search

kubernetes / git-sync

A sidecar app which clones a git repo and keeps it in sync with the upstream.
Apache License 2.0
2.24k stars 413 forks source link

version 3.2.2 of the image contains a lot of vulnarabilities #335

Closed KYannick closed 3 years ago

KYannick commented 3 years ago

Scanning the latest image with trivy reveals lots of vulnarabilities in the latest image. 

trivy image k8s.gcr.io/git-sync/git-sync:v3.2.2
2021-02-12T09:20:39.853+0100    INFO    Detecting Debian vulnerabilities...
2021-02-12T09:20:39.881+0100    INFO    Trivy skips scanning programming language libraries because no supported file was detected

k8s.gcr.io/git-sync/git-sync:v3.2.2 (debian 10.7)
=================================================
Total: 163 (UNKNOWN: 0, LOW: 105, MEDIUM: 12, HIGH: 45, CRITICAL: 1)

+-------------------+---------------------+----------+-----------------------+-----------------------+--------------------------------------------------------------+
|      LIBRARY      |  VULNERABILITY ID   | SEVERITY |   INSTALLED VERSION   |     FIXED VERSION     |                            TITLE                             |
+-------------------+---------------------+----------+-----------------------+-----------------------+--------------------------------------------------------------+
| apt               | CVE-2020-27350      | MEDIUM   | 1.8.2                 | 1.8.2.2               | APT had several integer                                      |
|                   |                     |          |                       |                       | overflows and underflows while                               |
|                   |                     |          |                       |                       | parsing .deb packages, aka...                                |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-27350                        |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2020-3810       |          |                       | 1.8.2.1               | Missing input validation in                                  |
|                   |                     |          |                       |                       | the ar/tar implementations of                                |
|                   |                     |          |                       |                       | APT before version 2.1.2...                                  |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-3810                         |
+                   +---------------------+----------+                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2011-3374       | LOW      |                       |                       | It was found that apt-key in apt,                            |
|                   |                     |          |                       |                       | all versions, do not correctly...                            |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2011-3374                         |
+-------------------+---------------------+          +-----------------------+-----------------------+--------------------------------------------------------------+
| coreutils         | CVE-2016-2781       |          | 8.30-3                |                       | coreutils: Non-privileged                                    |
|                   |                     |          |                       |                       | session can escape to the                                    |
|                   |                     |          |                       |                       | parent session in chroot                                     |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2016-2781                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2017-18018      |          |                       |                       | coreutils: race condition                                    |
|                   |                     |          |                       |                       | vulnerability in chown and chgrp                             |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2017-18018                        |
+-------------------+---------------------+----------+-----------------------+-----------------------+--------------------------------------------------------------+
| gcc-8-base        | CVE-2018-12886      | HIGH     | 8.3.0-6               |                       | gcc: spilling of stack                                       |
|                   |                     |          |                       |                       | protection address in cfgexpand.c                            |
|                   |                     |          |                       |                       | and function.c leads to...                                   |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2018-12886                        |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2019-15847      |          |                       |                       | gcc: POWER9 "DARN" RNG intrinsic                             |
|                   |                     |          |                       |                       | produces repeated output                                     |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-15847                        |
+-------------------+---------------------+----------+-----------------------+-----------------------+--------------------------------------------------------------+
| git               | CVE-2018-1000021    | LOW      | 1:2.20.1-2+deb10u3    |                       | git: client prints server-sent                               |
|                   |                     |          |                       |                       | ANSI escape codes to the                                     |
|                   |                     |          |                       |                       | terminal, allowing for...                                    |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2018-1000021                      |
+-------------------+                     +          +                       +-----------------------+                                                              +
| git-man           |                     |          |                       |                       |                                                              |
|                   |                     |          |                       |                       |                                                              |
|                   |                     |          |                       |                       |                                                              |
|                   |                     |          |                       |                       |                                                              |
+-------------------+---------------------+          +-----------------------+-----------------------+--------------------------------------------------------------+
| gpgv              | CVE-2019-14855      |          | 2.2.12-1+deb10u1      |                       | gnupg2: OpenPGP Key Certification                            |
|                   |                     |          |                       |                       | Forgeries with SHA-1                                         |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-14855                        |
+-------------------+---------------------+          +-----------------------+-----------------------+--------------------------------------------------------------+
| krb5-locales      | CVE-2004-0971       |          | 1.17-3+deb10u1        |                       | security flaw                                                |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2004-0971                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2018-5709       |          |                       |                       | krb5: integer overflow                                       |
|                   |                     |          |                       |                       | in dbentry->n_key_data                                       |
|                   |                     |          |                       |                       | in kadmin/dbutil/dump.c                                      |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2018-5709                         |
+-------------------+---------------------+----------+-----------------------+-----------------------+--------------------------------------------------------------+
| libapt-pkg5.0     | CVE-2020-27350      | MEDIUM   | 1.8.2                 | 1.8.2.2               | APT had several integer                                      |
|                   |                     |          |                       |                       | overflows and underflows while                               |
|                   |                     |          |                       |                       | parsing .deb packages, aka...                                |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-27350                        |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2020-3810       |          |                       | 1.8.2.1               | Missing input validation in                                  |
|                   |                     |          |                       |                       | the ar/tar implementations of                                |
|                   |                     |          |                       |                       | APT before version 2.1.2...                                  |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-3810                         |
+                   +---------------------+----------+                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2011-3374       | LOW      |                       |                       | It was found that apt-key in apt,                            |
|                   |                     |          |                       |                       | all versions, do not correctly...                            |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2011-3374                         |
+-------------------+---------------------+----------+-----------------------+-----------------------+--------------------------------------------------------------+
| libbsd0           | CVE-2019-20367      | CRITICAL | 0.9.1-2               |                       | nlist.c in libbsd before                                     |
|                   |                     |          |                       |                       | 0.10.0 has an out-of-bounds                                  |
|                   |                     |          |                       |                       | read during a comparison...                                  |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-20367                        |
+-------------------+---------------------+----------+-----------------------+-----------------------+--------------------------------------------------------------+
| libc-bin          | CVE-2020-1751       | HIGH     | 2.28-10               |                       | glibc: array overflow in                                     |
|                   |                     |          |                       |                       | backtrace functions for powerpc                              |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-1751                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2020-1752       |          |                       |                       | glibc: use-after-free in glob()                              |
|                   |                     |          |                       |                       | function when expanding ~user                                |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-1752                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2021-3326       |          |                       |                       | glibc: Assertion failure in                                  |
|                   |                     |          |                       |                       | ISO-2022-JP-3 gconv module                                   |
|                   |                     |          |                       |                       | related to combining characters                              |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2021-3326                         |
+                   +---------------------+----------+                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2019-25013      | MEDIUM   |                       |                       | glibc: buffer over-read in                                   |
|                   |                     |          |                       |                       | iconv when processing invalid                                |
|                   |                     |          |                       |                       | multi-byte input sequences in...                             |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-25013                        |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2020-10029      |          |                       |                       | glibc: stack corruption                                      |
|                   |                     |          |                       |                       | from crafted input in cosl,                                  |
|                   |                     |          |                       |                       | sinl, sincosl, and tanl...                                   |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-10029                        |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2020-27618      |          |                       |                       | glibc: iconv when processing                                 |
|                   |                     |          |                       |                       | invalid multi-byte input                                     |
|                   |                     |          |                       |                       | sequences fails to advance the...                            |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-27618                        |
+                   +---------------------+----------+                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2010-4051       | LOW      |                       |                       | CVE-2010-4052 glibc: De-recursivise                          |
|                   |                     |          |                       |                       | regular expression engine                                    |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2010-4051                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2010-4052       |          |                       |                       | CVE-2010-4051 CVE-2010-4052                                  |
|                   |                     |          |                       |                       | glibc: De-recursivise                                        |
