vitorvezani / blog Goto Github PK
View Code? Open in Web Editor NEWLicense: MIT License
License: MIT License
For Deployment nginx-deployment in namespace
Description:
View this CVE in the Vulnerabilities page for more details
Remediation:
If this image is from a third-party application or Helm chart, try updating
to the latest version. If this doesn't solve the issue, let the maintainers
know that the image they're using may contain vulnerabilities, e.g. by
filing an issue on GitHub.
If this image is from an application you own, try updating the base image (currently alpine 3.11.11),
as well as any libraries you're installing on top of it. If this doesn't solve
the issue, let the maintainer of the base image or offending libraries
know, e.g. by filing an issue on GitHub.
For Pod etcd-manager-events-ip-172-20-30-225.ap-northeast-1.compute.internal in namespace kube-system
Description:
View this CVE in the Vulnerabilities page for more details
Remediation:
If this image is from a third-party application or Helm chart, try updating
to the latest version. If this doesn't solve the issue, let the maintainers
know that the image they're using may contain vulnerabilities, e.g. by
filing an issue on GitHub.
If this image is from an application you own, try updating the base image (currently debian 9.7),
as well as any libraries you're installing on top of it. If this doesn't solve
the issue, let the maintainer of the base image or offending libraries
know, e.g. by filing an issue on GitHub.
For Job polaris in namespace insights-agent
Description:
Image Name: quay.io/fairwinds/polaris:0.6
From sha256:2c07f590891617b1bc4d3743be7f6d2b73012a50e49444f7404bbfd8db3ede10:
Package | CVE | Version | Severity | Title | Description |
---|---|---|---|---|---|
openssl | CVE-2019-1551 | 1.1.1d-r0 | MEDIUM | openssl: Integer overflow in RSAZ modular exponentiation on x86_64 | There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t). |
Remediation:
If this image is from a third-party application or Helm chart, try updating
to the latest version. If this doesn't solve the issue, let the maintainers
know that the image they're using may contain vulnerabilities, e.g. by
filing an issue on GitHub.
If this image is from an application you own, try updating the base image (currently alpine 3.10.3),
as well as any libraries you're installing on top of it. If this doesn't solve
the issue, let the maintainer of the base image or offending libraries
know, e.g. by filing an issue on GitHub.
For CronJob helm-prune in namespace fwinsights
Description:
View this CVE in the Vulnerabilities page for more details
Remediation:
If this image is from a third-party application or Helm chart, try updating
to the latest version. If this doesn't solve the issue, let the maintainers
know that the image they're using may contain vulnerabilities, e.g. by
filing an issue on GitHub.
If this image is from an application you own, try updating the base image,
as well as any libraries you're installing on top of it. If this doesn't solve
the issue, let the maintainer of the base image or offending libraries
know, e.g. by filing an issue on GitHub.
For Pod nginx-failure in namespace default
Description:
Liveness probes are designed to ensure that an application stays in a healthy state.
When a liveness probe goes from passing to failing, the pod will be restarted.
Without a liveness probe, Kubernetes' self-healing ability is hampered.
If your application is long-lived, it's important to utilize a liveness probe to tell
if the application has crashed or become unresponsive. Otherwise, Kubernetes may keep
a broken Pod running, and continue serving traffic to it.
References
Remediation:
Add a livenessProbe
to your container spec.
It's up to you how to decide if your application is alive. You might
check that you're able to connect to an HTTP endpoint, or ensure that a
particular process is running.
You can configure your liveness probe
to execute a command or check for a healthy HTTP/TCP response.
Examples
Using an HTTP request
apiVersion: v1
kind: Pod
metadata:
name: busybox
spec:
containers:
- name: busybox
image: busybox
livenessProbe:
httpGet:
path: /health
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
Using a command
apiVersion: v1
kind: Pod
metadata:
name: busybox
spec:
containers:
- name: busybox
image: busybox
livenessProbe:
exec:
command:
- sh
- -c
- ps -ef | grep my-app
initialDelaySeconds: 5
periodSeconds: 10
For Job kube-hunter in namespace insights-agent
Description:
View this CVE in the Vulnerabilities page for more details
Remediation:
If this image is from a third-party application or Helm chart, try updating
to the latest version. If this doesn't solve the issue, let the maintainers
know that the image they're using may contain vulnerabilities, e.g. by
filing an issue on GitHub.
If this image is from an application you own, try updating the base image (currently alpine 3.10.2),
as well as any libraries you're installing on top of it. If this doesn't solve
the issue, let the maintainer of the base image or offending libraries
know, e.g. by filing an issue on GitHub.
For Node kind-control-plane in namespace
Description:
Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)
Audit: ps -ef | grep etcd | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %U:%G
Remediation:
On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
from the below command:
ps -ef | grep etcd
Run the below command (based on the etcd data directory found above).
For example, chown etcd:etcd /var/lib/etcd
For Deployment local-path-provisioner in namespace local-path-storage
Description:
Setting memory requests guarantees that your container will have at least that much memory available.
Without memory requests, a pod may be scheduled on a node that is already overutilized, and
will suffer from performance problems or out-of-memory errors as a result.
For production-grade workloads, memory requests should always be set.
References
Remediation:
Add a memory request to each of your container specifications. Memory can be specified
as a fixed number of bytes (e.g. 1024
), with a power-of-ten suffix (e.g. 1K
),
or with a power-of-two suffix (e.g. 1Ki
).
It's up to you to decide how much memory to allocate to your application. Setting memory requests
too high could potentially lead to cost overruns, whereas setting it too low may cause
performance issues.
Insights can help you determine your application's memory usage via the
Prometheus Collector
and Goldilocks reports.
We strongly recommend you enable one or both of these reports to help determine appropriate resource
requests and limits.
Examples
apiVersion: v1
kind: Pod
metadata:
name: busybox
spec:
containers:
- name: busybox
image: busybox
resources:
requests:
memory: "64Mi"
cpu: "250m"
limits:
memory: "128Mi"
cpu: "500m"
For Pod nginx-failure in namespace default
Description:
Configuring CPU limits makes sure a container never uses an excessive amount of CPU.
If CPU limits are not set, a misbehaving application could end up utilizing most of the
CPU available on its node, potentially slowing down other workloads or causing cost overruns as
the cluster tries to scale up.
In contrast to memory limits, a CPU limit will never cause your application to crash.
Instead, it will get throttled - it will only be allowed to run a certain number of operations
per second.
References
Remediation:
Add a CPU limit to each of your container specifications. CPU may be set in terms of
whole CPUs (e.g. 1.0
or .25
), or more commonly, in terms of millicpus (e.g. 1000m
or 250m
).
It's up to you to decide how much CPU to allocate to your application. Setting CPU limits
too high could potentially lead to cost overruns, whereas setting it too low may cause
your application to get throttled.
Insights can help you determine your application's CPU usage via the
Prometheus Collector
and Goldilocks reports.
We strongly recommend you enable one or both of these reports to help determine appropriate resource
requests and limits.
For mission-critical or user-facing applications,
Fairwinds recommends setting a high CPU limit, so only a misbehaving application will be throttled.
Examples
apiVersion: v1
kind: Pod
metadata:
name: busybox
spec:
containers:
- name: busybox
image: busybox
resources:
requests:
memory: "64Mi"
cpu: "250m"
limits:
memory: "128Mi"
cpu: "500m"
For Pod nginx-failure in namespace default
Description:
Disabling access to the root filesystem can prevent attackers from altering configuration,
installing new software, or overwriting binaries with malicious code.
By default, Kubernetes runs containers with a writeable filesystem. However, Kubernetes workloads should
generally be stateless, and should not need write access to the root filesystem. If workloads do need
to write files to disk, there are safer methods of doing so (see remediation guidance).
References
Remediation:
In your workload's container configuration, set securityContext.readOnlyRootFilesystem = true
.
If your workload needs to write data to disk, you can still protect the root filesystem by
mounting a separate volume. This creates a special writeable directory for your app, while
preventing changes to system components, application configuration, etc. See the example
below, or view the docs to learn more.
Examples
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo
spec:
volumes:
- name: data
emptyDir: {}
containers:
- name: busybox
image: busybox
command: [ "sh", "-c", "echo 'hello world' > /data/hello.txt" ]
volumeMounts:
- name: data
mountPath: /data
securityContext:
readOnlyRootFilesystem: true
For Pod nginx-failure in namespace default
Description:
Every container running in Kubernetes comes with a configurable set of kernel-level
capabilities. Generally these capabilities are not needed by most workloads, and
can be exploited by an attacker who gains access to the container.
Many of the available capabilities are enabled by default in Kubernetes, including:
NET_ADMIN
CHOWN
DAC_OVERRIDE
FSETID
FOWNER
MKNOD
NET_RAW
SETGID
SETUID
SETFCAP
SETPCAP
NET_BIND_SERVICE
SYS_CHROOT
KILL
AUDIT_WRITE
Unless these capabilities are explicitly needed by your workload, they should be dropped.
References
Remediation:
The easiest way to remove insecure capabilities from your container is to drop
them all (see example below).
