Add cves and recommendation docker scout commands

[ashenm]

No description provided.

[github-actions]

Outdated

Overview

Image reference	ashenm/workspace:latest	ghcr.io/ashenm/workspace/latest
- digest	5c5ee97fbccb	5c5ee97fbccb
- provenance	ba75765	ee05fc8
- vulnerabilities
- platform	linux/arm64	linux/arm64
- size	2.3 GB	2.3 GB
- packages	2892	2892
Base Image	ubuntu:developer also known as: • 20.04 • focal	ubuntu:developer also known as: • 20.04 • focal
- vulnerabilities

[github-actions]

Outdated

Overview

Image reference	ashenm/workspace:stanford-cs143	ghcr.io/ashenm/workspace/stanford-cs143
- digest	01284d847634	01284d847634
- provenance	ba75765	ee05fc8
- vulnerabilities
- platform	linux/arm64	linux/arm64
- size	2.4 GB	2.4 GB
- packages	2963	2963
Base Image	ubuntu:ba75765 also known as: • 20.04 • focal	ubuntu:ee05fc8 also known as: • 20.04 • focal
- vulnerabilities

[github-actions]

Outdated

Overview

Image reference	ashenm/workspace:railsbank	ghcr.io/ashenm/workspace/railsbank
- digest	891ca337708f	891ca337708f
- provenance	ba75765	ee05fc8
- vulnerabilities
- platform	linux/arm64	linux/arm64
- size	2.3 GB	2.3 GB
- packages	3012	3012
Base Image	ubuntu:ba75765 also known as: • 20.04 • focal	ubuntu:ee05fc8 also known as: • 20.04 • focal
- vulnerabilities

[github-actions]

Outdated

Overview

Image reference	ashenm/workspace:secure-agility	ghcr.io/ashenm/workspace/secure-agility
- digest	f2c3607101bb	f2c3607101bb
- provenance	ba75765	ee05fc8
- vulnerabilities
- platform	linux/arm64	linux/arm64
- size	2.3 GB	2.3 GB
- packages	2910	2910
Base Image	ubuntu:ba75765 also known as: • 20.04 • focal	ubuntu:ee05fc8 also known as: • 20.04 • focal
- vulnerabilities

[github-actions]

Outdated

Overview

Image reference	ashenm/workspace:secure-agility	ghcr.io/ashenm/workspace/secure-agility
- digest	0d35853000b2	0d35853000b2
- provenance	ba75765	ee05fc8
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	2.5 GB	2.5 GB
- packages	2941	2941
Base Image	ubuntu:ba75765 also known as: • 20.04 • focal	ubuntu:ee05fc8 also known as: • 20.04 • focal
- vulnerabilities

[github-actions]

Outdated

Overview

Image reference	ashenm/workspace:singlife	ghcr.io/ashenm/workspace/singlife
- digest	dee3adc4ccaa	dee3adc4ccaa
- provenance	ba75765	ee05fc8
- vulnerabilities
- platform	linux/arm64	linux/arm64
- size	2.4 GB	2.4 GB
- packages	2976	2976
Base Image	ubuntu:ba75765 also known as: • 20.04 • focal	ubuntu:ee05fc8 also known as: • 20.04 • focal
- vulnerabilities

[github-actions]

Outdated

Overview

Image reference	ashenm/workspace:singlife	ghcr.io/ashenm/workspace/singlife
- digest	be2a8b2f405c	be2a8b2f405c
- provenance	ba75765	ee05fc8
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	2.6 GB	2.6 GB
- packages	3007	3007
Base Image	ubuntu:ba75765 also known as: • 20.04 • focal	ubuntu:ee05fc8 also known as: • 20.04 • focal
- vulnerabilities

[github-actions]

Outdated

Overview

Image reference	ashenm/workspace:stanford-cs143	ghcr.io/ashenm/workspace/stanford-cs143
- digest	9b03ee453ca7	9b03ee453ca7
- provenance	ba75765	ee05fc8
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	2.6 GB	2.6 GB
- packages	2994	2994
Base Image	ubuntu:ba75765 also known as: • 20.04 • focal	ubuntu:ee05fc8 also known as: • 20.04 • focal
- vulnerabilities

[github-actions]

Outdated

Overview

Image reference	ashenm/workspace:latest	ghcr.io/ashenm/workspace/latest
- digest	d01af0f4b6bb	d01af0f4b6bb
- provenance	ba75765	ee05fc8
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	2.5 GB	2.5 GB
- packages	2923	2923
Base Image	ubuntu:developer also known as: • 20.04 • focal	ubuntu:developer also known as: • 20.04 • focal
- vulnerabilities

[github-actions]

Outdated

Overview

Image reference	ashenm/workspace:railsbank	ghcr.io/ashenm/workspace/railsbank
- digest	946d5cd46e84	946d5cd46e84
- provenance	ba75765	ee05fc8
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	2.5 GB	2.5 GB
- packages	3043	3043
Base Image	ubuntu:ba75765 also known as: • 20.04 • focal	ubuntu:ee05fc8 also known as: • 20.04 • focal
- vulnerabilities

[github-actions]

Outdated

🔍 Vulnerabilities of ghcr.io/ashenm/workspace/latest@sha256:3210e1450f3e47a5956f43583f20f796d74717598c1570f618b8e4390026a301

📦 Image Reference ghcr.io/ashenm/workspace/latest@sha256:3210e1450f3e47a5956f43583f20f796d74717598c1570f618b8e4390026a301

digest	sha256:5c5ee97fbccbc0c95eabd774f069b3146130cbb93ea08b8b5083e19431251504
vulnerabilities
size	2.3 GB
packages	2892

📦 Base Image ubuntu:20.04

also known as	focal focal-20240216
digest	sha256:4aa61d4985265be6d872cc214016f2f91a77b1c925dab5ce502db2edc4a7e5af
vulnerabilities

cgi 0.3.1 (gem) pkg:gem/cgi@0.3.1 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=0.3.1 Fixed version 0.3.2 CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00815 EPSS Percentile 0.81413 Description CGI.escape_html in Ruby has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. Interpretation Conflict Affected range >=0.3.0 <0.3.5 Fixed version 0.3.5 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00336 EPSS Percentile 0.70716 Description Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This issue has been patched in versions 0.3.5, 0.2.2 and 0.1.0.2.

execa 1.0.0 (npm) pkg:npm/execa@1.0.0 # Dockerfile (184:197) RUN npm install --global \ artillery \ eslint \ eslint-plugin-html \ heroku \ jest \ nodemon \ prettier \ ts-node \ typescript && \ npm install --global --unsafe-perm \ ngrok && \ rm --recursive --force $HOME/.ngrok && \ npm cache clean --force OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

rvm 1.11.3.9 (gem) pkg:gem/rvm@1.11.3.9 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.28.0 Fixed version 1.29.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.01138 EPSS Percentile 0.8441 Description RVM automatically loads environment variables from files in $PWD resulting in command execution.

execa 0.10.0 (npm) pkg:npm/execa@0.10.0 # Dockerfile (184:197) RUN npm install --global \ artillery \ eslint \ eslint-plugin-html \ heroku \ jest \ nodemon \ prettier \ ts-node \ typescript && \ npm install --global --unsafe-perm \ ngrok && \ rm --recursive --force $HOME/.ngrok && \ npm cache clean --force OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

linux 5.4.0-173.191 (deb) pkg:deb/ubuntu/linux@5.4.0-173.191?os_distro=focal&os_name=ubuntu&os_version=20.04 # Dockerfile (21:26) RUN curl --silent --fail --show-error --location 'https://packagecloud.io/github/git-lfs/gpgkey' | \ apt-key --keyring /usr/share/keyrings/packagecloud.io.gpg add - && \ echo "deb [signed-by=/usr/share/keyrings/packagecloud.io.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $(lsb_release --short --codename) main" | \ tee /etc/apt/sources.list.d/github-git-lfs.list && \ echo "deb-src [signed-by=/usr/share/keyrings/packagecloud.io.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $(lsb_release --short --codename) main" | \ tee --append /etc/apt/sources.list.d/github-git-lfs.list Affected range <5.4.0-174.193 Fixed version 5.4.0-174.193 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00042 EPSS Percentile 0.05352 Description A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. Affected range >=0 Fixed version Not Fixed CVSS Score 4.7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00042 EPSS Percentile 0.05352 Description A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.

pygments 2.3.1 (pypi) pkg:pypi/pygments@2.3.1 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 Uncontrolled Resource Consumption Affected range >=1.1 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00958 EPSS Percentile 0.82901 Description In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.5 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00282 EPSS Percentile 0.67853 Description An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

cryptography 41.0.6 (pypi) pkg:pypi/cryptography@41.0.6 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00045 EPSS Percentile 0.12923 Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00098 EPSS Percentile 0.39712 Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

httpie 1.0.3 (pypi) pkg:pypi/httpie@1.0.3 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 Improper Certificate Validation Affected range <=3.2.2 Fixed version Not Fixed CVSS Score 7.4 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.0006 EPSS Percentile 0.23675 Description Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

setuptools 41.2.0 (pypi) pkg:pypi/setuptools@41.2.0 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 Inefficient Regular Expression Complexity Affected range <65.5.1 Fixed version 65.5.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00323 EPSS Percentile 0.7009 Description Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index. This has been patched in version 65.5.1.

http-cache-semantics 3.8.1 (npm) pkg:npm/http-cache-semantics@3.8.1 # Dockerfile (184:197) RUN npm install --global \ artillery \ eslint \ eslint-plugin-html \ heroku \ jest \ nodemon \ prettier \ ts-node \ typescript && \ npm install --global --unsafe-perm \ ngrok && \ rm --recursive --force $HOME/.ngrok && \ npm cache clean --force Inefficient Regular Expression Complexity Affected range <4.1.1 Fixed version 4.1.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00105 EPSS Percentile 0.41808 Description http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

certifi 2019.11.28 (pypi) pkg:pypi/certifi@2019.11.28 # Dockerfile (21:26) RUN curl --silent --fail --show-error --location 'https://packagecloud.io/github/git-lfs/gpgkey' | \ apt-key --keyring /usr/share/keyrings/packagecloud.io.gpg add - && \ echo "deb [signed-by=/usr/share/keyrings/packagecloud.io.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $(lsb_release --short --codename) main" | \ tee /etc/apt/sources.list.d/github-git-lfs.list && \ echo "deb-src [signed-by=/usr/share/keyrings/packagecloud.io.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $(lsb_release --short --codename) main" | \ tee --append /etc/apt/sources.list.d/github-git-lfs.list Insufficient Verification of Data Authenticity Affected range >=2015.4.28 <2023.7.22 Fixed version 2023.7.22 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N EPSS Score 0.00059 EPSS Percentile 0.22886 Description Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found here.

net.sourceforge.plantuml/plantuml 0.0.0 (maven) pkg:maven/net.sourceforge.plantuml/plantuml@0.0.0 # Dockerfile (137:142) RUN mkdir --parents /usr/local/share/java && \ curl --silent --fail --show-error --location 'https://sourceforge.net/projects/ditaa/files/latest/download' | \ bsdtar -xf - -s '/ditaa.*\.jar/ditaa.jar/' --directory /usr/local/share/java '*.jar' && \ curl --silent --fail --show-error --location --output /usr/local/share/java/plantuml.jar 'http://sourceforge.net/projects/plantuml/files/plantuml.jar/download' && \ curl --silent --fail --show-error --location --output - 'https://downloads.sourceforge.net/project/saxon/Saxon-HE/9.9/SaxonHE9-9-1-6J.zip' | \ bsdtar -xf - -s '/saxon.*\.jar/saxon.jar/' --directory /usr/local/share/java 'saxon9he.jar' Server-Side Request Forgery (SSRF) Affected range <1.2023.9 Fixed version 1.2023.9 CVSS Score 7.2 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N EPSS Score 0.00067 EPSS Percentile 0.27578 Description Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.

printf 0.3.0 (npm) pkg:npm/printf@0.3.0 # Dockerfile (184:197) RUN npm install --global \ artillery \ eslint \ eslint-plugin-html \ heroku \ jest \ nodemon \ prettier \ ts-node \ typescript && \ npm install --global --unsafe-perm \ ngrok && \ rm --recursive --force $HOME/.ngrok && \ npm cache clean --force Uncontrolled Resource Consumption Affected range <0.6.1 Fixed version 0.6.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00197 EPSS Percentile 0.56603 Description The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity.

github.com/cloudflare/circl 1.3.3 (golang) pkg:golang/github.com/cloudflare/circl@1.3.3 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 Affected range <1.3.7 Fixed version 1.3.7 Description Impact On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key. Does not apply to ephemeral usage, such as when used in the regular way in TLS. Patches Patched in 1.3.7. References kyberslash.cr.yp.to

async 1.5.0 (npm) pkg:npm/async@1.5.0 # Dockerfile (184:197) RUN npm install --global \ artillery \ eslint \ eslint-plugin-html \ heroku \ jest \ nodemon \ prettier \ ts-node \ typescript && \ npm install --global --unsafe-perm \ ngrok && \ rm --recursive --force $HOME/.ngrok && \ npm cache clean --force OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.6.4 Fixed version 2.6.4, 3.2.2 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.00132 EPSS Percentile 0.47272 Description A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

uri 0.11.0 (gem) pkg:gem/uri@0.11.0 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 Inefficient Regular Expression Complexity Affected range >=0.11.0 <0.11.1 Fixed version 0.11.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

urllib3 1.25.8 (pypi) pkg:pypi/urllib3@1.25.8 # Dockerfile (21:26) RUN curl --silent --fail --show-error --location 'https://packagecloud.io/github/git-lfs/gpgkey' | \ apt-key --keyring /usr/share/keyrings/packagecloud.io.gpg add - && \ echo "deb [signed-by=/usr/share/keyrings/packagecloud.io.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $(lsb_release --short --codename) main" | \ tee /etc/apt/sources.list.d/github-git-lfs.list && \ echo "deb-src [signed-by=/usr/share/keyrings/packagecloud.io.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $(lsb_release --short --codename) main" | \ tee --append /etc/apt/sources.list.d/github-git-lfs.list Uncontrolled Resource Consumption Affected range >=1.25.4 <1.26.5 Fixed version 1.26.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00292 EPSS Percentile 0.68486 Description Impact When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Patches The issue has been fixed in urllib3 v1.26.5. References CVE-2021-33503 JVNVU#92413403 (English) JVNVU#92413403 (Japanese) urllib3 v1.26.5 For more information If you have any questions or comments about this advisory: Ask in our community Discord Email sethmichaellarson@gmail.com

time 0.2.0 (gem) pkg:gem/time@0.2.0 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 Inefficient Regular Expression Complexity Affected range >=0.2.0 <0.2.2 Fixed version 0.2.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

[github-actions]

Outdated

🔍 Vulnerabilities of ghcr.io/ashenm/workspace/secure-agility@sha256:dc035c4125f0b69846e01ac81cf2bbc1153cf131edeb75ffb97e1f78b2a4347e

📦 Image Reference ghcr.io/ashenm/workspace/secure-agility@sha256:dc035c4125f0b69846e01ac81cf2bbc1153cf131edeb75ffb97e1f78b2a4347e

digest	sha256:f2c3607101bbf3046c991b0168772d870d0ffdd1138cbd2bef4c416a78bc565b
vulnerabilities
size	2.3 GB
packages	2910

📦 Base Image ubuntu:20.04

also known as	focal focal-20240216
digest	sha256:4aa61d4985265be6d872cc214016f2f91a77b1c925dab5ce502db2edc4a7e5af
vulnerabilities

cgi 0.3.1 (gem) pkg:gem/cgi@0.3.1 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=0.3.1 Fixed version 0.3.2 CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00815 EPSS Percentile 0.81413 Description CGI.escape_html in Ruby has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. Interpretation Conflict Affected range >=0.3.0 <0.3.5 Fixed version 0.3.5 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00336 EPSS Percentile 0.70716 Description Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This issue has been patched in versions 0.3.5, 0.2.2 and 0.1.0.2.

execa 0.10.0 (npm) pkg:npm/execa@0.10.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

rvm 1.11.3.9 (gem) pkg:gem/rvm@1.11.3.9 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.28.0 Fixed version 1.29.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.01138 EPSS Percentile 0.8441 Description RVM automatically loads environment variables from files in $PWD resulting in command execution.

execa 1.0.0 (npm) pkg:npm/execa@1.0.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

linux 5.4.0-173.191 (deb) pkg:deb/ubuntu/linux@5.4.0-173.191?os_distro=focal&os_name=ubuntu&os_version=20.04 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Affected range <5.4.0-174.193 Fixed version 5.4.0-174.193 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00042 EPSS Percentile 0.05352 Description A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. Affected range >=0 Fixed version Not Fixed CVSS Score 4.7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00042 EPSS Percentile 0.05352 Description A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.

pygments 2.3.1 (pypi) pkg:pypi/pygments@2.3.1 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Uncontrolled Resource Consumption Affected range >=1.1 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00958 EPSS Percentile 0.82901 Description In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.5 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00282 EPSS Percentile 0.67853 Description An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

cryptography 41.0.6 (pypi) pkg:pypi/cryptography@41.0.6 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00045 EPSS Percentile 0.12923 Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00098 EPSS Percentile 0.39712 Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

uri 0.11.0 (gem) pkg:gem/uri@0.11.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Inefficient Regular Expression Complexity Affected range >=0.11.0 <0.11.1 Fixed version 0.11.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

async 1.5.0 (npm) pkg:npm/async@1.5.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.6.4 Fixed version 2.6.4, 3.2.2 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.00132 EPSS Percentile 0.47272 Description A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

urllib3 1.25.8 (pypi) pkg:pypi/urllib3@1.25.8 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Uncontrolled Resource Consumption Affected range >=1.25.4 <1.26.5 Fixed version 1.26.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00292 EPSS Percentile 0.68486 Description Impact When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Patches The issue has been fixed in urllib3 v1.26.5. References CVE-2021-33503 JVNVU#92413403 (English) JVNVU#92413403 (Japanese) urllib3 v1.26.5 For more information If you have any questions or comments about this advisory: Ask in our community Discord Email sethmichaellarson@gmail.com

setuptools 41.2.0 (pypi) pkg:pypi/setuptools@41.2.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Inefficient Regular Expression Complexity Affected range <65.5.1 Fixed version 65.5.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00323 EPSS Percentile 0.7009 Description Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index. This has been patched in version 65.5.1.

httpie 1.0.3 (pypi) pkg:pypi/httpie@1.0.3 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Improper Certificate Validation Affected range <=3.2.2 Fixed version Not Fixed CVSS Score 7.4 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.0006 EPSS Percentile 0.23675 Description Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

printf 0.3.0 (npm) pkg:npm/printf@0.3.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Uncontrolled Resource Consumption Affected range <0.6.1 Fixed version 0.6.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00197 EPSS Percentile 0.56603 Description The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity.

http-cache-semantics 3.8.1 (npm) pkg:npm/http-cache-semantics@3.8.1 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Inefficient Regular Expression Complexity Affected range <4.1.1 Fixed version 4.1.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00105 EPSS Percentile 0.41808 Description http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

github.com/cloudflare/circl 1.3.3 (golang) pkg:golang/github.com/cloudflare/circl@1.3.3 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Affected range <1.3.7 Fixed version 1.3.7 Description Impact On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key. Does not apply to ephemeral usage, such as when used in the regular way in TLS. Patches Patched in 1.3.7. References kyberslash.cr.yp.to

time 0.2.0 (gem) pkg:gem/time@0.2.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Inefficient Regular Expression Complexity Affected range >=0.2.0 <0.2.2 Fixed version 0.2.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

certifi 2019.11.28 (pypi) pkg:pypi/certifi@2019.11.28 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Insufficient Verification of Data Authenticity Affected range >=2015.4.28 <2023.7.22 Fixed version 2023.7.22 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N EPSS Score 0.00059 EPSS Percentile 0.22886 Description Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found here.

net.sourceforge.plantuml/plantuml 0.0.0 (maven) pkg:maven/net.sourceforge.plantuml/plantuml@0.0.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Server-Side Request Forgery (SSRF) Affected range <1.2023.9 Fixed version 1.2023.9 CVSS Score 7.2 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N EPSS Score 0.00067 EPSS Percentile 0.27578 Description Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.

