patrick-stephens
commented
1 year ago Have you tried more recent versions to check? 2.1.0 is out and 2.0.11 prior to that.
Closed dppatel99 closed 6 months ago
patrick-stephens
commented
1 year ago Have you tried more recent versions to check? 2.1.0 is out and 2.0.11 prior to that.
dppatel99
commented
1 year ago I tried scanning latest image fluent/fluent-bit:2.1.1 . It reported above vulnerabilities along with additional vulnerabilities. In specific 9 CRITICAL and 23 HIGH vulnerabilities
patrick-stephens
commented
1 year ago For OpenSSL and sqlite those come from the Debian repo so sounds like it is not patched or is not relevant. c-ares and luajit are vendored dependencies. Analysis will be required to determine whether they are relevant too - scanners will just flag a possible vulnerability.
What scanner are you using? I would suggest following the security policy as well to request any specific updates: https://github.com/fluent/fluent-bit/security/policy
dppatel99
commented
1 year ago I am using protecode to scan images for vulnerabilities. Also thanks for sharing discussion link.
patrick-stephens
commented
1 year ago Right, looking at grype it shows this (today):
$ docker run --rm --volume /var/run/docker.sock:/var/run/docker.sock anchore/grype:latest fluent/fluent-bit:2.1.1
Unable to find image 'anchore/grype:latest' locally
latest: Pulling from anchore/grype
3d4811e75147: Pull complete
657b6e8ab91d: Pull complete
e58480bec473: Pull complete
Digest: sha256:9d326e7fc0e4914481a2b0c458a0eb0891b04d00569a6f92bdc549507f2089a0
Status: Downloaded newer image for anchore/grype:latest
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
libc6 2.31-13+deb11u5 deb CVE-2010-4756 Negligible
libc6 2.31-13+deb11u5 deb CVE-2018-20796 Negligible
libc6 2.31-13+deb11u5 deb CVE-2019-1010022 Negligible
libc6 2.31-13+deb11u5 deb CVE-2019-1010023 Negligible
libc6 2.31-13+deb11u5 deb CVE-2019-1010024 Negligible
libc6 2.31-13+deb11u5 deb CVE-2019-1010025 Negligible
libc6 2.31-13+deb11u5 deb CVE-2019-9192 Negligible
libcom-err2 1.46.2-2 (won't fix) deb CVE-2022-1304 High
libgcrypt20 1.8.7-6 deb CVE-2018-6829 Negligible
libgcrypt20 1.8.7-6 (won't fix) deb CVE-2021-33560 High
libgnutls30 3.7.1-5+deb11u3 deb CVE-2011-3389 Negligible
libgssapi-krb5-2 1.18.3-6+deb11u3 deb CVE-2018-5709 Negligible
libk5crypto3 1.18.3-6+deb11u3 deb CVE-2018-5709 Negligible
libkrb5-3 1.18.3-6+deb11u3 deb CVE-2018-5709 Negligible
libkrb5support0 1.18.3-6+deb11u3 deb CVE-2018-5709 Negligible
libldap-2.4-2 2.4.57+dfsg-3+deb11u1 deb CVE-2015-3276 Negligible
libldap-2.4-2 2.4.57+dfsg-3+deb11u1 deb CVE-2017-14159 Negligible
libldap-2.4-2 2.4.57+dfsg-3+deb11u1 deb CVE-2017-17740 Negligible
libldap-2.4-2 2.4.57+dfsg-3+deb11u1 deb CVE-2020-15719 Negligible
libpq5 13.9-0+deb11u1 (won't fix) deb CVE-2022-41862 Low
libssl1.1 1.1.1n-0+deb11u4 deb CVE-2007-6755 Negligible
libssl1.1 1.1.1n-0+deb11u4 deb CVE-2010-0928 Negligible
libssl1.1 1.1.1n-0+deb11u4 (won't fix) deb CVE-2023-0464 High
libssl1.1 1.1.1n-0+deb11u4 (won't fix) deb CVE-2023-0465 Medium
libssl1.1 1.1.1n-0+deb11u4 (won't fix) deb CVE-2023-0466 Medium
libsystemd0 252.5-2~bpo11+1 deb CVE-2013-4392 Negligible
libsystemd0 252.5-2~bpo11+1 deb CVE-2020-13529 Negligible
libsystemd0 252.5-2~bpo11+1 (won't fix) deb CVE-2022-3821 Medium
libsystemd0 252.5-2~bpo11+1 (won't fix) deb CVE-2022-4415 Medium
libzstd1 1.4.8+dfsg-2.1 (won't fix) deb CVE-2022-4899 High
openssl 1.1.1n-0+deb11u4 deb CVE-2007-6755 Negligible
openssl 1.1.1n-0+deb11u4 deb CVE-2010-0928 Negligible
openssl 1.1.1n-0+deb11u4 (won't fix) deb CVE-2023-0464 High
openssl 1.1.1n-0+deb11u4 (won't fix) deb CVE-2023-0465 Medium
openssl 1.1.1n-0+deb11u4 (won't fix) deb CVE-2023-0466 Medium Of those, all high ones are marked as won't fix by upstream.
