Closed mend-for-github-com[bot] closed 4 months ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
Vulnerable Library - github.com/docker/distribution-v2.8.0-beta.1
The toolkit to pack, ship, store, and deliver container content
Library home page: https://proxy.golang.org/github.com/docker/distribution/@v/v2.8.0-beta.1+incompatible.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2016-9122
### Vulnerable Library - github.com/docker/distribution-v2.8.0-beta.1
The toolkit to pack, ship, store, and deliver container content
Library home page: https://proxy.golang.org/github.com/docker/distribution/@v/v2.8.0-beta.1+incompatible.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy:
- :x: **github.com/docker/distribution-v2.8.0-beta.1** (Vulnerable Library)
Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417
Found in base branch: master
### Vulnerability Details
go-jose before 1.0.4 suffers from multiple signatures exploitation. The go-jose library supports messages with multiple signatures. However, when validating a signed message the API did not indicate which signature was valid, which could potentially lead to confusion. For example, users of the library might mistakenly read protected header values from an attached signature that was different from the one originally validated.
Publish Date: 2017-03-28
URL: CVE-2016-9122
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2020-0011
Release Date: 2017-03-28
Fix Resolution: v1.1.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
WS-2023-0431
### Vulnerable Library - github.com/docker/distribution-v2.8.0-beta.1
The toolkit to pack, ship, store, and deliver container content
Library home page: https://proxy.golang.org/github.com/docker/distribution/@v/v2.8.0-beta.1+incompatible.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy:
- :x: **github.com/docker/distribution-v2.8.0-beta.1** (Vulnerable Library)
Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417
Found in base branch: master
### Vulnerability Details
The go-jose package before 3.0.1 is subject to a "billion hashes attack" causing denial-of-service when decrypting JWE inputs. This occurs when an attacker can provide a PBES2 encrypted JWE blob with a very large p2c value that, when decrypted, produces a denial-of-service.
Publish Date: 2023-11-22
URL: WS-2023-0431
### CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-2c7c-3mj9-8fqh
Release Date: 2023-11-22
Fix Resolution: v3.0.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-2253
### Vulnerable Library - github.com/docker/distribution-v2.8.0-beta.1
The toolkit to pack, ship, store, and deliver container content
Library home page: https://proxy.golang.org/github.com/docker/distribution/@v/v2.8.0-beta.1+incompatible.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy:
- :x: **github.com/docker/distribution-v2.8.0-beta.1** (Vulnerable Library)
Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417
Found in base branch: master
### Vulnerability Details
A flaw was found in the `/v2/_catalog` endpoint in distribution/distribution, which accepts a parameter to control the maximum number of records returned (query string: `n`). This vulnerability allows a malicious user to submit an unreasonably large value for `n`, causing the allocation of a massive string array, possibly causing a denial of service through excessive use of memory.
Publish Date: 2023-06-06
URL: CVE-2023-2253
### CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-hqxw-f8mx-cpmw
Release Date: 2023-04-24
Fix Resolution: v2.8.2
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2016-9121
### Vulnerable Library - github.com/docker/distribution-v2.8.0-beta.1
The toolkit to pack, ship, store, and deliver container content
Library home page: https://proxy.golang.org/github.com/docker/distribution/@v/v2.8.0-beta.1+incompatible.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy:
- :x: **github.com/docker/distribution-v2.8.0-beta.1** (Vulnerable Library)
Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417
Found in base branch: master
### Vulnerability Details
go-jose before 1.0.4 suffers from an invalid curve attack for the ECDH-ES algorithm. When deriving a shared key using ECDH-ES for an encrypted message, go-jose neglected to check that the received public key on a message is on the same curve as the static private key of the receiver, thus making it vulnerable to an invalid curve attack.