[github-actions]

Outdated

🔍 Vulnerabilities of ghcr.io/ashenm/workspace/stanford-cs143@sha256:aa2bd0cf8c52de20eb04df306bc7bdc424470aa43447213366aa178d9a0b9e48

📦 Image Reference ghcr.io/ashenm/workspace/stanford-cs143@sha256:aa2bd0cf8c52de20eb04df306bc7bdc424470aa43447213366aa178d9a0b9e48

digest	sha256:01284d8476346e41580af098e94f4e467dc227d301fb20b895695a9001234423
vulnerabilities
size	2.4 GB
packages	2963

📦 Base Image ubuntu:20.04

also known as	focal focal-20240216
digest	sha256:4aa61d4985265be6d872cc214016f2f91a77b1c925dab5ce502db2edc4a7e5af
vulnerabilities

cgi 0.3.1 (gem) pkg:gem/cgi@0.3.1 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=0.3.1 Fixed version 0.3.2 CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00815 EPSS Percentile 0.81413 Description CGI.escape_html in Ruby has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. Interpretation Conflict Affected range >=0.3.0 <0.3.5 Fixed version 0.3.5 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00336 EPSS Percentile 0.70716 Description Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This issue has been patched in versions 0.3.5, 0.2.2 and 0.1.0.2.

execa 0.10.0 (npm) pkg:npm/execa@0.10.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

execa 1.0.0 (npm) pkg:npm/execa@1.0.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

rvm 1.11.3.9 (gem) pkg:gem/rvm@1.11.3.9 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.28.0 Fixed version 1.29.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.01138 EPSS Percentile 0.8441 Description RVM automatically loads environment variables from files in $PWD resulting in command execution.

linux 5.4.0-173.191 (deb) pkg:deb/ubuntu/linux@5.4.0-173.191?os_distro=focal&os_name=ubuntu&os_version=20.04 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Affected range <5.4.0-174.193 Fixed version 5.4.0-174.193 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00042 EPSS Percentile 0.05352 Description A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. Affected range >=0 Fixed version Not Fixed CVSS Score 4.7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00042 EPSS Percentile 0.05352 Description A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.

cryptography 41.0.6 (pypi) pkg:pypi/cryptography@41.0.6 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00045 EPSS Percentile 0.12923 Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00098 EPSS Percentile 0.39712 Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

pygments 2.3.1 (pypi) pkg:pypi/pygments@2.3.1 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Uncontrolled Resource Consumption Affected range >=1.1 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00958 EPSS Percentile 0.82901 Description In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.5 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00282 EPSS Percentile 0.67853 Description An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

time 0.2.0 (gem) pkg:gem/time@0.2.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Inefficient Regular Expression Complexity Affected range >=0.2.0 <0.2.2 Fixed version 0.2.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

urllib3 1.25.8 (pypi) pkg:pypi/urllib3@1.25.8 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Uncontrolled Resource Consumption Affected range >=1.25.4 <1.26.5 Fixed version 1.26.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00292 EPSS Percentile 0.68486 Description Impact When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Patches The issue has been fixed in urllib3 v1.26.5. References CVE-2021-33503 JVNVU#92413403 (English) JVNVU#92413403 (Japanese) urllib3 v1.26.5 For more information If you have any questions or comments about this advisory: Ask in our community Discord Email sethmichaellarson@gmail.com

setuptools 41.2.0 (pypi) pkg:pypi/setuptools@41.2.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Inefficient Regular Expression Complexity Affected range <65.5.1 Fixed version 65.5.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00323 EPSS Percentile 0.7009 Description Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index. This has been patched in version 65.5.1.

http-cache-semantics 3.8.1 (npm) pkg:npm/http-cache-semantics@3.8.1 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Inefficient Regular Expression Complexity Affected range <4.1.1 Fixed version 4.1.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00105 EPSS Percentile 0.41808 Description http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

certifi 2019.11.28 (pypi) pkg:pypi/certifi@2019.11.28 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Insufficient Verification of Data Authenticity Affected range >=2015.4.28 <2023.7.22 Fixed version 2023.7.22 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N EPSS Score 0.00059 EPSS Percentile 0.22886 Description Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found here.

httpie 1.0.3 (pypi) pkg:pypi/httpie@1.0.3 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Improper Certificate Validation Affected range <=3.2.2 Fixed version Not Fixed CVSS Score 7.4 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.0006 EPSS Percentile 0.23675 Description Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

async 1.5.0 (npm) pkg:npm/async@1.5.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.6.4 Fixed version 2.6.4, 3.2.2 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.00132 EPSS Percentile 0.47272 Description A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

printf 0.3.0 (npm) pkg:npm/printf@0.3.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Uncontrolled Resource Consumption Affected range <0.6.1 Fixed version 0.6.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00197 EPSS Percentile 0.56603 Description The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity.

github.com/cloudflare/circl 1.3.3 (golang) pkg:golang/github.com/cloudflare/circl@1.3.3 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Affected range <1.3.7 Fixed version 1.3.7 Description Impact On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key. Does not apply to ephemeral usage, such as when used in the regular way in TLS. Patches Patched in 1.3.7. References kyberslash.cr.yp.to

uri 0.11.0 (gem) pkg:gem/uri@0.11.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Inefficient Regular Expression Complexity Affected range >=0.11.0 <0.11.1 Fixed version 0.11.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

net.sourceforge.plantuml/plantuml 0.0.0 (maven) pkg:maven/net.sourceforge.plantuml/plantuml@0.0.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Server-Side Request Forgery (SSRF) Affected range <1.2023.9 Fixed version 1.2023.9 CVSS Score 7.2 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N EPSS Score 0.00067 EPSS Percentile 0.27578 Description Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.

[github-actions]

Outdated

🔍 Vulnerabilities of ghcr.io/ashenm/workspace/railsbank@sha256:5d7cff68b8f2b722ed67ec7498120f8c6f1e6b1be7ef7c64c632db83fff047c4

📦 Image Reference ghcr.io/ashenm/workspace/railsbank@sha256:5d7cff68b8f2b722ed67ec7498120f8c6f1e6b1be7ef7c64c632db83fff047c4

digest	sha256:891ca337708f8901812e22aceb284cee6cc0d446e03be4c113ddcba26376e91c
vulnerabilities
size	2.3 GB
packages	3012

📦 Base Image ubuntu:20.04

also known as	focal focal-20240216
digest	sha256:4aa61d4985265be6d872cc214016f2f91a77b1c925dab5ce502db2edc4a7e5af
vulnerabilities

cgi 0.3.1 (gem) pkg:gem/cgi@0.3.1 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=0.3.1 Fixed version 0.3.2 CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00815 EPSS Percentile 0.81413 Description CGI.escape_html in Ruby has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. Interpretation Conflict Affected range >=0.3.0 <0.3.5 Fixed version 0.3.5 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00336 EPSS Percentile 0.70716 Description Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This issue has been patched in versions 0.3.5, 0.2.2 and 0.1.0.2.

execa 1.0.0 (npm) pkg:npm/execa@1.0.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

rvm 1.11.3.9 (gem) pkg:gem/rvm@1.11.3.9 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.28.0 Fixed version 1.29.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.01138 EPSS Percentile 0.8441 Description RVM automatically loads environment variables from files in $PWD resulting in command execution.

execa 0.10.0 (npm) pkg:npm/execa@0.10.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

linux 5.4.0-173.191 (deb) pkg:deb/ubuntu/linux@5.4.0-173.191?os_distro=focal&os_name=ubuntu&os_version=20.04 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Affected range <5.4.0-174.193 Fixed version 5.4.0-174.193 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00042 EPSS Percentile 0.05352 Description A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. Affected range >=0 Fixed version Not Fixed CVSS Score 4.7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00042 EPSS Percentile 0.05352 Description A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.

pygments 2.3.1 (pypi) pkg:pypi/pygments@2.3.1 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Uncontrolled Resource Consumption Affected range >=1.1 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00958 EPSS Percentile 0.82901 Description In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.5 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00282 EPSS Percentile 0.67853 Description An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

cryptography 41.0.6 (pypi) pkg:pypi/cryptography@41.0.6 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00045 EPSS Percentile 0.12923 Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00098 EPSS Percentile 0.39712 Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

http-cache-semantics 3.8.1 (npm) pkg:npm/http-cache-semantics@3.8.1 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Inefficient Regular Expression Complexity Affected range <4.1.1 Fixed version 4.1.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00105 EPSS Percentile 0.41808 Description http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

net.sourceforge.plantuml/plantuml 0.0.0 (maven) pkg:maven/net.sourceforge.plantuml/plantuml@0.0.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Server-Side Request Forgery (SSRF) Affected range <1.2023.9 Fixed version 1.2023.9 CVSS Score 7.2 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N EPSS Score 0.00067 EPSS Percentile 0.27578 Description Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.

urllib3 1.25.8 (pypi) pkg:pypi/urllib3@1.25.8 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Uncontrolled Resource Consumption Affected range >=1.25.4 <1.26.5 Fixed version 1.26.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00292 EPSS Percentile 0.68486 Description Impact When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Patches The issue has been fixed in urllib3 v1.26.5. References CVE-2021-33503 JVNVU#92413403 (English) JVNVU#92413403 (Japanese) urllib3 v1.26.5 For more information If you have any questions or comments about this advisory: Ask in our community Discord Email sethmichaellarson@gmail.com

certifi 2019.11.28 (pypi) pkg:pypi/certifi@2019.11.28 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Insufficient Verification of Data Authenticity Affected range >=2015.4.28 <2023.7.22 Fixed version 2023.7.22 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N EPSS Score 0.00059 EPSS Percentile 0.22886 Description Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found here.

time 0.2.0 (gem) pkg:gem/time@0.2.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Inefficient Regular Expression Complexity Affected range >=0.2.0 <0.2.2 Fixed version 0.2.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

async 1.5.0 (npm) pkg:npm/async@1.5.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.6.4 Fixed version 2.6.4, 3.2.2 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.00132 EPSS Percentile 0.47272 Description A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

httpie 1.0.3 (pypi) pkg:pypi/httpie@1.0.3 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Improper Certificate Validation Affected range <=3.2.2 Fixed version Not Fixed CVSS Score 7.4 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.0006 EPSS Percentile 0.23675 Description Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

setuptools 41.2.0 (pypi) pkg:pypi/setuptools@41.2.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Inefficient Regular Expression Complexity Affected range <65.5.1 Fixed version 65.5.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00323 EPSS Percentile 0.7009 Description Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index. This has been patched in version 65.5.1.

printf 0.3.0 (npm) pkg:npm/printf@0.3.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Uncontrolled Resource Consumption Affected range <0.6.1 Fixed version 0.6.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00197 EPSS Percentile 0.56603 Description The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity.

uri 0.11.0 (gem) pkg:gem/uri@0.11.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Inefficient Regular Expression Complexity Affected range >=0.11.0 <0.11.1 Fixed version 0.11.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

github.com/cloudflare/circl 1.3.3 (golang) pkg:golang/github.com/cloudflare/circl@1.3.3 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Affected range <1.3.7 Fixed version 1.3.7 Description Impact On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key. Does not apply to ephemeral usage, such as when used in the regular way in TLS. Patches Patched in 1.3.7. References kyberslash.cr.yp.to

[github-actions]

Outdated

🔍 Vulnerabilities of ghcr.io/ashenm/workspace/singlife@sha256:f7d43d7a532aa8b3bae0bbbae82c091d65e55e6e755acbdc9df6da66a974307a

📦 Image Reference ghcr.io/ashenm/workspace/singlife@sha256:f7d43d7a532aa8b3bae0bbbae82c091d65e55e6e755acbdc9df6da66a974307a

digest	sha256:dee3adc4ccaa8ad9a0803d76d1321f9a722c8334edb5031daae6e52738772757
vulnerabilities
size	2.4 GB
packages	2976

📦 Base Image ubuntu:20.04

also known as	focal focal-20240216
digest	sha256:4aa61d4985265be6d872cc214016f2f91a77b1c925dab5ce502db2edc4a7e5af
vulnerabilities

cgi 0.3.1 (gem) pkg:gem/cgi@0.3.1 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=0.3.1 Fixed version 0.3.2 CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00815 EPSS Percentile 0.81413 Description CGI.escape_html in Ruby has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. Interpretation Conflict Affected range >=0.3.0 <0.3.5 Fixed version 0.3.5 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00336 EPSS Percentile 0.70716 Description Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This issue has been patched in versions 0.3.5, 0.2.2 and 0.1.0.2.

rvm 1.11.3.9 (gem) pkg:gem/rvm@1.11.3.9 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.28.0 Fixed version 1.29.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.01138 EPSS Percentile 0.8441 Description RVM automatically loads environment variables from files in $PWD resulting in command execution.

execa 1.0.0 (npm) pkg:npm/execa@1.0.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

execa 0.10.0 (npm) pkg:npm/execa@0.10.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

linux 5.4.0-173.191 (deb) pkg:deb/ubuntu/linux@5.4.0-173.191?os_distro=focal&os_name=ubuntu&os_version=20.04 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Affected range <5.4.0-174.193 Fixed version 5.4.0-174.193 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00042 EPSS Percentile 0.05352 Description A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. Affected range >=0 Fixed version Not Fixed CVSS Score 4.7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00042 EPSS Percentile 0.05352 Description A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.

pygments 2.3.1 (pypi) pkg:pypi/pygments@2.3.1 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Uncontrolled Resource Consumption Affected range >=1.1 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00958 EPSS Percentile 0.82901 Description In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.5 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00282 EPSS Percentile 0.67853 Description An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

cryptography 41.0.6 (pypi) pkg:pypi/cryptography@41.0.6 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00045 EPSS Percentile 0.12923 Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00098 EPSS Percentile 0.39712 Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

printf 0.3.0 (npm) pkg:npm/printf@0.3.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Uncontrolled Resource Consumption Affected range <0.6.1 Fixed version 0.6.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00197 EPSS Percentile 0.56603 Description The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity.

github.com/cloudflare/circl 1.3.3 (golang) pkg:golang/github.com/cloudflare/circl@1.3.3 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Affected range <1.3.7 Fixed version 1.3.7 Description Impact On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key. Does not apply to ephemeral usage, such as when used in the regular way in TLS. Patches Patched in 1.3.7. References kyberslash.cr.yp.to

http-cache-semantics 3.8.1 (npm) pkg:npm/http-cache-semantics@3.8.1 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Inefficient Regular Expression Complexity Affected range <4.1.1 Fixed version 4.1.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00105 EPSS Percentile 0.41808 Description http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

httpie 1.0.3 (pypi) pkg:pypi/httpie@1.0.3 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Improper Certificate Validation Affected range <=3.2.2 Fixed version Not Fixed CVSS Score 7.4 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.0006 EPSS Percentile 0.23675 Description Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

stdlib 1.20.11 (golang) pkg:golang/stdlib@1.20.11 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Affected range >=1.20.11 <1.20.12 Fixed version 1.20.12 EPSS Score 0.00098 EPSS Percentile 0.3977 Description The filepath package does not recognize paths with a ??\ prefix as special. On Windows, a path beginning with ??\ is a Root Local Device path equivalent to a path beginning with \?. Paths with a ??\ prefix may be used to access arbitrary locations on the system. For example, the path ??\c:\x is equivalent to the more common path c:\x. Before fix, Clean could convert a rooted path such as \a..??\b into the root local device path ??\b. Clean will now convert this to .??\b. Similarly, Join(, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path ??\b. Join will now convert this to .??\b. In addition, with fix, IsAbs now correctly reports paths beginning with ??\ as absolute, and VolumeName correctly reports the ??\ prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with ?, resulting in filepath.Clean(?\c:) returning ?\c: rather than ?\c:\ (among other effects). The previous behavior has been restored.

certifi 2019.11.28 (pypi) pkg:pypi/certifi@2019.11.28 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Insufficient Verification of Data Authenticity Affected range >=2015.4.28 <2023.7.22 Fixed version 2023.7.22 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N EPSS Score 0.00059 EPSS Percentile 0.22886 Description Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found here.