patrick-stephens
commented
1 year ago I would encourage you to correlate your CVE results from other scanners and identify which CVEs you think are important to focus on. This can be done by the security team but will take time and therefore anything you do locally to speed it up is great, plus you can also respond to those CVEs internally as well then if you think they are irrelevant.
patrick-stephens
commented
1 year ago And again for 2.1.2 (as of today) it shows only Negligible ones but even those have no fixed version yet we could consume from Debian:
$ docker run --rm --volume /var/run/docker.sock:/var/run/docker.sock anchore/grype:latest fluent/fluent-bit:2.1.2
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
libc6 2.31-13+deb11u5 deb CVE-2010-4756 Negligible
libc6 2.31-13+deb11u5 deb CVE-2018-20796 Negligible
libc6 2.31-13+deb11u5 deb CVE-2019-1010022 Negligible
libc6 2.31-13+deb11u5 deb CVE-2019-1010023 Negligible
libc6 2.31-13+deb11u5 deb CVE-2019-1010024 Negligible
libc6 2.31-13+deb11u5 deb CVE-2019-1010025 Negligible
libc6 2.31-13+deb11u5 deb CVE-2019-9192 Negligible
libcom-err2 1.46.2-2 (won't fix) deb CVE-2022-1304 High
libgcrypt20 1.8.7-6 deb CVE-2018-6829 Negligible
libgcrypt20 1.8.7-6 (won't fix) deb CVE-2021-33560 High
libgnutls30 3.7.1-5+deb11u3 deb CVE-2011-3389 Negligible
libgssapi-krb5-2 1.18.3-6+deb11u3 deb CVE-2018-5709 Negligible
libk5crypto3 1.18.3-6+deb11u3 deb CVE-2018-5709 Negligible
libkrb5-3 1.18.3-6+deb11u3 deb CVE-2018-5709 Negligible
libkrb5support0 1.18.3-6+deb11u3 deb CVE-2018-5709 Negligible
libldap-2.4-2 2.4.57+dfsg-3+deb11u1 deb CVE-2015-3276 Negligible
libldap-2.4-2 2.4.57+dfsg-3+deb11u1 deb CVE-2017-14159 Negligible
libldap-2.4-2 2.4.57+dfsg-3+deb11u1 deb CVE-2017-17740 Negligible
libldap-2.4-2 2.4.57+dfsg-3+deb11u1 deb CVE-2020-15719 Negligible
libpq5 13.9-0+deb11u1 (won't fix) deb CVE-2022-41862 Low
libssl1.1 1.1.1n-0+deb11u4 deb CVE-2007-6755 Negligible
libssl1.1 1.1.1n-0+deb11u4 deb CVE-2010-0928 Negligible
libssl1.1 1.1.1n-0+deb11u4 (won't fix) deb CVE-2023-0464 High
libssl1.1 1.1.1n-0+deb11u4 (won't fix) deb CVE-2023-0465 Medium
libssl1.1 1.1.1n-0+deb11u4 (won't fix) deb CVE-2023-0466 Medium
libsystemd0 252.5-2~bpo11+1 deb CVE-2013-4392 Negligible
libsystemd0 252.5-2~bpo11+1 deb CVE-2020-13529 Negligible
libsystemd0 252.5-2~bpo11+1 (won't fix) deb CVE-2022-3821 Medium
libsystemd0 252.5-2~bpo11+1 (won't fix) deb CVE-2022-4415 Medium
libzstd1 1.4.8+dfsg-2.1 (won't fix) deb CVE-2022-4899 High
openssl 1.1.1n-0+deb11u4 deb CVE-2007-6755 Negligible
openssl 1.1.1n-0+deb11u4 deb CVE-2010-0928 Negligible
openssl 1.1.1n-0+deb11u4 (won't fix) deb CVE-2023-0464 High
openssl 1.1.1n-0+deb11u4 (won't fix) deb CVE-2023-0465 Medium
openssl 1.1.1n-0+deb11u4 (won't fix) deb CVE-2023-0466 Medium This shows no critical ones and all the high ones have been marked as "won't fix" by Debian.
dppatel99
commented
1 year ago I have scanned 2.1.2 in our security analysis tool , I am still getting vulnerabilities in following components 1.) glibc 2.) openssl 3.) c-ares 4.) zlib 5.) libtasn1 6.) kerberos 7.) p11-kit 8.) cyrus-sasl 9.) gnutls 10.) gmp 11.) nettle 12.) sqlite3 13.) systemd
All these components are far behind the latest versions. There are many vulnerabilities which our scanner is listing but not listed in your scanner results. For example, in the glibc component(libc6 in your results) , following vulnerabilities are detected which I cannot see in the your list above.
