helm / chartmuseum

helm chart repository server
https://chartmuseum.com
Apache License 2.0

Detecting 4 critical vulnerabilities in chartmuseum v0.16.0 #737

Closed ameusel closed 5 months ago

ameusel commented 7 months ago
| vulnerabilityID | title | resource | installedVersion | fixedVersion | severity | primaryLink | image |
| --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2022-48174 | stack overflow vulnerability in ash.c leads to arbitrary code execution | busybox | 1.36.1-r0 | 1.36.1-r1 | CRITICAL | https://avd.aquasec.com/nvd/cve-2022-48174 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
| CVE-2022-48174 | stack overflow vulnerability in ash.c leads to arbitrary code execution | busybox-binsh | 1.36.1-r0 | 1.36.1-r1 | CRITICAL | https://avd.aquasec.com/nvd/cve-2022-48174 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
| CVE-2023-3961 | samba: smbd allows client access to unix domain sockets on the file system as root | libwbclient | 4.18.3-r0 | 4.18.8-r0 | CRITICAL | https://avd.aquasec.com/nvd/cve-2023-3961 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
| CVE-2022-48174 | stack overflow vulnerability in ash.c leads to arbitrary code execution | ssl_client | 1.36.1-r0 | 1.36.1-r1 | CRITICAL | https://avd.aquasec.com/nvd/cve-2022-48174 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
| CVE-2023-5363 | openssl: Incorrect cipher key and IV length processing | libcrypto3 | 3.1.1-r1 | 3.1.4-r0 | HIGH | https://avd.aquasec.com/nvd/cve-2023-5363 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
| CVE-2023-5363 | openssl: Incorrect cipher key and IV length processing | libssl3 | 3.1.1-r1 | 3.1.4-r0 | HIGH | https://avd.aquasec.com/nvd/cve-2023-5363 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
| CVE-2023-39325 | golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) | golang.org/x/net | v0.10.0 | 0.17.0 | HIGH | https://avd.aquasec.com/nvd/cve-2023-39325 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
| GHSA-m425-mq94-257g | gRPC-Go HTTP/2 Rapid Reset vulnerability | google.golang.org/grpc | v1.55.0 | 1.56.3, 1.57.1, 1.58.3 | HIGH | https://github.com/advisories/GHSA-m425-mq94-257g | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
| CVE-2023-2975 | openssl: AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries | libcrypto3 | 3.1.1-r1 | 3.1.1-r2 | MEDIUM | https://avd.aquasec.com/nvd/cve-2023-2975 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
| CVE-2023-3446 | openssl: Excessive time spent checking DH keys and parameters | libcrypto3 | 3.1.1-r1 | 3.1.1-r3 | MEDIUM | https://avd.aquasec.com/nvd/cve-2023-3446 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
| CVE-2023-3817 | OpenSSL: Excessive time spent checking DH q parameter value | libcrypto3 | 3.1.1-r1 | 3.1.2-r0 | MEDIUM | https://avd.aquasec.com/nvd/cve-2023-3817 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
| CVE-2023-5678 | openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow | libcrypto3 | 3.1.1-r1 | 3.1.4-r1 | MEDIUM | https://avd.aquasec.com/nvd/cve-2023-5678 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
| CVE-2023-2975 | openssl: AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries | libssl3 | 3.1.1-r1 | 3.1.1-r2 | MEDIUM | https://avd.aquasec.com/nvd/cve-2023-2975 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
| CVE-2023-3446 | openssl: Excessive time spent checking DH keys and parameters | libssl3 | 3.1.1-r1 | 3.1.1-r3 | MEDIUM | https://avd.aquasec.com/nvd/cve-2023-3446 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
| CVE-2023-3817 | OpenSSL: Excessive time spent checking DH q parameter value | libssl3 | 3.1.1-r1 | 3.1.2-r0 | MEDIUM | https://avd.aquasec.com/nvd/cve-2023-3817 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
| CVE-2023-5678 | openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow | libssl3 | 3.1.1-r1 | 3.1.4-r1 | MEDIUM | https://avd.aquasec.com/nvd/cve-2023-5678 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
| CVE-2023-4091 | samba: SMB clients can truncate files with read-only permissions | libwbclient | 4.18.3-r0 | 4.18.8-r0 | MEDIUM | https://avd.aquasec.com/nvd/cve-2023-4091 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
| CVE-2023-4154 | AD DC password exposure to privileged users and RODCs | libwbclient | 4.18.3-r0 | 4.18.8-r0 | MEDIUM | https://avd.aquasec.com/nvd/cve-2023-4154 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
| CVE-2023-42669 | samba: "rpcecho" development server allows denial of service via sleep() call on AD DC | libwbclient | 4.18.3-r0 | 4.18.8-r0 | MEDIUM | https://avd.aquasec.com/nvd/cve-2023-42669 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
| CVE-2023-42670 | AD DC Busy RPC multiple listener DoS | libwbclient | 4.18.3-r0 | 4.18.8-r0 | MEDIUM | https://avd.aquasec.com/nvd/cve-2023-42670 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
| GHSA-jq35-85cj-fj4p | /sys/devices/virtual/powercap accessible by default to containers | github.com/docker/docker | v20.10.24+incompatible | 24.0.7 | MEDIUM | https://github.com/advisories/GHSA-jq35-85cj-fj4p | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
| CVE-2023-3978 | golang.org/x/net/html: Cross site scripting | golang.org/x/net | v0.10.0 | 0.13.0 | MEDIUM | https://avd.aquasec.com/nvd/cve-2023-3978 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
| CVE-2023-44487 | HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) | golang.org/x/net | v0.10.0 | 0.17.0 | MEDIUM | https://avd.aquasec.com/nvd/cve-2023-44487 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
| CVE-2023-44487 | HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) | google.golang.org/grpc | v1.55.0 | 1.58.3, 1.57.1, 1.56.3 | MEDIUM | https://avd.aquasec.com/nvd/cve-2023-44487 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
kaiwalyajoshi commented 6 months ago

Bumping to the latest version of alpine 3.19.0 removes the CRITICAL vulnerabilities.

@scbizu Could we get a v0.16.1 release with just alpine bumped as a bug-fix release?
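The observation above (a base-image bump clears the CRITICAL rows but not necessarily the rest) is easy to check mechanically against a scan table like the one at the top of this issue. The script below is an added example, not code from the chartmuseum project: it takes findings in the shape of that table (a constructed subset of its rows is embedded inline), gates on a severity threshold, and splits the blocking findings into OS packages, which a newer base image resolves, and Go modules, which need a dependency bump. The `"/" in resource` heuristic for telling the two apart and the assumption that a rebuilt base image ships every OS-package fix are this example's own, not anything the scanner or the project states.

```python
"""Triage a container-image vulnerability report by severity and by origin.

Added example, not part of chartmuseum. Findings are constructed from the
issue's table (a subset of rows); the field layout mirrors that table's
columns, not any scanner's real JSON schema.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    resource: str          # package name (OS) or module path (Go)
    installed: str
    fixed: str
    severity: str


# Constructed sample: a subset of the rows reported for chartmuseum v0.16.0.
SAMPLE_FINDINGS = [
    Finding("CVE-2022-48174", "busybox", "1.36.1-r0", "1.36.1-r1", "CRITICAL"),
    Finding("CVE-2022-48174", "busybox-binsh", "1.36.1-r0", "1.36.1-r1", "CRITICAL"),
    Finding("CVE-2023-3961", "libwbclient", "4.18.3-r0", "4.18.8-r0", "CRITICAL"),
    Finding("CVE-2022-48174", "ssl_client", "1.36.1-r0", "1.36.1-r1", "CRITICAL"),
    Finding("CVE-2023-5363", "libcrypto3", "3.1.1-r1", "3.1.4-r0", "HIGH"),
    Finding("CVE-2023-39325", "golang.org/x/net", "v0.10.0", "0.17.0", "HIGH"),
    Finding("GHSA-m425-mq94-257g", "google.golang.org/grpc", "v1.55.0",
            "1.56.3, 1.57.1, 1.58.3", "HIGH"),
    Finding("CVE-2023-3978", "golang.org/x/net", "v0.10.0", "0.13.0", "MEDIUM"),
]


def origin(resource: str) -> str:
    """Assumption: module paths contain '/', apk package names do not."""
    return "go-module" if "/" in resource else "os-package"


def count_by_severity(findings) -> dict:
    """Severity histogram, e.g. {'CRITICAL': 4, 'HIGH': 3, 'MEDIUM': 1}."""
    return dict(Counter(f.severity for f in findings))


def gate(findings, threshold: str = "CRITICAL") -> bool:
    """True when the image passes: nothing at or above the threshold."""
    limit = SEVERITY_RANK[threshold]
    return not any(SEVERITY_RANK[f.severity] >= limit for f in findings)


def remediation_plan(findings, threshold: str = "CRITICAL") -> dict:
    """Blocking findings grouped as origin -> resource -> first fixed version seen.

    'os-package' entries go away by rebuilding on a base image that ships the
    fixed version; 'go-module' entries need go.mod bumped and a rebuild.
    """
    limit = SEVERITY_RANK[threshold]
    plan = defaultdict(dict)
    for f in findings:
        if SEVERITY_RANK[f.severity] >= limit:
            plan[origin(f.resource)].setdefault(f.resource, f.fixed)
    return {k: dict(v) for k, v in plan.items()}


def remaining_after_base_bump(findings) -> list:
    """Simulate a base-image bump (assumption: every OS-package fix is shipped).

    Go-module findings are untouched, which is why the bump clears CRITICAL
    here but leaves the HIGH x/net and gRPC rows in place.
    """
    return [f for f in findings if origin(f.resource) == "go-module"]


if __name__ == "__main__":
    print("before bump:", count_by_severity(SAMPLE_FINDINGS),
          "passes CRITICAL gate:", gate(SAMPLE_FINDINGS))
    print("plan:", remediation_plan(SAMPLE_FINDINGS, "HIGH"))
    after = remaining_after_base_bump(SAMPLE_FINDINGS)
    print("after bump:", count_by_severity(after),
          "passes CRITICAL gate:", gate(after),
          "passes HIGH gate:", gate(after, "HIGH"))
```

Run as-is it reports the v0.16.0 subset as failing a CRITICAL gate, passing it after the simulated base-image bump, and still failing a HIGH gate because golang.org/x/net and google.golang.org/grpc are only fixed by a dependency bump.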

scbizu commented 6 months ago

@kaiwalyajoshi ya, we will.

scbizu commented 6 months ago

ping @jdolitsky, could we cut the new version with these security patches?

cbuto commented 6 months ago

:wave: @scbizu, I can start the release process and follow up with @jdolitsky for the remaining steps

scbizu commented 6 months ago

@cbuto wow, feel free to ping me if you need some help 🙋

scbizu commented 5 months ago

@ameusel We just released v0.16.1, just check it out.

ameusel commented 5 months ago

@scbizu thanks, we have been running this for a few days now, no more critical vulnerabilities detected