2004 2005 </div><!-- .card --> 2006 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2007 <h2 class="card__title">NULL Pointer Dereference</h2> 2008 <div class="card__section"> 2009 2010 <div class="label label--low"> 2011 <span class="label__text">low severity</span> 2012 </div> 2013 2014 <hr/> 2015 2016 <ul class="card__meta"> 2017 <li class="card__meta__item"> 2018 Package Manager: ubuntu:22.04 2019 </li> 2020 <li class="card__meta__item"> 2021 Vulnerable module: 2022 2023 openldap/libldap-2.5-0 2024 </li> 2025 2026 <li class="card__meta__item">Introduced through: 2027 2028 2029 
docker-image|quay.io/argoproj/argocd@latest, gnupg2/dirmngr@2.2.27-3ubuntu2.1 and others 2030 </li> 2031 </ul> 2032 2033 <hr/> 2034 2035 2036 <h3 class="card__section__title">Detailed paths</h3> 2037 2038 <ul class="card__meta__paths"> 2039 <li> 2040 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2041 docker-image|quay.io/argoproj/argocd@latest 2042 <span class="list-paths__item__arrow">›</span> 2043 gnupg2/dirmngr@2.2.27-3ubuntu2.1 2044 <span class="list-paths__item__arrow">›</span> 2045 openldap/libldap-2.5-0@2.5.16+dfsg-0ubuntu0.22.04.1 2046 2047 </span> 2048 2049 </li> 2050 <li> 2051 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2052 docker-image|quay.io/argoproj/argocd@latest 2053 <span class="list-paths__item__arrow">›</span> 2054 git@1:2.34.1-1ubuntu1.10 2055 <span class="list-paths__item__arrow">›</span> 2056 curl/libcurl3-gnutls@7.81.0-1ubuntu1.14 2057 <span class="list-paths__item__arrow">›</span> 2058 openldap/libldap-2.5-0@2.5.16+dfsg-0ubuntu0.22.04.1 2059 2060 </span> 2061 2062 </li> 2063 <li> 2064 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2065 docker-image|quay.io/argoproj/argocd@latest 2066 <span class="list-paths__item__arrow">›</span> 2067 openldap/libldap-common@2.5.16+dfsg-0ubuntu0.22.04.1 2068 2069 </span> 2070 2071 </li> 2072 </ul><!-- .list-paths --> 2073 2074 </div><!-- .card__section --> 2075 2076 <hr/> 2077 <!-- Overview --> 2078 <h2 id="nvd-description">NVD Description</h2> 2079 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openldap</code> package and not the <code>openldap</code> package as distributed by <code>Ubuntu:22.04</code>.</em> 2080 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 2081 <p>A vulnerability was found in openldap. 
This security flaw causes a null pointer dereference in the ber_memalloc_x() function.</p> 2082 <h2 id="remediation">Remediation</h2> 2083 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>openldap</code>.</p> 2084 <h2 id="references">References</h2> 2085 <ul> 2086 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-2953">ADVISORY</a></li> 2087 <li><a href="https://access.redhat.com/security/cve/CVE-2023-2953">secalert@redhat.com</a></li> 2088 <li><a href="https://bugs.openldap.org/show_bug.cgi?id=9904">secalert@redhat.com</a></li> 2089 <li><a href="https://security.netapp.com/advisory/ntap-20230703-0005/">secalert@redhat.com</a></li> 2090 <li><a href="https://support.apple.com/kb/HT213843">secalert@redhat.com</a></li> 2091 <li><a href="https://support.apple.com/kb/HT213844">secalert@redhat.com</a></li> 2092 <li><a href="https://support.apple.com/kb/HT213845">secalert@redhat.com</a></li> 2093 <li><a href="http://seclists.org/fulldisclosure/2023/Jul/47">secalert@redhat.com</a></li> 2094 <li><a href="http://seclists.org/fulldisclosure/2023/Jul/48">secalert@redhat.com</a></li> 2095 <li><a href="http://seclists.org/fulldisclosure/2023/Jul/52">secalert@redhat.com</a></li> 2096 </ul> 2097 2098 <hr/> 2099 2100 <div class="cta card__cta"> 2101 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-OPENLDAP-5661784">More about this vulnerability</a></p> 2102 </div> 2103 2104 </div><!-- .card --> 2105 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2106 <h2 class="card__title">Resource Exhaustion</h2> 2107 <div class="card__section"> 2108 2109 <div class="label label--low"> 2110 <span class="label__text">low severity</span> 2111 </div> 2112 2113 <hr/> 2114 2115 <ul class="card__meta"> 2116 <li class="card__meta__item"> 2117 Package Manager: ubuntu:22.04 2118 </li> 2119 <li class="card__meta__item"> 2120 Vulnerable module: 2121 2122 libzstd/libzstd1 2123 </li> 2124 2125 <li class="card__meta__item">Introduced through: 