|                   |                     |          |                       |                       | regular expression engine                                    |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2010-4052                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2010-4756       |          |                       |                       | glibc: glob implementation                                   |
|                   |                     |          |                       |                       | can cause excessive CPU and                                  |
|                   |                     |          |                       |                       | memory consumption due to...                                 |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2010-4756                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2016-10228      |          |                       |                       | glibc: iconv program can hang                                |
|                   |                     |          |                       |                       | when invoked with the -c option                              |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2016-10228                        |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2018-20796      |          |                       |                       | glibc: uncontrolled recursion in                             |
|                   |                     |          |                       |                       | function check_dst_limits_calc_pos_1                         |
|                   |                     |          |                       |                       | in posix/regexec.c                                           |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2018-20796                        |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2019-1010022    |          |                       |                       | glibc: stack guard protection bypass                         |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-1010022                      |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2019-1010023    |          |                       |                       | glibc: running ldd on malicious ELF                          |
|                   |                     |          |                       |                       | leads to code execution because of...                        |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-1010023                      |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2019-1010024    |          |                       |                       | glibc: ASLR bypass using                                     |
|                   |                     |          |                       |                       | cache of thread stack and heap                               |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-1010024                      |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2019-1010025    |          |                       |                       | glibc: information disclosure of heap                        |
|                   |                     |          |                       |                       | addresses of pthread_created thread                          |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-1010025                      |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2019-19126      |          |                       |                       | glibc: LD_PREFER_MAP_32BIT_EXEC                              |
|                   |                     |          |                       |                       | not ignored in setuid binaries                               |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-19126                        |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2019-9192       |          |                       |                       | glibc: uncontrolled recursion in                             |
|                   |                     |          |                       |                       | function check_dst_limits_calc_pos_1                         |
|                   |                     |          |                       |                       | in posix/regexec.c                                           |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-9192                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2020-6096       |          |                       |                       | glibc: signed comparison                                     |
|                   |                     |          |                       |                       | vulnerability in the                                         |
|                   |                     |          |                       |                       | ARMv7 memcpy function                                        |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-6096                         |
+-------------------+---------------------+----------+                       +-----------------------+--------------------------------------------------------------+
| libc6             | CVE-2020-1751       | HIGH     |                       |                       | glibc: array overflow in                                     |
|                   |                     |          |                       |                       | backtrace functions for powerpc                              |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-1751                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2020-1752       |          |                       |                       | glibc: use-after-free in glob()                              |
|                   |                     |          |                       |                       | function when expanding ~user                                |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-1752                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2021-3326       |          |                       |                       | glibc: Assertion failure in                                  |
|                   |                     |          |                       |                       | ISO-2022-JP-3 gconv module                                   |
|                   |                     |          |                       |                       | related to combining characters                              |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2021-3326                         |
+                   +---------------------+----------+                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2019-25013      | MEDIUM   |                       |                       | glibc: buffer over-read in                                   |
|                   |                     |          |                       |                       | iconv when processing invalid                                |
|                   |                     |          |                       |                       | multi-byte input sequences in...                             |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-25013                        |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2020-10029      |          |                       |                       | glibc: stack corruption                                      |
|                   |                     |          |                       |                       | from crafted input in cosl,                                  |
|                   |                     |          |                       |                       | sinl, sincosl, and tanl...                                   |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-10029                        |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2020-27618      |          |                       |                       | glibc: iconv when processing                                 |
|                   |                     |          |                       |                       | invalid multi-byte input                                     |
|                   |                     |          |                       |                       | sequences fails to advance the...                            |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-27618                        |
+                   +---------------------+----------+                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2010-4051       | LOW      |                       |                       | CVE-2010-4052 glibc: De-recursivise                          |
|                   |                     |          |                       |                       | regular expression engine                                    |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2010-4051                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2010-4052       |          |                       |                       | CVE-2010-4051 CVE-2010-4052                                  |
|                   |                     |          |                       |                       | glibc: De-recursivise                                        |
|                   |                     |          |                       |                       | regular expression engine                                    |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2010-4052                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2010-4756       |          |                       |                       | glibc: glob implementation                                   |
|                   |                     |          |                       |                       | can cause excessive CPU and                                  |
|                   |                     |          |                       |                       | memory consumption due to...                                 |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2010-4756                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2016-10228      |          |                       |                       | glibc: iconv program can hang                                |
|                   |                     |          |                       |                       | when invoked with the -c option                              |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2016-10228                        |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2018-20796      |          |                       |                       | glibc: uncontrolled recursion in                             |
|                   |                     |          |                       |                       | function check_dst_limits_calc_pos_1                         |
|                   |                     |          |                       |                       | in posix/regexec.c                                           |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2018-20796                        |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2019-1010022    |          |                       |                       | glibc: stack guard protection bypass                         |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-1010022                      |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2019-1010023    |          |                       |                       | glibc: running ldd on malicious ELF                          |
|                   |                     |          |                       |                       | leads to code execution because of...                        |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-1010023                      |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2019-1010024    |          |                       |                       | glibc: ASLR bypass using                                     |
|                   |                     |          |                       |                       | cache of thread stack and heap                               |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-1010024                      |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2019-1010025    |          |                       |                       | glibc: information disclosure of heap                        |
|                   |                     |          |                       |                       | addresses of pthread_created thread                          |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-1010025                      |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2019-19126      |          |                       |                       | glibc: LD_PREFER_MAP_32BIT_EXEC                              |
|                   |                     |          |                       |                       | not ignored in setuid binaries                               |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-19126                        |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2019-9192       |          |                       |                       | glibc: uncontrolled recursion in                             |
|                   |                     |          |                       |                       | function check_dst_limits_calc_pos_1                         |
|                   |                     |          |                       |                       | in posix/regexec.c                                           |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-9192                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2020-6096       |          |                       |                       | glibc: signed comparison                                     |
|                   |                     |          |                       |                       | vulnerability in the                                         |
|                   |                     |          |                       |                       | ARMv7 memcpy function                                        |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-6096                         |
+-------------------+---------------------+----------+-----------------------+-----------------------+--------------------------------------------------------------+
| libcurl3-gnutls   | CVE-2020-8169       | HIGH     | 7.64.0-4+deb10u1      |                       | libcurl: partial password                                    |
|                   |                     |          |                       |                       | leak over DNS on HTTP redirect                               |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-8169                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2020-8177       |          |                       |                       | curl: Incorrect argument                                     |
|                   |                     |          |                       |                       | check can allow remote servers                               |
|                   |                     |          |                       |                       | to overwrite local files...                                  |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-8177                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2020-8231       |          |                       |                       | curl: Expired pointer                                        |
