Running with gitlab-runner 13.11.0 (7f7a4bb0)
  on gitlab-runners-bigbang-gitlab-runner-gitlab-runner-797d46cxptjg WntjV97x
  feature flags: FF_GITLAB_REGISTRY_HELPER_IMAGE:true
Resolving secrets
Preparing the "kubernetes" executor
Using Kubernetes namespace: gitlab-runners
Using Kubernetes executor with image aquasec/trivy:0.9.0 ...
Preparing environment
Waiting for pod gitlab-runners/runner-wntjv97x-project-2327-concurrent-0n4wll to be running, status is Pending
Running on runner-wntjv97x-project-2327-concurrent-0n4wll via gitlab-runners-bigbang-gitlab-runner-gitlab-runner-797d46cxptjg...
Getting source from Git repository
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/platform-one/big-bang/pipeline-templates/pipeline-templates/.git/
Created fresh repository.
Checking out c314f798 as chart-test-lib...
Skipping Git submodules setup
Executing "step_script" stage of the job script
$ apk add skopeo
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/community/x86_64/APKINDEX.tar.gz
(1/26) Installing device-mapper-libs (2.02.186-r0)
(2/26) Installing libgpg-error (1.36-r2)
(3/26) Installing libassuan (2.5.3-r0)
(4/26) Installing libffi (3.2.1-r6)
(5/26) Installing libblkid (2.34-r1)
(6/26) Installing libmount (2.34-r1)
(7/26) Installing pcre (8.43-r1)
(8/26) Installing glib (2.62.6-r0)
(9/26) Installing ncurses-terminfo-base (6.1_p20200118-r4)
(10/26) Installing ncurses-libs (6.1_p20200118-r4)
(11/26) Installing libgcrypt (1.8.5-r0)
(12/26) Installing libsecret (0.19.1-r0)
(13/26) Installing pinentry (1.1.0-r2)
Executing pinentry-1.1.0-r2.post-install
(14/26) Installing gmp (6.1.2-r1)
(15/26) Installing nettle (3.5.1-r0)
(16/26) Installing p11-kit (0.23.18.1-r1)
(17/26) Installing libtasn1 (4.15.0-r0)
(18/26) Installing libunistring (0.9.10-r0)
(19/26) Installing gnutls (3.6.15-r1)
(20/26) Installing libksba (1.3.5-r0)
(21/26) Installing libsasl (2.1.27-r5)
(22/26) Installing libldap (2.4.48-r3)
(23/26) Installing npth (1.6-r0)
(24/26) Installing gnupg (2.2.19-r0)
(25/26) Installing gpgme (1.13.1-r1)
(26/26) Installing skopeo (0.1.40-r1)
Executing busybox-1.31.1-r9.trigger
OK: 79 MiB in 64 packages
$ skopeo copy --screds $CI_REGISTRY_USER:$CI_REGISTRY_PASSWORD docker://$IMAGE:$CI_COMMIT_SHORT_SHA oci:/image
Getting image source signatures
Copying config sha256:d0792012c1af34eec1a83d9aaf66177a02a8eeae98540dc18eae2427c1a8d554
Writing manifest to image destination
Storing signatures
$ trivy --no-progress --input /image
2021-05-06T17:42:32.956Z INFO Need to update DB
2021-05-06T17:42:32.956Z INFO Downloading DB...
2021-05-06T17:42:44.885Z INFO Detecting RHEL/CentOS vulnerabilities...
2021-05-06T17:42:44.891Z INFO Detecting npm vulnerabilities...
/image (redhat 8.3)
===================
Total: 339 (UNKNOWN: 0, LOW: 127, MEDIUM: 190, HIGH: 22, CRITICAL: 0)

| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
|---|---|---|---|---|---|
| avahi-libs | CVE-2021-3468 | MEDIUM | 0.7-19.el8 | | avahi: Local DoS by event-busy-loop from writing long lines to /run/avahi-daemon/socket |
| avahi-libs | CVE-2017-6519 | LOW | 0.7-19.el8 | | avahi: Multicast DNS responds to unicast queries outside of local network |
| bash | CVE-2019-18276 | LOW | 4.4.19-12.el8 | | bash: when effective UID is not equal to its real UID the... |
| brotli | CVE-2020-8927 | MEDIUM | 1.0.6-2.el8 | | brotli: buffer overflow when input chunk is larger than 2GiB |
| bzip2-devel | CVE-2019-12900 | LOW | 1.0.6-26.el8 | | bzip2: out-of-bounds write in function BZ2_decompress |
| bzip2-libs | CVE-2019-12900 | LOW | 1.0.6-26.el8 | | bzip2: out-of-bounds write in function BZ2_decompress |
| cairo | CVE-2018-18064 | MEDIUM | 1.15.12-3.el8 | | cairo: Stack-based buffer overflow via parsing of crafted WebKitGTK+ document |
| cairo | CVE-2020-35492 | MEDIUM | 1.15.12-3.el8 | | cairo: libreoffice slideshow aborts with stack smashing in cairo's composite_boxes |
| cairo | CVE-2018-19876 | LOW | 1.15.12-3.el8 | | cairo: Invalid free in cairo_ft_apply_variations() resulting in a denial of service |
| cairo | CVE-2019-6461 | LOW | 1.15.12-3.el8 | | cairo: assertion problem in _cairo_arc_in_direction in cairo-arc.c |
| cairo | CVE-2019-6462 | LOW | 1.15.12-3.el8 | | cairo: infinite loop in the function _arc_error_normalized in the file cairo-arc.c |
| cairo-devel | CVE-2018-18064 | MEDIUM | 1.15.12-3.el8 | | cairo: Stack-based buffer overflow via parsing of crafted WebKitGTK+ document |
| cairo-devel | CVE-2020-35492 | MEDIUM | 1.15.12-3.el8 | | cairo: libreoffice slideshow aborts with stack smashing in cairo's composite_boxes |
| cairo-devel | CVE-2018-19876 | LOW | 1.15.12-3.el8 | | cairo: Invalid free in cairo_ft_apply_variations() resulting in a denial of service |
| cairo-devel | CVE-2019-6461 | LOW | 1.15.12-3.el8 | | cairo: assertion problem in _cairo_arc_in_direction in cairo-arc.c |
| cairo-devel | CVE-2019-6462 | LOW | 1.15.12-3.el8 | | cairo: infinite loop in the function _arc_error_normalized in the file cairo-arc.c |
| cairo-gobject | CVE-2018-18064 | MEDIUM | 1.15.12-3.el8 | | cairo: Stack-based buffer overflow via parsing of crafted WebKitGTK+ document |
| cairo-gobject | CVE-2020-35492 | MEDIUM | 1.15.12-3.el8 | | cairo: libreoffice slideshow aborts with stack smashing in cairo's composite_boxes |
| cairo-gobject | CVE-2018-19876 | LOW | 1.15.12-3.el8 | | cairo: Invalid free in cairo_ft_apply_variations() resulting in a denial of service |
| cairo-gobject | CVE-2019-6461 | LOW | 1.15.12-3.el8 | | cairo: assertion problem in _cairo_arc_in_direction in cairo-arc.c |
| cairo-gobject | CVE-2019-6462 | LOW | 1.15.12-3.el8 | | cairo: infinite loop in the function _arc_error_normalized in the file cairo-arc.c |
| cairo-gobject-devel | CVE-2018-18064 | MEDIUM | 1.15.12-3.el8 | | cairo: Stack-based buffer overflow via parsing of crafted WebKitGTK+ document |
| cairo-gobject-devel | CVE-2020-35492 | MEDIUM | 1.15.12-3.el8 | | cairo: libreoffice slideshow aborts with stack smashing in cairo's composite_boxes |
| cairo-gobject-devel | CVE-2018-19876 | LOW | 1.15.12-3.el8 | | cairo: Invalid free in cairo_ft_apply_variations() resulting in a denial of service |
| cairo-gobject-devel | CVE-2019-6461 | LOW | 1.15.12-3.el8 | | cairo: assertion problem in _cairo_arc_in_direction in cairo-arc.c |
| cairo-gobject-devel | CVE-2019-6462 | LOW | 1.15.12-3.el8 | | cairo: infinite loop in the function _arc_error_normalized in the file cairo-arc.c |
