Running with gitlab-runner 13.6.0 (8fa89735)
  on bigbang-public-runner-gitlab-runner-848b4ffbcd-gxfzz pP4YiAQX
Resolving secrets
Preparing the "kubernetes" executor
Using Kubernetes namespace: private-bigbang-runner
Using Kubernetes executor with image aquasec/trivy:0.9.0 ...
Preparing environment
Waiting for pod private-bigbang-runner/runner-pp4yiaqx-project-2327-concurrent-0lv4q8 to be running, status is Pending
Running on runner-pp4yiaqx-project-2327-concurrent-0lv4q8 via bigbang-public-runner-gitlab-runner-848b4ffbcd-gxfzz...
Getting source from Git repository
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/platform-one/big-bang/pipeline-templates/pipeline-templates/.git/
Created fresh repository.
Checking out df7adcd3 as compression...
Skipping Git submodules setup
Executing "step_script" stage of the job script
$ apk add skopeo
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/community/x86_64/APKINDEX.tar.gz
(1/26) Installing device-mapper-libs (2.02.186-r0)
(2/26) Installing libgpg-error (1.36-r2)
(3/26) Installing libassuan (2.5.3-r0)
(4/26) Installing libffi (3.2.1-r6)
(5/26) Installing libblkid (2.34-r1)
(6/26) Installing libmount (2.34-r1)
(7/26) Installing pcre (8.43-r1)
(8/26) Installing glib (2.62.6-r0)
(9/26) Installing ncurses-terminfo-base (6.1_p20200118-r4)
(10/26) Installing ncurses-libs (6.1_p20200118-r4)
(11/26) Installing libgcrypt (1.8.5-r0)
(12/26) Installing libsecret (0.19.1-r0)
(13/26) Installing pinentry (1.1.0-r2)
Executing pinentry-1.1.0-r2.post-install
(14/26) Installing gmp (6.1.2-r1)
(15/26) Installing nettle (3.5.1-r0)
(16/26) Installing p11-kit (0.23.18.1-r1)
(17/26) Installing libtasn1 (4.15.0-r0)
(18/26) Installing libunistring (0.9.10-r0)
(19/26) Installing gnutls (3.6.15-r1)
(20/26) Installing libksba (1.3.5-r0)
(21/26) Installing libsasl (2.1.27-r5)
(22/26) Installing libldap (2.4.48-r3)
(23/26) Installing npth (1.6-r0)
(24/26) Installing gnupg (2.2.19-r0)
(25/26) Installing gpgme (1.13.1-r1)
(26/26) Installing skopeo (0.1.40-r1)
Executing busybox-1.31.1-r9.trigger
OK: 79 MiB in 64 packages
$ skopeo copy --screds $CI_REGISTRY_USER:$CI_REGISTRY_PASSWORD docker://$IMAGE:$CI_COMMIT_SHORT_SHA oci:/image
Getting image source signatures
Copying blob sha256:4b21dcdd136d133a4df0840e656af2f488c226dd384a98b89ced79064a4081b4
Copying blob sha256:55eda774346862e410811e3fa91cefe805bc11ff46fad425dd1b712709c05bbc
Copying blob sha256:7b1dc3c1a845675edb65d95f897bd9be4f30699a30ffaba29975bfa11a056d58
Copying blob sha256:9a3bdf4a1eaa9798ceff51502e1125129914280e2e695d290a90f97787ae23f0
Copying blob sha256:c9e482c60de961d66c00c47bfcc67d6470384304331c8a44eeff16d531ffc58d
Copying blob sha256:ec1043225c383203fa9c69be4365bc51f2c6a502926d858d6cfec7ba7c52abaf
Copying blob sha256:f4a5ff3120f142a96ec8c7bfec786cf5b753e9e64e065ac2ca111400ee66ec6f
Copying blob sha256:b82c3486fad862f114cf5ad55bf43b1ffa528fa32c72da20f7cc7bb47c1294fe
Copying blob sha256:8219fe929cea25cab4f933c38a08c4911d38f5f35a9b26c514fcf5ed1eb4b0c3
Copying blob sha256:fa16972afd26524eeb68c4a3a7126f92bf5c07e2e7bf285782478c6999c1aa0b
Copying blob sha256:a1ded97b2f97b8fe33b140a59cc5dc233b5360973801276b91a8fd5a268bb629
Copying blob sha256:f59b8835dc26817471972269584631867656a3d013cb64b1244fc63cdf9d5cc1
Copying blob sha256:4271f7fc8a2e536cc95f22ba56524b72ba2df816ce412eed32727173bb6ab3ba
Copying blob sha256:c9ad88e6362321f3c80ca5080c13577b16c17efb2d8edd176d15396911a16f2a
Copying blob sha256:6a06af6103882f2326e73350d4dc69f7208c1609990b95b4e29d8b385f715326
Copying blob sha256:a694a5086ae38329c6e940ea4b804e9669bbd32bffd9866e4a26ffbf61b597eb
Copying blob sha256:913572a6f65f6ad729d3b130fdbe15e3f9fb4cf2193426b26126c0726ad77d4c
Copying blob sha256:1e3da4919622dc198c7d9df1e3dd065b56c7fbb7b6d9b12db86278eeaca78e06
Copying blob sha256:245946f5c96ea77965d3a23797b45ca56bcb024b3d7991f9ca5ce77b22341e83
Copying blob sha256:24e7439601ffc34d0e2cc9945ba65d9f465d980288a98cc37e97f77fd6720b45
Copying blob sha256:dc17f93209afea5d33f93536bbf5bfa602e6e6d5d0655c41fe04492e09aa365d
Copying blob sha256:6945b764c5d30453f05ca258985d1012f463d8584a5c52801d4ef5aff8fa3bc4
Copying blob sha256:085e7efd28f40dd877ded44177596ab1b2e2134cb7157fbc69c34ea434f88a90
Copying blob sha256:c9034bb351886b0c3d8260c45de51b2164ff9dd82b783c3312da1484cd9a326e
Copying blob sha256:298407b7256bb45aaa801968d685978edef5fbfd22b242be90d3cc96aa8b4475
Copying blob sha256:b66bb35c7f234220519560d4b282334f796dd93449691e6a9b98fda1b2e6e42d
Copying blob sha256:b92644e36e53de2aa222bacd8d55e290315da5b8eb799ab9894032f49f790d3b
Copying blob sha256:b24f034a66e5b7e67e912c75bf1b23fea0838c990cba514b57c8d69d9ea61f7b
Copying blob sha256:a8175dc613df14d4541087b7720493ca9dd015c5863fc48048cdcac4ff884cc4
Copying blob sha256:7e5bd103db5ddf3574482744f1c17b90000dfa03be48dc576e12c0a21807a6a6
Copying blob sha256:54b74727d063d664fcee137ecd264d758a30d059b048492890e8c216165c5f03
Copying blob sha256:7992cffe4aa1acc33aa47346a7fa0c0e6ec4c596ebc6deb291ef446b8e2c5d8d
Copying blob sha256:0e1ec1a5eaebe4a1b57b5a4151fe7bc0890e0d2c39a3594f6da948500d065eaf
Copying blob sha256:0ccf46f2e9c785ed93aa6c853b5747c75ae0afb7d490227660d47a64073758cc
Copying blob sha256:563b0feb665514185fee8021474c2724c4e22f929f1a081b6444ae13ff10f8c7
Copying blob sha256:eef6c865d6860ab770a5b1cdddf120943c2d304724cc25aa4f609d43741471c4
Copying blob sha256:dee0dc2808c5d30ff43f5bf8f5198589af29c154c9f5bbe5196e05f9d211e9d8
Copying blob sha256:66fb26c9a0f9bb94cb54f67223992fca4eb460c225427462986ef139e8c93e43
Copying blob sha256:1a191df9d614233745fd91891fb91f828dbeacf534c324af4e4f827695ac0579
Copying blob sha256:811ff3f7e23f088327fd3df59398dd4b49d2b74eaf0f32202f83e8ba3a563dbe
Copying blob sha256:b8c8f185f4e4a8452510f7fa431044059b45031f67dc9142ab39b27163d07c41
Copying config sha256:1c1d7bd509935ccba8a77117cb157eb1679c9b03f85801e7c63dfea6af725f06
Writing manifest to image destination
Storing signatures
$ trivy --no-progress --input /image
2021-05-12T19:10:29.059Z INFO Need to update DB
2021-05-12T19:10:29.059Z INFO Downloading DB...