|                   |                     |          |                       |                       | dereference via multi API with                               |
|                   |                     |          |                       |                       | `CURLOPT_CONNECT_ONLY` option set                            |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-8231                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2020-8285       |          |                       |                       | curl: malicious FTP server can                               |
|                   |                     |          |                       |                       | trigger stack overflow when                                  |
|                   |                     |          |                       |                       | CURLOPT_CHUNK_BGN_FUNCTION                                   |
|                   |                     |          |                       |                       | is used...                                                   |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-8285                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2020-8286       |          |                       |                       | curl: inferior OCSP verification                             |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-8286                         |
+                   +---------------------+----------+                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2020-8284       | LOW      |                       |                       | curl: dangerous nature                                       |
|                   |                     |          |                       |                       | of PASV command could                                        |
|                   |                     |          |                       |                       | be used to make curl...                                      |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-8284                         |
+-------------------+---------------------+          +-----------------------+-----------------------+--------------------------------------------------------------+
| libexpat1         | CVE-2013-0340       |          | 2.2.6-2+deb10u1       |                       | expat: internal entity expansion                             |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2013-0340                         |
+-------------------+---------------------+----------+-----------------------+-----------------------+--------------------------------------------------------------+
| libgcc1           | CVE-2018-12886      | HIGH     | 8.3.0-6               |                       | gcc: spilling of stack                                       |
|                   |                     |          |                       |                       | protection address in cfgexpand.c                            |
|                   |                     |          |                       |                       | and function.c leads to...                                   |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2018-12886                        |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2019-15847      |          |                       |                       | gcc: POWER9 "DARN" RNG intrinsic                             |
|                   |                     |          |                       |                       | produces repeated output                                     |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-15847                        |
+-------------------+---------------------+----------+-----------------------+-----------------------+--------------------------------------------------------------+
| libgcrypt20       | CVE-2019-13627      | MEDIUM   | 1.8.4-5               |                       | libgcrypt: ECDSA timing attack                               |
|                   |                     |          |                       |                       | allowing private key leak                                    |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-13627                        |
+                   +---------------------+----------+                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2018-6829       | LOW      |                       |                       | libgcrypt: ElGamal implementation                            |
|                   |                     |          |                       |                       | doesn't have semantic security due                           |
|                   |                     |          |                       |                       | to incorrectly encoded plaintexts...                         |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2018-6829                         |
+-------------------+---------------------+----------+-----------------------+-----------------------+--------------------------------------------------------------+
| libgnutls30       | CVE-2020-24659      | HIGH     | 3.6.7-4+deb10u5       |                       | gnutls: Heap buffer                                          |
|                   |                     |          |                       |                       | overflow in handshake with                                   |
|                   |                     |          |                       |                       | no_renegotiation alert sent                                  |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-24659                        |
+                   +---------------------+----------+                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2011-3389       | LOW      |                       |                       | HTTPS: block-wise chosen-plaintext                           |
|                   |                     |          |                       |                       | attack against SSL/TLS (BEAST)                               |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2011-3389                         |
+-------------------+---------------------+          +-----------------------+-----------------------+--------------------------------------------------------------+
| libgssapi-krb5-2  | CVE-2004-0971       |          | 1.17-3+deb10u1        |                       | security flaw                                                |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2004-0971                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2018-5709       |          |                       |                       | krb5: integer overflow                                       |
|                   |                     |          |                       |                       | in dbentry->n_key_data                                       |
|                   |                     |          |                       |                       | in kadmin/dbutil/dump.c                                      |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2018-5709                         |
+-------------------+---------------------+----------+-----------------------+-----------------------+--------------------------------------------------------------+
| libidn2-0         | CVE-2019-12290      | HIGH     | 2.0.5-1+deb10u1       |                       | GNU libidn2 before 2.2.0                                     |
|                   |                     |          |                       |                       | fails to perform the roundtrip                               |
|                   |                     |          |                       |                       | checks specified in...                                       |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-12290                        |
+-------------------+---------------------+----------+-----------------------+-----------------------+--------------------------------------------------------------+
| libk5crypto3      | CVE-2004-0971       | LOW      | 1.17-3+deb10u1        |                       | security flaw                                                |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2004-0971                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2018-5709       |          |                       |                       | krb5: integer overflow                                       |
|                   |                     |          |                       |                       | in dbentry->n_key_data                                       |
|                   |                     |          |                       |                       | in kadmin/dbutil/dump.c                                      |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2018-5709                         |
+-------------------+---------------------+          +                       +-----------------------+--------------------------------------------------------------+
| libkrb5-3         | CVE-2004-0971       |          |                       |                       | security flaw                                                |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2004-0971                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2018-5709       |          |                       |                       | krb5: integer overflow                                       |
|                   |                     |          |                       |                       | in dbentry->n_key_data                                       |
|                   |                     |          |                       |                       | in kadmin/dbutil/dump.c                                      |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2018-5709                         |
+-------------------+---------------------+          +                       +-----------------------+--------------------------------------------------------------+
| libkrb5support0   | CVE-2004-0971       |          |                       |                       | security flaw                                                |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2004-0971                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2018-5709       |          |                       |                       | krb5: integer overflow                                       |
|                   |                     |          |                       |                       | in dbentry->n_key_data                                       |
|                   |                     |          |                       |                       | in kadmin/dbutil/dump.c                                      |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2018-5709                         |
+-------------------+---------------------+----------+-----------------------+-----------------------+--------------------------------------------------------------+
| libldap-2.4-2     | CVE-2020-36221      | HIGH     | 2.4.47+dfsg-3+deb10u4 | 2.4.47+dfsg-3+deb10u5 | openldap: Integer underflow                                  |
|                   |                     |          |                       |                       | in serialNumberAndIssuerCheck                                |
|                   |                     |          |                       |                       | in schema_init.c                                             |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36221                        |
+                   +---------------------+          +                       +                       +--------------------------------------------------------------+
|                   | CVE-2020-36222      |          |                       |                       | openldap: Assertion failure in                               |
|                   |                     |          |                       |                       | slapd in the saslAuthzTo validation                          |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36222                        |
+                   +---------------------+          +                       +                       +--------------------------------------------------------------+
|                   | CVE-2020-36223      |          |                       |                       | openldap: Out-of-bounds                                      |
|                   |                     |          |                       |                       | read in Values Return Filter                                 |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36223                        |
+                   +---------------------+          +                       +                       +--------------------------------------------------------------+
|                   | CVE-2020-36224      |          |                       |                       | openldap: Invalid pointer free                               |
|                   |                     |          |                       |                       | in the saslAuthzTo processing                                |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36224                        |
+                   +---------------------+          +                       +                       +--------------------------------------------------------------+
|                   | CVE-2020-36225      |          |                       |                       | openldap: Double free in                                     |
|                   |                     |          |                       |                       | the saslAuthzTo processing                                   |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36225                        |
+                   +---------------------+          +                       +                       +--------------------------------------------------------------+
|                   | CVE-2020-36226      |          |                       |                       | openldap: Denial of service                                  |
|                   |                     |          |                       |                       | via length miscalculation                                    |
|                   |                     |          |                       |                       | in slap_parse_user                                           |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36226                        |
+                   +---------------------+          +                       +                       +--------------------------------------------------------------+
|                   | CVE-2020-36227      |          |                       |                       | openldap: Infinite loop in slapd with                        |
|                   |                     |          |                       |                       | the cancel_extop Cancel operation                            |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36227                        |
+                   +---------------------+          +                       +                       +--------------------------------------------------------------+