| coreutils-single | CVE-2017-18018 | MEDIUM | 8.30-8.el8 | | coreutils: race condition vulnerability in chown and chgrp |
| cups-libs | CVE-2020-10001 | MEDIUM | 1:2.2.6-38.el8 | | cups: access to uninitialized buffer in ipp.c |
| cups-libs | CVE-2021-25317 | LOW | 1:2.2.6-38.el8 | | cups: insecure permissions of /var/log/cups allows for symlink attacks |
| curl | CVE-2020-8284 | MEDIUM | 7.61.1-14.el8_3.1 | | curl: FTP PASV command response can cause curl to connect to arbitrary... |
| curl | CVE-2020-8285 | MEDIUM | 7.61.1-14.el8_3.1 | | curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used... |
| curl | CVE-2020-8286 | MEDIUM | 7.61.1-14.el8_3.1 | | curl: Inferior OCSP verification |
| curl | CVE-2021-22876 | MEDIUM | 7.61.1-14.el8_3.1 | | curl: Leak of authentication credentials in URL via automatic Referer |
| curl | CVE-2020-8231 | LOW | 7.61.1-14.el8_3.1 | | curl: Expired pointer dereference via multi API with CURLOPT_CONNECT_ONLY option set |
| dbus | CVE-2020-35512 | LOW | 1:1.12.8-12.el8_3 | | dbus: users with the same numeric UID could lead to use-after-free and... |
| dbus-common | CVE-2020-35512 | LOW | 1:1.12.8-12.el8_3 | | dbus: users with the same numeric UID could lead to use-after-free and... |
| dbus-daemon | CVE-2020-35512 | LOW | 1:1.12.8-12.el8_3 | | dbus: users with the same numeric UID could lead to use-after-free and... |
| dbus-devel | CVE-2020-35512 | LOW | 1:1.12.8-12.el8_3 | | dbus: users with the same numeric UID could lead to use-after-free and... |
| dbus-libs | CVE-2020-35512 | LOW | 1:1.12.8-12.el8_3 | | dbus: users with the same numeric UID could lead to use-after-free and... |
| dbus-tools | CVE-2020-35512 | LOW | 1:1.12.8-12.el8_3 | | dbus: users with the same numeric UID could lead to use-after-free and... |
| file-libs | CVE-2019-18218 | MEDIUM | 5.33-16.el8_3.1 | | file: heap-based buffer overflow in cdf_read_property_info in cdf.c |
| file-libs | CVE-2019-8905 | LOW | 5.33-16.el8_3.1 | | file: stack-based buffer over-read in do_core_note in readelf.c |
| file-libs | CVE-2019-8906 | LOW | 5.33-16.el8_3.1 | | file: out-of-bounds read in do_core_note in readelf.c |
| git | CVE-2018-1000021 | MEDIUM | 2.27.0-1.el8 | | git: client prints server-sent ANSI escape codes to the terminal, allowing for... |
| git | CVE-2021-21300 | MEDIUM | 2.27.0-1.el8 | | git: remote code execution during clone operation on case-insensitive filesystems |
| git-core | CVE-2018-1000021 | MEDIUM | 2.27.0-1.el8 | | git: client prints server-sent ANSI escape codes to the terminal, allowing for... |
| git-core | CVE-2021-21300 | MEDIUM | 2.27.0-1.el8 | | git: remote code execution during clone operation on case-insensitive filesystems |
| git-core-doc | CVE-2018-1000021 | MEDIUM | 2.27.0-1.el8 | | git: client prints server-sent ANSI escape codes to the terminal, allowing for... |
| git-core-doc | CVE-2021-21300 | MEDIUM | 2.27.0-1.el8 | | git: remote code execution during clone operation on case-insensitive filesystems |
| glib-networking | CVE-2020-13645 | MEDIUM | 2.56.1-1.1.el8 | | glib-networking: GTlsClientConnection silently ignores unset server identity |
| glib2 | CVE-2021-27218 | MEDIUM | 2.56.4-8.el8 | | glib: integer overflow in g_byte_array_new_take function when called with a buffer of... |
| glib2 | CVE-2021-27219 | MEDIUM | 2.56.4-8.el8 | | glib: integer overflow in g_bytes_new function on 64-bit platforms due to an... |
| glib2 | CVE-2018-16428 | LOW | 2.56.4-8.el8 | | glib2: NULL pointer dereference in g_markup_parse_context_end_parse() function in gmarkup.c |
| glib2 | CVE-2018-16429 | LOW | 2.56.4-8.el8 | | glib2: Out-of-bounds read in g_markup_parse_context_parse() in gmarkup.c |
| glib2 | CVE-2019-13012 | LOW | 2.56.4-8.el8 | | glib2: insecure permissions for files and directories |
| glib2 | CVE-2021-28153 | LOW | 2.56.4-8.el8 | | glib: g_file_replace() with G_FILE_CREATE_REPLACE_DESTINATION creates empty target for dangling symlink |
| glib2-devel | CVE-2021-27218 | MEDIUM | 2.56.4-8.el8 | | glib: integer overflow in g_byte_array_new_take function when called with a buffer of... |
| glib2-devel | CVE-2021-27219 | MEDIUM | 2.56.4-8.el8 | | glib: integer overflow in g_bytes_new function on 64-bit platforms due to an... |
| glib2-devel | CVE-2018-16428 | LOW | 2.56.4-8.el8 | | glib2: NULL pointer dereference in g_markup_parse_context_end_parse() function in gmarkup.c |
| glib2-devel | CVE-2018-16429 | LOW | 2.56.4-8.el8 | | glib2: Out-of-bounds read in g_markup_parse_context_parse() in gmarkup.c |
| glib2-devel | CVE-2019-13012 | LOW | 2.56.4-8.el8 | | glib2: insecure permissions for files and directories |
| glib2-devel | CVE-2021-28153 | LOW | 2.56.4-8.el8 | | glib: g_file_replace() with G_FILE_CREATE_REPLACE_DESTINATION creates empty target for dangling symlink |
| glibc | CVE-2019-25013 | HIGH | 2.28-127.el8_3.2 | | glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in... |
| glibc | CVE-2019-1010022 | MEDIUM | 2.28-127.el8_3.2 | | glibc: stack guard protection bypass |
| glibc | CVE-2019-9169 | MEDIUM | 2.28-127.el8_3.2 | | glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read... |
| glibc | CVE-2021-3326 | MEDIUM | 2.28-127.el8_3.2 | | glibc: Assertion failure in ISO-2022-JP-3 gconv module related to combining characters |
| glibc | CVE-2016-10228 | LOW | 2.28-127.el8_3.2 | | glibc: iconv program can hang when invoked with the -c option |
| glibc | CVE-2020-27618 | LOW | 2.28-127.el8_3.2 | | glibc: iconv when processing invalid multi-byte input sequences fails to advance the... |
| glibc | CVE-2021-27645 | LOW | 2.28-127.el8_3.2 | | glibc: Use-after-free in addgetnetgrentX function in netgroupcache.c |
| glibc-common | CVE-2019-25013 | HIGH | 2.28-127.el8_3.2 | | glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in... |
| glibc-common | CVE-2019-1010022 | MEDIUM | 2.28-127.el8_3.2 | | glibc: stack guard protection bypass |
| glibc-common | CVE-2019-9169 | MEDIUM | 2.28-127.el8_3.2 | | glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read... |
| glibc-common | CVE-2021-3326 | MEDIUM | 2.28-127.el8_3.2 | | glibc: Assertion failure in ISO-2022-JP-3 gconv module related to combining characters |
| glibc-common | CVE-2016-10228 | LOW | 2.28-127.el8_3.2 | | glibc: iconv program can hang when invoked with the -c option |
