github.com/argoproj/argo-cd/v3@v3.2.1/docs/snyk/v3.1.5/quay.io_argoproj_argocd_v3.1.5.html
<!DOCTYPE html>
<html lang="en">

<head>
  <meta http-equiv="Content-type" content="text/html; charset=utf-8">
  <meta http-equiv="Content-Language" content="en-us">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <title>Snyk test report</title>
  <meta name="description" content="23 known vulnerabilities found in 81 vulnerable dependency paths.">
  <base target="_blank">
  <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
      sizes="194x194">
  <link rel="shortcut icon" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.ico">
</head>

<body class="section-projects">
  <main class="layout-stacked">
    <div class="layout-stacked__header header">
      <header class="project__header">
        <div class="layout-container">
          <div class="header-wrap">
            <h1 class="project__header__title">Snyk test report</h1>

            <p class="timestamp">September 14th 2025, 12:24:48 am (UTC+00:00)</p>
          </div>
          <div class="source-panel">
            <span>Scanned the following paths:</span>
            <ul>
              <li class="paths">quay.io/argoproj/argocd:v3.1.5/argoproj/argocd/Dockerfile (deb)</li>
              <li class="paths">quay.io/argoproj/argocd:v3.1.5/argoproj/argo-cd/v3//usr/local/bin/argocd (gomodules)</li>
              <li class="paths">quay.io/argoproj/argocd:v3.1.5//usr/local/bin/kustomize (gomodules)</li>
              <li class="paths">quay.io/argoproj/argocd:v3.1.5/helm/v3//usr/local/bin/helm (gomodules)</li>
              <li class="paths">quay.io/argoproj/argocd:v3.1.5/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)</li>
            </ul>
          </div>

          <div class="meta-counts">
            <div class="meta-count"><span>23</span> <span>known vulnerabilities</span></div>
            <div class="meta-count"><span>81 vulnerable dependency paths</span></div>
            <div class="meta-count"><span>2319</span> <span>dependencies</span></div>
          </div><!-- .meta-counts -->
        </div><!-- .layout-container--short -->
      </header><!-- .project__header -->
    </div><!-- .layout-stacked__header -->

    <div class="layout-container" style="padding-top: 35px;">
      <div class="cards--vuln filter--patch filter--ignore">
        <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
          <h2 class="card__title">Directory Traversal</h2>
          <div class="card__section">

            <div class="card__labels">
              <div class="label label--medium">
                <span class="label__text">medium severity</span>
              </div>
            </div>

            <hr/>

            <ul class="card__meta">
              <li class="card__meta__item">
                Manifest file: quay.io/argoproj/argocd:v3.1.5/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
              </li>
              <li class="card__meta__item">
                Package Manager: ubuntu:24.04
              </li>
              <li class="card__meta__item">
                Vulnerable module:

                tar
              </li>

              <li class="card__meta__item">Introduced through:

                docker-image|quay.io/argoproj/argocd@v3.1.5 and tar@1.35+dfsg-3build1

              </li>
            </ul>

            <hr/>

            <h3 class="card__section__title">Detailed paths</h3>

            <ul class="card__meta__paths">
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@v3.1.5
                  <span class="list-paths__item__arrow">›</span>
                  tar@1.35+dfsg-3build1
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@v3.1.5
                  <span class="list-paths__item__arrow">›</span>
                  dash@0.5.12-6ubuntu5
                  <span class="list-paths__item__arrow">›</span>
                  dpkg@1.22.6ubuntu6.1
                  <span class="list-paths__item__arrow">›</span>
                  tar@1.35+dfsg-3build1
                </span>
              </li>
            </ul><!-- .list-paths -->

          </div><!-- .card__section -->

          <hr/>
          <!-- Overview -->
          <h2 id="nvd-description">NVD Description</h2>
          <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>tar</code> package and not the <code>tar</code> package as distributed by <code>Ubuntu</code>.</em>
          <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p>
          <p>GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process.
First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). 
NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.</p>
          <h2 id="remediation">Remediation</h2>
          <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>tar</code>.</p>
          <h2 id="references">References</h2>
          <ul>
            <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-45582">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-45582</a></li>
            <li><a href="https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md">https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md</a></li>
            <li><a href="https://www.gnu.org/software/tar/">https://www.gnu.org/software/tar/</a></li>
            <li><a href="https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html">https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html</a></li>
            <li><a href="https://www.gnu.org/software/tar/manual/html_node/Integrity.html">https://www.gnu.org/software/tar/manual/html_node/Integrity.html</a></li>
            <li><a href="https://www.gnu.org/software/tar/manual/html_node/Security-rules-of-thumb.html">https://www.gnu.org/software/tar/manual/html_node/Security-rules-of-thumb.html</a></li>
          </ul>

          <hr/>

          <div class="cta card__cta">
            <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-TAR-10769052">More about this vulnerability</a></p>
          </div>

        </div><!-- .card -->
        <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
          <h2 class="card__title">CVE-2025-7709</h2>
          <div class="card__section">

            <div class="card__labels">
              <div class="label label--medium">
                <span class="label__text">medium severity</span>
              </div>
            </div>

            <hr/>

            <ul class="card__meta">
              <li class="card__meta__item">
                Manifest file: quay.io/argoproj/argocd:v3.1.5/argoproj/argocd <span
                class="list-paths__item__arrow">›</span> Dockerfile
              </li>
              <li class="card__meta__item">
                Package Manager: ubuntu:24.04
              </li>
              <li class="card__meta__item">
                Vulnerable module:

                sqlite3/libsqlite3-0
              </li>

              <li class="card__meta__item">Introduced through:

                docker-image|quay.io/argoproj/argocd@v3.1.5, gnupg2/gpg@2.4.4-2ubuntu17.3 and others
              </li>
            </ul>

            <hr/>

            <h3 class="card__section__title">Detailed paths</h3>

            <ul class="card__meta__paths">
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@v3.1.5
                  <span class="list-paths__item__arrow">›</span>
                  gnupg2/gpg@2.4.4-2ubuntu17.3
                  <span class="list-paths__item__arrow">›</span>
                  sqlite3/libsqlite3-0@3.45.1-1ubuntu2.4
                </span>
              </li>
            </ul><!-- .list-paths -->

          </div><!-- .card__section -->

          <hr/>
          <!-- Overview -->
          <h2 id="nvd-description">NVD Description</h2>
          <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>sqlite3</code> package and not the <code>sqlite3</code> package as distributed by <code>Ubuntu</code>.</em>
          <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p>
          <p>An integer overflow exists in the FTS5 <a href="https://sqlite.org/fts5.html">https://sqlite.org/fts5.html</a> extension. It occurs when the size of an array of tombstone pointers is calculated and truncated into a 32-bit integer.
A pointer to partially controlled data can then be written out of bounds.</p>
          <h2 id="remediation">Remediation</h2>
          <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>sqlite3</code>.</p>
          <h2 id="references">References</h2>
          <ul>
            <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-7709">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-7709</a></li>
            <li><a href="https://github.com/google/security-research/security/advisories/GHSA-v2c8-vqqp-hv3g">https://github.com/google/security-research/security/advisories/GHSA-v2c8-vqqp-hv3g</a></li>
          </ul>

          <hr/>

          <div class="cta card__cta">
            <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-SQLITE3-12554290">More about this vulnerability</a></p>
          </div>

        </div><!-- .card -->
        <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
          <h2 class="card__title">Insecure Storage of Sensitive Information</h2>
          <div class="card__section">

            <div class="card__labels">
              <div class="label label--medium">
                <span class="label__text">medium severity</span>
              </div>
            </div>

            <hr/>

            <ul class="card__meta">
              <li class="card__meta__item">
                Manifest file: quay.io/argoproj/argocd:v3.1.5/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
              </li>
              <li class="card__meta__item">
                Package Manager: ubuntu:24.04
              </li>
              <li class="card__meta__item">
                Vulnerable module:

                pam/libpam0g
              </li>

              <li class="card__meta__item">Introduced through:

                docker-image|quay.io/argoproj/argocd@v3.1.5 and pam/libpam0g@1.5.3-5ubuntu5.4

              </li>
            </ul>

            <hr/>

            <h3 class="card__section__title">Detailed paths</h3>

            <ul class="card__meta__paths">
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@v3.1.5
                  <span
                  class="list-paths__item__arrow">›</span>
                  pam/libpam0g@1.5.3-5ubuntu5.4
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@v3.1.5
                  <span class="list-paths__item__arrow">›</span>
                  shadow/login@1:4.13+dfsg1-4ubuntu3.2
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam0g@1.5.3-5ubuntu5.4
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@v3.1.5
                  <span class="list-paths__item__arrow">›</span>
                  util-linux@2.39.3-9ubuntu6.3
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam0g@1.5.3-5ubuntu5.4
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@v3.1.5
                  <span class="list-paths__item__arrow">›</span>
                  apt@2.8.3
                  <span class="list-paths__item__arrow">›</span>
                  adduser@3.137ubuntu1
                  <span class="list-paths__item__arrow">›</span>
                  shadow/passwd@1:4.13+dfsg1-4ubuntu3.2
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam0g@1.5.3-5ubuntu5.4
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@v3.1.5
                  <span class="list-paths__item__arrow">›</span>
                  apt@2.8.3
                  <span class="list-paths__item__arrow">›</span>
                  adduser@3.137ubuntu1
                  <span class="list-paths__item__arrow">›</span>
                  shadow/passwd@1:4.13+dfsg1-4ubuntu3.2
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-modules@1.5.3-5ubuntu5.4
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam0g@1.5.3-5ubuntu5.4
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@v3.1.5
                  <span class="list-paths__item__arrow">›</span>
                  apt@2.8.3
                  <span class="list-paths__item__arrow">›</span>
                  adduser@3.137ubuntu1
                  <span class="list-paths__item__arrow">›</span>
                  shadow/passwd@1:4.13+dfsg1-4ubuntu3.2
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-modules@1.5.3-5ubuntu5.4
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-modules-bin@1.5.3-5ubuntu5.4
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam0g@1.5.3-5ubuntu5.4
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@v3.1.5
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-modules-bin@1.5.3-5ubuntu5.4
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@v3.1.5
                  <span class="list-paths__item__arrow">›</span>
                  apt@2.8.3
                  <span class="list-paths__item__arrow">›</span>
                  adduser@3.137ubuntu1
                  <span class="list-paths__item__arrow">›</span>
                  shadow/passwd@1:4.13+dfsg1-4ubuntu3.2
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-modules@1.5.3-5ubuntu5.4
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-modules-bin@1.5.3-5ubuntu5.4
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@v3.1.5
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-modules@1.5.3-5ubuntu5.4
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@v3.1.5
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-runtime@1.5.3-5ubuntu5.4
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-modules@1.5.3-5ubuntu5.4
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@v3.1.5
                  <span class="list-paths__item__arrow">›</span>
                  shadow/login@1:4.13+dfsg1-4ubuntu3.2
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-modules@1.5.3-5ubuntu5.4
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@v3.1.5
                  <span class="list-paths__item__arrow">›</span>
                  apt@2.8.3
                  <span class="list-paths__item__arrow">›</span>
                  adduser@3.137ubuntu1
                  <span class="list-paths__item__arrow">›</span>
                  shadow/passwd@1:4.13+dfsg1-4ubuntu3.2
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-modules@1.5.3-5ubuntu5.4
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@v3.1.5
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-runtime@1.5.3-5ubuntu5.4
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@v3.1.5
                  <span class="list-paths__item__arrow">›</span>
                  shadow/login@1:4.13+dfsg1-4ubuntu3.2
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-runtime@1.5.3-5ubuntu5.4
                </span>
              </li>
            </ul><!-- .list-paths -->

