search

alphagov / cyber-security-concourse-base-image

1 stars 3 forks source link

Multiple CVE's in concourse-chrome-driver #45

Closed pritchyspritch closed 3 years ago

pritchyspritch commented 3 years ago

The concourse-chrome-driver container was scanned with Trivy during an assessment and it was flagged as having multiple outstanding CVE's.

Output:

gdscyber/concourse-chrome-driver (amazon 2 (Karoo))
===================================================
Total: 136 (UNKNOWN: 0, LOW: 0, MEDIUM: 109, HIGH: 27, CRITICAL: 0)

+------------------------+------------------+----------+-----------------------+-----------------------+-----------------------------------------+
|        LIBRARY         | VULNERABILITY ID | SEVERITY |   INSTALLED VERSION   |     FIXED VERSION     |                  TITLE                  |
+------------------------+------------------+----------+-----------------------+-----------------------+-----------------------------------------+
| bash                   | CVE-2019-9924    | MEDIUM   | 4.2.46-33.amzn2       | 4.2.46-34.amzn2       | bash: BASH_CMD is writable              |
|                        |                  |          |                       |                       | in restricted bash shells               |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-9924    |
+------------------------+------------------+          +-----------------------+-----------------------+-----------------------------------------+
| cpio                   | CVE-2019-14866   |          | 2.11-27.amzn2         | 2.11-28.amzn2         | cpio: improper input validation         |
|                        |                  |          |                       |                       | when writing tar header                 |
|                        |                  |          |                       |                       | fields leads to unexpected...           |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-14866   |
+------------------------+------------------+          +-----------------------+-----------------------+-----------------------------------------+
| expat                  | CVE-2018-20843   |          | 2.1.0-10.amzn2.0.2    | 2.1.0-12.amzn2        | expat: large number of                  |
|                        |                  |          |                       |                       | colons in input makes parser            |
|                        |                  |          |                       |                       | consume high amount...                  |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2018-20843   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-15903   |          |                       |                       | expat: heap-based buffer                |
|                        |                  |          |                       |                       | over-read via crafted XML input         |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-15903   |
+------------------------+------------------+----------+-----------------------+-----------------------+-----------------------------------------+
| freetype               | CVE-2020-15999   | HIGH     | 2.8-14.amzn2          | 2.8-14.amzn2.1        | freetype: Heap-based buffer             |
|                        |                  |          |                       |                       | overflow due to integer                 |
|                        |                  |          |                       |                       | truncation in Load_SBit_Png             |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-15999   |
+------------------------+------------------+----------+-----------------------+-----------------------+-----------------------------------------+
| glib2                  | CVE-2019-12450   | MEDIUM   | 2.56.1-5.amzn2.0.1    | 2.56.1-7.amzn2.0.1    | glib2: file_copy_fallback in            |
|                        |                  |          |                       |                       | gio/gfile.c in GNOME GLib does          |
|                        |                  |          |                       |                       | not properly restrict file...           |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-12450   |
+------------------------+------------------+----------+-----------------------+-----------------------+-----------------------------------------+
| glibc                  | CVE-2016-10228   | HIGH     | 2.26-35.amzn2         | 2.26-41.amzn2         | glibc: iconv program can hang           |
|                        |                  |          |                       |                       | when invoked with the -c option         |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2016-10228   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-25013   |          |                       |                       | glibc: buffer over-read in              |
|                        |                  |          |                       |                       | iconv when processing invalid           |
|                        |                  |          |                       |                       | multi-byte input sequences in...        |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-25013   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-29562   |          |                       |                       | glibc: assertion failure in iconv       |
|                        |                  |          |                       |                       | when converting invalid UCS4            |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-29562   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-6096    |          |                       |                       | glibc: signed comparison                |
|                        |                  |          |                       |                       | vulnerability in the                    |
|                        |                  |          |                       |                       | ARMv7 memcpy function                   |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-6096    |
+                        +------------------+----------+                       +-----------------------+-----------------------------------------+
|                        | CVE-2016-10739   | MEDIUM   |                       | 2.26-36.amzn2         | glibc: getaddrinfo should reject IP     |
|                        |                  |          |                       |                       | addresses with trailing characters      |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2016-10739   |
+                        +------------------+          +                       +-----------------------+-----------------------------------------+
|                        | CVE-2021-3326    |          |                       | 2.26-42.amzn2         | glibc: Assertion failure in             |
|                        |                  |          |                       |                       | ISO-2022-JP-3 gconv module              |
|                        |                  |          |                       |                       | related to combining characters         |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2021-3326    |
+------------------------+------------------+----------+                       +-----------------------+-----------------------------------------+
| glibc-common           | CVE-2016-10228   | HIGH     |                       | 2.26-41.amzn2         | glibc: iconv program can hang           |
|                        |                  |          |                       |                       | when invoked with the -c option         |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2016-10228   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-25013   |          |                       |                       | glibc: buffer over-read in              |
|                        |                  |          |                       |                       | iconv when processing invalid           |