| glibc-common | CVE-2020-27618 | LOW | 2.28-127.el8_3.2 | | glibc: iconv when processing invalid multi-byte input sequences fails to advance the... |
| glibc-common | CVE-2021-27645 | LOW | 2.28-127.el8_3.2 | | glibc: Use-after-free in addgetnetgrentX function in netgroupcache.c |
| glibc-minimal-langpack | CVE-2019-25013 | HIGH | 2.28-127.el8_3.2 | | glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in... |
| glibc-minimal-langpack | CVE-2019-1010022 | MEDIUM | 2.28-127.el8_3.2 | | glibc: stack guard protection bypass |
| glibc-minimal-langpack | CVE-2019-9169 | MEDIUM | 2.28-127.el8_3.2 | | glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read... |
| glibc-minimal-langpack | CVE-2021-3326 | MEDIUM | 2.28-127.el8_3.2 | | glibc: Assertion failure in ISO-2022-JP-3 gconv module related to combining characters |
| glibc-minimal-langpack | CVE-2016-10228 | LOW | 2.28-127.el8_3.2 | | glibc: iconv program can hang when invoked with the -c option |
| glibc-minimal-langpack | CVE-2020-27618 | LOW | 2.28-127.el8_3.2 | | glibc: iconv when processing invalid multi-byte input sequences fails to advance the... |
| glibc-minimal-langpack | CVE-2021-27645 | LOW | 2.28-127.el8_3.2 | | glibc: Use-after-free in addgetnetgrentX function in netgroupcache.c |
| gnupg2 | CVE-2018-1000858 | MEDIUM | 2.2.20-2.el8 | | gnupg2: Cross site request forgery in dirmngr resulting in an information disclosure... |
| gnutls | CVE-2021-20231 | MEDIUM | 3.6.14-8.el8_3 | | gnutls: Use after free in client key_share extension |
| gnutls | CVE-2021-20232 | MEDIUM | 3.6.14-8.el8_3 | | gnutls: Use after free in client_send_params in lib/ext/pre_shared_key.c |
| jasper-libs | CVE-2017-5503 | MEDIUM | 2.0.14-4.el8 | | jasper: invalid memory write in dec_clnpass() |
| jasper-libs | CVE-2017-5504 | MEDIUM | 2.0.14-4.el8 | | jasper: Invalid memory read in jpc_undo_roi |
| jasper-libs | CVE-2017-5505 | MEDIUM | 2.0.14-4.el8 | | jasper: Invalid memory read in jas_matrix_asl |
| jasper-libs | CVE-2020-27828 | MEDIUM | 2.0.14-4.el8 | | jasper: Heap-based buffer overflow in cp_create() in jpc_enc.c |
| jasper-libs | CVE-2021-26926 | MEDIUM | 2.0.14-4.el8 | | jasper: Out of bounds read in jp2_decode() in jp2_dec.c |
| jasper-libs | CVE-2021-26927 | MEDIUM | 2.0.14-4.el8 | | jasper: NULL pointer dereference in jp2_decode() in jp2_dec.c |
| jasper-libs | CVE-2021-3272 | MEDIUM | 2.0.14-4.el8 | | jasper: Heap-based buffer over-read in jp2_decode() in jp2_dec.c |
| jasper-libs | CVE-2021-3443 | MEDIUM | 2.0.14-4.el8 | | jasper: NULL pointer dereference in jp2_decode() in jp2_dec.c |
| jasper-libs | CVE-2021-3467 | MEDIUM | 2.0.14-4.el8 | | jasper: NULL pointer dereference in jp2_decode() in jp2_dec.c |
| jasper-libs | CVE-2017-13745 | LOW | 2.0.14-4.el8 | | jasper: reachable abort in jpc_dec_process_sot() |
| jasper-libs | CVE-2017-5499 | LOW | 2.0.14-4.el8 | | jasper: Signed integer overflow in jpc_dequantize() in jpc_dec.c |
| jasper-libs | CVE-2017-9782 | LOW | 2.0.14-4.el8 | | jasper: cdef.ents[] heap-based buffer over-read in jp2_decode() |
| jasper-libs | CVE-2018-18873 | LOW | 2.0.14-4.el8 | | jasper: NULL pointer dereference in ras_putdatastd() in ras_enc.c |
| jasper-libs | CVE-2018-19139 | LOW | 2.0.14-4.el8 | | jasper: memory leak of data allocated in jpc_unk_getparms() after abort in jpc_dec_process_sot()... |
| jasper-libs | CVE-2018-19539 | LOW | 2.0.14-4.el8 | | jasper: access violation in jas_image_readcmpt() in jas_image.c |
| jasper-libs | CVE-2018-19540 | LOW | 2.0.14-4.el8 | | jasper: heap-based buffer overflow of size 1 in jas_icctxtdesc_input in libjasper/base/jas_icc.c |
| jasper-libs | CVE-2018-19541 | LOW | 2.0.14-4.el8 | | jasper: heap-based buffer over-read of size 8 in jas_image_depalettize in libjasper/base/jas_image.c |
| jasper-libs | CVE-2018-19542 | LOW | 2.0.14-4.el8 | | jasper: invalid access in jp2_decode in libjasper/jp2/jp2_dec.c |
| jasper-libs | CVE-2018-19543 | LOW | 2.0.14-4.el8 | | jasper: heap-based buffer over-read in jp2_decode() in jp2_dec.c |
| jasper-libs | CVE-2018-20570 | LOW | 2.0.14-4.el8 | | jasper: heap-based buffer over-read in jp2_encode() |
| jasper-libs | CVE-2018-20622 | LOW | 2.0.14-4.el8 | | jasper: memory leak in jpc_dec_decodepkt() |
| jasper-libs | CVE-2018-9055 | LOW | 2.0.14-4.el8 | | jasper: reachable assertion in jpc_firstone() in jpc_math.c |
| jasper-libs | CVE-2018-9252 | LOW | 2.0.14-4.el8 | | jasper: reachable assertion in jpc_abstorelstepsize() in jpc_enc.c |
| jq | CVE-2016-4074 | LOW | 1.5-12.el8 | | jq: stack exhaustion via jv_dump_term() function |
| json-c | CVE-2020-12762 | MEDIUM | 0.13.1-0.2.el8 | | json-c: integer overflow and out-of-bounds write via a large JSON file |
| krb5-libs | CVE-2020-28196 | MEDIUM | 1.18.2-5.el8 | | krb5: unbounded recursion via an ASN.1-encoded Kerberos message in lib/krb5/asn.1/asn1_encode.c may lead... |
| lcms2 | CVE-2018-16435 | MEDIUM | 2.9-2.el8 | | lcms2: Integer overflow in AllocateDataSet() in cmscgats.c leading to heap-based buffer overflow... |
| libX11 | CVE-2020-14363 | HIGH | 1.6.8-3.el8 | | libX11: integer overflow leads to double free in locale handling |
| libX11 | CVE-2020-14344 | MEDIUM | 1.6.8-3.el8 | | libX11: Heap overflow in the X input method client |
| libX11-common | CVE-2020-14363 | HIGH | 1.6.8-3.el8 | | libX11: integer overflow leads to double free in locale handling |
| libX11-common | CVE-2020-14344 | MEDIUM | 1.6.8-3.el8 | | libX11: Heap overflow in the X input method client |
| libX11-devel | CVE-2020-14363 | HIGH | 1.6.8-3.el8 | | libX11: integer overflow leads to double free in locale handling |
| libX11-devel | CVE-2020-14344 | MEDIUM | 1.6.8-3.el8 | | libX11: Heap overflow in the X input method client |
| libX11-xcb | CVE-2020-14363 | HIGH | 1.6.8-3.el8 | | libX11: integer overflow leads to double free in locale handling |
| libX11-xcb | CVE-2020-14344 | MEDIUM | 1.6.8-3.el8 | | libX11: Heap overflow in the X input method client |
