Findings for Container Security, Medium, [TheRedHatter/javagoof:Dockerfile]:Out-of-Bounds (#1739) · Issues · Administrator / ticket

Findings for Container Security, Medium, [TheRedHatter/javagoof:Dockerfile]:Out-of-Bounds

Created by: armorcodegithubpreprod[bot]

Findings for Container Security, Medium, [TheRedHatter/javagoof:Dockerfile]:Out-of-Bounds

Component Details

Exploit Maturity: no-known-exploit
Vulnerable Package: -
Current Version: -
Vulnerable Version(s): >*
Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc package.

The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

Exploit Maturity: no-known-exploit
Vulnerable Package: -
Current Version: -
Vulnerable Version(s): ><1.1.0f-3+deb9u1
Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream openssl package. See How to fix? for Debian:9 relevant versions.

While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

Exploit Maturity: no-known-exploit
Vulnerable Package: -
Current Version: -
Vulnerable Version(s): ><6.0+20161126-1+deb9u1
Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream ncurses package. See How to fix? for Debian:9 relevant versions.

There is an illegal address access in the _nc_safe_strcat function in strings.c in ncurses 6.0 that will lead to a remote denial of service attack.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

Exploit Maturity: no-known-exploit
Vulnerable Package: -
Current Version: -
Vulnerable Version(s): ><6.0+20161126-1+deb9u1
Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream ncurses package. See How to fix? for Debian:9 relevant versions.

There is an illegal address access in the function _nc_read_entry_source() in progs/tic.c in ncurses 6.0 that might lead to a remote denial of service attack.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

Exploit Maturity: no-known-exploit
Vulnerable Package: -
Current Version: -
Vulnerable Version(s): ><4.0.8-2+deb9u5
Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream tiff package. See How to fix? for Debian:9 relevant versions.

An Invalid Address dereference was discovered in TIFFWriteDirectoryTagTransferfunction in libtiff/tif_dirwrite.c in LibTIFF 4.0.10, affecting the cpSeparateBufToContigBuf function in tiffcp.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file. This is different from CVE-2018-12900.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

Exploit Maturity: no-known-exploit
Vulnerable Package: -
Current Version: -
Vulnerable Version(s): ><6.0+20161126-1+deb9u1
Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream ncurses package. See How to fix? for Debian:9 relevant versions.

There is an illegal address access in the function postprocess_termcap() in parse_entry.c in ncurses 6.0 that will lead to a remote denial of service attack.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

Exploit Maturity: no-known-exploit
Vulnerable Package: -
Current Version: -
Vulnerable Version(s): ><0.168-1+deb9u1
Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream elfutils package. See How to fix? for Debian:9 relevant versions.

An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

Exploit Maturity: no-known-exploit
Vulnerable Package: -
Current Version: -
Vulnerable Version(s): ><1.0.2l-2+deb9u1
Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream openssl1.0 package. See How to fix? for Debian:9 relevant versions.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

Exploit Maturity: no-known-exploit
Vulnerable Package: -
Current Version: -
Vulnerable Version(s): ><6.0+20161126-1+deb9u1
Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream ncurses package. See How to fix? for Debian:9 relevant versions.

There is an illegal address access in the fmt_entry function in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

Exploit Maturity: no-known-exploit
Vulnerable Package: -
Current Version: -
Vulnerable Version(s): >*
Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream giflib package.

Heap-based buffer overflow in util/gif2rgb.c in gif2rgb in giflib 5.1.2 allows remote attackers to cause a denial of service (application crash) via the background color index in a GIF file.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

Exploit Maturity: no-known-exploit
Vulnerable Package: -
Current Version: -
Vulnerable Version(s): ><0.168-1+deb9u1
Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream elfutils package. See How to fix? for Debian:9 relevant versions.

An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

Exploit Maturity: no-known-exploit
Vulnerable Package: -
Current Version: -
Vulnerable Version(s): ><7.52.1-5+deb9u1
Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream curl package. See How to fix? for Debian:9 relevant versions.

curl supports "globbing" of URLs, in which a user can pass a numerical range to have the tool iterate over those numbers to do a sequence of transfers. In the globbing function that parses the numerical range, there was an omission that made curl read a byte beyond the end of the URL if given a carefully crafted, or just wrongly written, URL. The URL is stored in a heap based buffer, so it could then be made to wrongly read something else instead of crashing. An example of a URL that triggers the flaw would be http://ur%20[0-60000000000000000000.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

Exploit Maturity: no-known-exploit
Vulnerable Package: -
Current Version: -
Vulnerable Version(s): ><232-25+deb9u9
Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream systemd package. See How to fix? for Debian:9 relevant versions.

An issue was discovered in sd-bus in systemd 239. bus_process_object() in libsystemd/sd-bus/bus-objects.c allocates a variable-length stack buffer for temporarily storing the object path of incoming D-Bus messages. An unprivileged local user can exploit this by sending a specially crafted message to PID1, causing the stack pointer to jump over the stack guard pages into an unmapped memory region and trigger a denial of service (systemd PID1 crash and kernel panic).

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

Exploit Maturity: no-known-exploit
Vulnerable Package: -
Current Version: -
Vulnerable Version(s): ><6.0+20161126-1+deb9u1
Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream ncurses package. See How to fix? for Debian:9 relevant versions.

There is an illegal address access in the _nc_save_str function in alloc_entry.c in ncurses 6.0. It will lead to a remote denial of service attack.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

Exploit Maturity: no-known-exploit
Vulnerable Package: -
Current Version: -
Vulnerable Version(s): ><6.0+20161126-1+deb9u1
Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream ncurses package. See How to fix? for Debian:9 relevant versions.

There is an illegal address access in the function dump_uses() in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active