2021-05-12T19:10:44.843Z INFO Detecting RHEL/CentOS vulnerabilities...
2021-05-12T19:10:44.852Z INFO Detecting npm vulnerabilities...
/image (redhat 8.3)
===================
Total: 339 (UNKNOWN: 0, LOW: 127, MEDIUM: 193, HIGH: 19, CRITICAL: 0)

| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
| avahi-libs | CVE-2021-3468 | MEDIUM | 0.7-19.el8 | | avahi: Local DoS by event-busy-loop from writing long lines to /run/avahi-daemon/socket |
| avahi-libs | CVE-2017-6519 | LOW | 0.7-19.el8 | | avahi: Multicast DNS responds to unicast queries outside of local network |
| bash | CVE-2019-18276 | LOW | 4.4.19-12.el8 | | bash: when effective UID is not equal to its real UID the... |
| brotli | CVE-2020-8927 | MEDIUM | 1.0.6-2.el8 | | brotli: buffer overflow when input chunk is larger than 2GiB |
| bzip2-devel | CVE-2019-12900 | LOW | 1.0.6-26.el8 | | bzip2: out-of-bounds write in function BZ2_decompress |
| bzip2-libs | CVE-2019-12900 | LOW | 1.0.6-26.el8 | | bzip2: out-of-bounds write in function BZ2_decompress |
| cairo | CVE-2018-18064 | MEDIUM | 1.15.12-3.el8 | | cairo: Stack-based buffer overflow via parsing of crafted WebKitGTK+ document |
| cairo | CVE-2020-35492 | MEDIUM | 1.15.12-3.el8 | | cairo: libreoffice slideshow aborts with stack smashing in cairo's composite_boxes |
| cairo | CVE-2018-19876 | LOW | 1.15.12-3.el8 | | cairo: Invalid free in cairo_ft_apply_variations() resulting in a denial of service |
| cairo | CVE-2019-6461 | LOW | 1.15.12-3.el8 | | cairo: assertion problem in _cairo_arc_in_direction in cairo-arc.c |
| cairo | CVE-2019-6462 | LOW | 1.15.12-3.el8 | | cairo: infinite loop in the function _arc_error_normalized in the file cairo-arc.c |
| cairo-devel | CVE-2018-18064 | MEDIUM | 1.15.12-3.el8 | | cairo: Stack-based buffer overflow via parsing of crafted WebKitGTK+ document |
| cairo-devel | CVE-2020-35492 | MEDIUM | 1.15.12-3.el8 | | cairo: libreoffice slideshow aborts with stack smashing in cairo's composite_boxes |
| cairo-devel | CVE-2018-19876 | LOW | 1.15.12-3.el8 | | cairo: Invalid free in cairo_ft_apply_variations() resulting in a denial of service |
| cairo-devel | CVE-2019-6461 | LOW | 1.15.12-3.el8 | | cairo: assertion problem in _cairo_arc_in_direction in cairo-arc.c |
| cairo-devel | CVE-2019-6462 | LOW | 1.15.12-3.el8 | | cairo: infinite loop in the function _arc_error_normalized in the file cairo-arc.c |
| cairo-gobject | CVE-2018-18064 | MEDIUM | 1.15.12-3.el8 | | cairo: Stack-based buffer overflow via parsing of crafted WebKitGTK+ document |
| cairo-gobject | CVE-2020-35492 | MEDIUM | 1.15.12-3.el8 | | cairo: libreoffice slideshow aborts with stack smashing in cairo's composite_boxes |
| cairo-gobject | CVE-2018-19876 | LOW | 1.15.12-3.el8 | | cairo: Invalid free in cairo_ft_apply_variations() resulting in a denial of service |
| cairo-gobject | CVE-2019-6461 | LOW | 1.15.12-3.el8 | | cairo: assertion problem in _cairo_arc_in_direction in cairo-arc.c |
| cairo-gobject | CVE-2019-6462 | LOW | 1.15.12-3.el8 | | cairo: infinite loop in the function _arc_error_normalized in the file cairo-arc.c |
| cairo-gobject-devel | CVE-2018-18064 | MEDIUM | 1.15.12-3.el8 | | cairo: Stack-based buffer overflow via parsing of crafted WebKitGTK+ document |
| cairo-gobject-devel | CVE-2020-35492 | MEDIUM | 1.15.12-3.el8 | | cairo: libreoffice slideshow aborts with stack smashing in cairo's composite_boxes |
| cairo-gobject-devel | CVE-2018-19876 | LOW | 1.15.12-3.el8 | | cairo: Invalid free in cairo_ft_apply_variations() resulting in a denial of service |
| cairo-gobject-devel | CVE-2019-6461 | LOW | 1.15.12-3.el8 | | cairo: assertion problem in _cairo_arc_in_direction in cairo-arc.c |
| cairo-gobject-devel | CVE-2019-6462 | LOW | 1.15.12-3.el8 | | cairo: infinite loop in the function _arc_error_normalized in the file cairo-arc.c |
| coreutils-single | CVE-2017-18018 | MEDIUM | 8.30-8.el8 | | coreutils: race condition vulnerability in chown and chgrp |
| cups-libs | CVE-2020-10001 | MEDIUM | 1:2.2.6-38.el8 | | cups: access to uninitialized buffer in ipp.c |
| cups-libs | CVE-2021-25317 | LOW | 1:2.2.6-38.el8 | | cups: insecure permissions of /var/log/cups allows for symlink attacks |
| curl | CVE-2020-8284 | MEDIUM | 7.61.1-14.el8_3.1 | | curl: FTP PASV command response can cause curl to connect to arbitrary... |
| curl | CVE-2020-8285 | MEDIUM | 7.61.1-14.el8_3.1 | | curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used... |
| curl | CVE-2020-8286 | MEDIUM | 7.61.1-14.el8_3.1 | | curl: Inferior OCSP verification |
| curl | CVE-2021-22876 | MEDIUM | 7.61.1-14.el8_3.1 | | curl: Leak of authentication credentials in URL via automatic Referer |
| curl | CVE-2020-8231 | LOW | 7.61.1-14.el8_3.1 | | curl: Expired pointer dereference via multi API with CURLOPT_CONNECT_ONLY option set |
| dbus | CVE-2020-35512 | LOW | 1:1.12.8-12.el8_3 | | dbus: users with the same numeric UID could lead to use-after-free and... |
| dbus-common | CVE-2020-35512 | LOW | 1:1.12.8-12.el8_3 | | dbus: users with the same numeric UID could lead to use-after-free and... |
| dbus-daemon | CVE-2020-35512 | LOW | 1:1.12.8-12.el8_3 | | dbus: users with the same numeric UID could lead to use-after-free and... |
| dbus-devel | CVE-2020-35512 | LOW | 1:1.12.8-12.el8_3 | | dbus: users with the same numeric UID could lead to use-after-free and... |
| dbus-libs | CVE-2020-35512 | LOW | 1:1.12.8-12.el8_3 | | dbus: users with the same numeric UID could lead to use-after-free and... |
| dbus-tools | CVE-2020-35512 | LOW | 1:1.12.8-12.el8_3 | | dbus: users with the same numeric UID could lead to use-after-free and... |
| file-libs | CVE-2019-18218 | MEDIUM | 5.33-16.el8_3.1 | | file: heap-based buffer overflow in cdf_read_property_info in cdf.c |
| file-libs | CVE-2019-8905 | LOW | 5.33-16.el8_3.1 | | file: stack-based buffer over-read in do_core_note in readelf.c |
| file-libs | CVE-2019-8906 | LOW | 5.33-16.el8_3.1 | | file: out-of-bounds read in do_core_note in readelf.c |
| git | CVE-2018-1000021 | MEDIUM | 2.27.0-1.el8 | | git: client prints server-sent ANSI escape codes to the terminal, allowing for... |
| git | CVE-2021-21300 | MEDIUM | 2.27.0-1.el8 | | git: remote code execution during clone operation on case-insensitive filesystems |
| git-core | CVE-2018-1000021 | MEDIUM | 2.27.0-1.el8 | | git: client prints server-sent ANSI escape codes to the terminal, allowing for... |
| git-core | CVE-2021-21300 | MEDIUM | 2.27.0-1.el8 | | git: remote code execution during clone operation on case-insensitive filesystems |
| git-core-doc | CVE-2018-1000021 | MEDIUM | 2.27.0-1.el8 | | git: client prints server-sent ANSI escape codes to the terminal, allowing for... |