Publish Date: 2017-03-28
URL: CVE-2016-9121
### CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-9121
Release Date: 2017-03-28
Fix Resolution: 1.0.4
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2020-11023
### Vulnerable Library - github.com/bugsnag/bugsnag-go-v1.5.3
Automatic panic monitoring for Go and Go web frameworks, like negroni, gin, and revel
Library home page: https://proxy.golang.org/github.com/bugsnag/bugsnag-go/@v/v1.5.3.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy:
- github.com/docker/distribution-v2.8.0-beta.1 (Root Library)
  - :x: **github.com/bugsnag/bugsnag-go-v1.5.3** (Vulnerable Library)
Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417
Found in base branch: master
### Vulnerability Details
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing
### CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix
Type: Upgrade version
Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0
CVE-2020-11022
### Vulnerable Library - github.com/bugsnag/bugsnag-go-v1.5.3
Automatic panic monitoring for Go and Go web frameworks, like negroni, gin, and revel
Library home page: https://proxy.golang.org/github.com/bugsnag/bugsnag-go/@v/v1.5.3.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy:
- github.com/docker/distribution-v2.8.0-beta.1 (Root Library)
  - :x: **github.com/bugsnag/bugsnag-go-v1.5.3** (Vulnerable Library)
Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417
Found in base branch: master
### Vulnerability Details
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
### CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
CVE-2019-8331
### Vulnerable Library - github.com/bugsnag/bugsnag-go-v1.5.3
Automatic panic monitoring for Go and Go web frameworks, like negroni, gin, and revel
Library home page: https://proxy.golang.org/github.com/bugsnag/bugsnag-go/@v/v1.5.3.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy:
- github.com/docker/distribution-v2.8.0-beta.1 (Root Library)
  - :x: **github.com/bugsnag/bugsnag-go-v1.5.3** (Vulnerable Library)
Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417
Found in base branch: master
### Vulnerability Details
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Publish Date: 2019-02-20
URL: CVE-2019-8331
### CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix
Type: Upgrade version
Release Date: 2019-02-20
Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1
CVE-2019-11358
### Vulnerable Library - github.com/bugsnag/bugsnag-go-v1.5.3
Automatic panic monitoring for Go and Go web frameworks, like negroni, gin, and revel
Library home page: https://proxy.golang.org/github.com/bugsnag/bugsnag-go/@v/v1.5.3.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy:
- github.com/docker/distribution-v2.8.0-beta.1 (Root Library)
  - :x: **github.com/bugsnag/bugsnag-go-v1.5.3** (Vulnerable Library)
Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417
Found in base branch: master
### Vulnerability Details
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
### CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: jquery - 3.4.0
CVE-2018-20677
### Vulnerable Library - github.com/bugsnag/bugsnag-go-v1.5.3
Automatic panic monitoring for Go and Go web frameworks, like negroni, gin, and revel
Library home page: https://proxy.golang.org/github.com/bugsnag/bugsnag-go/@v/v1.5.3.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy:
- github.com/docker/distribution-v2.8.0-beta.1 (Root Library)
  - :x: **github.com/bugsnag/bugsnag-go-v1.5.3** (Vulnerable Library)
Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417
Found in base branch: master
### Vulnerability Details
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
Publish Date: 2019-01-09
URL: CVE-2018-20677
### CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-20677
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0
CVE-2018-20676
### Vulnerable Library - github.com/bugsnag/bugsnag-go-v1.5.3
Automatic panic monitoring for Go and Go web frameworks, like negroni, gin, and revel
Library home page: https://proxy.golang.org/github.com/bugsnag/bugsnag-go/@v/v1.5.3.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy:
- github.com/docker/distribution-v2.8.0-beta.1 (Root Library)
  - :x: **github.com/bugsnag/bugsnag-go-v1.5.3** (Vulnerable Library)
Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417
Found in base branch: master
### Vulnerability Details
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
Publish Date: 2019-01-09
URL: CVE-2018-20676
### CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0
CVE-2018-14042
### Vulnerable Library - github.com/bugsnag/bugsnag-go-v1.5.3
Automatic panic monitoring for Go and Go web frameworks, like negroni, gin, and revel
Library home page: https://proxy.golang.org/github.com/bugsnag/bugsnag-go/@v/v1.5.3.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy:
- github.com/docker/distribution-v2.8.0-beta.1 (Root Library)
  - :x: **github.com/bugsnag/bugsnag-go-v1.5.3** (Vulnerable Library)
Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417
Found in base branch: master
### Vulnerability Details
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
Publish Date: 2018-07-13
URL: CVE-2018-14042
### CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix
Type: Upgrade version
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:3.4.0
CVE-2016-10735
### Vulnerable Library - github.com/bugsnag/bugsnag-go-v1.5.3
Automatic panic monitoring for Go and Go web frameworks, like negroni, gin, and revel
Library home page: https://proxy.golang.org/github.com/bugsnag/bugsnag-go/@v/v1.5.3.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy:
- github.com/docker/distribution-v2.8.0-beta.1 (Root Library)
  - :x: **github.com/bugsnag/bugsnag-go-v1.5.3** (Vulnerable Library)
Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417
Found in base branch: master
### Vulnerability Details
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041. Mend Note: Converted from WS-2018-0021, on 2022-11-08.
