Findings for Container Security, Critical, [TheRedHatter/javagoof:Dockerfile]:Out-of-bounds Read
Created by: armorcodegithubpreprod[bot]
Findings for Container Security, Critical, [TheRedHatter/javagoof:Dockerfile]:Out-of-bounds Read
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><3.16.2-5+deb9u1
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream sqlite3
package.
See How to fix?
for Debian:9
relevant versions.
The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.
References
- Apple Security Advisory
- Apple Security Advisory
- Apple Security Advisory
- Apple Security Advisory
- CVE Details
- Debian Security Announcement
- Debian Security Tracker
- HP Security Bulletin
- MISC
- MISC
- MISC
- MISC
- OpenSuse Security Announcement
- Oracle Security Advisory
- Security Focus
- Security Tracker
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
- Ubuntu Security Advisory
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><5.24.1-3+deb9u5
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream perl
package.
See How to fix?
for Debian:9
relevant versions.
Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.
References
- Apple Security Advisory
- Bugtraq Mailing List
- CONFIRM
- CONFIRM
- CVE Details
- Debian Security Advisory
- Debian Security Tracker
- Fedora Security Update
- Gentoo Security Advisory
- GitHub Commit
- MISC
- Netapp Security Advisory
- RedHat Bugzilla Bug
- RHSA Security Advisory
- RHSA Security Advisory
- Seclists Full Disclosure
- Security Tracker
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
- Ubuntu Security Advisory
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><2:3.26.2-1.1+deb9u2
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream nss
package.
See How to fix?
for Debian:9
relevant versions.
A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability.
References
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><1.7.0-1+deb9u1
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream libssh2
package.
See How to fix?
for Debian:9
relevant versions.
An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the _libssh2_packet_require and _libssh2_packet_requirev functions. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.
References
- Bugtraq Mailing List
- Bugtraq Mailing List
- CONFIRM
- Debian Security Advisory
- Debian Security Announcement
- Debian Security Announcement
- Debian Security Announcement
- Debian Security Tracker
- Fedora Security Update
- Fedora Security Update
- MISC
- MISC
- MISC
- Netapp Security Advisory
- OpenSuse Security Announcement
- OpenSuse Security Announcement
- OpenSuse Security Announcement
- OpenSuse Security Announcement
- OSS security Advisory
- RedHat Bugzilla Bug
- Security Focus
- Ubuntu CVE Tracker
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><2.56.0-2+deb9u2
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream libsoup2.4
package.
See How to fix?
for Debian:9
relevant versions.
The get_cookies function in soup-cookie-jar.c in libsoup 2.63.2 allows attackers to have unspecified impact via an empty hostname.
References
- CONFIRM
- CONFIRM
- CONFIRM
- Debian Security Advisory
- Debian Security Announcement
- Debian Security Tracker
- Fedora Security Update
- OpenSuse Security Announcement
- REDHAT
- RHSA Security Advisory
- RHSA Security Advisory
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><7.52.1-5+deb9u6
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream curl
package.
See How to fix?
for Debian:9
relevant versions.
curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content.. This vulnerability appears to have been fixed in curl < 7.20.0 and curl >= 7.60.0.
References
- CONFIRM
- CVE Details
- Debian Security Advisory
- Debian Security Announcement
- Debian Security Tracker
- Gentoo Security Advisory
- Oracle Security Advisory
- Oracle Security Advisory
- Oracle Security Advisory
- Oracle Security Advisory
- REDHAT
- REDHAT
- REDHAT
- RHSA Security Advisory
- RHSA Security Advisory
- Security Focus
- Security Tracker
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
- Ubuntu Security Advisory
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><1.7.0-1+deb9u1
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream libssh2
package.
See How to fix?
for Debian:9
relevant versions.
An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SFTP packets with empty payloads are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.
References
- Bugtraq Mailing List
- Debian Security Advisory
- Debian Security Announcement
- Debian Security Tracker
- Fedora Security Update
- MISC
- MISC
- MLIST
- Netapp Security Advisory
- OpenSuse Security Announcement
- OpenSuse Security Announcement
- RedHat Bugzilla Bug
- SUSE
- Ubuntu CVE Tracker
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><1.7.0-1+deb9u1
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream libssh2
package.
See How to fix?
for Debian:9
relevant versions.
An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH packets with a padding length value greater than the packet length are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.
References
- Bugtraq Mailing List
- Debian Security Advisory
- Debian Security Announcement
- Debian Security Tracker
- Fedora Security Update
- MISC
- MISC
- Netapp Security Advisory
- OpenSuse Security Announcement
- OpenSuse Security Announcement
- REDHAT
- RedHat Bugzilla Bug
- Ubuntu CVE Tracker
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><7.52.1-5+deb9u8
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream curl
package.
