haproxytech / kubernetes-ingress

HAProxy Kubernetes Ingress Controller
https://www.haproxy.com/documentation/kubernetes/
Apache License 2.0

Reflection needed on several critical security vulnerabilities #521

Closed Gaethje closed 1 year ago

Gaethje commented 1 year ago

We scanned your images with JFrog's Xray image scanner. We found several critical vulnerabilities. Here are the critical vulnerabilities which are CVE >= 9.0. We appreciate your project and feedback.

| Issue id | CVES | CVSS3 score | Vulnerable Component | Summary | Fixed versions | Package type | Severity | Published | Provider | Impacted Artifact | Path | Impact Path | Artifact Scan Time | References | Description |
| -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- |
| XRAY-263045 | CVE-2022-32221 | 9.8 | alpine://3.15:curl:7.80.0-r3 | When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST. | 7.80.0-r4 | alpine | Critical | 2022-12-06 | JFrog | docker://cloudbees/haproxytech/kubernetes-ingress:1.9.0 | klstg-docker-local/cloudbees/haproxytech/kubernetes-ingress/1.9.0/ | docker://cloudbees/haproxytech/kubernetes-ingress:1.9.0 generic://sha256:7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87/sha256__7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87.tar.gz alpine://3.15:curl:7.80.0-r3 | 2023-01-26 | https://hackerone.com/reports/1704017 https://security.gentoo.org/glsa/202212-01 | When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST. |
| XRAY-263045 | CVE-2022-32221 | 9.8 | alpine://3.15:libcurl:7.80.0-r3 | When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST. | 7.80.0-r4 | alpine | Critical | 2022-12-06 | JFrog | docker://cloudbees/haproxytech/kubernetes-ingress:1.9.0 | klstg-docker-local/cloudbees/haproxytech/kubernetes-ingress/1.9.0/ | docker://cloudbees/haproxytech/kubernetes-ingress:1.9.0 generic://sha256:7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87/sha256__7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87.tar.gz alpine://3.15:libcurl:7.80.0-r3 | 2023-01-26 | https://hackerone.com/reports/1704017 https://security.gentoo.org/glsa/202212-01 | When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST. |
| XRAY-260175 | CVE-2022-42915 | 9.8 | alpine://3.15:curl:7.80.0-r3 | curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0. | 7.80.0-r4 | alpine | Critical | 2022-10-30 | JFrog | docker://cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0 | klstg-docker-local/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress/1.9.0/ | docker://cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0 generic://sha256:7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87/sha256__7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87.tar.gz alpine://3.15:curl:7.80.0-r3 | 2023-01-26 | https://curl.se/docs/CVE-2022-42915.html https://security.gentoo.org/glsa/202212-01 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/ https://security.netapp.com/advisory/ntap-20221209-0010/ | curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0. |
| XRAY-260175 | CVE-2022-42915 | 9.8 | alpine://3.15:libcurl:7.80.0-r3 | curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0. | 7.80.0-r4 | alpine | Critical | 2022-10-30 | JFrog | docker://cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0 | klstg-docker-local/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress/1.9.0/ | docker://cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0 generic://sha256:7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87/sha256__7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87.tar.gz alpine://3.15:libcurl:7.80.0-r3 | 2023-01-26 | https://curl.se/docs/CVE-2022-42915.html https://security.gentoo.org/glsa/202212-01 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/ https://security.netapp.com/advisory/ntap-20221209-0010/ | curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0. |
| XRAY-187759 | CVE-2021-38297 | 9.8 | go://github.com/golang/go:1.10.3 | Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used. | 1.16.9 1.17.2 | go | Critical | 2021-10-19 | JFrog | docker://cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5 | klstg-docker-local/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64/1.5/ | docker://cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5 generic://sha256:65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06/sha256__65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06.tar.gz generic://sha256:805cc9bffdd53dd04e65042d4df67cc7719682a8579b3ea09089958f2ac708de/server go://github.com/golang/go:1.10.3 | 2023-01-26 | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OFS3M3OFB24SWPTIAPARKGPUMQVUY6Z/ https://security.gentoo.org/glsa/202208-02 https://groups.google.com/forum/#!forum/golang-announce https://groups.google.com/g/golang-announce/c/AEBu9j7yj5A https://security.netapp.com/advisory/ntap-20211118-0006/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ON7BQRRJZBOR5TJHURBAB3WLF4YXFC6Z/ | Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used. |
| XRAY-85927 | CVE-2019-14809 | 9.8 | go://github.com/golang/go:1.10.3 | net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com. | 1.11.13 1.12.8 | go | Critical | 2019-08-16 | JFrog | docker://cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5 | klstg-docker-local/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64/1.5/ | docker://cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5 generic://sha256:65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06/sha256__65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06.tar.gz generic://sha256:805cc9bffdd53dd04e65042d4df67cc7719682a8579b3ea09089958f2ac708de/server go://github.com/golang/go:1.10.3 | 2023-01-26 | https://www.debian.org/security/2019/dsa-4503 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYO6E3H34C346D2E443GLXK7OK6KIYIQ/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BBP27PZGSY6OP6D26E5FW4GZKBFHNU7/ https://groups.google.com/forum/#!topic/golang-announce/0uuMm1BwpHE https://access.redhat.com/errata/RHSA-2019:3433 http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00076.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00038.html https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg https://seclists.org/bugtraq/2019/Aug/31 https://github.com/golang/go/issues/29098 | net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com. |
| XRAY-82071 | CVE-2019-11888 | 9.8 | go://github.com/golang/go:1.10.3 | Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows attackers to obtain sensitive information or gain privileges. | 1.12.6 1.13beta1 | go | Critical | 2019-05-20 | JFrog | docker://cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5 | klstg-docker-local/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64/1.5/ | docker://cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5 generic://sha256:65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06/sha256__65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06.tar.gz generic://sha256:805cc9bffdd53dd04e65042d4df67cc7719682a8579b3ea09089958f2ac708de/server go://github.com/golang/go:1.10.3 | 2023-01-26 | https://go-review.googlesource.com/c/go/+/176619 | Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows attackers to obtain sensitive information or gain privileges. |
| XRAY-124116 |  | 9.8 | alpine://3.15:openssl:1.1.1q-r0 | OpenSSL crypto/rc5/rc5_skey.c RC5_32_set_key() Function Key Initialization Stack Buffer Overflow | 3.0.0-r0 | alpine | Critical | 2020-09-10 | JFrog | docker://cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0 | klstg-docker-local/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress/1.9.0/ | docker://cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0 generic://sha256:a68cf3d2a33072abb4411868b105b0872ab5d785f5da16af316ba5961e6e08b0/sha256__a68cf3d2a33072abb4411868b105b0872ab5d785f5da16af316ba5961e6e08b0.tar.gz alpine://3.15:openssl:1.1.1q-r0 | 2023-01-26 | https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17173 | OpenSSL contains an overflow condition in the RC5_32_set_key() function in crypto/rc5/rc5_skey.c that is triggered as certain input is not properly validated when initializing encryption or decryption keys. This may allow a context-dependent attacker to cause a stack-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. |
| XRAY-198036 | CVE-2022-23806 | 9.1 | go://github.com/golang/go:1.10.3 | Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element. | 1.16.14 1.17.7 | go | Critical | 2022-02-14 | JFrog | docker://cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5 | klstg-docker-local/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64/1.5/ | docker://cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5 generic://sha256:65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06/sha256__65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06.tar.gz generic://sha256:805cc9bffdd53dd04e65042d4df67cc7719682a8579b3ea09089958f2ac708de/server go://github.com/golang/go:1.10.3 | 2023-01-26 | https://lists.debian.org/debian-lts-announce/2022/04/msg00018.html https://www.oracle.com/security-alerts/cpujul2022.html https://security.gentoo.org/glsa/202208-02 https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ https://lists.debian.org/debian-lts-announce/2022/04/msg00017.html https://security.netapp.com/advisory/ntap-20220225-0006/ | Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element. |

oktalz commented 1 year ago

@Gaethje thx for the info, we will examine all of them carefully.

From what I can tell, the tool is not working properly.

Most of the reported ones are simply false; for example, mentioning Go 1.12.6 is out of scope, and some are Windows related while this product is not being released on the Windows platform. Considering we released a new version yesterday, I'm curious where the tool got that information.

Also, the table headers are not visible here.

dkorunic commented 1 year ago

Hi, as mentioned, old Go runtime issues don't really apply here (we are now building with Go 1.20), and curl CVEs are pretty much out of scope since it's a tool for optional testing/debugging and isn't actively used. On top of that, it's a vulnerability that wasn't addressed by the upstream base image provider (Alpine) yet; packages haven't been built.
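A way to settle the disagreement above about which Go runtime is actually in the image, as an added example that is not the project's own code: read the toolchain version embedded in a Go binary's build info (the same data `go version -m` prints) and evaluate it against the report's "Fixed versions" cell, e.g. `1.16.9 1.17.2` for CVE-2021-38297. The `gocheck` program name and the choice to treat an empty fix list as "still affected" are my assumptions.

```go
// Added example (not the kubernetes-ingress project's code): read the Go toolchain a
// binary was really built with and test it against the report's "Fixed versions" cell.
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strings"
)

type goVersion struct{ major, minor, patch int } // "go1.20.3" -> {1,20,3}; "1.13beta1" -> {1,13,0}

func parseGoVersion(s string) goVersion {
	var v goVersion
	// Pre-release suffixes such as "beta1" stop the scan, so they order as patch 0.
	fmt.Sscanf(strings.TrimPrefix(s, "go"), "%d.%d.%d", &v.major, &v.minor, &v.patch)
	return v
}

func (v goVersion) key() int { return v.major*1_000_000 + v.minor*1_000 + v.patch } // total order

// IsVulnerable applies the advisory pattern "Go before X and Y.x before Y.z": anything
// below the lowest listed fix is affected, as is a version on the same minor line as a
// listed fix but older than it; later lines are clean. No fix listed: always affected.
func IsVulnerable(version, fixed string) bool {
	v := parseGoVersion(version)
	lowest := goVersion{major: 1000} // sentinel above any real Go version
	for _, f := range strings.Fields(fixed) {
		fv := parseGoVersion(f)
		if fv.key() < lowest.key() {
			lowest = fv
		}
		if fv.major == v.major && fv.minor == v.minor && v.key() < fv.key() {
			return true
		}
	}
	return v.key() < lowest.key()
}

// ToolchainOf returns the Go version recorded in a binary's build info ("go version -m").
func ToolchainOf(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return bi.GoVersion, nil
}

func main() { // usage: gocheck <binary> "<fixed versions cell from the report>"
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, `usage: gocheck <binary> "<fixed versions>"`)
		os.Exit(2)
	}
	ver, err := ToolchainOf(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "no Go build info:", err)
		os.Exit(1)
	}
	fmt.Printf("%s: built with %s, vulnerable=%v\n", os.Args[1], ver, IsVulnerable(ver, os.Args[2]))
}
```

Run it against the `server` binary the scanner listed in the impact path; a binary reporting `go1.20.x` is outside every Go range in the table, regardless of what the scanner guessed.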

Gaethje commented 1 year ago

Hello @oktalz @dkorunic, thanks for the update. Apologies, we were not using the latest image; that is the reason there were a high number of issues. On the latest image we just found one issue, which is coming from Alpine, but this can be discarded. I will close the issue.

| Issue id | CVES | CVSS3 score | Vulnerable Component | Summary | Fixed versions | Package type | Severity | Published | Provider | Impacted Artifact | Path | Impact Path | Artifact Scan Time | References | Description |
| -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- |
| XRAY-124116 |  | 9.8 | alpine://3.15:openssl:1.1.1t-r1 | OpenSSL crypto/rc5/rc5_skey.c RC5_32_set_key() Function Key Initialization Stack Buffer Overflow | 3.0.0-r0 | alpine | Critical | 2020-09-10 | JFrog | docker://cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.3 | klstg-docker-local/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress/1.9.3/ | docker://cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.3 generic://sha256:05578ff9d17401fca0be3b8f82079784169f93fd470335995538b70278aedfe9/sha256__05578ff9d17401fca0be3b8f82079784169f93fd470335995538b70278aedfe9.tar.gz alpine://3.15:openssl:1.1.1t-r1 | 2023-02-20 | https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17173 | OpenSSL contains an overflow condition in the RC5_32_set_key() function in crypto/rc5/rc5_skey.c that is triggered as certain input is not properly validated when initializing encryption or decryption keys. This may allow a context-dependent attacker to cause a stack-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. |