mirror of
https://github.com/aquasecurity/trivy.git
synced 2025-12-12 15:50:15 -08:00
aca31dffb3
* detector/alpine: Add LayerID to detect vulns Signed-off-by: Simarpreet Singh <simar@linux.com> * amazon: Add LayerID to DetectedVulns Signed-off-by: Simarpreet Singh <simar@linux.com> * debian: Add LayerID to DetectVulns + tests Signed-off-by: Simarpreet Singh <simar@linux.com> * oracle: Add LayerID to DetectVulns + tests Signed-off-by: Simarpreet Singh <simar@linux.com> * photon: Add LayerID to DetectVulns + tests Signed-off-by: Simarpreet Singh <simar@linux.com> * redhat: Add LayerID to DetectVulns + tests Signed-off-by: Simarpreet Singh <simar@linux.com> * suse: Add LayerID to DetectVulns + tests Signed-off-by: Simarpreet Singh <simar@linux.com> * ubuntu: Add LayerID to DetectVulns + tests Signed-off-by: Simarpreet Singh <simar@linux.com> * integration: Fix integration tests to include LayerID Signed-off-by: Simarpreet Singh <simar@linux.com> * fix(rpc): add layer_id * fix(rpc): insert layer_id to the struct * fix(extractor): add cleanup function * fix(library): add layer ID to detected vulnerabilities * test: update mocks * chore(mod): point to the feature branch of fanal * mod: Point to fanal/master Signed-off-by: Simarpreet Singh <simar@linux.com> * scan_test: Include LayerID as part of the assertion Signed-off-by: Simarpreet Singh <simar@linux.com> * docker_engine_test.go: Update an error message to conform with fanal/master. Signed-off-by: Simarpreet Singh <simar@linux.com> Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
239 lines
16 KiB
Plaintext
239 lines
16 KiB
Plaintext
[
|
|
{
|
|
"Target": "testdata/fixtures/photon-20.tar.gz (photon 2.0)",
|
|
"Vulnerabilities": [
|
|
{
|
|
"VulnerabilityID": "CVE-2019-5481",
|
|
"PkgName": "curl",
|
|
"InstalledVersion": "7.59.0-7.ph2",
|
|
"FixedVersion": "7.59.0-9.ph2",
|
|
"LayerID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66",
|
|
"Title": "curl: double free due to subsequent call of realloc()",
|
|
"Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
|
|
"Severity": "HIGH",
|
|
"References": [
|
|
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
|
|
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
|
|
"https://curl.haxx.se/docs/CVE-2019-5481.html",
|
|
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
|
|
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/"
|
|
]
|
|
},
|
|
{
|
|
"VulnerabilityID": "CVE-2019-5482",
|
|
"PkgName": "curl",
|
|
"InstalledVersion": "7.59.0-7.ph2",
|
|
"FixedVersion": "7.59.0-9.ph2",
|
|
"LayerID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66",
|
|
"Title": "curl: heap buffer overflow in function tftp_receive_packet()",
|
|
"Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
|
|
"Severity": "HIGH",
|
|
"References": [
|
|
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
|
|
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
|
|
"https://curl.haxx.se/docs/CVE-2019-5482.html",
|
|
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482",
|
|
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
|
|
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/"
|
|
]
|
|
},
|
|
{
|
|
"VulnerabilityID": "CVE-2018-16890",
|
|
"PkgName": "curl",
|
|
"InstalledVersion": "7.59.0-7.ph2",
|
|
"FixedVersion": "7.59.0-8.ph2",
|
|
"LayerID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66",
|
|
"Title": "curl: NTLM type-2 heap out-of-bounds buffer read",
|
|
"Description": "libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.",
|
|
"Severity": "MEDIUM",
|
|
"References": [
|
|
"http://www.securityfocus.com/bid/106947",
|
|
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16890",
|
|
"https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf",
|
|
"https://curl.haxx.se/docs/CVE-2018-16890.html",
|
|
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16890",
|
|
"https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E",
|
|
"https://security.netapp.com/advisory/ntap-20190315-0001/",
|
|