If particular capabilities are necessary for your workload to run properly,
Fairwinds recommends dropping all, and then explicitly adding the ones that are necessary
Examples
Drop all
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo
spec:
containers:
- name: busybox
image: busybox
securityContext:
capabilities:
drop:
- ALL
Add back necessary capabilities
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo
spec:
containers:
- name: busybox
image: busybox
securityContext:
capabilities:
drop:
- ALL
add:
- CHOWN
- SETUID
For Deployment fwinsights-dashboard in namespace fwinsights
Description:
Setting memory limits too high causes workloads to use more resources than they need, incurring extra compute costs
Remediation:
resources:
limits:
cpu: 25m
memory: 250Mi
requests:
cpu: 25m
memory: 250Mi
For StatefulSet fairwinds-insights-postgresql in namespace
Description:
Image Name: docker.io/bitnami/postgresql:11.8.0-debian-10-r13
From :
Package | CVE | Version | Severity | Title | Description |
---|---|---|---|---|---|
bash | CVE-2019-18276 | 5.0-4 | HIGH | bash: when effective UID is not equal to its real UID the saved UID is not dropped | An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected. |
TEMP-0841856-B18BAF | LOW | ||||
coreutils | CVE-2016-2781 | 8.30-3 | LOW | coreutils: Non-privileged session can escape to the parent session in chroot | chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer. |
CVE-2017-18018 | LOW | coreutils: race condition vulnerability in chown and chgrp | In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition. | ||
gpgv | CVE-2019-14855 | 2.2.12-1+deb10u1 | MEDIUM | gnupg2: OpenPGP Key Certification Forgeries with SHA-1 | A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18. |
libapt-pkg5.0 | CVE-2011-3374 | 1.8.2.1 | MEDIUM | It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack. | |
libbsd0 | CVE-2019-20367 | 0.9.1-2 | MEDIUM | nlist.c in libbsd before 0.10.0 has an out-of-bounds read during a comparison for a symbol name from the string table (strtab). | |
libcurl4 | CVE-2020-8169 | 7.64.0-4+deb10u1 | MEDIUM | libcurl: partial password leak over DNS on HTTP redirect | No description is available for this CVE. |
CVE-2020-8177 | MEDIUM | curl: command line arguments lead to local file overwrite | No description is available for this CVE. | ||
libgcrypt20 | CVE-2018-6829 | 1.8.4-5 | MEDIUM | libgcrypt: ElGamal implementation doesn't have semantic security due to incorrectly encoded plaintexts possibly allowing to obtain sensitive information | cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation. |
CVE-2019-12904 | MEDIUM | Libgcrypt: physical addresses being available to other processes leads to a flush-and-reload side-channel attack | In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.) | ||
CVE-2019-13627 | LOW | libgcrypt: ECDSA timing attack in the libgcrypt20 cryptographic library | It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7. | ||
libgnutls30 | CVE-2011-3389 | 3.6.7-4+deb10u3 | MEDIUM | HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST) | The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack. |
CVE-2020-13777 | MEDIUM | gnutls: session resumption works without master key allowing MITM | GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application. | ||
libidn2-0 | CVE-2019-12290 | 2.0.5-1+deb10u1 | MEDIUM | GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated. | |
libkrb5support0 | CVE-2004-0971 | 1.17-3 | LOW | security flaw | The krb5-send-pr script in the kerberos5 (krb5) package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files. |
CVE-2018-5709 | MEDIUM | krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c | An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data. | ||
libldap-common | CVE-2015-3276 | 2.4.47+dfsg-3+deb10u2 | MEDIUM | openldap: incorrect multi-keyword mode cipherstring parsing | The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors. |
CVE-2017-14159 | LOW | openldap: Privilege escalation via PID file manipulation | slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill cat /pathname " command, as demonstrated by openldap-initscript. |
||
CVE-2017-17740 | MEDIUM | openldap: contrib/slapd-modules/nops/nops.c attempts to free stack buffer allowing remote attackers to cause a denial of service | contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. | ||
liblz4-1 | CVE-2019-17543 | 1.8.3-1 | MEDIUM | lz4: heap-based buffer overflow in LZ4_write32 | LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk." |
libnghttp2-14 | TEMP-0000000-A4EF31 | 1.36.0-2+deb10u1 | LOW | ||
libpcre3 | CVE-2017-11164 | 2:8.39-12 | HIGH | pcre: OP_KETRMAX feature in the match function in pcre_exec.c | In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression. |
CVE-2017-16231 | LOW | pcre: self-recursive call in match() in pcre_exec.c leads to denial of service | ** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used. | ||
CVE-2017-7245 | MEDIUM | pcre: stack-based buffer overflow write in pcre32_copy_substring | Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file. | ||
CVE-2017-7246 | MEDIUM | pcre: stack-based buffer overflow write in pcre32_copy_substring | Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file. | ||
CVE-2019-20838 | MEDIUM | pcre: buffer over-read in JIT when UTF is disabled | libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \X or \R has more than one fixed quantifier, a related issue to CVE-2019-20454. | ||
CVE-2020-14155 | MEDIUM | pcre: integer overflow in libpcre | libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring. | ||
libseccomp2 | CVE-2019-9893 | 2.3.3-4 | HIGH | libseccomp: incorrect generation of syscall filters in libseccomp | libseccomp before 2.4.0 did not correctly generate 64-bit syscall argument comparisons using the arithmetic operators (LT, GT, LE, GE), which might able to lead to bypassing seccomp filters and potential privilege escalations. |
libsqlite3-0 | CVE-2019-16168 | 3.27.2-3 | MEDIUM | sqlite: division by zero in whereLoopAddBtreeIndex in sqlite3.c | In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in the query planner." |
CVE-2019-19242 | MEDIUM | sqlite: SQL injection in sqlite3ExprCodeTarget in expr.c | SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_COLUMN case in sqlite3ExprCodeTarget in expr.c. | ||
CVE-2019-19244 | MEDIUM | sqlite: allows a crash if a sub-select uses both DISTINCT and window functions and also has certain ORDER BY usage | sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage. | ||
CVE-2019-19603 | MEDIUM | sqlite: mishandles certain SELECT statements with a nonexistent VIEW, leading to DoS | SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW, leading to an application crash. | ||
CVE-2019-19645 | LOW | sqlite: infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements | alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements. | ||
CVE-2019-19923 | MEDIUM | sqlite: mishandling of certain uses of SELECT DISTINCT involving a LEFT JOIN in flattenSubquery in select.c leads to a NULL pointer dereference | flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses of SELECT DISTINCT involving a LEFT JOIN in which the right-hand side is a view. This can cause a NULL pointer dereference (or incorrect results). | ||
CVE-2019-19924 | MEDIUM | sqlite: incorrect sqlite3WindowRewrite() error handling leads to mishandling certain parser-tree rewriting | SQLite 3.30.1 mishandles certain parser-tree rewriting, related to expr.c, vdbeaux.c, and window.c. This is caused by incorrect sqlite3WindowRewrite() error handling. | ||
CVE-2019-19925 | MEDIUM | sqlite: zipfileUpdate in ext/misc/zipfile.c mishandles a NULL pathname during an update of a ZIP archive | zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL pathname during an update of a ZIP archive. | ||
CVE-2019-19959 | MEDIUM | sqlite: mishandles certain uses of INSERT INTO in situations involving embedded '\0' characters in filenames | ext/misc/zipfile.c in SQLite 3.30.1 mishandles certain uses of INSERT INTO in situations involving embedded '\0' characters in filenames, leading to a memory-management error that can be detected by (for example) valgrind. | ||
CVE-2019-20218 | MEDIUM | sqlite: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error | selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error. | ||
CVE-2020-11655 | MEDIUM | sqlite: malformed window-function query leads to DoS | SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled. | ||
CVE-2020-11656 | HIGH | sqlite: use-after-free in the ALTER TABLE implementation | In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement. | ||
CVE-2020-13434 | LOW | sqlite: integer overflow in sqlite3_str_vappendf function in printf.c | SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c. | ||
CVE-2020-13435 | LOW | sqlite: NULL pointer dereference leads to segmentation fault in sqlite3ExprCodeTarget in expr.c | SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c. | ||
CVE-2020-13630 | MEDIUM | sqlite: use-after-free in fts3EvalNextRow in ext/fts3/fts3.c | ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature. | ||
CVE-2020-13631 | LOW | sqlite: virtual table can be renamed into the name of one of its shadow tables | SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c. | ||
CVE-2020-13632 | LOW | sqlite: NULL pointer dereference in ext/fts3/fts3_snippet.c via a crafted matchinfo() query | ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query. | ||
CVE-2020-13871 | MEDIUM | sqlite: use-after-free in resetAccumulator in select.c | SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late. | ||
CVE-2020-15358 | HIGH | sqlite: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization in select.c | In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation. | ||
CVE-2020-9327 | MEDIUM | sqlite: NULL pointer dereference and segmentation fault because of generated column optimizations | In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations. | ||
libssh2-1 | CVE-2019-13115 | 1.8.0-2.1 | MEDIUM | libssh2: integer overflow in kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c leads to out-of-bounds write | In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855. |
CVE-2019-17498 | MEDIUM | libssh2: integer overflow in SSH_MSG_DISCONNECT logic in packet.c | In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. | ||
libstdc++6 | CVE-2018-12886 | 8.3.0-6 | MEDIUM | gcc: spilling of stack protection address in cfgexpand.c and function.c leads to stack-overflow protection bypass | stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against. |
CVE-2019-15847 | MEDIUM | gcc: POWER9 "DARN" RNG intrinsic produces repeated output | The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same. | ||
libtasn1-6 | CVE-2018-1000654 | 4.13-3 | HIGH | libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion | GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file. |
libudev1 | CVE-2013-4392 | 241-7~deb10u4 | LOW | systemd: TOCTOU race condition when updating file permissions and SELinux security contexts | systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files. |
CVE-2019-20386 | LOW | systemd: a memory leak was discovered in button_open in login/logind-button.c when udev events are received | An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur. | ||
CVE-2019-3843 | MEDIUM | systemd: services with DynamicUser can create SUID/SGID binaries | It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled. | ||
CVE-2019-3844 | MEDIUM | systemd: services with DynamicUser can get new privileges and create SGID binaries | It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled. | ||
CVE-2020-13776 | MEDIUM | systemd: mishandles numerical usernames beginning with decimal digits or 0x followed by hexadecimal digits | systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by hex digits, as demonstrated by use of root privileges when privileges of the 0x0 user account were intended. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000082. | ||
libxml2 | CVE-2016-9318 | 2.9.4+dfsg1-7 | MEDIUM | libxml2: XML External Entity vulnerability | libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document. |
CVE-2017-16932 | MEDIUM | libxml2: Infinite recursion in parameter entities | parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities. | ||
CVE-2017-18258 | MEDIUM | libxml2: Unrestricted memory usage in xz_head() function in xzlib.c | The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file. | ||
CVE-2018-14404 | MEDIUM | libxml2: NULL pointer dereference in xmlXPathCompOpEval() function in xpath.c | A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application. | ||
CVE-2018-14567 | MEDIUM | libxml2: Infinite loop caused by incorrect error detection during LZMA decompression | libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251. | ||
CVE-2019-19956 | MEDIUM | libxml2: There's a memory leak in xmlParseBalancedChunkMemoryRecover in parser.c that could result in a crash | xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs. | ||
CVE-2019-20388 | MEDIUM | libxml2: memory leak in xmlSchemaPreRun in xmlschemas.c | xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak. | ||
CVE-2020-7595 | MEDIUM | libxml2: infinite loop in xmlStringLenDecodeEntities in some end-of-file situations | xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. | ||
