search

kube-tarian / sigrun

Sign your artifacts, source code or container images using Sigstore tools, Save the Signatures you want to use, and Validate & Control the deployments to allow only the known Sources based on Signatures, Maintainers & other payloads automatically.
https://sigrun.dev
Apache License 2.0
12 stars 3 forks source link

CVE-2018-16875 (High) detected in github.com/docker/docker-v20.10.7 #118

Closed mend-bolt-for-github[bot] closed 2 years ago

mend-bolt-for-github[bot] commented 2 years ago

CVE-2018-16875 - High Severity Vulnerability

Vulnerable Library - github.com/docker/docker-v20.10.7

Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

Dependency Hierarchy: - github.com/google/go-containerregistry-v0.6.0 (Root Library) - github.com/docker/cli-v20.10.7 - :x: **github.com/docker/docker-v20.10.7** (Vulnerable Library)

Found in HEAD commit: df1f7d3f67826e841793324e4796be4fbd91c00f

Found in base branch: main

Vulnerability Details

The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.

Publish Date: 2018-12-14

URL: CVE-2018-16875

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-16875

Release Date: 2018-12-14

Fix Resolution: 1.10.6,1.11.3

Step up your Open Source Security Game with Mend here

github-actions[bot] commented 2 years ago

Stale issue message