|                        |                  |          |                       |                       | multi-byte input sequences in...        |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-25013   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-29562   |          |                       |                       | glibc: assertion failure in iconv       |
|                        |                  |          |                       |                       | when converting invalid UCS4            |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-29562   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-6096    |          |                       |                       | glibc: signed comparison                |
|                        |                  |          |                       |                       | vulnerability in the                    |
|                        |                  |          |                       |                       | ARMv7 memcpy function                   |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-6096    |
+                        +------------------+----------+                       +-----------------------+-----------------------------------------+
|                        | CVE-2016-10739   | MEDIUM   |                       | 2.26-36.amzn2         | glibc: getaddrinfo should reject IP     |
|                        |                  |          |                       |                       | addresses with trailing characters      |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2016-10739   |
+                        +------------------+          +                       +-----------------------+-----------------------------------------+
|                        | CVE-2021-3326    |          |                       | 2.26-42.amzn2         | glibc: Assertion failure in             |
|                        |                  |          |                       |                       | ISO-2022-JP-3 gconv module              |
|                        |                  |          |                       |                       | related to combining characters         |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2021-3326    |
+------------------------+------------------+----------+                       +-----------------------+-----------------------------------------+
| glibc-langpack-en      | CVE-2016-10228   | HIGH     |                       | 2.26-41.amzn2         | glibc: iconv program can hang           |
|                        |                  |          |                       |                       | when invoked with the -c option         |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2016-10228   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-25013   |          |                       |                       | glibc: buffer over-read in              |
|                        |                  |          |                       |                       | iconv when processing invalid           |
|                        |                  |          |                       |                       | multi-byte input sequences in...        |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-25013   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-29562   |          |                       |                       | glibc: assertion failure in iconv       |
|                        |                  |          |                       |                       | when converting invalid UCS4            |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-29562   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-6096    |          |                       |                       | glibc: signed comparison                |
|                        |                  |          |                       |                       | vulnerability in the                    |
|                        |                  |          |                       |                       | ARMv7 memcpy function                   |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-6096    |
+                        +------------------+----------+                       +-----------------------+-----------------------------------------+
|                        | CVE-2016-10739   | MEDIUM   |                       | 2.26-36.amzn2         | glibc: getaddrinfo should reject IP     |
|                        |                  |          |                       |                       | addresses with trailing characters      |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2016-10739   |
+                        +------------------+          +                       +-----------------------+-----------------------------------------+
|                        | CVE-2021-3326    |          |                       | 2.26-42.amzn2         | glibc: Assertion failure in             |
|                        |                  |          |                       |                       | ISO-2022-JP-3 gconv module              |
|                        |                  |          |                       |                       | related to combining characters         |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2021-3326    |
+------------------------+------------------+----------+                       +-----------------------+-----------------------------------------+
| glibc-minimal-langpack | CVE-2016-10228   | HIGH     |                       | 2.26-41.amzn2         | glibc: iconv program can hang           |
|                        |                  |          |                       |                       | when invoked with the -c option         |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2016-10228   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-25013   |          |                       |                       | glibc: buffer over-read in              |
|                        |                  |          |                       |                       | iconv when processing invalid           |
|                        |                  |          |                       |                       | multi-byte input sequences in...        |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-25013   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-29562   |          |                       |                       | glibc: assertion failure in iconv       |
|                        |                  |          |                       |                       | when converting invalid UCS4            |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-29562   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-6096    |          |                       |                       | glibc: signed comparison                |
|                        |                  |          |                       |                       | vulnerability in the                    |
|                        |                  |          |                       |                       | ARMv7 memcpy function                   |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-6096    |
+                        +------------------+----------+                       +-----------------------+-----------------------------------------+
|                        | CVE-2016-10739   | MEDIUM   |                       | 2.26-36.amzn2         | glibc: getaddrinfo should reject IP     |
|                        |                  |          |                       |                       | addresses with trailing characters      |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2016-10739   |
+                        +------------------+          +                       +-----------------------+-----------------------------------------+
|                        | CVE-2021-3326    |          |                       | 2.26-42.amzn2         | glibc: Assertion failure in             |
|                        |                  |          |                       |                       | ISO-2022-JP-3 gconv module              |
|                        |                  |          |                       |                       | related to combining characters         |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2021-3326    |
+------------------------+------------------+----------+-----------------------+-----------------------+-----------------------------------------+
