Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add container security audit? #6

Open
Temikus opened this issue Apr 26, 2020 · 7 comments
Open

Add container security audit? #6

Temikus opened this issue Apr 26, 2020 · 7 comments
Labels
A-build Area: CI build infrastructure. A-security Area: Security vulnerabilities and unsoundness issues.

Comments

@Temikus
Copy link
Contributor

Temikus commented Apr 26, 2020

I'm thinking of adding a container security audit to the CI process, e.g.: https://github.com/aquasecurity/trivy

WDYT?

@lopopolo
Copy link
Member

Sounds good. I've typically named workflows of this shape into an "audit" GitHub Actions workflow so it can be set to run periodically as well as on PRs + master pushes.

See https://github.com/artichoke/artichoke/blob/6648914ecc5687b9b8187b0f06b19d4fa749f462/.github/workflows/audit.yaml for an example

@lopopolo lopopolo added the A-build Area: CI build infrastructure. label Apr 26, 2020
@Temikus
Copy link
Contributor Author

Temikus commented Apr 26, 2020

@lopopolo Shouldn't we make it a part of the image workflow though?

I'm thinking of the scenario if we have a critical vulnerability in the image - we would want to gate the push in that case, no?

Or are you thinking of something else here?

@lopopolo
Copy link
Member

Oh I see. Isn't it likely that many past nightly builds will also be vulnerable to the same defects?

What value is there in blocking nightlies only once a vuln has been discovered?

@lopopolo lopopolo added the A-security Area: Security vulnerabilities and unsoundness issues. label Apr 26, 2020
@Temikus
Copy link
Contributor Author

Temikus commented Apr 26, 2020

There is, of course, a scenario where there would be a vulnerability that affects all the images in the past, but I think there's value in not letting out nightlies if we managed to introduce one (e.g. building on a new target that ends up insecure, adding a runtime dep that's insecure, etc.)

Or do you think the benefit is marginal? (which is fair)

@lopopolo
Copy link
Member

Oh I see. Gating builds on detected vulns is kinda like being a good citizen and not spewing out more vulnerable software.

In that case, this seems like a good build step to add 🙂

@lopopolo
Copy link
Member

lopopolo commented Oct 2, 2021

I took a peek at this, and it looks like this is not practical to run in CI. This is the results of running trivy on the latest container images. Only alpine comes back clean:

$ trivy image artichokeruby/artichoke
2021-10-02T10:31:59.203-0700	INFO	Detected OS: ubuntu
2021-10-02T10:31:59.203-0700	INFO	Detecting Ubuntu vulnerabilities...
2021-10-02T10:31:59.204-0700	INFO	Number of language-specific files: 0

artichokeruby/artichoke (ubuntu 20.04)
======================================
Total: 22 (UNKNOWN: 0, LOW: 22, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

