teerth04 / ticket


Findings for Container Security, Low, [TheRedHatter/javagoof:Dockerfile]:Improper Input Validation #1681

Open armorcodegithubpreprod[bot] opened 3 months ago

armorcodegithubpreprod[bot] commented 3 months ago

Findings for Container Security, Low, [TheRedHatter/javagoof:Dockerfile]:Improper Input Validation

Component Details

The dump_callback function in SQLite 3.20.0 allows remote attackers to cause a denial of service (EXC_BAD_ACCESS and application crash) via a crafted file.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by hex digits, as demonstrated by use of root privileges when privileges of the 0x0 user account were intended. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000082.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

It was discovered systemd does not correctly check the content of PIDFile files before using it to kill processes. When a service is run from an unprivileged user (e.g. User field set in the service file), a local attacker who is able to write to the PIDFile of the mentioned service may use this flaw to trick systemd into killing other services and/or privileged processes. Versions before v237 are vulnerable.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

The browsing feature in the server in CUPS does not filter ANSI escape sequences from shared printer names, which might allow remote attackers to execute arbitrary code via a crafted printer name.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e.g. "0day"), running the service in question with root privileges rather than the user intended.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



armorcodegithubpreprod[bot] commented 3 months ago

Finding [47833394|https://preprod.armorcode.ai/#/findings/257/1167/47833394], [47833508|https://preprod.armorcode.ai/#/findings/257/1167/47833508], [47833393|https://preprod.armorcode.ai/#/findings/257/1167/47833393], [47833399|https://preprod.armorcode.ai/#/findings/257/1167/47833399], [47833388|https://preprod.armorcode.ai/#/findings/257/1167/47833388], [47833520|https://preprod.armorcode.ai/#/findings/257/1167/47833520], [47833536|https://preprod.armorcode.ai/#/findings/257/1167/47833536], [47833538|https://preprod.armorcode.ai/#/findings/257/1167/47833538] are Mitigated by SYSTEM via ArmorCode Platform