search

uditgaurav / notes

0 stars 2 forks source link

Image Vulnerability #3

Open uditgaurav opened 3 years ago

uditgaurav commented 3 years ago

uditgaurav/go-runner:apt


udit@ubuntu20 ~/g/s/g/l/litmus-go (scratch_dev)> trivy image uditgaurav/go-runner:apt
2021-09-07T11:06:18.784+0530    INFO    Need to update DB
2021-09-07T11:06:18.784+0530    INFO    Downloading DB...
23.46 MiB / 23.46 MiB [--------------------------------------------------------------------------------] 100.00% 2.74 MiB p/s 8s
2021-09-07T11:07:08.517+0530    INFO    Detected OS: debian
2021-09-07T11:07:08.517+0530    INFO    Detecting Debian vulnerabilities...
2021-09-07T11:07:08.525+0530    INFO    Number of language-specific files: 6
2021-09-07T11:07:08.525+0530    INFO    Detecting gobinary vulnerabilities...

uditgaurav/go-runner:apt (debian 10.10)
=======================================
Total: 25 (UNKNOWN: 0, LOW: 17, MEDIUM: 3, HIGH: 3, CRITICAL: 2)

+-----------+------------------+----------+-------------------+---------------+-----------------------------------------+
|  LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                  TITLE                  |
+-----------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libc6     | CVE-2021-33574   | CRITICAL | 2.28-10           |               | glibc: mq_notify does                   |
|           |                  |          |                   |               | not handle separately                   |
|           |                  |          |                   |               | allocated thread attributes             |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-33574   |
+           +------------------+          +                   +---------------+-----------------------------------------+
|           | CVE-2021-35942   |          |                   |               | glibc: Arbitrary read in wordexp()      |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-35942   |
+           +------------------+----------+                   +---------------+-----------------------------------------+
|           | CVE-2020-1751    | HIGH     |                   |               | glibc: array overflow in                |
|           |                  |          |                   |               | backtrace functions for powerpc         |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1751    |
+           +------------------+          +                   +---------------+-----------------------------------------+
|           | CVE-2020-1752    |          |                   |               | glibc: use-after-free in glob()         |
|           |                  |          |                   |               | function when expanding ~user           |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1752    |
+           +------------------+          +                   +---------------+-----------------------------------------+
|           | CVE-2021-3326    |          |                   |               | glibc: Assertion failure in             |
|           |                  |          |                   |               | ISO-2022-JP-3 gconv module              |
|           |                  |          |                   |               | related to combining characters         |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3326    |
+           +------------------+----------+                   +---------------+-----------------------------------------+
|           | CVE-2019-25013   | MEDIUM   |                   |               | glibc: buffer over-read in              |
|           |                  |          |                   |               | iconv when processing invalid           |
|           |                  |          |                   |               | multi-byte input sequences in...        |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-25013   |
+           +------------------+          +                   +---------------+-----------------------------------------+
|           | CVE-2020-10029   |          |                   |               | glibc: stack corruption                 |
|           |                  |          |                   |               | from crafted input in cosl,             |
|           |                  |          |                   |               | sinl, sincosl, and tanl...              |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-10029   |
+           +------------------+          +                   +---------------+-----------------------------------------+
|           | CVE-2020-27618   |          |                   |               | glibc: iconv when processing            |
|           |                  |          |                   |               | invalid multi-byte input                |
|           |                  |          |                   |               | sequences fails to advance the...       |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-27618   |
+           +------------------+----------+                   +---------------+-----------------------------------------+
|           | CVE-2010-4051    | LOW      |                   |               | CVE-2010-4052 glibc: De-recursivise     |
|           |                  |          |                   |               | regular expression engine               |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2010-4051    |
+           +------------------+          +                   +---------------+-----------------------------------------+
|           | CVE-2010-4052    |          |                   |               | CVE-2010-4051 CVE-2010-4052             |
|           |                  |          |                   |               | glibc: De-recursivise                   |
|           |                  |          |                   |               | regular expression engine               |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2010-4052    |
+           +------------------+          +                   +---------------+-----------------------------------------+
|           | CVE-2010-4756    |          |                   |               | glibc: glob implementation              |
|           |                  |          |                   |               | can cause excessive CPU and             |
|           |                  |          |                   |               | memory consumption due to...            |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2010-4756    |
+           +------------------+          +                   +---------------+-----------------------------------------+
|           | CVE-2016-10228   |          |                   |               | glibc: iconv program can hang           |
|           |                  |          |                   |               | when invoked with the -c option         |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2016-10228   |
+           +------------------+          +                   +---------------+-----------------------------------------+
|           | CVE-2018-20796   |          |                   |               | glibc: uncontrolled recursion in        |
|           |                  |          |                   |               | function check_dst_limits_calc_pos_1    |
|           |                  |          |                   |               | in posix/regexec.c                      |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-20796   |
+           +------------------+          +                   +---------------+-----------------------------------------+
|           | CVE-2019-1010022 |          |                   |               | glibc: stack guard protection bypass    |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1010022 |
+           +------------------+          +                   +---------------+-----------------------------------------+
|           | CVE-2019-1010023 |          |                   |               | glibc: running ldd on malicious ELF     |
|           |                  |          |                   |               | leads to code execution because of...   |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1010023 |
+           +------------------+          +                   +---------------+-----------------------------------------+
|           | CVE-2019-1010024 |          |                   |               | glibc: ASLR bypass using                |
|           |                  |          |                   |               | cache of thread stack and heap          |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1010024 |
+           +------------------+          +                   +---------------+-----------------------------------------+
|           | CVE-2019-1010025 |          |                   |               | glibc: information disclosure of heap   |
|           |                  |          |                   |               | addresses of pthread_created thread     |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1010025 |
+           +------------------+          +                   +---------------+-----------------------------------------+
|           | CVE-2019-19126   |          |                   |               | glibc: LD_PREFER_MAP_32BIT_EXEC         |
|           |                  |          |                   |               | not ignored in setuid binaries          |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-19126   |
+           +------------------+          +                   +---------------+-----------------------------------------+
|           | CVE-2019-9192    |          |                   |               | glibc: uncontrolled recursion in        |
|           |                  |          |                   |               | function check_dst_limits_calc_pos_1    |
|           |                  |          |                   |               | in posix/regexec.c                      |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-9192    |
+           +------------------+          +                   +---------------+-----------------------------------------+
|           | CVE-2020-6096    |          |                   |               | glibc: signed comparison                |
|           |                  |          |                   |               | vulnerability in the                    |
|           |                  |          |                   |               | ARMv7 memcpy function                   |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-6096    |
+           +------------------+          +                   +---------------+-----------------------------------------+
|           | CVE-2021-27645   |          |                   |               | glibc: Use-after-free in                |
|           |                  |          |                   |               | addgetnetgrentX function                |
|           |                  |          |                   |               | in netgroupcache.c                      |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-27645   |
+-----------+------------------+          +-------------------+---------------+-----------------------------------------+
| libssl1.1 | CVE-2007-6755    |          | 1.1.1d-0+deb10u7  |               | Dual_EC_DRBG: weak pseudo               |
|           |                  |          |                   |               | random number generator                 |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2007-6755    |
+           +------------------+          +                   +---------------+-----------------------------------------+
|           | CVE-2010-0928    |          |                   |               | openssl: RSA authentication weakness    |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2010-0928    |
+-----------+------------------+          +                   +---------------+-----------------------------------------+
| openssl   | CVE-2007-6755    |          |                   |               | Dual_EC_DRBG: weak pseudo               |
|           |                  |          |                   |               | random number generator                 |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2007-6755    |
+           +------------------+          +                   +---------------+-----------------------------------------+
|           | CVE-2010-0928    |          |                   |               | openssl: RSA authentication weakness    |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2010-0928    |
+-----------+------------------+----------+-------------------+---------------+-----------------------------------------+