libxslt1.1 | CVE-2015-9019 | 1.1.32-2.2~deb10u1 | MEDIUM | libxslt: math.random() in xslt uses unseeded randomness | In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs. |
locales | CVE-2010-4051 | 2.28-10 | MEDIUM | CVE-2010-4052 glibc: De-recursivise regular expression engine | The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a "RE_DUP_MAX overflow." |
CVE-2010-4052 | MEDIUM | CVE-2010-4051 CVE-2010-4052 glibc: De-recursivise regular expression engine | Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD. | ||
CVE-2010-4756 | MEDIUM | glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions | The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632. | ||
CVE-2016-10228 | MEDIUM | glibc: iconv program can hang when invoked with the -c option | The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service. | ||
CVE-2018-20796 | MEDIUM | glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c | In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227 | ||
CVE-2019-1010022 | HIGH | glibc: stack guard protection bypass | GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. | ||
CVE-2019-1010023 | MEDIUM | glibc: running ldd on malicious ELF leads to code execution because of wrong size computation | GNU Libc current is affected by: Re-mapping current loaded libray with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. | ||
CVE-2019-1010024 | MEDIUM | glibc: ASLR bypass using cache of thread stack and heap | GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. | ||
CVE-2019-1010025 | MEDIUM | glibc: information disclosure of heap addresses of pthread_created thread | ** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability." | ||
CVE-2019-19126 | LOW | glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries | On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program. | ||
CVE-2019-9192 | MEDIUM | glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c | ** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '( | ||
CVE-2020-10029 | LOW | glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl functions | The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c. | ||
CVE-2020-1751 | MEDIUM | glibc: array overflow in backtrace functions for powerpc | An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability. | ||
CVE-2020-1752 | LOW | glibc: use-after-free in glob() function when expanding ~user | A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32. | ||
CVE-2020-6096 | MEDIUM | glibc: signed comparison vulnerability in the ARMv7 memcpy function | An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data. | ||
openssl | CVE-2007-6755 | 1.1.1d-0+deb10u3 | MEDIUM | Dual_EC_DRBG: weak pseudo random number generator | The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain "skeleton key" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE. |
CVE-2010-0928 | MEDIUM | openssl: RSA authentication weakness | OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack." | ||
CVE-2019-1551 | MEDIUM | openssl: Integer overflow in RSAZ modular exponentiation on x86_64 | There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t). | ||
passwd | CVE-2007-5686 | 1:4.5-1.1 | MEDIUM | initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers. | |
CVE-2013-4235 | LOW | shadow-utils: TOCTOU race conditions by copying and removing directory trees | shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees | ||
CVE-2018-7169 | MEDIUM | shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege escalation | An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation. | ||
CVE-2019-19882 | MEDIUM | shadow-utils: local users can obtain root access because setuid programs are misconfigured | shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8). | ||
TEMP-0628843-DBAD28 | LOW | ||||
perl-base | CVE-2011-4116 | 5.28.1-6 | MEDIUM | perl: File::Temp insecure temporary file handling | _is_safe in the File::Temp module for Perl does not properly handle symlinks. |
CVE-2020-10543 | MEDIUM | perl: heap-based buffer overflow in regular expression compiler leads to DoS | Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow. | ||
CVE-2020-10878 | HIGH | perl: corruption of intermediate language state of compiled regular expression due to integer overflow leads to DoS | Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection. | ||
CVE-2020-12723 | MEDIUM | perl: corruption of intermediate language state of compiled regular expression due to recursive S_study_chunk() calls leads to DoS | regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls. | ||
sysvinit-utils | TEMP-0517018-A83CE6 | 2.93-8 | LOW | ||
tar | CVE-2005-2541 | 1.30+dfsg-6 | CRITICAL | Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges. | |
CVE-2019-9923 | MEDIUM | tar: null-pointer dereference in pax_decode_header in sparse.c | pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers. | ||
TEMP-0290435-0B57B5 | LOW |
Remediation:
If this image is from a third-party application or Helm chart, try updating
to the latest version. If this doesn't solve the issue, let the maintainers
know that the image they're using may contain vulnerabilities, e.g. by
filing an issue on GitHub.
If this image is from an application you own, try updating the base image (currently debian 10.4),
as well as any libraries you're installing on top of it. If this doesn't solve
the issue, let the maintainer of the base image or offending libraries
know, e.g. by filing an issue on GitHub.
For Deployment nginx-deployment in namespace
Description:
View this CVE in the Vulnerabilities page for more details
Remediation:
If this image is from a third-party application or Helm chart, try updating
to the latest version. If this doesn't solve the issue, let the maintainers
know that the image they're using may contain vulnerabilities, e.g. by
filing an issue on GitHub.
If this image is from an application you own, try updating the base image (currently alpine 3.11.11),
as well as any libraries you're installing on top of it. If this doesn't solve
the issue, let the maintainer of the base image or offending libraries
know, e.g. by filing an issue on GitHub.
For Node kind-control-plane in namespace
Description:
Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)
Audit: ps -ef | grep etcd | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %U:%G
Remediation:
On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
from the below command:
ps -ef | grep etcd
Run the below command (based on the etcd data directory found above).
For example, chown etcd:etcd /var/lib/etcd
For ReplicaSet nginx-ingress-controller-5659c7c9cd in namespace nginx-ingress
Description:
View this CVE in the Vulnerabilities page for more details
Remediation:
If this image is from a third-party application or Helm chart, try updating
to the latest version. If this doesn't solve the issue, let the maintainers
know that the image they're using may contain vulnerabilities, e.g. by
filing an issue on GitHub.
If this image is from an application you own, try updating the base image (currently debian 10.0),
as well as any libraries you're installing on top of it. If this doesn't solve
the issue, let the maintainer of the base image or offending libraries
know, e.g. by filing an issue on GitHub.
For DaemonSet kube-proxy in namespace kube-system
Description:
Image Name: k8s.gcr.io/kube-proxy:v1.16.3
From sha256:f4fd1d7052b4e7c9ad43e4038c9ffe15773b9cc422557af0738ee5e6fcc08051:
Package | CVE | Version | Severity | Title | Description |
---|---|---|---|---|---|
coreutils | CVE-2016-2781 | 8.26-3 | LOW | coreutils: Non-privileged session can escape to the parent session in chroot | chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer. |
CVE-2017-18018 | LOW | coreutils: race condition vulnerability in chown and chgrp | In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition. | ||
gpgv | CVE-2018-1000858 | 2.1.18-8~deb9u4 | MEDIUM | gnupg2: Cross site request forgery in dirmngr resulting in an information disclosure or denial of service | GnuPG version 2.1.12 - 2.2.11 contains a Cross ite Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF, Information Disclosure, DoS. This attack appear to be exploitable via Victim must perform a WKD request, e.g. enter an email address in the composer window of Thunderbird/Enigmail. This vulnerability appears to have been fixed in after commit 4a4bb874f63741026bd26264c43bb32b1099f060. |
CVE-2018-9234 | MEDIUM | GnuPG: Unenforced configuration allows for apparently valid certifications actually signed by signing subkeys | GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey. | ||
CVE-2019-14855 | LOW | ||||
libapt-pkg5.0 | CVE-2011-3374 | 1.4.9 | MEDIUM | It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack. | |
libbz2-1.0 | CVE-2019-12900 | 1.0.6-8.1 | HIGH | bzip2: out-of-bounds write in function BZ2_decompress | BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors. |
libcomerr2 | CVE-2019-5094 | 1.43.4-2 | MEDIUM | e2fsprogs: crafted ext4 partition leads to out-of-bounds write | An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. |
CVE-2019-5188 | MEDIUM | e2fsprogs: Out-of-bounds write in e2fsck/rehash.c | A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. | ||
libelf1 | CVE-2018-16062 | 0.168-1 | MEDIUM | elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file | dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file. |
CVE-2018-16402 | HIGH | elfutils: Double-free due to double decompression of sections in crafted ELF causes crash | libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice. | ||
CVE-2018-16403 | MEDIUM | elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash | libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash. | ||
CVE-2018-18310 | MEDIUM | elfutils: invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl | An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes. | ||
CVE-2018-18520 | MEDIUM | elfutils: eu-size cannot handle recursive ar files | An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file. | ||
CVE-2018-18521 | MEDIUM | elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c | Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled. | ||
CVE-2019-7148 | MEDIUM | elfutils: excessive memory allocation in read_long_names in elf_begin.c in libelf | DISPUTED An attempted excessive memory allocation was discovered in the function read_long_names in elf_begin.c in libelf in elfutils 0.174. Remote attackers could leverage this vulnerability to cause a denial-of-service via crafted elf input, which leads to an out-of-memory exception. NOTE: The maintainers believe this is not a real issue, but instead a "warning caused by ASAN because the allocation is big. By setting ASAN_OPTIONS=allocator_may_return_null=1 and running the reproducer, nothing happens." | ||
CVE-2019-7149 | MEDIUM | elfutils: heap-based buffer over-read in read_srclines in dwarf_getsrclines.c in libdw | A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by eu-nm. | ||
CVE-2019-7150 | MEDIUM | elfutils: segmentation fault in elf64_xlatetom in libelf/elf32_xlatetom.c | An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack. | ||
CVE-2019-7664 | MEDIUM | elfutils: out of bound write in elf_cvt_note in libelf/note_xlate.h | In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial of service (program crash). | ||
CVE-2019-7665 | MEDIUM | elfutils: heap-based buffer over-read in function elf32_xlatetom in elf32_xlatetom.c | In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes. | ||
libgcrypt20 | CVE-2018-6829 | 1.7.6-2+deb9u3 | MEDIUM | libgcrypt: ElGamal implementation doesn't have semantic security due to incorrectly encoded plaintexts possibly allowing to obtain sensitive information | cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation. |
CVE-2019-12904 | MEDIUM | Libgcrypt: physical addresses being available to other processes leads to a flush-and-reload side-channel attack | In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.) | ||
CVE-2019-13627 | MEDIUM | libgcrypt: ECDSA timing attack in the libgcrypt20 cryptographic library | It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7. | ||
liblz4-1 | CVE-2019-17543 | 0.0~r131-2 | MEDIUM | lz4: heap-based buffer overflow in LZ4_write32 | LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk." |
libnettle6 | CVE-2018-16869 | 3.3-1 | LOW | nettle: Leaky data conversion exposing a manager oracle | A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server. |
libpcre3 | CVE-2017-11164 | 2:8.39-3 | HIGH | pcre: OP_KETRMAX feature in the match function in pcre_exec.c | In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression. |
CVE-2017-16231 | LOW | pcre: self-recursive call in match() in pcre_exec.c leads to denial of service | ** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used. | ||
CVE-2017-7245 | MEDIUM | pcre: stack-based buffer overflow write in pcre32_copy_substring | Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file. | ||
CVE-2017-7246 | MEDIUM | pcre: stack-based buffer overflow write in pcre32_copy_substring | Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file. | ||
libstdc++6 | CVE-2018-12886 | 6.3.0-18+deb9u1 | MEDIUM | gcc: spilling of stack protection address in cfgexpand.c and function.c leads to stack-overflow protection bypass | stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against. |
