Gal-Doron / operator-registry

Operator Registry runs in a Kubernetes or OpenShift cluster to provide operator catalog data to Operator Lifecycle Manager.
Apache License 2.0

github.com/docker/distribution-v2.8.0-beta.1: 18 vulnerabilities (highest severity is: 7.5) - autoclosed #5

Closed mend-for-github-com[bot] closed 4 months ago

mend-for-github-com[bot] commented 2 years ago
## Vulnerable Library - github.com/docker/distribution-v2.8.0-beta.1

The toolkit to pack, ship, store, and deliver container content

Library home page: https://proxy.golang.org/github.com/docker/distribution/@v/v2.8.0-beta.1+incompatible.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417

## Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (github.com/docker/distribution-v2.8.0-beta.1 version) | Remediation Possible\*\* |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2016-9122 | High | 7.5 | github.com/docker/distribution-v2.8.0-beta.1 | Direct | v1.1.0 | |
| WS-2023-0431 | Medium | 6.5 | github.com/docker/distribution-v2.8.0-beta.1 | Direct | v3.0.1 | |
| CVE-2023-2253 | Medium | 6.5 | github.com/docker/distribution-v2.8.0-beta.1 | Direct | v2.8.2 | |
| CVE-2016-9121 | Medium | 6.5 | github.com/docker/distribution-v2.8.0-beta.1 | Direct | 1.0.4 | |
| CVE-2020-11023 | Medium | 6.1 | github.com/bugsnag/bugsnag-go-v1.5.3 | Transitive | N/A\* | |
| CVE-2020-11022 | Medium | 6.1 | github.com/bugsnag/bugsnag-go-v1.5.3 | Transitive | N/A\* | |
| CVE-2019-8331 | Medium | 6.1 | github.com/bugsnag/bugsnag-go-v1.5.3 | Transitive | N/A\* | |
| CVE-2019-11358 | Medium | 6.1 | github.com/bugsnag/bugsnag-go-v1.5.3 | Transitive | N/A\* | |
| CVE-2018-20677 | Medium | 6.1 | github.com/bugsnag/bugsnag-go-v1.5.3 | Transitive | N/A\* | |
| CVE-2018-20676 | Medium | 6.1 | github.com/bugsnag/bugsnag-go-v1.5.3 | Transitive | N/A\* | |
| CVE-2018-14042 | Medium | 6.1 | github.com/bugsnag/bugsnag-go-v1.5.3 | Transitive | N/A\* | |
| CVE-2016-10735 | Medium | 6.1 | github.com/bugsnag/bugsnag-go-v1.5.3 | Transitive | N/A\* | |
| CVE-2015-9251 | Medium | 6.1 | github.com/bugsnag/bugsnag-go-v1.5.3 | Transitive | N/A\* | |
| CVE-2023-48795 | Medium | 5.9 | github.com/golang/crypto-v0.1.0 | Transitive | N/A\* | |
| CVE-2021-4235 | Medium | 5.5 | github.com/docker/distribution-v2.8.0-beta.1 | Direct | v2.2.3 | |
| CVE-2016-9123 | Medium | 5.3 | github.com/docker/distribution-v2.8.0-beta.1 | Direct | v1.0.5 | |
| CVE-2024-28180 | Medium | 4.3 | github.com/docker/distribution-v2.8.0-beta.1 | Direct | v2.6.3, v3.0.3, v4.0.1 | |
| CVE-2018-14040 | Low | 3.7 | github.com/bugsnag/bugsnag-go-v1.5.3 | Transitive | N/A\* | |

\*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency where the vulnerability is fixed.

\*\*In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.

## Details

**CVE-2016-9122**

### Vulnerable Library - github.com/docker/distribution-v2.8.0-beta.1

The toolkit to pack, ship, store, and deliver container content

Library home page: https://proxy.golang.org/github.com/docker/distribution/@v/v2.8.0-beta.1+incompatible.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

- :x: **github.com/docker/distribution-v2.8.0-beta.1** (Vulnerable Library)

Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417

Found in base branch: master

### Vulnerability Details

go-jose before 1.0.4 suffers from multiple signatures exploitation. The go-jose library supports messages with multiple signatures. However, when validating a signed message the API did not indicate which signature was valid, which could potentially lead to confusion. For example, users of the library might mistakenly read protected header values from an attached signature that was different from the one originally validated.