In openssl , I have following vulnerabilities listed in our tool
patrick-stephens
commented
1 year ago All these versions (except c-ares I think) come from the base image. Fluent Bit does not control them, they come from the upstream repostories.
butterflyinfly
commented
1 year ago And again for 2.1.2 (as of today) it shows only
Negligibleones but even those have no fixed version yet we could consume from Debian:$ docker run --rm --volume /var/run/docker.sock:/var/run/docker.sock anchore/grype:latest fluent/fluent-bit:2.1.2 NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY libc6 2.31-13+deb11u5 deb CVE-2010-4756 Negligible libc6 2.31-13+deb11u5 deb CVE-2018-20796 Negligible libc6 2.31-13+deb11u5 deb CVE-2019-1010022 Negligible libc6 2.31-13+deb11u5 deb CVE-2019-1010023 Negligible libc6 2.31-13+deb11u5 deb CVE-2019-1010024 Negligible libc6 2.31-13+deb11u5 deb CVE-2019-1010025 Negligible libc6 2.31-13+deb11u5 deb CVE-2019-9192 Negligible libcom-err2 1.46.2-2 (won't fix) deb CVE-2022-1304 High libgcrypt20 1.8.7-6 deb CVE-2018-6829 Negligible libgcrypt20 1.8.7-6 (won't fix) deb CVE-2021-33560 High libgnutls30 3.7.1-5+deb11u3 deb CVE-2011-3389 Negligible libgssapi-krb5-2 1.18.3-6+deb11u3 deb CVE-2018-5709 Negligible libk5crypto3 1.18.3-6+deb11u3 deb CVE-2018-5709 Negligible libkrb5-3 1.18.3-6+deb11u3 deb CVE-2018-5709 Negligible libkrb5support0 1.18.3-6+deb11u3 deb CVE-2018-5709 Negligible libldap-2.4-2 2.4.57+dfsg-3+deb11u1 deb CVE-2015-3276 Negligible libldap-2.4-2 2.4.57+dfsg-3+deb11u1 deb CVE-2017-14159 Negligible libldap-2.4-2 2.4.57+dfsg-3+deb11u1 deb CVE-2017-17740 Negligible libldap-2.4-2 2.4.57+dfsg-3+deb11u1 deb CVE-2020-15719 Negligible libpq5 13.9-0+deb11u1 (won't fix) deb CVE-2022-41862 Low libssl1.1 1.1.1n-0+deb11u4 deb CVE-2007-6755 Negligible libssl1.1 1.1.1n-0+deb11u4 deb CVE-2010-0928 Negligible libssl1.1 1.1.1n-0+deb11u4 (won't fix) deb CVE-2023-0464 High libssl1.1 1.1.1n-0+deb11u4 (won't fix) deb CVE-2023-0465 Medium libssl1.1 1.1.1n-0+deb11u4 (won't fix) deb CVE-2023-0466 Medium libsystemd0 252.5-2~bpo11+1 deb CVE-2013-4392 Negligible libsystemd0 252.5-2~bpo11+1 deb CVE-2020-13529 Negligible libsystemd0 252.5-2~bpo11+1 (won't fix) deb CVE-2022-3821 Medium libsystemd0 252.5-2~bpo11+1 (won't fix) deb CVE-2022-4415 Medium libzstd1 1.4.8+dfsg-2.1 (won't fix) deb CVE-2022-4899 High openssl 1.1.1n-0+deb11u4 deb CVE-2007-6755 Negligible openssl 1.1.1n-0+deb11u4 deb CVE-2010-0928 Negligible openssl 1.1.1n-0+deb11u4 (won't fix) deb CVE-2023-0464 High openssl 1.1.1n-0+deb11u4 (won't fix) deb CVE-2023-0465 Medium openssl 1.1.1n-0+deb11u4 (won't fix) deb CVE-2023-0466 MediumThis shows no critical ones and all the high ones have been marked as "won't fix" by Debian.
Hi @patrick-stephens !
Could you please help me to understand why I see the different output?