litmus/experiments (gobinary)
=============================
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 0, CRITICAL: 0)

+-------------------+------------------+----------+------------------------------------+-----------------+---------------------------------------+
|      LIBRARY      | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION          |  FIXED VERSION  |                 TITLE                 |
+-------------------+------------------+----------+------------------------------------+-----------------+---------------------------------------+
| k8s.io/client-go  | CVE-2019-11250   | MEDIUM   | v0.0.0-20191016111102-bec269661e48 | v0.17.0         | kubernetes: Bearer tokens             |
|                   |                  |          |                                    |                 | written to logs at high               |
|                   |                  |          |                                    |                 | verbosity levels (>= 7)...            |
|                   |                  |          |                                    |                 | -->avd.aquasec.com/nvd/cve-2019-11250 |
+                   +------------------+          +                                    +-----------------+---------------------------------------+
|                   | CVE-2020-8565    |          |                                    | v0.20.0-alpha.2 | kubernetes: Incomplete fix            |
|                   |                  |          |                                    |                 | for CVE-2019-11250 allows for         |
|                   |                  |          |                                    |                 | token leak in logs when...            |
|                   |                  |          |                                    |                 | -->avd.aquasec.com/nvd/cve-2020-8565  |
+-------------------+------------------+          +------------------------------------+-----------------+---------------------------------------+
| k8s.io/kubernetes | CVE-2020-8554    |          | v1.17.3                            |                 | kubernetes: MITM using                |
|                   |                  |          |                                    |                 | LoadBalancer or ExternalIPs           |
|                   |                  |          |                                    |                 | -->avd.aquasec.com/nvd/cve-2020-8554  |
+                   +------------------+          +                                    +-----------------+---------------------------------------+
|                   | CVE-2020-8564    |          |                                    | v1.20.0-alpha.1 | kubernetes: Docker config             |
|                   |                  |          |                                    |                 | secrets leaked when file is           |
|                   |                  |          |                                    |                 | malformed and loglevel >=...          |
|                   |                  |          |                                    |                 | -->avd.aquasec.com/nvd/cve-2020-8564  |
+                   +------------------+          +                                    +-----------------+---------------------------------------+
|                   | CVE-2020-8565    |          |                                    | v1.20.0-alpha.2 | kubernetes: Incomplete fix            |
|                   |                  |          |                                    |                 | for CVE-2019-11250 allows for         |
|                   |                  |          |                                    |                 | token leak in logs when...            |
|                   |                  |          |                                    |                 | -->avd.aquasec.com/nvd/cve-2020-8565  |
+-------------------+------------------+----------+------------------------------------+-----------------+---------------------------------------+