          </div><!-- .card__section -->

          <hr/>
          <!-- Overview -->
          <h2 id="nvd-description">NVD Description</h2>
          <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>pam</code> package and not the <code>pam</code> package as distributed by <code>Ubuntu</code>.</em>
          <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p>
          <p>A vulnerability was found in PAM.
The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications.</p>
          <h2 id="remediation">Remediation</h2>
          <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>pam</code>.</p>
          <h2 id="references">References</h2>
          <ul>
            <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-10041">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-10041</a></li>
            <li><a href="https://access.redhat.com/security/cve/CVE-2024-10041">https://access.redhat.com/security/cve/CVE-2024-10041</a></li>
            <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2319212">https://bugzilla.redhat.com/show_bug.cgi?id=2319212</a></li>
            <li><a href="https://access.redhat.com/errata/RHSA-2024:9941">https://access.redhat.com/errata/RHSA-2024:9941</a></li>
            <li><a href="https://access.redhat.com/errata/RHSA-2024:10379">https://access.redhat.com/errata/RHSA-2024:10379</a></li>
            <li><a href="https://access.redhat.com/errata/RHSA-2024:11250">https://access.redhat.com/errata/RHSA-2024:11250</a></li>
          </ul>

          <hr/>

          <div class="cta card__cta">
            <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-PAM-8303372">More about this vulnerability</a></p>
          </div>

        </div><!-- .card -->
        <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
          <h2 class="card__title">Improper Authentication</h2>
          <div class="card__section">

            <div class="card__labels">
              <div class="label label--medium">
                <span class="label__text">medium severity</span>
              </div>
            </div>

            <hr/>

            <ul class="card__meta">
              <li class="card__meta__item">
                Manifest file:
                quay.io/argoproj/argocd:v3.1.5/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
              </li>
              <li class="card__meta__item">
                Package Manager: ubuntu:24.04
              </li>
              <li class="card__meta__item">
                Vulnerable module:

                pam/libpam0g
              </li>

              <li class="card__meta__item">Introduced through:

                docker-image|quay.io/argoproj/argocd@v3.1.5 and pam/libpam0g@1.5.3-5ubuntu5.4

              </li>
            </ul>

            <hr/>

            <h3 class="card__section__title">Detailed paths</h3>

            <ul class="card__meta__paths">
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@v3.1.5
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam0g@1.5.3-5ubuntu5.4
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@v3.1.5
                  <span class="list-paths__item__arrow">›</span>
                  shadow/login@1:4.13+dfsg1-4ubuntu3.2
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam0g@1.5.3-5ubuntu5.4
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@v3.1.5
                  <span class="list-paths__item__arrow">›</span>
                  util-linux@2.39.3-9ubuntu6.3
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam0g@1.5.3-5ubuntu5.4
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@v3.1.5
                  <span class="list-paths__item__arrow">›</span>
                  apt@2.8.3
                  <span class="list-paths__item__arrow">›</span>
                  adduser@3.137ubuntu1
                  <span class="list-paths__item__arrow">›</span>
                  shadow/passwd@1:4.13+dfsg1-4ubuntu3.2
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam0g@1.5.3-5ubuntu5.4
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@v3.1.5
                  <span class="list-paths__item__arrow">›</span>
                  apt@2.8.3
                  <span class="list-paths__item__arrow">›</span>
                  adduser@3.137ubuntu1
                  <span class="list-paths__item__arrow">›</span>
                  shadow/passwd@1:4.13+dfsg1-4ubuntu3.2
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-modules@1.5.3-5ubuntu5.4
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam0g@1.5.3-5ubuntu5.4
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@v3.1.5
                  <span class="list-paths__item__arrow">›</span>
                  apt@2.8.3
                  <span class="list-paths__item__arrow">›</span>
                  adduser@3.137ubuntu1
                  <span class="list-paths__item__arrow">›</span>
                  shadow/passwd@1:4.13+dfsg1-4ubuntu3.2
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-modules@1.5.3-5ubuntu5.4
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-modules-bin@1.5.3-5ubuntu5.4
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam0g@1.5.3-5ubuntu5.4
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@v3.1.5
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-modules-bin@1.5.3-5ubuntu5.4
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@v3.1.5
                  <span class="list-paths__item__arrow">›</span>
                  apt@2.8.3
                  <span class="list-paths__item__arrow">›</span>
                  adduser@3.137ubuntu1
                  <span class="list-paths__item__arrow">›</span>
                  shadow/passwd@1:4.13+dfsg1-4ubuntu3.2
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-modules@1.5.3-5ubuntu5.4
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-modules-bin@1.5.3-5ubuntu5.4
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@v3.1.5
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-modules@1.5.3-5ubuntu5.4
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@v3.1.5
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-runtime@1.5.3-5ubuntu5.4
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-modules@1.5.3-5ubuntu5.4
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@v3.1.5
                  <span class="list-paths__item__arrow">›</span>
                  shadow/login@1:4.13+dfsg1-4ubuntu3.2
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-modules@1.5.3-5ubuntu5.4
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@v3.1.5
                  <span class="list-paths__item__arrow">›</span>
                  apt@2.8.3
                  <span class="list-paths__item__arrow">›</span>
                  adduser@3.137ubuntu1
                  <span class="list-paths__item__arrow">›</span>
                  shadow/passwd@1:4.13+dfsg1-4ubuntu3.2
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-modules@1.5.3-5ubuntu5.4
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
                  docker-image|quay.io/argoproj/argocd@v3.1.5
                  <span class="list-paths__item__arrow">›</span>
                  pam/libpam-runtime@1.5.3-5ubuntu5.4
                </span>
              </li>
              <li>
                <span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|quay.io/argoproj/argocd@v3.1.5 1122 <span class="list-paths__item__arrow">›</span> 1123 shadow/login@1:4.13+dfsg1-4ubuntu3.2 1124 <span class="list-paths__item__arrow">›</span> 1125 pam/libpam-runtime@1.5.3-5ubuntu5.4 1126 1127 </span> 1128 1129 </li> 1130 </ul><!-- .list-paths --> 1131 1132 </div><!-- .card__section --> 1133 1134 <hr/> 1135 <!-- Overview --> 1136 <h2 id="nvd-description">NVD Description</h2> 1137 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>pam</code> package and not the <code>pam</code> package as distributed by <code>Ubuntu</code>.</em> 1138 <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p> 1139 <p>A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. 
This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.</p> 1140 <h2 id="remediation">Remediation</h2> 1141 <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>pam</code>.</p> 1142 <h2 id="references">References</h2> 1143 <ul> 1144 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-10963">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-10963</a></li> 1145 <li><a href="https://access.redhat.com/security/cve/CVE-2024-10963">https://access.redhat.com/security/cve/CVE-2024-10963</a></li> 1146 <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2324291">https://bugzilla.redhat.com/show_bug.cgi?id=2324291</a></li> 1147 <li><a href="https://access.redhat.com/errata/RHSA-2024:10232">https://access.redhat.com/errata/RHSA-2024:10232</a></li> 1148 <li><a href="https://access.redhat.com/errata/RHSA-2024:10244">https://access.redhat.com/errata/RHSA-2024:10244</a></li> 1149 <li><a href="https://access.redhat.com/errata/RHSA-2024:10379">https://access.redhat.com/errata/RHSA-2024:10379</a></li> 1150 <li><a href="https://access.redhat.com/errata/RHSA-2024:10518">https://access.redhat.com/errata/RHSA-2024:10518</a></li> 1151 <li><a href="https://access.redhat.com/errata/RHSA-2024:10528">https://access.redhat.com/errata/RHSA-2024:10528</a></li> 1152 <li><a href="https://access.redhat.com/errata/RHSA-2024:10852">https://access.redhat.com/errata/RHSA-2024:10852</a></li> 1153 </ul> 1154 1155 <hr/> 1156 1157 <div class="cta card__cta"> 1158 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-PAM-8352843">More about this vulnerability</a></p> 1159 </div> 1160 1161 </div><!-- .card --> 1162 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1163 <h2 class="card__title">CVE-2025-8058</h2> 1164 <div class="card__section"> 1165 1166 <div class="card__labels"> 1167 <div class="label label--medium"> 1168 <span class="label__text">medium severity</span> 
1169 </div> 1170 </div> 1171 1172 <hr/> 1173 1174 <ul class="card__meta"> 1175 <li class="card__meta__item"> 1176 Manifest file: quay.io/argoproj/argocd:v3.1.5/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 1177 </li> 1178 <li class="card__meta__item"> 1179 Package Manager: ubuntu:24.04 1180 </li> 1181 <li class="card__meta__item"> 1182 Vulnerable module: 1183 1184 glibc/libc-bin 1185 </li> 1186 1187 <li class="card__meta__item">Introduced through: 1188 1189 docker-image|quay.io/argoproj/argocd@v3.1.5 and glibc/libc-bin@2.39-0ubuntu8.5 1190 1191 </li> 1192 </ul> 1193 1194 <hr/> 1195 1196 1197 <h3 class="card__section__title">Detailed paths</h3> 1198 1199 <ul class="card__meta__paths"> 1200 <li> 1201 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1202 docker-image|quay.io/argoproj/argocd@v3.1.5 1203 <span class="list-paths__item__arrow">›</span> 1204 glibc/libc-bin@2.39-0ubuntu8.5 1205 1206 </span> 1207 1208 </li> 1209 <li> 1210 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1211 docker-image|quay.io/argoproj/argocd@v3.1.5 1212 <span class="list-paths__item__arrow">›</span> 1213 glibc/libc6@2.39-0ubuntu8.5 1214 1215 </span> 1216 1217 </li> 1218 </ul><!-- .list-paths --> 1219 1220 </div><!-- .card__section --> 1221 1222 <hr/> 1223 <!-- Overview --> 1224 <h2 id="nvd-description">NVD Description</h2> 1225 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>glibc</code> package and not the <code>glibc</code> package as distributed by <code>Ubuntu</code>.</em> 1226 <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p> 1227 <p>The regcomp function in the GNU C library version from 2.4 to 2.41 is 1228 subject to a double free if some previous allocation fails. It can be 1229 accomplished either by a malloc failure or by using an interposed malloc 1230 that injects random malloc failures. 
The double free can allow buffer 1231 manipulation depending on how the regex is constructed. This issue 1232 affects all architectures and ABIs supported by the GNU C library.</p> 1233 <h2 id="remediation">Remediation</h2> 1234 <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>glibc</code>.</p> 1235 <h2 id="references">References</h2> 1236 <ul> 1237 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-8058">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-8058</a></li> 1238 <li><a href="https://sourceware.org/bugzilla/show_bug.cgi?id=33185">https://sourceware.org/bugzilla/show_bug.cgi?id=33185</a></li> 1239 <li><a href="https://sourceware.org/git/?p=glibc.git;a=commit;h=3ff17af18c38727b88d9115e536c069e6b5d601f">https://sourceware.org/git/?p=glibc.git;a=commit;h=3ff17af18c38727b88d9115e536c069e6b5d601f</a></li> 1240 </ul> 1241 1242 <hr/> 1243 1244 <div class="cta card__cta"> 1245 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-GLIBC-11031045">More about this vulnerability</a></p> 1246 </div> 1247 1248 </div><!-- .card --> 1249 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1250 <h2 class="card__title">MPL-2.0 license</h2> 1251 <div class="card__section"> 1252 1253 <div class="card__labels"> 1254 <div class="label label--medium"> 1255 <span class="label__text">medium severity</span> 1256 </div> 1257 </div> 1258 1259 <hr/> 1260 1261 <ul class="card__meta"> 1262 <li class="card__meta__item"> 1263 Manifest file: quay.io/argoproj/argocd:v3.1.5/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd 1264 </li> 1265 <li class="card__meta__item"> 1266 Package Manager: golang 1267 </li> 1268 <li class="card__meta__item"> 1269 Module: 1270 1271 github.com/r3labs/diff/v3 1272 </li> 1273 1274 <li class="card__meta__item">Introduced through: 1275 1276 github.com/argoproj/argo-cd/v3@* and github.com/r3labs/diff/v3@v3.0.1 1277 1278 </li> 1279 </ul> 1280 1281 <hr/> 
1282 1283 1284 <h3 class="card__section__title">Detailed paths</h3> 1285 1286 <ul class="card__meta__paths"> 1287 <li> 1288 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1289 github.com/argoproj/argo-cd/v3@* 1290 <span class="list-paths__item__arrow">›</span> 1291 github.com/r3labs/diff/v3@v3.0.1 1292 1293 </span> 1294 1295 </li> 1296 </ul><!-- .list-paths --> 1297 1298 </div><!-- .card__section --> 1299 1300 <hr/> 1301 <!-- Overview --> 1302 <p>MPL-2.0 license</p> 1303 1304 <hr/> 1305 1306 <div class="cta card__cta"> 1307 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:r3labs:diff:v3:MPL-2.0">More about this vulnerability</a></p> 1308 </div> 1309 1310 </div><!-- .card --> 1311 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1312 <h2 class="card__title">MPL-2.0 license</h2> 1313 <div class="card__section"> 1314 1315 <div class="card__labels"> 1316 <div class="label label--medium"> 1317 <span class="label__text">medium severity</span> 1318 </div> 1319 </div> 1320 1321 <hr/> 1322 1323 <ul class="card__meta"> 1324 <li class="card__meta__item"> 1325 Manifest file: quay.io/argoproj/argocd:v3.1.5/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd 1326 </li> 1327 <li class="card__meta__item"> 1328 Package Manager: golang 1329 </li> 1330 <li class="card__meta__item"> 1331 Module: 1332 1333 github.com/hashicorp/go-version 1334 </li> 1335 1336 <li class="card__meta__item">Introduced through: 1337 1338 github.com/argoproj/argo-cd/v3@* and github.com/hashicorp/go-version@v1.7.0 1339 1340 </li> 1341 </ul> 1342 1343 <hr/> 1344 1345 1346 <h3 class="card__section__title">Detailed paths</h3> 1347 1348 <ul class="card__meta__paths"> 1349 <li> 1350 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1351 github.com/argoproj/argo-cd/v3@* 1352 <span class="list-paths__item__arrow">›</span> 1353 github.com/hashicorp/go-version@v1.7.0 1354 1355 