| libX11                 | CVE-2020-14363   | HIGH     | 1.6.7-2.amzn2         | 1.6.7-3.amzn2         | libX11: integer overflow leads          |
|                        |                  |          |                       |                       | to double free in locale handling       |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-14363   |
+------------------------+                  +          +                       +                       +                                         +
| libX11-common          |                  |          |                       |                       |                                         |
|                        |                  |          |                       |                       |                                         |
|                        |                  |          |                       |                       |                                         |
+------------------------+------------------+----------+-----------------------+-----------------------+-----------------------------------------+
| libcom_err             | CVE-2019-5094    | MEDIUM   | 1.42.9-12.amzn2.0.2   | 1.42.9-19.amzn2       | e2fsprogs: Crafted ext4 partition       |
|                        |                  |          |                       |                       | leads to out-of-bounds write            |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-5094    |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-5188    |          |                       |                       | e2fsprogs: Out-of-bounds                |
|                        |                  |          |                       |                       | write in e2fsck/rehash.c                |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-5188    |
+------------------------+------------------+----------+-----------------------+-----------------------+-----------------------------------------+
| libcrypt               | CVE-2016-10228   | HIGH     | 2.26-35.amzn2         | 2.26-41.amzn2         | glibc: iconv program can hang           |
|                        |                  |          |                       |                       | when invoked with the -c option         |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2016-10228   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-25013   |          |                       |                       | glibc: buffer over-read in              |
|                        |                  |          |                       |                       | iconv when processing invalid           |
|                        |                  |          |                       |                       | multi-byte input sequences in...        |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-25013   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-29562   |          |                       |                       | glibc: assertion failure in iconv       |
|                        |                  |          |                       |                       | when converting invalid UCS4            |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-29562   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-6096    |          |                       |                       | glibc: signed comparison                |
|                        |                  |          |                       |                       | vulnerability in the                    |
|                        |                  |          |                       |                       | ARMv7 memcpy function                   |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-6096    |
+                        +------------------+----------+                       +-----------------------+-----------------------------------------+
|                        | CVE-2016-10739   | MEDIUM   |                       | 2.26-36.amzn2         | glibc: getaddrinfo should reject IP     |
|                        |                  |          |                       |                       | addresses with trailing characters      |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2016-10739   |
+                        +------------------+          +                       +-----------------------+-----------------------------------------+
|                        | CVE-2021-3326    |          |                       | 2.26-42.amzn2         | glibc: Assertion failure in             |
|                        |                  |          |                       |                       | ISO-2022-JP-3 gconv module              |
|                        |                  |          |                       |                       | related to combining characters         |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2021-3326    |
+------------------------+------------------+          +-----------------------+-----------------------+-----------------------------------------+
| libssh2                | CVE-2019-17498   |          | 1.4.3-12.amzn2.2.2    | 1.4.3-12.amzn2.2.3    | libssh2: integer overflow in            |
|                        |                  |          |                       |                       | SSH_MSG_DISCONNECT logic in packet.c    |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-17498   |
+------------------------+------------------+          +-----------------------+-----------------------+-----------------------------------------+
| libxml2                | CVE-2019-19956   |          | 2.9.1-6.amzn2.4.1     | 2.9.1-6.amzn2.5.1     | libxml2: memory leak in                 |
|                        |                  |          |                       |                       | xmlParseBalancedChunkMemoryRecover      |
|                        |                  |          |                       |                       | in parser.c                             |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-19956   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-20388   |          |                       |                       | libxml2: memory leak in                 |
|                        |                  |          |                       |                       | xmlSchemaPreRun in xmlschemas.c         |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-20388   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-7595    |          |                       |                       | libxml2: infinite loop in               |
|                        |                  |          |                       |                       | xmlStringLenDecodeEntities in           |
|                        |                  |          |                       |                       | some end-of-file situations             |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-7595    |
+------------------------+------------------+          +-----------------------+-----------------------+-----------------------------------------+
| nspr                   | CVE-2019-11719   |          | 4.21.0-1.amzn2.0.2    | 4.25.0-2.amzn2        | nss: Out-of-bounds read when            |
|                        |                  |          |                       |                       | importing curve25519 private key        |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-11719   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-11727   |          |                       |                       | nss: PKCS#1 v1.5 signatures             |
|                        |                  |          |                       |                       | can be used for TLS 1.3                 |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-11727   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-11756   |          |                       |                       | nss: Use-after-free in                  |
|                        |                  |          |                       |                       | sftk_FreeSession due                    |
|                        |                  |          |                       |                       | to improper refcounting                 |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-11756   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-17006   |          |                       |                       | nss: Check length of inputs             |