2126 2127 docker-image|quay.io/argoproj/argocd@latest and libzstd/libzstd1@1.4.8+dfsg-3build1 2128 2129 </li> 2130 </ul> 2131 2132 <hr/> 2133 2134 2135 <h3 class="card__section__title">Detailed paths</h3> 2136 2137 <ul class="card__meta__paths"> 2138 <li> 2139 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2140 docker-image|quay.io/argoproj/argocd@latest 2141 <span class="list-paths__item__arrow">›</span> 2142 libzstd/libzstd1@1.4.8+dfsg-3build1 2143 2144 </span> 2145 2146 </li> 2147 </ul><!-- .list-paths --> 2148 2149 </div><!-- .card__section --> 2150 2151 <hr/> 2152 <!-- Overview --> 2153 <h2 id="nvd-description">NVD Description</h2> 2154 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>libzstd</code> package and not the <code>libzstd</code> package as distributed by <code>Ubuntu</code>.</em> 2155 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 2156 <p>A vulnerability was found in zstd v1.4.10, where an attacker can supply an empty string as an argument to the command line tool to cause a buffer overrun.</p> 2157 <h2 id="remediation">Remediation</h2> 2158 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>libzstd</code>.</p> 2159 <h2 id="references">References</h2> 2160 <ul> 2161 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-4899">ADVISORY</a></li> 2162 <li><a href="https://github.com/facebook/zstd/issues/3200">secalert@redhat.com</a></li> 2163 <li><a href="https://security.netapp.com/advisory/ntap-20230725-0005/">secalert@redhat.com</a></li> 2164 <li><a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C63HAGVLQA6FJNDCHR7CNZZL6VSLILB2/">secalert@redhat.com</a></li> 2165 <li><a 
href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEHRBBYYTPA4DETOM5XAKGCP37NUTLOA/">secalert@redhat.com</a></li> 2166 <li><a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QYLDK6ODVC4LJSDULLX6Q2YHTFOWABCN/">secalert@redhat.com</a></li> 2167 </ul> 2168 2169 <hr/> 2170 2171 <div class="cta card__cta"> 2172 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-LIBZSTD-3368800">More about this vulnerability</a></p> 2173 </div> 2174 2175 </div><!-- .card --> 2176 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2177 <h2 class="card__title">Integer Overflow or Wraparound</h2> 2178 <div class="card__section"> 2179 2180 <div class="label label--low"> 2181 <span class="label__text">low severity</span> 2182 </div> 2183 2184 <hr/> 2185 2186 <ul class="card__meta"> 2187 <li class="card__meta__item"> 2188 Package Manager: ubuntu:22.04 2189 </li> 2190 <li class="card__meta__item"> 2191 Vulnerable module: 2192 2193 krb5/libk5crypto3 2194 </li> 2195 2196 <li class="card__meta__item">Introduced through: 2197 2198 docker-image|quay.io/argoproj/argocd@latest and krb5/libk5crypto3@1.19.2-2ubuntu0.2 2199 2200 </li> 2201 </ul> 2202 2203 <hr/> 2204 2205 2206 <h3 class="card__section__title">Detailed paths</h3> 2207 2208 <ul class="card__meta__paths"> 2209 <li> 2210 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2211 docker-image|quay.io/argoproj/argocd@latest 2212 <span class="list-paths__item__arrow">›</span> 2213 krb5/libk5crypto3@1.19.2-2ubuntu0.2 2214 2215 </span> 2216 2217 </li> 2218 <li> 2219 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2220 docker-image|quay.io/argoproj/argocd@latest 2221 <span class="list-paths__item__arrow">›</span> 2222 adduser@3.118ubuntu5 2223 <span class="list-paths__item__arrow">›</span> 2224 shadow/passwd@1:4.8.1-2ubuntu2.1 2225 <span 
class="list-paths__item__arrow">›</span> 2226 pam/libpam-modules@1.4.0-11ubuntu2.3 2227 <span class="list-paths__item__arrow">›</span> 2228 libnsl/libnsl2@1.3.0-2build2 2229 <span class="list-paths__item__arrow">›</span> 2230 libtirpc/libtirpc3@1.3.2-2ubuntu0.1 2231 <span class="list-paths__item__arrow">›</span> 2232 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 2233 <span class="list-paths__item__arrow">›</span> 2234 krb5/libk5crypto3@1.19.2-2ubuntu0.2 2235 2236 </span> 2237 2238 </li> 2239 <li> 2240 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2241 docker-image|quay.io/argoproj/argocd@latest 2242 <span class="list-paths__item__arrow">›</span> 2243 adduser@3.118ubuntu5 2244 <span class="list-paths__item__arrow">›</span> 2245 shadow/passwd@1:4.8.1-2ubuntu2.1 2246 <span class="list-paths__item__arrow">›</span> 2247 pam/libpam-modules@1.4.0-11ubuntu2.3 2248 <span class="list-paths__item__arrow">›</span> 2249 libnsl/libnsl2@1.3.0-2build2 2250 <span class="list-paths__item__arrow">›</span> 2251 libtirpc/libtirpc3@1.3.2-2ubuntu0.1 2252 <span class="list-paths__item__arrow">›</span> 2253 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 2254 <span class="list-paths__item__arrow">›</span> 2255 krb5/libkrb5-3@1.19.2-2ubuntu0.2 2256 <span class="list-paths__item__arrow">›</span> 2257 krb5/libk5crypto3@1.19.2-2ubuntu0.2 2258 2259 </span> 2260 2261 </li> 2262 <li> 2263 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2264 docker-image|quay.io/argoproj/argocd@latest 2265 <span class="list-paths__item__arrow">›</span> 2266 krb5/libkrb5-3@1.19.2-2ubuntu0.2 2267 2268 </span> 2269 2270 </li> 2271 <li> 2272 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2273 docker-image|quay.io/argoproj/argocd@latest 2274 <span class="list-paths__item__arrow">›</span> 2275 adduser@3.118ubuntu5 2276 <span class="list-paths__item__arrow">›</span> 2277 shadow/passwd@1:4.8.1-2ubuntu2.1 2278 <span class="list-paths__item__arrow">›</span> 2279 