| git-core-doc | CVE-2021-21300 | MEDIUM | 2.27.0-1.el8 | | git: remote code execution during clone operation on case-insensitive filesystems |
| glib-networking | CVE-2020-13645 | MEDIUM | 2.56.1-1.1.el8 | | glib-networking: GTlsClientConnection silently ignores unset server identity |
| glib2 | CVE-2021-27218 | MEDIUM | 2.56.4-8.el8 | | glib: integer overflow in g_byte_array_new_take function when called with a buffer of... |
| glib2 | CVE-2021-27219 | MEDIUM | 2.56.4-8.el8 | | glib: integer overflow in g_bytes_new function on 64-bit platforms due to an... |
| glib2 | CVE-2018-16428 | LOW | 2.56.4-8.el8 | | glib2: NULL pointer dereference in g_markup_parse_context_end_parse() function in gmarkup.c |
| glib2 | CVE-2018-16429 | LOW | 2.56.4-8.el8 | | glib2: Out-of-bounds read in g_markup_parse_context_parse() in gmarkup.c |
| glib2 | CVE-2019-13012 | LOW | 2.56.4-8.el8 | | glib2: insecure permissions for files and directories |
| glib2 | CVE-2021-28153 | LOW | 2.56.4-8.el8 | | glib: g_file_replace() with G_FILE_CREATE_REPLACE_DESTINATION creates empty target for dangling symlink |
| glib2-devel | CVE-2021-27218 | MEDIUM | 2.56.4-8.el8 | | glib: integer overflow in g_byte_array_new_take function when called with a buffer of... |
| glib2-devel | CVE-2021-27219 | MEDIUM | 2.56.4-8.el8 | | glib: integer overflow in g_bytes_new function on 64-bit platforms due to an... |
| glib2-devel | CVE-2018-16428 | LOW | 2.56.4-8.el8 | | glib2: NULL pointer dereference in g_markup_parse_context_end_parse() function in gmarkup.c |
| glib2-devel | CVE-2018-16429 | LOW | 2.56.4-8.el8 | | glib2: Out-of-bounds read in g_markup_parse_context_parse() in gmarkup.c |
| glib2-devel | CVE-2019-13012 | LOW | 2.56.4-8.el8 | | glib2: insecure permissions for files and directories |
| glib2-devel | CVE-2021-28153 | LOW | 2.56.4-8.el8 | | glib: g_file_replace() with G_FILE_CREATE_REPLACE_DESTINATION creates empty target for dangling symlink |
| glibc | CVE-2019-1010022 | MEDIUM | 2.28-127.el8_3.2 | | glibc: stack guard protection bypass |
| glibc | CVE-2019-25013 | MEDIUM | 2.28-127.el8_3.2 | | glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in... |
| glibc | CVE-2019-9169 | MEDIUM | 2.28-127.el8_3.2 | | glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read... |
| glibc | CVE-2021-3326 | MEDIUM | 2.28-127.el8_3.2 | | glibc: Assertion failure in ISO-2022-JP-3 gconv module related to combining characters |
| glibc | CVE-2016-10228 | LOW | 2.28-127.el8_3.2 | | glibc: iconv program can hang when invoked with the -c option |
| glibc | CVE-2020-27618 | LOW | 2.28-127.el8_3.2 | | glibc: iconv when processing invalid multi-byte input sequences fails to advance the... |
| glibc | CVE-2021-27645 | LOW | 2.28-127.el8_3.2 | | glibc: Use-after-free in addgetnetgrentX function in netgroupcache.c |
| glibc-common | CVE-2019-1010022 | MEDIUM | 2.28-127.el8_3.2 | | glibc: stack guard protection bypass |
| glibc-common | CVE-2019-25013 | MEDIUM | 2.28-127.el8_3.2 | | glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in... |
| glibc-common | CVE-2019-9169 | MEDIUM | 2.28-127.el8_3.2 | | glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read... |
| glibc-common | CVE-2021-3326 | MEDIUM | 2.28-127.el8_3.2 | | glibc: Assertion failure in ISO-2022-JP-3 gconv module related to combining characters |
| glibc-common | CVE-2016-10228 | LOW | 2.28-127.el8_3.2 | | glibc: iconv program can hang when invoked with the -c option |
| glibc-common | CVE-2020-27618 | LOW | 2.28-127.el8_3.2 | | glibc: iconv when processing invalid multi-byte input sequences fails to advance the... |
| glibc-common | CVE-2021-27645 | LOW | 2.28-127.el8_3.2 | | glibc: Use-after-free in addgetnetgrentX function in netgroupcache.c |
| glibc-minimal-langpack | CVE-2019-1010022 | MEDIUM | 2.28-127.el8_3.2 | | glibc: stack guard protection bypass |
| glibc-minimal-langpack | CVE-2019-25013 | MEDIUM | 2.28-127.el8_3.2 | | glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in... |
| glibc-minimal-langpack | CVE-2019-9169 | MEDIUM | 2.28-127.el8_3.2 | | glibc: regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read... |
| glibc-minimal-langpack | CVE-2021-3326 | MEDIUM | 2.28-127.el8_3.2 | | glibc: Assertion failure in ISO-2022-JP-3 gconv module related to combining characters |
| glibc-minimal-langpack | CVE-2016-10228 | LOW | 2.28-127.el8_3.2 | | glibc: iconv program can hang when invoked with the -c option |
| glibc-minimal-langpack | CVE-2020-27618 | LOW | 2.28-127.el8_3.2 | | glibc: iconv when processing invalid multi-byte input sequences fails to advance the... |
| glibc-minimal-langpack | CVE-2021-27645 | LOW | 2.28-127.el8_3.2 | | glibc: Use-after-free in addgetnetgrentX function in netgroupcache.c |
| gnupg2 | CVE-2018-1000858 | MEDIUM | 2.2.20-2.el8 | | gnupg2: Cross site request forgery in dirmngr resulting in an information disclosure... |
| gnutls | CVE-2021-20231 | MEDIUM | 3.6.14-8.el8_3 | | gnutls: Use after free in client key_share extension |
| gnutls | CVE-2021-20232 | MEDIUM | 3.6.14-8.el8_3 | | gnutls: Use after free in client_send_params in lib/ext/pre_shared_key.c |
| jasper-libs | CVE-2017-5503 | MEDIUM | 2.0.14-4.el8 | | jasper: invalid memory write in dec_clnpass() |
| jasper-libs | CVE-2017-5504 | MEDIUM | 2.0.14-4.el8 | | jasper: Invalid memory read in jpc_undo_roi |
| jasper-libs | CVE-2017-5505 | MEDIUM | 2.0.14-4.el8 | | jasper: Invalid memory read in jas_matrix_asl |
| jasper-libs | CVE-2020-27828 | MEDIUM | 2.0.14-4.el8 | | jasper: Heap-based buffer overflow in cp_create() in jpc_enc.c |
| jasper-libs | CVE-2021-26926 | MEDIUM | 2.0.14-4.el8 | | jasper: Out of bounds read in jp2_decode() in jp2_dec.c |
| jasper-libs | CVE-2021-26927 | MEDIUM | 2.0.14-4.el8 | | jasper: NULL pointer dereference in jp2_decode() in jp2_dec.c |
| jasper-libs | CVE-2021-3272 | MEDIUM | 2.0.14-4.el8 | | jasper: Heap-based buffer over-read in jp2_decode() in jp2_dec.c |
| jasper-libs | CVE-2021-3443 | MEDIUM | 2.0.14-4.el8 | | jasper: NULL pointer dereference in jp2_decode() in jp2_dec.c |
| jasper-libs | CVE-2021-3467 | MEDIUM | 2.0.14-4.el8 | | jasper: NULL pointer dereference in jp2_decode() in jp2_dec.c |
| jasper-libs | CVE-2017-13745 | LOW | 2.0.14-4.el8 | | jasper: reachable abort in jpc_dec_process_sot() |
| jasper-libs | CVE-2017-5499 | LOW | 2.0.14-4.el8 | | jasper: Signed integer overflow in jpc_dequantize() in jpc_dec.c |
| jasper-libs | CVE-2017-9782 | LOW | 2.0.14-4.el8 | | jasper: cdef.ents[] heap-based buffer over-read in jp2_decode() |
| jasper-libs | CVE-2018-18873 | LOW | 2.0.14-4.el8 | | jasper: NULL pointer dereference in ras_putdatastd() in ras_enc.c |
| jasper-libs | CVE-2018-19139 | LOW | 2.0.14-4.el8 | | jasper: memory leak of data allocated in jpc_unk_getparms() after abort in jpc_dec_process_sot()... |