|                        |                  |          |                       |                       | for cryptographic primitives            |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-17006   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-17023   |          |                       |                       | nss: TLS 1.3 HelloRetryRequest          |
|                        |                  |          |                       |                       | downgrade request sets                  |
|                        |                  |          |                       |                       | client into invalid state               |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-17023   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-12400   |          |                       |                       | nss: P-384 and P-521 implementation     |
|                        |                  |          |                       |                       | uses a side-channel vulnerable          |
|                        |                  |          |                       |                       | modular inversion function...           |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-12400   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-12401   |          |                       |                       | nss: ECDSA timing                       |
|                        |                  |          |                       |                       | attack mitigation bypass                |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-12401   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-12402   |          |                       |                       | nss: Side channel vulnerabilities       |
|                        |                  |          |                       |                       | during RSA key generation               |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-12402   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-12403   |          |                       |                       | nss: CHACHA20-POLY1305                  |
|                        |                  |          |                       |                       | decryption with undersized tag          |
|                        |                  |          |                       |                       | leads to out-of-bounds read             |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-12403   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-6829    |          |                       |                       | nss: Side channel attack on             |
|                        |                  |          |                       |                       | ECDSA signature generation              |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-6829    |
+------------------------+------------------+          +-----------------------+-----------------------+-----------------------------------------+
| nss                    | CVE-2019-11719   |          | 3.44.0-7.amzn2        | 3.53.1-3.amzn2        | nss: Out-of-bounds read when            |
|                        |                  |          |                       |                       | importing curve25519 private key        |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-11719   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-11727   |          |                       |                       | nss: PKCS#1 v1.5 signatures             |
|                        |                  |          |                       |                       | can be used for TLS 1.3                 |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-11727   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-11756   |          |                       |                       | nss: Use-after-free in                  |
|                        |                  |          |                       |                       | sftk_FreeSession due                    |
|                        |                  |          |                       |                       | to improper refcounting                 |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-11756   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-17006   |          |                       |                       | nss: Check length of inputs             |
|                        |                  |          |                       |                       | for cryptographic primitives            |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-17006   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-17023   |          |                       |                       | nss: TLS 1.3 HelloRetryRequest          |
|                        |                  |          |                       |                       | downgrade request sets                  |
|                        |                  |          |                       |                       | client into invalid state               |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-17023   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-12400   |          |                       |                       | nss: P-384 and P-521 implementation     |
|                        |                  |          |                       |                       | uses a side-channel vulnerable          |
|                        |                  |          |                       |                       | modular inversion function...           |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-12400   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-12401   |          |                       |                       | nss: ECDSA timing                       |
|                        |                  |          |                       |                       | attack mitigation bypass                |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-12401   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-12402   |          |                       |                       | nss: Side channel vulnerabilities       |
|                        |                  |          |                       |                       | during RSA key generation               |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-12402   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-12403   |          |                       |                       | nss: CHACHA20-POLY1305                  |
|                        |                  |          |                       |                       | decryption with undersized tag          |
|                        |                  |          |                       |                       | leads to out-of-bounds read             |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-12403   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-6829    |          |                       |                       | nss: Side channel attack on             |
|                        |                  |          |                       |                       | ECDSA signature generation              |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-6829    |
+------------------------+------------------+          +-----------------------+-----------------------+-----------------------------------------+
| nss-softokn            | CVE-2019-11719   |          | 3.44.0-8.amzn2        | 3.53.1-6.amzn2        | nss: Out-of-bounds read when            |
|                        |                  |          |                       |                       | importing curve25519 private key        |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-11719   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-11727   |          |                       |                       | nss: PKCS#1 v1.5 signatures             |
|                        |                  |          |                       |                       | can be used for TLS 1.3                 |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-11727   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-11756   |          |                       |                       | nss: Use-after-free in                  |