pam/libpam-modules@1.4.0-11ubuntu2.3 2280 <span class="list-paths__item__arrow">›</span> 2281 libnsl/libnsl2@1.3.0-2build2 2282 <span class="list-paths__item__arrow">›</span> 2283 libtirpc/libtirpc3@1.3.2-2ubuntu0.1 2284 <span class="list-paths__item__arrow">›</span> 2285 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 2286 <span class="list-paths__item__arrow">›</span> 2287 krb5/libkrb5-3@1.19.2-2ubuntu0.2 2288 2289 </span> 2290 2291 </li> 2292 <li> 2293 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2294 docker-image|quay.io/argoproj/argocd@latest 2295 <span class="list-paths__item__arrow">›</span> 2296 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 2297 2298 </span> 2299 2300 </li> 2301 <li> 2302 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2303 docker-image|quay.io/argoproj/argocd@latest 2304 <span class="list-paths__item__arrow">›</span> 2305 openssh/openssh-client@1:8.9p1-3ubuntu0.4 2306 <span class="list-paths__item__arrow">›</span> 2307 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 2308 2309 </span> 2310 2311 </li> 2312 <li> 2313 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2314 docker-image|quay.io/argoproj/argocd@latest 2315 <span class="list-paths__item__arrow">›</span> 2316 git@1:2.34.1-1ubuntu1.10 2317 <span class="list-paths__item__arrow">›</span> 2318 curl/libcurl3-gnutls@7.81.0-1ubuntu1.14 2319 <span class="list-paths__item__arrow">›</span> 2320 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 2321 2322 </span> 2323 2324 </li> 2325 <li> 2326 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2327 docker-image|quay.io/argoproj/argocd@latest 2328 <span class="list-paths__item__arrow">›</span> 2329 git@1:2.34.1-1ubuntu1.10 2330 <span class="list-paths__item__arrow">›</span> 2331 curl/libcurl3-gnutls@7.81.0-1ubuntu1.14 2332 <span class="list-paths__item__arrow">›</span> 2333 libssh/libssh-4@0.9.6-2ubuntu0.22.04.1 2334 <span class="list-paths__item__arrow">›</span> 2335 
krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 2336 2337 </span> 2338 2339 </li> 2340 <li> 2341 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2342 docker-image|quay.io/argoproj/argocd@latest 2343 <span class="list-paths__item__arrow">›</span> 2344 adduser@3.118ubuntu5 2345 <span class="list-paths__item__arrow">›</span> 2346 shadow/passwd@1:4.8.1-2ubuntu2.1 2347 <span class="list-paths__item__arrow">›</span> 2348 pam/libpam-modules@1.4.0-11ubuntu2.3 2349 <span class="list-paths__item__arrow">›</span> 2350 libnsl/libnsl2@1.3.0-2build2 2351 <span class="list-paths__item__arrow">›</span> 2352 libtirpc/libtirpc3@1.3.2-2ubuntu0.1 2353 <span class="list-paths__item__arrow">›</span> 2354 krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.2 2355 2356 </span> 2357 2358 </li> 2359 <li> 2360 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2361 docker-image|quay.io/argoproj/argocd@latest 2362 <span class="list-paths__item__arrow">›</span> 2363 krb5/libkrb5support0@1.19.2-2ubuntu0.2 2364 2365 </span> 2366 2367 </li> 2368 </ul><!-- .list-paths --> 2369 2370 </div><!-- .card__section --> 2371 2372 <hr/> 2373 <!-- Overview --> 2374 <h2 id="nvd-description">NVD Description</h2> 2375 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>krb5</code> package and not the <code>krb5</code> package as distributed by <code>Ubuntu:22.04</code>.</em> 2376 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 2377 <p>An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. 
An attacker can use this vulnerability to affect other artifacts of the database, since a Kerberos database dump file contains trusted data.</p> 2378 <h2 id="remediation">Remediation</h2> 2379 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>krb5</code>.</p> 2380 <h2 id="references">References</h2> 2381 <ul> 2382 <li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5709">CVE Details</a></li> 2383 <li><a href="https://security-tracker.debian.org/tracker/CVE-2018-5709">Debian Security Tracker</a></li> 2384 <li><a href="https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow">GitHub Additional Information</a></li> 2385 <li><a href="https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E">MLIST</a></li> 2386 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-5709">Ubuntu CVE Tracker</a></li> 2387 </ul> 2388 2389 <hr/> 2390 2391 <div class="cta card__cta"> 2392 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-KRB5-2797765">More about this vulnerability</a></p> 2393 </div> 2394 2395 </div><!-- .card --> 2396 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2397 <h2 class="card__title">Out-of-bounds Write</h2> 2398 <div class="card__section"> 2399 2400 <div class="label label--low"> 2401 <span class="label__text">low severity</span> 2402 </div> 2403 2404 <hr/> 2405 2406 <ul class="card__meta"> 2407 <li class="card__meta__item"> 2408 Package Manager: ubuntu:22.04 2409 </li> 2410 <li class="card__meta__item"> 2411 Vulnerable module: 2412 2413 gnupg2/gpgv 2414 </li> 2415 2416 <li class="card__meta__item">Introduced through: 2417 2418 docker-image|quay.io/argoproj/argocd@latest and gnupg2/gpgv@2.2.27-3ubuntu2.1 2419 2420 </li> 2421 </ul> 2422 2423 <hr/> 2424 2425 2426 <h3 class="card__section__title">Detailed paths</h3> 2427 2428 <ul class="card__meta__paths"> 2429 <li> 2430 <span 