"https://usn.ubuntu.com/3882-1/",
|
|
"https://www.debian.org/security/2019/dsa-4386",
|
|
"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
|
|
"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
|
|
]
|
|
},
|
|
{
|
|
"VulnerabilityID": "CVE-2019-5481",
|
|
"PkgName": "curl-libs",
|
|
"InstalledVersion": "7.59.0-7.ph2",
|
|
"FixedVersion": "7.59.0-9.ph2",
|
|
"LayerID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66",
|
|
"Title": "curl: double free due to subsequent call of realloc()",
|
|
"Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
|
|
"Severity": "HIGH",
|
|
"References": [
|
|
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
|
|
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
|
|
"https://curl.haxx.se/docs/CVE-2019-5481.html",
|
|
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
|
|
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/"
|
|
]
|
|
},
|
|
{
|
|
"VulnerabilityID": "CVE-2019-5482",
|
|
"PkgName": "curl-libs",
|
|
"InstalledVersion": "7.59.0-7.ph2",
|
|
"FixedVersion": "7.59.0-9.ph2",
|
|
"LayerID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66",
|
|
"Title": "curl: heap buffer overflow in function tftp_receive_packet()",
|
|
"Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
|
|
"Severity": "HIGH",
|
|
"References": [
|
|
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
|
|
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
|
|
"https://curl.haxx.se/docs/CVE-2019-5482.html",
|
|
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482",
|
|
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
|
|
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/"
|
|
]
|
|
},
|
|
{
|
|
"VulnerabilityID": "CVE-2018-16890",
|
|
"PkgName": "curl-libs",
|
|
"InstalledVersion": "7.59.0-7.ph2",
|
|
"FixedVersion": "7.59.0-8.ph2",
|
|
"LayerID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66",
|
|
"Title": "curl: NTLM type-2 heap out-of-bounds buffer read",
|
|
"Description": "libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.",
|
|
"Severity": "MEDIUM",
|
|
"References": [
|
|
"http://www.securityfocus.com/bid/106947",
|
|
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16890",
|
|
"https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf",
|
|
"https://curl.haxx.se/docs/CVE-2018-16890.html",
|
|
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16890",
|
|
"https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E",
|
|
"https://security.netapp.com/advisory/ntap-20190315-0001/",
|
|
"https://usn.ubuntu.com/3882-1/",
|
|
"https://www.debian.org/security/2019/dsa-4386",
|
|
"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
|
|
"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
|
|
]
|
|
},
|
|
{
|
|
"VulnerabilityID": "CVE-2019-5094",
|
|
"PkgName": "e2fsprogs-libs",
|
|
"InstalledVersion": "1.43.4-2.ph2",
|
|
"FixedVersion": "1.43.4-3.ph2",
|
|
"LayerID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66",
|
|
"Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
|
|
"Severity": "MEDIUM",
|
|
"References": [
|
|
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
|
|
"https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
|
|
"https://seclists.org/bugtraq/2019/Sep/58",
|
|
"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887",
|
|
"https://usn.ubuntu.com/4142-2/",
|
|
"https://www.debian.org/security/2019/dsa-4535"
|
|
]
|
|
},
|
|
{
|
|
"VulnerabilityID": "CVE-2018-20843",
|
|
"PkgName": "expat-libs",
|
|
"InstalledVersion": "2.2.4-1.ph2",
|
|
"FixedVersion": "2.2.4-2.ph2",
|
|
"LayerID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66",
|
|
"Title": "expat: large number of colons in input makes parser consume high amount of resources, leading to DoS",
|
|
"Description": "In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).",
|
|
"Severity": "HIGH",
|
|
"References": [
|
|
"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5226",
|
|
"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931031",
|
|