urllib3 1.25.8 (pypi) pkg:pypi/urllib3@1.25.8 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Uncontrolled Resource Consumption Affected range >=1.25.4 <1.26.5 Fixed version 1.26.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00292 EPSS Percentile 0.68486 Description Impact When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Patches The issue has been fixed in urllib3 v1.26.5. References CVE-2021-33503 JVNVU#92413403 (English) JVNVU#92413403 (Japanese) urllib3 v1.26.5 For more information If you have any questions or comments about this advisory: Ask in our community Discord Email sethmichaellarson@gmail.com

async 1.5.0 (npm) pkg:npm/async@1.5.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.6.4 Fixed version 2.6.4, 3.2.2 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.00132 EPSS Percentile 0.47272 Description A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

setuptools 41.2.0 (pypi) pkg:pypi/setuptools@41.2.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Inefficient Regular Expression Complexity Affected range <65.5.1 Fixed version 65.5.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00323 EPSS Percentile 0.7009 Description Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index. This has been patched in version 65.5.1.

net.sourceforge.plantuml/plantuml 0.0.0 (maven) pkg:maven/net.sourceforge.plantuml/plantuml@0.0.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Server-Side Request Forgery (SSRF) Affected range <1.2023.9 Fixed version 1.2023.9 CVSS Score 7.2 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N EPSS Score 0.00067 EPSS Percentile 0.27578 Description Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.

time 0.2.0 (gem) pkg:gem/time@0.2.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Inefficient Regular Expression Complexity Affected range >=0.2.0 <0.2.2 Fixed version 0.2.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

uri 0.11.0 (gem) pkg:gem/uri@0.11.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Inefficient Regular Expression Complexity Affected range >=0.11.0 <0.11.1 Fixed version 0.11.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

[github-actions]

Outdated

🔍 Vulnerabilities of ghcr.io/ashenm/workspace/secure-agility@sha256:b060fb047bb6e384bab664591652b8610a11758abb2c7bde0e078718de5a96c1

📦 Image Reference ghcr.io/ashenm/workspace/secure-agility@sha256:b060fb047bb6e384bab664591652b8610a11758abb2c7bde0e078718de5a96c1

digest	sha256:0d35853000b2b76dd555e1e66f224850d1d9e625db98d740979db4d7126e4a4d
vulnerabilities
size	2.5 GB
packages	2941

📦 Base Image ubuntu:20.04

also known as	focal focal-20240216
digest	sha256:48c35f3de33487442af224ed4aabac19fd9bfbd91ee90e9471d412706b20ba73
vulnerabilities

cgi 0.3.1 (gem) pkg:gem/cgi@0.3.1 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=0.3.1 Fixed version 0.3.2 CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00815 EPSS Percentile 0.81413 Description CGI.escape_html in Ruby has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. Interpretation Conflict Affected range >=0.3.0 <0.3.5 Fixed version 0.3.5 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00336 EPSS Percentile 0.70716 Description Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This issue has been patched in versions 0.3.5, 0.2.2 and 0.1.0.2.

execa 0.10.0 (npm) pkg:npm/execa@0.10.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

rvm 1.11.3.9 (gem) pkg:gem/rvm@1.11.3.9 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.28.0 Fixed version 1.29.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.01138 EPSS Percentile 0.8441 Description RVM automatically loads environment variables from files in $PWD resulting in command execution.

execa 1.0.0 (npm) pkg:npm/execa@1.0.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

linux 5.4.0-173.191 (deb) pkg:deb/ubuntu/linux@5.4.0-173.191?os_distro=focal&os_name=ubuntu&os_version=20.04 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Affected range <5.4.0-174.193 Fixed version 5.4.0-174.193 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00042 EPSS Percentile 0.05352 Description A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. Affected range >=0 Fixed version Not Fixed CVSS Score 4.7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00042 EPSS Percentile 0.05352 Description A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.

cryptography 41.0.7 (pypi) pkg:pypi/cryptography@41.0.7 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00045 EPSS Percentile 0.12923 Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00098 EPSS Percentile 0.39712 Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

cryptography 41.0.6 (pypi) pkg:pypi/cryptography@41.0.6 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00045 EPSS Percentile 0.12923 Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00098 EPSS Percentile 0.39712 Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

pygments 2.3.1 (pypi) pkg:pypi/pygments@2.3.1 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Uncontrolled Resource Consumption Affected range >=1.1 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00958 EPSS Percentile 0.82901 Description In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.5 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00282 EPSS Percentile 0.67853 Description An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

certifi 2019.11.28 (pypi) pkg:pypi/certifi@2019.11.28 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Insufficient Verification of Data Authenticity Affected range >=2015.4.28 <2023.7.22 Fixed version 2023.7.22 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N EPSS Score 0.00059 EPSS Percentile 0.22886 Description Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found here.

urllib3 1.25.8 (pypi) pkg:pypi/urllib3@1.25.8 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Uncontrolled Resource Consumption Affected range >=1.25.4 <1.26.5 Fixed version 1.26.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00292 EPSS Percentile 0.68486 Description Impact When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Patches The issue has been fixed in urllib3 v1.26.5. References CVE-2021-33503 JVNVU#92413403 (English) JVNVU#92413403 (Japanese) urllib3 v1.26.5 For more information If you have any questions or comments about this advisory: Ask in our community Discord Email sethmichaellarson@gmail.com

net.sourceforge.plantuml/plantuml 0.0.0 (maven) pkg:maven/net.sourceforge.plantuml/plantuml@0.0.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Server-Side Request Forgery (SSRF) Affected range <1.2023.9 Fixed version 1.2023.9 CVSS Score 7.2 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N EPSS Score 0.00067 EPSS Percentile 0.27578 Description Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.

uri 0.11.0 (gem) pkg:gem/uri@0.11.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Inefficient Regular Expression Complexity Affected range >=0.11.0 <0.11.1 Fixed version 0.11.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

httpie 1.0.3 (pypi) pkg:pypi/httpie@1.0.3 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Improper Certificate Validation Affected range <=3.2.2 Fixed version Not Fixed CVSS Score 7.4 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.0006 EPSS Percentile 0.23675 Description Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

github.com/cloudflare/circl 1.3.3 (golang) pkg:golang/github.com/cloudflare/circl@1.3.3 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Affected range <1.3.7 Fixed version 1.3.7 Description Impact On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key. Does not apply to ephemeral usage, such as when used in the regular way in TLS. Patches Patched in 1.3.7. References kyberslash.cr.yp.to

async 1.5.0 (npm) pkg:npm/async@1.5.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.6.4 Fixed version 2.6.4, 3.2.2 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.00132 EPSS Percentile 0.47272 Description A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

http-cache-semantics 3.8.1 (npm) pkg:npm/http-cache-semantics@3.8.1 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Inefficient Regular Expression Complexity Affected range <4.1.1 Fixed version 4.1.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00105 EPSS Percentile 0.41808 Description http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

printf 0.3.0 (npm) pkg:npm/printf@0.3.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Uncontrolled Resource Consumption Affected range <0.6.1 Fixed version 0.6.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00197 EPSS Percentile 0.56603 Description The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity.

setuptools 41.2.0 (pypi) pkg:pypi/setuptools@41.2.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Inefficient Regular Expression Complexity Affected range <65.5.1 Fixed version 65.5.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00323 EPSS Percentile 0.7009 Description Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index. This has been patched in version 65.5.1.

time 0.2.0 (gem) pkg:gem/time@0.2.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Inefficient Regular Expression Complexity Affected range >=0.2.0 <0.2.2 Fixed version 0.2.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

[github-actions]

Outdated

🔍 Vulnerabilities of ghcr.io/ashenm/workspace/singlife@sha256:eb326a623055b002e232668d4b5a9a66c3e57a1f57c162c4eb297f35ea334484

📦 Image Reference ghcr.io/ashenm/workspace/singlife@sha256:eb326a623055b002e232668d4b5a9a66c3e57a1f57c162c4eb297f35ea334484

digest	sha256:be2a8b2f405cfbf8b7c16ec8300af95365fb0c40b69209d44314e1c67500e795
vulnerabilities
size	2.6 GB
packages	3007

📦 Base Image ubuntu:20.04

also known as	focal focal-20240216
digest	sha256:48c35f3de33487442af224ed4aabac19fd9bfbd91ee90e9471d412706b20ba73
vulnerabilities

cgi 0.3.1 (gem) pkg:gem/cgi@0.3.1 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=0.3.1 Fixed version 0.3.2 CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00815 EPSS Percentile 0.81413 Description CGI.escape_html in Ruby has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. Interpretation Conflict Affected range >=0.3.0 <0.3.5 Fixed version 0.3.5 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00336 EPSS Percentile 0.70716 Description Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This issue has been patched in versions 0.3.5, 0.2.2 and 0.1.0.2.

rvm 1.11.3.9 (gem) pkg:gem/rvm@1.11.3.9 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.28.0 Fixed version 1.29.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.01138 EPSS Percentile 0.8441 Description RVM automatically loads environment variables from files in $PWD resulting in command execution.

execa 0.10.0 (npm) pkg:npm/execa@0.10.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

execa 1.0.0 (npm) pkg:npm/execa@1.0.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

pygments 2.3.1 (pypi) pkg:pypi/pygments@2.3.1 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Uncontrolled Resource Consumption Affected range >=1.1 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00958 EPSS Percentile 0.82901 Description In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.5 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00282 EPSS Percentile 0.67853 Description An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

linux 5.4.0-173.191 (deb) pkg:deb/ubuntu/linux@5.4.0-173.191?os_distro=focal&os_name=ubuntu&os_version=20.04 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Affected range <5.4.0-174.193 Fixed version 5.4.0-174.193 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00042 EPSS Percentile 0.05352 Description A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. Affected range >=0 Fixed version Not Fixed CVSS Score 4.7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00042 EPSS Percentile 0.05352 Description A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.

cryptography 41.0.6 (pypi) pkg:pypi/cryptography@41.0.6 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00045 EPSS Percentile 0.12923 Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00098 EPSS Percentile 0.39712 Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

cryptography 41.0.7 (pypi) pkg:pypi/cryptography@41.0.7 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00045 EPSS Percentile 0.12923 Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00098 EPSS Percentile 0.39712 Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

stdlib 1.20.11 (golang) pkg:golang/stdlib@1.20.11 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Affected range >=1.20.11 <1.20.12 Fixed version 1.20.12 EPSS Score 0.00098 EPSS Percentile 0.3977 Description The filepath package does not recognize paths with a ??\ prefix as special. On Windows, a path beginning with ??\ is a Root Local Device path equivalent to a path beginning with \?. Paths with a ??\ prefix may be used to access arbitrary locations on the system. For example, the path ??\c:\x is equivalent to the more common path c:\x. Before fix, Clean could convert a rooted path such as \a..??\b into the root local device path ??\b. Clean will now convert this to .??\b. Similarly, Join(, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path ??\b. Join will now convert this to .??\b. In addition, with fix, IsAbs now correctly reports paths beginning with ??\ as absolute, and VolumeName correctly reports the ??\ prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with ?, resulting in filepath.Clean(?\c:) returning ?\c: rather than ?\c:\ (among other effects). The previous behavior has been restored.

net.sourceforge.plantuml/plantuml 0.0.0 (maven) pkg:maven/net.sourceforge.plantuml/plantuml@0.0.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Server-Side Request Forgery (SSRF) Affected range <1.2023.9 Fixed version 1.2023.9 CVSS Score 7.2 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N EPSS Score 0.00067 EPSS Percentile 0.27578 Description Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.

httpie 1.0.3 (pypi) pkg:pypi/httpie@1.0.3 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Improper Certificate Validation Affected range <=3.2.2 Fixed version Not Fixed CVSS Score 7.4 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.0006 EPSS Percentile 0.23675 Description Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

async 1.5.0 (npm) pkg:npm/async@1.5.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.6.4 Fixed version 2.6.4, 3.2.2 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.00132 EPSS Percentile 0.47272 Description A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

certifi 2019.11.28 (pypi) pkg:pypi/certifi@2019.11.28 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Insufficient Verification of Data Authenticity Affected range >=2015.4.28 <2023.7.22 Fixed version 2023.7.22 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N EPSS Score 0.00059 EPSS Percentile 0.22886 Description Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found here.

http-cache-semantics 3.8.1 (npm) pkg:npm/http-cache-semantics@3.8.1 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Inefficient Regular Expression Complexity Affected range <4.1.1 Fixed version 4.1.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00105 EPSS Percentile 0.41808 Description http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

uri 0.11.0 (gem) pkg:gem/uri@0.11.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Inefficient Regular Expression Complexity Affected range >=0.11.0 <0.11.1 Fixed version 0.11.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

github.com/cloudflare/circl 1.3.3 (golang) pkg:golang/github.com/cloudflare/circl@1.3.3 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Affected range <1.3.7 Fixed version 1.3.7 Description Impact On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key. Does not apply to ephemeral usage, such as when used in the regular way in TLS. Patches Patched in 1.3.7. References kyberslash.cr.yp.to

urllib3 1.25.8 (pypi) pkg:pypi/urllib3@1.25.8 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Uncontrolled Resource Consumption Affected range >=1.25.4 <1.26.5 Fixed version 1.26.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00292 EPSS Percentile 0.68486 Description Impact When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Patches The issue has been fixed in urllib3 v1.26.5. References CVE-2021-33503 JVNVU#92413403 (English) JVNVU#92413403 (Japanese) urllib3 v1.26.5 For more information If you have any questions or comments about this advisory: Ask in our community Discord Email sethmichaellarson@gmail.com

time 0.2.0 (gem) pkg:gem/time@0.2.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Inefficient Regular Expression Complexity Affected range >=0.2.0 <0.2.2 Fixed version 0.2.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

printf 0.3.0 (npm) pkg:npm/printf@0.3.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Uncontrolled Resource Consumption Affected range <0.6.1 Fixed version 0.6.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00197 EPSS Percentile 0.56603 Description The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity.

setuptools 41.2.0 (pypi) pkg:pypi/setuptools@41.2.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Inefficient Regular Expression Complexity Affected range <65.5.1 Fixed version 65.5.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00323 EPSS Percentile 0.7009 Description Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index. This has been patched in version 65.5.1.

[github-actions]

Outdated

🔍 Vulnerabilities of ghcr.io/ashenm/workspace/stanford-cs143@sha256:d9b48e94a3ea6b87df6a06bc41f2cbd21dfce4c0a5db0c3bab665ced20af95a9

📦 Image Reference ghcr.io/ashenm/workspace/stanford-cs143@sha256:d9b48e94a3ea6b87df6a06bc41f2cbd21dfce4c0a5db0c3bab665ced20af95a9

digest	sha256:9b03ee453ca794ccfc026fc9850b86f69bf350fdf55d39e663b9e46beb78dfe2
vulnerabilities
size	2.6 GB
packages	2994

📦 Base Image ubuntu:20.04

also known as	focal focal-20240216
digest	sha256:48c35f3de33487442af224ed4aabac19fd9bfbd91ee90e9471d412706b20ba73
vulnerabilities

cgi 0.3.1 (gem) pkg:gem/cgi@0.3.1 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=0.3.1 Fixed version 0.3.2 CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00815 EPSS Percentile 0.81413 Description CGI.escape_html in Ruby has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. Interpretation Conflict Affected range >=0.3.0 <0.3.5 Fixed version 0.3.5 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00336 EPSS Percentile 0.70716 Description Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This issue has been patched in versions 0.3.5, 0.2.2 and 0.1.0.2.

execa 0.10.0 (npm) pkg:npm/execa@0.10.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

execa 1.0.0 (npm) pkg:npm/execa@1.0.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

rvm 1.11.3.9 (gem) pkg:gem/rvm@1.11.3.9 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.28.0 Fixed version 1.29.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.01138 EPSS Percentile 0.8441 Description RVM automatically loads environment variables from files in $PWD resulting in command execution.

cryptography 41.0.7 (pypi) pkg:pypi/cryptography@41.0.7 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00045 EPSS Percentile 0.12923 Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00098 EPSS Percentile 0.39712 Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

cryptography 41.0.6 (pypi) pkg:pypi/cryptography@41.0.6 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00045 EPSS Percentile 0.12923 Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00098 EPSS Percentile 0.39712 Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

pygments 2.3.1 (pypi) pkg:pypi/pygments@2.3.1 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Uncontrolled Resource Consumption Affected range >=1.1 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00958 EPSS Percentile 0.82901 Description In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.5 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00282 EPSS Percentile 0.67853 Description An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

linux 5.4.0-173.191 (deb) pkg:deb/ubuntu/linux@5.4.0-173.191?os_distro=focal&os_name=ubuntu&os_version=20.04 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Affected range <5.4.0-174.193 Fixed version 5.4.0-174.193 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00042 EPSS Percentile 0.05352 Description A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. Affected range >=0 Fixed version Not Fixed CVSS Score 4.7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00042 EPSS Percentile 0.05352 Description A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.

httpie 1.0.3 (pypi) pkg:pypi/httpie@1.0.3 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Improper Certificate Validation Affected range <=3.2.2 Fixed version Not Fixed CVSS Score 7.4 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.0006 EPSS Percentile 0.23675 Description Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

printf 0.3.0 (npm) pkg:npm/printf@0.3.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Uncontrolled Resource Consumption Affected range <0.6.1 Fixed version 0.6.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00197 EPSS Percentile 0.56603 Description The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity.

net.sourceforge.plantuml/plantuml 0.0.0 (maven) pkg:maven/net.sourceforge.plantuml/plantuml@0.0.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Server-Side Request Forgery (SSRF) Affected range <1.2023.9 Fixed version 1.2023.9 CVSS Score 7.2 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N EPSS Score 0.00067 EPSS Percentile 0.27578 Description Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.

time 0.2.0 (gem) pkg:gem/time@0.2.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Inefficient Regular Expression Complexity Affected range >=0.2.0 <0.2.2 Fixed version 0.2.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

setuptools 41.2.0 (pypi) pkg:pypi/setuptools@41.2.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Inefficient Regular Expression Complexity Affected range <65.5.1 Fixed version 65.5.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00323 EPSS Percentile 0.7009 Description Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index. This has been patched in version 65.5.1.