libarchive | CVE-2017-14502 | | 3.3.2-9.el8 | | libarchive: Off-by-one error | | | | | | | in the read_header function | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-21674 | | | | libarchive: heap-based | | | | | | | buffer overflow in | | | | | | | archive_string_append_from_wcs | | | | | | | function in archive_string.c | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2017-14166 | LOW | | | libarchive: Heap-based | | | | | | | buffer over-read in the atol8 | | | | | | | function | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2017-14501 | | | | libarchive: Out-of-bounds read | | | | | | | in parse_file_info | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2018-1000879 | | | | libarchive: NULL pointer | | | | | | | dereference in ACL parser | | | | | | | resulting in a denial of... | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2018-1000880 | | | | libarchive: Improper input | | | | | | | validation in WARC parser | | | | | | | resulting in a denial of... | +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | libcurl | CVE-2020-8284 | MEDIUM | 7.61.1-14.el8_3.1 | | curl: FTP PASV command | | | | | | | response can cause curl to | | | | | | | connect to arbitrary... | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-8285 | | | | curl: Malicious FTP server can | | | | | | | trigger stack overflow when | | | | | | | CURLOPT_CHUNK_BGN_FUNCTION is | | | | | | | used... 
| + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-8286 | | | | curl: Inferior OCSP | | | | | | | verification | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2021-22876 | | | | curl: Leak of authentication | | | | | | | credentials in URL via | | | | | | | automatic Referer | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2020-8231 | LOW | | | curl: Expired pointer | | | | | | | dereference via multi API with | | | | | | | CURLOPT_CONNECT_ONLY option | | | | | | | set | +------------------------+------------------+ +-----------------------------------------------------+---------------+-------------------------------------+ | libdb | CVE-2019-2708 | | 5.3.28-39.el8 | | libdb: Denial of service in | | | | | | | the Data Store component | +------------------------+ + + +---------------+ + | libdb-utils | | | | | | | | | | | | | +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | libdnf | CVE-2021-3445 | MEDIUM | 0.48.0-5.el8 | | libdnf: libdnf does its own | | | | | | | signature verification, but | | | | | | | this can be tricked... | +------------------------+------------------+ +-----------------------------------------------------+---------------+-------------------------------------+ | libgcc | CVE-2018-20673 | | 8.3.1-5.1.el8 | | libiberty: Integer overflow in | | | | | | | demangle_template() function | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2018-20657 | LOW | | | libiberty: Memory leak in | | | | | | | demangle_template function | | | | | | | resulting in a denial of | | | | | | | service... 
| + +------------------+ + +---------------+-------------------------------------+ | | CVE-2019-14250 | | | | binutils: integer overflow in | | | | | | | simple-object-elf.c leads to a | | | | | | | heap-based buffer overflow | +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | libgcrypt | CVE-2019-12904 | MEDIUM | 1.8.5-4.el8 | | Libgcrypt: physical addresses | | | | | | | being available to other | | | | | | | processes leads to a | | | | | | | flush-and-reload... | +------------------------+------------------+ +-----------------------------------------------------+---------------+-------------------------------------+ | libgomp | CVE-2018-20673 | | 8.3.1-5.1.el8 | | libiberty: Integer overflow in | | | | | | | demangle_template() function | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2018-20657 | LOW | | | libiberty: Memory leak in | | | | | | | demangle_template function | | | | | | | resulting in a denial of | | | | | | | service... | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2019-14250 | | | | binutils: integer overflow in | | | | | | | simple-object-elf.c leads to a | | | | | | | heap-based buffer overflow | +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | libjpeg-turbo | CVE-2019-2201 | MEDIUM | 1.5.3-10.el8 | | libjpeg-turbo: several integer | | | | | | | overflows and subsequent | | | | | | | segfaults when attempting | | | | | | | to compress/decompress | | | | | | | gigapixel... 
| + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-13790 | | | | libjpeg-turbo: heap-based | | | | | | | buffer over-read in | | | | | | | get_rgb_row() in rdppm.c | +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | libpng | CVE-2019-7317 | LOW | 2:1.6.34-5.el8 | | libpng: use-after-free in | | | | | | | png_image_free in png.c | +------------------------+ + + +---------------+ + | libpng-devel | | | | | | | | | | | | | +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | libproxy | CVE-2020-25219 | MEDIUM | 0.4.15-5.2.el8 | | libproxy: uncontrolled | | | | | | | recursion via an infinite | | | | | | | stream response leading to | | | | | | | stack exhaustion... | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-26154 | | | | libproxy: sending more than | | | | | | | 102400 bytes in PAC without a | | | | | | | Content-Length present... 
| +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | libssh | CVE-2020-16135 | LOW | 0.9.4-2.el8 | | libssh: NULL pointer | | | | | | | dereference in sftpserver.c if | | | | | | | ssh_buffer_new returns NULL | +------------------------+ + + +---------------+ + | libssh-config | | | | | | | | | | | | | | | | | | | | +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | libstdc++ | CVE-2018-20673 | MEDIUM | 8.3.1-5.1.el8 | | libiberty: Integer overflow in | | | | | | | demangle_template() function | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2018-20657 | LOW | | | libiberty: Memory leak in | | | | | | | demangle_template function | | | | | | | resulting in a denial of | | | | | | | service... | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2019-14250 | | | | binutils: integer overflow in | | | | | | | simple-object-elf.c leads to a | | | | | | | heap-based buffer overflow | +------------------------+------------------+ +-----------------------------------------------------+---------------+-------------------------------------+ | libtasn1 | CVE-2018-1000654 | | 4.13-3.el8 | | libtasn1: Infinite loop in | | | | | | | _asn1_expand_object_id(ptree) | | | | | | | leads to memory exhaustion | +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | libtiff | CVE-2017-17095 | MEDIUM | 4.0.9-18.el8 | | libtiff: Heap-based buffer | | | | | | | overflow in tools/pal2rgb.c | | | | | | | can lead to denial of | | | | | | | service... 