+------------+------------------+----------+--------------------------+---------------+-----------------------------------------+
|  LIBRARY   | VULNERABILITY ID | SEVERITY |    INSTALLED VERSION     | FIXED VERSION |                  TITLE                  |
+------------+------------------+----------+--------------------------+---------------+-----------------------------------------+
| bash       | CVE-2019-18276   | LOW      | 5.0-6ubuntu1.1           |               | bash: when effective UID is not         |
|            |                  |          |                          |               | equal to its real UID the...            |
|            |                  |          |                          |               | -->avd.aquasec.com/nvd/cve-2019-18276   |
+------------+------------------+          +--------------------------+---------------+-----------------------------------------+
| coreutils  | CVE-2016-2781    |          | 8.30-3ubuntu2            |               | coreutils: Non-privileged               |
|            |                  |          |                          |               | session can escape to the               |
|            |                  |          |                          |               | parent session in chroot                |
|            |                  |          |                          |               | -->avd.aquasec.com/nvd/cve-2016-2781    |
+------------+------------------+          +--------------------------+---------------+-----------------------------------------+
| libc-bin   | CVE-2016-10228   |          | 2.31-0ubuntu9.2          |               | glibc: iconv program can hang           |
|            |                  |          |                          |               | when invoked with the -c option         |
|            |                  |          |                          |               | -->avd.aquasec.com/nvd/cve-2016-10228   |
+            +------------------+          +                          +---------------+-----------------------------------------+
|            | CVE-2019-25013   |          |                          |               | glibc: buffer over-read in              |
|            |                  |          |                          |               | iconv when processing invalid           |
|            |                  |          |                          |               | multi-byte input sequences in...        |
|            |                  |          |                          |               | -->avd.aquasec.com/nvd/cve-2019-25013   |
+            +------------------+          +                          +---------------+-----------------------------------------+
|            | CVE-2020-27618   |          |                          |               | glibc: iconv when processing            |
|            |                  |          |                          |               | invalid multi-byte input                |
|            |                  |          |                          |               | sequences fails to advance the...       |
|            |                  |          |                          |               | -->avd.aquasec.com/nvd/cve-2020-27618   |
+            +------------------+          +                          +---------------+-----------------------------------------+
|            | CVE-2020-29562   |          |                          |               | glibc: assertion failure in iconv       |
|            |                  |          |                          |               | when converting invalid UCS4            |
|            |                  |          |                          |               | -->avd.aquasec.com/nvd/cve-2020-29562   |
+            +------------------+          +                          +---------------+-----------------------------------------+
|            | CVE-2020-6096    |          |                          |               | glibc: signed comparison                |
|            |                  |          |                          |               | vulnerability in the                    |
|            |                  |          |                          |               | ARMv7 memcpy function                   |
|            |                  |          |                          |               | -->avd.aquasec.com/nvd/cve-2020-6096    |
+            +------------------+          +                          +---------------+-----------------------------------------+
|            | CVE-2021-27645   |          |                          |               | glibc: Use-after-free in                |
|            |                  |          |                          |               | addgetnetgrentX function                |
|            |                  |          |                          |               | in netgroupcache.c                      |
|            |                  |          |                          |               | -->avd.aquasec.com/nvd/cve-2021-27645   |
+            +------------------+          +                          +---------------+-----------------------------------------+
|            | CVE-2021-3326    |          |                          |               | glibc: Assertion failure in             |
|            |                  |          |                          |               | ISO-2022-JP-3 gconv module              |
|            |                  |          |                          |               | related to combining characters         |
|            |                  |          |                          |               | -->avd.aquasec.com/nvd/cve-2021-3326    |
+------------+------------------+          +                          +---------------+-----------------------------------------+
| libc6      | CVE-2016-10228   |          |                          |               | glibc: iconv program can hang           |
|            |                  |          |                          |               | when invoked with the -c option         |
|            |                  |          |                          |               | -->avd.aquasec.com/nvd/cve-2016-10228   |
+            +------------------+          +                          +---------------+-----------------------------------------+
|            | CVE-2019-25013   |          |                          |               | glibc: buffer over-read in              |
|            |                  |          |                          |               | iconv when processing invalid           |
|            |                  |          |                          |               | multi-byte input sequences in...        |
|            |                  |          |                          |               | -->avd.aquasec.com/nvd/cve-2019-25013   |