|                        |                  |          |                       |                       | sftk_FreeSession due                    |
|                        |                  |          |                       |                       | to improper refcounting                 |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-11756   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-17006   |          |                       |                       | nss: Check length of inputs             |
|                        |                  |          |                       |                       | for cryptographic primitives            |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-17006   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-17023   |          |                       |                       | nss: TLS 1.3 HelloRetryRequest          |
|                        |                  |          |                       |                       | downgrade request sets                  |
|                        |                  |          |                       |                       | client into invalid state               |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-17023   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-12400   |          |                       |                       | nss: P-384 and P-521 implementation     |
|                        |                  |          |                       |                       | uses a side-channel vulnerable          |
|                        |                  |          |                       |                       | modular inversion function...           |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-12400   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-12401   |          |                       |                       | nss: ECDSA timing                       |
|                        |                  |          |                       |                       | attack mitigation bypass                |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-12401   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-12402   |          |                       |                       | nss: Side channel vulnerabilities       |
|                        |                  |          |                       |                       | during RSA key generation               |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-12402   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-12403   |          |                       |                       | nss: CHACHA20-POLY1305                  |
|                        |                  |          |                       |                       | decryption with undersized tag          |
|                        |                  |          |                       |                       | leads to out-of-bounds read             |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-12403   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-6829    |          |                       |                       | nss: Side channel attack on             |
|                        |                  |          |                       |                       | ECDSA signature generation              |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-6829    |
+------------------------+------------------+          +                       +                       +-----------------------------------------+
| nss-softokn-freebl     | CVE-2019-11719   |          |                       |                       | nss: Out-of-bounds read when            |
|                        |                  |          |                       |                       | importing curve25519 private key        |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-11719   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-11727   |          |                       |                       | nss: PKCS#1 v1.5 signatures             |
|                        |                  |          |                       |                       | can be used for TLS 1.3                 |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-11727   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-11756   |          |                       |                       | nss: Use-after-free in                  |
|                        |                  |          |                       |                       | sftk_FreeSession due                    |
|                        |                  |          |                       |                       | to improper refcounting                 |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-11756   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-17006   |          |                       |                       | nss: Check length of inputs             |
|                        |                  |          |                       |                       | for cryptographic primitives            |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-17006   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-17023   |          |                       |                       | nss: TLS 1.3 HelloRetryRequest          |
|                        |                  |          |                       |                       | downgrade request sets                  |
|                        |                  |          |                       |                       | client into invalid state               |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-17023   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-12400   |          |                       |                       | nss: P-384 and P-521 implementation     |
|                        |                  |          |                       |                       | uses a side-channel vulnerable          |
|                        |                  |          |                       |                       | modular inversion function...           |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-12400   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-12401   |          |                       |                       | nss: ECDSA timing                       |
|                        |                  |          |                       |                       | attack mitigation bypass                |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-12401   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-12402   |          |                       |                       | nss: Side channel vulnerabilities       |
|                        |                  |          |                       |                       | during RSA key generation               |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-12402   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-12403   |          |                       |                       | nss: CHACHA20-POLY1305                  |
|                        |                  |          |                       |                       | decryption with undersized tag          |
|                        |                  |          |                       |                       | leads to out-of-bounds read             |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-12403   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-6829    |          |                       |                       | nss: Side channel attack on             |
|                        |                  |          |                       |                       | ECDSA signature generation              |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-6829    |
+------------------------+------------------+          +-----------------------+-----------------------+-----------------------------------------+
| nss-sysinit            | CVE-2019-11719   |          | 3.44.0-7.amzn2        | 3.53.1-3.amzn2        | nss: Out-of-bounds read when            |