Publish Date: 2017-03-28

URL: CVE-2016-9122

### CVSS 3 Score Details (7.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2020-0011

Release Date: 2017-03-28

Fix Resolution: v1.1.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**WS-2023-0431**

### Vulnerable Library - github.com/docker/distribution-v2.8.0-beta.1

The toolkit to pack, ship, store, and deliver container content

Library home page: https://proxy.golang.org/github.com/docker/distribution/@v/v2.8.0-beta.1+incompatible.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

- :x: **github.com/docker/distribution-v2.8.0-beta.1** (Vulnerable Library)

Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417

Found in base branch: master

### Vulnerability Details

The go-jose package before 3.0.1 is subject to a "billion hashes attack" causing denial-of-service when decrypting JWE inputs. This occurs when an attacker can provide a PBES2 encrypted JWE blob with a very large p2c value that, when decrypted, produces a denial-of-service.

Publish Date: 2023-11-22

URL: WS-2023-0431

### CVSS 3 Score Details (6.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-2c7c-3mj9-8fqh

Release Date: 2023-11-22

Fix Resolution: v3.0.1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2023-2253**

### Vulnerable Library - github.com/docker/distribution-v2.8.0-beta.1

The toolkit to pack, ship, store, and deliver container content

Library home page: https://proxy.golang.org/github.com/docker/distribution/@v/v2.8.0-beta.1+incompatible.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

- :x: **github.com/docker/distribution-v2.8.0-beta.1** (Vulnerable Library)

Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417

Found in base branch: master

### Vulnerability Details

A flaw was found in the `/v2/_catalog` endpoint in distribution/distribution, which accepts a parameter to control the maximum number of records returned (query string: `n`). This vulnerability allows a malicious user to submit an unreasonably large value for `n`, causing the allocation of a massive string array, possibly causing a denial of service through excessive use of memory.

Publish Date: 2023-06-06

URL: CVE-2023-2253

### CVSS 3 Score Details (6.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-hqxw-f8mx-cpmw

Release Date: 2023-04-24

Fix Resolution: v2.8.2

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2016-9121**

### Vulnerable Library - github.com/docker/distribution-v2.8.0-beta.1

The toolkit to pack, ship, store, and deliver container content

Library home page: https://proxy.golang.org/github.com/docker/distribution/@v/v2.8.0-beta.1+incompatible.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

- :x: **github.com/docker/distribution-v2.8.0-beta.1** (Vulnerable Library)

Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417

Found in base branch: master

### Vulnerability Details

go-jose before 1.0.4 suffers from an invalid curve attack for the ECDH-ES algorithm. When deriving a shared key using ECDH-ES for an encrypted message, go-jose neglected to check that the received public key on a message is on the same curve as the static private key of the receiver, thus making it vulnerable to an invalid curve attack.

Publish Date: 2017-03-28

URL: CVE-2016-9121

### CVSS 3 Score Details (6.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-9121

Release Date: 2017-03-28

Fix Resolution: 1.0.4

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2020-11023**

### Vulnerable Library - github.com/bugsnag/bugsnag-go-v1.5.3

Automatic panic monitoring for Go and Go web frameworks, like negroni, gin, and revel

Library home page: https://proxy.golang.org/github.com/bugsnag/bugsnag-go/@v/v1.5.3.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

- github.com/docker/distribution-v2.8.0-beta.1 (Root Library)
  - :x: **github.com/bugsnag/bugsnag-go-v1.5.3** (Vulnerable Library)

Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417

Found in base branch: master

### Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing

Publish Date: 2020-04-29

URL: CVE-2020-11023

### CVSS 3 Score Details (6.1)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6, https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

**CVE-2020-11022**

### Vulnerable Library - github.com/bugsnag/bugsnag-go-v1.5.3

Automatic panic monitoring for Go and Go web frameworks, like negroni, gin, and revel

Library home page: https://proxy.golang.org/github.com/bugsnag/bugsnag-go/@v/v1.5.3.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

- github.com/docker/distribution-v2.8.0-beta.1 (Root Library)
  - :x: **github.com/bugsnag/bugsnag-go-v1.5.3** (Vulnerable Library)

Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417

Found in base branch: master

### Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

### CVSS 3 Score Details (6.1)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

**CVE-2019-8331**

### Vulnerable Library - github.com/bugsnag/bugsnag-go-v1.5.3

Automatic panic monitoring for Go and Go web frameworks, like negroni, gin, and revel

Library home page: https://proxy.golang.org/github.com/bugsnag/bugsnag-go/@v/v1.5.3.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