+            +------------------+          +                          +---------------+-----------------------------------------+
|            | CVE-2020-27618   |          |                          |               | glibc: iconv when processing            |
|            |                  |          |                          |               | invalid multi-byte input                |
|            |                  |          |                          |               | sequences fails to advance the...       |
|            |                  |          |                          |               | -->avd.aquasec.com/nvd/cve-2020-27618   |
+            +------------------+          +                          +---------------+-----------------------------------------+
|            | CVE-2020-29562   |          |                          |               | glibc: assertion failure in iconv       |
|            |                  |          |                          |               | when converting invalid UCS4            |
|            |                  |          |                          |               | -->avd.aquasec.com/nvd/cve-2020-29562   |
+            +------------------+          +                          +---------------+-----------------------------------------+
|            | CVE-2020-6096    |          |                          |               | glibc: signed comparison                |
|            |                  |          |                          |               | vulnerability in the                    |
|            |                  |          |                          |               | ARMv7 memcpy function                   |
|            |                  |          |                          |               | -->avd.aquasec.com/nvd/cve-2020-6096    |
+            +------------------+          +                          +---------------+-----------------------------------------+
|            | CVE-2021-27645   |          |                          |               | glibc: Use-after-free in                |
|            |                  |          |                          |               | addgetnetgrentX function                |
|            |                  |          |                          |               | in netgroupcache.c                      |
|            |                  |          |                          |               | -->avd.aquasec.com/nvd/cve-2021-27645   |
+            +------------------+          +                          +---------------+-----------------------------------------+
|            | CVE-2021-3326    |          |                          |               | glibc: Assertion failure in             |
|            |                  |          |                          |               | ISO-2022-JP-3 gconv module              |
|            |                  |          |                          |               | related to combining characters         |
|            |                  |          |                          |               | -->avd.aquasec.com/nvd/cve-2021-3326    |
+------------+------------------+          +--------------------------+---------------+-----------------------------------------+
| libpcre3   | CVE-2017-11164   |          | 2:8.39-12build1          |               | pcre: OP_KETRMAX feature in the         |
|            |                  |          |                          |               | match function in pcre_exec.c           |
|            |                  |          |                          |               | -->avd.aquasec.com/nvd/cve-2017-11164   |
+            +------------------+          +                          +---------------+-----------------------------------------+
|            | CVE-2019-20838   |          |                          |               | pcre: buffer over-read in               |
|            |                  |          |                          |               | JIT when UTF is disabled                |
|            |                  |          |                          |               | -->avd.aquasec.com/nvd/cve-2019-20838   |
+            +------------------+          +                          +---------------+-----------------------------------------+
|            | CVE-2020-14155   |          |                          |               | pcre: integer overflow in libpcre       |
|            |                  |          |                          |               | -->avd.aquasec.com/nvd/cve-2020-14155   |
+------------+------------------+          +--------------------------+---------------+-----------------------------------------+
| libtasn1-6 | CVE-2018-1000654 |          | 4.16.0-2                 |               | libtasn1: Infinite loop in              |
|            |                  |          |                          |               | _asn1_expand_object_id(ptree)           |
|            |                  |          |                          |               | leads to memory exhaustion              |
|            |                  |          |                          |               | -->avd.aquasec.com/nvd/cve-2018-1000654 |
+------------+------------------+          +--------------------------+---------------+-----------------------------------------+
| login      | CVE-2013-4235    |          | 1:4.8.1-1ubuntu5.20.04.1 |               | shadow-utils: TOCTOU race               |
|            |                  |          |                          |               | conditions by copying and               |
|            |                  |          |                          |               | removing directory trees                |
|            |                  |          |                          |               | -->avd.aquasec.com/nvd/cve-2013-4235    |
+------------+                  +          +                          +---------------+                                         +
| passwd     |                  |          |                          |               |                                         |
|            |                  |          |                          |               |                                         |
|            |                  |          |                          |               |                                         |
|            |                  |          |                          |               |                                         |
+------------+------------------+----------+--------------------------+---------------+-----------------------------------------+
$ trivy image artichokeruby/artichoke:alpine-nightly
2021-10-02T10:32:43.308-0700	INFO	Detected OS: alpine
2021-10-02T10:32:43.308-0700	INFO	Detecting Alpine vulnerabilities...
2021-10-02T10:32:43.309-0700	INFO	Number of language-specific files: 0