|                        |                  |          |                       |                       | importing curve25519 private key        |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-11719   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-11727   |          |                       |                       | nss: PKCS#1 v1.5 signatures             |
|                        |                  |          |                       |                       | can be used for TLS 1.3                 |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-11727   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-11756   |          |                       |                       | nss: Use-after-free in                  |
|                        |                  |          |                       |                       | sftk_FreeSession due                    |
|                        |                  |          |                       |                       | to improper refcounting                 |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-11756   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-17006   |          |                       |                       | nss: Check length of inputs             |
|                        |                  |          |                       |                       | for cryptographic primitives            |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-17006   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-17023   |          |                       |                       | nss: TLS 1.3 HelloRetryRequest          |
|                        |                  |          |                       |                       | downgrade request sets                  |
|                        |                  |          |                       |                       | client into invalid state               |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-17023   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-12400   |          |                       |                       | nss: P-384 and P-521 implementation     |
|                        |                  |          |                       |                       | uses a side-channel vulnerable          |
|                        |                  |          |                       |                       | modular inversion function...           |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-12400   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-12401   |          |                       |                       | nss: ECDSA timing                       |
|                        |                  |          |                       |                       | attack mitigation bypass                |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-12401   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-12402   |          |                       |                       | nss: Side channel vulnerabilities       |
|                        |                  |          |                       |                       | during RSA key generation               |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-12402   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-12403   |          |                       |                       | nss: CHACHA20-POLY1305                  |
|                        |                  |          |                       |                       | decryption with undersized tag          |
|                        |                  |          |                       |                       | leads to out-of-bounds read             |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-12403   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-6829    |          |                       |                       | nss: Side channel attack on             |
|                        |                  |          |                       |                       | ECDSA signature generation              |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-6829    |
+------------------------+------------------+          +                       +                       +-----------------------------------------+
| nss-tools              | CVE-2019-11719   |          |                       |                       | nss: Out-of-bounds read when            |
|                        |                  |          |                       |                       | importing curve25519 private key        |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-11719   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-11727   |          |                       |                       | nss: PKCS#1 v1.5 signatures             |
|                        |                  |          |                       |                       | can be used for TLS 1.3                 |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-11727   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-11756   |          |                       |                       | nss: Use-after-free in                  |
|                        |                  |          |                       |                       | sftk_FreeSession due                    |
|                        |                  |          |                       |                       | to improper refcounting                 |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-11756   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-17006   |          |                       |                       | nss: Check length of inputs             |
|                        |                  |          |                       |                       | for cryptographic primitives            |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-17006   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-17023   |          |                       |                       | nss: TLS 1.3 HelloRetryRequest          |
|                        |                  |          |                       |                       | downgrade request sets                  |
|                        |                  |          |                       |                       | client into invalid state               |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-17023   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-12400   |          |                       |                       | nss: P-384 and P-521 implementation     |
|                        |                  |          |                       |                       | uses a side-channel vulnerable          |
|                        |                  |          |                       |                       | modular inversion function...           |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-12400   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-12401   |          |                       |                       | nss: ECDSA timing                       |
|                        |                  |          |                       |                       | attack mitigation bypass                |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-12401   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-12402   |          |                       |                       | nss: Side channel vulnerabilities       |
|                        |                  |          |                       |                       | during RSA key generation               |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-12402   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-12403   |          |                       |                       | nss: CHACHA20-POLY1305                  |
|                        |                  |          |                       |                       | decryption with undersized tag          |
|                        |                  |          |                       |                       | leads to out-of-bounds read             |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-12403   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-6829    |          |                       |                       | nss: Side channel attack on             |
|                        |                  |          |                       |                       | ECDSA signature generation              |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-6829    |