| jasper-libs | CVE-2018-19539 | LOW | 2.0.14-4.el8 | | jasper: access violation in jas_image_readcmpt() in jas_image.c |
| jasper-libs | CVE-2018-19540 | LOW | 2.0.14-4.el8 | | jasper: heap-based buffer overflow of size 1 in jas_icctxtdesc_input in libjasper/base/jas_icc.c |
| jasper-libs | CVE-2018-19541 | LOW | 2.0.14-4.el8 | | jasper: heap-based buffer over-read of size 8 in jas_image_depalettize in libjasper/base/jas_image.c |
| jasper-libs | CVE-2018-19542 | LOW | 2.0.14-4.el8 | | jasper: invalid access in jp2_decode in libjasper/jp2/jp2_dec.c |
| jasper-libs | CVE-2018-19543 | LOW | 2.0.14-4.el8 | | jasper: heap-based buffer over-read in jp2_decode() in jp2_dec.c |
| jasper-libs | CVE-2018-20570 | LOW | 2.0.14-4.el8 | | jasper: heap-based buffer over-read in jp2_encode() |
| jasper-libs | CVE-2018-20622 | LOW | 2.0.14-4.el8 | | jasper: memory leak in jpc_dec_decodepkt() |
| jasper-libs | CVE-2018-9055 | LOW | 2.0.14-4.el8 | | jasper: reachable assertion in jpc_firstone() in jpc_math.c |
| jasper-libs | CVE-2018-9252 | LOW | 2.0.14-4.el8 | | jasper: reachable assertion in jpc_abstorelstepsize() in jpc_enc.c |
| jq | CVE-2016-4074 | LOW | 1.5-12.el8 | | jq: stack exhaustion via jv_dump_term() function |
| json-c | CVE-2020-12762 | MEDIUM | 0.13.1-0.2.el8 | | json-c: integer overflow and out-of-bounds write via a large JSON file |
| krb5-libs | CVE-2020-28196 | MEDIUM | 1.18.2-5.el8 | | krb5: unbounded recursion via an ASN.1-encoded Kerberos message in lib/krb5/asn.1/asn1_encode.c may lead... |
| lcms2 | CVE-2018-16435 | MEDIUM | 2.9-2.el8 | | lcms2: Integer overflow in AllocateDataSet() in cmscgats.c leading to heap-based buffer overflow... |
| libX11 | CVE-2020-14363 | HIGH | 1.6.8-3.el8 | | libX11: integer overflow leads to double free in locale handling |
| libX11 | CVE-2020-14344 | MEDIUM | 1.6.8-3.el8 | | libX11: Heap overflow in the X input method client |
| libX11-common | CVE-2020-14363 | HIGH | 1.6.8-3.el8 | | libX11: integer overflow leads to double free in locale handling |
| libX11-common | CVE-2020-14344 | MEDIUM | 1.6.8-3.el8 | | libX11: Heap overflow in the X input method client |
| libX11-devel | CVE-2020-14363 | HIGH | 1.6.8-3.el8 | | libX11: integer overflow leads to double free in locale handling |
| libX11-devel | CVE-2020-14344 | MEDIUM | 1.6.8-3.el8 | | libX11: Heap overflow in the X input method client |
| libX11-xcb | CVE-2020-14363 | HIGH | 1.6.8-3.el8 | | libX11: integer overflow leads to double free in locale handling |
| libX11-xcb | CVE-2020-14344 | MEDIUM | 1.6.8-3.el8 | | libX11: Heap overflow in the X input method client |
| libarchive | CVE-2017-14502 | MEDIUM | 3.3.2-9.el8 | | libarchive: Off-by-one error in the read_header function |
| libarchive | CVE-2020-21674 | MEDIUM | 3.3.2-9.el8 | | libarchive: heap-based buffer overflow in archive_string_append_from_wcs function in archive_string.c |
| libarchive | CVE-2017-14166 | LOW | 3.3.2-9.el8 | | libarchive: Heap-based buffer over-read in the atol8 function |
| libarchive | CVE-2017-14501 | LOW | 3.3.2-9.el8 | | libarchive: Out-of-bounds read in parse_file_info |
| libarchive | CVE-2018-1000879 | LOW | 3.3.2-9.el8 | | libarchive: NULL pointer dereference in ACL parser resulting in a denial of... |
| libarchive | CVE-2018-1000880 | LOW | 3.3.2-9.el8 | | libarchive: Improper input validation in WARC parser resulting in a denial of... |
| libcurl | CVE-2020-8284 | MEDIUM | 7.61.1-14.el8_3.1 | | curl: FTP PASV command response can cause curl to connect to arbitrary... |
| libcurl | CVE-2020-8285 | MEDIUM | 7.61.1-14.el8_3.1 | | curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used... |
| + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-8286 | | | | curl: Inferior OCSP | | | | | | | verification | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2021-22876 | | | | curl: Leak of authentication | | | | | | | credentials in URL via | | | | | | | automatic Referer | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2020-8231 | LOW | | | curl: Expired pointer | | | | | | | dereference via multi API with | | | | | | | CURLOPT_CONNECT_ONLY option | | | | | | | set | +------------------------+------------------+ +-----------------------------------------------------+---------------+-------------------------------------+ | libdb | CVE-2019-2708 | | 5.3.28-39.el8 | | libdb: Denial of service in | | | | | | | the Data Store component | +------------------------+ + + +---------------+ + | libdb-utils | | | | | | | | | | | | | +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | libdnf | CVE-2021-3445 | MEDIUM | 0.48.0-5.el8 | | libdnf: libdnf does its own | | | | | | | signature verification, but | | | | | | | this can be tricked... | +------------------------+------------------+ +-----------------------------------------------------+---------------+-------------------------------------+ | libgcc | CVE-2018-20673 | | 8.3.1-5.1.el8 | | libiberty: Integer overflow in | | | | | | | demangle_template() function | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2018-20657 | LOW | | | libiberty: Memory leak in | | | | | | | demangle_template function | | | | | | | resulting in a denial of | | | | | | | service... 
| + +------------------+ + +---------------+-------------------------------------+ | | CVE-2019-14250 | | | | binutils: integer overflow in | | | | | | | simple-object-elf.c leads to a | | | | | | | heap-based buffer overflow | +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | libgcrypt | CVE-2019-12904 | MEDIUM | 1.8.5-4.el8 | | Libgcrypt: physical addresses | | | | | | | being available to other | | | | | | | processes leads to a | | | | | | | flush-and-reload... | +------------------------+------------------+ +-----------------------------------------------------+---------------+-------------------------------------+ | libgomp | CVE-2018-20673 | | 8.3.1-5.1.el8 | | libiberty: Integer overflow in | | | | | | | demangle_template() function | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2018-20657 | LOW | | | libiberty: Memory leak in | | | | | | | demangle_template function | | | | | | | resulting in a denial of | | | | | | | service... | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2019-14250 | | | | binutils: integer overflow in | | | | | | | simple-object-elf.c leads to a | | | | | | | heap-based buffer overflow | +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | libjpeg-turbo | CVE-2019-2201 | MEDIUM | 1.5.3-10.el8 | | libjpeg-turbo: several integer | | | | | | | overflows and subsequent | | | | | | | segfaults when attempting | | | | | | | to compress/decompress | | | | | | | gigapixel... 
| + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-13790 | | | | libjpeg-turbo: heap-based | | | | | | | buffer over-read in | | | | | | | get_rgb_row() in rdppm.c | +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | libpng | CVE-2019-7317 | LOW | 2:1.6.34-5.el8 | | libpng: use-after-free in | | | | | | | png_image_free in png.c | +------------------------+ + + +---------------+ + | libpng-devel | | | | | | | | | | | | | +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | libproxy | CVE-2020-25219 | MEDIUM | 0.4.15-5.2.el8 | | libproxy: uncontrolled | | | | | | | recursion via an infinite | | | | | | | stream response leading to | | | | | | | stack exhaustion... | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-26154 | | | | libproxy: sending more than | | | | | | | 102400 bytes in PAC without a | | | | | | | Content-Length present... 
| +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | libssh | CVE-2020-16135 | LOW | 0.9.4-2.el8 | | libssh: NULL pointer | | | | | | | dereference in sftpserver.c if | | | | | | | ssh_buffer_new returns NULL | +------------------------+ + + +---------------+ + | libssh-config | | | | | | | | | | | | | | | | | | | | +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | libstdc++ | CVE-2018-20673 | MEDIUM | 8.3.1-5.1.el8 | | libiberty: Integer overflow in | | | | | | | demangle_template() function | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2018-20657 | LOW | | | libiberty: Memory leak in | | | | | | | demangle_template function | | | | | | | resulting in a denial of | | | | | | | service... | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2019-14250 | | | | binutils: integer overflow in | | | | | | | simple-object-elf.c leads to a | | | | | | | heap-based buffer overflow | +------------------------+------------------+ +-----------------------------------------------------+---------------+-------------------------------------+ | libtasn1 | CVE-2018-1000654 | | 4.13-3.el8 | | libtasn1: Infinite loop in | | | | | | | _asn1_expand_object_id(ptree) | | | | | | | leads to memory exhaustion | +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | libtiff | CVE-2017-17095 | MEDIUM | 4.0.9-18.el8 | | libtiff: Heap-based buffer | | | | | | | overflow in tools/pal2rgb.c | | | | | | | can lead to denial of | | | | | | | service... 
| + +------------------+ + +---------------+-------------------------------------+ | | CVE-2018-15209 | | | | libtiff: Heap-based | | | | | | | buffer overflow in | | | | | | | ChopUpSingleUncompressedStrip | | | | | | | in tif_dirread.c | + +------------------+ + +---------------+ + | | CVE-2018-16335 | | | | | | | | | | | | | | | | | | | | | | | | | | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-35523 | | | | libtiff: Integer overflow in | | | | | | | tif_getimage.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-35524 | | | | libtiff: Heap-based buffer | | | | | | | overflow in TIFF2PDF tool | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2018-10779 | LOW | | | libtiff: heap-based buffer | | | | | | | over-read in TIFFWriteScanline | | | | | | | function in tif_write.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2018-10801 | | | | libtiff: memory leak in | | | | | | | bmp2tiff tool | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2018-17101 | | | | libtiff: Two out-of-bounds | | | | | | | writes in cpTags in | | | | | | | tools/tiff2bw.c and | | | | | | | tools/pal2rgb.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2018-19210 | | | | libtiff: NULL pointer | | | | | | | dereference in | | | | | | | TIFFWriteDirectorySec function | | | | | | | in tif_dirwrite.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2018-5360 | | | | LibTIFF: heap-based buffer | | | | | | | over-read in the ReadTIFFImage | | | | | | | function in coders/tiff.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2019-6128 | | | | libtiff: memory leak in | | | | | | | TIFFFdOpen function in | | | | | | | tif_unix.c when using 
pal2rgb | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-35521 | | | | libtiff: Memory allocation | | | | | | | failure in tiff2rgba | + +------------------+ + +---------------+ + | | CVE-2020-35522 | | | | | | | | | | | | +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | libxml2 | CVE-2020-24977 | MEDIUM | 2.9.7-8.el8 | | libxml2: Buffer overflow | | | | | | | vulnerability in | | | | | | | xmlEncodeEntitiesInternal() in | | | | | | | entities.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2021-3516 | | | | libxml2: use-after-free in | | | | | | | xmlEncodeEntitiesInternal() in | | | | | | | entities.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2021-3517 | | | | libxml2: heap-based | | | | | | | buffer overflow in | | | | | | | xmlEncodeEntitiesInternal() in | | | | | | | entities.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2021-3518 | | | | libxml2: use-after-free in | | | | | | | xmlXIncludeDoProcess() in | | | | | | | xinclude.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2021-3537 | | | | libxml2: NULL pointer | | | | | | | dereference when | | | | | | | post-validating mix content | | | | | | | parsed in recovery mode... 
| +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | libzstd | CVE-2021-24032 | LOW | 1.4.4-1.el8 | | zstd: Race condition | | | | | | | allows attacker to access | | | | | | | world-readable destination | | | | | | | file | +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | lua-libs | CVE-2020-15945 | MEDIUM | 5.3.4-11.el8 | | lua: segmentation fault in | | | | | | | changedline in ldebug.c | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2020-24370 | LOW | | | lua: segmentation fault | | | | | | | in getlocal and setlocal | | | | | | | functions in ldebug.c | +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | lz4-libs | CVE-2019-17543 | MEDIUM | 1.8.3-2.el8 | | lz4: heap-based buffer | | | | | | | overflow in LZ4_write32 | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2021-3520 | | | | lz4: memory corruption due to | | | | | | | an integer overflow bug caused | | | | | | | by memmove... 
| +------------------------+------------------+ +-----------------------------------------------------+---------------+-------------------------------------+ | mesa-libEGL | CVE-2019-5068 | | 20.1.4-1.el8 | | mesa: security bypass in 3D | | | | | | | library graphics | +------------------------+ + + +---------------+ + | mesa-libGL | | | | | | | | | | | | | +------------------------+ + + +---------------+ + | mesa-libgbm | | | | | | | | | | | | | +------------------------+ + + +---------------+ + | mesa-libglapi | | | | | | | | | | | | | +------------------------+ + + +---------------+ + | mesa-vulkan-drivers | | | | | | | | | | | | | +------------------------+------------------+ +-----------------------------------------------------+---------------+-------------------------------------+ | ncurses | CVE-2019-17594 | | 6.1-7.20180224.el8 | | ncurses: heap-based buffer | | | | | | | overflow in the _nc_find_entry | | | | | | | function in tinfo/comp_hash.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2019-17595 | | | | ncurses: heap-based buffer | | | | | | | overflow in the fmt_entry | | | | | | | function in tinfo/comp_hash.c | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2018-19211 | LOW | | | ncurses: Null pointer | | | | | | | dereference at function | | | | | | | _nc_parse_entry in | | | | | | | parse_entry.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2018-19217 | | | | ncurses: Null pointer | | | | | | | dereference at function | | | | | | | _nc_name_match | +------------------------+------------------+----------+ +---------------+-------------------------------------+ | ncurses-base | CVE-2019-17594 | MEDIUM | | | ncurses: heap-based buffer | | | | | | | overflow in the _nc_find_entry | | | | | | | function in tinfo/comp_hash.c | + +------------------+ + +---------------+-------------------------------------+ | | 
CVE-2019-17595 | | | | ncurses: heap-based buffer | | | | | | | overflow in the fmt_entry | | | | | | | function in tinfo/comp_hash.c | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2018-19211 | LOW | | | ncurses: Null pointer | | | | | | | dereference at function | | | | | | | _nc_parse_entry in | | | | | | | parse_entry.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2018-19217 | | | | ncurses: Null pointer | | | | | | | dereference at function | | | | | | | _nc_name_match | +------------------------+------------------+----------+ +---------------+-------------------------------------+ | ncurses-libs | CVE-2019-17594 | MEDIUM | | | ncurses: heap-based buffer | | | | | | | overflow in the _nc_find_entry | | | | | | | function in tinfo/comp_hash.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2019-17595 | | | | ncurses: heap-based buffer | | | | | | | overflow in the fmt_entry | | | | | | | function in tinfo/comp_hash.c | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2018-19211 | LOW | | | ncurses: Null pointer | | | | | | | dereference at function | | | | | | | _nc_parse_entry in | | | | | | | parse_entry.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2018-19217 | | | | ncurses: Null pointer | | | | | | | dereference at function | | | | | | | _nc_name_match | +------------------------+------------------+ +-----------------------------------------------------+---------------+-------------------------------------+ | nodejs | CVE-2017-15897 | | 1:10.24.0-1.module+el8.3.0+10166+b07ac28e | | nodejs: Unitialized buffer due | | | | | | | to incorrect encoding | +------------------------+ + + +---------------+ + | nodejs-full-i18n | | | | | | | | | | | | | +------------------------+ + 
+-----------------------------------------------------+---------------+ + | npm | | | 1:6.14.11-1.10.24.0.1.module+el8.3.0+10166+b07ac28e | | | | | | | | | | +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | nss | CVE-2020-12399 | MEDIUM | 3.53.1-17.el8_3 | | nss: Timing attack on DSA | | | | | | | signature generation | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-12401 | | | | nss: ECDSA timing attack | | | | | | | mitigation bypass | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-25648 | | | | nss: TLS 1.3 CCS flood remote | | | | | | | DoS Attack | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2020-12413 | LOW | | | nss: Information exposure when | | | | | | | DH secret are reused across | | | | | | | multiple TLS connections... | +------------------------+------------------+----------+ +---------------+-------------------------------------+ | nss-softokn | CVE-2020-12399 | MEDIUM | | | nss: Timing attack on DSA | | | | | | | signature generation | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-12401 | | | | nss: ECDSA timing attack | | | | | | | mitigation bypass | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-25648 | | | | nss: TLS 1.3 CCS flood remote | | | | | | | DoS Attack | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2020-12413 | LOW | | | nss: Information exposure when | | | | | | | DH secret are reused across | | | | | | | multiple TLS connections... 