</span> 1356 1357 </li> 1358 </ul><!-- .list-paths --> 1359 1360 </div><!-- .card__section --> 1361 1362 <hr/> 1363 <!-- Overview --> 1364 <p>MPL-2.0 license</p> 1365 1366 <hr/> 1367 1368 <div class="cta card__cta"> 1369 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-version:MPL-2.0">More about this vulnerability</a></p> 1370 </div> 1371 1372 </div><!-- .card --> 1373 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1374 <h2 class="card__title">MPL-2.0 license</h2> 1375 <div class="card__section"> 1376 1377 <div class="card__labels"> 1378 <div class="label label--medium"> 1379 <span class="label__text">medium severity</span> 1380 </div> 1381 </div> 1382 1383 <hr/> 1384 1385 <ul class="card__meta"> 1386 <li class="card__meta__item"> 1387 Manifest file: quay.io/argoproj/argocd:v3.1.5/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd 1388 </li> 1389 <li class="card__meta__item"> 1390 Package Manager: golang 1391 </li> 1392 <li class="card__meta__item"> 1393 Module: 1394 1395 github.com/hashicorp/go-retryablehttp 1396 </li> 1397 1398 <li class="card__meta__item">Introduced through: 1399 1400 github.com/argoproj/argo-cd/v3@* and github.com/hashicorp/go-retryablehttp@v0.7.7 1401 1402 </li> 1403 </ul> 1404 1405 <hr/> 1406 1407 1408 <h3 class="card__section__title">Detailed paths</h3> 1409 1410 <ul class="card__meta__paths"> 1411 <li> 1412 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1413 github.com/argoproj/argo-cd/v3@* 1414 <span class="list-paths__item__arrow">›</span> 1415 github.com/hashicorp/go-retryablehttp@v0.7.7 1416 1417 </span> 1418 1419 </li> 1420 </ul><!-- .list-paths --> 1421 1422 </div><!-- .card__section --> 1423 1424 <hr/> 1425 <!-- Overview --> 1426 <p>MPL-2.0 license</p> 1427 1428 <hr/> 1429 1430 <div class="cta card__cta"> 1431 <p><a 
href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-retryablehttp:MPL-2.0">More about this vulnerability</a></p> 1432 </div> 1433 1434 </div><!-- .card --> 1435 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1436 <h2 class="card__title">MPL-2.0 license</h2> 1437 <div class="card__section"> 1438 1439 <div class="card__labels"> 1440 <div class="label label--medium"> 1441 <span class="label__text">medium severity</span> 1442 </div> 1443 </div> 1444 1445 <hr/> 1446 1447 <ul class="card__meta"> 1448 <li class="card__meta__item"> 1449 Manifest file: quay.io/argoproj/argocd:v3.1.5/helm/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/helm 1450 </li> 1451 <li class="card__meta__item"> 1452 Package Manager: golang 1453 </li> 1454 <li class="card__meta__item"> 1455 Module: 1456 1457 github.com/hashicorp/go-multierror 1458 </li> 1459 1460 <li class="card__meta__item">Introduced through: 1461 1462 helm.sh/helm/v3@* and github.com/hashicorp/go-multierror@v1.1.1 1463 1464 </li> 1465 </ul> 1466 1467 <hr/> 1468 1469 1470 <h3 class="card__section__title">Detailed paths</h3> 1471 1472 <ul class="card__meta__paths"> 1473 <li> 1474 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1475 helm.sh/helm/v3@* 1476 <span class="list-paths__item__arrow">›</span> 1477 github.com/hashicorp/go-multierror@v1.1.1 1478 1479 </span> 1480 1481 </li> 1482 </ul><!-- .list-paths --> 1483 1484 </div><!-- .card__section --> 1485 1486 <hr/> 1487 <!-- Overview --> 1488 <p>MPL-2.0 license</p> 1489 1490 <hr/> 1491 1492 <div class="cta card__cta"> 1493 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-multierror:MPL-2.0">More about this vulnerability</a></p> 1494 </div> 1495 1496 </div><!-- .card --> 1497 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1498 <h2 class="card__title">MPL-2.0 license</h2> 1499 <div class="card__section"> 1500 1501 <div 
class="card__labels"> 1502 <div class="label label--medium"> 1503 <span class="label__text">medium severity</span> 1504 </div> 1505 </div> 1506 1507 <hr/> 1508 1509 <ul class="card__meta"> 1510 <li class="card__meta__item"> 1511 Manifest file: quay.io/argoproj/argocd:v3.1.5/argoproj/argo-cd/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd 1512 </li> 1513 <li class="card__meta__item"> 1514 Package Manager: golang 1515 </li> 1516 <li class="card__meta__item"> 1517 Module: 1518 1519 github.com/hashicorp/go-cleanhttp 1520 </li> 1521 1522 <li class="card__meta__item">Introduced through: 1523 1524 github.com/argoproj/argo-cd/v3@* and github.com/hashicorp/go-cleanhttp@v0.5.2 1525 1526 </li> 1527 </ul> 1528 1529 <hr/> 1530 1531 1532 <h3 class="card__section__title">Detailed paths</h3> 1533 1534 <ul class="card__meta__paths"> 1535 <li> 1536 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1537 github.com/argoproj/argo-cd/v3@* 1538 <span class="list-paths__item__arrow">›</span> 1539 github.com/hashicorp/go-cleanhttp@v0.5.2 1540 1541 </span> 1542 1543 </li> 1544 </ul><!-- .list-paths --> 1545 1546 </div><!-- .card__section --> 1547 1548 <hr/> 1549 <!-- Overview --> 1550 <p>MPL-2.0 license</p> 1551 1552 <hr/> 1553 1554 <div class="cta card__cta"> 1555 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:hashicorp:go-cleanhttp:MPL-2.0">More about this vulnerability</a></p> 1556 </div> 1557 1558 </div><!-- .card --> 1559 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1560 <h2 class="card__title">MPL-2.0 license</h2> 1561 <div class="card__section"> 1562 1563 <div class="card__labels"> 1564 <div class="label label--medium"> 1565 <span class="label__text">medium severity</span> 1566 </div> 1567 </div> 1568 1569 <hr/> 1570 1571 <ul class="card__meta"> 1572 <li class="card__meta__item"> 1573 Manifest file: quay.io/argoproj/argocd:v3.1.5/argoproj/argo-cd/v3 <span 
class="list-paths__item__arrow">›</span> /usr/local/bin/argocd 1574 </li> 1575 <li class="card__meta__item"> 1576 Package Manager: golang 1577 </li> 1578 <li class="card__meta__item"> 1579 Module: 1580 1581 github.com/gosimple/slug 1582 </li> 1583 1584 <li class="card__meta__item">Introduced through: 1585 1586 github.com/argoproj/argo-cd/v3@* and github.com/gosimple/slug@v1.15.0 1587 1588 </li> 1589 </ul> 1590 1591 <hr/> 1592 1593 1594 <h3 class="card__section__title">Detailed paths</h3> 1595 1596 <ul class="card__meta__paths"> 1597 <li> 1598 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1599 github.com/argoproj/argo-cd/v3@* 1600 <span class="list-paths__item__arrow">›</span> 1601 github.com/gosimple/slug@v1.15.0 1602 1603 </span> 1604 1605 </li> 1606 </ul><!-- .list-paths --> 1607 1608 </div><!-- .card__section --> 1609 1610 <hr/> 1611 <!-- Overview --> 1612 <p>MPL-2.0 license</p> 1613 1614 <hr/> 1615 1616 <div class="cta card__cta"> 1617 <p><a href="https://snyk.io/vuln/snyk:lic:golang:github.com:gosimple:slug:MPL-2.0">More about this vulnerability</a></p> 1618 </div> 1619 1620 </div><!-- .card --> 1621 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 1622 <h2 class="card__title">Improper Encoding or Escaping of Output</h2> 1623 <div class="card__section"> 1624 1625 <div class="card__labels"> 1626 <div class="label label--medium"> 1627 <span class="label__text">medium severity</span> 1628 </div> 1629 </div> 1630 1631 <hr/> 1632 1633 <ul class="card__meta"> 1634 <li class="card__meta__item"> 1635 Manifest file: quay.io/argoproj/argocd:v3.1.5/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 1636 </li> 1637 <li class="card__meta__item"> 1638 Package Manager: ubuntu:24.04 1639 </li> 1640 <li class="card__meta__item"> 1641 Vulnerable module: 1642 1643 git/git-man 1644 </li> 1645 1646 <li class="card__meta__item">Introduced through: 1647 1648 1649 
docker-image|quay.io/argoproj/argocd@v3.1.5, git@1:2.43.0-1ubuntu7.3 and others 1650 </li> 1651 </ul> 1652 1653 <hr/> 1654 1655 1656 <h3 class="card__section__title">Detailed paths</h3> 1657 1658 <ul class="card__meta__paths"> 1659 <li> 1660 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1661 docker-image|quay.io/argoproj/argocd@v3.1.5 1662 <span class="list-paths__item__arrow">›</span> 1663 git@1:2.43.0-1ubuntu7.3 1664 <span class="list-paths__item__arrow">›</span> 1665 git/git-man@1:2.43.0-1ubuntu7.3 1666 1667 </span> 1668 1669 </li> 1670 <li> 1671 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1672 docker-image|quay.io/argoproj/argocd@v3.1.5 1673 <span class="list-paths__item__arrow">›</span> 1674 git@1:2.43.0-1ubuntu7.3 1675 1676 </span> 1677 1678 </li> 1679 <li> 1680 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1681 docker-image|quay.io/argoproj/argocd@v3.1.5 1682 <span class="list-paths__item__arrow">›</span> 1683 git-lfs@3.4.1-1ubuntu0.3 1684 <span class="list-paths__item__arrow">›</span> 1685 git@1:2.43.0-1ubuntu7.3 1686 1687 </span> 1688 1689 </li> 1690 </ul><!-- .list-paths --> 1691 1692 </div><!-- .card__section --> 1693 1694 <hr/> 1695 <!-- Overview --> 1696 <h2 id="nvd-description">NVD Description</h2> 1697 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>git</code> package and not the <code>git</code> package as distributed by <code>Ubuntu</code>.</em> 1698 <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p> 1699 <p>Git is a source code management tool. When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the standard error output. 
Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that can be used by a malicious actor to hide and misrepresent information, or to mislead the user into executing untrusted scripts. As requested on the git-security mailing list, the patches are under discussion on the public mailing list. Users are advised to update as soon as possible. Users unable to upgrade should avoid recursive clones unless they are from trusted sources.</p> 1700 <h2 id="remediation">Remediation</h2> 1701 <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>git</code>.</p> 1702 <h2 id="references">References</h2> 1703 <ul> 1704 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-52005">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-52005</a></li> 1705 <li><a href="https://github.com/git/git/security/advisories/GHSA-7jjc-gg6m-3329">https://github.com/git/git/security/advisories/GHSA-7jjc-gg6m-3329</a></li> 1706 <li><a href="https://lore.kernel.org/git/1M9FnZ-1taoNo1wwh-00ESSd@mail.gmx.net">https://lore.kernel.org/git/1M9FnZ-1taoNo1wwh-00ESSd@mail.gmx.net</a></li> 1707 </ul> 1708 1709 <hr/> 1710 1711 <div class="cta card__cta"> 1712 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-GIT-8637112">More about this vulnerability</a></p> 1713 </div> 1714 1715 </div><!-- .card --> 1716 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 1717 <h2 class="card__title">CVE-2024-56433</h2> 1718 <div class="card__section"> 1719 1720 <div class="card__labels"> 1721 <div class="label label--low"> 1722 <span class="label__text">low severity</span> 1723 </div> 1724 </div> 1725 1726 <hr/> 1727 1728 <ul class="card__meta"> 1729 <li class="card__meta__item"> 1730 Manifest file: quay.io/argoproj/argocd:v3.1.5/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 1731 </li> 1732 <li 
class="card__meta__item"> 1733 Package Manager: ubuntu:24.04 1734 </li> 1735 <li class="card__meta__item"> 1736 Vulnerable module: 1737 1738 shadow/passwd 1739 </li> 1740 1741 <li class="card__meta__item">Introduced through: 1742 1743 docker-image|quay.io/argoproj/argocd@v3.1.5 and shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 1744 1745 </li> 1746 </ul> 1747 1748 <hr/> 1749 1750 1751 <h3 class="card__section__title">Detailed paths</h3> 1752 1753 <ul class="card__meta__paths"> 1754 <li> 1755 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1756 docker-image|quay.io/argoproj/argocd@v3.1.5 1757 <span class="list-paths__item__arrow">›</span> 1758 shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 1759 1760 </span> 1761 1762 </li> 1763 <li> 1764 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1765 docker-image|quay.io/argoproj/argocd@v3.1.5 1766 <span class="list-paths__item__arrow">›</span> 1767 openssh/openssh-client@1:9.6p1-3ubuntu13.14 1768 <span class="list-paths__item__arrow">›</span> 1769 shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 1770 1771 </span> 1772 1773 </li> 1774 <li> 1775 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1776 docker-image|quay.io/argoproj/argocd@v3.1.5 1777 <span class="list-paths__item__arrow">›</span> 1778 apt@2.8.3 1779 <span class="list-paths__item__arrow">›</span> 1780 adduser@3.137ubuntu1 1781 <span class="list-paths__item__arrow">›</span> 1782 shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 1783 1784 </span> 1785 1786 </li> 1787 <li> 1788 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1789 docker-image|quay.io/argoproj/argocd@v3.1.5 1790 <span class="list-paths__item__arrow">›</span> 1791 shadow/login@1:4.13+dfsg1-4ubuntu3.2 1792 1793 </span> 1794 1795 </li> 1796 </ul><!-- .list-paths --> 1797 1798 </div><!-- .card__section --> 1799 1800 <hr/> 1801 <!-- Overview --> 1802 <h2 id="nvd-description">NVD Description</h2> 1803 <p><strong><em>Note:</em></strong> <em>Versions 