artichokeruby/artichoke:alpine-nightly (alpine 3.14.2)
======================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

$ trivy image artichokeruby/artichoke:slim-nightly
2021-10-02T10:32:51.869-0700	INFO	Detected OS: debian
2021-10-02T10:32:51.870-0700	INFO	Detecting Debian vulnerabilities...
2021-10-02T10:32:51.880-0700	INFO	Number of language-specific files: 0

artichokeruby/artichoke:slim-nightly (debian 11.0)
==================================================
Total: 65 (UNKNOWN: 0, LOW: 12, MEDIUM: 27, HIGH: 22, CRITICAL: 4)

+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
|     LIBRARY      | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                  TITLE                  |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| apt              | CVE-2011-3374    | LOW      | 2.2.4             |               | It was found that apt-key in apt,       |
|                  |                  |          |                   |               | all versions, do not correctly...       |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2011-3374    |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| coreutils        | CVE-2016-2781    | MEDIUM   | 8.32-4            |               | coreutils: Non-privileged               |
|                  |                  |          |                   |               | session can escape to the               |
|                  |                  |          |                   |               | parent session in chroot                |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2016-2781    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2017-18018   |          |                   |               | coreutils: race condition               |
|                  |                  |          |                   |               | vulnerability in chown and chgrp        |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2017-18018   |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libapt-pkg6.0    | CVE-2011-3374    | LOW      | 2.2.4             |               | It was found that apt-key in apt,       |
|                  |                  |          |                   |               | all versions, do not correctly...       |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2011-3374    |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libc-bin         | CVE-2019-1010022 | CRITICAL | 2.31-13           |               | glibc: stack guard protection bypass    |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1010022 |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2021-33574   |          |                   |               | glibc: mq_notify does                   |
|                  |                  |          |                   |               | not handle separately                   |
|                  |                  |          |                   |               | allocated thread attributes             |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-33574   |
+                  +------------------+----------+                   +---------------+-----------------------------------------+
|                  | CVE-2018-20796   | HIGH     |                   |               | glibc: uncontrolled recursion in        |
|                  |                  |          |                   |               | function check_dst_limits_calc_pos_1    |
|                  |                  |          |                   |               | in posix/regexec.c                      |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-20796   |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2019-1010023 |          |                   |               | glibc: running ldd on malicious ELF     |
|                  |                  |          |                   |               | leads to code execution because of...   |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1010023 |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2019-9192    |          |                   |               | glibc: uncontrolled recursion in        |
|                  |                  |          |                   |               | function check_dst_limits_calc_pos_1    |
|                  |                  |          |                   |               | in posix/regexec.c                      |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-9192    |
+                  +------------------+----------+                   +---------------+-----------------------------------------+
|                  | CVE-2010-4051    | MEDIUM   |                   |               | CVE-2010-4052 glibc: De-recursivise     |
|                  |                  |          |                   |               | regular expression engine               |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2010-4051    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2010-4052    |          |                   |               | CVE-2010-4051 CVE-2010-4052             |
|                  |                  |          |                   |               | glibc: De-recursivise                   |
|                  |                  |          |                   |               | regular expression engine               |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2010-4052    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2010-4756    |          |                   |               | glibc: glob implementation              |
|                  |                  |          |                   |               | can cause excessive CPU and             |
|                  |                  |          |                   |               | memory consumption due to...            |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2010-4756    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2019-1010024 |          |                   |               | glibc: ASLR bypass using                |
|                  |                  |          |                   |               | cache of thread stack and heap          |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1010024 |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2019-1010025 |          |                   |               | glibc: information disclosure of heap   |
|                  |                  |          |                   |               | addresses of pthread_created thread     |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1010025 |
+------------------+------------------+----------+                   +---------------+-----------------------------------------+
| libc6            | CVE-2019-1010022 | CRITICAL |                   |               | glibc: stack guard protection bypass    |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1010022 |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2021-33574   |          |                   |               | glibc: mq_notify does                   |
|                  |                  |          |                   |               | not handle separately                   |
|                  |                  |          |                   |               | allocated thread attributes             |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-33574   |
+                  +------------------+----------+                   +---------------+-----------------------------------------+
|                  | CVE-2018-20796   | HIGH     |                   |               | glibc: uncontrolled recursion in        |