| +------------------------+------------------+----------+ +---------------+-------------------------------------+ | nss-softokn-freebl | CVE-2020-12399 | MEDIUM | | | nss: Timing attack on DSA | | | | | | | signature generation | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-12401 | | | | nss: ECDSA timing attack | | | | | | | mitigation bypass | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-25648 | | | | nss: TLS 1.3 CCS flood remote | | | | | | | DoS Attack | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2020-12413 | LOW | | | nss: Information exposure when | | | | | | | DH secret are reused across | | | | | | | multiple TLS connections... | +------------------------+------------------+----------+ +---------------+-------------------------------------+ | nss-sysinit | CVE-2020-12399 | MEDIUM | | | nss: Timing attack on DSA | | | | | | | signature generation | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-12401 | | | | nss: ECDSA timing attack | | | | | | | mitigation bypass | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-25648 | | | | nss: TLS 1.3 CCS flood remote | | | | | | | DoS Attack | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2020-12413 | LOW | | | nss: Information exposure when | | | | | | | DH secret are reused across | | | | | | | multiple TLS connections... 
| +------------------------+------------------+----------+ +---------------+-------------------------------------+ | nss-util | CVE-2020-12399 | MEDIUM | | | nss: Timing attack on DSA | | | | | | | signature generation | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-12401 | | | | nss: ECDSA timing attack | | | | | | | mitigation bypass | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-25648 | | | | nss: TLS 1.3 CCS flood remote | | | | | | | DoS Attack | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2020-12413 | LOW | | | nss: Information exposure when | | | | | | | DH secret are reused across | | | | | | | multiple TLS connections... | +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | oniguruma | CVE-2019-13224 | MEDIUM | 6.8.2-2.el8 | | oniguruma: Use-after-free in | | | | | | | onig_new_deluxe() in regext.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2019-16163 | | | | oniguruma: Stack exhaustion in | | | | | | | regcomp.c because of recursion | | | | | | | in regparse.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2019-19012 | | | | oniguruma: integer overflow | | | | | | | in search_in_range function | | | | | | | in regexec.c leads to | | | | | | | out-of-bounds read... 
| + +------------------+ + +---------------+-------------------------------------+ | | CVE-2019-19203 | | | | oniguruma: Heap-based | | | | | | | buffer over-read in function | | | | | | | gb18030_mbc_enc_len in file | | | | | | | gb18030.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2019-19204 | | | | oniguruma: Heap-based | | | | | | | buffer over-read in function | | | | | | | fetch_interval_quantifier in | | | | | | | regparse.c | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2019-19246 | LOW | | | oniguruma: Heap-based | | | | | | | buffer overflow in | | | | | | | str_lower_case_match in | | | | | | | regexec.c | +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | openssh | CVE-2020-14145 | MEDIUM | 8.0p1-5.el8 | | openssh: Observable | | | | | | | Discrepancy leading to an | | | | | | | information leak in the | | | | | | | algorithm negotiation... | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-15778 | | | | openssh: scp allows command | | | | | | | injection when using | | | | | | | backtick characters in the | | | | | | | destination... | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2018-15919 | LOW | | | openssh: User enumeration | | | | | | | via malformed packets in | | | | | | | authentication requests | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2019-6110 | | | | openssh: Acceptance and | | | | | | | display of arbitrary stderr | | | | | | | allows for spoofing of scp... 
| +------------------------+------------------+----------+ +---------------+-------------------------------------+ | openssh-clients | CVE-2020-14145 | MEDIUM | | | openssh: Observable | | | | | | | Discrepancy leading to an | | | | | | | information leak in the | | | | | | | algorithm negotiation... | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-15778 | | | | openssh: scp allows command | | | | | | | injection when using | | | | | | | backtick characters in the | | | | | | | destination... | + +------------------+----------+ +---------------+-------------------------------------+ | | CVE-2018-15919 | LOW | | | openssh: User enumeration | | | | | | | via malformed packets in | | | | | | | authentication requests | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2019-6110 | | | | openssh: Acceptance and | | | | | | | display of arbitrary stderr | | | | | | | allows for spoofing of scp... | +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | openssl | CVE-2021-23840 | MEDIUM | 1:1.1.1g-15.el8_3 | | openssl: integer overflow in | | | | | | | CipherUpdate | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2021-23841 | | | | openssl: NULL pointer | | | | | | | dereference in | | | | | | | X509_issuer_and_serial_hash() | +------------------------+------------------+ + +---------------+-------------------------------------+ | openssl-libs | CVE-2021-23840 | | | | openssl: integer overflow in | | | | | | | CipherUpdate | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2021-23841 | | | | openssl: NULL pointer | | | | | | | dereference in | | | | | | | X509_issuer_and_serial_hash() | +------------------------+------------------+ 
+-----------------------------------------------------+---------------+-------------------------------------+ | p11-kit | CVE-2020-29361 | | 0.23.14-5.el8_0 | | p11-kit: integer overflow when | | | | | | | allocating memory for arrays | | | | | | | or attributes and object... | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-29362 | | | | p11-kit: out-of-bounds read in | | | | | | | p11_rpc_buffer_get_byte_array | | | | | | | function in rpc-message.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-29363 | | | | p11-kit: out-of-bounds write in | | | | | | | p11_rpc_buffer_get_byte_array_value | | | | | | | function in rpc-message.c | +------------------------+------------------+ + +---------------+-------------------------------------+ | p11-kit-trust | CVE-2020-29361 | | | | p11-kit: integer overflow when | | | | | | | allocating memory for arrays | | | | | | | or attributes and object... | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-29362 | | | | p11-kit: out-of-bounds read in | | | | | | | p11_rpc_buffer_get_byte_array | | | | | | | function in rpc-message.c | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-29363 | | | | p11-kit: out-of-bounds write in | | | | | | | p11_rpc_buffer_get_byte_array_value | | | | | | | function in rpc-message.c | +------------------------+------------------+----------+-----------------------------------------------------+---------------+-------------------------------------+ | pcre | CVE-2019-20838 | LOW | 8.42-4.el8 | | pcre: buffer over-read in JIT | | | | | | | when UTF is disabled | + +------------------+ + +---------------+-------------------------------------+ | | CVE-2020-14155 | | | | pcre: integer overflow in | | | | | | | libpcre | +------------------------+------------------+ + +---------------+-------------------------------------+ | 
LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE
pcre-cpp | CVE-2019-20838 | | | | pcre: buffer over-read in JIT when UTF is disabled
pcre-cpp | CVE-2020-14155 | | | | pcre: integer overflow in libpcre
pcre-devel | CVE-2019-20838 | | | | pcre: buffer over-read in JIT when UTF is disabled
pcre-devel | CVE-2020-14155 | | | | pcre: integer overflow in libpcre
pcre-utf16 | CVE-2019-20838 | | | | pcre: buffer over-read in JIT when UTF is disabled
pcre-utf16 | CVE-2020-14155 | | | | pcre: integer overflow in libpcre
pcre-utf32 | CVE-2019-20838 | | | | pcre: buffer over-read in JIT when UTF is disabled
pcre-utf32 | CVE-2020-14155 | | | | pcre: integer overflow in libpcre
perl-Errno | CVE-2020-10543 | MEDIUM | 1.28-417.el8_3 | | perl: heap-based buffer overflow in regular expression compiler leads to DoS
perl-Errno | CVE-2020-10878 | MEDIUM | 1.28-417.el8_3 | | perl: corruption of intermediate language state of compiled regular expression due to...
