Closed emikolajczak closed 3 years ago
Hi, we have scanned the official Rocket.Chat docker image (3.9.7) with the Dockle and Trivy audit tools. Below you can find the results. Could you check and, if it is possible (an issue), fix these alerts?
Dockle:
```
dockle rocketchat/rocket.chat:3.9.7

FATAL - CIS-DI-0009: Use COPY instead of ADD in Dockerfile
  * Use COPY : /bin/sh -c #(nop) ADD dir:1bff38a2c35b62ea8aeb85837ba8ee4d4b5520aafb3ee25e8f33ed741d2d8121 in /app

FATAL - DKL-DI-0005: Clear apt-get caches
  * Use 'rm -rf /var/lib/apt/lists' after 'apt-get install' : /bin/sh -c groupadd -g 65533 -r rocketchat && useradd -u 65533 -r -g rocketchat rocketchat && mkdir -p /app/uploads && chown rocketchat:rocketchat /app/uploads && apt-get update && apt-get install -y --no-install-recommends fontconfig
  * Use 'rm -rf /var/lib/apt/lists' after 'apt-get install' : /bin/sh -c aptMark="$(apt-mark showmanual)" && apt-get install -y --no-install-recommends g++ make python ca-certificates && cd /app/bundle/programs/server && npm install && apt-mark auto '.*' > /dev/null && apt-mark manual $aptMark > /dev/null && find /usr/local -type f -executable -exec ldd '{}' ';' | awk '/=>/ { print $(NF-1) }' | sort -u | xargs -r dpkg-query --search | cut -d: -f1 | sort -u | xargs -r apt-mark manual && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false && npm cache clear --force && chown -R rocketchat:rocketchat /app

INFO - CIS-DI-0005: Enable Content trust for Docker
  * export DOCKER_CONTENT_TRUST=1 before docker pull/build

INFO - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
  * not found HEALTHCHECK statement

INFO - CIS-DI-0008: Confirm safety of setuid/setgid files
  * setuid file: urwxr-xr-x usr/bin/gpasswd
  * setgid file: grwxr-xr-x usr/bin/wall
  * setuid file: urwxr-xr-x usr/bin/passwd
  * setgid file: grwxr-xr-x usr/bin/expiry
  * setuid file: urwxr-xr-x usr/bin/chsh
  * setgid file: grwxr-xr-x sbin/unix_chkpwd
  * setuid file: urwxr-xr-x bin/su
  * setuid file: urwxr-xr-x usr/bin/chfn
  * setuid file: urwxr-xr-x usr/bin/newgrp
  * setuid file: urwxr-xr-x bin/mount
  * setgid file: grwxr-xr-x usr/bin/chage
  * setuid file: urwxr-xr-x bin/umount

INFO - DKL-LI-0003: Only put necessary files
  * unnecessary file : app/Dockerfile
  * Suspicious directory : root/.npm
```
Trivy:
```
2021-03-05T08:11:37.657+0100 INFO Detecting Debian vulnerabilities...
2021-03-05T08:11:37.663+0100 INFO Trivy skips scanning programming language libraries because no supported file was detected

rocketchat/rocket.chat:3.9.7 (debian 10.5)
==========================================
Total: 102 (UNKNOWN: 0, LOW: 69, MEDIUM: 13, HIGH: 20, CRITICAL: 0)
```

In the original output every CVE row also links to avd.aquasec.com/nvd/<vulnerability id>, and every TEMP row to security-tracker.debian.org/tracker/<id>; the table below lists the same rows with the merged cells filled in.

