We scanned some images with JFrog’s Xray image scanner and found several critical vulnerabilities. They are listed below; please let us know your feedback on them:
Issue id | CVES | CVSS3 score | Vulnerable Component | Summary | Fixed versions | Package type | Severity | Published | Provider | Impacted Artifact | Path | Impact Path | Artifact Scan Time | References | Description |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
XRAY-263045 | CVE-2022-32221 | 9.8 | alpine://3.15:curl:7.80.0-r3 | When doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent POST request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST. | 7.80.0-r4 | alpine | Critical | 2022-12-06 | JFrog | docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0 | klstg-docker-local/rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress/1.9.0/ | docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0 generic://sha256:7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87/sha256__7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87.tar.gz alpine://3.15:curl:7.80.0-r3 | 2023-01-26 | HackerOne https://security.gentoo.org/glsa/202212-01 | When doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent POST request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST. |
XRAY-263045 | CVE-2022-32221 | 9.8 | alpine://3.15:libcurl:7.80.0-r3 | When doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent POST request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST. | 7.80.0-r4 | alpine | Critical | 2022-12-06 | JFrog | docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0 | klstg-docker-local/rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress/1.9.0/ | docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0 generic://sha256:7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87/sha256__7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87.tar.gz alpine://3.15:libcurl:7.80.0-r3 | 2023-01-26 | HackerOne https://security.gentoo.org/glsa/202212-01 | When doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent POST request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST. |
XRAY-260175 | CVE-2022-42915 | 9.8 | alpine://3.15:curl:7.80.0-r3 | curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0. | 7.80.0-r4 | alpine | Critical | 2022-10-30 | JFrog | docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0 | klstg-docker-local/rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress/1.9.0/ | docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0 generic://sha256:7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87/sha256__7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87.tar.gz alpine://3.15:curl:7.80.0-r3 | 2023-01-26 | curl - HTTP proxy double-free - CVE-2022-42915 https://security.gentoo.org/glsa/202212-01 [SECURITY] Fedora 37 Update: curl-7.85.0-2.fc37 - package-announce - Fedora Mailing-Lists [SECURITY] Fedora 35 Update: curl-7.79.1-7.fc35 - package-announce - Fedora Mailing-Lists [SECURITY] Fedora 36 Update: curl-7.82.0-9.fc36 - package-announce - Fedora Mailing-Lists October 2022 cURL/libcURL Vulnerabilities in NetApp Products \| NetApp Product Security | curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0. |
XRAY-260175 | CVE-2022-42915 | 9.8 | alpine://3.15:libcurl:7.80.0-r3 | curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0. | 7.80.0-r4 | alpine | Critical | 2022-10-30 | JFrog | docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0 | klstg-docker-local/rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress/1.9.0/ | docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0 generic://sha256:7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87/sha256__7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87.tar.gz alpine://3.15:libcurl:7.80.0-r3 | 2023-01-26 | curl - HTTP proxy double-free - CVE-2022-42915 https://security.gentoo.org/glsa/202212-01 [SECURITY] Fedora 37 Update: curl-7.85.0-2.fc37 - package-announce - Fedora Mailing-Lists [SECURITY] Fedora 35 Update: curl-7.79.1-7.fc35 - package-announce - Fedora Mailing-Lists [SECURITY] Fedora 36 Update: curl-7.82.0-9.fc36 - package-announce - Fedora Mailing-Lists October 2022 cURL/libcURL Vulnerabilities in NetApp Products \| NetApp Product Security | curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0. |
XRAY-187759 | CVE-2021-38297 | 9.8 | go://github.com/golang/go:1.10.3 | Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used. | 1.16.9 1.17.2 | go | Critical | 2021-10-19 | JFrog | docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5 | klstg-docker-local/rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64/1.5/ | docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5 generic://sha256:65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06/sha256__65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06.tar.gz generic://sha256:805cc9bffdd53dd04e65042d4df67cc7719682a8579b3ea09089958f2ac708de/server go://github.com/golang/go:1.10.3 | 2023-01-26 | [SECURITY] Fedora 35 Update: golang-1.16.11-1.fc35 - package-announce - Fedora Mailing-Lists Go: Multiple Vulnerabilities (GLSA 202208-02) — Gentoo security Redirecting to Google Groups https://groups.google.com/g/golang-announce/c/AEBu9j7yj5A CVE-2021-38297 Golang Vulnerability in NetApp Products \| NetApp Product Security [SECURITY] Fedora 34 Update: golang-1.16.11-1.fc34 - package-announce - Fedora Mailing-Lists | Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used. |