See How to fix?
for Debian:9
relevant versions.
Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.
References
- CVE Details
- Debian Security Advisory
- Debian Security Announcement
- Debian Security Tracker
- Gentoo Security Advisory
- GitHub Commit
- MISC
- MISC
- RedHat Bugzilla Bug
- RHSA Security Advisory
- Security Tracker
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
- Ubuntu Security Advisory
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><1.7.0-1+deb9u1
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream libssh2
package.
See How to fix?
for Debian:9
relevant versions.
An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.
References
- Bugtraq Mailing List
- Bugtraq Mailing List
- CONFIRM
- Debian Security Advisory
- Debian Security Announcement
- Debian Security Tracker
- Fedora Security Update
- Fedora Security Update
- MISC
- MISC
- MISC
- MISC
- Netapp Security Advisory
- OpenSuse Security Announcement
- OpenSuse Security Announcement
- OSS security Advisory
- REDHAT
- RedHat Bugzilla Bug
- Security Focus
- Ubuntu CVE Tracker
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><1.7.0-1+deb9u1
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream libssh2
package.
See How to fix?
for Debian:9
relevant versions.
An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.
References
- Bugtraq Mailing List
- Bugtraq Mailing List
- CONFIRM
- Debian Security Advisory
- Debian Security Announcement
- Debian Security Tracker
- Fedora Security Update
- Fedora Security Update
- MISC
- MISC
- MISC
- Netapp Security Advisory
- OpenSuse Security Announcement
- OpenSuse Security Announcement
- OSS security Advisory
- REDHAT
- RedHat Bugzilla Bug
- Security Focus
- Ubuntu CVE Tracker
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><0.8.3-1+deb9u1
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream libbsd
package.
See How to fix?
for Debian:9
relevant versions.
nlist.c in libbsd before 0.10.0 has an out-of-bounds read during a comparison for a symbol name from the string table (strtab).
References
- Debian Security Tracker
- MISC
- MISC
- MLIST
- MLIST
- MLIST
- SUSE
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><2.9.4+dfsg1-2.2+deb9u3
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream libxml2
package.
See How to fix?
for Debian:9
relevant versions.
The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.
References
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><7.52.1-5+deb9u3
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream curl
package.
See How to fix?
for Debian:9
relevant versions.
The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '[' character.
References
- CONFIRM
- CONFIRM
- CVE Details
- Debian Security Advisory
- Debian Security Announcement
- Debian Security Tracker
- Gentoo Security Advisory
- RHSA Security Advisory
- Security Focus
- Security Tracker
- Ubuntu CVE Tracker
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><7.52.1-5+deb9u5
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream curl
package.
See How to fix?
for Debian:9
relevant versions.
A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage
References
- CONFIRM
- CVE Details
- Debian Security Advisory
- Debian Security Announcement
- Debian Security Tracker
- Oracle Security Advisory
- Oracle Security Advisory
- Oracle Security Advisory
- Oracle Security Advisory
- REDHAT
- REDHAT
- REDHAT
- RHSA Security Advisory
- RHSA Security Advisory
- RHSA Security Advisory
- Security Focus
- Security Tracker
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
- Ubuntu Security Advisory
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><7.52.1-5+deb9u4
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream curl
package.
See How to fix?
for Debian:9
relevant versions.
libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like :
to the target buffer, while this was recently changed to :
(a space was added after the colon) but the following math wasn't updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to client write. This could lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.
References
- CONFIRM
- CVE Details
- Debian Security Advisory
- Debian Security Tracker
- GitHub PR
- RHSA Security Advisory
- Security Tracker
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): >*
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream sqlite3
package.
SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.
References
- CVE Details
- Debian Security Tracker
- Fedora Security Update
- Fedora Security Update
- MISC
- MISC
- MISC
- MISC
- N/A
- Netapp Security Advisory
- OpenSuse Security Announcement
- Oracle Security Advisory
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
- Ubuntu Security Advisory
- Ubuntu Security Advisory
- Ubuntu Security Advisory
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): >*
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream glibc
package.
In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.
References
- CONFIRM
- CONFIRM
- Debian Security Tracker
- GENTOO
- MISC
- MISC
- MISC
- MISC
- Netapp Security Advisory
- Security Focus
- UBUNTU
- Ubuntu CVE Tracker
Origin : null Type : null Image Id : null
Snyk Project Status: Active