Skip to content

GitLab

Open
Created by Administrator@rootMaintainer

Findings for Container Security, Critical, [TheRedHatter/javagoof:Dockerfile]:Out-of-bounds Read

Created by: armorcodegithubpreprod[bot]

Findings for Container Security, Critical, [TheRedHatter/javagoof:Dockerfile]:Out-of-bounds Read

Component Details

  • Exploit Maturity: no-known-exploit
  • Vulnerable Package: -
  • Current Version: -
  • Vulnerable Version(s): ><3.16.2-5+deb9u1
  • Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream sqlite3 package. See How to fix? for Debian:9 relevant versions.

The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

  • Exploit Maturity: no-known-exploit
  • Vulnerable Package: -
  • Current Version: -
  • Vulnerable Version(s): ><5.24.1-3+deb9u5
  • Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream perl package. See How to fix? for Debian:9 relevant versions.

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

  • Exploit Maturity: no-known-exploit
  • Vulnerable Package: -
  • Current Version: -
  • Vulnerable Version(s): ><2:3.26.2-1.1+deb9u2
  • Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream nss package. See How to fix? for Debian:9 relevant versions.

A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

  • Exploit Maturity: no-known-exploit
  • Vulnerable Package: -
  • Current Version: -
  • Vulnerable Version(s): ><1.7.0-1+deb9u1
  • Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream libssh2 package. See How to fix? for Debian:9 relevant versions.

An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the _libssh2_packet_require and _libssh2_packet_requirev functions. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

  • Exploit Maturity: no-known-exploit
  • Vulnerable Package: -
  • Current Version: -
  • Vulnerable Version(s): ><2.56.0-2+deb9u2
  • Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream libsoup2.4 package. See How to fix? for Debian:9 relevant versions.

The get_cookies function in soup-cookie-jar.c in libsoup 2.63.2 allows attackers to have unspecified impact via an empty hostname.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

  • Exploit Maturity: no-known-exploit
  • Vulnerable Package: -
  • Current Version: -
  • Vulnerable Version(s): ><7.52.1-5+deb9u6
  • Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream curl package. See How to fix? for Debian:9 relevant versions.

curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content.. This vulnerability appears to have been fixed in curl < 7.20.0 and curl >= 7.60.0.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

  • Exploit Maturity: no-known-exploit
  • Vulnerable Package: -
  • Current Version: -
  • Vulnerable Version(s): ><1.7.0-1+deb9u1
  • Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream libssh2 package. See How to fix? for Debian:9 relevant versions.

An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SFTP packets with empty payloads are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

  • Exploit Maturity: no-known-exploit
  • Vulnerable Package: -
  • Current Version: -
  • Vulnerable Version(s): ><1.7.0-1+deb9u1
  • Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream libssh2 package. See How to fix? for Debian:9 relevant versions.

An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH packets with a padding length value greater than the packet length are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

  • Exploit Maturity: no-known-exploit
  • Vulnerable Package: -
  • Current Version: -
  • Vulnerable Version(s): ><7.52.1-5+deb9u8
  • Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream curl package. See How to fix? for Debian:9 relevant versions.

Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

  • Exploit Maturity: no-known-exploit
  • Vulnerable Package: -
  • Current Version: -
  • Vulnerable Version(s): ><1.7.0-1+deb9u1
  • Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream libssh2 package. See How to fix? for Debian:9 relevant versions.

An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

  • Exploit Maturity: no-known-exploit
  • Vulnerable Package: -
  • Current Version: -
  • Vulnerable Version(s): ><1.7.0-1+deb9u1
  • Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream libssh2 package. See How to fix? for Debian:9 relevant versions.

An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

  • Exploit Maturity: no-known-exploit
  • Vulnerable Package: -
  • Current Version: -
  • Vulnerable Version(s): ><0.8.3-1+deb9u1
  • Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream libbsd package. See How to fix? for Debian:9 relevant versions.

nlist.c in libbsd before 0.10.0 has an out-of-bounds read during a comparison for a symbol name from the string table (strtab).

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

  • Exploit Maturity: no-known-exploit
  • Vulnerable Package: -
  • Current Version: -
  • Vulnerable Version(s): ><2.9.4+dfsg1-2.2+deb9u3
  • Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream libxml2 package. See How to fix? for Debian:9 relevant versions.

The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

  • Exploit Maturity: no-known-exploit
  • Vulnerable Package: -
  • Current Version: -
  • Vulnerable Version(s): ><7.52.1-5+deb9u3
  • Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream curl package. See How to fix? for Debian:9 relevant versions.

The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '[' character.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

  • Exploit Maturity: no-known-exploit
  • Vulnerable Package: -
  • Current Version: -
  • Vulnerable Version(s): ><7.52.1-5+deb9u5
  • Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream curl package. See How to fix? for Debian:9 relevant versions.

A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

  • Exploit Maturity: no-known-exploit
  • Vulnerable Package: -
  • Current Version: -
  • Vulnerable Version(s): ><7.52.1-5+deb9u4
  • Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream curl package. See How to fix? for Debian:9 relevant versions.

libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like : to the target buffer, while this was recently changed to : (a space was added after the colon) but the following math wasn't updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to client write. This could lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

  • Exploit Maturity: no-known-exploit
  • Vulnerable Package: -
  • Current Version: -
  • Vulnerable Version(s): >*
  • Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream sqlite3 package.

SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active

Component Details

  • Exploit Maturity: no-known-exploit
  • Vulnerable Package: -
  • Current Version: -
  • Vulnerable Version(s): >*
  • Vulnerable Path: >null

NVD Description

Note: Versions mentioned in the description apply to the upstream glibc package.

In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.

References

Origin : null Type : null Image Id : null

Snyk Project Status: Active