Findings for Container Security, Critical, [TheRedHatter/javagoof:Dockerfile]:Out-of-Bounds
Created by: armorcodegithubpreprod[bot]
Findings for Container Security, Critical, [TheRedHatter/javagoof:Dockerfile]:Out-of-Bounds
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><5.24.1-3+deb9u5
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream perl
package.
See How to fix?
for Debian:9
relevant versions.
Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
References
- CONFIRM
- CONFIRM
- CVE Details
- Debian Security Advisory
- Debian Security Tracker
- Fedora Security Update
- Gentoo Security Advisory
- GitHub Commit
- MISC
- Netapp Security Advisory
- RedHat Bugzilla Bug
- RHSA Security Advisory
- RHSA Security Advisory
- Security Focus
- Security Tracker
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><5.24.1-3+deb9u5
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream perl
package.
See How to fix?
for Debian:9
relevant versions.
Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
References
- CONFIRM
- CONFIRM
- CONFIRM
- CVE Details
- Debian Security Advisory
- Debian Security Tracker
- Fedora Security Update
- Gentoo Security Advisory
- MISC
- Netapp Security Advisory
- RedHat Bugzilla Bug
- RHSA Security Advisory
- RHSA Security Advisory
- Security Focus
- Security Tracker
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><1.3.5-4+deb9u1
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream libvorbis
package.
See How to fix?
for Debian:9
relevant versions.
Xiph.Org libvorbis 1.3.5 allows Remote Code Execution upon freeing uninitialized memory in the function vorbis_analysis_headerout() in info.c when vi->channels<=0, a similar issue to Mozilla bug 550184.
References
- CVE Details
- Debian Security Advisory
- Debian Security Announcement
- Debian Security Tracker
- MISC
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><2.24-11+deb9u4
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream glibc
package.
See How to fix?
for Debian:9
relevant versions.
The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string.
References
- CONFIRM
- Debian Security Tracker
- RHSA Security Advisory
- RHSA Security Advisory
- Security Focus
- Ubuntu CVE Tracker
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><2.24-11+deb9u4
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream glibc
package.
See How to fix?
for Debian:9
relevant versions.
The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator.
References
- CONFIRM
- CONFIRM
- Debian Security Tracker
- RHSA Security Advisory
- RHSA Security Advisory
- Security Focus
- Ubuntu CVE Tracker
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><6.0+20161126-1+deb9u1
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream ncurses
package.
See How to fix?
for Debian:9
relevant versions.
In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.
References
- CVE Details
- Debian Security Tracker
- Gentoo Security Advisory
- MLIST
- MLIST
- RedHat Bugzilla Bug
- Ubuntu CVE Tracker
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): >*
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream libsndfile
package.
Heap-based Buffer Overflow in the psf_binheader_writef function in common.c in libsndfile through 1.0.28 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.
References
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><2.24-11+deb9u4
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream glibc
package.
See How to fix?
for Debian:9
relevant versions.
An SSE2-optimized memmove implementation for i386 in sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S in the GNU C Library (aka glibc or libc6) 2.21 through 2.27 does not correctly perform the overlapping memory check if the source memory range spans the middle of the address space, resulting in corrupt data being produced by the copy operation. This may disclose information to context-dependent attackers, or result in a denial of service, or, possibly, code execution.
References
- Debian Security Tracker
- MISC
- MISC
- MISC
- Netapp Security Advisory
- Netapp Security Advisory
- UBUNTU
- Ubuntu CVE Tracker
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><7.52.1-5+deb9u2
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream curl
package.
See How to fix?
for Debian:9
relevant versions.
An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the length. The strlen() is called on a heap based buffer that might not be zero terminated so libcurl might read beyond the end of it into whatever memory lies after (or just crash) and then deliver that to the application as if it was actually downloaded.
References
- CONFIRM
- CVE Details
- Debian Security Advisory
- Debian Security Tracker
- Gentoo Security Advisory
- RHSA Security Advisory
- RHSA Security Advisory
- RHSA Security Advisory
- Security Focus
- Security Tracker
- Ubuntu CVE Tracker
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><232-25+deb9u6
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream systemd
package.
See How to fix?
for Debian:9
relevant versions.
A buffer overflow vulnerability in the dhcp6 client of systemd allows a malicious dhcp6 server to overwrite heap memory in systemd-networkd. Affected releases are systemd: versions up to and including 239.
References
- Debian Security Announcement
- Debian Security Tracker
- Gentoo Security Advisory
- GitHub PR
- REDHAT
- RHSA Security Advisory
- RHSA Security Advisory
- Security Focus
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
- Ubuntu Security Advisory
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><1:1.1.14-1+deb9u2
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream libxcursor
package.
See How to fix?
for Debian:9
relevant versions.
_XcursorThemeInherits in library.c in libXcursor before 1.1.15 allows remote attackers to cause denial of service or potentially code execution via a one-byte heap overflow.
References
- Debian Security Announcement
- Debian Security Tracker
- MISC
- MISC
- RHSA Security Advisory
- RHSA Security Advisory
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><7.52.1-5+deb9u8
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream curl
package.
See How to fix?
for Debian:9
relevant versions.
Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.
References
- Apache Security Advisory
- CVE Details
- Debian Security Advisory
- Debian Security Announcement
- Debian Security Tracker
- Gentoo Security Advisory
- GitHub Commit
- MISC
- RedHat Bugzilla Bug
- Security Tracker
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
Origin : null Type : null Image Id : null
Snyk Project Status: Active
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): ><1:4.4-4.1+deb9u1
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream shadow
package.
See How to fix?
for Debian:9
relevant versions.
In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts.
References
- CVE Details
- Debian Bug Report
- Debian Security Tracker
- Gentoo Security Advisory
- GitHub Commit
- https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1266675
- MLIST
- Ubuntu CVE Tracker
Origin : null Type : null Image Id : null
Snyk Project Status: Active