libtinfo5 | CVE-2018-19211 | 6.0+20161126-1+deb9u2 | MEDIUM | ncurses: Null pointer dereference at function _nc_parse_entry in parse_entry.c | In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a "dubious character `*' in name or alias field" detection. |
CVE-2019-17594 | MEDIUM | ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c | There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012. | ||
CVE-2019-17595 | MEDIUM | ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c | There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012. | ||
libuuid1 | CVE-2016-2779 | 2.29.2-1+deb9u1 | HIGH | util-linux: runuser tty hijack via TIOCSTI ioctl | runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer. |
libxtables12 | CVE-2012-2663 | 1.6.0+snapshot20161117-6 | HIGH | iptables: --syn flag bypass | extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant. |
CVE-2019-11360 | MEDIUM | A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c. | |||
multiarch-support | CVE-2009-5155 | 2.24-11+deb9u4 | MEDIUM | glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result | In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match. |
CVE-2010-4051 | MEDIUM | CVE-2010-4052 glibc: De-recursivise regular expression engine | The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a "RE_DUP_MAX overflow." | ||
CVE-2010-4052 | MEDIUM | CVE-2010-4051 CVE-2010-4052 glibc: De-recursivise regular expression engine | Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD. | ||
CVE-2010-4756 | MEDIUM | glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions | The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632. | ||
CVE-2015-8985 | MEDIUM | glibc: potential denial of service in pop_fail_stack() | The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing. | ||
CVE-2016-10228 | MEDIUM | glibc: iconv program can hang when invoked with the -c option | The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service. | ||
CVE-2016-10739 | MEDIUM | glibc: getaddrinfo should reject IP addresses with trailing characters | In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings. | ||
CVE-2017-12132 | MEDIUM | glibc: Fragmentation attacks possible when EDNS0 is enabled | The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation. | ||
CVE-2018-1000001 | HIGH | glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation | In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution. | ||
CVE-2018-20796 | MEDIUM | glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c | In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227 | ||
CVE-2018-6485 | HIGH | glibc: Integer overflow in posix_memalign in memalign functions | An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption. | ||
CVE-2018-6551 | HIGH | glibc: integer overflow in malloc functions | The malloc implementation in the GNU C Library (aka glibc or libc6), from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZE_MAX and could return a pointer to a heap region that is smaller than requested, eventually leading to heap corruption. | ||
CVE-2019-1010022 | HIGH | glibc: stack guard protection bypass | GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. | ||
CVE-2019-1010023 | MEDIUM | glibc: running ldd on malicious ELF leads to code execution because of wrong size computation | GNU Libc current is affected by: Re-mapping current loaded libray with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. | ||
CVE-2019-1010024 | MEDIUM | glibc: ASLR bypass using cache of thread stack and heap | GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. | ||
CVE-2019-1010025 | MEDIUM | glibc: information disclosure of heap addresses of pthread_created thread | ** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability." | ||
CVE-2019-19126 | LOW | glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries | On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program. | ||
CVE-2019-6488 | MEDIUM | glibc: Incorrect attempt to use a 64-bit register for size_t in assembly codes results in segmentation fault | The string component in the GNU C Library (aka glibc or libc6) through 2.28, when running on the x32 architecture, incorrectly attempts to use a 64-bit register for size_t in assembly codes, which can lead to a segmentation fault or possibly unspecified other impact, as demonstrated by a crash in __memmove_avx_unaligned_erms in sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S during a memcpy. | ||
CVE-2019-7309 | LOW | glibc: memcmp function incorrectly returns zero | In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled. | ||
CVE-2019-9169 | HIGH | glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read | In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match. | ||
CVE-2019-9192 | MEDIUM | glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c | ** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '( | ||
passwd | CVE-2007-5686 | 1:4.4-4.1 | MEDIUM | initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers. | |
CVE-2013-4235 | LOW | shadow-utils: TOCTOU race conditions by copying and removing directory trees | shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees | ||
CVE-2017-12424 | HIGH | shadow-utils: Buffer overflow via newusers tool | In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts. | ||
CVE-2018-7169 | MEDIUM | shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege escalation | An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation. | ||
CVE-2019-19882 | MEDIUM | shadow-utils: local users can obtain root access because setuid programs are misconfigured | shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8). | ||
TEMP-0628843-DBAD28 | LOW | ||||
perl-base | CVE-2011-4116 | 5.24.1-3+deb9u5 | MEDIUM | perl: File::Temp insecure temporary file handling | _is_safe in the File::Temp module for Perl does not properly handle symlinks. |
tar | CVE-2005-2541 | 1.29b-1.1 | CRITICAL | Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges. | |
CVE-2018-20482 | LOW | tar: Infinite read loop in sparse_dump_region function in sparse.c | GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root). | ||
CVE-2019-9923 | MEDIUM | tar: null-pointer dereference in pax_decode_header in sparse.c | pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers. | ||
TEMP-0290435-0B57B5 | LOW |
Remediation:
If this image is from a third-party application or Helm chart, try updating
to the latest version. If this doesn't solve the issue, let the maintainers
know that the image they're using may contain vulnerabilities, e.g. by
filing an issue on GitHub.
If this image is from an application you own, try updating the base image (currently debian 9.8),
as well as any libraries you're installing on top of it. If this doesn't solve
the issue, let the maintainer of the base image or offending libraries
know, e.g. by filing an issue on GitHub.
For Pod kube-apiserver-kind-control-plane in namespace kube-system
Description:
Image Name: k8s.gcr.io/kube-apiserver:v1.16.3
From sha256:392249bd869670a8d19a7160d1fb3e94012825366d80aa0e4ef4d73f074bbaa2:
Package | CVE | Version | Severity | Title | Description |
---|---|---|---|---|---|
coreutils | CVE-2016-2781 | 8.26-3 | LOW | coreutils: Non-privileged session can escape to the parent session in chroot | chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer. |
CVE-2017-18018 | LOW | coreutils: race condition vulnerability in chown and chgrp | In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition. | ||
gpgv | CVE-2018-1000858 | 2.1.18-8~deb9u4 | MEDIUM | gnupg2: Cross site request forgery in dirmngr resulting in an information disclosure or denial of service | GnuPG version 2.1.12 - 2.2.11 contains a Cross ite Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF, Information Disclosure, DoS. This attack appear to be exploitable via Victim must perform a WKD request, e.g. enter an email address in the composer window of Thunderbird/Enigmail. This vulnerability appears to have been fixed in after commit 4a4bb874f63741026bd26264c43bb32b1099f060. |
CVE-2018-9234 | MEDIUM | GnuPG: Unenforced configuration allows for apparently valid certifications actually signed by signing subkeys | GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey. | ||
CVE-2019-14855 | LOW | ||||
libapt-pkg5.0 | CVE-2011-3374 | 1.4.9 | MEDIUM | It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack. | |
libbz2-1.0 | CVE-2019-12900 | 1.0.6-8.1 | HIGH | bzip2: out-of-bounds write in function BZ2_decompress | BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors. |
libcomerr2 | CVE-2019-5094 | 1.43.4-2 | MEDIUM | e2fsprogs: crafted ext4 partition leads to out-of-bounds write | An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. |
CVE-2019-5188 | MEDIUM | e2fsprogs: Out-of-bounds write in e2fsck/rehash.c | A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. | ||
libelf1 | CVE-2018-16062 | 0.168-1 | MEDIUM | elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file | dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file. |
CVE-2018-16402 | HIGH | elfutils: Double-free due to double decompression of sections in crafted ELF causes crash | libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice. | ||
CVE-2018-16403 | MEDIUM | elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash | libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash. | ||
CVE-2018-18310 | MEDIUM | elfutils: invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl | An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes. | ||
CVE-2018-18520 | MEDIUM | elfutils: eu-size cannot handle recursive ar files | An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file. | ||
CVE-2018-18521 | MEDIUM | elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c | Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled. | ||
CVE-2019-7148 | MEDIUM | elfutils: excessive memory allocation in read_long_names in elf_begin.c in libelf | DISPUTED An attempted excessive memory allocation was discovered in the function read_long_names in elf_begin.c in libelf in elfutils 0.174. Remote attackers could leverage this vulnerability to cause a denial-of-service via crafted elf input, which leads to an out-of-memory exception. NOTE: The maintainers believe this is not a real issue, but instead a "warning caused by ASAN because the allocation is big. By setting ASAN_OPTIONS=allocator_may_return_null=1 and running the reproducer, nothing happens." | ||
CVE-2019-7149 | MEDIUM | elfutils: heap-based buffer over-read in read_srclines in dwarf_getsrclines.c in libdw | A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by eu-nm. | ||
CVE-2019-7150 | MEDIUM | elfutils: segmentation fault in elf64_xlatetom in libelf/elf32_xlatetom.c | An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack. | ||
CVE-2019-7664 | MEDIUM | elfutils: out of bound write in elf_cvt_note in libelf/note_xlate.h | In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial of service (program crash). | ||
CVE-2019-7665 | MEDIUM | elfutils: heap-based buffer over-read in function elf32_xlatetom in elf32_xlatetom.c | In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes. | ||
libgcrypt20 | CVE-2018-6829 | 1.7.6-2+deb9u3 | MEDIUM | libgcrypt: ElGamal implementation doesn't have semantic security due to incorrectly encoded plaintexts possibly allowing to obtain sensitive information | cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation. |
CVE-2019-12904 | MEDIUM | Libgcrypt: physical addresses being available to other processes leads to a flush-and-reload side-channel attack | In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.) | ||
CVE-2019-13627 | MEDIUM | libgcrypt: ECDSA timing attack in the libgcrypt20 cryptographic library | It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7. | ||
liblz4-1 | CVE-2019-17543 | 0.0~r131-2 | MEDIUM | lz4: heap-based buffer overflow in LZ4_write32 | LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk." |
libnettle6 | CVE-2018-16869 | 3.3-1 | LOW | nettle: Leaky data conversion exposing a manager oracle | A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server. |
libpcre3 | CVE-2017-11164 | 2:8.39-3 | HIGH | pcre: OP_KETRMAX feature in the match function in pcre_exec.c | In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression. |
CVE-2017-16231 | LOW | pcre: self-recursive call in match() in pcre_exec.c leads to denial of service | ** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used. | ||
CVE-2017-7245 | MEDIUM | pcre: stack-based buffer overflow write in pcre32_copy_substring | Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file. | ||
CVE-2017-7246 | MEDIUM | pcre: stack-based buffer overflow write in pcre32_copy_substring | Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file. | ||
libstdc++6 | CVE-2018-12886 | 6.3.0-18+deb9u1 | MEDIUM | gcc: spilling of stack protection address in cfgexpand.c and function.c leads to stack-overflow protection bypass | stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against. |
libtinfo5 | CVE-2018-19211 | 6.0+20161126-1+deb9u2 | MEDIUM | ncurses: Null pointer dereference at function _nc_parse_entry in parse_entry.c | In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a "dubious character `*' in name or alias field" detection. |