class="list-paths__item__introduced"><em>Introduced through</em>: 2431 docker-image|quay.io/argoproj/argocd@latest 2432 <span class="list-paths__item__arrow">›</span> 2433 gnupg2/gpgv@2.2.27-3ubuntu2.1 2434 2435 </span> 2436 2437 </li> 2438 <li> 2439 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2440 docker-image|quay.io/argoproj/argocd@latest 2441 <span class="list-paths__item__arrow">›</span> 2442 apt@2.4.10 2443 <span class="list-paths__item__arrow">›</span> 2444 gnupg2/gpgv@2.2.27-3ubuntu2.1 2445 2446 </span> 2447 2448 </li> 2449 <li> 2450 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2451 docker-image|quay.io/argoproj/argocd@latest 2452 <span class="list-paths__item__arrow">›</span> 2453 gnupg2/gnupg@2.2.27-3ubuntu2.1 2454 <span class="list-paths__item__arrow">›</span> 2455 gnupg2/gpgv@2.2.27-3ubuntu2.1 2456 2457 </span> 2458 2459 </li> 2460 <li> 2461 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2462 docker-image|quay.io/argoproj/argocd@latest 2463 <span class="list-paths__item__arrow">›</span> 2464 gnupg2/dirmngr@2.2.27-3ubuntu2.1 2465 <span class="list-paths__item__arrow">›</span> 2466 gnupg2/gpgconf@2.2.27-3ubuntu2.1 2467 2468 </span> 2469 2470 </li> 2471 <li> 2472 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2473 docker-image|quay.io/argoproj/argocd@latest 2474 <span class="list-paths__item__arrow">›</span> 2475 gnupg2/gpg@2.2.27-3ubuntu2.1 2476 <span class="list-paths__item__arrow">›</span> 2477 gnupg2/gpgconf@2.2.27-3ubuntu2.1 2478 2479 </span> 2480 2481 </li> 2482 <li> 2483 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2484 docker-image|quay.io/argoproj/argocd@latest 2485 <span class="list-paths__item__arrow">›</span> 2486 gnupg2/gnupg@2.2.27-3ubuntu2.1 2487 <span class="list-paths__item__arrow">›</span> 2488 gnupg2/gpg-agent@2.2.27-3ubuntu2.1 2489 <span class="list-paths__item__arrow">›</span> 2490 
gnupg2/gpgconf@2.2.27-3ubuntu2.1 2491 2492 </span> 2493 2494 </li> 2495 <li> 2496 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2497 docker-image|quay.io/argoproj/argocd@latest 2498 <span class="list-paths__item__arrow">›</span> 2499 gnupg2/gnupg@2.2.27-3ubuntu2.1 2500 <span class="list-paths__item__arrow">›</span> 2501 gnupg2/gpgsm@2.2.27-3ubuntu2.1 2502 <span class="list-paths__item__arrow">›</span> 2503 gnupg2/gpgconf@2.2.27-3ubuntu2.1 2504 2505 </span> 2506 2507 </li> 2508 <li> 2509 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2510 docker-image|quay.io/argoproj/argocd@latest 2511 <span class="list-paths__item__arrow">›</span> 2512 gnupg2/dirmngr@2.2.27-3ubuntu2.1 2513 2514 </span> 2515 2516 </li> 2517 <li> 2518 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2519 docker-image|quay.io/argoproj/argocd@latest 2520 <span class="list-paths__item__arrow">›</span> 2521 gnupg2/gnupg@2.2.27-3ubuntu2.1 2522 <span class="list-paths__item__arrow">›</span> 2523 gnupg2/dirmngr@2.2.27-3ubuntu2.1 2524 2525 </span> 2526 2527 </li> 2528 <li> 2529 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2530 docker-image|quay.io/argoproj/argocd@latest 2531 <span class="list-paths__item__arrow">›</span> 2532 gnupg2/gnupg@2.2.27-3ubuntu2.1 2533 <span class="list-paths__item__arrow">›</span> 2534 gnupg2/gpg-wks-client@2.2.27-3ubuntu2.1 2535 <span class="list-paths__item__arrow">›</span> 2536 gnupg2/dirmngr@2.2.27-3ubuntu2.1 2537 2538 </span> 2539 2540 </li> 2541 <li> 2542 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2543 docker-image|quay.io/argoproj/argocd@latest 2544 <span class="list-paths__item__arrow">›</span> 2545 gnupg2/gnupg-l10n@2.2.27-3ubuntu2.1 2546 2547 </span> 2548 2549 </li> 2550 <li> 2551 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2552 docker-image|quay.io/argoproj/argocd@latest 2553 <span 
class="list-paths__item__arrow">›</span> 2554 gnupg2/gnupg@2.2.27-3ubuntu2.1 2555 <span class="list-paths__item__arrow">›</span> 2556 gnupg2/gnupg-l10n@2.2.27-3ubuntu2.1 2557 2558 </span> 2559 2560 </li> 2561 <li> 2562 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2563 docker-image|quay.io/argoproj/argocd@latest 2564 <span class="list-paths__item__arrow">›</span> 2565 gnupg2/gnupg-utils@2.2.27-3ubuntu2.1 2566 2567 </span> 2568 2569 </li> 2570 <li> 2571 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2572 docker-image|quay.io/argoproj/argocd@latest 2573 <span class="list-paths__item__arrow">›</span> 2574 gnupg2/gnupg@2.2.27-3ubuntu2.1 2575 <span class="list-paths__item__arrow">›</span> 2576 gnupg2/gnupg-utils@2.2.27-3ubuntu2.1 2577 2578 </span> 2579 2580 </li> 2581 <li> 2582 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2583 docker-image|quay.io/argoproj/argocd@latest 2584 <span class="list-paths__item__arrow">›</span> 2585 gnupg2/gpg@2.2.27-3ubuntu2.1 2586 2587 </span> 2588 2589 </li> 2590 <li> 2591 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2592 