- github.com/docker/distribution-v2.8.0-beta.1 (Root Library)
  - :x: **github.com/bugsnag/bugsnag-go-v1.5.3** (Vulnerable Library)

Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417

Found in base branch: master

### Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

### CVSS 3 Score Details (6.1)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Release Date: 2019-02-20

Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1

**CVE-2019-11358**

### Vulnerable Library - github.com/bugsnag/bugsnag-go-v1.5.3

Automatic panic monitoring for Go and Go web frameworks, like negroni, gin, and revel

Library home page: https://proxy.golang.org/github.com/bugsnag/bugsnag-go/@v/v1.5.3.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

- github.com/docker/distribution-v2.8.0-beta.1 (Root Library)
  - :x: **github.com/bugsnag/bugsnag-go-v1.5.3** (Vulnerable Library)

Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417

Found in base branch: master

### Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

### CVSS 3 Score Details (6.1)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: jquery - 3.4.0

**CVE-2018-20677**

### Vulnerable Library - github.com/bugsnag/bugsnag-go-v1.5.3

Automatic panic monitoring for Go and Go web frameworks, like negroni, gin, and revel

Library home page: https://proxy.golang.org/github.com/bugsnag/bugsnag-go/@v/v1.5.3.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

- github.com/docker/distribution-v2.8.0-beta.1 (Root Library)
  - :x: **github.com/bugsnag/bugsnag-go-v1.5.3** (Vulnerable Library)

Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417

Found in base branch: master

### Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

Publish Date: 2019-01-09

URL: CVE-2018-20677

### CVSS 3 Score Details (6.1)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-20677

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0

**CVE-2018-20676**

### Vulnerable Library - github.com/bugsnag/bugsnag-go-v1.5.3

Automatic panic monitoring for Go and Go web frameworks, like negroni, gin, and revel

Library home page: https://proxy.golang.org/github.com/bugsnag/bugsnag-go/@v/v1.5.3.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

- github.com/docker/distribution-v2.8.0-beta.1 (Root Library)
  - :x: **github.com/bugsnag/bugsnag-go-v1.5.3** (Vulnerable Library)

Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417

Found in base branch: master

### Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.

Publish Date: 2019-01-09

URL: CVE-2018-20676

### CVSS 3 Score Details (6.1)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0

**CVE-2018-14042**

### Vulnerable Library - github.com/bugsnag/bugsnag-go-v1.5.3

Automatic panic monitoring for Go and Go web frameworks, like negroni, gin, and revel

Library home page: https://proxy.golang.org/github.com/bugsnag/bugsnag-go/@v/v1.5.3.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

- github.com/docker/distribution-v2.8.0-beta.1 (Root Library)
  - :x: **github.com/bugsnag/bugsnag-go-v1.5.3** (Vulnerable Library)

Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417

Found in base branch: master

### Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.

Publish Date: 2018-07-13

URL: CVE-2018-14042

### CVSS 3 Score Details (6.1)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:3.4.0

**CVE-2016-10735**

### Vulnerable Library - github.com/bugsnag/bugsnag-go-v1.5.3

Automatic panic monitoring for Go and Go web frameworks, like negroni, gin, and revel

Library home page: https://proxy.golang.org/github.com/bugsnag/bugsnag-go/@v/v1.5.3.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

- github.com/docker/distribution-v2.8.0-beta.1 (Root Library)
  - :x: **github.com/bugsnag/bugsnag-go-v1.5.3** (Vulnerable Library)

Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417

Found in base branch: master

### Vulnerability Details

In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041. Mend Note: Converted from WS-2018-0021, on 2022-11-08.

Publish Date: 2019-01-09

URL: CVE-2016-10735

### CVSS 3 Score Details (6.1)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10735

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0, 4.0.0-beta.2

**CVE-2015-9251**

### Vulnerable Library - github.com/bugsnag/bugsnag-go-v1.5.3

Automatic panic monitoring for Go and Go web frameworks, like negroni, gin, and revel

Library home page: https://proxy.golang.org/github.com/bugsnag/bugsnag-go/@v/v1.5.3.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

- github.com/docker/distribution-v2.8.0-beta.1 (Root Library)
  - :x: **github.com/bugsnag/bugsnag-go-v1.5.3** (Vulnerable Library)

Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417

Found in base branch: master

### Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

### CVSS 3 Score Details (6.1)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - 3.0.0

**CVE-2023-48795**

### Vulnerable Library - github.com/golang/crypto-v0.1.0

[mirror] Go supplementary cryptography libraries

Library home page: https://proxy.golang.org/github.com/golang/crypto/@v/v0.1.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