perl-Git | CVE-2018-1000021 | MEDIUM | 2.27.0-1.el8 | | git: client prints server-sent ANSI escape codes to the terminal, allowing for...
perl-Git | CVE-2021-21300 | MEDIUM | 2.27.0-1.el8 | | git: remote code execution during clone operation on case-insensitive filesystems
perl-IO | CVE-2020-10543 | MEDIUM | 1.38-417.el8_3 | | perl: heap-based buffer overflow in regular expression compiler leads to DoS
perl-IO | CVE-2020-10878 | MEDIUM | 1.38-417.el8_3 | | perl: corruption of intermediate language state of compiled regular expression due to...
perl-interpreter | CVE-2020-10543 | MEDIUM | 4:5.26.3-417.el8_3 | | perl: heap-based buffer overflow in regular expression compiler leads to DoS
perl-interpreter | CVE-2020-10878 | MEDIUM | 4:5.26.3-417.el8_3 | | perl: corruption of intermediate language state of compiled regular expression due to...
perl-libs | CVE-2020-10543 | MEDIUM | 4:5.26.3-417.el8_3 | | perl: heap-based buffer overflow in regular expression compiler leads to DoS
perl-libs | CVE-2020-10878 | MEDIUM | 4:5.26.3-417.el8_3 | | perl: corruption of intermediate language state of compiled regular expression due to...
perl-macros | CVE-2020-10543 | MEDIUM | 4:5.26.3-417.el8_3 | | perl: heap-based buffer overflow in regular expression compiler leads to DoS
perl-macros | CVE-2020-10878 | MEDIUM | 4:5.26.3-417.el8_3 | | perl: corruption of intermediate language state of compiled regular expression due to...
platform-python | CVE-2020-26116 | MEDIUM | 3.6.8-31.el8 | | python: CRLF injection via HTTP request method in httplib/http.client
platform-python | CVE-2020-27619 | MEDIUM | 3.6.8-31.el8 | | python: Python 3 eval of http resources during test suite runs
platform-python | CVE-2021-23336 | MEDIUM | 3.6.8-31.el8 | | python: Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a semicolon...
platform-python | CVE-2021-3177 | MEDIUM | 3.6.8-31.el8 | | python: Stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c
platform-python | CVE-2021-3426 | MEDIUM | 3.6.8-31.el8 | | python: information disclosure via pydoc
platform-python | CVE-2019-9674 | LOW | 3.6.8-31.el8 | | python: Nested zip file (Zip bomb) vulnerability in Lib/zipfile.py
python3-hawkey | CVE-2021-3445 | MEDIUM | 0.48.0-5.el8 | | libdnf: libdnf does its own signature verification, but this can be tricked...
python3-libdnf | CVE-2021-3445 | MEDIUM | 0.48.0-5.el8 | | libdnf: libdnf does its own signature verification, but this can be tricked...
python3-libs | CVE-2020-26116 | MEDIUM | 3.6.8-31.el8 | | python: CRLF injection via HTTP request method in httplib/http.client
python3-libs | CVE-2020-27619 | MEDIUM | 3.6.8-31.el8 | | python: Python 3 eval of http resources during test suite runs
python3-libs | CVE-2021-23336 | MEDIUM | 3.6.8-31.el8 | | python: Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a semicolon...
python3-libs | CVE-2021-3177 | MEDIUM | 3.6.8-31.el8 | | python: Stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c
python3-libs | CVE-2021-3426 | MEDIUM | 3.6.8-31.el8 | | python: information disclosure via pydoc
python3-libs | CVE-2019-9674 | LOW | 3.6.8-31.el8 | | python: Nested zip file (Zip bomb) vulnerability in Lib/zipfile.py
python3-libxml2 | CVE-2020-24977 | MEDIUM | 2.9.7-8.el8 | | libxml2: Buffer overflow vulnerability in xmlEncodeEntitiesInternal() in entities.c
python3-libxml2 | CVE-2021-3516 | MEDIUM | 2.9.7-8.el8 | | libxml2: use-after-free in xmlEncodeEntitiesInternal() in entities.c
python3-libxml2 | CVE-2021-3517 | MEDIUM | 2.9.7-8.el8 | | libxml2: heap-based buffer overflow in xmlEncodeEntitiesInternal() in entities.c
python3-libxml2 | CVE-2021-3518 | MEDIUM | 2.9.7-8.el8 | | libxml2: use-after-free in xmlXIncludeDoProcess() in xinclude.c
python3-libxml2 | CVE-2021-3537 | MEDIUM | 2.9.7-8.el8 | | libxml2: NULL pointer dereference when post-validating mix content parsed in recovery mode...
python3-pip-wheel | CVE-2018-20225 | LOW | 9.0.3-18.el8 | | python-pip: when --extra-index-url option is used and package does not already exist...
python3-rpm | CVE-2021-20271 | MEDIUM | 4.14.3-4.el8 | | rpm: Signature checks bypass via corrupted rpm package
python3-rpm | CVE-2021-3421 | MEDIUM | 4.14.3-4.el8 | | rpm: unsigned signature header leads to string injection into an rpm database...
python3-rpm | CVE-2021-20266 | LOW | 4.14.3-4.el8 | | rpm: missing length checks in hdrblobInit()
python3-urllib3 | CVE-2020-26137 | MEDIUM | 1.24.2-4.el8 | | python-urllib3: CRLF injection via HTTP request method
rpm | CVE-2021-20271 | MEDIUM | 4.14.3-4.el8 | | rpm: Signature checks bypass via corrupted rpm package
rpm | CVE-2021-3421 | MEDIUM | 4.14.3-4.el8 | | rpm: unsigned signature header leads to string injection into an rpm database...
rpm | CVE-2021-20266 | LOW | 4.14.3-4.el8 | | rpm: missing length checks in hdrblobInit()
rpm-build-libs | CVE-2021-20271 | MEDIUM | 4.14.3-4.el8 | | rpm: Signature checks bypass via corrupted rpm package
rpm-build-libs | CVE-2021-3421 | MEDIUM | 4.14.3-4.el8 | | rpm: unsigned signature header leads to string injection into an rpm database...
rpm-build-libs | CVE-2021-20266 | LOW | 4.14.3-4.el8 | | rpm: missing length checks in hdrblobInit()
rpm-libs | CVE-2021-20271 | MEDIUM | 4.14.3-4.el8 | | rpm: Signature checks bypass via corrupted rpm package
rpm-libs | CVE-2021-3421 | MEDIUM | 4.14.3-4.el8 | | rpm: unsigned signature header leads to string injection into an rpm database...
rpm-libs | CVE-2021-20266 | LOW | 4.14.3-4.el8 | | rpm: missing length checks in hdrblobInit()
sqlite-libs | CVE-2019-5827 | HIGH | 3.26.0-11.el8 | | chromium-browser: out-of-bounds access in SQLite
sqlite-libs | CVE-2019-13750 | MEDIUM | 3.26.0-11.el8 | | sqlite: dropping of shadow tables not restricted in defensive mode
sqlite-libs | CVE-2019-13751 | MEDIUM | 3.26.0-11.el8 | | sqlite: fts3: improve detection of corrupted records
sqlite-libs | CVE-2019-19603 | MEDIUM | 3.26.0-11.el8 | | sqlite: mishandles certain SELECT statements with a nonexistent VIEW, leading to DoS...