CVE-2019-17594 | MEDIUM | ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c | There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012. | ||
CVE-2019-17595 | MEDIUM | ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c | There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012. | ||
libuuid1 | CVE-2016-2779 | 2.29.2-1+deb9u1 | HIGH | util-linux: runuser tty hijack via TIOCSTI ioctl | runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer. |
multiarch-support | CVE-2009-5155 | 2.24-11+deb9u4 | MEDIUM | glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result | In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match. |
CVE-2010-4051 | MEDIUM | CVE-2010-4052 glibc: De-recursivise regular expression engine | The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a "RE_DUP_MAX overflow." | ||
CVE-2010-4052 | MEDIUM | CVE-2010-4051 CVE-2010-4052 glibc: De-recursivise regular expression engine | Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD. | ||
CVE-2010-4756 | MEDIUM | glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions | The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632. | ||
CVE-2015-8985 | MEDIUM | glibc: potential denial of service in pop_fail_stack() | The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing. | ||
CVE-2016-10228 | MEDIUM | glibc: iconv program can hang when invoked with the -c option | The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service. | ||
CVE-2016-10739 | MEDIUM | glibc: getaddrinfo should reject IP addresses with trailing characters | In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings. | ||
CVE-2017-12132 | MEDIUM | glibc: Fragmentation attacks possible when EDNS0 is enabled | The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation. | ||
CVE-2018-1000001 | HIGH | glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation | In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution. | ||
CVE-2018-20796 | MEDIUM | glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c | In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227 | ||
CVE-2018-6485 | HIGH | glibc: Integer overflow in posix_memalign in memalign functions | An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption. | ||
CVE-2018-6551 | HIGH | glibc: integer overflow in malloc functions | The malloc implementation in the GNU C Library (aka glibc or libc6), from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZE_MAX and could return a pointer to a heap region that is smaller than requested, eventually leading to heap corruption. | ||
CVE-2019-1010022 | HIGH | glibc: stack guard protection bypass | GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. | ||
CVE-2019-1010023 | MEDIUM | glibc: running ldd on malicious ELF leads to code execution because of wrong size computation | GNU Libc current is affected by: Re-mapping current loaded libray with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. | ||
CVE-2019-1010024 | MEDIUM | glibc: ASLR bypass using cache of thread stack and heap | GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. | ||
CVE-2019-1010025 | MEDIUM | glibc: information disclosure of heap addresses of pthread_created thread | ** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability." | ||
CVE-2019-19126 | LOW | glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries | On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program. | ||
CVE-2019-6488 | MEDIUM | glibc: Incorrect attempt to use a 64-bit register for size_t in assembly codes results in segmentation fault | The string component in the GNU C Library (aka glibc or libc6) through 2.28, when running on the x32 architecture, incorrectly attempts to use a 64-bit register for size_t in assembly codes, which can lead to a segmentation fault or possibly unspecified other impact, as demonstrated by a crash in __memmove_avx_unaligned_erms in sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S during a memcpy. | ||
CVE-2019-7309 | LOW | glibc: memcmp function incorrectly returns zero | In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled. | ||
CVE-2019-9169 | HIGH | glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read | In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match. | ||
CVE-2019-9192 | MEDIUM | glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c | ** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '( | ||
passwd | CVE-2007-5686 | 1:4.4-4.1 | MEDIUM | initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers. | |
CVE-2013-4235 | LOW | shadow-utils: TOCTOU race conditions by copying and removing directory trees | shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees | ||
CVE-2017-12424 | HIGH | shadow-utils: Buffer overflow via newusers tool | In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts. | ||
CVE-2018-7169 | MEDIUM | shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege escalation | An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation. | ||
CVE-2019-19882 | MEDIUM | shadow-utils: local users can obtain root access because setuid programs are misconfigured | shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8). | ||
TEMP-0628843-DBAD28 | LOW | ||||
perl-base | CVE-2011-4116 | 5.24.1-3+deb9u5 | MEDIUM | perl: File::Temp insecure temporary file handling | _is_safe in the File::Temp module for Perl does not properly handle symlinks. |
tar | CVE-2005-2541 | 1.29b-1.1 | CRITICAL | Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges. | |
CVE-2018-20482 | LOW | tar: Infinite read loop in sparse_dump_region function in sparse.c | GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root). | ||
CVE-2019-9923 | MEDIUM | tar: null-pointer dereference in pax_decode_header in sparse.c | pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers. | ||
TEMP-0290435-0B57B5 | LOW |
Remediation:
If this image is from a third-party application or Helm chart, try updating
to the latest version. If this doesn't solve the issue, let the maintainers
know that the image they're using may contain vulnerabilities, e.g. by
filing an issue on GitHub.
If this image is from an application you own, try updating the base image (currently debian 9.8),
as well as any libraries you're installing on top of it. If this doesn't solve
the issue, let the maintainer of the base image or offending libraries
know, e.g. by filing an issue on GitHub.
For Pod nginx-failure in namespace default
Description:
If runAsNonRoot
is not set to true, containers are allowed to run as the root user.
This makes it easier for an attacker to gain access to resources on the host, especially
when used in combination
with other security configurations (like adding additional capabilities
or procMount
).
Occasionally, there may be good reason for a container process to run as the root user,
but unless you have an explicit need, setting runAsNonRoot=true
will greatly reduce
security risk.
References
Remediation:
In your workload configuration, set securityContext.runAsNonRoot=true
. This can be set at either
the container level (in which case it needs to be set for all containers) or at the pod level
(where it will become the default for all containers).
If the corresponding container is currently running as the root user,
you will also need to do one of the following to change it to run as a non-root user:
securityContext.runAsUser
to a non-zero integerUSER 1000
If there are no non-root users in the Docker image, you may also need to create one
in the Dockerfile, e.g. with
RUN useradd nonroot -u 1000 --user-group
If you're changing from a root user to a non-root user, be on the lookout for issues with
things like file permissions - you may need to utilize chown
and chmod
in your Dockerfile
to get things running properly.
Examples
At pod level
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
At the container level
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo
spec:
containers:
- name: busybox
image: busybox
securityContext:
runAsNonRoot: true
runAsUser: 1000
For Pod nginx-failure in namespace default
Description:
Readiness probes are designed to ensure that an application has reached a "ready" state -
e.g. it's ready to serve traffic to your end-users.
In many cases there is a period of time between when a webserver process starts and when
it is ready to receive traffic; for example, your app may need some time to connect to a
database or download configuration. Your application may also intermittently need to
stop serving traffic, e.g. to reconnect to the database.
When a readiness probe fails on a particular pod, Kubernetes will divert traffic
away from that pod, preferring pods that are in a ready state. Not setting a readiness
probe can lead to gaps in service or inconsistencies if users
connect to a pod which is not yet ready for traffic.
References
Remediation:
Add a readinessProbe
to your container spec.
It's up to you how to decide if your application is ready for traffic. You might
check that you're able to connect to your database, or ensure that a configuration
file exists.
You can configure your readiness probe
to execute a command or check for a healthy HTTP/TCP response.
Examples
Using an HTTP request
apiVersion: v1
kind: Pod
metadata:
name: busybox
spec:
containers:
- name: busybox
image: busybox
readinessProbe:
httpGet:
path: /health
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
Using a command
apiVersion: v1
kind: Pod
metadata:
name: busybox
spec:
containers:
- name: busybox
image: busybox
args:
- /bin/bash
- -c
- sleep 30; touch /tmp/ready
readinessProbe:
exec:
command:
- cat
- /tmp/ready
initialDelaySeconds: 5
periodSeconds: 10
For StatefulSet fwinsights-postgresql in namespace fwinsights
Description:
View this CVE in the Vulnerabilities page for more details
Remediation:
If this image is from a third-party application or Helm chart, try updating
to the latest version. If this doesn't solve the issue, let the maintainers
know that the image they're using may contain vulnerabilities, e.g. by
filing an issue on GitHub.
If this image is from an application you own, try updating the base image (currently debian 9.11),
as well as any libraries you're installing on top of it. If this doesn't solve
the issue, let the maintainer of the base image or offending libraries
know, e.g. by filing an issue on GitHub.
For ReplicaSet datadog-cluster-agent-6bf6dd6657 in namespace infra
Description:
View this CVE in the Vulnerabilities page for more details
Remediation:
If this image is from a third-party application or Helm chart, try updating
to the latest version. If this doesn't solve the issue, let the maintainers
know that the image they're using may contain vulnerabilities, e.g. by
filing an issue on GitHub.
If this image is from an application you own, try updating the base image (currently debian 10.0),
as well as any libraries you're installing on top of it. If this doesn't solve
the issue, let the maintainer of the base image or offending libraries
know, e.g. by filing an issue on GitHub.
For Node kind-control-plane in namespace
Description:
Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)
Audit: ps -ef | grep etcd | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %U:%G
Remediation:
On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
from the below command:
ps -ef | grep etcd
Run the below command (based on the etcd data directory found above).
For example, chown etcd:etcd /var/lib/etcd
For Deployment nginx-deployment in namespace
Description:
Kubernetes will often cache images on worker nodes. By default, an image will only be pulled
if it isn't already cached on the node attempting to run it.
However, utilizing cached versions of a Docker image can be a reliability issue.
It can lead to different images running on different nodes, leading to inconsistent
behavior. It can also be a security issue, as a workload can access a cached image even if it
doesn't have permission to access the remote Docker repository (via imagePullSecret
).
Specifying pullPolicy=Always
will prevent these problems by ensuring the latest image is
downloaded every time a new pod is created.
References
Remediation:
In your Pod spec, set imagePullPolicy
to Always
Examples
apiVersion: v1
kind: Pod
metadata:
name: busybox
spec:
containers:
- name: busybox
image: busybox
imagePullPolicy: Always
command: [ "echo", "SUCCESS" ]
For Pod kube-apiserver-ip-172-20-30-225.ap-northeast-1.compute.internal in namespace kube-system
Description:
View this CVE in the Vulnerabilities page for more details
Remediation:
If this image is from a third-party application or Helm chart, try updating
to the latest version. If this doesn't solve the issue, let the maintainers
know that the image they're using may contain vulnerabilities, e.g. by
filing an issue on GitHub.
If this image is from an application you own, try updating the base image (currently debian 9.8),
as well as any libraries you're installing on top of it. If this doesn't solve
the issue, let the maintainer of the base image or offending libraries
know, e.g. by filing an issue on GitHub.
For Job cronjob-executor in namespace insights-agent
Description:
View this CVE in the Vulnerabilities page for more details
Remediation:
If this image is from a third-party application or Helm chart, try updating
to the latest version. If this doesn't solve the issue, let the maintainers
know that the image they're using may contain vulnerabilities, e.g. by
filing an issue on GitHub.