litmus/helpers (gobinary)
=========================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

+------------------+------------------+----------+------------------------------------+-----------------+---------------------------------------+
|     LIBRARY      | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION          |  FIXED VERSION  |                 TITLE                 |
+------------------+------------------+----------+------------------------------------+-----------------+---------------------------------------+
| k8s.io/client-go | CVE-2019-11250   | MEDIUM   | v0.0.0-20191016111102-bec269661e48 | v0.17.0         | kubernetes: Bearer tokens             |
|                  |                  |          |                                    |                 | written to logs at high               |
|                  |                  |          |                                    |                 | verbosity levels (>= 7)...            |
|                  |                  |          |                                    |                 | -->avd.aquasec.com/nvd/cve-2019-11250 |
+                  +------------------+          +                                    +-----------------+---------------------------------------+
|                  | CVE-2020-8565    |          |                                    | v0.20.0-alpha.2 | kubernetes: Incomplete fix            |
|                  |                  |          |                                    |                 | for CVE-2019-11250 allows for         |
|                  |                  |          |                                    |                 | token leak in logs when...            |
|                  |                  |          |                                    |                 | -->avd.aquasec.com/nvd/cve-2020-8565  |
+------------------+------------------+----------+------------------------------------+-----------------+---------------------------------------+

usr/local/bin/dns_interceptor (gobinary)
========================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

usr/local/bin/nsutil (gobinary)
===============================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

usr/local/bin/promql (gobinary)
===============================
Total: 3 (UNKNOWN: 2, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+------------------+------------------+----------+-------------------+---------------+---------------------------------------+
|     LIBRARY      | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| gopkg.in/yaml.v2 | CVE-2019-11254   | MEDIUM   | v2.2.2            | v2.2.8        | kubernetes: Denial of                 |
|                  |                  |          |                   |               | service in API server via             |
|                  |                  |          |                   |               | crafted YAML payloads by...           |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-11254 |
+                  +------------------+----------+                   +---------------+---------------------------------------+
|                  | GMS-2019-2       | UNKNOWN  |                   | v2.2.3        | XML Entity Expansion                  |
+                  +------------------+          +                   +               +---------------------------------------+
|                  | GO-2021-0061     |          |                   |               |                                       |
+------------------+------------------+----------+-------------------+---------------+---------------------------------------+

usr/local/bin/pumba (gobinary)
==============================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+--------------------------+------------------+----------+-------------------+---------------+--------------------------------------+
|         LIBRARY          | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
+--------------------------+------------------+----------+-------------------+---------------+--------------------------------------+
| github.com/gogo/protobuf | CVE-2021-3121    | HIGH     | v1.3.1            | v1.3.2        | gogo/protobuf:                       |
|                          |                  |          |                   |               | plugin/unmarshal/unmarshal.go        |
|                          |                  |          |                   |               | lacks certain index validation       |
|                          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3121 |
+--------------------------+------------------+----------+-------------------+---------------+--------------------------------------+
uditgaurav commented 3 years ago

litmuschaos/go-runner:ci


litmuschaos/go-runner:ci (alpine 3.13.6)
========================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

litmus/experiments (gobinary)
=============================
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 0, CRITICAL: 0)

