Closed (ameusel closed this issue 5 months ago)
vulnerabilityID | title | resource | installedVersion | fixedVersion | severity | primaryLink | image |
---|---|---|---|---|---|---|---|
CVE-2022-48174 | stack overflow vulnerability in ash.c leads to arbitrary code execution | busybox | 1.36.1-r0 | 1.36.1-r1 | CRITICAL | https://avd.aquasec.com/nvd/cve-2022-48174 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
CVE-2022-48174 | stack overflow vulnerability in ash.c leads to arbitrary code execution | busybox-binsh | 1.36.1-r0 | 1.36.1-r1 | CRITICAL | https://avd.aquasec.com/nvd/cve-2022-48174 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
CVE-2023-3961 | samba: smbd allows client access to unix domain sockets on the file system as root | libwbclient | 4.18.3-r0 | 4.18.8-r0 | CRITICAL | https://avd.aquasec.com/nvd/cve-2023-3961 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
CVE-2022-48174 | stack overflow vulnerability in ash.c leads to arbitrary code execution | ssl_client | 1.36.1-r0 | 1.36.1-r1 | CRITICAL | https://avd.aquasec.com/nvd/cve-2022-48174 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
CVE-2023-5363 | openssl: Incorrect cipher key and IV length processing | libcrypto3 | 3.1.1-r1 | 3.1.4-r0 | HIGH | https://avd.aquasec.com/nvd/cve-2023-5363 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
CVE-2023-5363 | openssl: Incorrect cipher key and IV length processing | libssl3 | 3.1.1-r1 | 3.1.4-r0 | HIGH | https://avd.aquasec.com/nvd/cve-2023-5363 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
CVE-2023-39325 | golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) | golang.org/x/net | v0.10.0 | 0.17.0 | HIGH | https://avd.aquasec.com/nvd/cve-2023-39325 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
GHSA-m425-mq94-257g | gRPC-Go HTTP/2 Rapid Reset vulnerability | google.golang.org/grpc | v1.55.0 | 1.56.3, 1.57.1, 1.58.3 | HIGH | https://github.com/advisories/GHSA-m425-mq94-257g | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
CVE-2023-2975 | openssl: AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries | libcrypto3 | 3.1.1-r1 | 3.1.1-r2 | MEDIUM | https://avd.aquasec.com/nvd/cve-2023-2975 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
CVE-2023-3446 | openssl: Excessive time spent checking DH keys and parameters | libcrypto3 | 3.1.1-r1 | 3.1.1-r3 | MEDIUM | https://avd.aquasec.com/nvd/cve-2023-3446 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
CVE-2023-3817 | OpenSSL: Excessive time spent checking DH q parameter value | libcrypto3 | 3.1.1-r1 | 3.1.2-r0 | MEDIUM | https://avd.aquasec.com/nvd/cve-2023-3817 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
CVE-2023-5678 | openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow | libcrypto3 | 3.1.1-r1 | 3.1.4-r1 | MEDIUM | https://avd.aquasec.com/nvd/cve-2023-5678 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
CVE-2023-2975 | openssl: AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries | libssl3 | 3.1.1-r1 | 3.1.1-r2 | MEDIUM | https://avd.aquasec.com/nvd/cve-2023-2975 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
CVE-2023-3446 | openssl: Excessive time spent checking DH keys and parameters | libssl3 | 3.1.1-r1 | 3.1.1-r3 | MEDIUM | https://avd.aquasec.com/nvd/cve-2023-3446 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
CVE-2023-3817 | OpenSSL: Excessive time spent checking DH q parameter value | libssl3 | 3.1.1-r1 | 3.1.2-r0 | MEDIUM | https://avd.aquasec.com/nvd/cve-2023-3817 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
CVE-2023-5678 | openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow | libssl3 | 3.1.1-r1 | 3.1.4-r1 | MEDIUM | https://avd.aquasec.com/nvd/cve-2023-5678 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
CVE-2023-4091 | samba: SMB clients can truncate files with read-only permissions | libwbclient | 4.18.3-r0 | 4.18.8-r0 | MEDIUM | https://avd.aquasec.com/nvd/cve-2023-4091 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
CVE-2023-4154 | AD DC password exposure to privileged users and RODCs | libwbclient | 4.18.3-r0 | 4.18.8-r0 | MEDIUM | https://avd.aquasec.com/nvd/cve-2023-4154 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
CVE-2023-42669 | samba: "rpcecho" development server allows denial of service via sleep() call on AD DC | libwbclient | 4.18.3-r0 | 4.18.8-r0 | MEDIUM | https://avd.aquasec.com/nvd/cve-2023-42669 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
CVE-2023-42670 | AD DC Busy RPC multiple listener DoS | libwbclient | 4.18.3-r0 | 4.18.8-r0 | MEDIUM | https://avd.aquasec.com/nvd/cve-2023-42670 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
GHSA-jq35-85cj-fj4p | /sys/devices/virtual/powercap accessible by default to containers | github.com/docker/docker | v20.10.24+incompatible | 24.0.7 | MEDIUM | https://github.com/advisories/GHSA-jq35-85cj-fj4p | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
CVE-2023-3978 | golang.org/x/net/html: Cross site scripting | golang.org/x/net | v0.10.0 | 0.13.0 | MEDIUM | https://avd.aquasec.com/nvd/cve-2023-3978 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
CVE-2023-44487 | HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) | golang.org/x/net | v0.10.0 | 0.17.0 | MEDIUM | https://avd.aquasec.com/nvd/cve-2023-44487 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
CVE-2023-44487 | HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) | google.golang.org/grpc | v1.55.0 | 1.58.3, 1.57.1, 1.56.3 | MEDIUM | https://avd.aquasec.com/nvd/cve-2023-44487 | ghcr.io/helm/chartmuseum/chartmuseum:v0.16.0 |
Bumping to the latest version of Alpine, 3.19.0, removes the CRITICAL vulnerabilities.

@scbizu Could we get a v0.16.1 release with just Alpine bumped, as a bug-fix release?
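The scan table above is the kind of output a practitioner has to triage before deciding what a base-image bump actually buys: the same CVE is listed once per package it touches, Go module advisories list one fix per release branch, and "which version do I need to reach" differs per package. The script below is an added example written for this thread, not ChartMuseum or Trivy code. It parses a constructed subset of the rows above (same columns, fewer of them), picks the applicable fix per finding (an apk-style `1.36.1-r1` or, for Go modules, the fix on the installed minor branch), computes the minimum version each package must reach, gates on distinct CRITICAL IDs, and shows which findings remain after a hypothetical bump. The post-bump package versions in `after` are assumptions chosen for illustration, not taken from any real Alpine release, and `parse_version` is a simplification that ignores pre-release suffixes rather than a full apk or semver comparator.

```python
"""Triage a Trivy-style scan table: dedupe findings, pick the fix that applies.

Added example for this issue thread; not ChartMuseum code and not Trivy's own logic.
"""
import re
from dataclasses import dataclass

# Constructed subset of the rows in the scan table above (same columns, fewer rows).
SCAN_TABLE = """\
CVE-2022-48174 | busybox | 1.36.1-r0 | 1.36.1-r1 | CRITICAL
CVE-2022-48174 | busybox-binsh | 1.36.1-r0 | 1.36.1-r1 | CRITICAL
CVE-2023-3961 | libwbclient | 4.18.3-r0 | 4.18.8-r0 | CRITICAL
CVE-2023-5363 | libcrypto3 | 3.1.1-r1 | 3.1.4-r0 | HIGH
CVE-2023-2975 | libcrypto3 | 3.1.1-r1 | 3.1.1-r2 | MEDIUM
CVE-2023-5678 | libcrypto3 | 3.1.1-r1 | 3.1.4-r1 | MEDIUM
CVE-2023-39325 | golang.org/x/net | v0.10.0 | 0.17.0 | HIGH
CVE-2023-3978 | golang.org/x/net | v0.10.0 | 0.13.0 | MEDIUM
GHSA-m425-mq94-257g | google.golang.org/grpc | v1.55.0 | 1.56.3, 1.57.1, 1.58.3 | HIGH
"""

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    installed: str
    fixed: str      # raw field: may list several branches, or be empty when no fix exists
    severity: str


def parse_version(v):
    """Numeric tuple for apk ('1.36.1-r1' -> (1,36,1,1)) and Go ('v0.10.0' -> (0,10,0)) versions.
    Pre-release tags such as '-rc1' are dropped, so this is a simplification, not a full
    apk or semver comparator."""
    return tuple(int(n) for n in re.findall(r"\d+", v))


def parse_table(text):
    rows = []
    for line in text.strip().splitlines():
        vuln_id, package, installed, fixed, severity = [c.strip() for c in line.split("|")]
        rows.append(Finding(vuln_id, package, installed, fixed, severity))
    return rows


def applicable_fix(installed, fixed_field):
    """Pick the fix the installed version must reach. Go module advisories often list one
    fix per release branch ('1.56.3, 1.57.1, 1.58.3'): prefer the fix on the installed
    major.minor branch, otherwise the lowest fix overall. Returns None when no fix exists."""
    fixes = [f.strip() for f in fixed_field.split(",") if f.strip()]
    if not fixes:
        return None
    branch = parse_version(installed)[:2]
    same_branch = [f for f in fixes if parse_version(f)[:2] == branch]
    return min(same_branch or fixes, key=parse_version)


def is_vulnerable(version, fixed_field):
    """True if `version` is below its applicable fix, or if no fix exists at all."""
    fix = applicable_fix(version, fixed_field)
    return fix is None or parse_version(version) < parse_version(fix)


def required_versions(findings):
    """Per package, the highest applicable fix: the version a bump must reach to clear
    every finding against that package."""
    needed = {}
    for f in findings:
        fix = applicable_fix(f.installed, f.fixed)
        if fix is None:
            continue
        cur = needed.get(f.package)
        if cur is None or parse_version(fix) > parse_version(cur):
            needed[f.package] = fix
    return needed


def blocking_ids(findings, min_severity="CRITICAL"):
    """Distinct IDs at or above the gate severity; one CVE hitting three packages counts once."""
    floor = SEVERITY_RANK[min_severity]
    return sorted({f.vuln_id for f in findings if SEVERITY_RANK[f.severity] >= floor})


def remaining_after_upgrade(findings, new_versions):
    """Findings still open once packages are at `new_versions` (package -> version);
    packages not listed keep their scanned version."""
    return [f for f in findings
            if is_vulnerable(new_versions.get(f.package, f.installed), f.fixed)]


if __name__ == "__main__":
    findings = parse_table(SCAN_TABLE)
    print("gate on CRITICAL:", blocking_ids(findings))
    print("minimum versions:", required_versions(findings))
    # Assumed post-bump versions, chosen for illustration (not from any real Alpine release).
    after = {"busybox": "1.36.1-r15", "busybox-binsh": "1.36.1-r15", "libwbclient": "4.18.8-r0"}
    for f in remaining_after_upgrade(findings, after):
        print("still open:", f.vuln_id, f.package, f.installed, "->", f.fixed)
```

Two things the table alone does not make obvious fall out of running this: the CRITICAL gate is two distinct advisories, not four rows, and a bump of the OS packages alone leaves the Go module findings (x/net, grpc) open, because those are fixed in `go.mod`, not in the base image.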
@kaiwalyajoshi ya, we will.
ping @jdolitsky, could we cut the new version with these security patches?
:wave: @scbizu, I can start the release process and follow up with @jdolitsky for the remaining steps
@cbuto wow, feel free to ping me if you need some help 🙋
@ameusel We just released v0.16.1, just check it out.
@scbizu thanks, we have been running this for a few days now, and no more critical vulnerabilities have been detected.