+------------------------+------------------+          +-----------------------+-----------------------+-----------------------------------------+
| nss-util               | CVE-2019-11719   |          | 3.44.0-4.amzn2        | 3.53.1-1.amzn2        | nss: Out-of-bounds read when            |
|                        |                  |          |                       |                       | importing curve25519 private key        |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-11719   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-11727   |          |                       |                       | nss: PKCS#1 v1.5 signatures             |
|                        |                  |          |                       |                       | can be used for TLS 1.3                 |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-11727   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-11756   |          |                       |                       | nss: Use-after-free in                  |
|                        |                  |          |                       |                       | sftk_FreeSession due                    |
|                        |                  |          |                       |                       | to improper refcounting                 |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-11756   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-17006   |          |                       |                       | nss: Check length of inputs             |
|                        |                  |          |                       |                       | for cryptographic primitives            |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-17006   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2019-17023   |          |                       |                       | nss: TLS 1.3 HelloRetryRequest          |
|                        |                  |          |                       |                       | downgrade request sets                  |
|                        |                  |          |                       |                       | client into invalid state               |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-17023   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-12400   |          |                       |                       | nss: P-384 and P-521 implementation     |
|                        |                  |          |                       |                       | uses a side-channel vulnerable          |
|                        |                  |          |                       |                       | modular inversion function...           |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-12400   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-12401   |          |                       |                       | nss: ECDSA timing                       |
|                        |                  |          |                       |                       | attack mitigation bypass                |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-12401   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-12402   |          |                       |                       | nss: Side channel vulnerabilities       |
|                        |                  |          |                       |                       | during RSA key generation               |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-12402   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-12403   |          |                       |                       | nss: CHACHA20-POLY1305                  |
|                        |                  |          |                       |                       | decryption with undersized tag          |
|                        |                  |          |                       |                       | leads to out-of-bounds read             |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-12403   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-6829    |          |                       |                       | nss: Side channel attack on             |
|                        |                  |          |                       |                       | ECDSA signature generation              |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-6829    |
+------------------------+------------------+          +-----------------------+-----------------------+-----------------------------------------+
| openldap               | CVE-2020-12243   |          | 2.4.44-15.amzn2       | 2.4.44-22.amzn2       | openldap: denial of service             |
|                        |                  |          |                       |                       | via nested boolean expressions          |
|                        |                  |          |                       |                       | in LDAP search filters...               |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-12243   |
+------------------------+------------------+----------+-----------------------+-----------------------+-----------------------------------------+
| openssl-libs           | CVE-2020-1971    | HIGH     | 1:1.0.2k-19.amzn2.0.3 | 1:1.0.2k-19.amzn2.0.4 | openssl: EDIPARTYNAME                   |
|                        |                  |          |                       |                       | NULL pointer de-reference               |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-1971    |
+                        +------------------+----------+                       +-----------------------+-----------------------------------------+
|                        | CVE-2021-23839   | MEDIUM   |                       | 1:1.0.2k-19.amzn2.0.6 | openssl: incorrect SSLv2                |
|                        |                  |          |                       |                       | rollback protection                     |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2021-23839   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2021-23840   |          |                       |                       | openssl: integer                        |
|                        |                  |          |                       |                       | overflow in CipherUpdate                |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2021-23840   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2021-23841   |          |                       |                       | openssl: NULL pointer dereference       |
|                        |                  |          |                       |                       | in X509_issuer_and_serial_hash()        |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2021-23841   |
+------------------------+------------------+          +-----------------------+-----------------------+-----------------------------------------+
| p11-kit                | CVE-2020-29361   |          | 0.23.19-1.amzn2       | 0.23.22-1.amzn2.0.1   | p11-kit: integer overflow when          |
|                        |                  |          |                       |                       | allocating memory for arrays            |
|                        |                  |          |                       |                       | or attributes and object...             |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-29361   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-29362   |          |                       |                       | p11-kit: out-of-bounds read in          |
|                        |                  |          |                       |                       | p11_rpc_buffer_get_byte_array           |
|                        |                  |          |                       |                       | function in rpc-message.c               |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-29362   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-29363   |          |                       |                       | p11-kit: out-of-bounds write in         |
|                        |                  |          |                       |                       | p11_rpc_buffer_get_byte_array_value     |