If this image is from an application you own, try updating the base image (currently debian 10.3),
as well as any libraries you're installing on top of it. If this doesn't solve
the issue, let the maintainer of the base image or offending libraries
know, e.g. by filing an issue on GitHub.
For Pod nginx-failure in namespace default
Description:
Under particular configurations, a container may be able to escalate its privileges.
Setting allowPrivilegeEscalation
to false will set the no_new_privs
flag
on the container process, preventing setuid
binaries from changing the effective user ID.
Setting this flag is particularly important when using runAsNonRoot
, which can otherwise be circumvented.
References
Remediation:
In your workload configuration, set securityContext.allowPrivilegeEscalation
to false
Note that your workload might currently rely on the ability to escalate its privileges -
be sure to test the change to ensure nothing breaks.
Examples
apiVersion: v1
kind: Pod
metadata:
name: busybox
spec:
containers:
- name: busybox
image: busybox
securityContext:
allowPrivilegeEscalation: false
For DaemonSet kindnet in namespace kube-system
Description:
Image Name: docker.io/kindest/kindnetd:0.5.3
From sha256:aa67fec7d7ef71445da9a84e9bc88afca2538e9a0aebcba6ef9509b7cf313d17:
Package | CVE | Version | Severity | Title | Description |
---|---|---|---|---|---|
coreutils | CVE-2016-2781 | 8.26-3 | LOW | coreutils: Non-privileged session can escape to the parent session in chroot | chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer. |
CVE-2017-18018 | LOW | coreutils: race condition vulnerability in chown and chgrp | In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition. | ||
gpgv | CVE-2018-1000858 | 2.1.18-8~deb9u4 | MEDIUM | gnupg2: Cross site request forgery in dirmngr resulting in an information disclosure or denial of service | GnuPG version 2.1.12 - 2.2.11 contains a Cross ite Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF, Information Disclosure, DoS. This attack appear to be exploitable via Victim must perform a WKD request, e.g. enter an email address in the composer window of Thunderbird/Enigmail. This vulnerability appears to have been fixed in after commit 4a4bb874f63741026bd26264c43bb32b1099f060. |
CVE-2018-9234 | MEDIUM | GnuPG: Unenforced configuration allows for apparently valid certifications actually signed by signing subkeys | GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey. | ||
CVE-2019-14855 | LOW | ||||
libapt-pkg5.0 | CVE-2011-3374 | 1.4.9 | MEDIUM | It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack. | |
libbz2-1.0 | CVE-2019-12900 | 1.0.6-8.1 | HIGH | bzip2: out-of-bounds write in function BZ2_decompress | BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors. |
libcomerr2 | CVE-2019-5094 | 1.43.4-2 | MEDIUM | e2fsprogs: crafted ext4 partition leads to out-of-bounds write | An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. |
CVE-2019-5188 | MEDIUM | e2fsprogs: Out-of-bounds write in e2fsck/rehash.c | A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. | ||
libelf1 | CVE-2018-16062 | 0.168-1 | MEDIUM | elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file | dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file. |
CVE-2018-16402 | HIGH | elfutils: Double-free due to double decompression of sections in crafted ELF causes crash | libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice. | ||
CVE-2018-16403 | MEDIUM | elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash | libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash. | ||
CVE-2018-18310 | MEDIUM | elfutils: invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl | An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes. | ||
CVE-2018-18520 | MEDIUM | elfutils: eu-size cannot handle recursive ar files | An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file. | ||
CVE-2018-18521 | MEDIUM | elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c | Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled. | ||
CVE-2019-7148 | MEDIUM | elfutils: excessive memory allocation in read_long_names in elf_begin.c in libelf | DISPUTED An attempted excessive memory allocation was discovered in the function read_long_names in elf_begin.c in libelf in elfutils 0.174. Remote attackers could leverage this vulnerability to cause a denial-of-service via crafted elf input, which leads to an out-of-memory exception. NOTE: The maintainers believe this is not a real issue, but instead a "warning caused by ASAN because the allocation is big. By setting ASAN_OPTIONS=allocator_may_return_null=1 and running the reproducer, nothing happens." | ||
CVE-2019-7149 | MEDIUM | elfutils: heap-based buffer over-read in read_srclines in dwarf_getsrclines.c in libdw | A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by eu-nm. | ||
CVE-2019-7150 | MEDIUM | elfutils: segmentation fault in elf64_xlatetom in libelf/elf32_xlatetom.c | An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack. | ||
CVE-2019-7664 | MEDIUM | elfutils: out of bound write in elf_cvt_note in libelf/note_xlate.h | In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial of service (program crash). | ||
CVE-2019-7665 | MEDIUM | elfutils: heap-based buffer over-read in function elf32_xlatetom in elf32_xlatetom.c | In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes. | ||
libgcrypt20 | CVE-2018-6829 | 1.7.6-2+deb9u3 | MEDIUM | libgcrypt: ElGamal implementation doesn't have semantic security due to incorrectly encoded plaintexts possibly allowing to obtain sensitive information | cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation. |
CVE-2019-12904 | MEDIUM | Libgcrypt: physical addresses being available to other processes leads to a flush-and-reload side-channel attack | In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.) | ||
CVE-2019-13627 | MEDIUM | libgcrypt: ECDSA timing attack in the libgcrypt20 cryptographic library | It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7. | ||
liblz4-1 | CVE-2019-17543 | 0.0~r131-2 | MEDIUM | lz4: heap-based buffer overflow in LZ4_write32 | LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk." |
libnettle6 | CVE-2018-16869 | 3.3-1 | LOW | nettle: Leaky data conversion exposing a manager oracle | A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server. |
libpcre3 | CVE-2017-11164 | 2:8.39-3 | HIGH | pcre: OP_KETRMAX feature in the match function in pcre_exec.c | In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression. |
CVE-2017-16231 | LOW | pcre: self-recursive call in match() in pcre_exec.c leads to denial of service | ** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used. | ||
CVE-2017-7245 | MEDIUM | pcre: stack-based buffer overflow write in pcre32_copy_substring | Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file. | ||
CVE-2017-7246 | MEDIUM | pcre: stack-based buffer overflow write in pcre32_copy_substring | Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file. | ||
libstdc++6 | CVE-2018-12886 | 6.3.0-18+deb9u1 | MEDIUM | gcc: spilling of stack protection address in cfgexpand.c and function.c leads to stack-overflow protection bypass | stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against. |
libtinfo5 | CVE-2018-19211 | 6.0+20161126-1+deb9u2 | MEDIUM | ncurses: Null pointer dereference at function _nc_parse_entry in parse_entry.c | In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a "dubious character `*' in name or alias field" detection. |
CVE-2019-17594 | MEDIUM | ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c | There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012. | ||
CVE-2019-17595 | MEDIUM | ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c | There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012. | ||
libuuid1 | CVE-2016-2779 | 2.29.2-1+deb9u1 | HIGH | util-linux: runuser tty hijack via TIOCSTI ioctl | runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer. |
libxtables12 | CVE-2012-2663 | 1.6.0+snapshot20161117-6 | HIGH | iptables: --syn flag bypass | extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant. |
CVE-2019-11360 | MEDIUM | A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c. | |||
multiarch-support | CVE-2009-5155 | 2.24-11+deb9u4 | MEDIUM | glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result | In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match. |
CVE-2010-4051 | MEDIUM | CVE-2010-4052 glibc: De-recursivise regular expression engine | The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a "RE_DUP_MAX overflow." | ||
CVE-2010-4052 | MEDIUM | CVE-2010-4051 CVE-2010-4052 glibc: De-recursivise regular expression engine | Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD. | ||
CVE-2010-4756 | MEDIUM | glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions | The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632. | ||
CVE-2015-8985 | MEDIUM | glibc: potential denial of service in pop_fail_stack() | The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing. | ||
CVE-2016-10228 | MEDIUM | glibc: iconv program can hang when invoked with the -c option | The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service. | ||
CVE-2016-10739 | MEDIUM | glibc: getaddrinfo should reject IP addresses with trailing characters | In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings. | ||
CVE-2017-12132 | MEDIUM | glibc: Fragmentation attacks possible when EDNS0 is enabled | The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation. | ||
CVE-2018-1000001 | HIGH | glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation | In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution. | ||
CVE-2018-20796 | MEDIUM | glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c | In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227 | ||
CVE-2018-6485 | HIGH | glibc: Integer overflow in posix_memalign in memalign functions | An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption. | ||
CVE-2018-6551 | HIGH | glibc: integer overflow in malloc functions | The malloc implementation in the GNU C Library (aka glibc or libc6), from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZE_MAX and could return a pointer to a heap region that is smaller than requested, eventually leading to heap corruption. | ||
CVE-2019-1010022 | HIGH | glibc: stack guard protection bypass | GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. | ||
CVE-2019-1010023 | MEDIUM | glibc: running ldd on malicious ELF leads to code execution because of wrong size computation | GNU Libc current is affected by: Re-mapping current loaded libray with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. | ||
CVE-2019-1010024 | MEDIUM | glibc: ASLR bypass using cache of thread stack and heap | GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. | ||
CVE-2019-1010025 | MEDIUM | glibc: information disclosure of heap addresses of pthread_created thread | ** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability." | ||
CVE-2019-19126 | LOW | glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries | On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program. | ||
CVE-2019-6488 | MEDIUM | glibc: Incorrect attempt to use a 64-bit register for size_t in assembly codes results in segmentation fault | The string component in the GNU C Library (aka glibc or libc6) through 2.28, when running on the x32 architecture, incorrectly attempts to use a 64-bit register for size_t in assembly codes, which can lead to a segmentation fault or possibly unspecified other impact, as demonstrated by a crash in __memmove_avx_unaligned_erms in sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S during a memcpy. | ||
CVE-2019-7309 | LOW | glibc: memcmp function incorrectly returns zero | In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled. | ||
CVE-2019-9169 | HIGH | glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read | In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match. | ||
CVE-2019-9192 | MEDIUM | glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c | ** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '( | ||
passwd | CVE-2007-5686 | 1:4.4-4.1 | MEDIUM | initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers. | |
CVE-2013-4235 | LOW | shadow-utils: TOCTOU race conditions by copying and removing directory trees | shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees | ||
CVE-2017-12424 | HIGH | shadow-utils: Buffer overflow via newusers tool | In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts. | ||
CVE-2018-7169 | MEDIUM | shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege escalation | An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation. | ||
CVE-2019-19882 | MEDIUM | shadow-utils: local users can obtain root access because setuid programs are misconfigured | shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8). | ||
TEMP-0628843-DBAD28 | LOW | ||||
perl-base | CVE-2011-4116 | 5.24.1-3+deb9u5 | MEDIUM | perl: File::Temp insecure temporary file handling | _is_safe in the File::Temp module for Perl does not properly handle symlinks. |
tar | CVE-2005-2541 | 1.29b-1.1 | CRITICAL | Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges. | |
CVE-2018-20482 | LOW | tar: Infinite read loop in sparse_dump_region function in sparse.c | GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root). | ||
CVE-2019-9923 | MEDIUM | tar: null-pointer dereference in pax_decode_header in sparse.c | pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers. | ||
TEMP-0290435-0B57B5 | LOW |
Remediation:
If this image is from a third-party application or Helm chart, try updating
to the latest version. If this doesn't solve the issue, let the maintainers
know that the image they're using may contain vulnerabilities, e.g. by
filing an issue on GitHub.