docker run anchore/grype:latest fluent/fluent-bit:2.1.2 Unable to find image 'anchore/grype:latest' locally latest: Pulling from anchore/grype 3d4811e75147: Pull complete 657b6e8ab91d: Pull complete e58480bec473: Pull complete Digest: sha256:9d326e7fc0e4914481a2b0c458a0eb0891b04d00569a6f92bdc549507f2089a0 Status: Downloaded newer image for anchore/grype:latest NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY libc6 2.31-13+deb11u5 deb CVE-2010-4756 Negligible libc6 2.31-13+deb11u5 deb CVE-2018-20796 Negligible libc6 2.31-13+deb11u5 deb CVE-2019-1010022 Negligible libc6 2.31-13+deb11u5 deb CVE-2019-1010023 Negligible libc6 2.31-13+deb11u5 deb CVE-2019-1010024 Negligible libc6 2.31-13+deb11u5 deb CVE-2019-1010025 Negligible libc6 2.31-13+deb11u5 deb CVE-2019-9192 Negligible libcom-err2 1.46.2-2 (won't fix) deb CVE-2022-1304 High libgcrypt20 1.8.7-6 deb CVE-2018-6829 Negligible libgcrypt20 1.8.7-6 (won't fix) deb CVE-2021-33560 High libgnutls30 3.7.1-5+deb11u3 deb CVE-2011-3389 Negligible libgssapi-krb5-2 1.18.3-6+deb11u3 deb CVE-2018-5709 Negligible libk5crypto3 1.18.3-6+deb11u3 deb CVE-2018-5709 Negligible libkrb5-3 1.18.3-6+deb11u3 deb CVE-2018-5709 Negligible libkrb5support0 1.18.3-6+deb11u3 deb CVE-2018-5709 Negligible libldap-2.4-2 2.4.57+dfsg-3+deb11u1 deb CVE-2015-3276 Negligible libldap-2.4-2 2.4.57+dfsg-3+deb11u1 deb CVE-2017-14159 Negligible libldap-2.4-2 2.4.57+dfsg-3+deb11u1 deb CVE-2017-17740 Negligible libldap-2.4-2 2.4.57+dfsg-3+deb11u1 deb CVE-2020-15719 Negligible libpq5 13.9-0+deb11u1 (won't fix) deb CVE-2022-41862 Low libpq5 13.9-0+deb11u1 13.11-0+deb11u1 deb CVE-2023-2454 Unknown libpq5 13.9-0+deb11u1 13.11-0+deb11u1 deb CVE-2023-2455 Unknown libssl1.1 1.1.1n-0+deb11u4 deb CVE-2007-6755 Negligible libssl1.1 1.1.1n-0+deb11u4 deb CVE-2010-0928 Negligible libssl1.1 1.1.1n-0+deb11u4 (won't fix) deb CVE-2023-0464 High libssl1.1 1.1.1n-0+deb11u4 (won't fix) deb CVE-2023-0465 Medium libssl1.1 1.1.1n-0+deb11u4 (won't fix) deb CVE-2023-0466 Medium libsystemd0 252.5-2~bpo11+1 deb CVE-2013-4392 Negligible libsystemd0 252.5-2~bpo11+1 deb CVE-2020-13529 Negligible libzstd1 1.4.8+dfsg-2.1 (won't fix) deb CVE-2022-4899 High openssl 1.1.1n-0+deb11u4 deb CVE-2007-6755 Negligible openssl 1.1.1n-0+deb11u4 deb CVE-2010-0928 Negligible openssl 1.1.1n-0+deb11u4 (won't fix) deb CVE-2023-0464 High openssl 1.1.1n-0+deb11u4 (won't fix) deb CVE-2023-0465 Medium openssl 1.1.1n-0+deb11u4 (won't fix) deb CVE-2023-0466 Medium
I'm interested in fixing these vulnerabilities: libpq5 13.9-0+deb11u1 13.11-0+deb11u1 deb CVE-2023-2454 Unknown libpq5 13.9-0+deb11u1 13.11-0+deb11u1 deb CVE-2023-2455 Unknown
But looks like they exist even in the latest version of fluent-bit image
patrick-stephens
commented
1 year ago To be clear, those dependencies come from Debian - Fluent Bit does not control or fix them. We just pull the dependencies at release time so if they are fixed at that point it will be picked up. OSS does not rebuild older releases for new patches so the only way to get a "fix" is to consume a new version. There will be a new release shortly so I would check in that.
I've no idea why your output is different - we probably ran it at different times so CVEs will come up and be fixed at different times too which may be it. I think those CVEs are both recent ones looking at the notifications so hopefully the next release will resolve them.
Do you think they are relevant in some way to Fluent Bit, is that why you're asking? Whilst a CVE may be flagged, scanners tend to produce false positives so it may just be a possible CVE if something is leveraged in a particular way and the CVEs can document both the specific scenario and any mitigation.
cc @lecaros
chuasweechin
commented
1 year ago Are there plans to upgrade c-ares and sqlite3 to the latest version to fix the vulnerabilities? Or are there assessment if these CVE are valid for fluent-bit?
I have tried the latest fluent-bit v2.1.8 image and saw that these component are still on the older version with these reported vulnerabilities.
lrsy
commented
1 year ago Hi,
@patrick-stephens - I am using Trivy scanner. This flags hundreds of CRITICAL and HIGH vulnerabilities in all fluent-bit versions I used. Newest fluent-bit version I have (v2.1.6) shows a total of 94 distinct CRITICAL + HIGH vulnerabilities, only 3% of those having a "will_not_fix" status. While I understand some/most issues come from an underlying Debian image, it's hard to defend in front of others why fluent-bit seems to have so many issues, as reported by Trivy.
Attached please find the outcome of the scanner.
I also used Anchore in the past, situation was the same. I don't know why Grype only shows Negligible issues.
Could you please let me know what would be fluent-bit team's approach with regards to these vulnerabilities and if it would be perhaps possible to use a newer Debian image that would include less issues?
Thank you
patrick-stephens
commented
1 year ago The latest image is 2.1.8, older versions will not have fixes backported I'm afraid.
From the perspective of OSS we just pick up dependencies from upstream.
