Gitlab runner helper base image vulnerabilities
Using the base image FROM gitlab/gitlab-runner-helper:alpine3.13-x86_64-v14.10.1, the security scan identified the following vulnerabilities:
Vulnerabilities
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS | PUBLISHED | DISCOVERED | DESCRIPTION |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-42915 | critical | 9.80 | curl | 7.79.1-r1 | fixed in 7.87.0-r2 | > 3 months | < 1 hour | curl before 7.86.0 has a double free. If curl is |
| | | | | | > 3 months ago | | | told to use an HTTP proxy for a transfer with a |
| | | | | | | | | non-HTTP(S) URL, it sets up the connection to the |
| | | | | | | | | rem... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-41903 | critical | 9.80 | git | 2.30.3-r0 | fixed in 2.32.6-r0 | 35 days | < 1 hour | Git is a distributed revision control system. |
| | | | | | 28 days ago | | | `git log` can display commits in an arbitrary |
| | | | | | | | | format using its `--format` specifiers. This |
| | | | | | | | | functionality i... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-37434 | critical | 9.80 | zlib | 1.2.11-r3 | fixed in 1.2.12-r2 | > 6 months | < 1 hour | zlib through 1.2.12 has a heap-based buffer |
| | | | | | > 6 months ago | | | over-read or buffer overflow in inflate in |
| | | | | | | | | inflate.c via a large gzip header extra field. |
| | | | | | | | | NOTE: only appli... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-32221 | critical | 9.80 | curl | 7.79.1-r1 | fixed in 7.87.0-r2 | 78 days | < 1 hour | When doing HTTP(S) transfers, libcurl |
| | | | | | 75 days ago | | | might erroneously use the read callback |
| | | | | | | | | (`CURLOPT_READFUNCTION`) to ask for data to send, |
| | | | | | | | | even when the `CURLOPT... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-32207 | critical | 9.80 | curl | 7.79.1-r1 | fixed in 7.79.1-r2 | > 7 months | < 1 hour | When curl < 7.84.0 saves cookies, alt-svc and hsts |
| | | | | | > 7 months ago | | | data to local files, it makes the operation atomic |
| | | | | | | | | by finalizing the operation with a rename from |
| | | | | | | | | a... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-23521 | critical | 9.80 | git | 2.30.3-r0 | fixed in 2.32.6-r0 | 35 days | < 1 hour | Git is a distributed revision control system. |
| | | | | | 27 days ago | | | gitattributes are a mechanism to allow defining |
| | | | | | | | | attributes for paths. These attributes can be |
| | | | | | | | | defined by a... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-38297 | critical | 9.80 | go | 1.15.6 | fixed in 1.17.2, 1.16.9 | > 1 years | < 1 hour | Go before 1.16.9 and 1.17.x before 1.17.2 has a |
| | | | | | > 1 years ago | | | Buffer Overflow via large arguments in a function |
| | | | | | | | | invocation from a WASM module, when GOARCH=wasm |
| | | | | | | | | GOOS... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-23806 | critical | 9.10 | go | 1.15.6 | fixed in 1.17.7, 1.16.14 | > 1 years | < 1 hour | Curve.IsOnCurve in crypto/elliptic in Go before |
| | | | | | > 1 years ago | | | 1.16.14 and 1.17.x before 1.17.7 can incorrectly |
| | | | | | | | | return true in situations with a big.Int value |
| | | | | | | | | that i... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-1587 | critical | 9.10 | pcre2 | 10.36-r0 | fixed in 10.36-r1 | > 9 months | < 1 hour | An out-of-bounds read vulnerability was |
| | | | | | > 9 months ago | | | discovered in the PCRE2 library in the |
| | | | | | | | | get_recurse_data_length() function of the |
| | | | | | | | | pcre2_jit_compile.c file. Thi... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-1586 | critical | 9.10 | pcre2 | 10.36-r0 | fixed in 10.36-r1 | > 9 months | < 1 hour | An out-of-bounds read vulnerability was |
| | | | | | > 9 months ago | | | discovered in the PCRE2 library in the |
| | | | | | | | | compile_xclass_matchingpath() function of the |
| | | | | | | | | pcre2_jit_compile.c file.... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-39260 | high | 8.80 | git | 2.30.3-r0 | fixed in 2.30.6-r0 | > 4 months | < 1 hour | Git is an open source, scalable, distributed |
| | | | | | > 4 months ago | | | revision control system. `git shell` is a |
| | | | | | | | | restricted login shell that can be used to |
| | | | | | | | | implement Git's pus... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-28391 | high | 8.80 | busybox | 1.32.1-r6 | fixed in 1.32.1-r8 | > 10 months | < 1 hour | BusyBox through 1.35.0 allows remote attackers |
| | | | | | > 10 months ago | | | to execute arbitrary code if netstat is used to |
| | | | | | | | | print a DNS PTR record's value to a VT compatible |
| | | | | | | | | term... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-40674 | high | 8.10 | expat | 2.2.10-r6 | fixed in 2.2.10-r7 | > 5 months | < 1 hour | libexpat before 2.4.9 has a use-after-free in the |
| | | | | | > 5 months ago | | | doContent function in xmlparse.c. |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-30580 | high | 7.80 | go | 1.17.7 | fixed in 1.18.3, 1.17.11 | > 6 months | < 1 hour | Code injection in Cmd.Start in os/exec before |
| | | | | | > 6 months ago | | | Go 1.17.11 and Go 1.18.3 allows execution of any |
| | | | | | | | | binaries in the working directory named either |
| | | | | | | | | "..com... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-30580 | high | 7.80 | go | 1.15.6 | fixed in 1.18.3, 1.17.11 | > 6 months | < 1 hour | Code injection in Cmd.Start in os/exec before |
| | | | | | > 6 months ago | | | Go 1.17.11 and Go 1.18.3 allows execution of any |
| | | | | | | | | binaries in the working directory named either |
| | | | | | | | | "..com... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-30065 | high | 7.80 | busybox | 1.32.1-r6 | fixed in 1.32.1-r9 | > 9 months | < 1 hour | A use-after-free in Busybox 1.35-x's awk applet |
| | | | | | > 9 months ago | | | leads to denial of service and possibly code |
| | | | | | | | | execution when processing a crafted awk pattern in |
| | | | | | | | | the c... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-29187 | high | 7.80 | git | 2.30.3-r0 | fixed in 2.30.5-r0 | > 7 months | < 1 hour | Git is a distributed revision control system. Git |
| | | | | | > 7 months ago | | | prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, |
| | | | | | | | | 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable |
| | | | | | | | | ... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2023-0215 | high | 7.50 | openssl | 1.1.1l-r0 | fixed in 1.1.1t-r0 | 14 days | < 1 hour | The public API function BIO_new_NDEF is a helper |
| | | | | | 3 days ago | | | function used for streaming ASN.1 data via a BIO. |
| | | | | | | | | It is primarily used internally to OpenSSL to |
| | | | | | | | | suppo... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-4450 | high | 7.50 | openssl | 1.1.1l-r0 | fixed in 1.1.1t-r0 | 14 days | < 1 hour | The function PEM_read_bio_ex() reads a PEM file |
| | | | | | 3 days ago | | | from a BIO and parses and decodes the "name" |
| | | | | | | | | (e.g. "CERTIFICATE"), any header data and the |
| | | | | | | | | payload... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-43680 | high | 7.50 | expat | 2.2.10-r6 | fixed in 2.2.10-r8 | > 4 months | < 1 hour | In libexpat through 2.4.9, there is a use-after |
| | | | | | > 4 months ago | | | free caused by overeager destruction of a |
| | | | | | | | | shared DTD in XML_ExternalEntityParserCreate in |
| | | | | | | | | out-of-memor... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-43551 | high | 7.50 | curl | 7.79.1-r1 | fixed in 7.87.0-r2 | 61 days | < 1 hour | A vulnerability exists in curl <7.87.0 HSTS |
| | | | | | 48 days ago | | | check that could be bypassed to trick it to keep |
| | | | | | | | | using HTTP. Using its HSTS support, curl can be |
| | | | | | | | | instructe... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-42916 | high | 7.50 | curl | 7.79.1-r1 | fixed in 7.87.0-r2 | > 3 months | < 1 hour | In curl before 7.86.0, the HSTS check could be |
| | | | | | > 3 months ago | | | bypassed to trick it into staying with HTTP. Using |
| | | | | | | | | its HSTS support, curl can be instructed to use |
| | | | | | | | | HTTP... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-41715 | high | 7.50 | go | 1.17.7 | fixed in 1.19.2, 1.18.7 | > 4 months | < 1 hour | Programs which compile regular expressions from |
| | | | | | > 4 months ago | | | untrusted sources may be vulnerable to memory |
| | | | | | | | | exhaustion or denial of service. The parsed regexp |
| | | | | | | | | repre... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-41715 | high | 7.50 | go | 1.15.6 | fixed in 1.19.2, 1.18.7 | > 4 months | < 1 hour | Programs which compile regular expressions from |
| | | | | | > 4 months ago | | | untrusted sources may be vulnerable to memory |
| | | | | | | | | exhaustion or denial of service. The parsed regexp |
| | | | | | | | | repre... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-32189 | high | 7.50 | go | 1.15.6 | fixed in 1.18.5, 1.17.13 | > 6 months | < 1 hour | A too-short encoded message can cause a panic in |
| | | | | | > 6 months ago | | | Float.GobDecode and Rat GobDecode in math/big in |
| | | | | | | | | Go before 1.17.13 and 1.18.5, potentially allowing |
| | | | | | | | | a... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-32189 | high | 7.50 | go | 1.17.7 | fixed in 1.18.5, 1.17.13 | > 6 months | < 1 hour | A too-short encoded message can cause a panic in |
| | | | | | > 6 months ago | | | Float.GobDecode and Rat GobDecode in math/big in |
| | | | | | | | | Go before 1.17.13 and 1.18.5, potentially allowing |
| | | | | | | | | a... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-30635 | high | 7.50 | go | 1.15.6 | fixed in 1.18.4, 1.17.12 | > 6 months | < 1 hour | Uncontrolled recursion in Decoder.Decode in |
| | | | | | > 6 months ago | | | encoding/gob before Go 1.17.12 and Go 1.18.4 |
| | | | | | | | | allows an attacker to cause a panic due to stack |
| | | | | | | | | exhaustion v... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-30635 | high | 7.50 | go | 1.17.7 | fixed in 1.18.4, 1.17.12 | > 6 months | < 1 hour | Uncontrolled recursion in Decoder.Decode in |
| | | | | | > 6 months ago | | | encoding/gob before Go 1.17.12 and Go 1.18.4 |
| | | | | | | | | allows an attacker to cause a panic due to stack |
| | | | | | | | | exhaustion v... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-30633 | high | 7.50 | go | 1.15.6 | fixed in 1.18.4, 1.17.12 | > 6 months | < 1 hour | Uncontrolled recursion in Unmarshal in |
| | | | | | > 6 months ago | | | encoding/xml before Go 1.17.12 and Go 1.18.4 |
| | | | | | | | | allows an attacker to cause a panic due to stack |
| | | | | | | | | exhaustion via un... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-30633 | high | 7.50 | go | 1.17.7 | fixed in 1.18.4, 1.17.12 | > 6 months | < 1 hour | Uncontrolled recursion in Unmarshal in |
| | | | | | > 6 months ago | | | encoding/xml before Go 1.17.12 and Go 1.18.4 |
| | | | | | | | | allows an attacker to cause a panic due to stack |
| | | | | | | | | exhaustion via un... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-30632 | high | 7.50 | go | 1.15.6 | fixed in 1.18.4, 1.17.12 | > 6 months | < 1 hour | Uncontrolled recursion in Glob in path/filepath |
| | | | | | > 6 months ago | | | before Go 1.17.12 and Go 1.18.4 allows an attacker |
| | | | | | | | | to cause a panic due to stack exhaustion via a |
| | | | | | | | | path... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-30632 | high | 7.50 | go | 1.17.7 | fixed in 1.18.4, 1.17.12 | > 6 months | < 1 hour | Uncontrolled recursion in Glob in path/filepath |
| | | | | | > 6 months ago | | | before Go 1.17.12 and Go 1.18.4 allows an attacker |
| | | | | | | | | to cause a panic due to stack exhaustion via a |
| | | | | | | | | path... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-30631 | high | 7.50 | go | 1.15.6 | fixed in 1.18.4, 1.17.12 | > 6 months | < 1 hour | Uncontrolled recursion in Reader.Read in |
| | | | | | > 6 months ago | | | compress/gzip before Go 1.17.12 and Go 1.18.4 |
| | | | | | | | | allows an attacker to cause a panic due to stack |
| | | | | | | | | exhaustion via... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-30631 | high | 7.50 | go | 1.17.7 | fixed in 1.18.4, 1.17.12 | > 6 months | < 1 hour | Uncontrolled recursion in Reader.Read in |
| | | | | | > 6 months ago | | | compress/gzip before Go 1.17.12 and Go 1.18.4 |
| | | | | | | | | allows an attacker to cause a panic due to stack |
| | | | | | | | | exhaustion via... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-30630 | high | 7.50 | go | 1.17.7 | fixed in 1.18.4, 1.17.12 | > 6 months | < 1 hour | Uncontrolled recursion in Glob in io/fs before Go |
| | | | | | > 6 months ago | | | 1.17.12 and Go 1.18.4 allows an attacker to cause |
| | | | | | | | | a panic due to stack exhaustion via a path which |
| | | | | | | | | c... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-30630 | high | 7.50 | go | 1.15.6 | fixed in 1.18.4, 1.17.12 | > 6 months | < 1 hour | Uncontrolled recursion in Glob in io/fs before Go |
| | | | | | > 6 months ago | | | 1.17.12 and Go 1.18.4 allows an attacker to cause |
| | | | | | | | | a panic due to stack exhaustion via a path which |
| | | | | | | | | c... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-2880 | high | 7.50 | go | 1.15.6 | fixed in 1.19.2, 1.18.7 | > 4 months | < 1 hour | Requests forwarded by ReverseProxy include the |
| | | | | | > 4 months ago | | | raw query parameters from the inbound request, |
| | | | | | | | | including unparseable parameters rejected by |
| | | | | | | | | net/http. T... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-2880 | high | 7.50 | go | 1.17.7 | fixed in 1.19.2, 1.18.7 | > 4 months | < 1 hour | Requests forwarded by ReverseProxy include the |
| | | | | | > 4 months ago | | | raw query parameters from the inbound request, |
| | | | | | | | | including unparseable parameters rejected by |
| | | | | | | | | net/http. T... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-2879 | high | 7.50 | go | 1.17.7 | fixed in 1.19.2, 1.18.7 | > 4 months | < 1 hour | Reader.Read does not set a limit on the maximum |
| | | | | | > 4 months ago | | | size of file headers. A maliciously crafted |
| | | | | | | | | archive could cause Read to allocate unbounded |
| | | | | | | | | amounts of ... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-2879 | high | 7.50 | go | 1.15.6 | fixed in 1.19.2, 1.18.7 | > 4 months | < 1 hour | Reader.Read does not set a limit on the maximum |
| | | | | | > 4 months ago | | | size of file headers. A maliciously crafted |
| | | | | | | | | archive could cause Read to allocate unbounded |
| | | | | | | | | amounts of ... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-28327 | high | 7.50 | go | 1.17.7 | fixed in 1.18.1, 1.17.9 | > 10 months | < 1 hour | The generic P-256 feature in crypto/elliptic in |
| | | | | | > 10 months ago | | | Go before 1.17.9 and 1.18.x before 1.18.1 allows a |
| | | | | | | | | panic via long scalar input. |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-28327 | high | 7.50 | go | 1.15.6 | fixed in 1.18.1, 1.17.9 | > 10 months | < 1 hour | The generic P-256 feature in crypto/elliptic in |
| | | | | | > 10 months ago | | | Go before 1.17.9 and 1.18.x before 1.18.1 allows a |
| | | | | | | | | panic via long scalar input. |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-28131 | high | 7.50 | go | 1.15.6 | fixed in 1.18.4, 1.17.12 | > 6 months | < 1 hour | Uncontrolled recursion in Decoder.Skip in |
| | | | | | > 6 months ago | | | encoding/xml before Go 1.17.12 and Go 1.18.4 |
| | | | | | | | | allows an attacker to cause a panic due to stack |
| | | | | | | | | exhaustion via... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-28131 | high | 7.50 | go | 1.17.7 | fixed in 1.18.4, 1.17.12 | > 6 months | < 1 hour | Uncontrolled recursion in Decoder.Skip in |
| | | | | | > 6 months ago | | | encoding/xml before Go 1.17.12 and Go 1.18.4 |
| | | | | | | | | allows an attacker to cause a panic due to stack |
| | | | | | | | | exhaustion via... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-27782 | high | 7.50 | curl | 7.79.1-r1 | fixed in 7.79.1-r2 | > 8 months | < 1 hour | libcurl would reuse a previously created |
| | | | | | > 8 months ago | | | connection even when a TLS or SSH-related option |
| | | | | | | | | had been changed that should have prohibited |
| | | | | | | | | reuse. libcurl ke... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-27781 | high | 7.50 | curl | 7.79.1-r1 | fixed in 7.79.1-r2 | > 8 months | < 1 hour | libcurl provides the `CURLOPT_CERTINFO` option |
| | | | | | > 8 months ago | | | to allow applications to request details to be |
| | | | | | | | | returned about a server's certificate chain. Due |
| | | | | | | | | to an er... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-27664 | high | 7.50 | go | 1.17.7 | fixed in 1.19.1, 1.18.6 | > 5 months | < 1 hour | In net/http in Go before 1.18.6 and 1.19.x before |
| | | | | | > 5 months ago | | | 1.19.1, attackers can cause a denial of service |
| | | | | | | | | because an HTTP/2 connection can hang during |
| | | | | | | | | closing... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-24975 | high | 7.50 | git | 2.30.3-r0 | fixed in 2.36.5-r0 | > 1 years | < 1 hour | The --mirror documentation for Git through 2.35.1 |
| | | | | | > 1 years ago | | | does not mention the availability of deleted |
| | | | | | | | | content, aka the "GitBleed" issue. This could |
| | | | | | | | | present... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-24921 | high | 7.50 | go | 1.17.7 | fixed in 1.17.8, 1.16.15 | > 11 months | < 1 hour | regexp.Compile in Go before 1.16.15 and 1.17.x |
| | | | | | > 11 months ago | | | before 1.17.8 allows stack exhaustion via a deeply |
| | | | | | | | | nested expression. |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-24921 | high | 7.50 | go | 1.15.6 | fixed in 1.17.8, 1.16.15 | > 11 months | < 1 hour | regexp.Compile in Go before 1.16.15 and 1.17.x |
| | | | | | > 11 months ago | | | before 1.17.8 allows stack exhaustion via a deeply |
| | | | | | | | | nested expression. |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-24675 | high | 7.50 | go | 1.17.7 | fixed in 1.18.1, 1.17.9 | > 10 months | < 1 hour | encoding/pem in Go before 1.17.9 and 1.18.x before |
| | | | | | > 10 months ago | | | 1.18.1 has a Decode stack overflow via a large |
| | | | | | | | | amount of PEM data. |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-24675 | high | 7.50 | go | 1.15.6 | fixed in 1.18.1, 1.17.9 | > 10 months | < 1 hour | encoding/pem in Go before 1.17.9 and 1.18.x before |
| | | | | | > 10 months ago | | | 1.18.1 has a Decode stack overflow via a large |
| | | | | | | | | amount of PEM data. |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-23773 | high | 7.50 | go | 1.15.6 | fixed in 1.17.7, 1.16.14 | > 1 years | < 1 hour | cmd/go in Go before 1.16.14 and 1.17.x before |
| | | | | | > 1 years ago | | | 1.17.7 can misinterpret branch names that falsely |
| | | | | | | | | appear to be version tags. This can lead to |
| | | | | | | | | incorrect ... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-23772 | high | 7.50 | go | 1.15.6 | fixed in 1.17.7, 1.16.14 | > 1 years | < 1 hour | Rat.SetString in math/big in Go before 1.16.14 and |
| | | | | | > 1 years ago | | | 1.17.x before 1.17.7 has an overflow that can lead |
| | | | | | | | | to Uncontrolled Memory Consumption. |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-0778 | high | 7.50 | openssl | 1.1.1l-r0 | fixed in 1.1.1n-r0 | > 11 months | < 1 hour | The BN_mod_sqrt() function, which computes a |
| | | | | | > 11 months ago | | | modular square root, contains a bug that can |
| | | | | | | | | cause it to loop forever for non-prime moduli. |
| | | | | | | | | Internally th... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-41772 | high | 7.50 | go | 1.15.6 | fixed in 1.17.3, 1.16.10 | > 1 years | < 1 hour | Go before 1.16.10 and 1.17.x before 1.17.3 allows |
| | | | | | > 1 years ago | | | an archive/zip Reader.Open panic via a crafted |
| | | | | | | | | ZIP archive containing an invalid name or an empty |
| | | | | | | | | fi... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-41771 | high | 7.50 | go | 1.15.6 | fixed in 1.17.3, 1.16.10 | > 1 years | < 1 hour | ImportedSymbols in debug/macho (for Open or |
| | | | | | > 1 years ago | | | OpenFat) in Go before 1.16.10 and 1.17.x before |
| | | | | | | | | 1.17.3 Accesses a Memory Location After the End of |
| | | | | | | | | a Buffe... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-39293 | high | 7.50 | go | 1.15.6 | fixed in 1.17.1, 1.16.8 | > 1 years | < 1 hour | In archive/zip in Go before 1.16.8 and 1.17.x |
| | | | | | > 1 years ago | | | before 1.17.1, a crafted archive header (falsely |
| | | | | | | | | designating that many files are present) can cause |
| | | | | | | | | a Ne... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-33198 | high | 7.50 | go | 1.15.6 | fixed in 1.16.5, 1.15.13 | > 1 years | < 1 hour | In Go before 1.15.13 and 1.16.x before 1.16.5, |
| | | | | | > 1 years ago | | | there can be a panic for a large exponent to the |
| | | | | | | | | math/big.Rat SetString or UnmarshalText method. |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-33196 | high | 7.50 | go | 1.15.6 | fixed in 1.16.5, 1.15.13 | > 1 years | < 1 hour | In archive/zip in Go before 1.15.13 and 1.16.x |
| | | | | | > 1 years ago | | | before 1.16.5, a crafted file count (in an |
| | | | | | | | | archive's header) can cause a NewReader or |
| | | | | | | | | OpenReader panic... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-29923 | high | 7.50 | go | 1.15.6 | fixed in 1.17 | > 1 years | < 1 hour | Go before 1.17 does not properly consider |
| | | | | | > 1 years ago | | | extraneous zero characters at the beginning of |
| | | | | | | | | an IP address octet, which (in some situations) |
| | | | | | | | | allows attack... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-27918 | high | 7.50 | go | 1.15.6 | fixed in 1.16.1, 1.15.9 | > 1 years | < 1 hour | encoding/xml in Go before 1.15.9 and 1.16.x |
| | | | | | > 1 years ago | | | before 1.16.1 has an infinite loop if a custom |
| | | | | | | | | TokenReader (for xml.NewTokenDecoder) returns EOF |
| | | | | | | | | in the mi... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2020-29652 | high | 7.50 | golang.org/x/crypto | v0.0.0-20190426145343-a29dc8fdc734 | fixed in v0.0.0-20201216223049-8b5274cf687f | > 2 years | < 1 hour | A nil pointer dereference in the |
| | | | | | > 1 years ago | | | golang.org/x/crypto/ssh component through |
| | | | | | | | | v0.0.0-20201203163018-be400aefbc4c for Go allows |
| | | | | | | | | remote attackers to cause ... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2018-25032 | high | 7.50 | zlib | 1.2.11-r3 | fixed in 1.2.12-r0 | > 10 months | < 1 hour | zlib before 1.2.12 allows memory corruption when |
| | | | | | > 11 months ago | | | deflating (i.e., when compressing) if the input |
| | | | | | | | | has many distant matches. |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2023-0286 | high | 7.40 | openssl | 1.1.1l-r0 | fixed in 1.1.1t-r0 | 14 days | < 1 hour | There is a type confusion vulnerability relating |
| | | | | | 3 days ago | | | to X.400 address processing inside an X.509 |
| | | | | | | | | GeneralName. X.400 addresses were parsed as an |
| | | | | | | | | ASN1_STRIN... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-33195 | high | 7.30 | go | 1.15.6 | fixed in 1.16.5, 1.15.13 | > 1 years | < 1 hour | Go before 1.15.13 and 1.16.x before 1.16.5 has |
| | | | | | > 1 years ago | | | functions for DNS lookups that do not validate |
| | | | | | | | | replies from DNS servers, and thus a return value |
| | | | | | | | | may co... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-42386 | high | 7.20 | busybox | 1.32.1-r6 | fixed in 1.32.1-r7 | > 1 years | < 1 hour | A use-after-free in Busybox's awk applet leads to |
| | | | | | > 1 years ago | | | denial of service and possibly code execution when |
| | | | | | | | | processing a crafted awk pattern in the nvalloc |
| | | | | | | | | ... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-42385 | high | 7.20 | busybox | 1.32.1-r6 | fixed in 1.32.1-r7 | > 1 years | < 1 hour | A use-after-free in Busybox's awk applet leads |
| | | | | | > 1 years ago | | | to denial of service and possibly code execution |
| | | | | | | | | when processing a crafted awk pattern in the |
| | | | | | | | | evaluate... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-42384 | high | 7.20 | busybox | 1.32.1-r6 | fixed in 1.32.1-r7 | > 1 years | < 1 hour | A use-after-free in Busybox's awk applet leads |
| | | | | | > 1 years ago | | | to denial of service and possibly code execution |
| | | | | | | | | when processing a crafted awk pattern in the |
| | | | | | | | | handle_s... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-42383 | high | 7.20 | busybox | 1.32.1-r6 | fixed in 1.32.1-r7 | > 1 years | < 1 hour | A use-after-free in Busybox's awk applet leads |
| | | | | | > 1 years ago | | | to denial of service and possibly code execution |
| | | | | | | | | when processing a crafted awk pattern in the |
| | | | | | | | | evaluate... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-42382 | high | 7.20 | busybox | 1.32.1-r6 | fixed in 1.32.1-r7 | > 1 years | < 1 hour | A use-after-free in Busybox's awk applet leads |
| | | | | | > 1 years ago | | | to denial of service and possibly code execution |
| | | | | | | | | when processing a crafted awk pattern in the |
| | | | | | | | | getvar_s... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-42381 | high | 7.20 | busybox | 1.32.1-r6 | fixed in 1.32.1-r7 | > 1 years | < 1 hour | A use-after-free in Busybox's awk applet leads |
| | | | | | > 1 years ago | | | to denial of service and possibly code execution |
| | | | | | | | | when processing a crafted awk pattern in the |
| | | | | | | | | hash_ini... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-42380 | high | 7.20 | busybox | 1.32.1-r6 | fixed in 1.32.1-r7 | > 1 years | < 1 hour | A use-after-free in Busybox's awk applet leads to |
| | | | | | > 1 years ago | | | denial of service and possibly code execution when |
| | | | | | | | | processing a crafted awk pattern in the clrvar |
| | | | | | | | | f... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-42379 | high | 7.20 | busybox | 1.32.1-r6 | fixed in 1.32.1-r7 | > 1 years | < 1 hour | A use-after-free in Busybox's awk applet leads |
| | | | | | > 1 years ago | | | to denial of service and possibly code execution |
| | | | | | | | | when processing a crafted awk pattern in the |
| | | | | | | | | next_inp... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-42378 | high | 7.20 | busybox | 1.32.1-r6 | fixed in 1.32.1-r7 | > 1 years | < 1 hour | A use-after-free in Busybox's awk applet leads |
| | | | | | > 1 years ago | | | to denial of service and possibly code execution |
| | | | | | | | | when processing a crafted awk pattern in the |
| | | | | | | | | getvar_i... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-29458 | high | 7.10 | ncurses | 6.2_p20210109-r0 | fixed in 6.2_p20210109-r1 | > 10 months | < 1 hour | ncurses 6.3 before patch 20220416 has an |
| | | | | | > 10 months ago | | | out-of-bounds read and segmentation violation |
| | | | | | | | | in convert_strings in tinfo/read_entry.c in the |
| | | | | | | | | terminfo librar... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-27664 | high | 7.00 | golang.org/x/net | v0.0.0-20220225172249-27dd8689420f | fixed in 0.0.0-20220906165146-f3363e06e74c | > 5 months | < 1 hour | In net/http in Go before 1.18.6 and 1.19.x before |
| | | | | | 4 days ago | | | 1.19.1, attackers can cause a denial of service |
| | | | | | | | | because an HTTP/2 connection can hang during |
| | | | | | | | | closing... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-27191 | high | 7.00 | golang.org/x/crypto | v0.0.0-20220214200702-86341886e292 | fixed in 0.0.0-20220314234659-1baeb1ce4c0b | > 11 months | < 1 hour | The golang.org/x/crypto/ssh package before |
| | | | | | 4 days ago | | | 0.0.0-20220314234659-1baeb1ce4c0b for Go |
| | | | | | | | | allows an attacker to crash a server in certain |
| | | | | | | | | circumstances invo... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-23648 | high | 7.00 | github.com/containerd/containerd | v1.4.3 | fixed in 1.6.1, 1.5.10, 1.4.13 | > 11 months | < 1 hour | containerd is a container runtime available as a |
| | | | | | > 11 months ago | | | daemon for Linux and Windows. A bug was found in |
| | | | | | | | | containerd prior to versions 1.6.1, 1.5.10, and |
| | | | | | | | | 1.14... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-21698 | high | 7.00 | github.com/prometheus/client_golang | v1.1.0 | fixed in 1.11.1 | > 1 years | < 1 hour | client_golang is the instrumentation library for |
| | | | | | 7 days ago | | | Go applications in Prometheus, and the promhttp |
| | | | | | | | | package in client_golang provides tooling around |
| | | | | | | | | HTTP... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-43565 | high | 7.00 | golang.org/x/crypto | v0.0.0-20190426145343-a29dc8fdc734 | fixed in 0.0.0-20211202192323-5770296d904e | > 5 months | < 1 hour | The x/crypto/ssh package before |
| | | | | | 4 days ago | | | 0.0.0-20211202192323-5770296d904e of |
| | | | | | | | | golang.org/x/crypto allows an attacker to panic an |
| | | | | | | | | SSH server. |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
| CVE-2020-9283 | high | 7.00 | golang.org/x/crypto | v0.0.0-20190426145343-a29dc8fdc734 | fixed in 0.0.0-20200220183623-bac4c82f6975 | > 3 years | < 1 hour | golang.org/x/crypto before |
| | | | | | > 1 years ago | | | v0.0.0-20200220183623-bac4c82f6975 for Go allows |
| | | | | | | | | a panic during signature verification in the |
| | | | | | | | | golang.org/x/crypto/ssh packa... |
+----------------+----------+------+-------------------------------------+------------------------------------+---------------------------------------------+-------------+------------+----------------------------------------------------+
Edited by Axel von Bertoldi
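The raw table above is long and repeats the same package many times, which makes it hard to see what actually has to change in the image. The script below is an added example, not part of the original report, of the scanner, or of gitlab-runner: it parses the scanner's fixed-width table (cells delimited by `|`, `+---` separators, wrapped rows whose continuation lines have an empty CVE cell) and collapses it into one upgrade target per package. The names `Finding`, `parse_table`, `version_key` and `remediation_plan` are my own; `SAMPLE_TABLE` is a constructed excerpt that reuses a few rows from the table above with the column padding collapsed, exactly as it appears in the issue. It assumes, as the scanner output above does, that when several fix versions are listed the newest release line comes first.

```python
"""Parse the scanner's vulnerability table into a per-package remediation plan.

Added example for this issue; not part of the original report, the scanner,
or gitlab-runner. Assumes the table layout shown in the issue.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed excerpt in the same layout as the pasted scanner output
# (column padding already collapsed, as in the issue text).
SAMPLE_TABLE = """\
+---+---+---+---+---+---+---+---+---+
| CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS | PUBLISHED | DISCOVERED | DESCRIPTION |
+---+---+---+---+---+---+---+---+---+
| CVE-2022-23772 | high | 7.50 | go | 1.15.6 | fixed in 1.17.7, 1.16.14 | > 1 years | < 1 hour | Rat.SetString in math/big in Go before 1.16.14 and |
| | | | | | > 1 years ago | | | 1.17.x before 1.17.7 has an overflow that can lead |
| | | | | | | | | to Uncontrolled Memory Consumption. |
+---+---+---+---+---+---+---+---+---+
| CVE-2021-33195 | high | 7.30 | go | 1.15.6 | fixed in 1.16.5, 1.15.13 | > 1 years | < 1 hour | Go before 1.15.13 and 1.16.x before 1.16.5 has |
| | | | | | > 1 years ago | | | functions for DNS lookups that do not validate |
+---+---+---+---+---+---+---+---+---+
| CVE-2022-0778 | high | 7.50 | openssl | 1.1.1l-r0 | fixed in 1.1.1n-r0 | > 11 months | < 1 hour | The BN_mod_sqrt() function, which computes a |
| | | | | | > 11 months ago | | | modular square root, contains a bug that can |
+---+---+---+---+---+---+---+---+---+
| CVE-2023-0286 | high | 7.40 | openssl | 1.1.1l-r0 | fixed in 1.1.1t-r0 | 14 days | < 1 hour | There is a type confusion vulnerability relating |
| | | | | | 3 days ago | | | to X.400 address processing inside an X.509 |
+---+---+---+---+---+---+---+---+---+
| CVE-2020-29652 | high | 7.50 | golang.org/x/crypto | v0.0.0-20190426145343-a29dc8fdc734 | fixed in v0.0.0-20201216223049-8b5274cf687f | > 2 years | < 1 hour | A nil pointer dereference in the |
+---+---+---+---+---+---+---+---+---+
| CVE-2022-27191 | high | 7.00 | golang.org/x/crypto | v0.0.0-20220214200702-86341886e292 | fixed in 0.0.0-20220314234659-1baeb1ce4c0b | > 11 months | < 1 hour | The golang.org/x/crypto/ssh package before |
+---+---+---+---+---+---+---+---+---+
"""


@dataclass
class Finding:
    cve: str
    severity: str
    cvss: float
    package: str
    version: str
    fixed_in: list        # versions from "fixed in a, b"; empty if no fix listed
    description: str


def _cells(line):
    """'| a | b |' -> ['a', 'b']; cell padding is not significant."""
    return [c.strip() for c in line.strip("|").split("|")]


def parse_table(text):
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            continue                      # '+---' separators and other noise
        cells = _cells(line)
        if len(cells) != 9 or cells[0] == "CVE":
            continue                      # malformed line or the header row
        if cells[0]:                      # first line of a finding
            status = cells[5]
            fixed_in = ([v.strip() for v in status[len("fixed in"):].split(",")]
                        if status.startswith("fixed in") else [])
            findings.append(Finding(cells[0], cells[1], float(cells[2]),
                                    cells[3], cells[4], fixed_in, cells[8]))
        elif findings and cells[8]:       # wrapped description continues;
            findings[-1].description += " " + cells[8]   # the "N ago" status
    return findings                       # continuation is not needed here


def version_key(v):
    """Loose ordering key for apk (1.1.1n-r0) and Go module versions."""
    parts = re.findall(r"\d+|[A-Za-z]+", v.lstrip("v"))
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def remediation_plan(findings):
    by_pkg = defaultdict(list)
    for f in findings:
        by_pkg[f.package].append(f)
    plan = {}
    for pkg, fs in by_pkg.items():
        # Assumption: the scanner lists the newest release line first, so the
        # highest first-listed fix is one version that closes every finding.
        targets = [f.fixed_in[0] for f in fs if f.fixed_in]
        plan[pkg] = {
            "installed": sorted({f.version for f in fs}),
            "cves": sorted(f.cve for f in fs),
            "worst_cvss": max(f.cvss for f in fs),
            "upgrade_to": max(targets, key=version_key) if targets else None,
            "no_fix": sorted(f.cve for f in fs if not f.fixed_in),
        }
    return plan


if __name__ == "__main__":
    for pkg, p in sorted(remediation_plan(parse_table(SAMPLE_TABLE)).items()):
        print(f"{pkg}: {', '.join(p['installed'])} -> {p['upgrade_to']} "
              f"({len(p['cves'])} CVEs, worst CVSS {p['worst_cvss']})")
```

Two things the grouped view makes obvious that the raw table hides. First, the findings split into two remediation paths: `curl`, `git`, `zlib`, `openssl`, `busybox` and `ncurses` are Alpine packages and are fixed by rebuilding on a newer base (or `apk upgrade` in the Dockerfile), whereas `go`, `golang.org/x/crypto`, `golang.org/x/net`, `containerd` and `client_golang` are compiled into the helper binary and only change when gitlab-runner itself is rebuilt with a newer toolchain and module versions. Second, `golang.org/x/crypto` is reported at two different installed versions, so the scanner is seeing more than one copy of that module in the binary, and a bump of a single `go.mod` line may not clear both findings.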