mentioned in the description apply only to the upstream <code>shadow</code> package and not the <code>shadow</code> package as distributed by <code>Ubuntu</code>.</em> 1804 <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p> 1805 <p>shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.</p> 1806 <h2 id="remediation">Remediation</h2> 1807 <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>shadow</code>.</p> 1808 <h2 id="references">References</h2> 1809 <ul> 1810 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-56433">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-56433</a></li> 1811 <li><a href="https://github.com/shadow-maint/shadow/blob/e2512d5741d4a44bdd81a8c2d0029b6222728cf0/etc/login.defs#L238-L241">https://github.com/shadow-maint/shadow/blob/e2512d5741d4a44bdd81a8c2d0029b6222728cf0/etc/login.defs#L238-L241</a></li> 1812 <li><a href="https://github.com/shadow-maint/shadow/issues/1157">https://github.com/shadow-maint/shadow/issues/1157</a></li> 1813 <li><a href="https://github.com/shadow-maint/shadow/releases/tag/4.4">https://github.com/shadow-maint/shadow/releases/tag/4.4</a></li> 1814 </ul> 1815 1816 <hr/> 1817 1818 <div class="cta card__cta"> 1819 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-SHADOW-8600509">More about this vulnerability</a></p> 1820 </div> 1821 1822 </div><!-- .card --> 1823 <div class="card card--vuln 
disclosure--not-new severity--low" data-snyk-test="low"> 1824 <h2 class="card__title">Release of Invalid Pointer or Reference</h2> 1825 <div class="card__section"> 1826 1827 <div class="card__labels"> 1828 <div class="label label--low"> 1829 <span class="label__text">low severity</span> 1830 </div> 1831 </div> 1832 1833 <hr/> 1834 1835 <ul class="card__meta"> 1836 <li class="card__meta__item"> 1837 Manifest file: quay.io/argoproj/argocd:v3.1.5/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 1838 </li> 1839 <li class="card__meta__item"> 1840 Package Manager: ubuntu:24.04 1841 </li> 1842 <li class="card__meta__item"> 1843 Vulnerable module: 1844 1845 patch 1846 </li> 1847 1848 <li class="card__meta__item">Introduced through: 1849 1850 docker-image|quay.io/argoproj/argocd@v3.1.5 and patch@2.7.6-7build3 1851 1852 </li> 1853 </ul> 1854 1855 <hr/> 1856 1857 1858 <h3 class="card__section__title">Detailed paths</h3> 1859 1860 <ul class="card__meta__paths"> 1861 <li> 1862 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1863 docker-image|quay.io/argoproj/argocd@v3.1.5 1864 <span class="list-paths__item__arrow">›</span> 1865 patch@2.7.6-7build3 1866 1867 </span> 1868 1869 </li> 1870 </ul><!-- .list-paths --> 1871 1872 </div><!-- .card__section --> 1873 1874 <hr/> 1875 <!-- Overview --> 1876 <h2 id="nvd-description">NVD Description</h2> 1877 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>patch</code> package and not the <code>patch</code> package as distributed by <code>Ubuntu</code>.</em> 1878 <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p> 1879 <p>An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.</p> 1880 <h2 id="remediation">Remediation</h2> 1881 <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>patch</code>.</p> 1882 
<h2 id="references">References</h2> 1883 <ul> 1884 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-45261">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-45261</a></li> 1885 <li><a href="https://savannah.gnu.org/bugs/?61685">https://savannah.gnu.org/bugs/?61685</a></li> 1886 </ul> 1887 1888 <hr/> 1889 1890 <div class="cta card__cta"> 1891 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-PATCH-6707039">More about this vulnerability</a></p> 1892 </div> 1893 1894 </div><!-- .card --> 1895 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 1896 <h2 class="card__title">Double Free</h2> 1897 <div class="card__section"> 1898 1899 <div class="card__labels"> 1900 <div class="label label--low"> 1901 <span class="label__text">low severity</span> 1902 </div> 1903 </div> 1904 1905 <hr/> 1906 1907 <ul class="card__meta"> 1908 <li class="card__meta__item"> 1909 Manifest file: quay.io/argoproj/argocd:v3.1.5/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 1910 </li> 1911 <li class="card__meta__item"> 1912 Package Manager: ubuntu:24.04 1913 </li> 1914 <li class="card__meta__item"> 1915 Vulnerable module: 1916 1917 patch 1918 </li> 1919 1920 <li class="card__meta__item">Introduced through: 1921 1922 docker-image|quay.io/argoproj/argocd@v3.1.5 and patch@2.7.6-7build3 1923 1924 </li> 1925 </ul> 1926 1927 <hr/> 1928 1929 1930 <h3 class="card__section__title">Detailed paths</h3> 1931 1932 <ul class="card__meta__paths"> 1933 <li> 1934 <span class="list-paths__item__introduced"><em>Introduced through</em>: 1935 docker-image|quay.io/argoproj/argocd@v3.1.5 1936 <span class="list-paths__item__arrow">›</span> 1937 patch@2.7.6-7build3 1938 1939 </span> 1940 1941 </li> 1942 </ul><!-- .list-paths --> 1943 1944 </div><!-- .card__section --> 1945 1946 <hr/> 1947 <!-- Overview --> 1948 <h2 id="nvd-description">NVD Description</h2> 1949 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description 
apply only to the upstream <code>patch</code> package and not the <code>patch</code> package as distributed by <code>Ubuntu</code>.</em> 1950 <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p> 1951 <p>A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.</p> 1952 <h2 id="remediation">Remediation</h2> 1953 <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>patch</code>.</p> 1954 <h2 id="references">References</h2> 1955 <ul> 1956 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-6952">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-6952</a></li> 1957 <li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6952">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6952</a></li> 1958 <li><a href="https://security-tracker.debian.org/tracker/CVE-2018-6952">https://security-tracker.debian.org/tracker/CVE-2018-6952</a></li> 1959 <li><a href="https://security.gentoo.org/glsa/201904-17">https://security.gentoo.org/glsa/201904-17</a></li> 1960 <li><a href="https://savannah.gnu.org/bugs/index.php?53133">https://savannah.gnu.org/bugs/index.php?53133</a></li> 1961 <li><a href="https://access.redhat.com/errata/RHSA-2019:2033">https://access.redhat.com/errata/RHSA-2019:2033</a></li> 1962 <li><a href="http://www.securityfocus.com/bid/103047">http://www.securityfocus.com/bid/103047</a></li> 1963 </ul> 1964 1965 <hr/> 1966 1967 <div class="cta card__cta"> 1968 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-PATCH-6720551">More about this vulnerability</a></p> 1969 </div> 1970 1971 </div><!-- .card --> 1972 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 1973 <h2 class="card__title">CVE-2024-41996</h2> 1974 <div class="card__section"> 1975 1976 <div class="card__labels"> 1977 <div class="label label--low"> 1978 <span class="label__text">low severity</span> 1979 </div> 1980 </div> 1981 1982 <hr/> 1983 1984 
<ul class="card__meta"> 1985 <li class="card__meta__item"> 1986 Manifest file: quay.io/argoproj/argocd:v3.1.5/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 1987 </li> 1988 <li class="card__meta__item"> 1989 Package Manager: ubuntu:24.04 1990 </li> 1991 <li class="card__meta__item"> 1992 Vulnerable module: 1993 1994 openssl/libssl3t64 1995 </li> 1996 1997 <li class="card__meta__item">Introduced through: 1998 1999 docker-image|quay.io/argoproj/argocd@v3.1.5 and openssl/libssl3t64@3.0.13-0ubuntu3.5 2000 2001 </li> 2002 </ul> 2003 2004 <hr/> 2005 2006 2007 <h3 class="card__section__title">Detailed paths</h3> 2008 2009 <ul class="card__meta__paths"> 2010 <li> 2011 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2012 docker-image|quay.io/argoproj/argocd@v3.1.5 2013 <span class="list-paths__item__arrow">›</span> 2014 openssl/libssl3t64@3.0.13-0ubuntu3.5 2015 2016 </span> 2017 2018 </li> 2019 <li> 2020 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2021 docker-image|quay.io/argoproj/argocd@v3.1.5 2022 <span class="list-paths__item__arrow">›</span> 2023 coreutils@9.4-3ubuntu6.1 2024 <span class="list-paths__item__arrow">›</span> 2025 openssl/libssl3t64@3.0.13-0ubuntu3.5 2026 2027 </span> 2028 2029 </li> 2030 <li> 2031 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2032 docker-image|quay.io/argoproj/argocd@v3.1.5 2033 <span class="list-paths__item__arrow">›</span> 2034 cyrus-sasl2/libsasl2-modules@2.1.28+dfsg1-5ubuntu3.1 2035 <span class="list-paths__item__arrow">›</span> 2036 openssl/libssl3t64@3.0.13-0ubuntu3.5 2037 2038 </span> 2039 2040 </li> 2041 <li> 2042 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2043 docker-image|quay.io/argoproj/argocd@v3.1.5 2044 <span class="list-paths__item__arrow">›</span> 2045 libfido2/libfido2-1@1.14.0-1build3 2046 <span class="list-paths__item__arrow">›</span> 2047 openssl/libssl3t64@3.0.13-0ubuntu3.5 2048 2049 
</span> 2050 2051 </li> 2052 <li> 2053 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2054 docker-image|quay.io/argoproj/argocd@v3.1.5 2055 <span class="list-paths__item__arrow">›</span> 2056 openssh/openssh-client@1:9.6p1-3ubuntu13.14 2057 <span class="list-paths__item__arrow">›</span> 2058 openssl/libssl3t64@3.0.13-0ubuntu3.5 2059 2060 </span> 2061 2062 </li> 2063 <li> 2064 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2065 docker-image|quay.io/argoproj/argocd@v3.1.5 2066 <span class="list-paths__item__arrow">›</span> 2067 ca-certificates@20240203 2068 <span class="list-paths__item__arrow">›</span> 2069 openssl@3.0.13-0ubuntu3.5 2070 <span class="list-paths__item__arrow">›</span> 2071 openssl/libssl3t64@3.0.13-0ubuntu3.5 2072 2073 </span> 2074 2075 </li> 2076 <li> 2077 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2078 docker-image|quay.io/argoproj/argocd@v3.1.5 2079 <span class="list-paths__item__arrow">›</span> 2080 git@1:2.43.0-1ubuntu7.3 2081 <span class="list-paths__item__arrow">›</span> 2082 curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 2083 <span class="list-paths__item__arrow">›</span> 2084 libssh/libssh-4@0.10.6-2ubuntu0.1 2085 <span class="list-paths__item__arrow">›</span> 2086 openssl/libssl3t64@3.0.13-0ubuntu3.5 2087 2088 </span> 2089 2090 </li> 2091 <li> 2092 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2093 docker-image|quay.io/argoproj/argocd@v3.1.5 2094 <span class="list-paths__item__arrow">›</span> 2095 git@1:2.43.0-1ubuntu7.3 2096 <span class="list-paths__item__arrow">›</span> 2097 curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 2098 <span class="list-paths__item__arrow">›</span> 2099 krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.6 2100 <span class="list-paths__item__arrow">›</span> 2101 krb5/libkrb5-3@1.20.1-6ubuntu2.6 2102 <span class="list-paths__item__arrow">›</span> 2103 openssl/libssl3t64@3.0.13-0ubuntu3.5 2104 2105 </span> 2106 2107 </li> 2108 <li> 2109 
<span class="list-paths__item__introduced"><em>Introduced through</em>: 2110 docker-image|quay.io/argoproj/argocd@v3.1.5 2111 <span class="list-paths__item__arrow">›</span> 2112 git@1:2.43.0-1ubuntu7.3 2113 <span class="list-paths__item__arrow">›</span> 2114 curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 2115 <span class="list-paths__item__arrow">›</span> 2116 openldap/libldap2@2.6.7+dfsg-1~exp1ubuntu8.2 2117 <span class="list-paths__item__arrow">›</span> 2118 cyrus-sasl2/libsasl2-2@2.1.28+dfsg1-5ubuntu3.1 2119 <span class="list-paths__item__arrow">›</span> 2120 openssl/libssl3t64@3.0.13-0ubuntu3.5 2121 2122 </span> 2123 2124 </li> 2125 <li> 2126 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2127 docker-image|quay.io/argoproj/argocd@v3.1.5 2128 <span class="list-paths__item__arrow">›</span> 2129 openssl@3.0.13-0ubuntu3.5 2130 2131 </span> 2132 2133 </li> 2134 <li> 2135 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2136 docker-image|quay.io/argoproj/argocd@v3.1.5 2137 <span class="list-paths__item__arrow">›</span> 2138 ca-certificates@20240203 2139 <span class="list-paths__item__arrow">›</span> 2140 openssl@3.0.13-0ubuntu3.5 2141 2142 </span> 2143 2144 </li> 2145 </ul><!-- .list-paths --> 2146 2147 </div><!-- .card__section --> 2148 2149 <hr/> 2150 <!-- Overview --> 2151 <h2 id="nvd-description">NVD Description</h2> 2152 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssl</code> package and not the <code>openssl</code> package as distributed by <code>Ubuntu</code>.</em> 2153 <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p> 2154 <p>Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. 