|                   | CVE-2020-36228      |          |                       |                       | openldap: Integer underflow                                  |
|                   |                     |          |                       |                       | in issuerAndThisUpdateCheck                                  |
|                   |                     |          |                       |                       | in schema_init.c                                             |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36228                        |
+                   +---------------------+          +                       +                       +--------------------------------------------------------------+
|                   | CVE-2020-36229      |          |                       |                       | openldap: Type confusion                                     |
|                   |                     |          |                       |                       | in ad_keystring in ad.c                                      |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36229                        |
+                   +---------------------+          +                       +                       +--------------------------------------------------------------+
|                   | CVE-2020-36230      |          |                       |                       | openldap: Assertion failure in                               |
|                   |                     |          |                       |                       | ber_next_element in decode.c                                 |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36230                        |
+                   +---------------------+----------+                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2015-3276       | LOW      |                       |                       | openldap: incorrect multi-keyword                            |
|                   |                     |          |                       |                       | mode cipherstring parsing                                    |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2015-3276                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2017-14159      |          |                       |                       | openldap: Privilege escalation                               |
|                   |                     |          |                       |                       | via PID file manipulation                                    |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2017-14159                        |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2017-17740      |          |                       |                       | openldap:                                                    |
|                   |                     |          |                       |                       | contrib/slapd-modules/nops/nops.c                            |
|                   |                     |          |                       |                       | attempts to free stack buffer                                |
|                   |                     |          |                       |                       | allowing remote attackers to cause...                        |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2017-17740                        |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2020-15719      |          |                       |                       | openldap: Certificate                                        |
|                   |                     |          |                       |                       | validation incorrectly                                       |
|                   |                     |          |                       |                       | matches name against CN-ID                                   |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-15719                        |
+-------------------+---------------------+----------+                       +-----------------------+--------------------------------------------------------------+
| libldap-common    | CVE-2020-36221      | HIGH     |                       | 2.4.47+dfsg-3+deb10u5 | openldap: Integer underflow                                  |
|                   |                     |          |                       |                       | in serialNumberAndIssuerCheck                                |
|                   |                     |          |                       |                       | in schema_init.c                                             |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36221                        |
+                   +---------------------+          +                       +                       +--------------------------------------------------------------+
|                   | CVE-2020-36222      |          |                       |                       | openldap: Assertion failure in                               |
|                   |                     |          |                       |                       | slapd in the saslAuthzTo validation                          |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36222                        |
+                   +---------------------+          +                       +                       +--------------------------------------------------------------+
|                   | CVE-2020-36223      |          |                       |                       | openldap: Out-of-bounds                                      |
|                   |                     |          |                       |                       | read in Values Return Filter                                 |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36223                        |
+                   +---------------------+          +                       +                       +--------------------------------------------------------------+
|                   | CVE-2020-36224      |          |                       |                       | openldap: Invalid pointer free                               |
|                   |                     |          |                       |                       | in the saslAuthzTo processing                                |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36224                        |
+                   +---------------------+          +                       +                       +--------------------------------------------------------------+
|                   | CVE-2020-36225      |          |                       |                       | openldap: Double free in                                     |
|                   |                     |          |                       |                       | the saslAuthzTo processing                                   |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36225                        |
+                   +---------------------+          +                       +                       +--------------------------------------------------------------+
|                   | CVE-2020-36226      |          |                       |                       | openldap: Denial of service                                  |
|                   |                     |          |                       |                       | via length miscalculation                                    |
|                   |                     |          |                       |                       | in slap_parse_user                                           |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36226                        |
+                   +---------------------+          +                       +                       +--------------------------------------------------------------+
|                   | CVE-2020-36227      |          |                       |                       | openldap: Infinite loop in slapd with                        |
|                   |                     |          |                       |                       | the cancel_extop Cancel operation                            |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36227                        |
+                   +---------------------+          +                       +                       +--------------------------------------------------------------+
|                   | CVE-2020-36228      |          |                       |                       | openldap: Integer underflow                                  |
|                   |                     |          |                       |                       | in issuerAndThisUpdateCheck                                  |
|                   |                     |          |                       |                       | in schema_init.c                                             |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36228                        |
+                   +---------------------+          +                       +                       +--------------------------------------------------------------+
|                   | CVE-2020-36229      |          |                       |                       | openldap: Type confusion                                     |
|                   |                     |          |                       |                       | in ad_keystring in ad.c                                      |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36229                        |
+                   +---------------------+          +                       +                       +--------------------------------------------------------------+
|                   | CVE-2020-36230      |          |                       |                       | openldap: Assertion failure in                               |
|                   |                     |          |                       |                       | ber_next_element in decode.c                                 |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36230                        |
+                   +---------------------+----------+                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2015-3276       | LOW      |                       |                       | openldap: incorrect multi-keyword                            |
|                   |                     |          |                       |                       | mode cipherstring parsing                                    |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2015-3276                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2017-14159      |          |                       |                       | openldap: Privilege escalation                               |
|                   |                     |          |                       |                       | via PID file manipulation                                    |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2017-14159                        |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2017-17740      |          |                       |                       | openldap:                                                    |
|                   |                     |          |                       |                       | contrib/slapd-modules/nops/nops.c                            |
|                   |                     |          |                       |                       | attempts to free stack buffer                                |
|                   |                     |          |                       |                       | allowing remote attackers to cause...                        |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2017-17740                        |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2020-15719      |          |                       |                       | openldap: Certificate                                        |
|                   |                     |          |                       |                       | validation incorrectly                                       |
|                   |                     |          |                       |                       | matches name against CN-ID                                   |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-15719                        |
+-------------------+---------------------+          +-----------------------+-----------------------+--------------------------------------------------------------+
| liblz4-1          | CVE-2019-17543      |          | 1.8.3-1               |                       | lz4: heap-based buffer                                       |
|                   |                     |          |                       |                       | overflow in LZ4_write32                                      |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-17543                        |
+-------------------+---------------------+          +-----------------------+-----------------------+--------------------------------------------------------------+
| libnghttp2-14     | TEMP-0000000-A4EF31 |          | 1.36.0-2+deb10u1      |                       | -->security-tracker.debian.org/tracker/TEMP-0000000-A4EF31   |
+-------------------+---------------------+----------+-----------------------+-----------------------+--------------------------------------------------------------+
| libpcre2-8-0      | CVE-2019-20454      | HIGH     | 10.32-5               |                       | pcre: Out of bounds read in                                  |
|                   |                     |          |                       |                       | JIT mode when \X is used...                                  |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-20454                        |
+-------------------+---------------------+----------+-----------------------+-----------------------+--------------------------------------------------------------+
| libpcre3          | CVE-2020-14155      | MEDIUM   | 2:8.39-12             |                       | pcre: integer overflow in libpcre                            |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-14155                        |
+                   +---------------------+----------+                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2017-11164      | LOW      |                       |                       | pcre: OP_KETRMAX feature in the                              |
|                   |                     |          |                       |                       | match function in pcre_exec.c                                |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2017-11164                        |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2017-16231      |          |                       |                       | pcre: self-recursive call                                    |
|                   |                     |          |                       |                       | in match() in pcre_exec.c                                    |
|                   |                     |          |                       |                       | leads to denial of service...                                |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2017-16231                        |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2017-7245       |          |                       |                       | pcre: stack-based buffer overflow                            |
