Findings for Container Security, Low, [TheRedHatter/javagoof:exploits/tomcat-rce/Dockerfile]:Improper Validation of Integrity Check Value
Created by: armorcodegithubpreprod[bot]
Findings for Container Security, Low, [TheRedHatter/javagoof:exploits/tomcat-rce/Dockerfile]:Improper Validation of Integrity Check Value
Component Details
- Exploit Maturity: no-known-exploit
- Vulnerable Package: -
- Current Version: -
- Vulnerable Version(s): >*
- Vulnerable Path: >null
NVD Description
Note:
Versions mentioned in the description apply to the upstream curl
package.
When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.
References
Origin : null Type : null Image Id : null
Snyk Project Status: Active