teerth04 / ticket

Findings for Container Security, High, [TheRedHatter/javagoof:Dockerfile]:Integer Overflow or Wraparound #1852

Open armorcodegithubpreprod[bot] opened 6 months ago

armorcodegithubpreprod[bot] commented 6 months ago

Findings for Container Security, High, [TheRedHatter/javagoof:Dockerfile]:Integer Overflow or Wraparound

Component Details

An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

An issue was discovered in LibTIFF 4.0.9. There is an int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

libXcursor before 1.1.15 has various integer overflows that could lead to heap buffer overflows when processing malicious cursors, e.g., with programs like GIMP. It is also possible that an attack vector exists against the related code in cursor/xcursor.c in Wayland through 1.14.0.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries in a "merge" operation that occurs after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases). This is a different vulnerability than CVE-2018-20346.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

An integer overflow flaw was found in libtiff that exists in the tif_getimage.c file. This flaw allows an attacker to inject and execute arbitrary code when a user opens a crafted TIFF file. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

An integer overflow vulnerability leading to a double-free was found in libX11. This flaw allows a local privileged attacker to cause an application compiled with libX11 to crash, or in some cases, result in arbitrary code execution. The highest threat from this flaw is to confidentiality, integrity as well as system availability.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

libXcursor before 1.1.15 has various integer overflows that could lead to heap buffer overflows when processing malicious cursors, e.g., with programs like GIMP. It is also possible that an attack vector exists against the related code in cursor/xcursor.c in Wayland through 1.14.0.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

An issue was discovered in p11-kit 0.21.1 through 0.23.21. Multiple integer overflows have been discovered in the array allocations in the p11-kit library and the p11-kit list command, where overflow checks are missing before calling realloc or calloc.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



Component Details

Gnome gdk-pixbuf 2.36.8 and older is vulnerable to several integer overflows in the gif_get_lzw function resulting in memory corruption and potential code execution.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active



armorcodegithubpreprod[bot] commented 6 months ago

Finding [47832939|https://preprod.armorcode.ai/#/findings/257/1167/47832939], [47833148|https://preprod.armorcode.ai/#/findings/257/1167/47833148], [47833141|https://preprod.armorcode.ai/#/findings/257/1167/47833141], [47833185|https://preprod.armorcode.ai/#/findings/257/1167/47833185], [47833165|https://preprod.armorcode.ai/#/findings/257/1167/47833165], [47833088|https://preprod.armorcode.ai/#/findings/257/1167/47833088], [47833076|https://preprod.armorcode.ai/#/findings/257/1167/47833076], [47833142|https://preprod.armorcode.ai/#/findings/257/1167/47833142], [47833057|https://preprod.armorcode.ai/#/findings/257/1167/47833057], [47833079|https://preprod.armorcode.ai/#/findings/257/1167/47833079], [47833045|https://preprod.armorcode.ai/#/findings/257/1167/47833045], [47833091|https://preprod.armorcode.ai/#/findings/257/1167/47833091], [47833084|https://preprod.armorcode.ai/#/findings/257/1167/47833084], [47833062|https://preprod.armorcode.ai/#/findings/257/1167/47833062] are Mitigated
by SYSTEM via ArmorCode Platform

armorcodegithubpreprod[bot] commented 6 months ago

Finding [47833165|https://preprod.armorcode.ai/#/findings/257/1167/47833165] , [47833084|https://preprod.armorcode.ai/#/findings/257/1167/47833084] , [47833148|https://preprod.armorcode.ai/#/findings/257/1167/47833148] , [47833057|https://preprod.armorcode.ai/#/findings/257/1167/47833057] , [47833141|https://preprod.armorcode.ai/#/findings/257/1167/47833141] , [47832939|https://preprod.armorcode.ai/#/findings/257/1167/47832939] , [47833076|https://preprod.armorcode.ai/#/findings/257/1167/47833076] , [47833091|https://preprod.armorcode.ai/#/findings/257/1167/47833091] , [47833062|https://preprod.armorcode.ai/#/findings/257/1167/47833062] , [47833079|https://preprod.armorcode.ai/#/findings/257/1167/47833079] , [47833142|https://preprod.armorcode.ai/#/findings/257/1167/47833142] , [47833045|https://preprod.armorcode.ai/#/findings/257/1167/47833045] , [47833088|https://preprod.armorcode.ai/#/findings/257/1167/47833088] , [47833185|https://preprod.armorcode.ai/#/findings/257/1167/47833185] status changed to Confirmed Note:
by SYSTEM via ArmorCode Platform