|                   |                     |          |                       |                       | write in pcre32_copy_substring                               |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2017-7245                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2017-7246       |          |                       |                       | pcre: stack-based buffer overflow                            |
|                   |                     |          |                       |                       | write in pcre32_copy_substring                               |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2017-7246                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2019-20838      |          |                       |                       | pcre: buffer over-read in                                    |
|                   |                     |          |                       |                       | JIT when UTF is disabled                                     |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-20838                        |
+-------------------+---------------------+          +-----------------------+-----------------------+--------------------------------------------------------------+
| libperl5.28       | CVE-2011-4116       |          | 5.28.1-6+deb10u1      |                       | perl: File::Temp insecure                                    |
|                   |                     |          |                       |                       | temporary file handling                                      |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2011-4116                         |
+-------------------+---------------------+          +-----------------------+-----------------------+--------------------------------------------------------------+
| libseccomp2       | CVE-2019-9893       |          | 2.3.3-4               |                       | libseccomp: incorrect generation                             |
|                   |                     |          |                       |                       | of syscall filters in libseccomp                             |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-9893                         |
+-------------------+---------------------+----------+-----------------------+-----------------------+--------------------------------------------------------------+
| libssh2-1         | CVE-2019-13115      | HIGH     | 1.8.0-2.1             |                       | libssh2: integer overflow in                                 |
|                   |                     |          |                       |                       | kex_method_diffie_hellman_group_exchange_sha256_key_exchange |
|                   |                     |          |                       |                       | in kex.c leads to out-of-bounds write                        |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-13115                        |
+                   +---------------------+----------+                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2019-17498      | LOW      |                       |                       | libssh2: integer overflow in                                 |
|                   |                     |          |                       |                       | SSH_MSG_DISCONNECT logic in packet.c                         |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-17498                        |
+-------------------+---------------------+          +-----------------------+-----------------------+--------------------------------------------------------------+
| libssl1.1         | CVE-2007-6755       |          | 1.1.1d-0+deb10u4      |                       | Dual_EC_DRBG: weak pseudo                                    |
|                   |                     |          |                       |                       | random number generator                                      |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2007-6755                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2010-0928       |          |                       |                       | openssl: RSA authentication weakness                         |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2010-0928                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2019-1551       |          |                       |                       | openssl: Integer overflow in RSAZ                            |
|                   |                     |          |                       |                       | modular exponentiation on x86_64                             |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-1551                         |
+-------------------+---------------------+----------+-----------------------+-----------------------+--------------------------------------------------------------+
| libstdc++6        | CVE-2018-12886      | HIGH     | 8.3.0-6               |                       | gcc: spilling of stack                                       |
|                   |                     |          |                       |                       | protection address in cfgexpand.c                            |
|                   |                     |          |                       |                       | and function.c leads to...                                   |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2018-12886                        |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2019-15847      |          |                       |                       | gcc: POWER9 "DARN" RNG intrinsic                             |
|                   |                     |          |                       |                       | produces repeated output                                     |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-15847                        |
+-------------------+---------------------+          +-----------------------+-----------------------+--------------------------------------------------------------+
| libsystemd0       | CVE-2019-3843       |          | 241-7~deb10u5         |                       | systemd: services with DynamicUser                           |
|                   |                     |          |                       |                       | can create SUID/SGID binaries                                |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-3843                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2019-3844       |          |                       |                       | systemd: services with DynamicUser                           |
|                   |                     |          |                       |                       | can get new privileges and                                   |
|                   |                     |          |                       |                       | create SGID binaries...                                      |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-3844                         |
+                   +---------------------+----------+                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2013-4392       | LOW      |                       |                       | systemd: TOCTOU race condition                               |
|                   |                     |          |                       |                       | when updating file permissions                               |
|                   |                     |          |                       |                       | and SELinux security contexts...                             |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2013-4392                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2019-20386      |          |                       |                       | systemd: memory leak in button_open()                        |
|                   |                     |          |                       |                       | in login/logind-button.c when                                |
|                   |                     |          |                       |                       | udev events are received...                                  |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-20386                        |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2020-13776      |          |                       |                       | systemd: mishandles numerical                                |
|                   |                     |          |                       |                       | usernames beginning with decimal                             |
|                   |                     |          |                       |                       | digits or 0x followed by...                                  |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-13776                        |
+-------------------+---------------------+          +-----------------------+-----------------------+--------------------------------------------------------------+
| libtasn1-6        | CVE-2018-1000654    |          | 4.13-3                |                       | libtasn1: Infinite loop in                                   |
|                   |                     |          |                       |                       | _asn1_expand_object_id(ptree)                                |
|                   |                     |          |                       |                       | leads to memory exhaustion                                   |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2018-1000654                      |
+-------------------+---------------------+----------+-----------------------+-----------------------+--------------------------------------------------------------+
| libudev1          | CVE-2019-3843       | HIGH     | 241-7~deb10u5         |                       | systemd: services with DynamicUser                           |
|                   |                     |          |                       |                       | can create SUID/SGID binaries                                |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-3843                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2019-3844       |          |                       |                       | systemd: services with DynamicUser                           |
|                   |                     |          |                       |                       | can get new privileges and                                   |
|                   |                     |          |                       |                       | create SGID binaries...                                      |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-3844                         |
+                   +---------------------+----------+                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2013-4392       | LOW      |                       |                       | systemd: TOCTOU race condition                               |
|                   |                     |          |                       |                       | when updating file permissions                               |
|                   |                     |          |                       |                       | and SELinux security contexts...                             |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2013-4392                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2019-20386      |          |                       |                       | systemd: memory leak in button_open()                        |
|                   |                     |          |                       |                       | in login/logind-button.c when                                |
|                   |                     |          |                       |                       | udev events are received...                                  |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-20386                        |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2020-13776      |          |                       |                       | systemd: mishandles numerical                                |
|                   |                     |          |                       |                       | usernames beginning with decimal                             |
|                   |                     |          |                       |                       | digits or 0x followed by...                                  |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-13776                        |
+-------------------+---------------------+          +-----------------------+-----------------------+--------------------------------------------------------------+
| login             | CVE-2007-5686       |          | 1:4.5-1.1             |                       | initscripts in rPath Linux 1                                 |
|                   |                     |          |                       |                       | sets insecure permissions for                                |
|                   |                     |          |                       |                       | the /var/log/btmp file,...                                   |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2007-5686                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2013-4235       |          |                       |                       | shadow-utils: TOCTOU race                                    |
|                   |                     |          |                       |                       | conditions by copying and                                    |
|                   |                     |          |                       |                       | removing directory trees                                     |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2013-4235                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2018-7169       |          |                       |                       | shadow-utils: newgidmap                                      |
|                   |                     |          |                       |                       | allows unprivileged user to                                  |
|                   |                     |          |                       |                       | drop supplementary groups                                    |
|                   |                     |          |                       |                       | potentially allowing privilege...                            |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2018-7169                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2019-19882      |          |                       |                       | shadow-utils: local users can                                |
|                   |                     |          |                       |                       | obtain root access because setuid                            |