|                  |                  |          |                   |               | function check_dst_limits_calc_pos_1    |
|                  |                  |          |                   |               | in posix/regexec.c                      |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-20796   |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2019-1010023 |          |                   |               | glibc: running ldd on malicious ELF     |
|                  |                  |          |                   |               | leads to code execution because of...   |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1010023 |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2019-9192    |          |                   |               | glibc: uncontrolled recursion in        |
|                  |                  |          |                   |               | function check_dst_limits_calc_pos_1    |
|                  |                  |          |                   |               | in posix/regexec.c                      |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-9192    |
+                  +------------------+----------+                   +---------------+-----------------------------------------+
|                  | CVE-2010-4051    | MEDIUM   |                   |               | CVE-2010-4052 glibc: De-recursivise     |
|                  |                  |          |                   |               | regular expression engine               |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2010-4051    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2010-4052    |          |                   |               | CVE-2010-4051 CVE-2010-4052             |
|                  |                  |          |                   |               | glibc: De-recursivise                   |
|                  |                  |          |                   |               | regular expression engine               |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2010-4052    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2010-4756    |          |                   |               | glibc: glob implementation              |
|                  |                  |          |                   |               | can cause excessive CPU and             |
|                  |                  |          |                   |               | memory consumption due to...            |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2010-4756    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2019-1010024 |          |                   |               | glibc: ASLR bypass using                |
|                  |                  |          |                   |               | cache of thread stack and heap          |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1010024 |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2019-1010025 |          |                   |               | glibc: information disclosure of heap   |
|                  |                  |          |                   |               | addresses of pthread_created thread     |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1010025 |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libgcrypt20      | CVE-2018-6829    | HIGH     | 1.8.7-6           |               | libgcrypt: ElGamal implementation       |
|                  |                  |          |                   |               | doesn't have semantic security due      |
|                  |                  |          |                   |               | to incorrectly encoded plaintexts...    |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-6829    |
+                  +------------------+----------+                   +---------------+-----------------------------------------+
|                  | CVE-2021-40528   | MEDIUM   |                   |               | libgcrypt: ElGamal implementation       |
|                  |                  |          |                   |               | allows plaintext recovery               |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-40528   |
+------------------+------------------+          +-------------------+---------------+-----------------------------------------+
| libgnutls30      | CVE-2011-3389    |          | 3.7.1-5           |               | HTTPS: block-wise chosen-plaintext      |
|                  |                  |          |                   |               | attack against SSL/TLS (BEAST)          |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2011-3389    |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libgssapi-krb5-2 | CVE-2018-5709    | HIGH     | 1.18.3-6          |               | krb5: integer overflow                  |
|                  |                  |          |                   |               | in dbentry->n_key_data                  |
|                  |                  |          |                   |               | in kadmin/dbutil/dump.c                 |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-5709    |
+                  +------------------+----------+                   +---------------+-----------------------------------------+
|                  | CVE-2021-37750   | MEDIUM   |                   |               | krb5: NULL pointer dereference          |
|                  |                  |          |                   |               | in process_tgs_req() in                 |
|                  |                  |          |                   |               | kdc/do_tgs_req.c via a FAST inner...    |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-37750   |
+                  +------------------+----------+                   +---------------+-----------------------------------------+
|                  | CVE-2004-0971    | LOW      |                   |               | security flaw                           |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2004-0971    |
+------------------+------------------+----------+                   +---------------+-----------------------------------------+
| libk5crypto3     | CVE-2018-5709    | HIGH     |                   |               | krb5: integer overflow                  |
|                  |                  |          |                   |               | in dbentry->n_key_data                  |
|                  |                  |          |                   |               | in kadmin/dbutil/dump.c                 |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-5709    |
+                  +------------------+----------+                   +---------------+-----------------------------------------+
|                  | CVE-2021-37750   | MEDIUM   |                   |               | krb5: NULL pointer dereference          |
|                  |                  |          |                   |               | in process_tgs_req() in                 |
|                  |                  |          |                   |               | kdc/do_tgs_req.c via a FAST inner...    |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-37750   |
+                  +------------------+----------+                   +---------------+-----------------------------------------+
|                  | CVE-2004-0971    | LOW      |                   |               | security flaw                           |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2004-0971    |
+------------------+------------------+----------+                   +---------------+-----------------------------------------+