docker-image|quay.io/argoproj/argocd@latest 2593 <span class="list-paths__item__arrow">›</span> 2594 gnupg2/gnupg@2.2.27-3ubuntu2.1 2595 <span class="list-paths__item__arrow">›</span> 2596 gnupg2/gpg@2.2.27-3ubuntu2.1 2597 2598 </span> 2599 2600 </li> 2601 <li> 2602 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2603 docker-image|quay.io/argoproj/argocd@latest 2604 <span class="list-paths__item__arrow">›</span> 2605 gnupg2/gnupg@2.2.27-3ubuntu2.1 2606 <span class="list-paths__item__arrow">›</span> 2607 gnupg2/gpg-wks-client@2.2.27-3ubuntu2.1 2608 <span class="list-paths__item__arrow">›</span> 2609 gnupg2/gpg@2.2.27-3ubuntu2.1 2610 2611 </span> 2612 2613 </li> 2614 <li> 2615 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2616 docker-image|quay.io/argoproj/argocd@latest 
2617 <span class="list-paths__item__arrow">›</span> 2618 gnupg2/gnupg@2.2.27-3ubuntu2.1 2619 <span class="list-paths__item__arrow">›</span> 2620 gnupg2/gpg-wks-server@2.2.27-3ubuntu2.1 2621 <span class="list-paths__item__arrow">›</span> 2622 gnupg2/gpg@2.2.27-3ubuntu2.1 2623 2624 </span> 2625 2626 </li> 2627 <li> 2628 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2629 docker-image|quay.io/argoproj/argocd@latest 2630 <span class="list-paths__item__arrow">›</span> 2631 gnupg2/gpg-agent@2.2.27-3ubuntu2.1 2632 2633 </span> 2634 2635 </li> 2636 <li> 2637 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2638 docker-image|quay.io/argoproj/argocd@latest 2639 <span class="list-paths__item__arrow">›</span> 2640 gnupg2/gnupg@2.2.27-3ubuntu2.1 2641 <span class="list-paths__item__arrow">›</span> 2642 gnupg2/gpg-agent@2.2.27-3ubuntu2.1 2643 2644 </span> 2645 2646 </li> 2647 <li> 2648 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2649 docker-image|quay.io/argoproj/argocd@latest 2650 <span class="list-paths__item__arrow">›</span> 2651 gnupg2/gnupg@2.2.27-3ubuntu2.1 2652 <span class="list-paths__item__arrow">›</span> 2653 gnupg2/gpg-wks-client@2.2.27-3ubuntu2.1 2654 <span class="list-paths__item__arrow">›</span> 2655 gnupg2/gpg-agent@2.2.27-3ubuntu2.1 2656 2657 </span> 2658 2659 </li> 2660 <li> 2661 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2662 docker-image|quay.io/argoproj/argocd@latest 2663 <span class="list-paths__item__arrow">›</span> 2664 gnupg2/gnupg@2.2.27-3ubuntu2.1 2665 <span class="list-paths__item__arrow">›</span> 2666 gnupg2/gpg-wks-server@2.2.27-3ubuntu2.1 2667 <span class="list-paths__item__arrow">›</span> 2668 gnupg2/gpg-agent@2.2.27-3ubuntu2.1 2669 2670 </span> 2671 2672 </li> 2673 <li> 2674 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2675 docker-image|quay.io/argoproj/argocd@latest 2676 <span class="list-paths__item__arrow">›</span> 
2677 gnupg2/gpg-wks-client@2.2.27-3ubuntu2.1 2678 2679 </span> 2680 2681 </li> 2682 <li> 2683 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2684 docker-image|quay.io/argoproj/argocd@latest 2685 <span class="list-paths__item__arrow">›</span> 2686 gnupg2/gnupg@2.2.27-3ubuntu2.1 2687 <span class="list-paths__item__arrow">›</span> 2688 gnupg2/gpg-wks-client@2.2.27-3ubuntu2.1 2689 2690 </span> 2691 2692 </li> 2693 <li> 2694 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2695 docker-image|quay.io/argoproj/argocd@latest 2696 <span class="list-paths__item__arrow">›</span> 2697 gnupg2/gpg-wks-server@2.2.27-3ubuntu2.1 2698 2699 </span> 2700 2701 </li> 2702 <li> 2703 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2704 docker-image|quay.io/argoproj/argocd@latest 2705 <span class="list-paths__item__arrow">›</span> 2706 gnupg2/gnupg@2.2.27-3ubuntu2.1 2707 <span class="list-paths__item__arrow">›</span> 2708 gnupg2/gpg-wks-server@2.2.27-3ubuntu2.1 2709 2710 </span> 2711 2712 </li> 2713 <li> 2714 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2715 docker-image|quay.io/argoproj/argocd@latest 2716 <span class="list-paths__item__arrow">›</span> 2717 gnupg2/gpgsm@2.2.27-3ubuntu2.1 2718 2719 </span> 2720 2721 </li> 2722 <li> 2723 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2724 docker-image|quay.io/argoproj/argocd@latest 2725 <span class="list-paths__item__arrow">›</span> 2726 gnupg2/gnupg@2.2.27-3ubuntu2.1 2727 <span class="list-paths__item__arrow">›</span> 2728 gnupg2/gpgsm@2.2.27-3ubuntu2.1 2729 2730 </span> 2731 2732 </li> 2733 <li> 2734 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2735 docker-image|quay.io/argoproj/argocd@latest 2736 <span class="list-paths__item__arrow">›</span> 2737 gnupg2/gnupg@2.2.27-3ubuntu2.1 2738 2739 </span> 2740 2741 </li> 2742 </ul><!-- .list-paths --> 2743 2744 </div><!-- .card__section --> 2745 2746 