|                   |                     |          |                       |                       | programs are misconfigured...                                |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-19882                        |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | TEMP-0628843-DBAD28 |          |                       |                       | -->security-tracker.debian.org/tracker/TEMP-0628843-DBAD28   |
+-------------------+---------------------+          +-----------------------+-----------------------+--------------------------------------------------------------+
| openssh-client    | CVE-2007-2243       |          | 1:7.9p1-10+deb10u2    |                       | OpenSSH 4.6 and earlier, when                                |
|                   |                     |          |                       |                       | ChallengeResponseAuthentication                              |
|                   |                     |          |                       |                       | is enabled, allows                                           |
|                   |                     |          |                       |                       | remote attackers to...                                       |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2007-2243                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2007-2768       |          |                       |                       | OpenSSH, when using OPIE                                     |
|                   |                     |          |                       |                       | (One-Time Passwords in Everything)                           |
|                   |                     |          |                       |                       | for PAM, allows remote...                                    |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2007-2768                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2008-3234       |          |                       |                       | sshd in OpenSSH 4 on Debian                                  |
|                   |                     |          |                       |                       | GNU/Linux, and the 20070303                                  |
|                   |                     |          |                       |                       | OpenSSH snapshot,...                                         |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2008-3234                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2018-15919      |          |                       |                       | openssh: User enumeration                                    |
|                   |                     |          |                       |                       | via malformed packets in                                     |
|                   |                     |          |                       |                       | authentication requests                                      |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2018-15919                        |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2019-16905      |          |                       |                       | openssh: an integer overflow in the                          |
|                   |                     |          |                       |                       | private key parsing code for the...                          |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-16905                        |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2019-6110       |          |                       |                       | openssh: Acceptance and                                      |
|                   |                     |          |                       |                       | display of arbitrary stderr                                  |
|                   |                     |          |                       |                       | allows for spoofing of scp...                                |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-6110                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2020-12062      |          |                       |                       | openssh: scp can send                                        |
|                   |                     |          |                       |                       | duplicate responses to the                                   |
|                   |                     |          |                       |                       | server upon a utimes...                                      |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-12062                        |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2020-14145      |          |                       |                       | openssh: Observable Discrepancy                              |
|                   |                     |          |                       |                       | leading to an information leak                               |
|                   |                     |          |                       |                       | in the algorithm negotiation...                              |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-14145                        |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2020-15778      |          |                       |                       | openssh: scp allows command                                  |
|                   |                     |          |                       |                       | injection when using backtick                                |
|                   |                     |          |                       |                       | characters in the destination...                             |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-15778                        |
+-------------------+---------------------+          +-----------------------+-----------------------+--------------------------------------------------------------+
| openssl           | CVE-2007-6755       |          | 1.1.1d-0+deb10u4      |                       | Dual_EC_DRBG: weak pseudo                                    |
|                   |                     |          |                       |                       | random number generator                                      |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2007-6755                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2010-0928       |          |                       |                       | openssl: RSA authentication weakness                         |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2010-0928                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2019-1551       |          |                       |                       | openssl: Integer overflow in RSAZ                            |
|                   |                     |          |                       |                       | modular exponentiation on x86_64                             |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-1551                         |
+-------------------+---------------------+          +-----------------------+-----------------------+--------------------------------------------------------------+
| passwd            | CVE-2007-5686       |          | 1:4.5-1.1             |                       | initscripts in rPath Linux 1                                 |
|                   |                     |          |                       |                       | sets insecure permissions for                                |
|                   |                     |          |                       |                       | the /var/log/btmp file,...                                   |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2007-5686                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2013-4235       |          |                       |                       | shadow-utils: TOCTOU race                                    |
|                   |                     |          |                       |                       | conditions by copying and                                    |
|                   |                     |          |                       |                       | removing directory trees                                     |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2013-4235                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2018-7169       |          |                       |                       | shadow-utils: newgidmap                                      |
|                   |                     |          |                       |                       | allows unprivileged user to                                  |
|                   |                     |          |                       |                       | drop supplementary groups                                    |
|                   |                     |          |                       |                       | potentially allowing privilege...                            |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2018-7169                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2019-19882      |          |                       |                       | shadow-utils: local users can                                |
|                   |                     |          |                       |                       | obtain root access because setuid                            |
|                   |                     |          |                       |                       | programs are misconfigured...                                |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-19882                        |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | TEMP-0628843-DBAD28 |          |                       |                       | -->security-tracker.debian.org/tracker/TEMP-0628843-DBAD28   |
+-------------------+---------------------+          +-----------------------+-----------------------+--------------------------------------------------------------+
| patch             | CVE-2010-4651       |          | 2.7.6-3+deb10u1       |                       | patch: directory traversal flaw                              |
|                   |                     |          |                       |                       | allows for arbitrary file creation                           |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2010-4651                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2018-6951       |          |                       |                       | patch: NULL pointer dereference                              |
|                   |                     |          |                       |                       | in pch.c:intuit_diff_type()                                  |
|                   |                     |          |                       |                       | causes a crash                                               |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2018-6951                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2018-6952       |          |                       |                       | patch: Double free of memory in                              |
|                   |                     |          |                       |                       | pch.c:another_hunk() causes a crash                          |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2018-6952                         |
+-------------------+---------------------+          +-----------------------+-----------------------+--------------------------------------------------------------+
| perl              | CVE-2011-4116       |          | 5.28.1-6+deb10u1      |                       | perl: File::Temp insecure                                    |
|                   |                     |          |                       |                       | temporary file handling                                      |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2011-4116                         |
+-------------------+                     +          +                       +-----------------------+                                                              +
| perl-base         |                     |          |                       |                       |                                                              |
|                   |                     |          |                       |                       |                                                              |
|                   |                     |          |                       |                       |                                                              |
+-------------------+                     +          +                       +-----------------------+                                                              +
| perl-modules-5.28 |                     |          |                       |                       |                                                              |
|                   |                     |          |                       |                       |                                                              |
|                   |                     |          |                       |                       |                                                              |
+-------------------+---------------------+          +-----------------------+-----------------------+--------------------------------------------------------------+
| tar               | CVE-2005-2541       |          | 1.30+dfsg-6           |                       | Tar 1.15.1 does not                                          |
|                   |                     |          |                       |                       | properly warn the user when                                  |
|                   |                     |          |                       |                       | extracting setuid or...                                      |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2005-2541                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2019-9923       |          |                       |                       | tar: null-pointer dereference                                |
|                   |                     |          |                       |                       | in pax_decode_header in sparse.c                             |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2019-9923                         |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | CVE-2021-20193      |          |                       |                       | tar: Memory leak in                                          |
|                   |                     |          |                       |                       | read_header() in list.c                                      |
|                   |                     |          |                       |                       | -->avd.aquasec.com/nvd/cve-2021-20193                        |
+                   +---------------------+          +                       +-----------------------+--------------------------------------------------------------+
|                   | TEMP-0290435-0B57B5 |          |                       |                       | -->security-tracker.debian.org/tracker/TEMP-0290435-0B57B5   |
+-------------------+---------------------+----------+-----------------------+-----------------------+--------------------------------------------------------------+