| libkrb5-3        | CVE-2018-5709    | HIGH     |                   |               | krb5: integer overflow                  |
|                  |                  |          |                   |               | in dbentry->n_key_data                  |
|                  |                  |          |                   |               | in kadmin/dbutil/dump.c                 |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-5709    |
+                  +------------------+----------+                   +---------------+-----------------------------------------+
|                  | CVE-2021-37750   | MEDIUM   |                   |               | krb5: NULL pointer dereference          |
|                  |                  |          |                   |               | in process_tgs_req() in                 |
|                  |                  |          |                   |               | kdc/do_tgs_req.c via a FAST inner...    |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-37750   |
+                  +------------------+----------+                   +---------------+-----------------------------------------+
|                  | CVE-2004-0971    | LOW      |                   |               | security flaw                           |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2004-0971    |
+------------------+------------------+----------+                   +---------------+-----------------------------------------+
| libkrb5support0  | CVE-2018-5709    | HIGH     |                   |               | krb5: integer overflow                  |
|                  |                  |          |                   |               | in dbentry->n_key_data                  |
|                  |                  |          |                   |               | in kadmin/dbutil/dump.c                 |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-5709    |
+                  +------------------+----------+                   +---------------+-----------------------------------------+
|                  | CVE-2021-37750   | MEDIUM   |                   |               | krb5: NULL pointer dereference          |
|                  |                  |          |                   |               | in process_tgs_req() in                 |
|                  |                  |          |                   |               | kdc/do_tgs_req.c via a FAST inner...    |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-37750   |
+                  +------------------+----------+                   +---------------+-----------------------------------------+
|                  | CVE-2004-0971    | LOW      |                   |               | security flaw                           |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2004-0971    |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libpcre3         | CVE-2017-11164   | HIGH     | 2:8.39-13         |               | pcre: OP_KETRMAX feature in the         |
|                  |                  |          |                   |               | match function in pcre_exec.c           |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2017-11164   |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2017-7245    |          |                   |               | pcre: stack-based buffer overflow       |
|                  |                  |          |                   |               | write in pcre32_copy_substring          |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2017-7245    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2017-7246    |          |                   |               | pcre: stack-based buffer overflow       |
|                  |                  |          |                   |               | write in pcre32_copy_substring          |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2017-7246    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2019-20838   |          |                   |               | pcre: buffer over-read in               |
|                  |                  |          |                   |               | JIT when UTF is disabled                |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-20838   |
+                  +------------------+----------+                   +---------------+-----------------------------------------+
|                  | CVE-2017-16231   | MEDIUM   |                   |               | pcre: self-recursive call               |
|                  |                  |          |                   |               | in match() in pcre_exec.c               |
|                  |                  |          |                   |               | leads to denial of service...           |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2017-16231   |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libsepol1        | CVE-2021-36084   | LOW      | 3.1-1             |               | libsepol: use-after-free in             |
|                  |                  |          |                   |               | __cil_verify_classperms()               |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-36084   |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2021-36085   |          |                   |               | libsepol: use-after-free in             |
|                  |                  |          |                   |               | __cil_verify_classperms()               |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-36085   |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2021-36086   |          |                   |               | libsepol: use-after-free in             |
|                  |                  |          |                   |               | cil_reset_classpermission()             |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-36086   |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2021-36087   |          |                   |               | libsepol: heap-based buffer             |
|                  |                  |          |                   |               | overflow in ebitmap_match_any()         |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-36087   |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libssl1.1        | CVE-2007-6755    | MEDIUM   | 1.1.1k-1+deb11u1  |               | Dual_EC_DRBG: weak pseudo               |
|                  |                  |          |                   |               | random number generator                 |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2007-6755    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2010-0928    |          |                   |               | openssl: RSA authentication weakness    |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2010-0928    |
+------------------+------------------+          +-------------------+---------------+-----------------------------------------+
| libsystemd0      | CVE-2020-13529   |          | 247.3-6           |               | systemd: DHCP FORCERENEW                |
|                  |                  |          |                   |               | authentication not implemented          |
|                  |                  |          |                   |               | can cause a system running the...       |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-13529   |
+                  +------------------+----------+                   +---------------+-----------------------------------------+