|                        |                  |          |                       |                       | function in rpc-message.c               |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-29363   |
+------------------------+------------------+          +                       +                       +-----------------------------------------+
| p11-kit-trust          | CVE-2020-29361   |          |                       |                       | p11-kit: integer overflow when          |
|                        |                  |          |                       |                       | allocating memory for arrays            |
|                        |                  |          |                       |                       | or attributes and object...             |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-29361   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-29362   |          |                       |                       | p11-kit: out-of-bounds read in          |
|                        |                  |          |                       |                       | p11_rpc_buffer_get_byte_array           |
|                        |                  |          |                       |                       | function in rpc-message.c               |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-29362   |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2020-29363   |          |                       |                       | p11-kit: out-of-bounds write in         |
|                        |                  |          |                       |                       | p11_rpc_buffer_get_byte_array_value     |
|                        |                  |          |                       |                       | function in rpc-message.c               |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-29363   |
+------------------------+------------------+          +-----------------------+-----------------------+-----------------------------------------+
| python                 | CVE-2019-20907   |          | 2.7.18-1.amzn2        | 2.7.18-1.amzn2.0.2    | python: infinite loop in the tarfile    |
|                        |                  |          |                       |                       | module via crafted TAR archive          |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-20907   |
+                        +------------------+          +                       +-----------------------+-----------------------------------------+
|                        | CVE-2020-8492    |          |                       | 2.7.18-1.amzn2.0.1    | python: wrong backtracking in           |
|                        |                  |          |                       |                       | urllib.request.AbstractBasicAuthHandler |
|                        |                  |          |                       |                       | allows for a ReDoS                      |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-8492    |
+                        +------------------+          +                       +-----------------------+-----------------------------------------+
|                        | CVE-2021-3177    |          |                       | 2.7.18-1.amzn2.0.3    | python: Stack-based buffer overflow     |
|                        |                  |          |                       |                       | in PyCArg_repr in _ctypes/callproc.c    |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2021-3177    |
+------------------------+------------------+          +                       +-----------------------+-----------------------------------------+
| python-libs            | CVE-2019-20907   |          |                       | 2.7.18-1.amzn2.0.2    | python: infinite loop in the tarfile    |
|                        |                  |          |                       |                       | module via crafted TAR archive          |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-20907   |
+                        +------------------+          +                       +-----------------------+-----------------------------------------+
|                        | CVE-2020-8492    |          |                       | 2.7.18-1.amzn2.0.1    | python: wrong backtracking in           |
|                        |                  |          |                       |                       | urllib.request.AbstractBasicAuthHandler |
|                        |                  |          |                       |                       | allows for a ReDoS                      |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-8492    |
+                        +------------------+          +                       +-----------------------+-----------------------------------------+
|                        | CVE-2021-3177    |          |                       | 2.7.18-1.amzn2.0.3    | python: Stack-based buffer overflow     |
|                        |                  |          |                       |                       | in PyCArg_repr in _ctypes/callproc.c    |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2021-3177    |
+------------------------+                  +          +-----------------------+-----------------------+                                         +
| python3                |                  |          | 3.7.9-1.amzn2.0.1     | 3.7.9-1.amzn2.0.2     |                                         |
|                        |                  |          |                       |                       |                                         |
|                        |                  |          |                       |                       |                                         |
+------------------------+                  +          +                       +                       +                                         +
| python3-libs           |                  |          |                       |                       |                                         |
|                        |                  |          |                       |                       |                                         |
|                        |                  |          |                       |                       |                                         |
+------------------------+------------------+----------+-----------------------+-----------------------+-----------------------------------------+
| unzip                  | CVE-2015-7697    | HIGH     | 6.0-21.amzn2          | 6.0-43.amzn2          | CVE-2015-7696 CVE-2015-7697 unzip:      |
|                        |                  |          |                       |                       | Heap overflow and DoS in 6.0            |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2015-7697    |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2016-9844    |          |                       |                       | unzip: methbuf[] buffer                 |
|                        |                  |          |                       |                       | overflow in zipinfo's zi_short()        |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2016-9844    |
+                        +------------------+          +                       +                       +-----------------------------------------+
|                        | CVE-2018-1000035 |          |                       |                       | unzip: Heap-based buffer                |
|                        |                  |          |                       |                       | overflow in fileio.c:UzpPassword        |
|                        |                  |          |                       |                       | function allows code execution          |
|                        |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2018-1000035 |
+------------------------+------------------+----------+-----------------------+-----------------------+-----------------------------------------+
danjoneslf commented 3 years ago

This isn't urgent for us because we don't use it for anything but we can probably fix it by nicking the new VPS one's Dockerfile in alphagov/covid-engineering