A year ago a similar issue was raised for version 3.1.4 (https://github.com/kubernetes/git-sync/issues/229), then the solution was to update the base image to a newer version. At the moment the 'debian-base' image that is used again contains a lot of vulnarabilities. Why is this base image used? Could git-sync use alpine as base image, since these images contain far less vulnarabilities?

thockin commented 3 years ago

TL;DR for Debian is that most/all k8s components switched to it because it is easier to manage, has more packages available, and doesn't use busybox (Google the legal history). At some point there were not cross-platform images, but that seems better now.

I also seem to recall an issue with the git version in Alpine, but we switched a while back.

Building fresh right now still shows 143 vulnerabilities, all of them from Debian.

@tallclair has historically been quite involved in this topic. It's not one that git-sync alone can decide.

thockin commented 3 years ago

Lots of discussion with folks who know this area better than me.

Some main points:

I know that the Debian team looks at vulnerability reports and fixes them when they are real.

Ergo, I must also believe that most of the listed vulnerabilities are not particularly relevant or are actually just bogus reports from tools.

I'm not super happy with that as the state of things (noise), but I don't think there's anything to do here right now.

I will look into how to better alert on REAL vulnerabilities.

raesene commented 3 years ago

So an important piece here is the --ignore-unfixed option on Trivy. What most container scanning engines do by default is report issues that the debian/ubuntu projects have decided not to fix yet. This is in contrast to "traditional" scanning options like Nessus and Nexpose, which will , by default, not report the unfixed issues.

This leads to a very high level of reported issues in container VA. Whilst these are real CVEs, they tend to be less serious ones.

For most purposes, I generally recommend running with --ignore-unfixed by default. For this image running with that option returns the below, which is rather easier to analyze.

Looking at that the vulnerable packages are apt , libapt-pkg5.0 , libldap-2.4.2 and libldap-common . Whether any of those are exploitable, would depend primarily on whether containers based on this image do LDAP operations, or possibly if they install packages via apt that come from untrusted sources.

Some more on this topic here

k8s.gcr.io/git-sync/git-sync:v3.2.2 (debian 10.7)
=================================================
Total: 24 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 20, CRITICAL: 0)

+----------------+------------------+----------+-----------------------+-----------------------+---------------------------------------+
|    LIBRARY     | VULNERABILITY ID | SEVERITY |   INSTALLED VERSION   |     FIXED VERSION     |                 TITLE                 |
+----------------+------------------+----------+-----------------------+-----------------------+---------------------------------------+
| apt            | CVE-2020-27350   | MEDIUM   | 1.8.2                 | 1.8.2.2               | APT had several integer               |
|                |                  |          |                       |                       | overflows and underflows while        |
|                |                  |          |                       |                       | parsing .deb packages, aka...         |
|                |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-27350 |
+                +------------------+          +                       +-----------------------+---------------------------------------+
|                | CVE-2020-3810    |          |                       | 1.8.2.1               | Missing input validation in           |
|                |                  |          |                       |                       | the ar/tar implementations of         |
|                |                  |          |                       |                       | APT before version 2.1.2...           |
|                |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-3810  |
+----------------+------------------+          +                       +-----------------------+---------------------------------------+
| libapt-pkg5.0  | CVE-2020-27350   |          |                       | 1.8.2.2               | APT had several integer               |
|                |                  |          |                       |                       | overflows and underflows while        |
|                |                  |          |                       |                       | parsing .deb packages, aka...         |
|                |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-27350 |
+                +------------------+          +                       +-----------------------+---------------------------------------+
|                | CVE-2020-3810    |          |                       | 1.8.2.1               | Missing input validation in           |
|                |                  |          |                       |                       | the ar/tar implementations of         |
|                |                  |          |                       |                       | APT before version 2.1.2...           |
|                |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-3810  |
+----------------+------------------+----------+-----------------------+-----------------------+---------------------------------------+
| libldap-2.4-2  | CVE-2020-36221   | HIGH     | 2.4.47+dfsg-3+deb10u4 | 2.4.47+dfsg-3+deb10u5 | openldap: Integer underflow           |
|                |                  |          |                       |                       | in serialNumberAndIssuerCheck         |
|                |                  |          |                       |                       | in schema_init.c                      |
|                |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36221 |
+                +------------------+          +                       +                       +---------------------------------------+
|                | CVE-2020-36222   |          |                       |                       | openldap: Assertion failure in        |
|                |                  |          |                       |                       | slapd in the saslAuthzTo validation   |
|                |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36222 |
+                +------------------+          +                       +                       +---------------------------------------+
|                | CVE-2020-36223   |          |                       |                       | openldap: Out-of-bounds               |
|                |                  |          |                       |                       | read in Values Return Filter          |
|                |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36223 |
+                +------------------+          +                       +                       +---------------------------------------+
|                | CVE-2020-36224   |          |                       |                       | openldap: Invalid pointer free        |
|                |                  |          |                       |                       | in the saslAuthzTo processing         |
|                |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36224 |
+                +------------------+          +                       +                       +---------------------------------------+
|                | CVE-2020-36225   |          |                       |                       | openldap: Double free in              |
|                |                  |          |                       |                       | the saslAuthzTo processing            |
|                |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36225 |
+                +------------------+          +                       +                       +---------------------------------------+
|                | CVE-2020-36226   |          |                       |                       | openldap: Denial of service           |
|                |                  |          |                       |                       | via length miscalculation             |
|                |                  |          |                       |                       | in slap_parse_user                    |
|                |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36226 |
+                +------------------+          +                       +                       +---------------------------------------+
|                | CVE-2020-36227   |          |                       |                       | openldap: Infinite loop in slapd with |
|                |                  |          |                       |                       | the cancel_extop Cancel operation     |
|                |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36227 |
+                +------------------+          +                       +                       +---------------------------------------+
|                | CVE-2020-36228   |          |                       |                       | openldap: Integer underflow           |
|                |                  |          |                       |                       | in issuerAndThisUpdateCheck           |
|                |                  |          |                       |                       | in schema_init.c                      |
|                |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36228 |
+                +------------------+          +                       +                       +---------------------------------------+
|                | CVE-2020-36229   |          |                       |                       | openldap: Type confusion              |
|                |                  |          |                       |                       | in ad_keystring in ad.c               |
|                |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36229 |
+                +------------------+          +                       +                       +---------------------------------------+
|                | CVE-2020-36230   |          |                       |                       | openldap: Assertion failure in        |
|                |                  |          |                       |                       | ber_next_element in decode.c          |
|                |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36230 |
+----------------+------------------+          +                       +                       +---------------------------------------+
| libldap-common | CVE-2020-36221   |          |                       |                       | openldap: Integer underflow           |
|                |                  |          |                       |                       | in serialNumberAndIssuerCheck         |
|                |                  |          |                       |                       | in schema_init.c                      |
|                |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36221 |
+                +------------------+          +                       +                       +---------------------------------------+
|                | CVE-2020-36222   |          |                       |                       | openldap: Assertion failure in        |
|                |                  |          |                       |                       | slapd in the saslAuthzTo validation   |
|                |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36222 |
+                +------------------+          +                       +                       +---------------------------------------+
|                | CVE-2020-36223   |          |                       |                       | openldap: Out-of-bounds               |
|                |                  |          |                       |                       | read in Values Return Filter          |
|                |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36223 |
+                +------------------+          +                       +                       +---------------------------------------+
|                | CVE-2020-36224   |          |                       |                       | openldap: Invalid pointer free        |
|                |                  |          |                       |                       | in the saslAuthzTo processing         |
|                |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36224 |
+                +------------------+          +                       +                       +---------------------------------------+
|                | CVE-2020-36225   |          |                       |                       | openldap: Double free in              |
|                |                  |          |                       |                       | the saslAuthzTo processing            |
|                |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36225 |
+                +------------------+          +                       +                       +---------------------------------------+
|                | CVE-2020-36226   |          |                       |                       | openldap: Denial of service           |
|                |                  |          |                       |                       | via length miscalculation             |
|                |                  |          |                       |                       | in slap_parse_user                    |
|                |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36226 |
+                +------------------+          +                       +                       +---------------------------------------+
|                | CVE-2020-36227   |          |                       |                       | openldap: Infinite loop in slapd with |
|                |                  |          |                       |                       | the cancel_extop Cancel operation     |
|                |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36227 |
+                +------------------+          +                       +                       +---------------------------------------+
|                | CVE-2020-36228   |          |                       |                       | openldap: Integer underflow           |
|                |                  |          |                       |                       | in issuerAndThisUpdateCheck           |
|                |                  |          |                       |                       | in schema_init.c                      |
|                |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36228 |
+                +------------------+          +                       +                       +---------------------------------------+
|                | CVE-2020-36229   |          |                       |                       | openldap: Type confusion              |
|                |                  |          |                       |                       | in ad_keystring in ad.c               |
|                |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36229 |
+                +------------------+          +                       +                       +---------------------------------------+
|                | CVE-2020-36230   |          |                       |                       | openldap: Assertion failure in        |
|                |                  |          |                       |                       | ber_next_element in decode.c          |
|                |                  |          |                       |                       | -->avd.aquasec.com/nvd/cve-2020-36230 |
+----------------+------------------+----------+-----------------------+-----------------------+---------------------------------------+
thockin commented 3 years ago

