trivy/integration/testdata/alpine-310-medium-high.json.golden

[
  {
    "Target": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
    "Vulnerabilities": [
      {
        "VulnerabilityID": "CVE-2019-1549",
        "PkgName": "openssl",
        "InstalledVersion": "1.1.1c-r0",
        "FixedVersion": "1.1.1d-r0",
        "LayerID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0",
        "Title": "openssl: information disclosure in fork()",
        "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
        "Severity": "MEDIUM",
        "References": [
          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
          "https://security.netapp.com/advisory/ntap-20190919-0002/",
          "https://support.f5.com/csp/article/K44070243",
          "https://www.openssl.org/news/secadv/20190910.txt"
        ]
      },
      {
        "VulnerabilityID": "CVE-2019-1563",
        "PkgName": "openssl",
        "InstalledVersion": "1.1.1c-r0",
        "FixedVersion": "1.1.1d-r0",
        "LayerID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0",
        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
        "Severity": "MEDIUM",
        "References": [
          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
          "https://seclists.org/bugtraq/2019/Sep/25",
          "https://security.netapp.com/advisory/ntap-20190919-0002/",
          "https://www.openssl.org/news/secadv/20190910.txt"
        ]
      }
    ]
  }
]