| Library | Vulnerability ID | Severity | Installed version | Fixed version | Title |
|---|---|---|---|---|---|
| apt | CVE-2020-27350 | MEDIUM | 1.8.2.1 | 1.8.2.2 | APT had several integer overflows and underflows while parsing .deb packages, aka... |
| apt | CVE-2011-3374 | LOW | 1.8.2.1 | | It was found that apt-key in apt, all versions, do not correctly... |
| bash | CVE-2019-18276 | LOW | 5.0-4 | | bash: when effective UID is not equal to its real UID the... |
| bash | TEMP-0841856-B18BAF | LOW | 5.0-4 | | |
| coreutils | CVE-2016-2781 | LOW | 8.30-3 | | coreutils: Non-privileged session can escape to the parent session in chroot |
| coreutils | CVE-2017-18018 | LOW | 8.30-3 | | coreutils: race condition vulnerability in chown and chgrp |
| gcc-8-base | CVE-2018-12886 | HIGH | 8.3.0-6 | | gcc: spilling of stack protection address in cfgexpand.c and function.c leads to... |
| gcc-8-base | CVE-2019-15847 | HIGH | 8.3.0-6 | | gcc: POWER9 "DARN" RNG intrinsic produces repeated output |
| gpgv | CVE-2019-14855 | LOW | 2.2.12-1+deb10u1 | | gnupg2: OpenPGP Key Certification Forgeries with SHA-1 |
| libapt-pkg5.0 | CVE-2020-27350 | MEDIUM | 1.8.2.1 | 1.8.2.2 | APT had several integer overflows and underflows while parsing .deb packages, aka... |
| libapt-pkg5.0 | CVE-2011-3374 | LOW | 1.8.2.1 | | It was found that apt-key in apt, all versions, do not correctly... |
| libc-bin | CVE-2020-1751 | HIGH | 2.28-10 | | glibc: array overflow in backtrace functions for powerpc |
| libc-bin | CVE-2020-1752 | HIGH | 2.28-10 | | glibc: use-after-free in glob() function when expanding ~user |
| libc-bin | CVE-2021-3326 | HIGH | 2.28-10 | | glibc: Assertion failure in ISO-2022-JP-3 gconv module related to combining characters |
| libc-bin | CVE-2019-25013 | MEDIUM | 2.28-10 | | glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in... |
| libc-bin | CVE-2020-10029 | MEDIUM | 2.28-10 | | glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl... |
| libc-bin | CVE-2020-27618 | MEDIUM | 2.28-10 | | glibc: iconv when processing invalid multi-byte input sequences fails to advance the... |
| libc-bin | CVE-2010-4051 | LOW | 2.28-10 | | CVE-2010-4052 glibc: De-recursivise regular expression engine |
| libc-bin | CVE-2010-4052 | LOW | 2.28-10 | | CVE-2010-4051 CVE-2010-4052 glibc: De-recursivise regular expression engine |
| libc-bin | CVE-2010-4756 | LOW | 2.28-10 | | glibc: glob implementation can cause excessive CPU and memory consumption due to... |
| libc-bin | CVE-2016-10228 | LOW | 2.28-10 | | glibc: iconv program can hang when invoked with the -c option |
| libc-bin | CVE-2018-20796 | LOW | 2.28-10 | | glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c |
| libc-bin | CVE-2019-1010022 | LOW | 2.28-10 | | glibc: stack guard protection bypass |
| libc-bin | CVE-2019-1010023 | LOW | 2.28-10 | | glibc: running ldd on malicious ELF leads to code execution because of... |
| libc-bin | CVE-2019-1010024 | LOW | 2.28-10 | | glibc: ASLR bypass using cache of thread stack and heap |
| libc-bin | CVE-2019-1010025 | LOW | 2.28-10 | | glibc: information disclosure of heap addresses of pthread_created thread |
| libc-bin | CVE-2019-19126 | LOW | 2.28-10 | | glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries |
| libc-bin | CVE-2019-9192 | LOW | 2.28-10 | | glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c |
| libc-bin | CVE-2020-6096 | LOW | 2.28-10 | | glibc: signed comparison vulnerability in the ARMv7 memcpy function |
| libc-bin | CVE-2021-27645 | LOW | 2.28-10 | | glibc: Use-after-free in addgetnetgrentX function in netgroupcache.c |
| libc6 | CVE-2020-1751 | HIGH | 2.28-10 | | glibc: array overflow in backtrace functions for powerpc |
| libc6 | CVE-2020-1752 | HIGH | 2.28-10 | | glibc: use-after-free in glob() function when expanding ~user |
| libc6 | CVE-2021-3326 | HIGH | 2.28-10 | | glibc: Assertion failure in ISO-2022-JP-3 gconv module related to combining characters |
| libc6 | CVE-2019-25013 | MEDIUM | 2.28-10 | | glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in... |