| + +------------------+ + +---------------+-------------------------------------+ | | CVE-2018-15209 | | | | libtiff: Heap-based | | | | | | | buffer overflow in | | | | | | | ChopUpSingleUncompressedStrip | | | | | | | in tif_dirread.c | + +------------------+ + +---------------+ + | | CVE-2018-16335 | | | | | | | | | | | | | | | | | | | | | | | | | | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-35523 | | | | libtiff: Integer overflow in | | | | | | | tif_getimage.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-35524 | | | | libtiff: Heap-based buffer | | | | | | | overflow in TIFF2PDF tool | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2018-10779 | LOW | | | libtiff: heap-based buffer | | | | | | | over-read in TIFFWriteScanline | | | | | | | function in tif_write.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2018-10801 | | | | libtiff: memory leak in | | | | | | | bmp2tiff tool | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2018-17101 | | | | libtiff: Two out-of-bounds | | | | | | | writes in cpTags in | | | | | | | tools/tiff2bw.c and | | | | | | | tools/pal2rgb.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2018-19210 | | | | libtiff: NULL pointer | | | | | | | dereference in | | | | | | | TIFFWriteDirectorySec function | | | | | | | in tif_dirwrite.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2018-5360 | | | | LibTIFF: heap-based buffer | | | | | | | over-read in the ReadTIFFImage | | | | | | | function in coders/tiff.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2019-6128 | | | | libtiff: memory leak in | | | | | | | TIFFFdOpen function in | | | | | | | tif_unix.c when using 
pal2rgb | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-35521 | | | | libtiff: Memory allocation | | | | | | | failure in tiff2rgba | + +------------------+ + +---------------+ + | | CVE-2020-35522 | | | | | | | | | | | | +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | libxml2 | CVE-2020-24977 | MEDIUM | 2.9.7-8.el8 | | libxml2: Buffer overflow | | | | | | | vulnerability in | | | | | | | xmlEncodeEntitiesInternal() in | | | | | | | entities.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2021-3516 | | | | libxml2: use-after-free in | | | | | | | xmlEncodeEntitiesInternal() in | | | | | | | entities.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2021-3517 | | | | libxml2: heap-based | | | | | | | buffer overflow in | | | | | | | xmlEncodeEntitiesInternal() in | | | | | | | entities.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2021-3518 | | | | libxml2: use-after-free in | | | | | | | xmlXIncludeDoProcess() in | | | | | | | xinclude.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2021-3537 | | | | libxml2: NULL pointer | | | | | | | dereference in valid.c in | | | | | | | xmlValidBuildAContentModel | +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | libzstd | CVE-2021-24032 | LOW | 1.4.4-1.el8 | | zstd: Race condition | | | | | | | allows attacker to access | | | | | | | world-readable destination | | | | | | | file | +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | lua-libs | CVE-2020-15945 
| MEDIUM | 5.3.4-11.el8 | | lua: segmentation fault in | | | | | | | changedline in ldebug.c | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2020-24370 | LOW | | | lua: segmentation fault | | | | | | | in getlocal and setlocal | | | | | | | functions in ldebug.c | +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | lz4-libs | CVE-2019-17543 | MEDIUM | 1.8.3-2.el8 | | lz4: heap-based buffer | | | | | | | overflow in LZ4_write32 | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2021-3520 | | | | lz4: memory corruption due to | | | | | | | an integer overflow bug caused | | | | | | | by memmove... | +------------------------+------------------+ +-----------------------------------------------------+---------------+-------------------------------------+ | mesa-libEGL | CVE-2019-5068 | | 20.1.4-1.el8 | | mesa: security bypass in 3D | | | | | | | library graphics | +------------------------+ + + +---------------+ + | mesa-libGL | | | | | | | | | | | | | +------------------------+ + + +---------------+ + | mesa-libgbm | | | | | | | | | | | | | +------------------------+ + + +---------------+ + | mesa-libglapi | | | | | | | | | | | | | +------------------------+ + + +---------------+ + | mesa-vulkan-drivers | | | | | | | | | | | | | +------------------------+------------------+ +-----------------------------------------------------+---------------+-------------------------------------+ | ncurses | CVE-2019-17594 | | 6.1-7.20180224.el8 | | ncurses: heap-based buffer | | | | | | | overflow in the _nc_find_entry | | | | | | | function in tinfo/comp_hash.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2019-17595 | | | | ncurses: heap-based buffer | | | | | | | overflow in the fmt_entry | | | | | | | function in tinfo/comp_hash.c 
| + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2018-19211 | LOW | | | ncurses: Null pointer | | | | | | | dereference at function | | | | | | | _nc_parse_entry in | | | | | | | parse_entry.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2018-19217 | | | | ncurses: Null pointer | | | | | | | dereference at function | | | | | | | _nc_name_match | +------------------------+------------------+----------+ +---------------+-------------------------------------+ | ncurses-base | CVE-2019-17594 | MEDIUM | | | ncurses: heap-based buffer | | | | | | | overflow in the _nc_find_entry | | | | | | | function in tinfo/comp_hash.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2019-17595 | | | | ncurses: heap-based buffer | | | | | | | overflow in the fmt_entry | | | | | | | function in tinfo/comp_hash.c | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2018-19211 | LOW | | | ncurses: Null pointer | | | | | | | dereference at function | | | | | | | _nc_parse_entry in | | | | | | | parse_entry.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2018-19217 | | | | ncurses: Null pointer | | | | | | | dereference at function | | | | | | | _nc_name_match | +------------------------+------------------+----------+ +---------------+-------------------------------------+ | ncurses-libs | CVE-2019-17594 | MEDIUM | | | ncurses: heap-based buffer | | | | | | | overflow in the _nc_find_entry | | | | | | | function in tinfo/comp_hash.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2019-17595 | | | | ncurses: heap-based buffer | | | | | | | overflow in the fmt_entry | | | | | | | function in tinfo/comp_hash.c | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2018-19211 | 
LOW | | | ncurses: Null pointer | | | | | | | dereference at function | | | | | | | _nc_parse_entry in | | | | | | | parse_entry.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2018-19217 | | | | ncurses: Null pointer | | | | | | | dereference at function | | | | | | | _nc_name_match | +------------------------+------------------+ +-----------------------------------------------------+---------------+-------------------------------------+ | nodejs | CVE-2017-15897 | | 1:10.24.0-1.module+el8.3.0+10166+b07ac28e | | nodejs: Unitialized buffer due | | | | | | | to incorrect encoding | +------------------------+ + + +---------------+ + | nodejs-full-i18n | | | | | | | | | | | | | +------------------------+ + +-----------------------------------------------------+---------------+ + | npm | | | 1:6.14.11-1.10.24.0.1.module+el8.3.0+10166+b07ac28e | | | | | | | | | | +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | nss | CVE-2020-12399 | MEDIUM | 3.53.1-17.el8_3 | | nss: Timing attack on DSA | | | | | | | signature generation | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-12401 | | | | nss: ECDSA timing attack | | | | | | | mitigation bypass | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-25648 | | | | nss: TLS 1.3 CCS flood remote | | | | | | | DoS Attack | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2020-12413 | LOW | | | nss: Information exposure when | | | | | | | DH secret are reused across | | | | | | | multiple TLS connections... 
| +------------------------+------------------+----------+ +---------------+-------------------------------------+ | nss-softokn | CVE-2020-12399 | MEDIUM | | | nss: Timing attack on DSA | | | | | | | signature generation | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-12401 | | | | nss: ECDSA timing attack | | | | | | | mitigation bypass | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-25648 | | | | nss: TLS 1.3 CCS flood remote | | | | | | | DoS Attack | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2020-12413 | LOW | | | nss: Information exposure when | | | | | | | DH secret are reused across | | | | | | | multiple TLS connections... | +------------------------+------------------+----------+ +---------------+-------------------------------------+ | nss-softokn-freebl | CVE-2020-12399 | MEDIUM | | | nss: Timing attack on DSA | | | | | | | signature generation | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-12401 | | | | nss: ECDSA timing attack | | | | | | | mitigation bypass | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-25648 | | | | nss: TLS 1.3 CCS flood remote | | | | | | | DoS Attack | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2020-12413 | LOW | | | nss: Information exposure when | | | | | | | DH secret are reused across | | | | | | | multiple TLS connections... 