certifi 2019.11.28 (pypi) pkg:pypi/certifi@2019.11.28 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Insufficient Verification of Data Authenticity Affected range >=2015.4.28 <2023.7.22 Fixed version 2023.7.22 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N EPSS Score 0.00059 EPSS Percentile 0.22886 Description Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found here.

async 1.5.0 (npm) pkg:npm/async@1.5.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.6.4 Fixed version 2.6.4, 3.2.2 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.00132 EPSS Percentile 0.47272 Description A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

github.com/cloudflare/circl 1.3.3 (golang) pkg:golang/github.com/cloudflare/circl@1.3.3 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Affected range <1.3.7 Fixed version 1.3.7 Description Impact On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key. Does not apply to ephemeral usage, such as when used in the regular way in TLS. Patches Patched in 1.3.7. References kyberslash.cr.yp.to

urllib3 1.25.8 (pypi) pkg:pypi/urllib3@1.25.8 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Uncontrolled Resource Consumption Affected range >=1.25.4 <1.26.5 Fixed version 1.26.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00292 EPSS Percentile 0.68486 Description Impact When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Patches The issue has been fixed in urllib3 v1.26.5. References CVE-2021-33503 JVNVU#92413403 (English) JVNVU#92413403 (Japanese) urllib3 v1.26.5 For more information If you have any questions or comments about this advisory: Ask in our community Discord Email sethmichaellarson@gmail.com

http-cache-semantics 3.8.1 (npm) pkg:npm/http-cache-semantics@3.8.1 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Inefficient Regular Expression Complexity Affected range <4.1.1 Fixed version 4.1.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00105 EPSS Percentile 0.41808 Description http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

uri 0.11.0 (gem) pkg:gem/uri@0.11.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Inefficient Regular Expression Complexity Affected range >=0.11.0 <0.11.1 Fixed version 0.11.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

[github-actions]

Outdated

🔍 Vulnerabilities of ghcr.io/ashenm/workspace/latest@sha256:a35168d68f9cc949890dc2b7d03913eab4922abf7456819e5923da0f222a2226

📦 Image Reference ghcr.io/ashenm/workspace/latest@sha256:a35168d68f9cc949890dc2b7d03913eab4922abf7456819e5923da0f222a2226

digest	sha256:d01af0f4b6bba07f6bb795d302ea1b893de0d7ee911a0dd12cf481aea9f1ec21
vulnerabilities
size	2.5 GB
packages	2923

📦 Base Image ubuntu:20.04

also known as	focal focal-20240216
digest	sha256:48c35f3de33487442af224ed4aabac19fd9bfbd91ee90e9471d412706b20ba73
vulnerabilities

cgi 0.3.1 (gem) pkg:gem/cgi@0.3.1 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=0.3.1 Fixed version 0.3.2 CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00815 EPSS Percentile 0.81413 Description CGI.escape_html in Ruby has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. Interpretation Conflict Affected range >=0.3.0 <0.3.5 Fixed version 0.3.5 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00336 EPSS Percentile 0.70716 Description Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This issue has been patched in versions 0.3.5, 0.2.2 and 0.1.0.2.

execa 0.10.0 (npm) pkg:npm/execa@0.10.0 # Dockerfile (184:197) RUN npm install --global \ artillery \ eslint \ eslint-plugin-html \ heroku \ jest \ nodemon \ prettier \ ts-node \ typescript && \ npm install --global --unsafe-perm \ ngrok && \ rm --recursive --force $HOME/.ngrok && \ npm cache clean --force OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

execa 1.0.0 (npm) pkg:npm/execa@1.0.0 # Dockerfile (184:197) RUN npm install --global \ artillery \ eslint \ eslint-plugin-html \ heroku \ jest \ nodemon \ prettier \ ts-node \ typescript && \ npm install --global --unsafe-perm \ ngrok && \ rm --recursive --force $HOME/.ngrok && \ npm cache clean --force OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

rvm 1.11.3.9 (gem) pkg:gem/rvm@1.11.3.9 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.28.0 Fixed version 1.29.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.01138 EPSS Percentile 0.8441 Description RVM automatically loads environment variables from files in $PWD resulting in command execution.

cryptography 41.0.6 (pypi) pkg:pypi/cryptography@41.0.6 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00045 EPSS Percentile 0.12923 Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00098 EPSS Percentile 0.39712 Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

cryptography 41.0.7 (pypi) pkg:pypi/cryptography@41.0.7 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00045 EPSS Percentile 0.12923 Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00098 EPSS Percentile 0.39712 Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

linux 5.4.0-173.191 (deb) pkg:deb/ubuntu/linux@5.4.0-173.191?os_distro=focal&os_name=ubuntu&os_version=20.04 # Dockerfile (21:26) RUN curl --silent --fail --show-error --location 'https://packagecloud.io/github/git-lfs/gpgkey' | \ apt-key --keyring /usr/share/keyrings/packagecloud.io.gpg add - && \ echo "deb [signed-by=/usr/share/keyrings/packagecloud.io.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $(lsb_release --short --codename) main" | \ tee /etc/apt/sources.list.d/github-git-lfs.list && \ echo "deb-src [signed-by=/usr/share/keyrings/packagecloud.io.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $(lsb_release --short --codename) main" | \ tee --append /etc/apt/sources.list.d/github-git-lfs.list Affected range <5.4.0-174.193 Fixed version 5.4.0-174.193 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00042 EPSS Percentile 0.05352 Description A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. Affected range >=0 Fixed version Not Fixed CVSS Score 4.7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00042 EPSS Percentile 0.05352 Description A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.

pygments 2.3.1 (pypi) pkg:pypi/pygments@2.3.1 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 Uncontrolled Resource Consumption Affected range >=1.1 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00958 EPSS Percentile 0.82901 Description In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.5 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00282 EPSS Percentile 0.67853 Description An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

uri 0.11.0 (gem) pkg:gem/uri@0.11.0 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 Inefficient Regular Expression Complexity Affected range >=0.11.0 <0.11.1 Fixed version 0.11.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

httpie 1.0.3 (pypi) pkg:pypi/httpie@1.0.3 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 Improper Certificate Validation Affected range <=3.2.2 Fixed version Not Fixed CVSS Score 7.4 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.0006 EPSS Percentile 0.23675 Description Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

net.sourceforge.plantuml/plantuml 0.0.0 (maven) pkg:maven/net.sourceforge.plantuml/plantuml@0.0.0 # Dockerfile (137:142) RUN mkdir --parents /usr/local/share/java && \ curl --silent --fail --show-error --location 'https://sourceforge.net/projects/ditaa/files/latest/download' | \ bsdtar -xf - -s '/ditaa.*\.jar/ditaa.jar/' --directory /usr/local/share/java '*.jar' && \ curl --silent --fail --show-error --location --output /usr/local/share/java/plantuml.jar 'http://sourceforge.net/projects/plantuml/files/plantuml.jar/download' && \ curl --silent --fail --show-error --location --output - 'https://downloads.sourceforge.net/project/saxon/Saxon-HE/9.9/SaxonHE9-9-1-6J.zip' | \ bsdtar -xf - -s '/saxon.*\.jar/saxon.jar/' --directory /usr/local/share/java 'saxon9he.jar' Server-Side Request Forgery (SSRF) Affected range <1.2023.9 Fixed version 1.2023.9 CVSS Score 7.2 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N EPSS Score 0.00067 EPSS Percentile 0.27578 Description Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.

setuptools 41.2.0 (pypi) pkg:pypi/setuptools@41.2.0 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 Inefficient Regular Expression Complexity Affected range <65.5.1 Fixed version 65.5.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00323 EPSS Percentile 0.7009 Description Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index. This has been patched in version 65.5.1.

certifi 2019.11.28 (pypi) pkg:pypi/certifi@2019.11.28 # Dockerfile (21:26) RUN curl --silent --fail --show-error --location 'https://packagecloud.io/github/git-lfs/gpgkey' | \ apt-key --keyring /usr/share/keyrings/packagecloud.io.gpg add - && \ echo "deb [signed-by=/usr/share/keyrings/packagecloud.io.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $(lsb_release --short --codename) main" | \ tee /etc/apt/sources.list.d/github-git-lfs.list && \ echo "deb-src [signed-by=/usr/share/keyrings/packagecloud.io.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $(lsb_release --short --codename) main" | \ tee --append /etc/apt/sources.list.d/github-git-lfs.list Insufficient Verification of Data Authenticity Affected range >=2015.4.28 <2023.7.22 Fixed version 2023.7.22 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N EPSS Score 0.00059 EPSS Percentile 0.22886 Description Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found here.

urllib3 1.25.8 (pypi) pkg:pypi/urllib3@1.25.8 # Dockerfile (21:26) RUN curl --silent --fail --show-error --location 'https://packagecloud.io/github/git-lfs/gpgkey' | \ apt-key --keyring /usr/share/keyrings/packagecloud.io.gpg add - && \ echo "deb [signed-by=/usr/share/keyrings/packagecloud.io.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $(lsb_release --short --codename) main" | \ tee /etc/apt/sources.list.d/github-git-lfs.list && \ echo "deb-src [signed-by=/usr/share/keyrings/packagecloud.io.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $(lsb_release --short --codename) main" | \ tee --append /etc/apt/sources.list.d/github-git-lfs.list Uncontrolled Resource Consumption Affected range >=1.25.4 <1.26.5 Fixed version 1.26.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00292 EPSS Percentile 0.68486 Description Impact When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Patches The issue has been fixed in urllib3 v1.26.5. References CVE-2021-33503 JVNVU#92413403 (English) JVNVU#92413403 (Japanese) urllib3 v1.26.5 For more information If you have any questions or comments about this advisory: Ask in our community Discord Email sethmichaellarson@gmail.com

time 0.2.0 (gem) pkg:gem/time@0.2.0 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 Inefficient Regular Expression Complexity Affected range >=0.2.0 <0.2.2 Fixed version 0.2.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

async 1.5.0 (npm) pkg:npm/async@1.5.0 # Dockerfile (184:197) RUN npm install --global \ artillery \ eslint \ eslint-plugin-html \ heroku \ jest \ nodemon \ prettier \ ts-node \ typescript && \ npm install --global --unsafe-perm \ ngrok && \ rm --recursive --force $HOME/.ngrok && \ npm cache clean --force OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.6.4 Fixed version 2.6.4, 3.2.2 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.00132 EPSS Percentile 0.47272 Description A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

http-cache-semantics 3.8.1 (npm) pkg:npm/http-cache-semantics@3.8.1 # Dockerfile (184:197) RUN npm install --global \ artillery \ eslint \ eslint-plugin-html \ heroku \ jest \ nodemon \ prettier \ ts-node \ typescript && \ npm install --global --unsafe-perm \ ngrok && \ rm --recursive --force $HOME/.ngrok && \ npm cache clean --force Inefficient Regular Expression Complexity Affected range <4.1.1 Fixed version 4.1.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00105 EPSS Percentile 0.41808 Description http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

printf 0.3.0 (npm) pkg:npm/printf@0.3.0 # Dockerfile (184:197) RUN npm install --global \ artillery \ eslint \ eslint-plugin-html \ heroku \ jest \ nodemon \ prettier \ ts-node \ typescript && \ npm install --global --unsafe-perm \ ngrok && \ rm --recursive --force $HOME/.ngrok && \ npm cache clean --force Uncontrolled Resource Consumption Affected range <0.6.1 Fixed version 0.6.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00197 EPSS Percentile 0.56603 Description The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity.

github.com/cloudflare/circl 1.3.3 (golang) pkg:golang/github.com/cloudflare/circl@1.3.3 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 Affected range <1.3.7 Fixed version 1.3.7 Description Impact On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key. Does not apply to ephemeral usage, such as when used in the regular way in TLS. Patches Patched in 1.3.7. References kyberslash.cr.yp.to

[github-actions]

Outdated

🔍 Vulnerabilities of ghcr.io/ashenm/workspace/railsbank@sha256:e8ad0cff2c4dd4d095eab67e9e1044cca6b7a1e761487d45a6a6244521b0fae8

📦 Image Reference ghcr.io/ashenm/workspace/railsbank@sha256:e8ad0cff2c4dd4d095eab67e9e1044cca6b7a1e761487d45a6a6244521b0fae8

digest	sha256:946d5cd46e84119734e45818781f497be8de395f893a6ea8d38f9260aef9cb57
vulnerabilities
size	2.5 GB
packages	3043

📦 Base Image ubuntu:20.04

also known as	focal focal-20240216
digest	sha256:48c35f3de33487442af224ed4aabac19fd9bfbd91ee90e9471d412706b20ba73
vulnerabilities

cgi 0.3.1 (gem) pkg:gem/cgi@0.3.1 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=0.3.1 Fixed version 0.3.2 CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00815 EPSS Percentile 0.81413 Description CGI.escape_html in Ruby has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. Interpretation Conflict Affected range >=0.3.0 <0.3.5 Fixed version 0.3.5 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00336 EPSS Percentile 0.70716 Description Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This issue has been patched in versions 0.3.5, 0.2.2 and 0.1.0.2.

execa 1.0.0 (npm) pkg:npm/execa@1.0.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

rvm 1.11.3.9 (gem) pkg:gem/rvm@1.11.3.9 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.28.0 Fixed version 1.29.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.01138 EPSS Percentile 0.8441 Description RVM automatically loads environment variables from files in $PWD resulting in command execution.

execa 0.10.0 (npm) pkg:npm/execa@0.10.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

cryptography 41.0.7 (pypi) pkg:pypi/cryptography@41.0.7 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00045 EPSS Percentile 0.12923 Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00098 EPSS Percentile 0.39712 Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

cryptography 41.0.6 (pypi) pkg:pypi/cryptography@41.0.6 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00045 EPSS Percentile 0.12923 Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00098 EPSS Percentile 0.39712 Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

linux 5.4.0-173.191 (deb) pkg:deb/ubuntu/linux@5.4.0-173.191?os_distro=focal&os_name=ubuntu&os_version=20.04 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Affected range <5.4.0-174.193 Fixed version 5.4.0-174.193 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00042 EPSS Percentile 0.05352 Description A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. Affected range >=0 Fixed version Not Fixed CVSS Score 4.7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00042 EPSS Percentile 0.05352 Description A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.

pygments 2.3.1 (pypi) pkg:pypi/pygments@2.3.1 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Uncontrolled Resource Consumption Affected range >=1.1 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00958 EPSS Percentile 0.82901 Description In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.5 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00282 EPSS Percentile 0.67853 Description An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

async 1.5.0 (npm) pkg:npm/async@1.5.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.6.4 Fixed version 2.6.4, 3.2.2 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.00132 EPSS Percentile 0.47272 Description A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

time 0.2.0 (gem) pkg:gem/time@0.2.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Inefficient Regular Expression Complexity Affected range >=0.2.0 <0.2.2 Fixed version 0.2.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

setuptools 41.2.0 (pypi) pkg:pypi/setuptools@41.2.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Inefficient Regular Expression Complexity Affected range <65.5.1 Fixed version 65.5.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00323 EPSS Percentile 0.7009 Description Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index. This has been patched in version 65.5.1.

httpie 1.0.3 (pypi) pkg:pypi/httpie@1.0.3 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Improper Certificate Validation Affected range <=3.2.2 Fixed version Not Fixed CVSS Score 7.4 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.0006 EPSS Percentile 0.23675 Description Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

printf 0.3.0 (npm) pkg:npm/printf@0.3.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Uncontrolled Resource Consumption Affected range <0.6.1 Fixed version 0.6.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00197 EPSS Percentile 0.56603 Description The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity.

net.sourceforge.plantuml/plantuml 0.0.0 (maven) pkg:maven/net.sourceforge.plantuml/plantuml@0.0.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Server-Side Request Forgery (SSRF) Affected range <1.2023.9 Fixed version 1.2023.9 CVSS Score 7.2 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N EPSS Score 0.00067 EPSS Percentile 0.27578 Description Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.

certifi 2019.11.28 (pypi) pkg:pypi/certifi@2019.11.28 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Insufficient Verification of Data Authenticity Affected range >=2015.4.28 <2023.7.22 Fixed version 2023.7.22 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N EPSS Score 0.00059 EPSS Percentile 0.22886 Description Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found here.

github.com/cloudflare/circl 1.3.3 (golang) pkg:golang/github.com/cloudflare/circl@1.3.3 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Affected range <1.3.7 Fixed version 1.3.7 Description Impact On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key. Does not apply to ephemeral usage, such as when used in the regular way in TLS. Patches Patched in 1.3.7. References kyberslash.cr.yp.to

urllib3 1.25.8 (pypi) pkg:pypi/urllib3@1.25.8 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Uncontrolled Resource Consumption Affected range >=1.25.4 <1.26.5 Fixed version 1.26.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00292 EPSS Percentile 0.68486 Description Impact When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Patches The issue has been fixed in urllib3 v1.26.5. References CVE-2021-33503 JVNVU#92413403 (English) JVNVU#92413403 (Japanese) urllib3 v1.26.5 For more information If you have any questions or comments about this advisory: Ask in our community Discord Email sethmichaellarson@gmail.com

uri 0.11.0 (gem) pkg:gem/uri@0.11.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Inefficient Regular Expression Complexity Affected range >=0.11.0 <0.11.1 Fixed version 0.11.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

http-cache-semantics 3.8.1 (npm) pkg:npm/http-cache-semantics@3.8.1 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Inefficient Regular Expression Complexity Affected range <4.1.1 Fixed version 4.1.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00105 EPSS Percentile 0.41808 Description http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

[github-actions]

Outdated

🔍 Vulnerabilities of ghcr.io/ashenm/workspace/latest@sha256:272dd1984eca4a03493852d654f3c8fa5faff3005b50641d3052a4cc6650ae42

📦 Image Reference ghcr.io/ashenm/workspace/latest@sha256:272dd1984eca4a03493852d654f3c8fa5faff3005b50641d3052a4cc6650ae42

digest	sha256:5c5ee97fbccbc0c95eabd774f069b3146130cbb93ea08b8b5083e19431251504
vulnerabilities
size	2.3 GB
packages	2892