Publish Date: 2019-01-09
URL: CVE-2016-10735
### CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10735
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0, 4.0.0-beta.2
CVE-2015-9251
### Vulnerable Library - github.com/bugsnag/bugsnag-go-v1.5.3
Automatic panic monitoring for Go and Go web frameworks, like negroni, gin, and revel
Library home page: https://proxy.golang.org/github.com/bugsnag/bugsnag-go/@v/v1.5.3.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy:
- github.com/docker/distribution-v2.8.0-beta.1 (Root Library)
  - :x: **github.com/bugsnag/bugsnag-go-v1.5.3** (Vulnerable Library)
Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417
Found in base branch: master
### Vulnerability Details
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
### CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - 3.0.0
CVE-2023-48795
### Vulnerable Library - github.com/golang/crypto-v0.1.0
[mirror] Go supplementary cryptography libraries
Library home page: https://proxy.golang.org/github.com/golang/crypto/@v/v0.1.0.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy:
- github.com/docker/distribution-v2.8.0-beta.1 (Root Library)
  - :x: **github.com/golang/crypto-v0.1.0** (Vulnerable Library)
Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417
Found in base branch: master
### Vulnerability Details
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.
Publish Date: 2023-12-18
URL: CVE-2023-48795
### CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2023-48795
Release Date: 2023-12-18
Fix Resolution: putty - 0.80, openssh - V_9_6_P1, golang/crypto - v0.17.0, asyncssh - 2.14.2, libssh-0.9.8, libssh-0.10.6, teraterm - v5.1, paramiko - 3.4.0, russh - 0.40.2, com.github.mwiede:jsch:0.2.15, proftpd - v1.3.8b, thrussh - 0.35.1, teraterm - v5.1, org.connectbot:sshlib:2.2.22, mscdex/ssh2 - 1.15.0, jtesta/ssh-audit - v3.1.0, Oryx-Embedded/CycloneSSH - v2.3.4, opnsense/src - 23.7, winscp - 6.2.2, PowerShell/openssh-portable - v9.5.0.0
CVE-2021-4235
### Vulnerable Library - github.com/docker/distribution-v2.8.0-beta.1
The toolkit to pack, ship, store, and deliver container content
Library home page: https://proxy.golang.org/github.com/docker/distribution/@v/v2.8.0-beta.1+incompatible.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy:
- :x: **github.com/docker/distribution-v2.8.0-beta.1** (Vulnerable Library)
Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417
Found in base branch: master
### Vulnerability Details
Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.
Publish Date: 2022-12-27
URL: CVE-2021-4235
### CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Release Date: 2022-12-27
Fix Resolution: v2.2.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2016-9123
### Vulnerable Library - github.com/docker/distribution-v2.8.0-beta.1
The toolkit to pack, ship, store, and deliver container content
Library home page: https://proxy.golang.org/github.com/docker/distribution/@v/v2.8.0-beta.1+incompatible.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy:
- :x: **github.com/docker/distribution-v2.8.0-beta.1** (Vulnerable Library)
Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417
Found in base branch: master
### Vulnerability Details
go-jose before 1.0.5 suffers from a CBC-HMAC integer overflow on 32-bit architectures. An integer overflow could lead to authentication bypass for CBC-HMAC encrypted ciphertexts on 32-bit architectures.
Publish Date: 2017-03-28
URL: CVE-2016-9123
### CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2020-0009
Release Date: 2017-03-28
Fix Resolution: v1.0.5
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-28180
### Vulnerable Library - github.com/docker/distribution-v2.8.0-beta.1
The toolkit to pack, ship, store, and deliver container content
Library home page: https://proxy.golang.org/github.com/docker/distribution/@v/v2.8.0-beta.1+incompatible.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy:
- :x: **github.com/docker/distribution-v2.8.0-beta.1** (Vulnerable Library)
Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417
Found in base branch: master
### Vulnerability Details
Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.
Publish Date: 2024-03-09
URL: CVE-2024-28180
### CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low

### Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-28180
Release Date: 2024-03-09
Fix Resolution: v2.6.3,v3.0.3,v4.0.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2018-14040
### Vulnerable Library - github.com/bugsnag/bugsnag-go-v1.5.3
Automatic panic monitoring for Go and Go web frameworks, like negroni, gin, and revel
Library home page: https://proxy.golang.org/github.com/bugsnag/bugsnag-go/@v/v1.5.3.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy:
- github.com/docker/distribution-v2.8.0-beta.1 (Root Library)
  - :x: **github.com/bugsnag/bugsnag-go-v1.5.3** (Vulnerable Library)
Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417
Found in base branch: master
### Vulnerability Details
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
Publish Date: 2018-07-13
URL: CVE-2018-14040
### CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14040
Release Date: 2018-07-13
Fix Resolution: bootstrap - 3.4.0,4.1.2
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.