| +------------------------+------------------+----------+ +---------------+-------------------------------------+ | nss-sysinit | CVE-2020-12399 | MEDIUM | | | nss: Timing attack on DSA | | | | | | | signature generation | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-12401 | | | | nss: ECDSA timing attack | | | | | | | mitigation bypass | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-25648 | | | | nss: TLS 1.3 CCS flood remote | | | | | | | DoS Attack | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2020-12413 | LOW | | | nss: Information exposure when | | | | | | | DH secret are reused across | | | | | | | multiple TLS connections... | +------------------------+------------------+----------+ +---------------+-------------------------------------+ | nss-util | CVE-2020-12399 | MEDIUM | | | nss: Timing attack on DSA | | | | | | | signature generation | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-12401 | | | | nss: ECDSA timing attack | | | | | | | mitigation bypass | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-25648 | | | | nss: TLS 1.3 CCS flood remote | | | | | | | DoS Attack | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2020-12413 | LOW | | | nss: Information exposure when | | | | | | | DH secret are reused across | | | | | | | multiple TLS connections... 
| +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | oniguruma | CVE-2019-13224 | MEDIUM | 6.8.2-2.el8 | | oniguruma: Use-after-free in | | | | | | | onig_new_deluxe() in regext.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2019-16163 | | | | oniguruma: Stack exhaustion in | | | | | | | regcomp.c because of recursion | | | | | | | in regparse.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2019-19012 | | | | oniguruma: integer overflow | | | | | | | in search_in_range function | | | | | | | in regexec.c leads to | | | | | | | out-of-bounds read... | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2019-19203 | | | | oniguruma: Heap-based | | | | | | | buffer over-read in function | | | | | | | gb18030_mbc_enc_len in file | | | | | | | gb18030.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2019-19204 | | | | oniguruma: Heap-based | | | | | | | buffer over-read in function | | | | | | | fetch_interval_quantifier in | | | | | | | regparse.c | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2019-19246 | LOW | | | oniguruma: Heap-based | | | | | | | buffer overflow in | | | | | | | str_lower_case_match in | | | | | | | regexec.c | +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | openssh | CVE-2020-14145 | MEDIUM | 8.0p1-5.el8 | | openssh: Observable | | | | | | | Discrepancy leading to an | | | | | | | information leak in the | | | | | | | algorithm negotiation... 
| + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-15778 | | | | openssh: scp allows command | | | | | | | injection when using | | | | | | | backtick characters in the | | | | | | | destination... | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2018-15919 | LOW | | | openssh: User enumeration | | | | | | | via malformed packets in | | | | | | | authentication requests | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2019-6110 | | | | openssh: Acceptance and | | | | | | | display of arbitrary stderr | | | | | | | allows for spoofing of scp... | +------------------------+------------------+----------+ +---------------+-------------------------------------+ | openssh-clients | CVE-2020-14145 | MEDIUM | | | openssh: Observable | | | | | | | Discrepancy leading to an | | | | | | | information leak in the | | | | | | | algorithm negotiation... | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-15778 | | | | openssh: scp allows command | | | | | | | injection when using | | | | | | | backtick characters in the | | | | | | | destination... | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2018-15919 | LOW | | | openssh: User enumeration | | | | | | | via malformed packets in | | | | | | | authentication requests | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2019-6110 | | | | openssh: Acceptance and | | | | | | | display of arbitrary stderr | | | | | | | allows for spoofing of scp... 
| +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | openssl | CVE-2021-23840 | MEDIUM | 1:1.1.1g-15.el8_3 | | openssl: integer overflow in | | | | | | | CipherUpdate | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2021-23841 | | | | openssl: NULL pointer | | | | | | | dereference in | | | | | | | X509_issuer_and_serial_hash() | +------------------------+------------------+ + +---------------+-------------------------------------+ | openssl-libs | CVE-2021-23840 | | | | openssl: integer overflow in | | | | | | | CipherUpdate | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2021-23841 | | | | openssl: NULL pointer | | | | | | | dereference in | | | | | | | X509_issuer_and_serial_hash() | +------------------------+------------------+ +-----------------------------------------------------+---------------+-------------------------------------+ | p11-kit | CVE-2020-29361 | | 0.23.14-5.el8_0 | | p11-kit: integer overflow when | | | | | | | allocating memory for arrays | | | | | | | or attributes and object... | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-29362 | | | | p11-kit: out-of-bounds read in | | | | | | | p11_rpc_buffer_get_byte_array | | | | | | | function in rpc-message.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-29363 | | | | p11-kit: out-of-bounds write in | | | | | | | p11_rpc_buffer_get_byte_array_value | | | | | | | function in rpc-message.c | +------------------------+------------------+ + +---------------+-------------------------------------+ | p11-kit-trust | CVE-2020-29361 | | | | p11-kit: integer overflow when | | | | | | | allocating memory for arrays | | | | | | | or attributes and object... 
LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE
(cont.) | CVE-2020-29362 | | | | p11-kit: out-of-bounds read in p11_rpc_buffer_get_byte_array function in rpc-message.c
(cont.) | CVE-2020-29363 | | | | p11-kit: out-of-bounds write in p11_rpc_buffer_get_byte_array_value function in rpc-message.c
pcre | CVE-2019-20838 | LOW | 8.42-4.el8 | | pcre: buffer over-read in JIT when UTF is disabled
pcre | CVE-2020-14155 | LOW | 8.42-4.el8 | | pcre: integer overflow in libpcre
pcre-cpp | CVE-2019-20838 | LOW | 8.42-4.el8 | | pcre: buffer over-read in JIT when UTF is disabled
pcre-cpp | CVE-2020-14155 | LOW | 8.42-4.el8 | | pcre: integer overflow in libpcre
pcre-devel | CVE-2019-20838 | LOW | 8.42-4.el8 | | pcre: buffer over-read in JIT when UTF is disabled
pcre-devel | CVE-2020-14155 | LOW | 8.42-4.el8 | | pcre: integer overflow in libpcre
pcre-utf16 | CVE-2019-20838 | LOW | 8.42-4.el8 | | pcre: buffer over-read in JIT when UTF is disabled
pcre-utf16 | CVE-2020-14155 | LOW | 8.42-4.el8 | | pcre: integer overflow in libpcre
pcre-utf32 | CVE-2019-20838 | LOW | 8.42-4.el8 | | pcre: buffer over-read in JIT when UTF is disabled
pcre-utf32 | CVE-2020-14155 | LOW | 8.42-4.el8 | | pcre: integer overflow in libpcre
perl-Errno | CVE-2020-10543 | MEDIUM | 1.28-417.el8_3 | | perl: heap-based buffer overflow in regular expression compiler leads to DoS
perl-Errno | CVE-2020-10878 | MEDIUM | 1.28-417.el8_3 | | perl: corruption of intermediate language state of compiled regular expression due to...
perl-Git | CVE-2018-1000021 | MEDIUM | 2.27.0-1.el8 | | git: client prints server-sent ANSI escape codes to the terminal, allowing for...