+-------------------+------------------+----------+------------------------------------+-----------------+---------------------------------------+
|      LIBRARY      | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION          |  FIXED VERSION  |                 TITLE                 |
+-------------------+------------------+----------+------------------------------------+-----------------+---------------------------------------+
| k8s.io/client-go  | CVE-2019-11250   | MEDIUM   | v0.0.0-20191016111102-bec269661e48 | v0.17.0         | kubernetes: Bearer tokens             |
|                   |                  |          |                                    |                 | written to logs at high               |
|                   |                  |          |                                    |                 | verbosity levels (>= 7)...            |
|                   |                  |          |                                    |                 | -->avd.aquasec.com/nvd/cve-2019-11250 |
+                   +------------------+          +                                    +-----------------+---------------------------------------+
|                   | CVE-2020-8565    |          |                                    | v0.20.0-alpha.2 | kubernetes: Incomplete fix            |
|                   |                  |          |                                    |                 | for CVE-2019-11250 allows for         |
|                   |                  |          |                                    |                 | token leak in logs when...            |
|                   |                  |          |                                    |                 | -->avd.aquasec.com/nvd/cve-2020-8565  |
+-------------------+------------------+          +------------------------------------+-----------------+---------------------------------------+
| k8s.io/kubernetes | CVE-2020-8554    |          | v1.17.3                            |                 | kubernetes: MITM using                |
|                   |                  |          |                                    |                 | LoadBalancer or ExternalIPs           |
|                   |                  |          |                                    |                 | -->avd.aquasec.com/nvd/cve-2020-8554  |
+                   +------------------+          +                                    +-----------------+---------------------------------------+
|                   | CVE-2020-8564    |          |                                    | v1.20.0-alpha.1 | kubernetes: Docker config             |
|                   |                  |          |                                    |                 | secrets leaked when file is           |
|                   |                  |          |                                    |                 | malformed and loglevel >=...          |
|                   |                  |          |                                    |                 | -->avd.aquasec.com/nvd/cve-2020-8564  |
+                   +------------------+          +                                    +-----------------+---------------------------------------+
|                   | CVE-2020-8565    |          |                                    | v1.20.0-alpha.2 | kubernetes: Incomplete fix            |
|                   |                  |          |                                    |                 | for CVE-2019-11250 allows for         |
|                   |                  |          |                                    |                 | token leak in logs when...            |
|                   |                  |          |                                    |                 | -->avd.aquasec.com/nvd/cve-2020-8565  |
+-------------------+------------------+----------+------------------------------------+-----------------+---------------------------------------+

litmus/helpers (gobinary)
=========================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

+------------------+------------------+----------+------------------------------------+-----------------+---------------------------------------+
|     LIBRARY      | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION          |  FIXED VERSION  |                 TITLE                 |
+------------------+------------------+----------+------------------------------------+-----------------+---------------------------------------+
| k8s.io/client-go | CVE-2019-11250   | MEDIUM   | v0.0.0-20191016111102-bec269661e48 | v0.17.0         | kubernetes: Bearer tokens             |
|                  |                  |          |                                    |                 | written to logs at high               |
|                  |                  |          |                                    |                 | verbosity levels (>= 7)...            |
|                  |                  |          |                                    |                 | -->avd.aquasec.com/nvd/cve-2019-11250 |
+                  +------------------+          +                                    +-----------------+---------------------------------------+
|                  | CVE-2020-8565    |          |                                    | v0.20.0-alpha.2 | kubernetes: Incomplete fix            |
|                  |                  |          |                                    |                 | for CVE-2019-11250 allows for         |
|                  |                  |          |                                    |                 | token leak in logs when...            |
|                  |                  |          |                                    |                 | -->avd.aquasec.com/nvd/cve-2020-8565  |
+------------------+------------------+----------+------------------------------------+-----------------+---------------------------------------+

usr/local/bin/dns_interceptor (gobinary)
========================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

usr/local/bin/nsutil (gobinary)
===============================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

usr/local/bin/promql (gobinary)
===============================
Total: 3 (UNKNOWN: 2, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+------------------+------------------+----------+-------------------+---------------+---------------------------------------+
|     LIBRARY      | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| gopkg.in/yaml.v2 | CVE-2019-11254   | MEDIUM   | v2.2.2            | v2.2.8        | kubernetes: Denial of                 |
|                  |                  |          |                   |               | service in API server via             |
|                  |                  |          |                   |               | crafted YAML payloads by...           |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-11254 |
+                  +------------------+----------+                   +---------------+---------------------------------------+
|                  | GMS-2019-2       | UNKNOWN  |                   | v2.2.3        | XML Entity Expansion                  |
+                  +------------------+          +                   +               +---------------------------------------+
|                  | GO-2021-0061     |          |                   |               |                                       |
+------------------+------------------+----------+-------------------+---------------+---------------------------------------+

usr/local/bin/pumba (gobinary)
==============================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+--------------------------+------------------+----------+-------------------+---------------+--------------------------------------+
|         LIBRARY          | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
+--------------------------+------------------+----------+-------------------+---------------+--------------------------------------+
| github.com/gogo/protobuf | CVE-2021-3121    | HIGH     | v1.3.1            | v1.3.2        | gogo/protobuf:                       |
|                          |                  |          |                   |               | plugin/unmarshal/unmarshal.go        |
|                          |                  |          |                   |               | lacks certain index validation       |
|                          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3121 |
+--------------------------+------------------+----------+-------------------+---------------+--------------------------------------+