📦 Base Image ubuntu:20.04

also known as	focal focal-20240216
digest	sha256:4aa61d4985265be6d872cc214016f2f91a77b1c925dab5ce502db2edc4a7e5af
vulnerabilities

cgi 0.3.1 (gem) pkg:gem/cgi@0.3.1 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=0.3.1 Fixed version 0.3.2 CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00815 EPSS Percentile 0.81413 Description CGI.escape_html in Ruby has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. Interpretation Conflict Affected range >=0.3.0 <0.3.5 Fixed version 0.3.5 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00336 EPSS Percentile 0.70716 Description Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This issue has been patched in versions 0.3.5, 0.2.2 and 0.1.0.2.

rvm 1.11.3.9 (gem) pkg:gem/rvm@1.11.3.9 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.28.0 Fixed version 1.29.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.01138 EPSS Percentile 0.8441 Description RVM automatically loads environment variables from files in $PWD resulting in command execution.

execa 0.10.0 (npm) pkg:npm/execa@0.10.0 # Dockerfile (184:197) RUN npm install --global \ artillery \ eslint \ eslint-plugin-html \ heroku \ jest \ nodemon \ prettier \ ts-node \ typescript && \ npm install --global --unsafe-perm \ ngrok && \ rm --recursive --force $HOME/.ngrok && \ npm cache clean --force OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

execa 1.0.0 (npm) pkg:npm/execa@1.0.0 # Dockerfile (184:197) RUN npm install --global \ artillery \ eslint \ eslint-plugin-html \ heroku \ jest \ nodemon \ prettier \ ts-node \ typescript && \ npm install --global --unsafe-perm \ ngrok && \ rm --recursive --force $HOME/.ngrok && \ npm cache clean --force OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

pygments 2.3.1 (pypi) pkg:pypi/pygments@2.3.1 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 Uncontrolled Resource Consumption Affected range >=1.1 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00958 EPSS Percentile 0.82901 Description In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.5 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00282 EPSS Percentile 0.67853 Description An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

cryptography 41.0.6 (pypi) pkg:pypi/cryptography@41.0.6 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00045 EPSS Percentile 0.12923 Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00098 EPSS Percentile 0.39712 Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

linux 5.4.0-173.191 (deb) pkg:deb/ubuntu/linux@5.4.0-173.191?os_distro=focal&os_name=ubuntu&os_version=20.04 # Dockerfile (21:26) RUN curl --silent --fail --show-error --location 'https://packagecloud.io/github/git-lfs/gpgkey' | \ apt-key --keyring /usr/share/keyrings/packagecloud.io.gpg add - && \ echo "deb [signed-by=/usr/share/keyrings/packagecloud.io.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $(lsb_release --short --codename) main" | \ tee /etc/apt/sources.list.d/github-git-lfs.list && \ echo "deb-src [signed-by=/usr/share/keyrings/packagecloud.io.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $(lsb_release --short --codename) main" | \ tee --append /etc/apt/sources.list.d/github-git-lfs.list Affected range <5.4.0-174.193 Fixed version 5.4.0-174.193 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00042 EPSS Percentile 0.05352 Description A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. Affected range >=0 Fixed version Not Fixed CVSS Score 4.7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00042 EPSS Percentile 0.05352 Description A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.

http-cache-semantics 3.8.1 (npm) pkg:npm/http-cache-semantics@3.8.1 # Dockerfile (184:197) RUN npm install --global \ artillery \ eslint \ eslint-plugin-html \ heroku \ jest \ nodemon \ prettier \ ts-node \ typescript && \ npm install --global --unsafe-perm \ ngrok && \ rm --recursive --force $HOME/.ngrok && \ npm cache clean --force Inefficient Regular Expression Complexity Affected range <4.1.1 Fixed version 4.1.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00105 EPSS Percentile 0.41808 Description http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

uri 0.11.0 (gem) pkg:gem/uri@0.11.0 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 Inefficient Regular Expression Complexity Affected range >=0.11.0 <0.11.1 Fixed version 0.11.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

net.sourceforge.plantuml/plantuml 0.0.0 (maven) pkg:maven/net.sourceforge.plantuml/plantuml@0.0.0 # Dockerfile (137:142) RUN mkdir --parents /usr/local/share/java && \ curl --silent --fail --show-error --location 'https://sourceforge.net/projects/ditaa/files/latest/download' | \ bsdtar -xf - -s '/ditaa.*\.jar/ditaa.jar/' --directory /usr/local/share/java '*.jar' && \ curl --silent --fail --show-error --location --output /usr/local/share/java/plantuml.jar 'http://sourceforge.net/projects/plantuml/files/plantuml.jar/download' && \ curl --silent --fail --show-error --location --output - 'https://downloads.sourceforge.net/project/saxon/Saxon-HE/9.9/SaxonHE9-9-1-6J.zip' | \ bsdtar -xf - -s '/saxon.*\.jar/saxon.jar/' --directory /usr/local/share/java 'saxon9he.jar' Server-Side Request Forgery (SSRF) Affected range <1.2023.9 Fixed version 1.2023.9 CVSS Score 7.2 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N EPSS Score 0.00067 EPSS Percentile 0.27578 Description Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.

urllib3 1.25.8 (pypi) pkg:pypi/urllib3@1.25.8 # Dockerfile (21:26) RUN curl --silent --fail --show-error --location 'https://packagecloud.io/github/git-lfs/gpgkey' | \ apt-key --keyring /usr/share/keyrings/packagecloud.io.gpg add - && \ echo "deb [signed-by=/usr/share/keyrings/packagecloud.io.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $(lsb_release --short --codename) main" | \ tee /etc/apt/sources.list.d/github-git-lfs.list && \ echo "deb-src [signed-by=/usr/share/keyrings/packagecloud.io.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $(lsb_release --short --codename) main" | \ tee --append /etc/apt/sources.list.d/github-git-lfs.list Uncontrolled Resource Consumption Affected range >=1.25.4 <1.26.5 Fixed version 1.26.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00292 EPSS Percentile 0.68486 Description Impact When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Patches The issue has been fixed in urllib3 v1.26.5. References CVE-2021-33503 JVNVU#92413403 (English) JVNVU#92413403 (Japanese) urllib3 v1.26.5 For more information If you have any questions or comments about this advisory: Ask in our community Discord Email sethmichaellarson@gmail.com

certifi 2019.11.28 (pypi) pkg:pypi/certifi@2019.11.28 # Dockerfile (21:26) RUN curl --silent --fail --show-error --location 'https://packagecloud.io/github/git-lfs/gpgkey' | \ apt-key --keyring /usr/share/keyrings/packagecloud.io.gpg add - && \ echo "deb [signed-by=/usr/share/keyrings/packagecloud.io.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $(lsb_release --short --codename) main" | \ tee /etc/apt/sources.list.d/github-git-lfs.list && \ echo "deb-src [signed-by=/usr/share/keyrings/packagecloud.io.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $(lsb_release --short --codename) main" | \ tee --append /etc/apt/sources.list.d/github-git-lfs.list Insufficient Verification of Data Authenticity Affected range >=2015.4.28 <2023.7.22 Fixed version 2023.7.22 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N EPSS Score 0.00059 EPSS Percentile 0.22886 Description Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found here.

async 1.5.0 (npm) pkg:npm/async@1.5.0 # Dockerfile (184:197) RUN npm install --global \ artillery \ eslint \ eslint-plugin-html \ heroku \ jest \ nodemon \ prettier \ ts-node \ typescript && \ npm install --global --unsafe-perm \ ngrok && \ rm --recursive --force $HOME/.ngrok && \ npm cache clean --force OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.6.4 Fixed version 2.6.4, 3.2.2 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.00132 EPSS Percentile 0.47272 Description A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

setuptools 41.2.0 (pypi) pkg:pypi/setuptools@41.2.0 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 Inefficient Regular Expression Complexity Affected range <65.5.1 Fixed version 65.5.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00323 EPSS Percentile 0.7009 Description Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index. This has been patched in version 65.5.1.

time 0.2.0 (gem) pkg:gem/time@0.2.0 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 Inefficient Regular Expression Complexity Affected range >=0.2.0 <0.2.2 Fixed version 0.2.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

github.com/cloudflare/circl 1.3.3 (golang) pkg:golang/github.com/cloudflare/circl@1.3.3 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 Affected range <1.3.7 Fixed version 1.3.7 Description Impact On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key. Does not apply to ephemeral usage, such as when used in the regular way in TLS. Patches Patched in 1.3.7. References kyberslash.cr.yp.to

printf 0.3.0 (npm) pkg:npm/printf@0.3.0 # Dockerfile (184:197) RUN npm install --global \ artillery \ eslint \ eslint-plugin-html \ heroku \ jest \ nodemon \ prettier \ ts-node \ typescript && \ npm install --global --unsafe-perm \ ngrok && \ rm --recursive --force $HOME/.ngrok && \ npm cache clean --force Uncontrolled Resource Consumption Affected range <0.6.1 Fixed version 0.6.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00197 EPSS Percentile 0.56603 Description The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity.

httpie 1.0.3 (pypi) pkg:pypi/httpie@1.0.3 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 Improper Certificate Validation Affected range <=3.2.2 Fixed version Not Fixed CVSS Score 7.4 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.0006 EPSS Percentile 0.23675 Description Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

[github-actions]

Outdated

🔍 Vulnerabilities of ghcr.io/ashenm/workspace/railsbank@sha256:c3cf5f50097322b51972ac2f5052551071419d74bb85cf636a55352e9629a538

📦 Image Reference ghcr.io/ashenm/workspace/railsbank@sha256:c3cf5f50097322b51972ac2f5052551071419d74bb85cf636a55352e9629a538

digest	sha256:891ca337708f8901812e22aceb284cee6cc0d446e03be4c113ddcba26376e91c
vulnerabilities
size	2.3 GB
packages	3012

📦 Base Image ubuntu:20.04

also known as	focal focal-20240216
digest	sha256:4aa61d4985265be6d872cc214016f2f91a77b1c925dab5ce502db2edc4a7e5af
vulnerabilities

cgi 0.3.1 (gem) pkg:gem/cgi@0.3.1 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=0.3.1 Fixed version 0.3.2 CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00815 EPSS Percentile 0.81413 Description CGI.escape_html in Ruby has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. Interpretation Conflict Affected range >=0.3.0 <0.3.5 Fixed version 0.3.5 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00336 EPSS Percentile 0.70716 Description Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This issue has been patched in versions 0.3.5, 0.2.2 and 0.1.0.2.

execa 1.0.0 (npm) pkg:npm/execa@1.0.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

rvm 1.11.3.9 (gem) pkg:gem/rvm@1.11.3.9 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.28.0 Fixed version 1.29.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.01138 EPSS Percentile 0.8441 Description RVM automatically loads environment variables from files in $PWD resulting in command execution.

execa 0.10.0 (npm) pkg:npm/execa@0.10.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

cryptography 41.0.6 (pypi) pkg:pypi/cryptography@41.0.6 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00045 EPSS Percentile 0.12923 Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00098 EPSS Percentile 0.39712 Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

pygments 2.3.1 (pypi) pkg:pypi/pygments@2.3.1 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Uncontrolled Resource Consumption Affected range >=1.1 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00958 EPSS Percentile 0.82901 Description In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.5 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00282 EPSS Percentile 0.67853 Description An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

linux 5.4.0-173.191 (deb) pkg:deb/ubuntu/linux@5.4.0-173.191?os_distro=focal&os_name=ubuntu&os_version=20.04 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Affected range <5.4.0-174.193 Fixed version 5.4.0-174.193 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00042 EPSS Percentile 0.05352 Description A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. Affected range >=0 Fixed version Not Fixed CVSS Score 4.7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00042 EPSS Percentile 0.05352 Description A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.

github.com/cloudflare/circl 1.3.3 (golang) pkg:golang/github.com/cloudflare/circl@1.3.3 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Affected range <1.3.7 Fixed version 1.3.7 Description Impact On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key. Does not apply to ephemeral usage, such as when used in the regular way in TLS. Patches Patched in 1.3.7. References kyberslash.cr.yp.to

time 0.2.0 (gem) pkg:gem/time@0.2.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Inefficient Regular Expression Complexity Affected range >=0.2.0 <0.2.2 Fixed version 0.2.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

http-cache-semantics 3.8.1 (npm) pkg:npm/http-cache-semantics@3.8.1 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Inefficient Regular Expression Complexity Affected range <4.1.1 Fixed version 4.1.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00105 EPSS Percentile 0.41808 Description http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

urllib3 1.25.8 (pypi) pkg:pypi/urllib3@1.25.8 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Uncontrolled Resource Consumption Affected range >=1.25.4 <1.26.5 Fixed version 1.26.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00292 EPSS Percentile 0.68486 Description Impact When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Patches The issue has been fixed in urllib3 v1.26.5. References CVE-2021-33503 JVNVU#92413403 (English) JVNVU#92413403 (Japanese) urllib3 v1.26.5 For more information If you have any questions or comments about this advisory: Ask in our community Discord Email sethmichaellarson@gmail.com

setuptools 41.2.0 (pypi) pkg:pypi/setuptools@41.2.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Inefficient Regular Expression Complexity Affected range <65.5.1 Fixed version 65.5.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00323 EPSS Percentile 0.7009 Description Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index. This has been patched in version 65.5.1.

certifi 2019.11.28 (pypi) pkg:pypi/certifi@2019.11.28 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Insufficient Verification of Data Authenticity Affected range >=2015.4.28 <2023.7.22 Fixed version 2023.7.22 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N EPSS Score 0.00059 EPSS Percentile 0.22886 Description Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found here.

printf 0.3.0 (npm) pkg:npm/printf@0.3.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Uncontrolled Resource Consumption Affected range <0.6.1 Fixed version 0.6.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00197 EPSS Percentile 0.56603 Description The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity.

uri 0.11.0 (gem) pkg:gem/uri@0.11.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Inefficient Regular Expression Complexity Affected range >=0.11.0 <0.11.1 Fixed version 0.11.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

net.sourceforge.plantuml/plantuml 0.0.0 (maven) pkg:maven/net.sourceforge.plantuml/plantuml@0.0.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Server-Side Request Forgery (SSRF) Affected range <1.2023.9 Fixed version 1.2023.9 CVSS Score 7.2 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N EPSS Score 0.00067 EPSS Percentile 0.27578 Description Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.

async 1.5.0 (npm) pkg:npm/async@1.5.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.6.4 Fixed version 2.6.4, 3.2.2 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.00132 EPSS Percentile 0.47272 Description A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

httpie 1.0.3 (pypi) pkg:pypi/httpie@1.0.3 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Improper Certificate Validation Affected range <=3.2.2 Fixed version Not Fixed CVSS Score 7.4 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.0006 EPSS Percentile 0.23675 Description Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

[github-actions]

Outdated

Overview

Image reference	ashenm/workspace:latest	ghcr.io/ashenm/workspace/latest
- digest	5c5ee97fbccb	5c5ee97fbccb
- provenance	ba75765	ed4184b
- vulnerabilities
- platform	linux/arm64	linux/arm64
- size	2.3 GB	2.3 GB
- packages	2892	2892
Base Image	ubuntu:developer also known as: • 20.04 • focal	ubuntu:developer also known as: • 20.04 • focal
- vulnerabilities

[github-actions]

Outdated

Overview

Image reference	ashenm/workspace:stanford-cs143	ghcr.io/ashenm/workspace/stanford-cs143
- digest	01284d847634	01284d847634
- provenance	ba75765	ed4184b
- vulnerabilities
- platform	linux/arm64	linux/arm64
- size	2.4 GB	2.4 GB
- packages	2963	2963
Base Image	ubuntu:ba75765 also known as: • 20.04 • focal	ubuntu:ed4184b also known as: • 20.04 • focal
- vulnerabilities

[github-actions]

Outdated

Overview

Image reference	ashenm/workspace:latest	ghcr.io/ashenm/workspace/latest
- digest	d01af0f4b6bb	d01af0f4b6bb
- provenance	ba75765	ed4184b
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	2.5 GB	2.5 GB
- packages	2923	2923
Base Image	ubuntu:developer also known as: • 20.04 • focal	ubuntu:developer also known as: • 20.04 • focal
- vulnerabilities

[github-actions]

Outdated

Overview

Image reference	ashenm/workspace:railsbank	ghcr.io/ashenm/workspace/railsbank
- digest	891ca337708f	891ca337708f
- provenance	ba75765	e598d48
- vulnerabilities
- platform	linux/arm64	linux/arm64
- size	2.3 GB	2.3 GB
- packages	3012	3012
Base Image	ubuntu:ba75765 also known as: • 20.04 • focal	ubuntu:e598d48 also known as: • 20.04 • focal
- vulnerabilities

[github-actions]

Outdated

Overview

Image reference	ashenm/workspace:singlife	ghcr.io/ashenm/workspace/singlife
- digest	dee3adc4ccaa	dee3adc4ccaa
- provenance	ba75765	e598d48
- vulnerabilities
- platform	linux/arm64	linux/arm64
- size	2.4 GB	2.4 GB
- packages	2976	2976
Base Image	ubuntu:ba75765 also known as: • 20.04 • focal	ubuntu:e598d48 also known as: • 20.04 • focal
- vulnerabilities

[github-actions]

Outdated

Overview

Image reference	ashenm/workspace:latest	ghcr.io/ashenm/workspace/latest
- digest	d01af0f4b6bb	d01af0f4b6bb
- provenance	ba75765	e598d48
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	2.5 GB	2.5 GB
- packages	2923	2923
Base Image	ubuntu:developer also known as: • 20.04 • focal	ubuntu:developer also known as: • 20.04 • focal
- vulnerabilities

[github-actions]

Outdated

Overview

Image reference	ashenm/workspace:stanford-cs143	ghcr.io/ashenm/workspace/stanford-cs143
- digest	9b03ee453ca7	9b03ee453ca7
- provenance	ba75765	e598d48
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	2.6 GB	2.6 GB
- packages	2994	2994
Base Image	ubuntu:ba75765 also known as: • 20.04 • focal	ubuntu:e598d48 also known as: • 20.04 • focal
- vulnerabilities

[github-actions]