perl-Git | CVE-2021-21300 | MEDIUM | 2.27.0-1.el8 | | git: remote code execution during clone operation on case-insensitive filesystems
perl-IO | CVE-2020-10543 | MEDIUM | 1.38-417.el8_3 | | perl: heap-based buffer overflow in regular expression compiler leads to DoS
perl-IO | CVE-2020-10878 | MEDIUM | 1.38-417.el8_3 | | perl: corruption of intermediate language state of compiled regular expression due to...
perl-interpreter | CVE-2020-10543 | MEDIUM | 4:5.26.3-417.el8_3 | | perl: heap-based buffer overflow in regular expression compiler leads to DoS
perl-interpreter | CVE-2020-10878 | MEDIUM | 4:5.26.3-417.el8_3 | | perl: corruption of intermediate language state of compiled regular expression due to...
perl-libs | CVE-2020-10543 | MEDIUM | 4:5.26.3-417.el8_3 | | perl: heap-based buffer overflow in regular expression compiler leads to DoS
perl-libs | CVE-2020-10878 | MEDIUM | 4:5.26.3-417.el8_3 | | perl: corruption of intermediate language state of compiled regular expression due to...
perl-macros | CVE-2020-10543 | MEDIUM | 4:5.26.3-417.el8_3 | | perl: heap-based buffer overflow in regular expression compiler leads to DoS
perl-macros | CVE-2020-10878 | MEDIUM | 4:5.26.3-417.el8_3 | | perl: corruption of intermediate language state of compiled regular expression due to...
platform-python | CVE-2020-26116 | MEDIUM | 3.6.8-31.el8 | | python: CRLF injection via HTTP request method in httplib/http.client
platform-python | CVE-2020-27619 | MEDIUM | 3.6.8-31.el8 | | python: Python 3 eval of http resources during test suite runs
platform-python | CVE-2021-23336 | MEDIUM | 3.6.8-31.el8 | | python: Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a semicolon...
platform-python | CVE-2021-3177 | MEDIUM | 3.6.8-31.el8 | | python: Stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c
platform-python | CVE-2021-3426 | MEDIUM | 3.6.8-31.el8 | | python: information disclosure via pydoc
platform-python | CVE-2019-9674 | LOW | 3.6.8-31.el8 | | python: Nested zip file (Zip bomb) vulnerability in Lib/zipfile.py
python3-hawkey | CVE-2021-3445 | MEDIUM | 0.48.0-5.el8 | | libdnf: libdnf does its own signature verification, but this can be tricked...
python3-libdnf | CVE-2021-3445 | MEDIUM | 0.48.0-5.el8 | | libdnf: libdnf does its own signature verification, but this can be tricked...
python3-libs | CVE-2020-26116 | MEDIUM | 3.6.8-31.el8 | | python: CRLF injection via HTTP request method in httplib/http.client
python3-libs | CVE-2020-27619 | MEDIUM | 3.6.8-31.el8 | | python: Python 3 eval of http resources during test suite runs
python3-libs | CVE-2021-23336 | MEDIUM | 3.6.8-31.el8 | | python: Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a semicolon...
python3-libs | CVE-2021-3177 | MEDIUM | 3.6.8-31.el8 | | python: Stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c
python3-libs | CVE-2021-3426 | MEDIUM | 3.6.8-31.el8 | | python: information disclosure via pydoc
python3-libs | CVE-2019-9674 | LOW | 3.6.8-31.el8 | | python: Nested zip file (Zip bomb) vulnerability in Lib/zipfile.py
python3-libxml2 | CVE-2020-24977 | MEDIUM | 2.9.7-8.el8 | | libxml2: Buffer overflow vulnerability in xmlEncodeEntitiesInternal() in entities.c
python3-libxml2 | CVE-2021-3516 | MEDIUM | 2.9.7-8.el8 | | libxml2: use-after-free in xmlEncodeEntitiesInternal() in entities.c
python3-libxml2 | CVE-2021-3517 | MEDIUM | 2.9.7-8.el8 | | libxml2: heap-based buffer overflow in xmlEncodeEntitiesInternal() in entities.c
python3-libxml2 | CVE-2021-3518 | MEDIUM | 2.9.7-8.el8 | | libxml2: use-after-free in xmlXIncludeDoProcess() in xinclude.c
python3-libxml2 | CVE-2021-3537 | MEDIUM | 2.9.7-8.el8 | | libxml2: NULL pointer dereference in valid.c in xmlValidBuildAContentModel
python3-pip-wheel | CVE-2018-20225 | LOW | 9.0.3-18.el8 | | python-pip: when --extra-index-url option is used and package does not already exist...
python3-rpm | CVE-2021-20271 | MEDIUM | 4.14.3-4.el8 | | rpm: Signature checks bypass via corrupted rpm package
python3-rpm | CVE-2021-3421 | MEDIUM | 4.14.3-4.el8 | | rpm: unsigned signature header leads to string injection into an rpm database...
python3-rpm | CVE-2021-20266 | LOW | 4.14.3-4.el8 | | rpm: missing length checks in hdrblobInit()
python3-urllib3 | CVE-2020-26137 | MEDIUM | 1.24.2-4.el8 | | python-urllib3: CRLF injection via HTTP request method
rpm | CVE-2021-20271 | MEDIUM | 4.14.3-4.el8 | | rpm: Signature checks bypass via corrupted rpm package
rpm | CVE-2021-3421 | MEDIUM | 4.14.3-4.el8 | | rpm: unsigned signature header leads to string injection into an rpm database...
rpm | CVE-2021-20266 | LOW | 4.14.3-4.el8 | | rpm: missing length checks in hdrblobInit()
rpm-build-libs | CVE-2021-20271 | MEDIUM | 4.14.3-4.el8 | | rpm: Signature checks bypass via corrupted rpm package
rpm-build-libs | CVE-2021-3421 | MEDIUM | 4.14.3-4.el8 | | rpm: unsigned signature header leads to string injection into an rpm database...
rpm-build-libs | CVE-2021-20266 | LOW | 4.14.3-4.el8 | | rpm: missing length checks in hdrblobInit()
rpm-libs | CVE-2021-20271 | MEDIUM | 4.14.3-4.el8 | | rpm: Signature checks bypass via corrupted rpm package
rpm-libs | CVE-2021-3421 | MEDIUM | 4.14.3-4.el8 | | rpm: unsigned signature header leads to string injection into an rpm database...
rpm-libs | CVE-2021-20266 | LOW | 4.14.3-4.el8 | | rpm: missing length checks in hdrblobInit()
sqlite-libs | CVE-2019-5827 | HIGH | 3.26.0-11.el8 | | chromium-browser: out-of-bounds access in SQLite
sqlite-libs | CVE-2019-13750 | MEDIUM | 3.26.0-11.el8 | | sqlite: dropping of shadow tables not restricted in defensive mode
sqlite-libs | CVE-2019-13751 | MEDIUM | 3.26.0-11.el8 | | sqlite: fts3: improve detection of corrupted records
sqlite-libs | CVE-2019-19603 | MEDIUM | 3.26.0-11.el8 | | sqlite: mishandles certain SELECT statements with a nonexistent VIEW, leading to DoS...
sqlite-libs | CVE-2019-19645 | MEDIUM | 3.26.0-11.el8 | | sqlite: infinite recursion via certain types of self-referential views in conjunction with...
sqlite-libs | CVE-2019-19880 | MEDIUM | 3.26.0-11.el8 | | sqlite: invalid pointer dereference in exprListAppendList in window.c
sqlite-libs | CVE-2020-13434 | MEDIUM | 3.26.0-11.el8 | | sqlite: integer overflow in sqlite3_str_vappendf function in printf.c
sqlite-libs | CVE-2020-13435 | MEDIUM | 3.26.0-11.el8 | | sqlite: NULL pointer dereference leads to segmentation fault in sqlite3ExprCodeTarget in expr.c...