<hr/> 2747 <!-- Overview --> 2748 <h2 id="nvd-description">NVD Description</h2> 2749 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>gnupg2</code> package and not the <code>gnupg2</code> package as distributed by <code>Ubuntu:22.04</code>.</em> 2750 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 2751 <p>GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.</p> 2752 <h2 id="remediation">Remediation</h2> 2753 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>gnupg2</code>.</p> 2754 <h2 id="references">References</h2> 2755 <ul> 2756 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3219">ADVISORY</a></li> 2757 <li><a href="https://access.redhat.com/security/cve/CVE-2022-3219">secalert@redhat.com</a></li> 2758 <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2127010">secalert@redhat.com</a></li> 2759 <li><a href="https://dev.gnupg.org/D556">secalert@redhat.com</a></li> 2760 <li><a href="https://dev.gnupg.org/T5993">secalert@redhat.com</a></li> 2761 <li><a href="https://marc.info/?l=oss-security&m=165696590211434&w=4">secalert@redhat.com</a></li> 2762 <li><a href="https://security.netapp.com/advisory/ntap-20230324-0001/">secalert@redhat.com</a></li> 2763 </ul> 2764 2765 <hr/> 2766 2767 <div class="cta card__cta"> 2768 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-GNUPG2-3035409">More about this vulnerability</a></p> 2769 </div> 2770 2771 </div><!-- .card --> 2772 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2773 <h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2> 2774 <div class="card__section"> 2775 2776 <div class="label label--low"> 2777 <span class="label__text">low severity</span> 2778 </div> 2779 2780 <hr/> 2781 2782 <ul 
class="card__meta"> 2783 <li class="card__meta__item"> 2784 Package Manager: ubuntu:22.04 2785 </li> 2786 <li class="card__meta__item"> 2787 Vulnerable module: 2788 2789 glibc/libc-bin 2790 </li> 2791 2792 <li class="card__meta__item">Introduced through: 2793 2794 docker-image|quay.io/argoproj/argocd@latest and glibc/libc-bin@2.35-0ubuntu3.4 2795 2796 </li> 2797 </ul> 2798 2799 <hr/> 2800 2801 2802 <h3 class="card__section__title">Detailed paths</h3> 2803 2804 <ul class="card__meta__paths"> 2805 <li> 2806 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2807 docker-image|quay.io/argoproj/argocd@latest 2808 <span class="list-paths__item__arrow">›</span> 2809 glibc/libc-bin@2.35-0ubuntu3.4 2810 2811 </span> 2812 2813 </li> 2814 <li> 2815 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2816 docker-image|quay.io/argoproj/argocd@latest 2817 <span class="list-paths__item__arrow">›</span> 2818 glibc/libc6@2.35-0ubuntu3.4 2819 2820 </span> 2821 2822 </li> 2823 </ul><!-- .list-paths --> 2824 2825 </div><!-- .card__section --> 2826 2827 <hr/> 2828 <!-- Overview --> 2829 <h2 id="nvd-description">NVD Description</h2> 2830 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>glibc</code> package and not the <code>glibc</code> package as distributed by <code>Ubuntu:22.04</code>.</em> 2831 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 2832 <p>sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.</p> 2833 <h2 id="remediation">Remediation</h2> 2834 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>glibc</code>.</p> 2835 <h2 id="references">References</h2> 2836 <ul> 2837 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-20013">ADVISORY</a></li> 
2838 <li><a href="https://twitter.com/solardiz/status/795601240151457793">cve@mitre.org</a></li> 2839 <li><a href="https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/">cve@mitre.org</a></li> 2840 <li><a href="https://akkadia.org/drepper/SHA-crypt.txt">cve@mitre.org</a></li> 2841 </ul> 2842 2843 <hr/> 2844 2845 <div class="cta card__cta"> 2846 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-GLIBC-2801292">More about this vulnerability</a></p> 2847 </div> 2848 2849 </div><!-- .card --> 2850 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2851 <h2 class="card__title">Improper Input Validation</h2> 2852 <div class="card__section"> 2853 2854 <div class="label label--low"> 2855 <span class="label__text">low severity</span> 2856 </div> 2857 2858 <hr/> 2859 2860 <ul class="card__meta"> 2861 <li class="card__meta__item"> 2862 Package Manager: ubuntu:22.04 2863 </li> 2864 <li class="card__meta__item"> 2865 Vulnerable module: 2866 2867 git/git-man 2868 </li> 2869 2870 <li class="card__meta__item">Introduced through: 2871 2872 2873 docker-image|quay.io/argoproj/argocd@latest, git@1:2.34.1-1ubuntu1.10 and others 2874 </li> 2875 </ul> 2876 2877 <hr/> 2878 2879 2880 <h3 class="card__section__title">Detailed paths</h3> 2881 2882 <ul class="card__meta__paths"> 2883 <li> 2884 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2885 docker-image|quay.io/argoproj/argocd@latest 2886 <span class="list-paths__item__arrow">›</span> 2887 git@1:2.34.1-1ubuntu1.10 2888 <span class="list-paths__item__arrow">›</span> 2889 git/git-man@1:2.34.1-1ubuntu1.10 2890 2891 </span> 2892 2893 </li> 2894 <li> 2895 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2896 docker-image|quay.io/argoproj/argocd@latest 2897 <span class="list-paths__item__arrow">›</span> 2898 git@1:2.34.1-1ubuntu1.10 2899 2900 </span> 2901 2902 </li> 2903 <li> 2904 <span class="list-paths__item__introduced"><em>Introduced 