Outdated

Overview

Image reference	ashenm/workspace:secure-agility	ghcr.io/ashenm/workspace/secure-agility
- digest	0d35853000b2	0d35853000b2
- provenance	ba75765	e598d48
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	2.5 GB	2.5 GB
- packages	2941	2941
Base Image	ubuntu:ba75765 also known as: • 20.04 • focal	ubuntu:e598d48 also known as: • 20.04 • focal
- vulnerabilities

[github-actions]

Outdated

Overview

Image reference	ashenm/workspace:singlife	ghcr.io/ashenm/workspace/singlife
- digest	be2a8b2f405c	be2a8b2f405c
- provenance	ba75765	e598d48
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	2.6 GB	2.6 GB
- packages	3007	3007
Base Image	ubuntu:ba75765 also known as: • 20.04 • focal	ubuntu:e598d48 also known as: • 20.04 • focal
- vulnerabilities

[github-actions]

Outdated

Overview

Image reference	ashenm/workspace:railsbank	ghcr.io/ashenm/workspace/railsbank
- digest	946d5cd46e84	946d5cd46e84
- provenance	ba75765	e598d48
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	2.5 GB	2.5 GB
- packages	3043	3043
Base Image	ubuntu:ba75765 also known as: • 20.04 • focal	ubuntu:e598d48 also known as: • 20.04 • focal
- vulnerabilities

[github-actions]

Outdated

🔍 Vulnerabilities of ghcr.io/ashenm/workspace/latest@sha256:2c97853934bd1c466d50b5a25e7d25e9f5bb047ae5eb1e66302a4b7846c72222

📦 Image Reference ghcr.io/ashenm/workspace/latest@sha256:2c97853934bd1c466d50b5a25e7d25e9f5bb047ae5eb1e66302a4b7846c72222

digest	sha256:5c5ee97fbccbc0c95eabd774f069b3146130cbb93ea08b8b5083e19431251504
vulnerabilities
size	2.3 GB
packages	2892

📦 Base Image ubuntu:20.04

also known as	focal focal-20240216
digest	sha256:4aa61d4985265be6d872cc214016f2f91a77b1c925dab5ce502db2edc4a7e5af
vulnerabilities

cgi 0.3.1 (gem) pkg:gem/cgi@0.3.1 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=0.3.1 Fixed version 0.3.2 CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00815 EPSS Percentile 0.81413 Description CGI.escape_html in Ruby has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. Interpretation Conflict Affected range >=0.3.0 <0.3.5 Fixed version 0.3.5 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00336 EPSS Percentile 0.70716 Description Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This issue has been patched in versions 0.3.5, 0.2.2 and 0.1.0.2.

execa 0.10.0 (npm) pkg:npm/execa@0.10.0 # Dockerfile (184:197) RUN npm install --global \ artillery \ eslint \ eslint-plugin-html \ heroku \ jest \ nodemon \ prettier \ ts-node \ typescript && \ npm install --global --unsafe-perm \ ngrok && \ rm --recursive --force $HOME/.ngrok && \ npm cache clean --force OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

execa 1.0.0 (npm) pkg:npm/execa@1.0.0 # Dockerfile (184:197) RUN npm install --global \ artillery \ eslint \ eslint-plugin-html \ heroku \ jest \ nodemon \ prettier \ ts-node \ typescript && \ npm install --global --unsafe-perm \ ngrok && \ rm --recursive --force $HOME/.ngrok && \ npm cache clean --force OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

rvm 1.11.3.9 (gem) pkg:gem/rvm@1.11.3.9 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.28.0 Fixed version 1.29.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.01138 EPSS Percentile 0.8441 Description RVM automatically loads environment variables from files in $PWD resulting in command execution.

linux 5.4.0-173.191 (deb) pkg:deb/ubuntu/linux@5.4.0-173.191?os_distro=focal&os_name=ubuntu&os_version=20.04 # Dockerfile (21:26) RUN curl --silent --fail --show-error --location 'https://packagecloud.io/github/git-lfs/gpgkey' | \ apt-key --keyring /usr/share/keyrings/packagecloud.io.gpg add - && \ echo "deb [signed-by=/usr/share/keyrings/packagecloud.io.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $(lsb_release --short --codename) main" | \ tee /etc/apt/sources.list.d/github-git-lfs.list && \ echo "deb-src [signed-by=/usr/share/keyrings/packagecloud.io.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $(lsb_release --short --codename) main" | \ tee --append /etc/apt/sources.list.d/github-git-lfs.list Affected range <5.4.0-174.193 Fixed version 5.4.0-174.193 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00042 EPSS Percentile 0.05352 Description A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. Affected range >=0 Fixed version Not Fixed CVSS Score 4.7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00042 EPSS Percentile 0.05352 Description A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.

cryptography 41.0.6 (pypi) pkg:pypi/cryptography@41.0.6 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00045 EPSS Percentile 0.12923 Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00098 EPSS Percentile 0.39712 Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

pygments 2.3.1 (pypi) pkg:pypi/pygments@2.3.1 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 Uncontrolled Resource Consumption Affected range >=1.1 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00958 EPSS Percentile 0.82901 Description In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.5 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00282 EPSS Percentile 0.67853 Description An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

uri 0.11.0 (gem) pkg:gem/uri@0.11.0 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 Inefficient Regular Expression Complexity Affected range >=0.11.0 <0.11.1 Fixed version 0.11.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

github.com/cloudflare/circl 1.3.3 (golang) pkg:golang/github.com/cloudflare/circl@1.3.3 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 Affected range <1.3.7 Fixed version 1.3.7 Description Impact On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key. Does not apply to ephemeral usage, such as when used in the regular way in TLS. Patches Patched in 1.3.7. References kyberslash.cr.yp.to

net.sourceforge.plantuml/plantuml 0.0.0 (maven) pkg:maven/net.sourceforge.plantuml/plantuml@0.0.0 # Dockerfile (137:142) RUN mkdir --parents /usr/local/share/java && \ curl --silent --fail --show-error --location 'https://sourceforge.net/projects/ditaa/files/latest/download' | \ bsdtar -xf - -s '/ditaa.*\.jar/ditaa.jar/' --directory /usr/local/share/java '*.jar' && \ curl --silent --fail --show-error --location --output /usr/local/share/java/plantuml.jar 'http://sourceforge.net/projects/plantuml/files/plantuml.jar/download' && \ curl --silent --fail --show-error --location --output - 'https://downloads.sourceforge.net/project/saxon/Saxon-HE/9.9/SaxonHE9-9-1-6J.zip' | \ bsdtar -xf - -s '/saxon.*\.jar/saxon.jar/' --directory /usr/local/share/java 'saxon9he.jar' Server-Side Request Forgery (SSRF) Affected range <1.2023.9 Fixed version 1.2023.9 CVSS Score 7.2 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N EPSS Score 0.00067 EPSS Percentile 0.27578 Description Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.

setuptools 41.2.0 (pypi) pkg:pypi/setuptools@41.2.0 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 Inefficient Regular Expression Complexity Affected range <65.5.1 Fixed version 65.5.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00323 EPSS Percentile 0.7009 Description Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index. This has been patched in version 65.5.1.

printf 0.3.0 (npm) pkg:npm/printf@0.3.0 # Dockerfile (184:197) RUN npm install --global \ artillery \ eslint \ eslint-plugin-html \ heroku \ jest \ nodemon \ prettier \ ts-node \ typescript && \ npm install --global --unsafe-perm \ ngrok && \ rm --recursive --force $HOME/.ngrok && \ npm cache clean --force Uncontrolled Resource Consumption Affected range <0.6.1 Fixed version 0.6.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00197 EPSS Percentile 0.56603 Description The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity.

httpie 1.0.3 (pypi) pkg:pypi/httpie@1.0.3 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 Improper Certificate Validation Affected range <=3.2.2 Fixed version Not Fixed CVSS Score 7.4 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.0006 EPSS Percentile 0.23675 Description Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

urllib3 1.25.8 (pypi) pkg:pypi/urllib3@1.25.8 # Dockerfile (21:26) RUN curl --silent --fail --show-error --location 'https://packagecloud.io/github/git-lfs/gpgkey' | \ apt-key --keyring /usr/share/keyrings/packagecloud.io.gpg add - && \ echo "deb [signed-by=/usr/share/keyrings/packagecloud.io.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $(lsb_release --short --codename) main" | \ tee /etc/apt/sources.list.d/github-git-lfs.list && \ echo "deb-src [signed-by=/usr/share/keyrings/packagecloud.io.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $(lsb_release --short --codename) main" | \ tee --append /etc/apt/sources.list.d/github-git-lfs.list Uncontrolled Resource Consumption Affected range >=1.25.4 <1.26.5 Fixed version 1.26.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00292 EPSS Percentile 0.68486 Description Impact When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Patches The issue has been fixed in urllib3 v1.26.5. References CVE-2021-33503 JVNVU#92413403 (English) JVNVU#92413403 (Japanese) urllib3 v1.26.5 For more information If you have any questions or comments about this advisory: Ask in our community Discord Email sethmichaellarson@gmail.com

certifi 2019.11.28 (pypi) pkg:pypi/certifi@2019.11.28 # Dockerfile (21:26) RUN curl --silent --fail --show-error --location 'https://packagecloud.io/github/git-lfs/gpgkey' | \ apt-key --keyring /usr/share/keyrings/packagecloud.io.gpg add - && \ echo "deb [signed-by=/usr/share/keyrings/packagecloud.io.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $(lsb_release --short --codename) main" | \ tee /etc/apt/sources.list.d/github-git-lfs.list && \ echo "deb-src [signed-by=/usr/share/keyrings/packagecloud.io.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $(lsb_release --short --codename) main" | \ tee --append /etc/apt/sources.list.d/github-git-lfs.list Insufficient Verification of Data Authenticity Affected range >=2015.4.28 <2023.7.22 Fixed version 2023.7.22 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N EPSS Score 0.00059 EPSS Percentile 0.22886 Description Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found here.

async 1.5.0 (npm) pkg:npm/async@1.5.0 # Dockerfile (184:197) RUN npm install --global \ artillery \ eslint \ eslint-plugin-html \ heroku \ jest \ nodemon \ prettier \ ts-node \ typescript && \ npm install --global --unsafe-perm \ ngrok && \ rm --recursive --force $HOME/.ngrok && \ npm cache clean --force OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.6.4 Fixed version 2.6.4, 3.2.2 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.00132 EPSS Percentile 0.47272 Description A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

time 0.2.0 (gem) pkg:gem/time@0.2.0 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 Inefficient Regular Expression Complexity Affected range >=0.2.0 <0.2.2 Fixed version 0.2.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

http-cache-semantics 3.8.1 (npm) pkg:npm/http-cache-semantics@3.8.1 # Dockerfile (184:197) RUN npm install --global \ artillery \ eslint \ eslint-plugin-html \ heroku \ jest \ nodemon \ prettier \ ts-node \ typescript && \ npm install --global --unsafe-perm \ ngrok && \ rm --recursive --force $HOME/.ngrok && \ npm cache clean --force Inefficient Regular Expression Complexity Affected range <4.1.1 Fixed version 4.1.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00105 EPSS Percentile 0.41808 Description http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

[github-actions]

Outdated

🔍 Vulnerabilities of ghcr.io/ashenm/workspace/stanford-cs143@sha256:a2e9d548fbeb3ee6b74d40a9c9aebffd0bb4172ebc52154679a0b64619867d64

📦 Image Reference ghcr.io/ashenm/workspace/stanford-cs143@sha256:a2e9d548fbeb3ee6b74d40a9c9aebffd0bb4172ebc52154679a0b64619867d64

digest	sha256:01284d8476346e41580af098e94f4e467dc227d301fb20b895695a9001234423
vulnerabilities
size	2.4 GB
packages	2963

📦 Base Image ubuntu:20.04

also known as	focal focal-20240216
digest	sha256:4aa61d4985265be6d872cc214016f2f91a77b1c925dab5ce502db2edc4a7e5af
vulnerabilities

cgi 0.3.1 (gem) pkg:gem/cgi@0.3.1 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=0.3.1 Fixed version 0.3.2 CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00815 EPSS Percentile 0.81413 Description CGI.escape_html in Ruby has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. Interpretation Conflict Affected range >=0.3.0 <0.3.5 Fixed version 0.3.5 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00336 EPSS Percentile 0.70716 Description Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This issue has been patched in versions 0.3.5, 0.2.2 and 0.1.0.2.

rvm 1.11.3.9 (gem) pkg:gem/rvm@1.11.3.9 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.28.0 Fixed version 1.29.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.01138 EPSS Percentile 0.8441 Description RVM automatically loads environment variables from files in $PWD resulting in command execution.

execa 0.10.0 (npm) pkg:npm/execa@0.10.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

execa 1.0.0 (npm) pkg:npm/execa@1.0.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

cryptography 41.0.6 (pypi) pkg:pypi/cryptography@41.0.6 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00045 EPSS Percentile 0.12923 Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00098 EPSS Percentile 0.39712 Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

pygments 2.3.1 (pypi) pkg:pypi/pygments@2.3.1 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Uncontrolled Resource Consumption Affected range >=1.1 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00958 EPSS Percentile 0.82901 Description In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.5 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00282 EPSS Percentile 0.67853 Description An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

linux 5.4.0-173.191 (deb) pkg:deb/ubuntu/linux@5.4.0-173.191?os_distro=focal&os_name=ubuntu&os_version=20.04 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Affected range <5.4.0-174.193 Fixed version 5.4.0-174.193 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00042 EPSS Percentile 0.05352 Description A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. Affected range >=0 Fixed version Not Fixed CVSS Score 4.7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00042 EPSS Percentile 0.05352 Description A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.

net.sourceforge.plantuml/plantuml 0.0.0 (maven) pkg:maven/net.sourceforge.plantuml/plantuml@0.0.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Server-Side Request Forgery (SSRF) Affected range <1.2023.9 Fixed version 1.2023.9 CVSS Score 7.2 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N EPSS Score 0.00067 EPSS Percentile 0.27578 Description Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.

time 0.2.0 (gem) pkg:gem/time@0.2.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Inefficient Regular Expression Complexity Affected range >=0.2.0 <0.2.2 Fixed version 0.2.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

setuptools 41.2.0 (pypi) pkg:pypi/setuptools@41.2.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Inefficient Regular Expression Complexity Affected range <65.5.1 Fixed version 65.5.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00323 EPSS Percentile 0.7009 Description Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index. This has been patched in version 65.5.1.

printf 0.3.0 (npm) pkg:npm/printf@0.3.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Uncontrolled Resource Consumption Affected range <0.6.1 Fixed version 0.6.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00197 EPSS Percentile 0.56603 Description The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity.

certifi 2019.11.28 (pypi) pkg:pypi/certifi@2019.11.28 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Insufficient Verification of Data Authenticity Affected range >=2015.4.28 <2023.7.22 Fixed version 2023.7.22 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N EPSS Score 0.00059 EPSS Percentile 0.22886 Description Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found here.

urllib3 1.25.8 (pypi) pkg:pypi/urllib3@1.25.8 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Uncontrolled Resource Consumption Affected range >=1.25.4 <1.26.5 Fixed version 1.26.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00292 EPSS Percentile 0.68486 Description Impact When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Patches The issue has been fixed in urllib3 v1.26.5. References CVE-2021-33503 JVNVU#92413403 (English) JVNVU#92413403 (Japanese) urllib3 v1.26.5 For more information If you have any questions or comments about this advisory: Ask in our community Discord Email sethmichaellarson@gmail.com

uri 0.11.0 (gem) pkg:gem/uri@0.11.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Inefficient Regular Expression Complexity Affected range >=0.11.0 <0.11.1 Fixed version 0.11.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

httpie 1.0.3 (pypi) pkg:pypi/httpie@1.0.3 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Improper Certificate Validation Affected range <=3.2.2 Fixed version Not Fixed CVSS Score 7.4 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.0006 EPSS Percentile 0.23675 Description Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

http-cache-semantics 3.8.1 (npm) pkg:npm/http-cache-semantics@3.8.1 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Inefficient Regular Expression Complexity Affected range <4.1.1 Fixed version 4.1.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00105 EPSS Percentile 0.41808 Description http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

async 1.5.0 (npm) pkg:npm/async@1.5.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.6.4 Fixed version 2.6.4, 3.2.2 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.00132 EPSS Percentile 0.47272 Description A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

github.com/cloudflare/circl 1.3.3 (golang) pkg:golang/github.com/cloudflare/circl@1.3.3 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Affected range <1.3.7 Fixed version 1.3.7 Description Impact On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key. Does not apply to ephemeral usage, such as when used in the regular way in TLS. Patches Patched in 1.3.7. References kyberslash.cr.yp.to

[github-actions]

Outdated

🔍 Vulnerabilities of ghcr.io/ashenm/workspace/railsbank@sha256:4af452292f2036494ffaa4cd30fb677cf7161c092c46c94a956f14809c644450

📦 Image Reference ghcr.io/ashenm/workspace/railsbank@sha256:4af452292f2036494ffaa4cd30fb677cf7161c092c46c94a956f14809c644450

digest	sha256:891ca337708f8901812e22aceb284cee6cc0d446e03be4c113ddcba26376e91c
vulnerabilities
size	2.3 GB
packages	3012

📦 Base Image ubuntu:20.04

also known as	focal focal-20240216
digest	sha256:4aa61d4985265be6d872cc214016f2f91a77b1c925dab5ce502db2edc4a7e5af
vulnerabilities

cgi 0.3.1 (gem) pkg:gem/cgi@0.3.1 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=0.3.1 Fixed version 0.3.2 CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00815 EPSS Percentile 0.81413 Description CGI.escape_html in Ruby has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. Interpretation Conflict Affected range >=0.3.0 <0.3.5 Fixed version 0.3.5 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00336 EPSS Percentile 0.70716 Description Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This issue has been patched in versions 0.3.5, 0.2.2 and 0.1.0.2.

execa 0.10.0 (npm) pkg:npm/execa@0.10.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

execa 1.0.0 (npm) pkg:npm/execa@1.0.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

rvm 1.11.3.9 (gem) pkg:gem/rvm@1.11.3.9 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.28.0 Fixed version 1.29.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.01138 EPSS Percentile 0.8441 Description RVM automatically loads environment variables from files in $PWD resulting in command execution.