| libc6 | CVE-2020-10029 | MEDIUM | 2.28-10 | | glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl... |
| libc6 | CVE-2020-27618 | MEDIUM | 2.28-10 | | glibc: iconv when processing invalid multi-byte input sequences fails to advance the... |
| libc6 | CVE-2010-4051 | LOW | 2.28-10 | | CVE-2010-4052 glibc: De-recursivise regular expression engine |
| libc6 | CVE-2010-4052 | LOW | 2.28-10 | | CVE-2010-4051 CVE-2010-4052 glibc: De-recursivise regular expression engine |
| libc6 | CVE-2010-4756 | LOW | 2.28-10 | | glibc: glob implementation can cause excessive CPU and memory consumption due to... |
| libc6 | CVE-2016-10228 | LOW | 2.28-10 | | glibc: iconv program can hang when invoked with the -c option |
| libc6 | CVE-2018-20796 | LOW | 2.28-10 | | glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c |
| libc6 | CVE-2019-1010022 | LOW | 2.28-10 | | glibc: stack guard protection bypass |
| libc6 | CVE-2019-1010023 | LOW | 2.28-10 | | glibc: running ldd on malicious ELF leads to code execution because of... |
| libc6 | CVE-2019-1010024 | LOW | 2.28-10 | | glibc: ASLR bypass using cache of thread stack and heap |
| libc6 | CVE-2019-1010025 | LOW | 2.28-10 | | glibc: information disclosure of heap addresses of pthread_created thread |
| libc6 | CVE-2019-19126 | LOW | 2.28-10 | | glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries |
| libc6 | CVE-2019-9192 | LOW | 2.28-10 | | glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c |
| libc6 | CVE-2020-6096 | LOW | 2.28-10 | | glibc: signed comparison vulnerability in the ARMv7 memcpy function |
| libc6 | CVE-2021-27645 | LOW | 2.28-10 | | glibc: Use-after-free in addgetnetgrentX function in netgroupcache.c |
| libexpat1 | CVE-2013-0340 | LOW | 2.2.6-2+deb10u1 | | expat: internal entity expansion |
| libgcc1 | CVE-2018-12886 | HIGH | 8.3.0-6 | | gcc: spilling of stack protection address in cfgexpand.c and function.c leads to... |
| libgcc1 | CVE-2019-15847 | HIGH | 8.3.0-6 | | gcc: POWER9 "DARN" RNG intrinsic produces repeated output |
| libgcrypt20 | CVE-2019-13627 | MEDIUM | 1.8.4-5 | | libgcrypt: ECDSA timing attack allowing private key leak |
| libgcrypt20 | CVE-2018-6829 | LOW | 1.8.4-5 | | libgcrypt: ElGamal implementation doesn't have semantic security due to incorrectly encoded plaintexts... |
| libgnutls30 | CVE-2020-24659 | HIGH | 3.6.7-4+deb10u5 | | gnutls: Heap buffer overflow in handshake with no_renegotiation alert sent |
| libgnutls30 | CVE-2011-3389 | LOW | 3.6.7-4+deb10u5 | | HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST) |
| libidn2-0 | CVE-2019-12290 | HIGH | 2.0.5-1+deb10u1 | | GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in... |
| liblz4-1 | CVE-2019-17543 | LOW | 1.8.3-1 | | lz4: heap-based buffer overflow in LZ4_write32 |
| libp11-kit0 | CVE-2020-29361 | HIGH | 0.23.15-2 | 0.23.15-2+deb10u1 | p11-kit: integer overflow when allocating memory for arrays or attributes and object... |
| libp11-kit0 | CVE-2020-29363 | HIGH | 0.23.15-2 | 0.23.15-2+deb10u1 | p11-kit: out-of-bounds write in p11_rpc_buffer_get_byte_array_value function in rpc-message.c |
| libp11-kit0 | CVE-2020-29362 | MEDIUM | 0.23.15-2 | 0.23.15-2+deb10u1 | p11-kit: out-of-bounds read in p11_rpc_buffer_get_byte_array function in rpc-message.c |
| libpcre3 | CVE-2020-14155 | MEDIUM | 2:8.39-12 | | pcre: integer overflow in libpcre |
| libpcre3 | CVE-2017-11164 | LOW | 2:8.39-12 | | pcre: OP_KETRMAX feature in the match function in pcre_exec.c |
| libpcre3 | CVE-2017-16231 | LOW | 2:8.39-12 | | pcre: self-recursive call in match() in pcre_exec.c leads to denial of service... |
| libpcre3 | CVE-2017-7245 | LOW | 2:8.39-12 | | pcre: stack-based buffer overflow write in pcre32_copy_substring |
| libpcre3 | CVE-2017-7246 | LOW | 2:8.39-12 | | pcre: stack-based buffer overflow write in pcre32_copy_substring |
| libpcre3 | CVE-2019-20838 | LOW | 2:8.39-12 | | pcre: buffer over-read in JIT when UTF is disabled |
| libpng16-16 | CVE-2018-14048 | LOW | 1.6.36-6 | | libpng: Segmentation fault in png.c:png_free_data function causing denial of service |