Also, run trivy with --ignore-unfixed and it's a MUCH smaller list, none of which seem relevant.

ehashman commented 3 years ago

xref https://github.com/aquasecurity/trivy/issues/323

knqyf263 commented 3 years ago

Hi, I'm a maintainer of Trivy. I'm sorry to bother you with unfixed vulnerabilities😓 If you prefer to disable it by default, we can change the default behavior. We were actually talking about it in https://github.com/aquasecurity/trivy/issues/323 and it has been suspended. It might be a good time to discuss that again. I'd like to hear your vote.

justaugustus commented 3 years ago

@knqyf263 -- no worries! Liz is in the Kubernetes thread as well and she's already cross-linked that to the default behavior issue: https://github.com/aquasecurity/trivy/issues/323#issuecomment-778411413

knqyf263 commented 3 years ago

Thanks! As I posted in the Kubernetes Slack, unfixed vulnerabilities are detected by default since developers might be able to workaround the vulnerability by changing the configuration, updating firewall settings, or something else without updating the version. It is especially useful when the vulnerability is critical and the patch is being delayed. In that case, the organization should manage to mitigate the vulnerability until the patch is released. But showing unfixed vulnerabilities might be great only for security-sensitive organizations. Most organizations may not want to see them. We can change the default behavior to suppress unfixed vulnerabilities. Also, please feel free to ask me if you have any other questions about the result.

knqyf263 commented 3 years ago

Note: In addition to --ignore-unfixed, you can define CVE-IDs to ignore via .trivyignore and use OPA for applying Rego rules to detected vulnerabilities. You can accept the risk dynamically according to the package name, CVSS vector, CWE, etc. https://github.com/aquasecurity/trivy#filter-the-vulnerabilities-by-open-policy-agent-policy

KYannick commented 3 years ago

Thanks for all the quick responses! I will definetly look into the OPA features of trivy.

knqyf263 commented 3 years ago

You can find more details here. https://static.sched.com/hosted_files/kccnceu20/e5/2020%3A08%20KubeCon%20Europe%202020.pdf

goyalrohit850 commented 3 years ago

i create a an image from dockerfile before some days..at that time it was free from vulnerbilities but yesterday when i again scan that image it gives me 314 vulnerbilities of bebian(11.0) what is this issue please help me fast

goyalrohit850 commented 3 years ago

Note: In addition to --ignore-unfixed, you can define CVE-IDs to ignore via .trivyignore and use OPA for applying Rego rules to detected vulnerabilities. You can accept the risk dynamically according to the package name, CVSS vector, CWE, etc. https://github.com/aquasecurity/trivy#filter-the-vulnerabilities-by-open-policy-agent-policy

Is it right way to use --ignore-unfixed flag on live project

goyalrohit850 commented 3 years ago

Also, run trivy with --ignore-unfixed and it's a MUCH smaller list, none of which seem relevant. Is it right to igonre those vulnerbilities

raesene commented 3 years ago

@goyalrohit850 Whether to use --ignore-unfixed is kind of a risk decision a project/organization has to take.

In general these issues should be ones which the Debian projects has decided do not present (in the generic case) a significant vulnerability, which is why they are yet to release a fixed package.

The problem with reporting unfixed issues is that there is essentially no way to resolve them , without source compiling the affected packages with appropriate patches, which is often not something an individual organization would want to take on.

An additional strategy which can be used to mitigate this is to ensure that images have the smallest number of packages installed, to reduce the number of issues present and reported.

goyalrohit850 commented 3 years ago

@raesene thanks for your response