pygments 2.3.1 (pypi) pkg:pypi/pygments@2.3.1 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Uncontrolled Resource Consumption Affected range >=1.1 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00958 EPSS Percentile 0.82901 Description In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.5 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00282 EPSS Percentile 0.67853 Description An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

cryptography 41.0.6 (pypi) pkg:pypi/cryptography@41.0.6 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00045 EPSS Percentile 0.12923 Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00098 EPSS Percentile 0.39712 Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

linux 5.4.0-173.191 (deb) pkg:deb/ubuntu/linux@5.4.0-173.191?os_distro=focal&os_name=ubuntu&os_version=20.04 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Affected range <5.4.0-174.193 Fixed version 5.4.0-174.193 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00042 EPSS Percentile 0.05352 Description A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. Affected range >=0 Fixed version Not Fixed CVSS Score 4.7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00042 EPSS Percentile 0.05352 Description A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.

github.com/cloudflare/circl 1.3.3 (golang) pkg:golang/github.com/cloudflare/circl@1.3.3 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Affected range <1.3.7 Fixed version 1.3.7 Description Impact On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key. Does not apply to ephemeral usage, such as when used in the regular way in TLS. Patches Patched in 1.3.7. References kyberslash.cr.yp.to

httpie 1.0.3 (pypi) pkg:pypi/httpie@1.0.3 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Improper Certificate Validation Affected range <=3.2.2 Fixed version Not Fixed CVSS Score 7.4 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.0006 EPSS Percentile 0.23675 Description Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

async 1.5.0 (npm) pkg:npm/async@1.5.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.6.4 Fixed version 2.6.4, 3.2.2 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.00132 EPSS Percentile 0.47272 Description A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

net.sourceforge.plantuml/plantuml 0.0.0 (maven) pkg:maven/net.sourceforge.plantuml/plantuml@0.0.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Server-Side Request Forgery (SSRF) Affected range <1.2023.9 Fixed version 1.2023.9 CVSS Score 7.2 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N EPSS Score 0.00067 EPSS Percentile 0.27578 Description Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.

certifi 2019.11.28 (pypi) pkg:pypi/certifi@2019.11.28 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Insufficient Verification of Data Authenticity Affected range >=2015.4.28 <2023.7.22 Fixed version 2023.7.22 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N EPSS Score 0.00059 EPSS Percentile 0.22886 Description Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found here.

time 0.2.0 (gem) pkg:gem/time@0.2.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Inefficient Regular Expression Complexity Affected range >=0.2.0 <0.2.2 Fixed version 0.2.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

printf 0.3.0 (npm) pkg:npm/printf@0.3.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Uncontrolled Resource Consumption Affected range <0.6.1 Fixed version 0.6.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00197 EPSS Percentile 0.56603 Description The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity.

setuptools 41.2.0 (pypi) pkg:pypi/setuptools@41.2.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Inefficient Regular Expression Complexity Affected range <65.5.1 Fixed version 65.5.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00323 EPSS Percentile 0.7009 Description Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index. This has been patched in version 65.5.1.

urllib3 1.25.8 (pypi) pkg:pypi/urllib3@1.25.8 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Uncontrolled Resource Consumption Affected range >=1.25.4 <1.26.5 Fixed version 1.26.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00292 EPSS Percentile 0.68486 Description Impact When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Patches The issue has been fixed in urllib3 v1.26.5. References CVE-2021-33503 JVNVU#92413403 (English) JVNVU#92413403 (Japanese) urllib3 v1.26.5 For more information If you have any questions or comments about this advisory: Ask in our community Discord Email sethmichaellarson@gmail.com

http-cache-semantics 3.8.1 (npm) pkg:npm/http-cache-semantics@3.8.1 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Inefficient Regular Expression Complexity Affected range <4.1.1 Fixed version 4.1.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00105 EPSS Percentile 0.41808 Description http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

uri 0.11.0 (gem) pkg:gem/uri@0.11.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Inefficient Regular Expression Complexity Affected range >=0.11.0 <0.11.1 Fixed version 0.11.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

[github-actions]

Outdated

🔍 Vulnerabilities of ghcr.io/ashenm/workspace/latest@sha256:8023078e4b795ffee80aa57d01a9d4de61405e206c759829c6e6b053d59ebb7a

📦 Image Reference ghcr.io/ashenm/workspace/latest@sha256:8023078e4b795ffee80aa57d01a9d4de61405e206c759829c6e6b053d59ebb7a

digest	sha256:d01af0f4b6bba07f6bb795d302ea1b893de0d7ee911a0dd12cf481aea9f1ec21
vulnerabilities
size	2.5 GB
packages	2923

📦 Base Image ubuntu:20.04

also known as	focal focal-20240216
digest	sha256:48c35f3de33487442af224ed4aabac19fd9bfbd91ee90e9471d412706b20ba73
vulnerabilities

cgi 0.3.1 (gem) pkg:gem/cgi@0.3.1 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=0.3.1 Fixed version 0.3.2 CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00815 EPSS Percentile 0.81413 Description CGI.escape_html in Ruby has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. Interpretation Conflict Affected range >=0.3.0 <0.3.5 Fixed version 0.3.5 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00336 EPSS Percentile 0.70716 Description Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This issue has been patched in versions 0.3.5, 0.2.2 and 0.1.0.2.

execa 1.0.0 (npm) pkg:npm/execa@1.0.0 # Dockerfile (184:197) RUN npm install --global \ artillery \ eslint \ eslint-plugin-html \ heroku \ jest \ nodemon \ prettier \ ts-node \ typescript && \ npm install --global --unsafe-perm \ ngrok && \ rm --recursive --force $HOME/.ngrok && \ npm cache clean --force OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

execa 0.10.0 (npm) pkg:npm/execa@0.10.0 # Dockerfile (184:197) RUN npm install --global \ artillery \ eslint \ eslint-plugin-html \ heroku \ jest \ nodemon \ prettier \ ts-node \ typescript && \ npm install --global --unsafe-perm \ ngrok && \ rm --recursive --force $HOME/.ngrok && \ npm cache clean --force OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

rvm 1.11.3.9 (gem) pkg:gem/rvm@1.11.3.9 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.28.0 Fixed version 1.29.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.01138 EPSS Percentile 0.8441 Description RVM automatically loads environment variables from files in $PWD resulting in command execution.

linux 5.4.0-173.191 (deb) pkg:deb/ubuntu/linux@5.4.0-173.191?os_distro=focal&os_name=ubuntu&os_version=20.04 # Dockerfile (21:26) RUN curl --silent --fail --show-error --location 'https://packagecloud.io/github/git-lfs/gpgkey' | \ apt-key --keyring /usr/share/keyrings/packagecloud.io.gpg add - && \ echo "deb [signed-by=/usr/share/keyrings/packagecloud.io.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $(lsb_release --short --codename) main" | \ tee /etc/apt/sources.list.d/github-git-lfs.list && \ echo "deb-src [signed-by=/usr/share/keyrings/packagecloud.io.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $(lsb_release --short --codename) main" | \ tee --append /etc/apt/sources.list.d/github-git-lfs.list Affected range <5.4.0-174.193 Fixed version 5.4.0-174.193 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00042 EPSS Percentile 0.05352 Description A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. Affected range >=0 Fixed version Not Fixed CVSS Score 4.7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00042 EPSS Percentile 0.05352 Description A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.

pygments 2.3.1 (pypi) pkg:pypi/pygments@2.3.1 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 Uncontrolled Resource Consumption Affected range >=1.1 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00958 EPSS Percentile 0.82901 Description In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.5 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00282 EPSS Percentile 0.67853 Description An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

cryptography 41.0.7 (pypi) pkg:pypi/cryptography@41.0.7 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00045 EPSS Percentile 0.12923 Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00098 EPSS Percentile 0.39712 Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

cryptography 41.0.6 (pypi) pkg:pypi/cryptography@41.0.6 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00045 EPSS Percentile 0.12923 Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00098 EPSS Percentile 0.39712 Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

github.com/cloudflare/circl 1.3.3 (golang) pkg:golang/github.com/cloudflare/circl@1.3.3 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 Affected range <1.3.7 Fixed version 1.3.7 Description Impact On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key. Does not apply to ephemeral usage, such as when used in the regular way in TLS. Patches Patched in 1.3.7. References kyberslash.cr.yp.to

certifi 2019.11.28 (pypi) pkg:pypi/certifi@2019.11.28 # Dockerfile (21:26) RUN curl --silent --fail --show-error --location 'https://packagecloud.io/github/git-lfs/gpgkey' | \ apt-key --keyring /usr/share/keyrings/packagecloud.io.gpg add - && \ echo "deb [signed-by=/usr/share/keyrings/packagecloud.io.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $(lsb_release --short --codename) main" | \ tee /etc/apt/sources.list.d/github-git-lfs.list && \ echo "deb-src [signed-by=/usr/share/keyrings/packagecloud.io.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $(lsb_release --short --codename) main" | \ tee --append /etc/apt/sources.list.d/github-git-lfs.list Insufficient Verification of Data Authenticity Affected range >=2015.4.28 <2023.7.22 Fixed version 2023.7.22 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N EPSS Score 0.00059 EPSS Percentile 0.22886 Description Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found here.

urllib3 1.25.8 (pypi) pkg:pypi/urllib3@1.25.8 # Dockerfile (21:26) RUN curl --silent --fail --show-error --location 'https://packagecloud.io/github/git-lfs/gpgkey' | \ apt-key --keyring /usr/share/keyrings/packagecloud.io.gpg add - && \ echo "deb [signed-by=/usr/share/keyrings/packagecloud.io.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $(lsb_release --short --codename) main" | \ tee /etc/apt/sources.list.d/github-git-lfs.list && \ echo "deb-src [signed-by=/usr/share/keyrings/packagecloud.io.gpg] https://packagecloud.io/github/git-lfs/ubuntu/ $(lsb_release --short --codename) main" | \ tee --append /etc/apt/sources.list.d/github-git-lfs.list Uncontrolled Resource Consumption Affected range >=1.25.4 <1.26.5 Fixed version 1.26.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00292 EPSS Percentile 0.68486 Description Impact When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Patches The issue has been fixed in urllib3 v1.26.5. References CVE-2021-33503 JVNVU#92413403 (English) JVNVU#92413403 (Japanese) urllib3 v1.26.5 For more information If you have any questions or comments about this advisory: Ask in our community Discord Email sethmichaellarson@gmail.com

setuptools 41.2.0 (pypi) pkg:pypi/setuptools@41.2.0 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 Inefficient Regular Expression Complexity Affected range <65.5.1 Fixed version 65.5.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00323 EPSS Percentile 0.7009 Description Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index. This has been patched in version 65.5.1.

net.sourceforge.plantuml/plantuml 0.0.0 (maven) pkg:maven/net.sourceforge.plantuml/plantuml@0.0.0 # Dockerfile (137:142) RUN mkdir --parents /usr/local/share/java && \ curl --silent --fail --show-error --location 'https://sourceforge.net/projects/ditaa/files/latest/download' | \ bsdtar -xf - -s '/ditaa.*\.jar/ditaa.jar/' --directory /usr/local/share/java '*.jar' && \ curl --silent --fail --show-error --location --output /usr/local/share/java/plantuml.jar 'http://sourceforge.net/projects/plantuml/files/plantuml.jar/download' && \ curl --silent --fail --show-error --location --output - 'https://downloads.sourceforge.net/project/saxon/Saxon-HE/9.9/SaxonHE9-9-1-6J.zip' | \ bsdtar -xf - -s '/saxon.*\.jar/saxon.jar/' --directory /usr/local/share/java 'saxon9he.jar' Server-Side Request Forgery (SSRF) Affected range <1.2023.9 Fixed version 1.2023.9 CVSS Score 7.2 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N EPSS Score 0.00067 EPSS Percentile 0.27578 Description Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.

async 1.5.0 (npm) pkg:npm/async@1.5.0 # Dockerfile (184:197) RUN npm install --global \ artillery \ eslint \ eslint-plugin-html \ heroku \ jest \ nodemon \ prettier \ ts-node \ typescript && \ npm install --global --unsafe-perm \ ngrok && \ rm --recursive --force $HOME/.ngrok && \ npm cache clean --force OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.6.4 Fixed version 2.6.4, 3.2.2 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.00132 EPSS Percentile 0.47272 Description A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

httpie 1.0.3 (pypi) pkg:pypi/httpie@1.0.3 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 Improper Certificate Validation Affected range <=3.2.2 Fixed version Not Fixed CVSS Score 7.4 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.0006 EPSS Percentile 0.23675 Description Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

printf 0.3.0 (npm) pkg:npm/printf@0.3.0 # Dockerfile (184:197) RUN npm install --global \ artillery \ eslint \ eslint-plugin-html \ heroku \ jest \ nodemon \ prettier \ ts-node \ typescript && \ npm install --global --unsafe-perm \ ngrok && \ rm --recursive --force $HOME/.ngrok && \ npm cache clean --force Uncontrolled Resource Consumption Affected range <0.6.1 Fixed version 0.6.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00197 EPSS Percentile 0.56603 Description The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity.

uri 0.11.0 (gem) pkg:gem/uri@0.11.0 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 Inefficient Regular Expression Complexity Affected range >=0.11.0 <0.11.1 Fixed version 0.11.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

time 0.2.0 (gem) pkg:gem/time@0.2.0 # Dockerfile (132:134) RUN curl --silent --fail --show-error \ --location "https://s3.amazonaws.com/travis-rubies/binaries/ubuntu/$(lsb_release --short --release)/$(uname --machine)/ruby-3.1.2.tar.bz2" | \ tar --extract --bzip2 --verbose --directory /usr/local --file - --strip-components 1 Inefficient Regular Expression Complexity Affected range >=0.2.0 <0.2.2 Fixed version 0.2.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

http-cache-semantics 3.8.1 (npm) pkg:npm/http-cache-semantics@3.8.1 # Dockerfile (184:197) RUN npm install --global \ artillery \ eslint \ eslint-plugin-html \ heroku \ jest \ nodemon \ prettier \ ts-node \ typescript && \ npm install --global --unsafe-perm \ ngrok && \ rm --recursive --force $HOME/.ngrok && \ npm cache clean --force Inefficient Regular Expression Complexity Affected range <4.1.1 Fixed version 4.1.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00105 EPSS Percentile 0.41808 Description http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

[github-actions]

Outdated

🔍 Vulnerabilities of ghcr.io/ashenm/workspace/singlife@sha256:14a856dc61aad7b7a4f7a62f80e42900d2510f8efd95b0da0d8adb59f693803f

📦 Image Reference ghcr.io/ashenm/workspace/singlife@sha256:14a856dc61aad7b7a4f7a62f80e42900d2510f8efd95b0da0d8adb59f693803f

digest	sha256:dee3adc4ccaa8ad9a0803d76d1321f9a722c8334edb5031daae6e52738772757
vulnerabilities
size	2.4 GB
packages	2976

📦 Base Image ubuntu:20.04

also known as	focal focal-20240216
digest	sha256:4aa61d4985265be6d872cc214016f2f91a77b1c925dab5ce502db2edc4a7e5af
vulnerabilities

cgi 0.3.1 (gem) pkg:gem/cgi@0.3.1 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=0.3.1 Fixed version 0.3.2 CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00815 EPSS Percentile 0.81413 Description CGI.escape_html in Ruby has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. Interpretation Conflict Affected range >=0.3.0 <0.3.5 Fixed version 0.3.5 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00336 EPSS Percentile 0.70716 Description Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This issue has been patched in versions 0.3.5, 0.2.2 and 0.1.0.2.

execa 0.10.0 (npm) pkg:npm/execa@0.10.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

execa 1.0.0 (npm) pkg:npm/execa@1.0.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

rvm 1.11.3.9 (gem) pkg:gem/rvm@1.11.3.9 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.28.0 Fixed version 1.29.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.01138 EPSS Percentile 0.8441 Description RVM automatically loads environment variables from files in $PWD resulting in command execution.

pygments 2.3.1 (pypi) pkg:pypi/pygments@2.3.1 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Uncontrolled Resource Consumption Affected range >=1.1 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00958 EPSS Percentile 0.82901 Description In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.5 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00282 EPSS Percentile 0.67853 Description An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

cryptography 41.0.6 (pypi) pkg:pypi/cryptography@41.0.6 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00045 EPSS Percentile 0.12923 Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00098 EPSS Percentile 0.39712 Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

linux 5.4.0-173.191 (deb) pkg:deb/ubuntu/linux@5.4.0-173.191?os_distro=focal&os_name=ubuntu&os_version=20.04 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Affected range <5.4.0-174.193 Fixed version 5.4.0-174.193 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00042 EPSS Percentile 0.05352 Description A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. Affected range >=0 Fixed version Not Fixed CVSS Score 4.7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00042 EPSS Percentile 0.05352 Description A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.

httpie 1.0.3 (pypi) pkg:pypi/httpie@1.0.3 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Improper Certificate Validation Affected range <=3.2.2 Fixed version Not Fixed CVSS Score 7.4 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.0006 EPSS Percentile 0.23675 Description Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

certifi 2019.11.28 (pypi) pkg:pypi/certifi@2019.11.28 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Insufficient Verification of Data Authenticity Affected range >=2015.4.28 <2023.7.22 Fixed version 2023.7.22 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N EPSS Score 0.00059 EPSS Percentile 0.22886 Description Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found here.

urllib3 1.25.8 (pypi) pkg:pypi/urllib3@1.25.8 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Uncontrolled Resource Consumption Affected range >=1.25.4 <1.26.5 Fixed version 1.26.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00292 EPSS Percentile 0.68486 Description Impact When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Patches The issue has been fixed in urllib3 v1.26.5. References CVE-2021-33503 JVNVU#92413403 (English) JVNVU#92413403 (Japanese) urllib3 v1.26.5 For more information If you have any questions or comments about this advisory: Ask in our community Discord Email sethmichaellarson@gmail.com

net.sourceforge.plantuml/plantuml 0.0.0 (maven) pkg:maven/net.sourceforge.plantuml/plantuml@0.0.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Server-Side Request Forgery (SSRF) Affected range <1.2023.9 Fixed version 1.2023.9 CVSS Score 7.2 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N EPSS Score 0.00067 EPSS Percentile 0.27578 Description Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.

