We found security vulnerabilities on several images

We scanned some images with JFrog's Xray image scanner. We found several critical vulnerabilities. Here are the critical vulnerabilities; let us know your feedback about this:

Issue id: XRAY-263045
CVEs: CVE-2022-32221
CVSS3 score: 9.8
Vulnerable Component: alpine://3.15:curl:7.80.0-r3
Summary: When doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent POST request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.
Fixed versions: 7.80.0-r4
Package type: alpine
Severity: Critical
Published: 2022-12-06
Provider: JFrog
Impacted Artifact: docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0
Path: klstg-docker-local/rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress/1.9.0/
Impact Path:
  docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0
  generic://sha256:7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87/sha256__7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87.tar.gz
  alpine://3.15:curl:7.80.0-r3
Artifact Scan Time: 2023-01-26
References:
  HackerOne
  https://security.gentoo.org/glsa/202212-01
Description: same as Summary.

Issue id: XRAY-263045
CVEs: CVE-2022-32221
CVSS3 score: 9.8
Vulnerable Component: alpine://3.15:libcurl:7.80.0-r3
Summary: When doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent POST request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.
Fixed versions: 7.80.0-r4
Package type: alpine
Severity: Critical
Published: 2022-12-06
Provider: JFrog
Impacted Artifact: docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0
Path: klstg-docker-local/rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress/1.9.0/
Impact Path:
  docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0
  generic://sha256:7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87/sha256__7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87.tar.gz
  alpine://3.15:libcurl:7.80.0-r3
Artifact Scan Time: 2023-01-26
References:
  HackerOne
  https://security.gentoo.org/glsa/202212-01
Description: same as Summary.

Issue id: XRAY-260175
CVEs: CVE-2022-42915
CVSS3 score: 9.8
Vulnerable Component: alpine://3.15:curl:7.80.0-r3
Summary: curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.
Fixed versions: 7.80.0-r4
Package type: alpine
Severity: Critical
Published: 2022-10-30
Provider: JFrog
Impacted Artifact: docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0
Path: klstg-docker-local/rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress/1.9.0/
Impact Path:
  docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0
  generic://sha256:7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87/sha256__7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87.tar.gz
  alpine://3.15:curl:7.80.0-r3
Artifact Scan Time: 2023-01-26
References:
  curl - HTTP proxy double-free - CVE-2022-42915
  https://security.gentoo.org/glsa/202212-01
  [SECURITY] Fedora 37 Update: curl-7.85.0-2.fc37 - package-announce - Fedora Mailing-Lists
  [SECURITY] Fedora 35 Update: curl-7.79.1-7.fc35 - package-announce - Fedora Mailing-Lists
  [SECURITY] Fedora 36 Update: curl-7.82.0-9.fc36 - package-announce - Fedora Mailing-Lists
  October 2022 cURL/libcURL Vulnerabilities in NetApp Products | NetApp Product Security
Description: same as Summary.

Issue id: XRAY-260175
CVEs: CVE-2022-42915
CVSS3 score: 9.8
Vulnerable Component: alpine://3.15:libcurl:7.80.0-r3
Summary: curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.
Fixed versions: 7.80.0-r4
Package type: alpine
Severity: Critical
Published: 2022-10-30
Provider: JFrog
Impacted Artifact: docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0
Path: klstg-docker-local/rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress/1.9.0/
Impact Path:
  docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0
  generic://sha256:7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87/sha256__7b23de58e966ba10139bb04d584c00013c89f361818bfe03d8514702488d9e87.tar.gz
  alpine://3.15:libcurl:7.80.0-r3
Artifact Scan Time: 2023-01-26
References:
  curl - HTTP proxy double-free - CVE-2022-42915
  https://security.gentoo.org/glsa/202212-01
  [SECURITY] Fedora 37 Update: curl-7.85.0-2.fc37 - package-announce - Fedora Mailing-Lists
  [SECURITY] Fedora 35 Update: curl-7.79.1-7.fc35 - package-announce - Fedora Mailing-Lists
  [SECURITY] Fedora 36 Update: curl-7.82.0-9.fc36 - package-announce - Fedora Mailing-Lists
  October 2022 cURL/libcURL Vulnerabilities in NetApp Products | NetApp Product Security
Description: same as Summary.

Issue id: XRAY-187759
CVEs: CVE-2021-38297
CVSS3 score: 9.8
Vulnerable Component: go://github.com/golang/go:1.10.3
Summary: Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.
Fixed versions: 1.16.9, 1.17.2
Package type: go
Severity: Critical
Published: 2021-10-19
Provider: JFrog
Impacted Artifact: docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5
Path: klstg-docker-local/rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64/1.5/
Impact Path:
  docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5
  generic://sha256:65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06/sha256__65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06.tar.gz
  generic://sha256:805cc9bffdd53dd04e65042d4df67cc7719682a8579b3ea09089958f2ac708de/server
  go://github.com/golang/go:1.10.3
Artifact Scan Time: 2023-01-26
References:
  [SECURITY] Fedora 35 Update: golang-1.16.11-1.fc35 - package-announce - Fedora Mailing-Lists
  Go: Multiple Vulnerabilities (GLSA 202208-02) — Gentoo security
  Redirecting to Google Groups
  https://groups.google.com/g/golang-announce/c/AEBu9j7yj5A
  CVE-2021-38297 Golang Vulnerability in NetApp Products | NetApp Product Security
  [SECURITY] Fedora 34 Update: golang-1.16.11-1.fc34 - package-announce - Fedora Mailing-Lists
Description: same as Summary.

