[CVE Report]: messagebird/sachet:0.2.6 #117

Closed

eliyamlevy opened this issue Apr 6, 2022 · 2 comments

Comments

@eliyamlevy

Hello,
Can you publish a new docker image to address these CVEs?

Issues found using aquasec/trivy:0.20.2.

Thank you!

For reference, this is a similar request to this issue.

| Vulnerability ID | Title | Package Name | Fixed Version | Severity | URL | Target |
|---|---|---|---|---|---|---|
| CVE-2021-42378 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i() | busybox | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42378 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42379 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file() | busybox | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42379 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42380 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar() | busybox | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42380 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42381 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init() | busybox | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42381 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42382 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s() | busybox | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42382 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42383 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate() | busybox | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42383 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42384 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special() | busybox | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42384 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42385 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate() | busybox | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42385 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42386 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc() | busybox | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42386 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2022-0778 | openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates | libcrypto1.1 | 1.1.1n-r0 | HIGH | https://avd.aquasec.com/nvd/cve-2022-0778 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2022-0778 | openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates | libretls | 3.3.3p1-r3 | HIGH | https://avd.aquasec.com/nvd/cve-2022-0778 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2022-0778 | openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates | libssl1.1 | 1.1.1n-r0 | HIGH | https://avd.aquasec.com/nvd/cve-2022-0778 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42378 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i() | ssl_client | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42378 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42379 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file() | ssl_client | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42379 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42380 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar() | ssl_client | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42380 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42381 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init() | ssl_client | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42381 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42382 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s() | ssl_client | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42382 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42383 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate() | ssl_client | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42383 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42384 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special() | ssl_client | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42384 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42385 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate() | ssl_client | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42385 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42386 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc() | ssl_client | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42386 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2018-25032 | zlib: A flaw in zlib-1.2.11 when compressing (not decompressing!) certain inputs. | zlib | 1.2.12-r0 | HIGH | https://avd.aquasec.com/nvd/cve-2018-25032 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
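One way to turn a scan like the one above into a CI gate and an upgrade list, as an added example that is not code from the sachet project or from anyone in this thread: it reads a report in the shape of `trivy image --format json` output (only the fields the gate needs), filters by severity the way `--severity` and `--ignore-unfixed` do, and returns an exit-code style verdict like `--exit-code 1`. The two embedded reports are constructed from the rows in this issue (the 0.2.6 table and a clean 0.3.1 scan); the `InstalledVersion` values are assumptions, since the table lists only fixed versions.

```python
"""Gate a Trivy JSON report on severity and summarize the upgrades it implies.

Added example: not code from the sachet project or from the issue thread.
The two reports below are CONSTRUCTED from the rows in the issue (the 0.2.6
table and a clean 0.3.1 scan). Real Trivy JSON has many more fields; only
the ones the gate reads are included. InstalledVersion values are
assumptions, since the issue lists only the fixed versions.
"""
import json
from collections import defaultdict

SEVERITY_ORDER = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# The nine busybox awk use-after-free CVEs from the issue: CVE-2021-42378..42386.
BUSYBOX_AWK_CVES = [f"CVE-2021-423{n}" for n in range(78, 87)]


def _vuln(cve, pkg, installed, fixed, severity="HIGH"):
    return {"VulnerabilityID": cve, "PkgName": pkg, "InstalledVersion": installed,
            "FixedVersion": fixed, "Severity": severity}


# Constructed report for the vulnerable image (installed versions assumed).
VULNERABLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "Results": [
        {
            "Target": "rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2)",
            "Type": "alpine",
            "Vulnerabilities": (
                [_vuln(c, "busybox", "1.33.1-r3", "1.33.1-r6") for c in BUSYBOX_AWK_CVES]
                + [_vuln(c, "ssl_client", "1.33.1-r3", "1.33.1-r6") for c in BUSYBOX_AWK_CVES]
                + [_vuln("CVE-2022-0778", "libcrypto1.1", "1.1.1l-r0", "1.1.1n-r0"),
                   _vuln("CVE-2022-0778", "libssl1.1", "1.1.1l-r0", "1.1.1n-r0"),
                   _vuln("CVE-2022-0778", "libretls", "3.3.3p1-r2", "3.3.3p1-r3"),
                   _vuln("CVE-2018-25032", "zlib", "1.2.11-r3", "1.2.12-r0")]
            ),
        },
        # A target with no findings carries no Vulnerabilities key.
        {"Target": "usr/local/bin/sachet", "Type": "gobinary"},
    ],
})

# Constructed report for the rebuilt image: zero findings, like the 0.3.1 scan.
CLEAN_REPORT = json.dumps({
    "SchemaVersion": 2,
    "Results": [
        {"Target": "messagebird/sachet:0.3.1 (alpine 3.15.4)", "Type": "alpine"},
        {"Target": "usr/local/bin/sachet", "Type": "gobinary"},
    ],
})


def load_findings(report_json, min_severity="HIGH", ignore_unfixed=False):
    """Return findings at or above min_severity (like `trivy --severity HIGH,CRITICAL`).

    ignore_unfixed drops entries with an empty FixedVersion (like `--ignore-unfixed`),
    which is what you want when the gate's purpose is "rebuild on a patched base".
    """
    report = json.loads(report_json)
    threshold = SEVERITY_ORDER[min_severity]
    findings = []
    for result in report.get("Results", []):
        # Trivy omits the key (or emits null) when a target has no findings.
        for v in result.get("Vulnerabilities") or []:
            if SEVERITY_ORDER.get(v.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            if ignore_unfixed and not v.get("FixedVersion"):
                continue
            findings.append({**v, "Target": result["Target"]})
    return findings


def unique_cves(findings):
    """Distinct CVE IDs: one OpenSSL bug shows as three rows (libcrypto, libssl, libretls)."""
    return sorted({f["VulnerabilityID"] for f in findings})


def remediation_plan(findings):
    """Collapse rows into one upgrade per (package, installed, fixed) with the CVEs it closes."""
    plan = defaultdict(set)
    for f in findings:
        key = (f["PkgName"], f["InstalledVersion"], f["FixedVersion"])
        plan[key].add(f["VulnerabilityID"])
    return {k: sorted(v) for k, v in sorted(plan.items())}


def gate(report_json, min_severity="HIGH", ignore_unfixed=False):
    """Exit-code style verdict, mirroring `trivy --exit-code 1`: 0 = pass, 1 = fail."""
    return 1 if load_findings(report_json, min_severity, ignore_unfixed) else 0


if __name__ == "__main__":
    findings = load_findings(VULNERABLE_REPORT)
    print(f"{len(findings)} rows, {len(unique_cves(findings))} distinct CVEs, "
          f"gate={gate(VULNERABLE_REPORT)}")
    for (pkg, installed, fixed), cves in remediation_plan(findings).items():
        print(f"  {pkg}: {installed} -> {fixed}  closes {', '.join(cves)}")
    print(f"rebuilt image gate={gate(CLEAN_REPORT)}")
```

Two things the raw table hides and the plan makes visible: the 22 rows are only 11 distinct CVEs, because Trivy reports a CVE once per affected package (CVE-2022-0778 hits libcrypto1.1, libssl1.1 and libretls; the busybox CVEs hit both the busybox and ssl_client packages), and every one of them is an Alpine base-image package rather than the Go binary. That is why the practical fix is a rebuild on a newer Alpine, which is what the 0.3.1 scan below reflects.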
@marcelcorso (Contributor)

Thank you for the issue!

Please use new releases. Just released 0.3.1 and tested with trivy:

```
> trivy image messagebird/sachet:0.3.1
2022-04-07T11:02:58.059+0200	INFO	Detected OS: alpine
2022-04-07T11:02:58.059+0200	INFO	Detecting Alpine vulnerabilities...
2022-04-07T11:02:58.062+0200	INFO	Number of language-specific files: 1
2022-04-07T11:02:58.062+0200	INFO	Detecting gobinary vulnerabilities...

messagebird/sachet:0.3.1 (alpine 3.15.4)
========================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


usr/local/bin/sachet (gobinary)
===============================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```

@eliyamlevy (Author)

Thank you!