If this image is from an application you own, try updating the base image (currently debian 9.8),
as well as any libraries you're installing on top of it. If this doesn't solve
the issue, let the maintainer of the base image or offending libraries
know, e.g. by filing an issue on GitHub.
For Job cronjob-executor in namespace insights-agent
Description:
View this CVE in the Vulnerabilities page for more details
Remediation:
If this image is from a third-party application or Helm chart, try updating
to the latest version. If this doesn't solve the issue, let the maintainers
know that the image they're using may contain vulnerabilities, e.g. by
filing an issue on GitHub.
If this image is from an application you own, try updating the base image (currently debian 10.3),
as well as any libraries you're installing on top of it. If this doesn't solve
the issue, let the maintainer of the base image or offending libraries
know, e.g. by filing an issue on GitHub.
For StatefulSet fairwinds-insights-postgresql in namespace
Description:
Image Name: docker.io/bitnami/postgresql:11.8.0-debian-10-r13
From :
Package | CVE | Version | Severity | Title | Description |
---|---|---|---|---|---|
bash | CVE-2019-18276 | 5.0-4 | HIGH | bash: when effective UID is not equal to its real UID the saved UID is not dropped | An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected. |
TEMP-0841856-B18BAF | LOW | ||||
coreutils | CVE-2016-2781 | 8.30-3 | LOW | coreutils: Non-privileged session can escape to the parent session in chroot | chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer. |
CVE-2017-18018 | LOW | coreutils: race condition vulnerability in chown and chgrp | In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition. | ||
gpgv | CVE-2019-14855 | 2.2.12-1+deb10u1 | MEDIUM | gnupg2: OpenPGP Key Certification Forgeries with SHA-1 | A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18. |
libapt-pkg5.0 | CVE-2011-3374 | 1.8.2.1 | MEDIUM | It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack. | |
libbsd0 | CVE-2019-20367 | 0.9.1-2 | MEDIUM | nlist.c in libbsd before 0.10.0 has an out-of-bounds read during a comparison for a symbol name from the string table (strtab). | |
libcurl4 | CVE-2020-8169 | 7.64.0-4+deb10u1 | MEDIUM | libcurl: partial password leak over DNS on HTTP redirect | No description is available for this CVE. |
CVE-2020-8177 | MEDIUM | curl: command line arguments lead to local file overwrite | No description is available for this CVE. | ||
libgcrypt20 | CVE-2018-6829 | 1.8.4-5 | MEDIUM | libgcrypt: ElGamal implementation doesn't have semantic security due to incorrectly encoded plaintexts possibly allowing to obtain sensitive information | cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation. |
CVE-2019-12904 | MEDIUM | Libgcrypt: physical addresses being available to other processes leads to a flush-and-reload side-channel attack | In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.) | ||
CVE-2019-13627 | LOW | libgcrypt: ECDSA timing attack in the libgcrypt20 cryptographic library | It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7. | ||
libgnutls30 | CVE-2011-3389 | 3.6.7-4+deb10u3 | MEDIUM | HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST) | The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack. |
CVE-2020-13777 | MEDIUM | gnutls: session resumption works without master key allowing MITM | GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application. | ||
libidn2-0 | CVE-2019-12290 | 2.0.5-1+deb10u1 | MEDIUM | GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated. | |
libkrb5support0 | CVE-2004-0971 | 1.17-3 | LOW | security flaw | The krb5-send-pr script in the kerberos5 (krb5) package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files. |
CVE-2018-5709 | MEDIUM | krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c | An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data. | ||
libldap-common | CVE-2015-3276 | 2.4.47+dfsg-3+deb10u2 | MEDIUM | openldap: incorrect multi-keyword mode cipherstring parsing | The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors. |
CVE-2017-14159 | LOW | openldap: Privilege escalation via PID file manipulation | slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill cat /pathname " command, as demonstrated by openldap-initscript. |
||
CVE-2017-17740 | MEDIUM | openldap: contrib/slapd-modules/nops/nops.c attempts to free stack buffer allowing remote attackers to cause a denial of service | contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. | ||
liblz4-1 | CVE-2019-17543 | 1.8.3-1 | MEDIUM | lz4: heap-based buffer overflow in LZ4_write32 | LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk." |
libnghttp2-14 | TEMP-0000000-A4EF31 | 1.36.0-2+deb10u1 | LOW | ||
libpcre3 | CVE-2017-11164 | 2:8.39-12 | HIGH | pcre: OP_KETRMAX feature in the match function in pcre_exec.c | In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression. |
CVE-2017-16231 | LOW | pcre: self-recursive call in match() in pcre_exec.c leads to denial of service | ** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used. | ||
CVE-2017-7245 | MEDIUM | pcre: stack-based buffer overflow write in pcre32_copy_substring | Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file. | ||
CVE-2017-7246 | MEDIUM | pcre: stack-based buffer overflow write in pcre32_copy_substring | Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file. | ||
CVE-2019-20838 | MEDIUM | pcre: buffer over-read in JIT when UTF is disabled | libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \X or \R has more than one fixed quantifier, a related issue to CVE-2019-20454. | ||
CVE-2020-14155 | MEDIUM | pcre: integer overflow in libpcre | libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring. | ||
libseccomp2 | CVE-2019-9893 | 2.3.3-4 | HIGH | libseccomp: incorrect generation of syscall filters in libseccomp | libseccomp before 2.4.0 did not correctly generate 64-bit syscall argument comparisons using the arithmetic operators (LT, GT, LE, GE), which might able to lead to bypassing seccomp filters and potential privilege escalations. |
libsqlite3-0 | CVE-2019-16168 | 3.27.2-3 | MEDIUM | sqlite: division by zero in whereLoopAddBtreeIndex in sqlite3.c | In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in the query planner." |
CVE-2019-19242 | MEDIUM | sqlite: SQL injection in sqlite3ExprCodeTarget in expr.c | SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_COLUMN case in sqlite3ExprCodeTarget in expr.c. | ||
CVE-2019-19244 | MEDIUM | sqlite: allows a crash if a sub-select uses both DISTINCT and window functions and also has certain ORDER BY usage | sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage. | ||
CVE-2019-19603 | MEDIUM | sqlite: mishandles certain SELECT statements with a nonexistent VIEW, leading to DoS | SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW, leading to an application crash. | ||
CVE-2019-19645 | LOW | sqlite: infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements | alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements. | ||
CVE-2019-19923 | MEDIUM | sqlite: mishandling of certain uses of SELECT DISTINCT involving a LEFT JOIN in flattenSubquery in select.c leads to a NULL pointer dereference | flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses of SELECT DISTINCT involving a LEFT JOIN in which the right-hand side is a view. This can cause a NULL pointer dereference (or incorrect results). | ||
CVE-2019-19924 | MEDIUM | sqlite: incorrect sqlite3WindowRewrite() error handling leads to mishandling certain parser-tree rewriting | SQLite 3.30.1 mishandles certain parser-tree rewriting, related to expr.c, vdbeaux.c, and window.c. This is caused by incorrect sqlite3WindowRewrite() error handling. | ||
CVE-2019-19925 | MEDIUM | sqlite: zipfileUpdate in ext/misc/zipfile.c mishandles a NULL pathname during an update of a ZIP archive | zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL pathname during an update of a ZIP archive. | ||
CVE-2019-19959 | MEDIUM | sqlite: mishandles certain uses of INSERT INTO in situations involving embedded '\0' characters in filenames | ext/misc/zipfile.c in SQLite 3.30.1 mishandles certain uses of INSERT INTO in situations involving embedded '\0' characters in filenames, leading to a memory-management error that can be detected by (for example) valgrind. | ||
CVE-2019-20218 | MEDIUM | sqlite: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error | selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error. | ||
CVE-2020-11655 | MEDIUM | sqlite: malformed window-function query leads to DoS | SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled. | ||
CVE-2020-11656 | HIGH | sqlite: use-after-free in the ALTER TABLE implementation | In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement. | ||
CVE-2020-13434 | LOW | sqlite: integer overflow in sqlite3_str_vappendf function in printf.c | SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c. | ||
CVE-2020-13435 | LOW | sqlite: NULL pointer dereference leads to segmentation fault in sqlite3ExprCodeTarget in expr.c | SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c. | ||
CVE-2020-13630 | MEDIUM | sqlite: use-after-free in fts3EvalNextRow in ext/fts3/fts3.c | ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature. | ||
CVE-2020-13631 | LOW | sqlite: virtual table can be renamed into the name of one of its shadow tables | SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c. | ||
CVE-2020-13632 | LOW | sqlite: NULL pointer dereference in ext/fts3/fts3_snippet.c via a crafted matchinfo() query | ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query. | ||
CVE-2020-13871 | MEDIUM | sqlite: use-after-free in resetAccumulator in select.c | SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late. | ||
CVE-2020-15358 | HIGH | sqlite: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization in select.c | In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation. | ||
CVE-2020-9327 | MEDIUM | sqlite: NULL pointer dereference and segmentation fault because of generated column optimizations | In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations. | ||
libssh2-1 | CVE-2019-13115 | 1.8.0-2.1 | MEDIUM | libssh2: integer overflow in kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c leads to out-of-bounds write | In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855. |
CVE-2019-17498 | MEDIUM | libssh2: integer overflow in SSH_MSG_DISCONNECT logic in packet.c | In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. | ||
libstdc++6 | CVE-2018-12886 | 8.3.0-6 | MEDIUM | gcc: spilling of stack protection address in cfgexpand.c and function.c leads to stack-overflow protection bypass | stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against. |
CVE-2019-15847 | MEDIUM | gcc: POWER9 "DARN" RNG intrinsic produces repeated output | The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same. | ||
libtasn1-6 | CVE-2018-1000654 | 4.13-3 | HIGH | libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion | GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file. |
libudev1 | CVE-2013-4392 | 241-7~deb10u4 | LOW | systemd: TOCTOU race condition when updating file permissions and SELinux security contexts | systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files. |
CVE-2019-20386 | LOW | systemd: a memory leak was discovered in button_open in login/logind-button.c when udev events are received | An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur. | ||
CVE-2019-3843 | MEDIUM | systemd: services with DynamicUser can create SUID/SGID binaries | It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled. | ||
CVE-2019-3844 | MEDIUM | systemd: services with DynamicUser can get new privileges and create SGID binaries | It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled. | ||
CVE-2020-13776 | MEDIUM | systemd: mishandles numerical usernames beginning with decimal digits or 0x followed by hexadecimal digits | systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by hex digits, as demonstrated by use of root privileges when privileges of the 0x0 user account were intended. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000082. | ||