sqlite-libs | CVE-2020-15358 | MEDIUM | 3.26.0-11.el8 | | sqlite: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization...
sqlite-libs | CVE-2019-19244 | LOW | 3.26.0-11.el8 | | sqlite: allows a crash if a sub-select uses both DISTINCT and window...
sqlite-libs | CVE-2019-9936 | LOW | 3.26.0-11.el8 | | sqlite: heap-based buffer over-read in function fts5HashEntrySort in sqlite3.c
sqlite-libs | CVE-2019-9937 | LOW | 3.26.0-11.el8 | | sqlite: null-pointer dereference in function fts5ChunkIterate in sqlite3.c
systemd | CVE-2018-20839 | MEDIUM | 239-41.el8_3.2 | | systemd: mishandling of the current keyboard mode check leading to passwords being...
systemd | CVE-2019-3842 | MEDIUM | 239-41.el8_3.2 | | systemd: Spoofing of XDG_SEAT allows for actions to be checked against "allow_active"...
systemd | CVE-2020-13776 | MEDIUM | 239-41.el8_3.2 | | systemd: Mishandles numerical usernames beginning with decimal digits or 0x followed by...
systemd-libs | CVE-2018-20839 | MEDIUM | 239-41.el8_3.2 | | systemd: mishandling of the current keyboard mode check leading to passwords being...
systemd-libs | CVE-2019-3842 | MEDIUM | 239-41.el8_3.2 | | systemd: Spoofing of XDG_SEAT allows for actions to be checked against "allow_active"...
systemd-libs | CVE-2020-13776 | MEDIUM | 239-41.el8_3.2 | | systemd: Mishandles numerical usernames beginning with decimal digits or 0x followed by...
systemd-pam | CVE-2018-20839 | MEDIUM | 239-41.el8_3.2 | | systemd: mishandling of the current keyboard mode check leading to passwords being...
systemd-pam | CVE-2019-3842 | MEDIUM | 239-41.el8_3.2 | | systemd: Spoofing of XDG_SEAT allows for actions to be checked against "allow_active"...
systemd-pam | CVE-2020-13776 | MEDIUM | 239-41.el8_3.2 | | systemd: Mishandles numerical usernames beginning with decimal digits or 0x followed by...
tar | CVE-2021-20193 | MEDIUM | 2:1.30-5.el8 | | tar: Memory leak in read_header() in list.c
tar | CVE-2019-9923 | LOW | 2:1.30-5.el8 | | tar: null-pointer dereference in pax_decode_header in sparse.c
vim-minimal | CVE-2018-20786 | LOW | 2:8.0.1763-15.el8 | | libvterm: NULL pointer dereference in vterm_screen_set_callbacks
xdg-utils | CVE-2020-27748 | MEDIUM | 1.1.2-5.el8 | | xdg-utils: local file inclusion vulnerability
xorg-x11-server-Xvfb | CVE-2020-14345 | HIGH | 1.20.8-6.1.el8_3 | | xorg-x11-server: Out-of-bounds access in XkbSetNames function
xorg-x11-server-Xvfb | CVE-2020-14346 | HIGH | 1.20.8-6.1.el8_3 | | xorg-x11-server: Integer underflow in the X input extension protocol
xorg-x11-server-Xvfb | CVE-2020-14360 | HIGH | 1.20.8-6.1.el8_3 | | xorg-x11-server: Out-of-bounds access in XkbSetMap function
xorg-x11-server-Xvfb | CVE-2020-14361 | HIGH | 1.20.8-6.1.el8_3 | | xorg-x11-server: XkbSelectEvents integer underflow privilege escalation vulnerability
xorg-x11-server-Xvfb | CVE-2020-14362 | HIGH | 1.20.8-6.1.el8_3 | | xorg-x11-server: XRecordRegisterClients integer underflow privilege escalation vulnerability
xorg-x11-server-Xvfb | CVE-2020-25712 | HIGH | 1.20.8-6.1.el8_3 | | xorg-x11-server: XkbSetDeviceInfo heap-based buffer overflow privilege escalation vulnerability
xorg-x11-server-Xvfb | CVE-2021-3472 | HIGH | 1.20.8-6.1.el8_3 | | xorg-x11-server: XChangeFeedbackControl integer underflow leads to privilege escalation
xorg-x11-server-Xvfb | CVE-2020-14347 | MEDIUM | 1.20.8-6.1.el8_3 | | xorg-x11-server: Leak of uninitialized heap memory from the X server to clients...
xorg-x11-server-Xvfb | CVE-2020-25697 | MEDIUM | 1.20.8-6.1.el8_3 | | xorg-x11-server: local privilege escalation
xorg-x11-server-common | CVE-2020-14345 | HIGH | 1.20.8-6.1.el8_3 | | xorg-x11-server: Out-of-bounds access in XkbSetNames function
xorg-x11-server-common | CVE-2020-14346 | HIGH | 1.20.8-6.1.el8_3 | | xorg-x11-server: Integer underflow in the X input extension protocol
xorg-x11-server-common | CVE-2020-14360 | HIGH | 1.20.8-6.1.el8_3 | | xorg-x11-server: Out-of-bounds access in XkbSetMap function
xorg-x11-server-common | CVE-2020-14361 | HIGH | 1.20.8-6.1.el8_3 | | xorg-x11-server: XkbSelectEvents integer underflow privilege escalation vulnerability
xorg-x11-server-common | CVE-2020-14362 | HIGH | 1.20.8-6.1.el8_3 | | xorg-x11-server: XRecordRegisterClients integer underflow privilege escalation vulnerability
xorg-x11-server-common | CVE-2020-25712 | HIGH | 1.20.8-6.1.el8_3 | | xorg-x11-server: XkbSetDeviceInfo heap-based buffer overflow privilege escalation vulnerability
xorg-x11-server-common | CVE-2021-3472 | HIGH | 1.20.8-6.1.el8_3 | | xorg-x11-server: XChangeFeedbackControl integer underflow leads to privilege escalation
xorg-x11-server-common | CVE-2020-14347 | MEDIUM | 1.20.8-6.1.el8_3 | | xorg-x11-server: Leak of uninitialized heap memory from the X server to clients...
xorg-x11-server-common | CVE-2020-25697 | MEDIUM | 1.20.8-6.1.el8_3 | | xorg-x11-server: local privilege escalation

package-lock.json
=================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

$ trivy --no-progress -f json -o gl-container-scanning-report.json --input /image
2021-05-06T17:42:44.944Z INFO Detecting RHEL/CentOS vulnerabilities...
2021-05-06T17:42:44.950Z INFO Detecting npm vulnerabilities...
$ echo "This scan is currently only implemented for awareness, no pipeline actions are taken as a result of the scans"
This scan is currently only implemented for awareness, no pipeline actions are taken as a result of the scans
section_end:1620322965:step_script
section_start:1620322965:upload_artifacts_on_success
Uploading artifacts for successful job
Uploading artifacts...
gl-container-scanning-report.json: found 1 matching files and directories
Uploading artifacts as "container_scanning" to coordinator... ok id=3153200 responseStatus=201 Created token=FMi4VKgf
section_end:1620322966:upload_artifacts_on_success
section_start:1620322966:cleanup_file_variables
Cleaning up file based variables
section_end:1620322966:cleanup_file_variables
Job succeeded