through</em>: 2905 docker-image|quay.io/argoproj/argocd@latest 2906 <span class="list-paths__item__arrow">›</span> 2907 git-lfs@3.0.2-1ubuntu0.2 2908 <span class="list-paths__item__arrow">›</span> 2909 git@1:2.34.1-1ubuntu1.10 2910 2911 </span> 2912 2913 </li> 2914 </ul><!-- .list-paths --> 2915 2916 </div><!-- .card__section --> 2917 2918 <hr/> 2919 <!-- Overview --> 2920 <h2 id="nvd-description">NVD Description</h2> 2921 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>git</code> package and not the <code>git</code> package as distributed by <code>Ubuntu:22.04</code>.</em> 2922 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 2923 <p>GIT version 2.15.1 and earlier contains an Input Validation Error vulnerability in the client that can result in problems ranging from corrupted terminal configuration to RCE. This attack appears to be exploitable when the user interacts with a malicious git server (or has their traffic modified in a MITM attack).</p> 2924 <h2 id="remediation">Remediation</h2> 2925 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>git</code>.</p> 2926 <h2 id="references">References</h2> 2927 <ul> 2928 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-1000021">ADVISORY</a></li> 2929 <li><a href="https://security-tracker.debian.org/tracker/CVE-2018-1000021">Debian Security Tracker</a></li> 2930 <li><a href="http://www.batterystapl.es/2018/01/security-implications-of-ansi-escape.html">http://www.batterystapl.es/2018/01/security-implications-of-ansi-escape.html</a></li> 2931 </ul> 2932 2933 <hr/> 2934 2935 <div class="cta card__cta"> 2936 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-GIT-2798113">More about this vulnerability</a></p> 2937 </div> 2938 2939 </div><!-- .card --> 2940 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2941 <h2 
class="card__title">Uncontrolled Recursion</h2> 2942 <div class="card__section"> 2943 2944 <div class="label label--low"> 2945 <span class="label__text">low severity</span> 2946 </div> 2947 2948 <hr/> 2949 2950 <ul class="card__meta"> 2951 <li class="card__meta__item"> 2952 Package Manager: ubuntu:22.04 2953 </li> 2954 <li class="card__meta__item"> 2955 Vulnerable module: 2956 2957 gcc-12/libstdc++6 2958 </li> 2959 2960 <li class="card__meta__item">Introduced through: 2961 2962 docker-image|quay.io/argoproj/argocd@latest and gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04 2963 2964 </li> 2965 </ul> 2966 2967 <hr/> 2968 2969 2970 <h3 class="card__section__title">Detailed paths</h3> 2971 2972 <ul class="card__meta__paths"> 2973 <li> 2974 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2975 docker-image|quay.io/argoproj/argocd@latest 2976 <span class="list-paths__item__arrow">›</span> 2977 gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04 2978 2979 </span> 2980 2981 </li> 2982 <li> 2983 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2984 docker-image|quay.io/argoproj/argocd@latest 2985 <span class="list-paths__item__arrow">›</span> 2986 apt@2.4.10 2987 <span class="list-paths__item__arrow">›</span> 2988 gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04 2989 2990 </span> 2991 2992 </li> 2993 <li> 2994 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2995 docker-image|quay.io/argoproj/argocd@latest 2996 <span class="list-paths__item__arrow">›</span> 2997 apt@2.4.10 2998 <span class="list-paths__item__arrow">›</span> 2999 apt/libapt-pkg6.0@2.4.10 3000 <span class="list-paths__item__arrow">›</span> 3001 gcc-12/libstdc++6@12.3.0-1ubuntu1~22.04 3002 3003 </span> 3004 3005 </li> 3006 <li> 3007 <span class="list-paths__item__introduced"><em>Introduced through</em>: 3008 docker-image|quay.io/argoproj/argocd@latest 3009 <span class="list-paths__item__arrow">›</span> 3010 gcc-12/gcc-12-base@12.3.0-1ubuntu1~22.04 3011 3012 </span> 3013 
3014 </li> 3015 <li> 3016 <span class="list-paths__item__introduced"><em>Introduced through</em>: 3017 docker-image|quay.io/argoproj/argocd@latest 3018 <span class="list-paths__item__arrow">›</span> 3019 gcc-12/libgcc-s1@12.3.0-1ubuntu1~22.04 3020 3021 </span> 3022 3023 </li> 3024 </ul><!-- .list-paths --> 3025 3026 </div><!-- .card__section --> 3027 3028 <hr/> 3029 <!-- Overview --> 3030 <h2 id="nvd-description">NVD Description</h2> 3031 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>gcc-12</code> package and not the <code>gcc-12</code> package as distributed by <code>Ubuntu:22.04</code>.</em> 3032 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 3033 <p>libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.</p> 3034 <h2 id="remediation">Remediation</h2> 3035 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>gcc-12</code>.</p> 3036 <h2 id="references">References</h2> 3037 <ul> 3038 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-27943">ADVISORY</a></li> 3039 <li><a href="https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039">cve@mitre.org</a></li> 3040 <li><a href="https://sourceware.org/bugzilla/show_bug.cgi?id=28995">cve@mitre.org</a></li> 3041 <li><a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/">cve@mitre.org</a></li> 3042 </ul> 3043 3044 <hr/> 3045 3046 <div class="cta card__cta"> 3047 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-GCC12-5861847">More about this vulnerability</a></p> 3048 </div> 3049 3050 </div><!-- .card --> 3051 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 3052 <h2 class="card__title">Improper Input Validation</h2> 3053 <div class="card__section"> 3054 3055 <div class="label label--low"> 3056 <span 