libxml2 | CVE-2016-9318 | 2.9.4+dfsg1-7 | MEDIUM | libxml2: XML External Entity vulnerability | libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document. |
CVE-2017-16932 | MEDIUM | libxml2: Infinite recursion in parameter entities | parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities. | ||
CVE-2017-18258 | MEDIUM | libxml2: Unrestricted memory usage in xz_head() function in xzlib.c | The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file. | ||
CVE-2018-14404 | MEDIUM | libxml2: NULL pointer dereference in xmlXPathCompOpEval() function in xpath.c | A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application. | ||
CVE-2018-14567 | MEDIUM | libxml2: Infinite loop caused by incorrect error detection during LZMA decompression | libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251. | ||
CVE-2019-19956 | MEDIUM | libxml2: There's a memory leak in xmlParseBalancedChunkMemoryRecover in parser.c that could result in a crash | xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs. | ||
CVE-2019-20388 | MEDIUM | libxml2: memory leak in xmlSchemaPreRun in xmlschemas.c | xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak. | ||
CVE-2020-7595 | MEDIUM | libxml2: infinite loop in xmlStringLenDecodeEntities in some end-of-file situations | xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. | ||
libxslt1.1 | CVE-2015-9019 | 1.1.32-2.2~deb10u1 | MEDIUM | libxslt: math.random() in xslt uses unseeded randomness | In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs. |
locales | CVE-2010-4051 | 2.28-10 | MEDIUM | CVE-2010-4052 glibc: De-recursivise regular expression engine | The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a "RE_DUP_MAX overflow." |
CVE-2010-4052 | MEDIUM | CVE-2010-4051 CVE-2010-4052 glibc: De-recursivise regular expression engine | Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD. | ||
CVE-2010-4756 | MEDIUM | glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions | The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632. | ||
CVE-2016-10228 | MEDIUM | glibc: iconv program can hang when invoked with the -c option | The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service. | ||
CVE-2018-20796 | MEDIUM | glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c | In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227 | ||
CVE-2019-1010022 | HIGH | glibc: stack guard protection bypass | GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. | ||
CVE-2019-1010023 | MEDIUM | glibc: running ldd on malicious ELF leads to code execution because of wrong size computation | GNU Libc current is affected by: Re-mapping current loaded libray with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. | ||
CVE-2019-1010024 | MEDIUM | glibc: ASLR bypass using cache of thread stack and heap | GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. | ||
CVE-2019-1010025 | MEDIUM | glibc: information disclosure of heap addresses of pthread_created thread | ** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability." | ||
CVE-2019-19126 | LOW | glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries | On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program. | ||
CVE-2019-9192 | MEDIUM | glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c | ** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '( | ||
CVE-2020-10029 | LOW | glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl functions | The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c. | ||
CVE-2020-1751 | MEDIUM | glibc: array overflow in backtrace functions for powerpc | An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability. | ||
CVE-2020-1752 | LOW | glibc: use-after-free in glob() function when expanding ~user | A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32. | ||
CVE-2020-6096 | MEDIUM | glibc: signed comparison vulnerability in the ARMv7 memcpy function | An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data. | ||
openssl | CVE-2007-6755 | 1.1.1d-0+deb10u3 | MEDIUM | Dual_EC_DRBG: weak pseudo random number generator | The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain "skeleton key" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE. |
CVE-2010-0928 | MEDIUM | openssl: RSA authentication weakness | OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack." | ||
CVE-2019-1551 | MEDIUM | openssl: Integer overflow in RSAZ modular exponentiation on x86_64 | There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t). | ||
passwd | CVE-2007-5686 | 1:4.5-1.1 | MEDIUM | initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers. | |
CVE-2013-4235 | LOW | shadow-utils: TOCTOU race conditions by copying and removing directory trees | shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees | ||
CVE-2018-7169 | MEDIUM | shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege escalation | An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation. | ||
CVE-2019-19882 | MEDIUM | shadow-utils: local users can obtain root access because setuid programs are misconfigured | shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8). | ||
TEMP-0628843-DBAD28 | LOW | ||||
perl-base | CVE-2011-4116 | 5.28.1-6 | MEDIUM | perl: File::Temp insecure temporary file handling | _is_safe in the File::Temp module for Perl does not properly handle symlinks. |
CVE-2020-10543 | MEDIUM | perl: heap-based buffer overflow in regular expression compiler leads to DoS | Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow. | ||
CVE-2020-10878 | HIGH | perl: corruption of intermediate language state of compiled regular expression due to integer overflow leads to DoS | Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection. | ||
CVE-2020-12723 | MEDIUM | perl: corruption of intermediate language state of compiled regular expression due to recursive S_study_chunk() calls leads to DoS | regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls. | ||
sysvinit-utils | TEMP-0517018-A83CE6 | 2.93-8 | LOW | ||
tar | CVE-2005-2541 | 1.30+dfsg-6 | CRITICAL | Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges. | |
CVE-2019-9923 | MEDIUM | tar: null-pointer dereference in pax_decode_header in sparse.c | pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers. | ||
TEMP-0290435-0B57B5 | LOW |
Remediation:
If this image is from a third-party application or Helm chart, try updating
to the latest version. If this doesn't solve the issue, let the maintainers
know that the image they're using may contain vulnerabilities, e.g. by
filing an issue on GitHub.
If this image is from an application you own, try updating the base image (currently debian 10.4),
as well as any libraries you're installing on top of it. If this doesn't solve
the issue, let the maintainer of the base image or offending libraries
know, e.g. by filing an issue on GitHub.
For Pod nginx-failure in namespace default
Description:
Docker's latest tag is applied by default to images where a tag hasn't been specified.
Not specifying a specific version of an image can lead to a wide variety of problems.
The underlying image could include unexpected breaking changes that break your application
whenever the latest image is pulled. Reusing the same tag for multiple versions of an image
can lead to different nodes in the same cluster having different versions of an image, even
if the tag is identical.
Remediation:
Add a tag to your image, e.g. image: hello_world:1.2.3
For Pod kube-scheduler-kind-control-plane in namespace kube-system
Description:
Every container running in Kubernetes comes with a configurable set of kernel-level
capabilities. Generally these capabilities are not needed by most workloads, and
can be exploited by an attacker who gains access to the container.
Many of the available capabilities are enabled by default in Kubernetes, including:
NET_ADMIN
CHOWN
DAC_OVERRIDE
FSETID
FOWNER
MKNOD
NET_RAW
SETGID
SETUID
SETFCAP
SETPCAP
NET_BIND_SERVICE
SYS_CHROOT
KILL
AUDIT_WRITE
Unless these capabilities are explicitly needed by your workload, they should be dropped.
References
Remediation:
The easiest way to remove insecure capabilities from your container is to drop
them all (see example below).
If particular capabilities are necessary for your workload to run properly,
Fairwinds recommends dropping all, and then explicitly adding the ones that are necessary
Examples
Drop all
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo
spec:
containers:
- name: busybox
image: busybox
securityContext:
capabilities:
drop:
- ALL
Add back necessary capabilities
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo
spec:
containers:
- name: busybox
image: busybox
securityContext:
capabilities:
drop:
- ALL
add:
- CHOWN
- SETUID
For Pod nginx-failure in namespace default
Description:
Setting CPU requests guarantees that your container will have at least that much CPU available.
Without CPU requests, a pod may be scheduled on a node that is already overutilized, and
will suffer from performance problems as a result.
For production-grade workloads, CPU requests should always be set.
References
Remediation:
Add CPU requests to each of your container specifications. CPU may be set in terms of
whole CPUs (e.g. 1.0
or .25
), or more commonly, in terms of millicpus (e.g. 1000m
or 250m
).
It's up to you to decide how much CPU to allocate to your application. Setting CPU requests
too high could potentially lead to cost overruns, whereas setting it too low may cause
performance issues.
Insights can help you determine your application's CPU usage via the
Prometheus Collector
and Goldilocks reports.
We strongly recommend you enable one or both of these reports to help determine appropriate resource
requests and limits.
Examples
apiVersion: v1
kind: Pod
metadata:
name: busybox
spec:
containers:
- name: busybox
image: busybox
resources:
requests:
memory: "64Mi"
cpu: "250m"
limits:
memory: "128Mi"
cpu: "500m"
For DaemonSet kube-flannel-ds in namespace kube-system
Description:
View this CVE in the Vulnerabilities page for more details
Remediation:
If this image is from a third-party application or Helm chart, try updating
to the latest version. If this doesn't solve the issue, let the maintainers
know that the image they're using may contain vulnerabilities, e.g. by
filing an issue on GitHub.
If this image is from an application you own, try updating the base image (currently alpine 3.8.2),
as well as any libraries you're installing on top of it. If this doesn't solve
the issue, let the maintainer of the base image or offending libraries
know, e.g. by filing an issue on GitHub.
For ReplicaSet cluster-autoscaler-aws-cluster-autoscaler-59b66849d4 in namespace cluster-autoscaler
Description:
View this CVE in the Vulnerabilities page for more details
Remediation:
If this image is from a third-party application or Helm chart, try updating
to the latest version. If this doesn't solve the issue, let the maintainers
know that the image they're using may contain vulnerabilities, e.g. by
filing an issue on GitHub.
If this image is from an application you own, try updating the base image (currently debian 9.8),
as well as any libraries you're installing on top of it. If this doesn't solve
the issue, let the maintainer of the base image or offending libraries
know, e.g. by filing an issue on GitHub.
For StatefulSet fwinsights-postgresql in namespace fwinsights
Description:
View this CVE in the Vulnerabilities page for more details
Remediation:
If this image is from a third-party application or Helm chart, try updating
to the latest version. If this doesn't solve the issue, let the maintainers
know that the image they're using may contain vulnerabilities, e.g. by
filing an issue on GitHub.
If this image is from an application you own, try updating the base image (currently debian 9.11),
as well as any libraries you're installing on top of it. If this doesn't solve
the issue, let the maintainer of the base image or offending libraries
know, e.g. by filing an issue on GitHub.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.