sqlite-libs | CVE-2019-19645 | MEDIUM | 3.26.0-11.el8 | | sqlite: infinite recursion via certain types of self-referential views in conjunction with...
sqlite-libs | CVE-2019-19880 | MEDIUM | 3.26.0-11.el8 | | sqlite: invalid pointer dereference in exprListAppendList in window.c
sqlite-libs | CVE-2020-13434 | MEDIUM | 3.26.0-11.el8 | | sqlite: integer overflow in sqlite3_str_vappendf function in printf.c
sqlite-libs | CVE-2020-13435 | MEDIUM | 3.26.0-11.el8 | | sqlite: NULL pointer dereference leads to segmentation fault in sqlite3ExprCodeTarget in expr.c...
sqlite-libs | CVE-2020-15358 | MEDIUM | 3.26.0-11.el8 | | sqlite: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization...
sqlite-libs | CVE-2019-19244 | LOW | 3.26.0-11.el8 | | sqlite: allows a crash if a sub-select uses both DISTINCT and window...
sqlite-libs | CVE-2019-9936 | LOW | 3.26.0-11.el8 | | sqlite: heap-based buffer over-read in function fts5HashEntrySort in sqlite3.c
sqlite-libs | CVE-2019-9937 | LOW | 3.26.0-11.el8 | | sqlite: null-pointer dereference in function fts5ChunkIterate in sqlite3.c
systemd | CVE-2018-20839 | MEDIUM | 239-41.el8_3.2 | | systemd: mishandling of the current keyboard mode check leading to passwords being...
systemd | CVE-2019-3842 | MEDIUM | 239-41.el8_3.2 | | systemd: Spoofing of XDG_SEAT allows for actions to be checked against "allow_active"...
systemd | CVE-2020-13776 | MEDIUM | 239-41.el8_3.2 | | systemd: Mishandles numerical usernames beginning with decimal digits or 0x followed by...
systemd-libs | CVE-2018-20839 | MEDIUM | 239-41.el8_3.2 | | systemd: mishandling of the current keyboard mode check leading to passwords being...
systemd-libs | CVE-2019-3842 | MEDIUM | 239-41.el8_3.2 | | systemd: Spoofing of XDG_SEAT allows for actions to be checked against "allow_active"...
systemd-libs | CVE-2020-13776 | MEDIUM | 239-41.el8_3.2 | | systemd: Mishandles numerical usernames beginning with decimal digits or 0x followed by...
systemd-pam | CVE-2018-20839 | MEDIUM | 239-41.el8_3.2 | | systemd: mishandling of the current keyboard mode check leading to passwords being...
systemd-pam | CVE-2019-3842 | MEDIUM | 239-41.el8_3.2 | | systemd: Spoofing of XDG_SEAT allows for actions to be checked against "allow_active"...
systemd-pam | CVE-2020-13776 | MEDIUM | 239-41.el8_3.2 | | systemd: Mishandles numerical usernames beginning with decimal digits or 0x followed by...
tar | CVE-2021-20193 | MEDIUM | 2:1.30-5.el8 | | tar: Memory leak in read_header() in list.c
tar | CVE-2019-9923 | LOW | 2:1.30-5.el8 | | tar: null-pointer dereference in pax_decode_header in sparse.c
vim-minimal | CVE-2018-20786 | LOW | 2:8.0.1763-15.el8 | | libvterm: NULL pointer dereference in vterm_screen_set_callbacks
xdg-utils | CVE-2020-27748 | MEDIUM | 1.1.2-5.el8 | | xdg-utils: local file inclusion vulnerability
xorg-x11-server-Xvfb | CVE-2020-14345 | HIGH | 1.20.8-6.1.el8_3 | | xorg-x11-server: Out-of-bounds access in XkbSetNames function
xorg-x11-server-Xvfb | CVE-2020-14346 | HIGH | 1.20.8-6.1.el8_3 | | xorg-x11-server: Integer underflow in the X input extension protocol
xorg-x11-server-Xvfb | CVE-2020-14360 | HIGH | 1.20.8-6.1.el8_3 | | xorg-x11-server: Out-of-bounds access in XkbSetMap function
xorg-x11-server-Xvfb | CVE-2020-14361 | HIGH | 1.20.8-6.1.el8_3 | | xorg-x11-server: XkbSelectEvents integer underflow privilege escalation vulnerability
xorg-x11-server-Xvfb | CVE-2020-14362 | HIGH | 1.20.8-6.1.el8_3 | | xorg-x11-server: XRecordRegisterClients integer underflow privilege escalation vulnerability
xorg-x11-server-Xvfb | CVE-2020-25712 | HIGH | 1.20.8-6.1.el8_3 | | xorg-x11-server: XkbSetDeviceInfo heap-based buffer overflow privilege escalation vulnerability
xorg-x11-server-Xvfb | CVE-2021-3472 | HIGH | 1.20.8-6.1.el8_3 | | xorg-x11-server: XChangeFeedbackControl integer underflow leads to privilege escalation
xorg-x11-server-Xvfb | CVE-2020-14347 | MEDIUM | 1.20.8-6.1.el8_3 | | xorg-x11-server: Leak of uninitialized heap memory from the X server to clients...
xorg-x11-server-Xvfb | CVE-2020-25697 | MEDIUM | 1.20.8-6.1.el8_3 | | xorg-x11-server: local privilege escalation
xorg-x11-server-common | CVE-2020-14345 | HIGH | 1.20.8-6.1.el8_3 | | xorg-x11-server: Out-of-bounds access in XkbSetNames function
xorg-x11-server-common | CVE-2020-14346 | HIGH | 1.20.8-6.1.el8_3 | | xorg-x11-server: Integer underflow in the X input extension protocol
xorg-x11-server-common | CVE-2020-14360 | HIGH | 1.20.8-6.1.el8_3 | | xorg-x11-server: Out-of-bounds access in XkbSetMap function
xorg-x11-server-common | CVE-2020-14361 | HIGH | 1.20.8-6.1.el8_3 | | xorg-x11-server: XkbSelectEvents integer underflow privilege escalation vulnerability
xorg-x11-server-common | CVE-2020-14362 | HIGH | 1.20.8-6.1.el8_3 | | xorg-x11-server: XRecordRegisterClients integer underflow privilege escalation vulnerability
xorg-x11-server-common | CVE-2020-25712 | HIGH | 1.20.8-6.1.el8_3 | | xorg-x11-server: XkbSetDeviceInfo heap-based buffer overflow privilege escalation vulnerability
xorg-x11-server-common | CVE-2021-3472 | HIGH | 1.20.8-6.1.el8_3 | | xorg-x11-server: XChangeFeedbackControl integer underflow leads to privilege escalation
xorg-x11-server-common | CVE-2020-14347 | MEDIUM | 1.20.8-6.1.el8_3 | | xorg-x11-server: Leak of uninitialized heap memory from the X server to clients...
xorg-x11-server-common | CVE-2020-25697 | MEDIUM | 1.20.8-6.1.el8_3 | | xorg-x11-server: local privilege escalation

package-lock.json
=================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

$ trivy --no-progress -f json -o gl-container-scanning-report.json --input /image
2021-05-12T19:10:44.931Z INFO Detecting RHEL/CentOS vulnerabilities...
2021-05-12T19:10:44.943Z INFO Detecting npm vulnerabilities...
$ echo "This scan is currently only implemented for awareness, no pipeline actions are taken as a result of the scans"
This scan is currently only implemented for awareness, no pipeline actions are taken as a result of the scans
section_end:1620846645:step_script
section_start:1620846645:upload_artifacts_on_success
Uploading artifacts for successful job
Uploading artifacts...
gl-container-scanning-report.json: found 1 matching files and directories
Uploading artifacts as "container_scanning" to coordinator... ok id=3283113 responseStatus=201 Created token=4Fwc3t-K
section_end:1620846646:upload_artifacts_on_success
section_start:1620846646:cleanup_file_variables
Cleaning up file based variables
section_end:1620846646:cleanup_file_variables
Job succeeded