| libpng16-16 | CVE-2018-14550 | LOW | 1.6.36-6 | | libpng: Stack-based buffer overflow in contrib/pngminus/pnm2png.c:get_token() potentially leading to arbitrary code execution... |
| libpng16-16 | CVE-2019-6129 | LOW | 1.6.36-6 | | libpng: memory leak of png_info struct in pngcp.c |
| libseccomp2 | CVE-2019-9893 | LOW | 2.3.3-4 | | libseccomp: incorrect generation of syscall filters in libseccomp |
| libstdc++6 | CVE-2018-12886 | HIGH | 8.3.0-6 | | gcc: spilling of stack protection address in cfgexpand.c and function.c leads to... |
| libstdc++6 | CVE-2019-15847 | HIGH | 8.3.0-6 | | gcc: POWER9 "DARN" RNG intrinsic produces repeated output |
| libsystemd0 | CVE-2019-3843 | HIGH | 241-7~deb10u4 | | systemd: services with DynamicUser can create SUID/SGID binaries |
| libsystemd0 | CVE-2019-3844 | HIGH | 241-7~deb10u4 | | systemd: services with DynamicUser can get new privileges and create SGID binaries... |
| libsystemd0 | CVE-2013-4392 | LOW | 241-7~deb10u4 | | systemd: TOCTOU race condition when updating file permissions and SELinux security contexts... |
| libsystemd0 | CVE-2019-20386 | LOW | 241-7~deb10u4 | | systemd: memory leak in button_open() in login/logind-button.c when udev events are received... |
| libsystemd0 | CVE-2020-13776 | LOW | 241-7~deb10u4 | | systemd: mishandles numerical usernames beginning with decimal digits or 0x followed by... |
| libtasn1-6 | CVE-2018-1000654 | LOW | 4.13-3 | | libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion |
| libudev1 | CVE-2019-3843 | HIGH | 241-7~deb10u4 | | systemd: services with DynamicUser can create SUID/SGID binaries |
| libudev1 | CVE-2019-3844 | HIGH | 241-7~deb10u4 | | systemd: services with DynamicUser can get new privileges and create SGID binaries... |
| libudev1 | CVE-2013-4392 | LOW | 241-7~deb10u4 | | systemd: TOCTOU race condition when updating file permissions and SELinux security contexts... |
| libudev1 | CVE-2019-20386 | LOW | 241-7~deb10u4 | | systemd: memory leak in button_open() in login/logind-button.c when udev events are received... |
| libudev1 | CVE-2020-13776 | LOW | 241-7~deb10u4 | | systemd: mishandles numerical usernames beginning with decimal digits or 0x followed by... |
| libzstd1 | CVE-2021-24031 | MEDIUM | 1.3.8+dfsg-3 | 1.3.8+dfsg-3+deb10u1 | zstd: adds read permissions to files while being compressed or uncompressed |
| libzstd1 | CVE-2021-24032 | MEDIUM | 1.3.8+dfsg-3 | 1.3.8+dfsg-3+deb10u2 | zstd: Race condition allows attacker to access world-readable destination file |
| login | CVE-2007-5686 | LOW | 1:4.5-1.1 | | initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file,... |
| login | CVE-2013-4235 | LOW | 1:4.5-1.1 | | shadow-utils: TOCTOU race conditions by copying and removing directory trees |
| login | CVE-2018-7169 | LOW | 1:4.5-1.1 | | shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege... |
| login | CVE-2019-19882 | LOW | 1:4.5-1.1 | | shadow-utils: local users can obtain root access because setuid programs are misconfigured... |
| login | TEMP-0628843-DBAD28 | LOW | 1:4.5-1.1 | | |
| passwd | CVE-2007-5686 | LOW | 1:4.5-1.1 | | initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file,... |
| passwd | CVE-2013-4235 | LOW | 1:4.5-1.1 | | shadow-utils: TOCTOU race conditions by copying and removing directory trees |
| passwd | CVE-2018-7169 | LOW | 1:4.5-1.1 | | shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege... |
| passwd | CVE-2019-19882 | LOW | 1:4.5-1.1 | | shadow-utils: local users can obtain root access because setuid programs are misconfigured... |
| passwd | TEMP-0628843-DBAD28 | LOW | 1:4.5-1.1 | | |
| perl-base | CVE-2011-4116 | LOW | 5.28.1-6+deb10u1 | | perl: File::Temp insecure temporary file handling |
| sysvinit-utils | TEMP-0517018-A83CE6 | LOW | 2.93-8 | | |
| tar | CVE-2005-2541 | LOW | 1.30+dfsg-6 | | Tar 1.15.1 does not properly warn the user when extracting setuid or... |
| tar | CVE-2019-9923 | LOW | 1.30+dfsg-6 | | tar: null-pointer dereference in pax_decode_header in sparse.c |
| tar | CVE-2021-20193 | LOW | 1.30+dfsg-6 | | tar: Memory leak in read_header() in list.c |
| tar | TEMP-0290435-0B57B5 | LOW | 1.30+dfsg-6 | | |