The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.</p> 2155 <h2 id="remediation">Remediation</h2> 2156 <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>openssl</code>.</p> 2157 <h2 id="references">References</h2> 2158 <ul> 2159 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-41996">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-41996</a></li> 2160 <li><a href="https://dheatattack.gitlab.io/details/">https://dheatattack.gitlab.io/details/</a></li> 2161 <li><a href="https://dheatattack.gitlab.io/faq/">https://dheatattack.gitlab.io/faq/</a></li> 2162 <li><a href="https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1">https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1</a></li> 2163 </ul> 2164 2165 <hr/> 2166 2167 <div class="cta card__cta"> 2168 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-OPENSSL-7838291">More about this vulnerability</a></p> 2169 </div> 2170 2171 </div><!-- .card --> 2172 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2173 <h2 class="card__title">Information Exposure</h2> 2174 <div class="card__section"> 2175 2176 <div class="card__labels"> 2177 <div class="label label--low"> 2178 <span class="label__text">low severity</span> 2179 </div> 2180 </div> 2181 2182 <hr/> 2183 2184 <ul class="card__meta"> 2185 <li class="card__meta__item"> 2186 Manifest file: quay.io/argoproj/argocd:v3.1.5/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 2187 </li> 2188 <li class="card__meta__item"> 2189 Package Manager: ubuntu:24.04 2190 </li> 2191 <li class="card__meta__item"> 2192 Vulnerable module: 2193 2194 libgcrypt20 2195 </li> 2196 2197 <li class="card__meta__item">Introduced through: 2198 2199 docker-image|quay.io/argoproj/argocd@v3.1.5 and 
libgcrypt20@1.10.3-2build1 2200 2201 </li> 2202 </ul> 2203 2204 <hr/> 2205 2206 2207 <h3 class="card__section__title">Detailed paths</h3> 2208 2209 <ul class="card__meta__paths"> 2210 <li> 2211 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2212 docker-image|quay.io/argoproj/argocd@v3.1.5 2213 <span class="list-paths__item__arrow">›</span> 2214 libgcrypt20@1.10.3-2build1 2215 2216 </span> 2217 2218 </li> 2219 <li> 2220 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2221 docker-image|quay.io/argoproj/argocd@v3.1.5 2222 <span class="list-paths__item__arrow">›</span> 2223 gnupg2/dirmngr@2.4.4-2ubuntu17.3 2224 <span class="list-paths__item__arrow">›</span> 2225 libgcrypt20@1.10.3-2build1 2226 2227 </span> 2228 2229 </li> 2230 <li> 2231 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2232 docker-image|quay.io/argoproj/argocd@v3.1.5 2233 <span class="list-paths__item__arrow">›</span> 2234 gnupg2/gpg@2.4.4-2ubuntu17.3 2235 <span class="list-paths__item__arrow">›</span> 2236 libgcrypt20@1.10.3-2build1 2237 2238 </span> 2239 2240 </li> 2241 <li> 2242 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2243 docker-image|quay.io/argoproj/argocd@v3.1.5 2244 <span class="list-paths__item__arrow">›</span> 2245 gnupg2/gpg-agent@2.4.4-2ubuntu17.3 2246 <span class="list-paths__item__arrow">›</span> 2247 libgcrypt20@1.10.3-2build1 2248 2249 </span> 2250 2251 </li> 2252 <li> 2253 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2254 docker-image|quay.io/argoproj/argocd@v3.1.5 2255 <span class="list-paths__item__arrow">›</span> 2256 apt@2.8.3 2257 <span class="list-paths__item__arrow">›</span> 2258 apt/libapt-pkg6.0t64@2.8.3 2259 <span class="list-paths__item__arrow">›</span> 2260 libgcrypt20@1.10.3-2build1 2261 2262 </span> 2263 2264 </li> 2265 <li> 2266 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2267 
docker-image|quay.io/argoproj/argocd@v3.1.5 2268 <span class="list-paths__item__arrow">›</span> 2269 apt@2.8.3 2270 <span class="list-paths__item__arrow">›</span> 2271 gnupg2/gpgv@2.4.4-2ubuntu17.3 2272 <span class="list-paths__item__arrow">›</span> 2273 libgcrypt20@1.10.3-2build1 2274 2275 </span> 2276 2277 </li> 2278 <li> 2279 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2280 docker-image|quay.io/argoproj/argocd@v3.1.5 2281 <span class="list-paths__item__arrow">›</span> 2282 gnupg2/gpg@2.4.4-2ubuntu17.3 2283 <span class="list-paths__item__arrow">›</span> 2284 gnupg2/gpgconf@2.4.4-2ubuntu17.3 2285 <span class="list-paths__item__arrow">›</span> 2286 libgcrypt20@1.10.3-2build1 2287 2288 </span> 2289 2290 </li> 2291 <li> 2292 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2293 docker-image|quay.io/argoproj/argocd@v3.1.5 2294 <span class="list-paths__item__arrow">›</span> 2295 apt@2.8.3 2296 <span class="list-paths__item__arrow">›</span> 2297 adduser@3.137ubuntu1 2298 <span class="list-paths__item__arrow">›</span> 2299 shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 2300 <span class="list-paths__item__arrow">›</span> 2301 pam/libpam-modules@1.5.3-5ubuntu5.4 2302 <span class="list-paths__item__arrow">›</span> 2303 systemd/libsystemd0@255.4-1ubuntu8.10 2304 <span class="list-paths__item__arrow">›</span> 2305 libgcrypt20@1.10.3-2build1 2306 2307 </span> 2308 2309 </li> 2310 </ul><!-- .list-paths --> 2311 2312 </div><!-- .card__section --> 2313 2314 <hr/> 2315 <!-- Overview --> 2316 <h2 id="nvd-description">NVD Description</h2> 2317 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>libgcrypt20</code> package and not the <code>libgcrypt20</code> package as distributed by <code>Ubuntu</code>.</em> 2318 <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p> 2319 <p>A timing-based side-channel flaw was found in libgcrypt's 
RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.</p> 2320 <h2 id="remediation">Remediation</h2> 2321 <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>libgcrypt20</code>.</p> 2322 <h2 id="references">References</h2> 2323 <ul> 2324 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-2236">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-2236</a></li> 2325 <li><a href="https://access.redhat.com/errata/RHSA-2024:9404">https://access.redhat.com/errata/RHSA-2024:9404</a></li> 2326 <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2268268">https://bugzilla.redhat.com/show_bug.cgi?id=2268268</a></li> 2327 <li><a href="https://access.redhat.com/errata/RHSA-2025:3534">https://access.redhat.com/errata/RHSA-2025:3534</a></li> 2328 <li><a href="https://access.redhat.com/errata/RHSA-2025:3530">https://access.redhat.com/errata/RHSA-2025:3530</a></li> 2329 <li><a href="https://access.redhat.com/security/cve/CVE-2024-2236">https://access.redhat.com/security/cve/CVE-2024-2236</a></li> 2330 <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2245218">https://bugzilla.redhat.com/show_bug.cgi?id=2245218</a></li> 2331 </ul> 2332 2333 <hr/> 2334 2335 <div class="cta card__cta"> 2336 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-LIBGCRYPT20-6693674">More about this vulnerability</a></p> 2337 </div> 2338 2339 </div><!-- .card --> 2340 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2341 <h2 class="card__title">Out-of-bounds Write</h2> 2342 <div class="card__section"> 2343 2344 <div class="card__labels"> 2345 <div class="label label--low"> 2346 <span class="label__text">low severity</span> 2347 </div> 2348 </div> 2349 2350 <hr/> 2351 2352 <ul class="card__meta"> 2353 <li class="card__meta__item"> 2354 Manifest file: quay.io/argoproj/argocd:v3.1.5/argoproj/argocd <span 
class="list-paths__item__arrow">›</span> Dockerfile 2355 </li> 2356 <li class="card__meta__item"> 2357 Package Manager: ubuntu:24.04 2358 </li> 2359 <li class="card__meta__item"> 2360 Vulnerable module: 2361 2362 gnupg2/gpgv 2363 </li> 2364 2365 <li class="card__meta__item">Introduced through: 2366 2367 docker-image|quay.io/argoproj/argocd@v3.1.5 and gnupg2/gpgv@2.4.4-2ubuntu17.3 2368 2369 </li> 2370 </ul> 2371 2372 <hr/> 2373 2374 2375 <h3 class="card__section__title">Detailed paths</h3> 2376 2377 <ul class="card__meta__paths"> 2378 <li> 2379 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2380 docker-image|quay.io/argoproj/argocd@v3.1.5 2381 <span class="list-paths__item__arrow">›</span> 2382 gnupg2/gpgv@2.4.4-2ubuntu17.3 2383 2384 </span> 2385 2386 </li> 2387 <li> 2388 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2389 docker-image|quay.io/argoproj/argocd@v3.1.5 2390 <span class="list-paths__item__arrow">›</span> 2391 apt@2.8.3 2392 <span class="list-paths__item__arrow">›</span> 2393 gnupg2/gpgv@2.4.4-2ubuntu17.3 2394 2395 </span> 2396 2397 </li> 2398 <li> 2399 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2400 docker-image|quay.io/argoproj/argocd@v3.1.5 2401 <span class="list-paths__item__arrow">›</span> 2402 gnupg2/dirmngr@2.4.4-2ubuntu17.3 2403 <span class="list-paths__item__arrow">›</span> 2404 gnupg2/gpgconf@2.4.4-2ubuntu17.3 2405 2406 </span> 2407 2408 </li> 2409 <li> 2410 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2411 docker-image|quay.io/argoproj/argocd@v3.1.5 2412 <span class="list-paths__item__arrow">›</span> 2413 gnupg2/gpg-agent@2.4.4-2ubuntu17.3 2414 <span class="list-paths__item__arrow">›</span> 2415 gnupg2/gpgconf@2.4.4-2ubuntu17.3 2416 2417 </span> 2418 2419 </li> 2420 <li> 2421 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2422 docker-image|quay.io/argoproj/argocd@v3.1.5 2423 <span 
class="list-paths__item__arrow">›</span> 2424 gnupg2/gpg@2.4.4-2ubuntu17.3 2425 <span class="list-paths__item__arrow">›</span> 2426 gnupg2/gpgconf@2.4.4-2ubuntu17.3 2427 2428 </span> 2429 2430 </li> 2431 <li> 2432 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2433 docker-image|quay.io/argoproj/argocd@v3.1.5 2434 <span class="list-paths__item__arrow">›</span> 2435 gnupg2/dirmngr@2.4.4-2ubuntu17.3 2436 2437 </span> 2438 2439 </li> 2440 <li> 2441 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2442 docker-image|quay.io/argoproj/argocd@v3.1.5 2443 <span class="list-paths__item__arrow">›</span> 2444 gnupg2/gpg@2.4.4-2ubuntu17.3 2445 2446 </span> 2447 2448 </li> 2449 <li> 2450 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2451 docker-image|quay.io/argoproj/argocd@v3.1.5 2452 <span class="list-paths__item__arrow">›</span> 2453 gnupg2/gpg-agent@2.4.4-2ubuntu17.3 2454 2455 </span> 2456 2457 </li> 2458 </ul><!-- .list-paths --> 2459 2460 </div><!-- .card__section --> 2461 2462 <hr/> 2463 <!-- Overview --> 2464 <h2 id="nvd-description">NVD Description</h2> 2465 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>gnupg2</code> package and not the <code>gnupg2</code> package as distributed by <code>Ubuntu</code>.</em> 2466 <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p> 2467 <p>GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.</p> 2468 <h2 id="remediation">Remediation</h2> 2469 <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>gnupg2</code>.</p> 2470 <h2 id="references">References</h2> 2471 <ul> 2472 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3219">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3219</a></li> 2473 <li><a 
href="https://access.redhat.com/security/cve/CVE-2022-3219">https://access.redhat.com/security/cve/CVE-2022-3219</a></li> 2474 <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2127010">https://bugzilla.redhat.com/show_bug.cgi?id=2127010</a></li> 2475 <li><a href="https://dev.gnupg.org/D556">https://dev.gnupg.org/D556</a></li> 2476 <li><a href="https://dev.gnupg.org/T5993">https://dev.gnupg.org/T5993</a></li> 2477 <li><a href="https://marc.info/?l=oss-security&m=165696590211434&w=4">https://marc.info/?l=oss-security&m=165696590211434&w=4</a></li> 2478 <li><a href="https://security.netapp.com/advisory/ntap-20230324-0001/">https://security.netapp.com/advisory/ntap-20230324-0001/</a></li> 2479 </ul> 2480 2481 <hr/> 2482 2483 <div class="cta card__cta"> 2484 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-GNUPG2-6702792">More about this vulnerability</a></p> 2485 </div> 2486 2487 </div><!-- .card --> 2488 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2489 <h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2> 2490 <div class="card__section"> 2491 2492 <div class="card__labels"> 2493 <div class="label label--low"> 2494 <span class="label__text">low severity</span> 2495 </div> 2496 </div> 2497 2498 <hr/> 2499 2500 <ul class="card__meta"> 2501 <li class="card__meta__item"> 2502 Manifest file: quay.io/argoproj/argocd:v3.1.5/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 2503 </li> 2504 <li class="card__meta__item"> 2505 Package Manager: ubuntu:24.04 2506 </li> 2507 <li class="card__meta__item"> 2508 Vulnerable module: 2509 2510 glibc/libc-bin 2511 </li> 2512 2513 <li class="card__meta__item">Introduced through: 2514 2515 docker-image|quay.io/argoproj/argocd@v3.1.5 and glibc/libc-bin@2.39-0ubuntu8.5 2516 2517 </li> 2518 </ul> 2519 2520 <hr/> 2521 2522 2523 <h3 class="card__section__title">Detailed paths</h3> 2524 2525 <ul class="card__meta__paths"> 2526 <li> 2527 <span 