Issue id: XRAY-85927
CVEs: CVE-2019-14809
CVSS3 score: 9.8
Vulnerable Component: go://github.com/golang/go:1.10.3
Summary: net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.
Fixed versions: 1.11.13, 1.12.8
Package type: go
Severity: Critical
Published: 2019-08-16
Provider: JFrog
Impacted Artifact: docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5
Path: klstg-docker-local/rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64/1.5/
Impact Path:
  docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5
  generic://sha256:65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06/sha256__65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06.tar.gz
  generic://sha256:805cc9bffdd53dd04e65042d4df67cc7719682a8579b3ea09089958f2ac708de/server
  go://github.com/golang/go:1.10.3
Artifact Scan Time: 2023-01-26
References:
  Debian -- Security Information -- DSA-4503-1 golang-1.11
  [SECURITY] Fedora 30 Update: golang-1.12.9-1.fc30 - package-announce - Fedora Mailing-Lists
  [SECURITY] Fedora 29 Update: golang-1.11.13-1.fc29 - package-announce - Fedora Mailing-Lists
  Redirecting to Google Groups
  Red Hat Customer Portal - Access to 24x7 support and knowledge
  [security-announce] openSUSE-SU-2019:2000-1: important: Security update for go1.12 - openSUSE Security Announce - openSUSE Mailing Lists
  [security-announce] openSUSE-SU-2019:2056-1: moderate: Security update for go1.12 - openSUSE Security Announce - openSUSE Mailing Lists
  [security-announce] openSUSE-SU-2019:2072-1: moderate: Security update for go1.11 - openSUSE Security Announce - openSUSE Mailing Lists
  [security-announce] openSUSE-SU-2019:2085-1: moderate: Security update for go1.12 - openSUSE Security Announce - openSUSE Mailing Lists
  [security-announce] openSUSE-SU-2019:2130-1: moderate: Security update for go1.12 - openSUSE Security Announce - openSUSE Mailing Lists
  Redirecting to Google Groups
  Bugtraq: [SECURITY] [DSA 4503-1] golang-1.11 security update
  https://github.com/golang/go/issues/29098
Description: same as Summary.

Issue id: XRAY-82071
CVEs: CVE-2019-11888
CVSS3 score: 9.8
Vulnerable Component: go://github.com/golang/go:1.10.3
Summary: Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows attackers to obtain sensitive information or gain privileges.
Fixed versions: 1.12.6, 1.13beta1
Package type: go
Severity: Critical
Published: 2019-05-20
Provider: JFrog
Impacted Artifact: docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5
Path: klstg-docker-local/rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64/1.5/
Impact Path:
  docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5
  generic://sha256:65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06/sha256__65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06.tar.gz
  generic://sha256:805cc9bffdd53dd04e65042d4df67cc7719682a8579b3ea09089958f2ac708de/server
  go://github.com/golang/go:1.10.3
Artifact Scan Time: 2023-01-26
References:
  https://go-review.googlesource.com/c/go/+/176619
Description: same as Summary.

Issue id: XRAY-124116
CVEs: (none)
CVSS3 score: 9.8
Vulnerable Component: alpine://3.15:openssl:1.1.1q-r0
Summary: OpenSSL crypto/rc5/rc5_skey.c RC5_32_set_key() Function Key Initialization Stack Buffer Overflow
Fixed versions: 3.0.0-r0
Package type: alpine
Severity: Critical
Published: 2020-09-10
Provider: JFrog
Impacted Artifact: docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0
Path: klstg-docker-local/rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress/1.9.0/
Impact Path:
  docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/haproxytech/kubernetes-ingress:1.9.0
  generic://sha256:a68cf3d2a33072abb4411868b105b0872ab5d785f5da16af316ba5961e6e08b0/sha256__a68cf3d2a33072abb4411868b105b0872ab5d785f5da16af316ba5961e6e08b0.tar.gz
  alpine://3.15:openssl:1.1.1q-r0
Artifact Scan Time: 2023-01-26
References:
  17173 - oss-fuzz - OSS-Fuzz: Fuzzing the planet - Monorail
Description: OpenSSL contains an overflow condition in the RC5_32_set_key() function in crypto/rc5/rc5_skey.c that is triggered as certain input is not properly validated when initializing encryption or decryption keys. This may allow a context-dependent attacker to cause a stack-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.

Issue id: XRAY-198036
CVEs: CVE-2022-23806
CVSS3 score: 9.1
Vulnerable Component: go://github.com/golang/go:1.10.3
Summary: Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.
Fixed versions: 1.16.14, 1.17.7
Package type: go
Severity: Critical
Published: 2022-02-14
Provider: JFrog
Impacted Artifact: docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5
Path: klstg-docker-local/rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64/1.5/
Impact Path:
  docker://rakuten/cicd-deployment-images/katana-1.1.0/cloudbees/k8s.gcr.io/defaultbackend-amd64:1.5
  generic://sha256:65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06/sha256__65f4220de95d2e3d12484679abe7bb33323b1fd3ef681d878f1d2bc5abc8ee06.tar.gz
  generic://sha256:805cc9bffdd53dd04e65042d4df67cc7719682a8579b3ea09089958f2ac708de/server
  go://github.com/golang/go:1.10.3
Artifact Scan Time: 2023-01-26
References:
  [SECURITY] [DLA 2986-1] golang-1.8 security update
  Oracle Critical Patch Update Advisory - July 2022
  Go: Multiple Vulnerabilities (GLSA 202208-02) — Gentoo security
  https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
  [SECURITY] [DLA 2985-1] golang-1.7 security update
  February 2022 Golang Vulnerabilities in NetApp Products | NetApp Product Security
Description: same as Summary.

The open source project haproxy is not directly related to the kubernetes ingress controller of haproxytech.

Please report this as a GitHub issue here: