toncenter / ton-http-api

HTTP API for TON (The Open Network)
https://toncenter.com
GNU General Public License v3.0

44 container image vulnerabilities #98

Open slavafomin opened 9 months ago

slavafomin commented 9 months ago

Hello!

The AWS image scanner shows the following (44) vulnerabilities in the container image:

| CVE | Package | Severity | Description |
| --- | --- | --- | --- |
| [CVE-2023-5981](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-5981) | gnutls28:3.6.13-2ubuntu1.8 | MEDIUM | A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. |
| [CVE-2023-4813](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-4813) | glibc:2.31-0ubuntu9.12 | LOW | A flaw was found in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge. |
| [CVE-2023-4806](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-4806) | glibc:2.31-0ubuntu9.12 | LOW | A flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks without implementing the _nss_*_gethostbyname3_r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags. |
| [CVE-2023-47038](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-47038) | perl:5.30.0-9ubuntu0.4 | MEDIUM | [A crafted regular expression when compiled by perl 5.30.0 through 5.38.0 can cause a one attacker controlled byte buffer overflow in a heap allocated buffer] |
| [CVE-2023-46218](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-46218) | curl:7.68.0-1ubuntu2.20 | MEDIUM | cookie mixed case PSL bypass |
| [CVE-2023-40217](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-40217) | python3.8:3.8.10-0ubuntu1~20.04.8 | MEDIUM | An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.) |
| [CVE-2023-4016](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-4016) | procps:2:3.3.16-1ubuntu2.3 | LOW | Under some circumstances, this weakness allows a user who has access to run the “ps” utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap. |
| [CVE-2023-39804](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-39804) | tar:1.30+dfsg-7ubuntu0.20.04.3 | MEDIUM | [A stack overflow vulnerability exists in GNU Tar up to including v1.34. The bug exists in the function xattr_decoder() in xheader.c, where alloca() is used and it may overflow the stack if a sufficiently long xattr key is used. The vulnerability can be triggered when extracting a tar/pax archive that contains such a long xattr key.] |
| [CVE-2023-30571](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-30571) | libarchive:3.4.0-2ubuntu1.2 | MEDIUM | Libarchive through 3.6.2 can cause directories to have world-writable permissions. The umask() call inside archive_write_disk_posix.c changes the umask of the whole process for a very short period of time; a race condition with another thread can lead to a permanent umask 0 setting. Such a race condition could lead to implicit directory creation with permissions 0777 (without the sticky bit), which means that any low-privileged local user can delete and rename files inside those directories. |
| [CVE-2023-2953](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-2953) | openldap:2.4.49+dfsg-2ubuntu1.9 | LOW | A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function. |
| [CVE-2023-29383](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-29383) | shadow:1:4.8.1-1ubuntu5.20.04.4 | LOW | In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account. |
| [CVE-2023-27043](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-27043) | python3.8:3.8.10-0ubuntu1~20.04.8 | MEDIUM | The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python. |
| [CVE-2023-26604](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-26604) | systemd:245.4-4ubuntu3.22 | LOW | systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in which the "systemctl status" command may be executed. Specifically, systemd does not set LESSSECURE to 1, and thus other programs may be launched from the less program. This presents a substantial security risk when running systemctl from Sudo, because less executes as root when the terminal size is too small to show the complete systemctl output. |
| [CVE-2022-48065](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-48065) | binutils:2.34-6ubuntu1.6 | MEDIUM | GNU Binutils before 2.40 was discovered to contain a memory leak vulnerability var the function find_abstract_instance in dwarf2.c. |
| [CVE-2022-48064](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-48064) | binutils:2.34-6ubuntu1.6 | INFORMATIONAL | GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack. |
| [CVE-2022-48063](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-48063) | binutils:2.34-6ubuntu1.6 | MEDIUM | GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function load_separate_debug_files at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack. |
| [CVE-2022-47695](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-47695) | binutils:2.34-6ubuntu1.6 | MEDIUM | An issue was discovered Binutils objdump before 2.39.3 allows attackers to cause a denial of service or other unspecified impacts via function bfd_mach_o_get_synthetic_symtab in match-o.c. |
| [CVE-2022-47011](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-47011) | binutils:2.34-6ubuntu1.6 | MEDIUM | An issue was discovered function parse_stab_struct_fields in stabs.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks. |
| [CVE-2022-47010](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-47010) | binutils:2.34-6ubuntu1.6 | MEDIUM | An issue was discovered function pr_function_type in prdbg.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks. |
| [CVE-2022-47008](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-47008) | binutils:2.34-6ubuntu1.6 | MEDIUM | An issue was discovered function make_tempdir, and make_tempname in bucomm.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks. |
| [CVE-2022-47007](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-47007) | binutils:2.34-6ubuntu1.6 | MEDIUM | An issue was discovered function stab_demangle_v3_arg in stabs.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks. |
| [CVE-2022-45703](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-45703) | binutils:2.34-6ubuntu1.6 | MEDIUM | Heap buffer overflow vulnerability in binutils readelf before 2.40 via function display_debug_section in file readelf.c. |
| [CVE-2022-44840](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-44840) | binutils:2.34-6ubuntu1.6 | MEDIUM | Heap buffer overflow vulnerability in binutils readelf before 2.40 via function find_section_in_set in file readelf.c. |
| [CVE-2022-36227](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-36227) | libarchive:3.4.0-2ubuntu1.2 | LOW | In libarchive before 3.6.2, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. NOTE: the discoverer cites this CWE-476 remark but third parties dispute the code-execution impact: "In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution." |
| [CVE-2022-35205](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-35205) | binutils:2.34-6ubuntu1.6 | MEDIUM | An issue was discovered in Binutils readelf 2.38.50, reachable assertion failure in function display_debug_names allows attackers to cause a denial of service. |
| [CVE-2022-3219](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3219) | gnupg2:2.2.19-3ubuntu2.2 | LOW | GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB. |
| [CVE-2021-46195](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-46195) | binutils:2.34-6ubuntu1.6 | LOW | GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources. |
| [CVE-2021-46174](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-46174) | binutils:2.34-6ubuntu1.6 | MEDIUM | Heap-based Buffer Overflow in function bfd_getl32 in Binutils objdump 3.37. |
| [CVE-2021-45261](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-45261) | patch:2.7.6-6 | INFORMATIONAL | An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service. |
| [CVE-2021-41617](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-41617) | openssh:1:8.2p1-4ubuntu0.9 | LOW | sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user. |
| [CVE-2021-31879](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-31879) | wget:1.20.3-1ubuntu2 | MEDIUM | GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007. |
| [CVE-2020-22916](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-22916) | xz-utils:5.2.4-1ubuntu1.1 | MEDIUM | ** DISPUTED ** An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of a crafted file. NOTE: the vendor disputes the claims of "endless output" and "denial of service" because decompression of the 17,486 bytes always results in 114,881,179 bytes, which is often a reasonable size increase. |
| [CVE-2020-19726](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-19726) | binutils:2.34-6ubuntu1.6 | MEDIUM | An issue was discovered in binutils libbfd.c 2.36 relating to the auxiliary symbol data allows attackers to read or write to system memory or cause a denial of service. |
| [CVE-2020-14145](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-14145) | openssh:1:8.2p1-4ubuntu0.9 | LOW | The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected. |
| [CVE-2020-13844](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-13844) | gcc-defaults:1.185.1ubuntu2 | MEDIUM | Arm Armv8-A core implementations utilizing speculative execution past unconditional changes in control flow may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka "straight-line speculation." |
| [CVE-2019-1010204](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1010204) | binutils:2.34-6ubuntu1.6 | LOW | GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened. |
| [CVE-2018-6952](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-6952) | patch:2.7.6-6 | INFORMATIONAL | A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6. |
| [CVE-2018-20657](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20657) | binutils:2.34-6ubuntu1.6 | INFORMATIONAL | The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698. |
| [CVE-2018-1000021](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-1000021) | git:1:2.25.1-1ubuntu3.11 | LOW | GIT version 2.15.1 and earlier contains a Input Validation Error vulnerability in Client that can result in problems including messing up terminal configuration to RCE. This attack appear to be exploitable via The user must interact with a malicious git server, (or have their traffic modified in a MITM attack). |
| [CVE-2017-13716](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-13716) | binutils:2.34-6ubuntu1.6 | LOW | The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd). |
| [CVE-2017-11164](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-11164) | pcre3:2:8.39-12ubuntu0.1 | INFORMATIONAL | In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression. |
| [CVE-2016-2781](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2781) | coreutils:8.30-3ubuntu2 | LOW | chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer. |
| [CVE-2016-20013](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-20013) | glibc:2.31-0ubuntu9.12 | INFORMATIONAL | sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password. |
| [CVE-2013-4235](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2013-4235) | shadow:1:4.8.1-1ubuntu5.20.04.4 | LOW | shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees |

I would suggest hardening it, if possible.