There is some work ongoing to update to OpenSSL 3 but if you can identify any specific dependencies that are problematic then PRs will be greatly appreciated.
chuasweechin
commented
1 year ago @patrick-stephens About c-ares and sqlite3, are there plans to upgrade them to the latest version to fix the vulnerabilities? Or are there assessment if these CVE are valid for fluent-bit?
https://github.com/fluent/fluent-bit/issues/7224#issuecomment-1652901313
patrick-stephens
commented
1 year ago I can't comment on those, @edsiper or @leonardo-albertovich may be better, but generally yes dependencies are updated. Feel free to submit a PR as well to speed it up.
leonardo-albertovich
commented
1 year ago From what I see we've been bundling c-ares 1.19.0 since fluent-bit 2.0.9 and in the meantime they have released version 1.19.1 which addresses a few vulnerabilities that are not really concerning (except maybe CVE-2023-31130).
As for sqlite, I think we could update the amalgamation but unless there is an actual vulnerability that they haven't listed in their webpage there is nothing of substance.
We will update those libraries as soon as possible.
github-actions[bot]
commented
11 months ago This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days. Maintainers can add the exempt-stale label.
saurabhsinghhpe
commented
11 months ago I am using trivy to scan cve. i seee crtical CVE issue with fluentbit:2.1.10, 2.1.6. can you please help me resolving zlib1g │ CVE-2023-45853 │ CRITICAL issue
`trivy image fluent/fluent-bit --scanners vuln
2023-11-10T11:44:19.288+0530 INFO Vulnerability scanning is enabled
2023-11-10T11:44:24.142+0530 INFO Detected OS: debian
2023-11-10T11:44:24.142+0530 INFO Detecting Debian vulnerabilities...
2023-11-10T11:44:24.166+0530 INFO Number of language-specific files: 0
fluent/fluent-bit (debian 11.8)
Total: 41 (UNKNOWN: 0, LOW: 27, MEDIUM: 8, HIGH: 5, CRITICAL: 1)
┌──────────────────┬──────────────────┬──────────┬──────────────┬─────────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐ │ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │ ├──────────────────┼──────────────────┼──────────┼──────────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libatomic1 │ CVE-2023-4039 │ MEDIUM │ affected │ 10.2.1-6 │ │ gcc: -fstack-protector fails to guard dynamic stack │ │ │ │ │ │ │ │ allocations on ARM64 │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-4039 │ ├──────────────────┼──────────────────┤ │ ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libc6 │ CVE-2023-4806 │ │ │ 2.31-13+deb11u7 │ │ potential use-after-free in getaddrinfo() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-4806 │ │ ├──────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2023-4813 │ │ │ │ │ potential use-after-free in gaih_inet() │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-4813 │ │ ├──────────────────┼──────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2010-4756 │ LOW │ │ │ │ glibc: glob implementation can cause excessive CPU and │ │ │ │ │ │ │ │ memory consumption due to... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2010-4756 │ │ ├──────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2018-20796 │ │ │ │ │ glibc: uncontrolled recursion in function │ │ │ │ │ │ │ │ check_dst_limits_calc_pos_1 in posix/regexec.c │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-20796 │ │ ├──────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2019-1010022 │ │ │ │ │ glibc: stack guard protection bypass │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1010022 │ │ ├──────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2019-1010023 │ │ │ │ │ glibc: running ldd on malicious ELF leads to code execution │ │ │ │ │ │ │ │ because of... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1010023 │ │ ├──────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2019-1010024 │ │ │ │ │ glibc: ASLR bypass using cache of thread stack and heap │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1010024 │ │ ├──────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2019-1010025 │ │ │ │ │ glibc: information disclosure of heap addresses of │ │ │ │ │ │ │ │ pthread_created thread │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1010025 │ │ ├──────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2019-9192 │ │ │ │ │ glibc: uncontrolled recursion in function │ │ │ │ │ │ │ │ check_dst_limits_calc_pos_1 in posix/regexec.c │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-9192 │ ├──────────────────┼──────────────────┼──────────┤ ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libcom-err2 │ CVE-2022-1304 │ HIGH │ │ 1.46.2-2 │ │ out-of-bounds read/write via crafted filesystem │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-1304 │ ├──────────────────┼──────────────────┼──────────┤ ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libgcc-s1 │ CVE-2023-4039 │ MEDIUM │ │ 10.2.1-6 │ │ gcc: -fstack-protector fails to guard dynamic stack │ │ │ │ │ │ │ │ allocations on ARM64 │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-4039 │ ├──────────────────┼──────────────────┼──────────┤ ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libgcrypt20 │ CVE-2021-33560 │ HIGH │ │ 1.8.7-6 │ │ mishandles ElGamal encryption because it lacks exponent │ │ │ │ │ │ │ │ blinding to address a side-channel... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-33560 │ │ ├──────────────────┼──────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2018-6829 │ LOW │ │ │ │ libgcrypt: ElGamal implementation doesn't have semantic │ │ │ │ │ │ │ │ security due to incorrectly encoded plaintexts... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-6829 │ ├──────────────────┼──────────────────┤ │ ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libgnutls30 │ CVE-2011-3389 │ │ │ 3.7.1-5+deb11u3 │ │ HTTPS: block-wise chosen-plaintext attack against SSL/TLS │ │ │ │ │ │ │ │ (BEAST) │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2011-3389 │ ├──────────────────┼──────────────────┼──────────┤ ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libgomp1 │ CVE-2023-4039 │ MEDIUM │ │ 10.2.1-6 │ │ gcc: -fstack-protector fails to guard dynamic stack │ │ │ │ │ │ │ │ allocations on ARM64 │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-4039 │ ├──────────────────┼──────────────────┼──────────┤ ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libgssapi-krb5-2 │ CVE-2018-5709 │ LOW │ │ 1.18.3-6+deb11u4 │ │ krb5: integer overflow in dbentry->n_key_data in │ │ │ │ │ │ │ │ kadmin/dbutil/dump.c │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-5709 │ ├──────────────────┤ │ │ │ ├───────────────┤ │ │ libk5crypto3 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ ├──────────────────┤ │ │ │ ├───────────────┤ │ │ libkrb5-3 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ ├──────────────────┤ │ │ │ ├───────────────┤ │ │ libkrb5support0 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ ├──────────────────┼──────────────────┼──────────┤ ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libldap-2.4-2 │ CVE-2023-2953 │ HIGH │ │ 2.4.57+dfsg-3+deb11u1 │ │ null pointer dereference in ber_memalloc_x function │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-2953 │ │ ├──────────────────┼──────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2015-3276 │ LOW │ │ │ │ incorrect multi-keyword mode cipherstring parsing │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2015-3276 │ │ ├──────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2017-14159 │ │ │ │ │ openldap: Privilege escalation via PID file manipulation │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2017-14159 │ │ ├──────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2017-17740 │ │ │ │ │ openldap: contrib/slapd-modules/nops/nops.c attempts to free │ │ │ │ │ │ │ │ stack buffer allowing remote attackers to cause... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2017-17740 │ │ ├──────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2020-15719 │ │ │ │ │ openldap: Certificate validation incorrectly matches name │ │ │ │ │ │ │ │ against CN-ID │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-15719 │ ├──────────────────┼──────────────────┼──────────┼──────────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libpq5 │ CVE-2023-39417 │ HIGH │ fix_deferred │ 13.11-0+deb11u1 │ │ postgresql: extension script @substitutions@ within quoting │ │ │ │ │ │ │ │ allow SQL injection │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-39417 │ │ ├──────────────────┼──────────┼──────────────┤ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2022-41862 │ LOW │ affected │ │ │ Client memory disclosure when connecting with Kerberos to │ │ │ │ │ │ │ │ modified server │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-41862 │ ├──────────────────┼──────────────────┼──────────┤ ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libssl1.1 │ CVE-2023-5678 │ MEDIUM │ │ 1.1.1w-0+deb11u1 │ │ openssl: Generating excessively long X9.42 DH keys or │ │ │ │ │ │ │ │ checking excessively long X9.42... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-5678 │ │ ├──────────────────┼──────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2007-6755 │ LOW │ │ │ │ Dual_EC_DRBG: weak pseudo random number generator │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2007-6755 │ │ ├──────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2010-0928 │ │ │ │ │ openssl: RSA authentication weakness │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2010-0928 │ ├──────────────────┼──────────────────┼──────────┤ ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libstdc++6 │ CVE-2023-4039 │ MEDIUM │ │ 10.2.1-6 │ │ gcc: -fstack-protector fails to guard dynamic stack │ │ │ │ │ │ │ │ allocations on ARM64 │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-4039 │ ├──────────────────┼──────────────────┼──────────┤ ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libsystemd0 │ CVE-2013-4392 │ LOW │ │ 252.5-2~bpo11+1 │ │ TOCTOU race condition when updating file permissions and │ │ │ │ │ │ │ │ SELinux security contexts │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2013-4392 │ │ ├──────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2020-13529 │ │ │ │ │ systemd: DHCP FORCERENEW authentication not implemented can │ │ │ │ │ │ │ │ cause a system running the... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-13529 │ │ ├──────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2023-31437 │ │ │ │ │ An issue was discovered in systemd 253. An attacker can │ │ │ │ │ │ │ │ modify a... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-31437 │ │ ├──────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2023-31438 │ │ │ │ │ An issue was discovered in systemd 253. An attacker can │ │ │ │ │ │ │ │ truncate a... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-31438 │ │ ├──────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2023-31439 │ │ │ │ │ An issue was discovered in systemd 253. An attacker can │ │ │ │ │ │ │ │ modify the... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-31439 │ ├──────────────────┼──────────────────┼──────────┤ ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libzstd1 │ CVE-2022-4899 │ HIGH │ │ 1.4.8+dfsg-2.1 │ │ buffer overrun in util.c │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-4899 │ ├──────────────────┼──────────────────┼──────────┤ ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ openssl │ CVE-2023-5678 │ MEDIUM │ │ 1.1.1w-0+deb11u1 │ │ openssl: Generating excessively long X9.42 DH keys or │ │ │ │ │ │ │ │ checking excessively long X9.42... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-5678 │ │ ├──────────────────┼──────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2007-6755 │ LOW │ │ │ │ Dual_EC_DRBG: weak pseudo random number generator │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2007-6755 │ │ ├──────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2010-0928 │ │ │ │ │ openssl: RSA authentication weakness │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2010-0928 │ ├──────────────────┼──────────────────┼──────────┤ ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ zlib1g │ CVE-2023-45853 │ CRITICAL │ │ 1:1.2.11.dfsg-2+deb11u2 │ │ zlib: integer overflow and resultant heap-based buffer │ │ │ │ │ │ │ │ overflow in zipOpenNewFileInZip4_6 │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-45853 │ └──────────────────┴──────────────────┴──────────┴──────────────┴─────────────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘`
SohilShri
commented
9 months ago Please help me with CVE-2023-45853, the fix is not available on the latest version 2.2.1.