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843",
|
|
"https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes",
|
|
"https://github.com/libexpat/libexpat/issues/186",
|
|
"https://github.com/libexpat/libexpat/pull/262",
|
|
"https://github.com/libexpat/libexpat/pull/262/commits/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6",
|
|
"https://lists.debian.org/debian-lts-announce/2019/06/msg00028.html",
|
|
"https://seclists.org/bugtraq/2019/Jun/39",
|
|
"https://security.netapp.com/advisory/ntap-20190703-0001/",
|
|
"https://usn.ubuntu.com/4040-1/",
|
|
"https://usn.ubuntu.com/4040-2/",
|
|
"https://www.debian.org/security/2019/dsa-4472"
|
|
]
|
|
},
|
|
{
|
|
"VulnerabilityID": "CVE-2019-13115",
|
|
"PkgName": "libssh2",
|
|
"InstalledVersion": "1.8.2-1.ph2",
|
|
"FixedVersion": "1.9.0-1.ph2",
|
|
"LayerID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66",
|
|
"Title": "libssh2: integer overflow in kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c leads to out-of-bounds write",
|
|
"Description": "In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855.",
|
|
"Severity": "MEDIUM",
|
|
"References": [
|
|
"https://blog.semmle.com/libssh2-integer-overflow/",
|
|
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13115",
|
|
"https://github.com/libssh2/libssh2/compare/02ecf17...42d37aa",
|
|
"https://github.com/libssh2/libssh2/pull/350",
|
|
"https://libssh2.org/changes.html",
|
|
"https://lists.debian.org/debian-lts-announce/2019/07/msg00024.html"
|
|
]
|
|
},
|
|
{
|
|
"VulnerabilityID": "CVE-2019-1563",
|
|
"PkgName": "openssl",
|
|
"InstalledVersion": "1.0.2s-1.ph2",
|
|
"FixedVersion": "1.0.2t-1.ph2",
|
|
"LayerID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66",
|
|
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
|
|
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
|
|
"Severity": "MEDIUM",
|
|
"References": [
|
|
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
|
|
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
|
|
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
|
|
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
|
|
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
|
|
"https://seclists.org/bugtraq/2019/Sep/25",
|
|
"https://security.netapp.com/advisory/ntap-20190919-0002/",
|
|
"https://www.openssl.org/news/secadv/20190910.txt"
|
|
]
|
|
},
|
|
{
|
|
"VulnerabilityID": "CVE-2019-1547",
|
|
"PkgName": "openssl",
|
|
"InstalledVersion": "1.0.2s-1.ph2",
|
|
"FixedVersion": "1.0.2t-1.ph2",
|
|
"LayerID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66",
|
|
"Title": "openssl: side-channel weak encryption vulnerability",
|
|
"Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
|
|
"Severity": "LOW",
|
|
"References": [
|
|
"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
|
|
"https://arxiv.org/abs/1909.01785",
|
|
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
|
|
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
|
|
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
|
|
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
|
|
"https://seclists.org/bugtraq/2019/Sep/25",
|
|
"https://security.netapp.com/advisory/ntap-20190919-0002/",
|
|
"https://www.openssl.org/news/secadv/20190910.txt"
|
|
]
|
|
},
|
|
{
|
|
"VulnerabilityID": "CVE-2019-16168",
|
|
"PkgName": "sqlite-libs",
|
|
"InstalledVersion": "3.27.2-3.ph2",
|
|
"FixedVersion": "3.27.2-5.ph2",
|
|
"LayerID": "sha256:41cdb0d109d6a7cf33d6a439c3d6e586d7dba0be84606066693ea4573a4a9b66",
|
|
"Description": "In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a \"severe division by zero in the query planner.\"",
|
|
"Severity": "MEDIUM",
|
|
"References": [
|
|
"https://security.netapp.com/advisory/ntap-20190926-0003/",
|
|
"https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg116312.html",
|
|
"https://www.sqlite.org/src/info/e4598ecbdd18bd82945f6029013296690e719a62",
|
|
"https://www.sqlite.org/src/timeline?c=98357d8c1263920b"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
] |