class="list-paths__item__introduced"><em>Introduced through</em>: 2528 docker-image|quay.io/argoproj/argocd@v3.1.5 2529 <span class="list-paths__item__arrow">›</span> 2530 glibc/libc-bin@2.39-0ubuntu8.5 2531 2532 </span> 2533 2534 </li> 2535 <li> 2536 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2537 docker-image|quay.io/argoproj/argocd@v3.1.5 2538 <span class="list-paths__item__arrow">›</span> 2539 glibc/libc6@2.39-0ubuntu8.5 2540 2541 </span> 2542 2543 </li> 2544 </ul><!-- .list-paths --> 2545 2546 </div><!-- .card__section --> 2547 2548 <hr/> 2549 <!-- Overview --> 2550 <h2 id="nvd-description">NVD Description</h2> 2551 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>glibc</code> package and not the <code>glibc</code> package as distributed by <code>Ubuntu</code>.</em> 2552 <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p> 2553 <p>sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.</p> 2554 <h2 id="remediation">Remediation</h2> 2555 <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>glibc</code>.</p> 2556 <h2 id="references">References</h2> 2557 <ul> 2558 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-20013">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-20013</a></li> 2559 <li><a href="https://akkadia.org/drepper/SHA-crypt.txt">https://akkadia.org/drepper/SHA-crypt.txt</a></li> 2560 <li><a href="https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/">https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/</a></li> 2561 <li><a href="https://twitter.com/solardiz/status/795601240151457793">https://twitter.com/solardiz/status/795601240151457793</a></li> 2562 </ul> 2563 2564 <hr/> 
2565 2566 <div class="cta card__cta"> 2567 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-GLIBC-6727419">More about this vulnerability</a></p> 2568 </div> 2569 2570 </div><!-- .card --> 2571 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2572 <h2 class="card__title">CVE-2025-9086</h2> 2573 <div class="card__section"> 2574 2575 <div class="card__labels"> 2576 <div class="label label--low"> 2577 <span class="label__text">low severity</span> 2578 </div> 2579 </div> 2580 2581 <hr/> 2582 2583 <ul class="card__meta"> 2584 <li class="card__meta__item"> 2585 Manifest file: quay.io/argoproj/argocd:v3.1.5/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 2586 </li> 2587 <li class="card__meta__item"> 2588 Package Manager: ubuntu:24.04 2589 </li> 2590 <li class="card__meta__item"> 2591 Vulnerable module: 2592 2593 curl/libcurl3t64-gnutls 2594 </li> 2595 2596 <li class="card__meta__item">Introduced through: 2597 2598 2599 docker-image|quay.io/argoproj/argocd@v3.1.5, git@1:2.43.0-1ubuntu7.3 and others 2600 </li> 2601 </ul> 2602 2603 <hr/> 2604 2605 2606 <h3 class="card__section__title">Detailed paths</h3> 2607 2608 <ul class="card__meta__paths"> 2609 <li> 2610 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2611 docker-image|quay.io/argoproj/argocd@v3.1.5 2612 <span class="list-paths__item__arrow">›</span> 2613 git@1:2.43.0-1ubuntu7.3 2614 <span class="list-paths__item__arrow">›</span> 2615 curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 2616 2617 </span> 2618 2619 </li> 2620 </ul><!-- .list-paths --> 2621 2622 </div><!-- .card__section --> 2623 2624 <hr/> 2625 <!-- Overview --> 2626 <h2 id="nvd-description">NVD Description</h2> 2627 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>curl</code> package and not the <code>curl</code> package as distributed by <code>Ubuntu</code>.</em> 2628 <em>See <code>How to fix?</code> for 
<code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p> 2629 <ol> 2630 <li>A cookie is set using the <code>secure</code> keyword for <code>https://target</code></li> 2631 <li>curl is redirected to or otherwise made to speak with <code>http://target</code> (same 2632 hostname, but using clear text HTTP) using the same cookie set</li> 2633 <li>The same cookie name is set - but with just a slash as path (<code>path=&#39;/&#39;</code>). 2634 Since this site is not secure, the cookie <em>should</em> just be ignored.</li> 2635 <li>A bug in the path comparison logic makes curl read outside a heap buffer 2636 boundary</li> 2637 </ol> 2638 <p>The bug either causes a crash or it potentially makes the comparison come to 2639 the wrong conclusion and lets the clear-text site override the contents of the 2640 secure cookie, contrary to expectations and depending on the memory contents 2641 immediately following the single-byte allocation that holds the path.</p> 2642 <p>The presumed and correct behavior would be to plainly ignore the second set of 2643 the cookie since it was already set as secure on a secure host so overriding 2644 it on an insecure host should not be okay.</p> 2645 <h2 id="remediation">Remediation</h2> 2646 <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>curl</code>.</p> 2647 <h2 id="references">References</h2> 2648 <ul> 2649 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-9086">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-9086</a></li> 2650 <li><a href="https://curl.se/docs/CVE-2025-9086.html">https://curl.se/docs/CVE-2025-9086.html</a></li> 2651 <li><a href="https://curl.se/docs/CVE-2025-9086.json">https://curl.se/docs/CVE-2025-9086.json</a></li> 2652 <li><a href="https://hackerone.com/reports/3294999">https://hackerone.com/reports/3294999</a></li> 2653 </ul> 2654 2655 <hr/> 2656 2657 <div class="cta card__cta"> 2658 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-CURL-12613443">More about this 
vulnerability</a></p> 2659 </div> 2660 2661 </div><!-- .card --> 2662 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2663 <h2 class="card__title">CVE-2025-10148</h2> 2664 <div class="card__section"> 2665 2666 <div class="card__labels"> 2667 <div class="label label--low"> 2668 <span class="label__text">low severity</span> 2669 </div> 2670 </div> 2671 2672 <hr/> 2673 2674 <ul class="card__meta"> 2675 <li class="card__meta__item"> 2676 Manifest file: quay.io/argoproj/argocd:v3.1.5/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 2677 </li> 2678 <li class="card__meta__item"> 2679 Package Manager: ubuntu:24.04 2680 </li> 2681 <li class="card__meta__item"> 2682 Vulnerable module: 2683 2684 curl/libcurl3t64-gnutls 2685 </li> 2686 2687 <li class="card__meta__item">Introduced through: 2688 2689 2690 docker-image|quay.io/argoproj/argocd@v3.1.5, git@1:2.43.0-1ubuntu7.3 and others 2691 </li> 2692 </ul> 2693 2694 <hr/> 2695 2696 2697 <h3 class="card__section__title">Detailed paths</h3> 2698 2699 <ul class="card__meta__paths"> 2700 <li> 2701 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2702 docker-image|quay.io/argoproj/argocd@v3.1.5 2703 <span class="list-paths__item__arrow">›</span> 2704 git@1:2.43.0-1ubuntu7.3 2705 <span class="list-paths__item__arrow">›</span> 2706 curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 2707 2708 </span> 2709 2710 </li> 2711 </ul><!-- .list-paths --> 2712 2713 </div><!-- .card__section --> 2714 2715 <hr/> 2716 <!-- Overview --> 2717 <h2 id="nvd-description">NVD Description</h2> 2718 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>curl</code> package and not the <code>curl</code> package as distributed by <code>Ubuntu</code>.</em> 2719 <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p> 2720 <p>curl's websocket code did not update the 32 bit mask 
pattern for each new 2721 outgoing frame as the specification says. Instead it used a fixed mask that 2722 persisted and was used throughout the entire connection.</p> 2723 <p>A predictable mask pattern allows for a malicious server to induce traffic 2724 between the two communicating parties that could be interpreted by an involved 2725 proxy (configured or transparent) as genuine, real, HTTP traffic with content 2726 and thereby poison its cache. That cached poisoned content could then be 2727 served to all users of that proxy.</p> 2728 <h2 id="remediation">Remediation</h2> 2729 <p>There is no fixed version for <code>Ubuntu:24.04</code> <code>curl</code>.</p> 2730 <h2 id="references">References</h2> 2731 <ul> 2732 <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-10148">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-10148</a></li> 2733 <li><a href="https://curl.se/docs/CVE-2025-10148.html">https://curl.se/docs/CVE-2025-10148.html</a></li> 2734 <li><a href="https://curl.se/docs/CVE-2025-10148.json">https://curl.se/docs/CVE-2025-10148.json</a></li> 2735 <li><a href="https://hackerone.com/reports/3330839">https://hackerone.com/reports/3330839</a></li> 2736 </ul> 2737 2738 <hr/> 2739 2740 <div class="cta card__cta"> 2741 <p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-CURL-12613507">More about this vulnerability</a></p> 2742 </div> 2743 2744 </div><!-- .card --> 2745 <div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low"> 2746 <h2 class="card__title">CVE-2025-0167</h2> 2747 <div class="card__section"> 2748 2749 <div class="card__labels"> 2750 <div class="label label--low"> 2751 <span class="label__text">low severity</span> 2752 </div> 2753 </div> 2754 2755 <hr/> 2756 2757 <ul class="card__meta"> 2758 <li class="card__meta__item"> 2759 Manifest file: quay.io/argoproj/argocd:v3.1.5/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile 2760 </li> 2761 <li class="card__meta__item"> 2762 Package 
Manager: ubuntu:24.04 2763 </li> 2764 <li class="card__meta__item"> 2765 Vulnerable module: 2766 2767 curl/libcurl3t64-gnutls 2768 </li> 2769 2770 <li class="card__meta__item">Introduced through: 2771 2772 2773 docker-image|quay.io/argoproj/argocd@v3.1.5, git@1:2.43.0-1ubuntu7.3 and others 2774 </li> 2775 </ul> 2776 2777 <hr/> 2778 2779 2780 <h3 class="card__section__title">Detailed paths</h3> 2781 2782 <ul class="card__meta__paths"> 2783 <li> 2784 <span class="list-paths__item__introduced"><em>Introduced through</em>: 2785 docker-image|quay.io/argoproj/argocd@v3.1.5 2786 <span class="list-paths__item__arrow">›</span> 2787 git@1:2.43.0-1ubuntu7.3 2788 <span class="list-paths__item__arrow">›</span> 2789 curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 2790 2791 </span> 2792 2793 </li> 2794 </ul><!-- .list-paths --> 2795 2796 </div><!-- .card__section --> 2797 2798 <hr/> 2799 <!-- Overview --> 2800 <h2 id="nvd-description">NVD Description</h2> 2801 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>curl</code> package and not the <code>curl</code> package as distributed by <code>Ubuntu</code>.</em> 2802 <em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p> 2803 <p>When asked to use a <code>.netrc</code> file for credentials <strong>and</strong> to follow HTTP 2804 redirects, curl could leak the password used for the first host to the 2805 followed-to host under certain circumstances.</p> 2806 <p>This flaw only manifests itself if the netrc file has a <code>default</code> entry that 2807 omits both login and password. 
A rare circumstance.</p>
<h2 id="remediation">Remediation</h2>
<p>There is no fixed version for <code>Ubuntu:24.04</code> <code>curl</code>.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-0167">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-0167</a></li>
<li><a href="https://curl.se/docs/CVE-2025-0167.json">https://curl.se/docs/CVE-2025-0167.json</a></li>
<li><a href="https://hackerone.com/reports/2917232">https://hackerone.com/reports/2917232</a></li>
<li><a href="https://security.netapp.com/advisory/ntap-20250306-0008/">https://security.netapp.com/advisory/ntap-20250306-0008/</a></li>
<li><a href="https://curl.se/docs/CVE-2025-0167.html">https://curl.se/docs/CVE-2025-0167.html</a></li>
</ul>