XRAY-85927 | CVE-2019-14809 | 9.8 | go://github.com/golang/go:1.10.3 | net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com. | 1.11.13 1.12.8 | go | Critical | 2019-08-16 | JFrog | docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5 | klstg-docker-local/rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64/1.5/ | docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5 generic://sha256:65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06/sha256__65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06.tar.gz generic://sha256:805cc9bffdd53dd04e65042d4df67cc7719682a8579b3ea09089958f2ac708de/server go://github.com/golang/go:1.10.3 | 2023-01-26 | Debian -- Security Information -- DSA-4503-1 golang-1.11 [SECURITY] Fedora 30 Update: golang-1.12.9-1.fc30 - package-announce - Fedora Mailing-Lists [SECURITY] Fedora 29 Update: golang-1.11.13-1.fc29 - package-announce - Fedora Mailing-Lists Redirecting to Google Groups Red Hat Customer Portal - Access to 24x7 support and knowledge [security-announce] openSUSE-SU-2019:2000-1: important: Security update for go1.12 - openSUSE Security Announce - openSUSE Mailing Lists [security-announce] openSUSE-SU-2019:2056-1: moderate: Security update for go1.12 - openSUSE Security Announce - openSUSE Mailing Lists [security-announce] openSUSE-SU-2019:2072-1: moderate: Security update for go1.11 - openSUSE Security Announce - openSUSE Mailing Lists [security-announce] openSUSE-SU-2019:2085-1: moderate: Security update for go1.12 - openSUSE Security Announce - openSUSE Mailing Lists [security-announce] openSUSE-SU-2019:2130-1: moderate: Security update for go1.12 - openSUSE Security Announce - openSUSE Mailing Lists Redirecting to Google Groups Bugtraq: [SECURITY] [DSA 4503-1] golang-1.11 security update https://github.com/golang/go/issues/29098 | net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com. |
XRAY-82071 | CVE-2019-11888 | 9.8 | go://github.com/golang/go:1.10.3 | Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows attackers to obtain sensitive information or gain privileges. | 1.12.6 1.13beta1 | go | Critical | 2019-05-20 | JFrog | docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5 | klstg-docker-local/rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64/1.5/ | docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5 generic://sha256:65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06/sha256__65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06.tar.gz generic://sha256:805cc9bffdd53dd04e65042d4df67cc7719682a8579b3ea09089958f2ac708de/server go://github.com/golang/go:1.10.3 | 2023-01-26 | https://go-review.googlesource.com/c/go/+/176619 | Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows attackers to obtain sensitive information or gain privileges. |
XRAY-124116 | | 9.8 | alpine://3.15:openssl:1.1.1q-r0 | OpenSSL crypto/rc5/rc5_skey.c RC5_32_set_key() Function Key Initialization Stack Buffer Overflow | 3.0.0-r0 | alpine | Critical | 2020-09-10 | JFrog | docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0 | klstg-docker-local/rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress/1.9.0/ | docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0 generic://sha256:a68cf3d2a33072abb4411868b105b0872ab5d785f5da16af316ba5961e6e08b0/sha256__a68cf3d2a33072abb4411868b105b0872ab5d785f5da16af316ba5961e6e08b0.tar.gz alpine://3.15:openssl:1.1.1q-r0 | 2023-01-26 | 17173 - oss-fuzz - OSS-Fuzz: Fuzzing the planet - Monorail | OpenSSL contains an overflow condition in the RC5_32_set_key() function in crypto/rc5/rc5_skey.c that is triggered as certain input is not properly validated when initializing encryption or decryption keys. This may allow a context-dependent attacker to cause a stack-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. |
XRAY-198036 | CVE-2022-23806 | 9.1 | go://github.com/golang/go:1.10.3 | Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element. | 1.16.14 1.17.7 | go | Critical | 2022-02-14 | JFrog | docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5 | klstg-docker-local/rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64/1.5/ | docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5 generic://sha256:65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06/sha256__65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06.tar.gz generic://sha256:805cc9bffdd53dd04e65042d4df67cc7719682a8579b3ea09089958f2ac708de/server go://github.com/golang/go:1.10.3 | 2023-01-26 | [SECURITY] [DLA 2986-1] golang-1.8 security update Oracle Critical Patch Update Advisory - July 2022 Go: Multiple Vulnerabilities (GLSA 202208-02) — Gentoo security https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ [SECURITY] [DLA 2985-1] golang-1.7 security update February 2022 Golang Vulnerabilities in NetApp Products \| NetApp Product Security | Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element. |