Total: 43 (UNKNOWN: 0, LOW: 26, MEDIUM: 12, HIGH: 4, CRITICAL: 1)
┌──────────────────┬──────────────────┬──────────┬─────────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐ │ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │ ├──────────────────┼──────────────────┼──────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libatomic1 │ CVE-2023-4039 │ MEDIUM │ 10.2.1-6 │ │ gcc: -fstack-protector fails to guard dynamic stack │ │ │ │ │ │ │ allocations on ARM64 │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-4039 │ ├──────────────────┼──────────────────┤ ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libc6 │ CVE-2023-4806 │ │ 2.31-13+deb11u7 │ │ glibc: potential use-after-free in getaddrinfo() │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-4806 │ │ ├──────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2023-4813 │ │ │ │ glibc: potential use-after-free in gaih_inet() │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-4813 │ │ ├──────────────────┼──────────┤ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2010-4756 │ LOW │ │ │ glibc: glob implementation can cause excessive CPU and │ │ │ │ │ │ │ memory consumption due to... │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2010-4756 │ │ ├──────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2018-20796 │ │ │ │ glibc: uncontrolled recursion in function │ │ │ │ │ │ │ check_dst_limits_calc_pos_1 in posix/regexec.c │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-20796 │ │ ├──────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2019-1010022 │ │ │ │ glibc: stack guard protection bypass │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1010022 │ │ ├──────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2019-1010023 │ │ │ │ glibc: running ldd on malicious ELF leads to code execution │ │ │ │ │ │ │ because of... │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1010023 │ │ ├──────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2019-1010024 │ │ │ │ glibc: ASLR bypass using cache of thread stack and heap │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1010024 │ │ ├──────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2019-1010025 │ │ │ │ glibc: information disclosure of heap addresses of │ │ │ │ │ │ │ pthread_created thread │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1010025 │ │ ├──────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2019-9192 │ │ │ │ glibc: uncontrolled recursion in function │ │ │ │ │ │ │ check_dst_limits_calc_pos_1 in posix/regexec.c │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-9192 │ ├──────────────────┼──────────────────┼──────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libcom-err2 │ CVE-2022-1304 │ HIGH │ 1.46.2-2 │ │ e2fsprogs: out-of-bounds read/write via crafted filesystem │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-1304 │ ├──────────────────┼──────────────────┼──────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libgcc-s1 │ CVE-2023-4039 │ MEDIUM │ 10.2.1-6 │ │ gcc: -fstack-protector fails to guard dynamic stack │ │ │ │ │ │ │ allocations on ARM64 │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-4039 │ ├──────────────────┼──────────────────┼──────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libgcrypt20 │ CVE-2021-33560 │ HIGH │ 1.8.7-6 │ │ mishandles ElGamal encryption because it lacks exponent │ │ │ │ │ │ │ blinding to address a side-channel... │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-33560 │ │ ├──────────────────┼──────────┤ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2018-6829 │ LOW │ │ │ libgcrypt: ElGamal implementation doesn't have semantic │ │ │ │ │ │ │ security due to incorrectly encoded plaintexts... │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-6829 │ ├──────────────────┼──────────────────┼──────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libgnutls30 │ CVE-2023-5981 │ MEDIUM │ 3.7.1-5+deb11u3 │ │ gnutls: timing side-channel in the RSA-PSK authentication │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-5981 │ │ ├──────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2024-0553 │ │ │ │ gnutls: incomplete fix for CVE-2023-5981 │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-0553 │ │ ├──────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2024-0567 │ │ │ │ gnutls: rejects certificate chain with distributed trust │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-0567 │ │ ├──────────────────┼──────────┤ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2011-3389 │ LOW │ │ │ HTTPS: block-wise chosen-plaintext attack against SSL/TLS │ │ │ │ │ │ │ (BEAST) │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2011-3389 │ ├──────────────────┼──────────────────┼──────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libgomp1 │ CVE-2023-4039 │ MEDIUM │ 10.2.1-6 │ │ gcc: -fstack-protector fails to guard dynamic stack │ │ │ │ │ │ │ allocations on ARM64 │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-4039 │ ├──────────────────┼──────────────────┼──────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libgssapi-krb5-2 │ CVE-2018-5709 │ LOW │ 1.18.3-6+deb11u4 │ │ krb5: integer overflow in dbentry->n_key_data in │ │ │ │ │ │ │ kadmin/dbutil/dump.c │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-5709 │ ├──────────────────┤ │ │ ├───────────────┤ │ │ libk5crypto3 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ ├──────────────────┤ │ │ ├───────────────┤ │ │ libkrb5-3 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ ├──────────────────┤ │ │ ├───────────────┤ │ │ libkrb5support0 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ ├──────────────────┼──────────────────┼──────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libldap-2.4-2 │ CVE-2023-2953 │ HIGH │ 2.4.57+dfsg-3+deb11u1 │ │ null pointer dereference in ber_memalloc_x function │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-2953 │ │ ├──────────────────┼──────────┤ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2015-3276 │ LOW │ │ │ incorrect multi-keyword mode cipherstring parsing │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2015-3276 │ │ ├──────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2017-14159 │ │ │ │ openldap: Privilege escalation via PID file manipulation │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2017-14159 │ │ ├──────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2017-17740 │ │ │ │ openldap: contrib/slapd-modules/nops/nops.c attempts to free │ │ │ │ │ │ │ stack buffer allowing remote attackers to cause... │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2017-17740 │ │ ├──────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2020-15719 │ │ │ │ openldap: Certificate validation incorrectly matches name │ │ │ │ │ │ │ against CN-ID │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-15719 │ ├──────────────────┼──────────────────┼──────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libssl1.1 │ CVE-2023-5678 │ MEDIUM │ 1.1.1w-0+deb11u1 │ │ openssl: Generating excessively long X9.42 DH keys or │ │ │ │ │ │ │ checking excessively long X9.42... │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-5678 │ │ ├──────────────────┼──────────┤ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2007-6755 │ LOW │ │ │ Dual_EC_DRBG: weak pseudo random number generator │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2007-6755 │ │ ├──────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2010-0928 │ │ │ │ openssl: RSA authentication weakness │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2010-0928 │ ├──────────────────┼──────────────────┼──────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libstdc++6 │ CVE-2023-4039 │ MEDIUM │ 10.2.1-6 │ │ gcc: -fstack-protector fails to guard dynamic stack │ │ │ │ │ │ │ allocations on ARM64 │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-4039 │ ├──────────────────┼──────────────────┤ ├─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libsystemd0 │ CVE-2023-7008 │ │ 252.5-2~bpo11+1 │ │ systemd-resolved: Unsigned name response in signed zone is │ │ │ │ │ │ │ not refused when DNSSEC=yes... │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-7008 │ │ ├──────────────────┼──────────┤ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2013-4392 │ LOW │ │ │ TOCTOU race condition when updating file permissions and │ │ │ │ │ │ │ SELinux security contexts │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2013-4392 │ │ ├──────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2020-13529 │ │ │ │ systemd: DHCP FORCERENEW authentication not implemented can │ │ │ │ │ │ │ cause a system running the... │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-13529 │ │ ├──────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2023-31437 │ │ │ │ An issue was discovered in systemd 253. An attacker can │ │ │ │ │ │ │ modify a... │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-31437 │ │ ├──────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2023-31438 │ │ │ │ An issue was discovered in systemd 253. An attacker can │ │ │ │ │ │ │ truncate a... │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-31438 │ │ ├──────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2023-31439 │ │ │ │ An issue was discovered in systemd 253. An attacker can │ │ │ │ │ │ │ modify the... │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-31439 │ ├──────────────────┼──────────────────┼──────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libzstd1 │ CVE-2022-4899 │ HIGH │ 1.4.8+dfsg-2.1 │ │ zstd: mysql: buffer overrun in util.c │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-4899 │ ├──────────────────┼──────────────────┼──────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ openssl │ CVE-2023-5678 │ MEDIUM │ 1.1.1w-0+deb11u1 │ │ openssl: Generating excessively long X9.42 DH keys or │ │ │ │ │ │ │ checking excessively long X9.42... │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-5678 │ │ ├──────────────────┼──────────┤ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2007-6755 │ LOW │ │ │ Dual_EC_DRBG: weak pseudo random number generator │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2007-6755 │ │ ├──────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2010-0928 │ │ │ │ openssl: RSA authentication weakness │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2010-0928 │ ├──────────────────┼──────────────────┼──────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ zlib1g │ CVE-2023-45853 │ CRITICAL │ 1:1.2.11.dfsg-2+deb11u2 │ │ zlib: integer overflow and resultant heap-based buffer │ │ │ │ │ │ │ overflow in zipOpenNewFileInZip4_6 │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-45853 │
patrick-stephens
commented
6 months ago I think I've clarified enough here about old versions not going to be updated, if you want to resolve issues then update. I'm going to close this as it is just noise now.
Hi team,
In our vulnerability scan report there are 8 HIGH and 1 CRITICAL vulnerabilities in fluent/fluent-bit:2.0.8
I would like to know if there is any plan in place to fix them in upcoming releases ?