<hr/>

<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-CURL-8689015">More about this vulnerability</a></p>
</div>

</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low">
<h2 class="card__title">Improper Input Validation</h2>
<div class="card__section">

<div class="card__labels">
<div class="label label--low">
<span class="label__text">low severity</span>
</div>
</div>

<hr/>

<ul class="card__meta">
<li class="card__meta__item">
Manifest file: quay.io/argoproj/argocd:v3.1.5/argoproj/argocd <span class="list-paths__item__arrow">›</span> Dockerfile
</li>
<li class="card__meta__item">
Package Manager: ubuntu:24.04
</li>
<li class="card__meta__item">
Vulnerable module:

coreutils
</li>

<li class="card__meta__item">Introduced through:

docker-image|quay.io/argoproj/argocd@v3.1.5 and coreutils@9.4-3ubuntu6.1

</li>
</ul>

<hr/>

<h3 class="card__section__title">Detailed
paths</h3>

<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|quay.io/argoproj/argocd@v3.1.5
<span class="list-paths__item__arrow">›</span>
coreutils@9.4-3ubuntu6.1

</span>

</li>
</ul><!-- .list-paths -->

</div><!-- .card__section -->

<hr/>
<!-- Overview -->
<h2 id="nvd-description">NVD Description</h2>
<p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>coreutils</code> package and not the <code>coreutils</code> package as distributed by <code>Ubuntu</code>.</em>
<em>See <code>How to fix?</code> for <code>Ubuntu:24.04</code> relevant fixed versions and status.</em></p>
<p>chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.</p>
<h2 id="remediation">Remediation</h2>
<p>There is no fixed version for <code>Ubuntu:24.04</code> <code>coreutils</code>.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2781">http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2781</a></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2016-2781">https://security-tracker.debian.org/tracker/CVE-2016-2781</a></li>
<li><a href="https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E">https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E</a></li>
<li><a href="http://www.openwall.com/lists/oss-security/2016/02/28/2">http://www.openwall.com/lists/oss-security/2016/02/28/2</a></li>
<li><a
href="http://www.openwall.com/lists/oss-security/2016/02/28/3">http://www.openwall.com/lists/oss-security/2016/02/28/3</a></li>
<li><a href="https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E">https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E</a></li>
</ul>

<hr/>

<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-UBUNTU2404-COREUTILS-6727355">More about this vulnerability</a></p>
</div>

</div><!-- .card -->
</div><!-- cards -->
</div>
</main><!-- .layout-stacked__content -->
</body>

</html>