|                  | CVE-2013-4392    | LOW      |                   |               | systemd: TOCTOU race condition          |
|                  |                  |          |                   |               | when updating file permissions          |
|                  |                  |          |                   |               | and SELinux security contexts...        |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2013-4392    |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libtinfo6        | CVE-2021-39537   | HIGH     | 6.2+20201114-2    |               | ncurses: heap-based buffer overflow     |
|                  |                  |          |                   |               | in _nc_captoinfo() in captoinfo.c       |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-39537   |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| libudev1         | CVE-2020-13529   | MEDIUM   | 247.3-6           |               | systemd: DHCP FORCERENEW                |
|                  |                  |          |                   |               | authentication not implemented          |
|                  |                  |          |                   |               | can cause a system running the...       |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-13529   |
+                  +------------------+----------+                   +---------------+-----------------------------------------+
|                  | CVE-2013-4392    | LOW      |                   |               | systemd: TOCTOU race condition          |
|                  |                  |          |                   |               | when updating file permissions          |
|                  |                  |          |                   |               | and SELinux security contexts...        |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2013-4392    |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| login            | CVE-2019-19882   | HIGH     | 1:4.8.1-1         |               | shadow-utils: local users can           |
|                  |                  |          |                   |               | obtain root access because setuid       |
|                  |                  |          |                   |               | programs are misconfigured...           |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-19882   |
+                  +------------------+----------+                   +---------------+-----------------------------------------+
|                  | CVE-2007-5686    | MEDIUM   |                   |               | initscripts in rPath Linux 1            |
|                  |                  |          |                   |               | sets insecure permissions for           |
|                  |                  |          |                   |               | the /var/log/btmp file,...              |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2007-5686    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2013-4235    |          |                   |               | shadow-utils: TOCTOU race               |
|                  |                  |          |                   |               | conditions by copying and               |
|                  |                  |          |                   |               | removing directory trees                |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2013-4235    |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| ncurses-base     | CVE-2021-39537   | HIGH     | 6.2+20201114-2    |               | ncurses: heap-based buffer overflow     |
|                  |                  |          |                   |               | in _nc_captoinfo() in captoinfo.c       |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-39537   |
+------------------+                  +          +                   +---------------+                                         +
| ncurses-bin      |                  |          |                   |               |                                         |
|                  |                  |          |                   |               |                                         |
|                  |                  |          |                   |               |                                         |
+------------------+------------------+          +-------------------+---------------+-----------------------------------------+
| passwd           | CVE-2019-19882   |          | 1:4.8.1-1         |               | shadow-utils: local users can           |
|                  |                  |          |                   |               | obtain root access because setuid       |
|                  |                  |          |                   |               | programs are misconfigured...           |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-19882   |
+                  +------------------+----------+                   +---------------+-----------------------------------------+
|                  | CVE-2007-5686    | MEDIUM   |                   |               | initscripts in rPath Linux 1            |
|                  |                  |          |                   |               | sets insecure permissions for           |
|                  |                  |          |                   |               | the /var/log/btmp file,...              |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2007-5686    |
+                  +------------------+          +                   +---------------+-----------------------------------------+
|                  | CVE-2013-4235    |          |                   |               | shadow-utils: TOCTOU race               |
|                  |                  |          |                   |               | conditions by copying and               |
|                  |                  |          |                   |               | removing directory trees                |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2013-4235    |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+
| perl-base        | CVE-2011-4116    | HIGH     | 5.32.1-4+deb11u1  |               | perl: File::Temp insecure               |
|                  |                  |          |                   |               | temporary file handling                 |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2011-4116    |
+------------------+------------------+          +-------------------+---------------+-----------------------------------------+
| tar              | CVE-2005-2541    |          | 1.34+dfsg-1       |               | tar: does not properly warn the user    |
|                  |                  |          |                   |               | when extracting setuid or setgid...     |
|                  |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2005-2541    |
+------------------+------------------+----------+-------------------+---------------+-----------------------------------------+

@Temikus
Copy link
Contributor Author

Temikus commented Oct 3, 2021

@lopopolo FWIW this is not about all vulnerabilities. Usually one sets CI to critical or high depending on the requirements, but feel free to close out if you think this is not needed.

Thanks again for this awesome project ❤️

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
A-build Area: CI build infrastructure. A-security Area: Security vulnerabilities and unsoundness issues.
Development

No branches or pull requests

2 participants