teerth04 / ticket

Findings for Container Security, Medium, [TheRedHatter/javagoof:Dockerfile]:Out-of-bounds Read #1814

Open armorcodegithubpreprod[bot] opened 3 months ago

armorcodegithubpreprod[bot] commented 3 months ago

Findings for Container Security, Medium, [TheRedHatter/javagoof:Dockerfile]:Out-of-bounds Read

Component Details

In ippSetValueTag of ipp.c in Android 8.0, 8.1 and 9, there is a possible out of bounds read due to improper input validation. This could lead to local information disclosure from the printer service with no additional execution privileges needed. User interaction is not needed for exploitation.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL version 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

An issue was discovered in p11-kit 0.21.1 through 0.23.21. A heap-based buffer over-read has been discovered in the RPC protocol used by the p11-kit server/remote commands and the client library. When the remote entity supplies a byte array through a serialized PKCS#11 function call, the receiving entity may allow the reading of up to 4 bytes of memory past the heap allocation.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

It was discovered the fix for CVE-2018-19758 (libsndfile) was not complete and still allows a read beyond the limits of a buffer in wav_write_header() function in wav.c. A local attacker may use this flaw to make the application crash.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

In array_find of array.c, there is a possible out-of-bounds read due to an incorrect bounds check. This could lead to local information disclosure in the printer spooler with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9 Android-10. Android ID: A-111210196

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

An issue was discovered in libsndfile 1.0.28. There is a buffer over-read in the function i2ulaw_array in ulaw.c that will lead to a denial of service.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 50f06b3e.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

There is a heap-based buffer over-read at wav.c in wav_write_header in libsndfile 1.0.28 that will cause a denial of service.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability exists in the function mapping0_forward() in mapping0.c, which may lead to DoS when operating on a crafted audio file with vorbis_analysis().

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

In FLAC__bitreader_read_rice_signed_block of bitreader.c, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-11. Android ID: A-156076070

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



armorcodegithubpreprod[bot] commented 3 months ago

Finding [47833324|https://preprod.armorcode.ai/#/findings/257/1167/47833324], [47833228|https://preprod.armorcode.ai/#/findings/257/1167/47833228], [47833359|https://preprod.armorcode.ai/#/findings/257/1167/47833359], [47832977|https://preprod.armorcode.ai/#/findings/257/1167/47832977], [47833328|https://preprod.armorcode.ai/#/findings/257/1167/47833328], [47833350|https://preprod.armorcode.ai/#/findings/257/1167/47833350], [47833360|https://preprod.armorcode.ai/#/findings/257/1167/47833360], [47833363|https://preprod.armorcode.ai/#/findings/257/1167/47833363], [47833365|https://preprod.armorcode.ai/#/findings/257/1167/47833365], [47833232|https://preprod.armorcode.ai/#/findings/257/1167/47833232], [47833320|https://preprod.armorcode.ai/#/findings/257/1167/47833320], [47833367|https://preprod.armorcode.ai/#/findings/257/1167/47833367], [47833323|https://preprod.armorcode.ai/#/findings/257/1167/47833323], [47833322|https://preprod.armorcode.ai/#/findings/257/1167/47833322], [47833366|https://preprod.armorcode.ai/#/findings/257/1167/47833366] are Mitigated
by SYSTEM via ArmorCode Platform

armorcodegithubpreprod[bot] commented 3 months ago

Finding [47833367|https://preprod.armorcode.ai/#/findings/257/1167/47833367], [47833232|https://preprod.armorcode.ai/#/findings/257/1167/47833232], [47833228|https://preprod.armorcode.ai/#/findings/257/1167/47833228], [47833322|https://preprod.armorcode.ai/#/findings/257/1167/47833322], [47833328|https://preprod.armorcode.ai/#/findings/257/1167/47833328], [47833366|https://preprod.armorcode.ai/#/findings/257/1167/47833366], [47833323|https://preprod.armorcode.ai/#/findings/257/1167/47833323], [47832977|https://preprod.armorcode.ai/#/findings/257/1167/47832977], [47833360|https://preprod.armorcode.ai/#/findings/257/1167/47833360], [47833324|https://preprod.armorcode.ai/#/findings/257/1167/47833324], [47833350|https://preprod.armorcode.ai/#/findings/257/1167/47833350], [47833365|https://preprod.armorcode.ai/#/findings/257/1167/47833365], [47833320|https://preprod.armorcode.ai/#/findings/257/1167/47833320], [47833359|https://preprod.armorcode.ai/#/findings/257/1167/47833359], [47833363|https://preprod.armorcode.ai/#/findings/257/1167/47833363] status changed to Confirmed Note:
by SYSTEM via ArmorCode Platform