- github.com/docker/distribution-v2.8.0-beta.1 (Root Library)
  - :x: **github.com/golang/crypto-v0.1.0** (Vulnerable Library)

Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417

Found in base branch: master

### Vulnerability Details

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

Publish Date: 2023-12-18

URL: CVE-2023-48795

### CVSS 3 Score Details (5.9)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2023-48795

Release Date: 2023-12-18

Fix Resolution: putty - 0.80, openssh - V_9_6_P1, golang/crypto - v0.17.0, asyncssh - 2.14.2, libssh-0.9.8, libssh-0.10.6, teraterm - v5.1, paramiko - 3.4.0, russh - 0.40.2, com.github.mwiede:jsch:0.2.15, proftpd - v1.3.8b, thrussh - 0.35.1, teraterm - v5.1, org.connectbot:sshlib:2.2.22, mscdex/ssh2 - 1.15.0, jtesta/ssh-audit - v3.1.0, Oryx-Embedded/CycloneSSH - v2.3.4, opnsense/src - 23.7, winscp - 6.2.2, PowerShell/openssh-portable - v9.5.0.0

**CVE-2021-4235**

### Vulnerable Library - github.com/docker/distribution-v2.8.0-beta.1

The toolkit to pack, ship, store, and deliver container content

Library home page: https://proxy.golang.org/github.com/docker/distribution/@v/v2.8.0-beta.1+incompatible.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

- :x: **github.com/docker/distribution-v2.8.0-beta.1** (Vulnerable Library)

Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417

Found in base branch: master

### Vulnerability Details

Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.

Publish Date: 2022-12-27

URL: CVE-2021-4235

### CVSS 3 Score Details (5.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Release Date: 2022-12-27

Fix Resolution: v2.2.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2016-9123**

### Vulnerable Library - github.com/docker/distribution-v2.8.0-beta.1

The toolkit to pack, ship, store, and deliver container content

Library home page: https://proxy.golang.org/github.com/docker/distribution/@v/v2.8.0-beta.1+incompatible.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

- :x: **github.com/docker/distribution-v2.8.0-beta.1** (Vulnerable Library)

Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417

Found in base branch: master

### Vulnerability Details

go-jose before 1.0.5 suffers from a CBC-HMAC integer overflow on 32-bit architectures. An integer overflow could lead to authentication bypass for CBC-HMAC encrypted ciphertexts on 32-bit architectures.

Publish Date: 2017-03-28

URL: CVE-2016-9123

### CVSS 3 Score Details (5.3)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2020-0009

Release Date: 2017-03-28

Fix Resolution: v1.0.5

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2024-28180**

### Vulnerable Library - github.com/docker/distribution-v2.8.0-beta.1

The toolkit to pack, ship, store, and deliver container content

Library home page: https://proxy.golang.org/github.com/docker/distribution/@v/v2.8.0-beta.1+incompatible.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

- :x: **github.com/docker/distribution-v2.8.0-beta.1** (Vulnerable Library)

Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417

Found in base branch: master

### Vulnerability Details

Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.

Publish Date: 2024-03-09

URL: CVE-2024-28180

### CVSS 3 Score Details (4.3)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low


### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-28180

Release Date: 2024-03-09

Fix Resolution: v2.6.3,v3.0.3,v4.0.1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

**CVE-2018-14040**

### Vulnerable Library - github.com/bugsnag/bugsnag-go-v1.5.3

Automatic panic monitoring for Go and Go web frameworks, like negroni, gin, and revel

Library home page: https://proxy.golang.org/github.com/bugsnag/bugsnag-go/@v/v1.5.3.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

- github.com/docker/distribution-v2.8.0-beta.1 (Root Library)
  - :x: **github.com/bugsnag/bugsnag-go-v1.5.3** (Vulnerable Library)

Found in HEAD commit: 2450865822b744535024a00af8448cba4c41d417

Found in base branch: master

### Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.

Publish Date: 2018-07-13

URL: CVE-2018-14040

### CVSS 3 Score Details (3.7)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14040

Release Date: 2018-07-13

Fix Resolution: bootstrap - 3.4.0,4.1.2


:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.

mend-for-github-com[bot] commented 2 years ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] commented 2 years ago

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

mend-for-github-com[bot] commented 2 years ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] commented 1 year ago

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

mend-for-github-com[bot] commented 4 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.