class="label__text">low severity</span> 3057 </div> 3058 3059 <hr/> 3060 3061 <ul class="card__meta"> 3062 <li class="card__meta__item"> 3063 Package Manager: ubuntu:22.04 3064 </li> 3065 <li class="card__meta__item"> 3066 Vulnerable module: 3067 3068 coreutils 3069 </li> 3070 3071 <li class="card__meta__item">Introduced through: 3072 3073 docker-image|quay.io/argoproj/argocd@latest and coreutils@8.32-4.1ubuntu1 3074 3075 </li> 3076 </ul> 3077 3078 <hr/> 3079 3080 3081 <h3 class="card__section__title">Detailed paths</h3> 3082 3083 <ul class="card__meta__paths"> 3084 <li> 3085 <span class="list-paths__item__introduced"><em>Introduced through</em>: 3086 docker-image|quay.io/argoproj/argocd@latest 3087 <span class="list-paths__item__arrow">›</span> 3088 coreutils@8.32-4.1ubuntu1 3089 3090 </span> 3091 3092 </li> 3093 </ul><!-- .list-paths --> 3094 3095 </div><!-- .card__section --> 3096 3097 <hr/> 3098 <!-- Overview --> 3099 <h2 id="nvd-description">NVD Description</h2> 3100 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>coreutils</code> package and not the <code>coreutils</code> package as distributed by <code>Ubuntu:22.04</code>.</em> 3101 <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 3102 <p>chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.</p> 3103 <h2 id="remediation">Remediation</h2> 3104 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>coreutils</code>.</p> 3105 <h2 id="references">References</h2> 3106 <ul> 3107 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2781">ADVISORY</a></li> 3108 <li><a href="https://security-tracker.debian.org/tracker/CVE-2016-2781">Debian Security Tracker</a></li> 3109 <li><a 
href="https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E">MLIST</a></li> 3110 <li><a href="http://www.openwall.com/lists/oss-security/2016/02/28/2">OSS security Advisory</a></li> 3111 <li><a href="http://www.openwall.com/lists/oss-security/2016/02/28/3">OSS security Advisory</a></li> 3112 </ul> 3113 3114 <hr/> 3115 3116 <div class="cta card__cta"> 3117 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-COREUTILS-2801226">More about this vulnerability</a></p> 3118 </div> 3119 3120 </div><!-- .card --> 3121 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 3122 <h2 class="card__title">Out-of-bounds Write</h2> 3123 <div class="card__section"> 3124 3125 <div class="label label--low"> 3126 <span class="label__text">low severity</span> 3127 </div> 3128 3129 <hr/> 3130 3131 <ul class="card__meta"> 3132 <li class="card__meta__item"> 3133 Package Manager: ubuntu:22.04 3134 </li> 3135 <li class="card__meta__item"> 3136 Vulnerable module: 3137 3138 bash 3139 </li> 3140 3141 <li class="card__meta__item">Introduced through: 3142 3143 docker-image|quay.io/argoproj/argocd@latest and bash@5.1-6ubuntu1 3144 3145 </li> 3146 </ul> 3147 3148 <hr/> 3149 3150 3151 <h3 class="card__section__title">Detailed paths</h3> 3152 3153 <ul class="card__meta__paths"> 3154 <li> 3155 <span class="list-paths__item__introduced"><em>Introduced through</em>: 3156 docker-image|quay.io/argoproj/argocd@latest 3157 <span class="list-paths__item__arrow">›</span> 3158 bash@5.1-6ubuntu1 3159 3160 </span> 3161 3162 </li> 3163 </ul><!-- .list-paths --> 3164 3165 </div><!-- .card__section --> 3166 3167 <hr/> 3168 <!-- Overview --> 3169 <h2 id="nvd-description">NVD Description</h2> 3170 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>bash</code> package and not the <code>bash</code> package as distributed by <code>Ubuntu:22.04</code>.</em> 3171 <em>See 
<code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p> 3172 <p>A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue may lead to memory problems.</p> 3173 <h2 id="remediation">Remediation</h2> 3174 <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>bash</code>.</p> 3175 <h2 id="references">References</h2> 3176 <ul> 3177 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3715">ADVISORY</a></li> 3178 <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2126720">secalert@redhat.com</a></li> 3179 </ul> 3180 3181 <hr/> 3182 3183 <div class="cta card__cta"> 3184 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2204-BASH-3098342">More about this vulnerability</a></p> 3185 </div> 3186 3187 </div><!-- .card --> 3188 </div><!-- cards --> 3189 </div> 3190 </main><!-- .layout-stacked__content --> 3191 </body> 3192 3193 </html>