async 1.5.0 (npm) pkg:npm/async@1.5.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.6.4 Fixed version 2.6.4, 3.2.2 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.00132 EPSS Percentile 0.47272 Description A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

time 0.2.0 (gem) pkg:gem/time@0.2.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Inefficient Regular Expression Complexity Affected range >=0.2.0 <0.2.2 Fixed version 0.2.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

stdlib 1.20.11 (golang) pkg:golang/stdlib@1.20.11 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Affected range >=1.20.11 <1.20.12 Fixed version 1.20.12 EPSS Score 0.00098 EPSS Percentile 0.3977 Description The filepath package does not recognize paths with a ??\ prefix as special. On Windows, a path beginning with ??\ is a Root Local Device path equivalent to a path beginning with \?. Paths with a ??\ prefix may be used to access arbitrary locations on the system. For example, the path ??\c:\x is equivalent to the more common path c:\x. Before fix, Clean could convert a rooted path such as \a..??\b into the root local device path ??\b. Clean will now convert this to .??\b. Similarly, Join(, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path ??\b. Join will now convert this to .??\b. In addition, with fix, IsAbs now correctly reports paths beginning with ??\ as absolute, and VolumeName correctly reports the ??\ prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with ?, resulting in filepath.Clean(?\c:) returning ?\c: rather than ?\c:\ (among other effects). The previous behavior has been restored.

setuptools 41.2.0 (pypi) pkg:pypi/setuptools@41.2.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Inefficient Regular Expression Complexity Affected range <65.5.1 Fixed version 65.5.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00323 EPSS Percentile 0.7009 Description Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index. This has been patched in version 65.5.1.

github.com/cloudflare/circl 1.3.3 (golang) pkg:golang/github.com/cloudflare/circl@1.3.3 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Affected range <1.3.7 Fixed version 1.3.7 Description Impact On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key. Does not apply to ephemeral usage, such as when used in the regular way in TLS. Patches Patched in 1.3.7. References kyberslash.cr.yp.to

http-cache-semantics 3.8.1 (npm) pkg:npm/http-cache-semantics@3.8.1 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Inefficient Regular Expression Complexity Affected range <4.1.1 Fixed version 4.1.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00105 EPSS Percentile 0.41808 Description http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

uri 0.11.0 (gem) pkg:gem/uri@0.11.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Inefficient Regular Expression Complexity Affected range >=0.11.0 <0.11.1 Fixed version 0.11.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

printf 0.3.0 (npm) pkg:npm/printf@0.3.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Uncontrolled Resource Consumption Affected range <0.6.1 Fixed version 0.6.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00197 EPSS Percentile 0.56603 Description The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity.

[github-actions]

Outdated

🔍 Vulnerabilities of ghcr.io/ashenm/workspace/singlife@sha256:df14350ab3cf3216f2b211cfb6572a90a6e0bd9ae9c924fdb4a43a22953b5c07

📦 Image Reference ghcr.io/ashenm/workspace/singlife@sha256:df14350ab3cf3216f2b211cfb6572a90a6e0bd9ae9c924fdb4a43a22953b5c07

digest	sha256:be2a8b2f405cfbf8b7c16ec8300af95365fb0c40b69209d44314e1c67500e795
vulnerabilities
size	2.6 GB
packages	3007

📦 Base Image ubuntu:20.04

also known as	focal focal-20240216
digest	sha256:48c35f3de33487442af224ed4aabac19fd9bfbd91ee90e9471d412706b20ba73
vulnerabilities

cgi 0.3.1 (gem) pkg:gem/cgi@0.3.1 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=0.3.1 Fixed version 0.3.2 CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00815 EPSS Percentile 0.81413 Description CGI.escape_html in Ruby has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. Interpretation Conflict Affected range >=0.3.0 <0.3.5 Fixed version 0.3.5 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00336 EPSS Percentile 0.70716 Description Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This issue has been patched in versions 0.3.5, 0.2.2 and 0.1.0.2.

execa 1.0.0 (npm) pkg:npm/execa@1.0.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

execa 0.10.0 (npm) pkg:npm/execa@0.10.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

rvm 1.11.3.9 (gem) pkg:gem/rvm@1.11.3.9 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.28.0 Fixed version 1.29.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.01138 EPSS Percentile 0.8441 Description RVM automatically loads environment variables from files in $PWD resulting in command execution.

cryptography 41.0.6 (pypi) pkg:pypi/cryptography@41.0.6 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00045 EPSS Percentile 0.12923 Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00098 EPSS Percentile 0.39712 Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

pygments 2.3.1 (pypi) pkg:pypi/pygments@2.3.1 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Uncontrolled Resource Consumption Affected range >=1.1 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00958 EPSS Percentile 0.82901 Description In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.5 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00282 EPSS Percentile 0.67853 Description An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

cryptography 41.0.7 (pypi) pkg:pypi/cryptography@41.0.7 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00045 EPSS Percentile 0.12923 Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00098 EPSS Percentile 0.39712 Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

linux 5.4.0-173.191 (deb) pkg:deb/ubuntu/linux@5.4.0-173.191?os_distro=focal&os_name=ubuntu&os_version=20.04 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Affected range <5.4.0-174.193 Fixed version 5.4.0-174.193 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00042 EPSS Percentile 0.05352 Description A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. Affected range >=0 Fixed version Not Fixed CVSS Score 4.7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00042 EPSS Percentile 0.05352 Description A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.

net.sourceforge.plantuml/plantuml 0.0.0 (maven) pkg:maven/net.sourceforge.plantuml/plantuml@0.0.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Server-Side Request Forgery (SSRF) Affected range <1.2023.9 Fixed version 1.2023.9 CVSS Score 7.2 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N EPSS Score 0.00067 EPSS Percentile 0.27578 Description Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.

http-cache-semantics 3.8.1 (npm) pkg:npm/http-cache-semantics@3.8.1 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Inefficient Regular Expression Complexity Affected range <4.1.1 Fixed version 4.1.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00105 EPSS Percentile 0.41808 Description http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

httpie 1.0.3 (pypi) pkg:pypi/httpie@1.0.3 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Improper Certificate Validation Affected range <=3.2.2 Fixed version Not Fixed CVSS Score 7.4 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.0006 EPSS Percentile 0.23675 Description Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

stdlib 1.20.11 (golang) pkg:golang/stdlib@1.20.11 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Affected range >=1.20.11 <1.20.12 Fixed version 1.20.12 EPSS Score 0.00098 EPSS Percentile 0.3977 Description The filepath package does not recognize paths with a ??\ prefix as special. On Windows, a path beginning with ??\ is a Root Local Device path equivalent to a path beginning with \?. Paths with a ??\ prefix may be used to access arbitrary locations on the system. For example, the path ??\c:\x is equivalent to the more common path c:\x. Before fix, Clean could convert a rooted path such as \a..??\b into the root local device path ??\b. Clean will now convert this to .??\b. Similarly, Join(, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path ??\b. Join will now convert this to .??\b. In addition, with fix, IsAbs now correctly reports paths beginning with ??\ as absolute, and VolumeName correctly reports the ??\ prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with ?, resulting in filepath.Clean(?\c:) returning ?\c: rather than ?\c:\ (among other effects). The previous behavior has been restored.

uri 0.11.0 (gem) pkg:gem/uri@0.11.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Inefficient Regular Expression Complexity Affected range >=0.11.0 <0.11.1 Fixed version 0.11.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

certifi 2019.11.28 (pypi) pkg:pypi/certifi@2019.11.28 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Insufficient Verification of Data Authenticity Affected range >=2015.4.28 <2023.7.22 Fixed version 2023.7.22 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N EPSS Score 0.00059 EPSS Percentile 0.22886 Description Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found here.

urllib3 1.25.8 (pypi) pkg:pypi/urllib3@1.25.8 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Uncontrolled Resource Consumption Affected range >=1.25.4 <1.26.5 Fixed version 1.26.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00292 EPSS Percentile 0.68486 Description Impact When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Patches The issue has been fixed in urllib3 v1.26.5. References CVE-2021-33503 JVNVU#92413403 (English) JVNVU#92413403 (Japanese) urllib3 v1.26.5 For more information If you have any questions or comments about this advisory: Ask in our community Discord Email sethmichaellarson@gmail.com

time 0.2.0 (gem) pkg:gem/time@0.2.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Inefficient Regular Expression Complexity Affected range >=0.2.0 <0.2.2 Fixed version 0.2.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

github.com/cloudflare/circl 1.3.3 (golang) pkg:golang/github.com/cloudflare/circl@1.3.3 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Affected range <1.3.7 Fixed version 1.3.7 Description Impact On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key. Does not apply to ephemeral usage, such as when used in the regular way in TLS. Patches Patched in 1.3.7. References kyberslash.cr.yp.to

printf 0.3.0 (npm) pkg:npm/printf@0.3.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Uncontrolled Resource Consumption Affected range <0.6.1 Fixed version 0.6.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00197 EPSS Percentile 0.56603 Description The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity.

setuptools 41.2.0 (pypi) pkg:pypi/setuptools@41.2.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Inefficient Regular Expression Complexity Affected range <65.5.1 Fixed version 65.5.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00323 EPSS Percentile 0.7009 Description Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index. This has been patched in version 65.5.1.

async 1.5.0 (npm) pkg:npm/async@1.5.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.6.4 Fixed version 2.6.4, 3.2.2 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.00132 EPSS Percentile 0.47272 Description A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

[github-actions]

Outdated

🔍 Vulnerabilities of ghcr.io/ashenm/workspace/stanford-cs143@sha256:8d89be8c3972f71801b44f2e1f498465fb3bd0b10715fef5049e6993ab7ffd05

📦 Image Reference ghcr.io/ashenm/workspace/stanford-cs143@sha256:8d89be8c3972f71801b44f2e1f498465fb3bd0b10715fef5049e6993ab7ffd05

digest	sha256:9b03ee453ca794ccfc026fc9850b86f69bf350fdf55d39e663b9e46beb78dfe2
vulnerabilities
size	2.6 GB
packages	2994

📦 Base Image ubuntu:20.04

also known as	focal focal-20240216
digest	sha256:48c35f3de33487442af224ed4aabac19fd9bfbd91ee90e9471d412706b20ba73
vulnerabilities

cgi 0.3.1 (gem) pkg:gem/cgi@0.3.1 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=0.3.1 Fixed version 0.3.2 CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00815 EPSS Percentile 0.81413 Description CGI.escape_html in Ruby has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. Interpretation Conflict Affected range >=0.3.0 <0.3.5 Fixed version 0.3.5 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00336 EPSS Percentile 0.70716 Description Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This issue has been patched in versions 0.3.5, 0.2.2 and 0.1.0.2.

rvm 1.11.3.9 (gem) pkg:gem/rvm@1.11.3.9 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.28.0 Fixed version 1.29.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.01138 EPSS Percentile 0.8441 Description RVM automatically loads environment variables from files in $PWD resulting in command execution.

execa 0.10.0 (npm) pkg:npm/execa@0.10.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

execa 1.0.0 (npm) pkg:npm/execa@1.0.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

cryptography 41.0.6 (pypi) pkg:pypi/cryptography@41.0.6 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00045 EPSS Percentile 0.12923 Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00098 EPSS Percentile 0.39712 Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

linux 5.4.0-173.191 (deb) pkg:deb/ubuntu/linux@5.4.0-173.191?os_distro=focal&os_name=ubuntu&os_version=20.04 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Affected range <5.4.0-174.193 Fixed version 5.4.0-174.193 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00042 EPSS Percentile 0.05352 Description A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. Affected range >=0 Fixed version Not Fixed CVSS Score 4.7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00042 EPSS Percentile 0.05352 Description A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.

cryptography 41.0.7 (pypi) pkg:pypi/cryptography@41.0.7 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00045 EPSS Percentile 0.12923 Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00098 EPSS Percentile 0.39712 Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

pygments 2.3.1 (pypi) pkg:pypi/pygments@2.3.1 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Uncontrolled Resource Consumption Affected range >=1.1 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00958 EPSS Percentile 0.82901 Description In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.5 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00282 EPSS Percentile 0.67853 Description An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

uri 0.11.0 (gem) pkg:gem/uri@0.11.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Inefficient Regular Expression Complexity Affected range >=0.11.0 <0.11.1 Fixed version 0.11.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

http-cache-semantics 3.8.1 (npm) pkg:npm/http-cache-semantics@3.8.1 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Inefficient Regular Expression Complexity Affected range <4.1.1 Fixed version 4.1.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00105 EPSS Percentile 0.41808 Description http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

httpie 1.0.3 (pypi) pkg:pypi/httpie@1.0.3 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Improper Certificate Validation Affected range <=3.2.2 Fixed version Not Fixed CVSS Score 7.4 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.0006 EPSS Percentile 0.23675 Description Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

net.sourceforge.plantuml/plantuml 0.0.0 (maven) pkg:maven/net.sourceforge.plantuml/plantuml@0.0.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Server-Side Request Forgery (SSRF) Affected range <1.2023.9 Fixed version 1.2023.9 CVSS Score 7.2 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N EPSS Score 0.00067 EPSS Percentile 0.27578 Description Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.

urllib3 1.25.8 (pypi) pkg:pypi/urllib3@1.25.8 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Uncontrolled Resource Consumption Affected range >=1.25.4 <1.26.5 Fixed version 1.26.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00292 EPSS Percentile 0.68486 Description Impact When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Patches The issue has been fixed in urllib3 v1.26.5. References CVE-2021-33503 JVNVU#92413403 (English) JVNVU#92413403 (Japanese) urllib3 v1.26.5 For more information If you have any questions or comments about this advisory: Ask in our community Discord Email sethmichaellarson@gmail.com

time 0.2.0 (gem) pkg:gem/time@0.2.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Inefficient Regular Expression Complexity Affected range >=0.2.0 <0.2.2 Fixed version 0.2.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

github.com/cloudflare/circl 1.3.3 (golang) pkg:golang/github.com/cloudflare/circl@1.3.3 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Affected range <1.3.7 Fixed version 1.3.7 Description Impact On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key. Does not apply to ephemeral usage, such as when used in the regular way in TLS. Patches Patched in 1.3.7. References kyberslash.cr.yp.to

async 1.5.0 (npm) pkg:npm/async@1.5.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.6.4 Fixed version 2.6.4, 3.2.2 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.00132 EPSS Percentile 0.47272 Description A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

certifi 2019.11.28 (pypi) pkg:pypi/certifi@2019.11.28 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Insufficient Verification of Data Authenticity Affected range >=2015.4.28 <2023.7.22 Fixed version 2023.7.22 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N EPSS Score 0.00059 EPSS Percentile 0.22886 Description Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found here.

setuptools 41.2.0 (pypi) pkg:pypi/setuptools@41.2.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Inefficient Regular Expression Complexity Affected range <65.5.1 Fixed version 65.5.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00323 EPSS Percentile 0.7009 Description Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index. This has been patched in version 65.5.1.

printf 0.3.0 (npm) pkg:npm/printf@0.3.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Uncontrolled Resource Consumption Affected range <0.6.1 Fixed version 0.6.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00197 EPSS Percentile 0.56603 Description The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity.

[github-actions]

Outdated

🔍 Vulnerabilities of ghcr.io/ashenm/workspace/secure-agility@sha256:995c27d00bf3442ce1d51707ad6ffde53acda2d54130af145c0cfb400831214d

📦 Image Reference ghcr.io/ashenm/workspace/secure-agility@sha256:995c27d00bf3442ce1d51707ad6ffde53acda2d54130af145c0cfb400831214d

digest	sha256:0d35853000b2b76dd555e1e66f224850d1d9e625db98d740979db4d7126e4a4d
vulnerabilities
size	2.5 GB
packages	2941

📦 Base Image ubuntu:20.04

also known as	focal focal-20240216
digest	sha256:48c35f3de33487442af224ed4aabac19fd9bfbd91ee90e9471d412706b20ba73
vulnerabilities

cgi 0.3.1 (gem) pkg:gem/cgi@0.3.1 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=0.3.1 Fixed version 0.3.2 CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00815 EPSS Percentile 0.81413 Description CGI.escape_html in Ruby has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. Interpretation Conflict Affected range >=0.3.0 <0.3.5 Fixed version 0.3.5 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00336 EPSS Percentile 0.70716 Description Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This issue has been patched in versions 0.3.5, 0.2.2 and 0.1.0.2.

rvm 1.11.3.9 (gem) pkg:gem/rvm@1.11.3.9 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.28.0 Fixed version 1.29.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.01138 EPSS Percentile 0.8441 Description RVM automatically loads environment variables from files in $PWD resulting in command execution.

execa 0.10.0 (npm) pkg:npm/execa@0.10.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

execa 1.0.0 (npm) pkg:npm/execa@1.0.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

cryptography 41.0.7 (pypi) pkg:pypi/cryptography@41.0.7 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00045 EPSS Percentile 0.12923 Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00098 EPSS Percentile 0.39712 Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

linux 5.4.0-173.191 (deb) pkg:deb/ubuntu/linux@5.4.0-173.191?os_distro=focal&os_name=ubuntu&os_version=20.04 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Affected range <5.4.0-174.193 Fixed version 5.4.0-174.193 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00042 EPSS Percentile 0.05352 Description A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. Affected range >=0 Fixed version Not Fixed CVSS Score 4.7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00042 EPSS Percentile 0.05352 Description A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.

cryptography 41.0.6 (pypi) pkg:pypi/cryptography@41.0.6 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00045 EPSS Percentile 0.12923 Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00098 EPSS Percentile 0.39712 Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

pygments 2.3.1 (pypi) pkg:pypi/pygments@2.3.1 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Uncontrolled Resource Consumption Affected range >=1.1 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00958 EPSS Percentile 0.82901 Description In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.5 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00282 EPSS Percentile 0.67853 Description An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

net.sourceforge.plantuml/plantuml 0.0.0 (maven) pkg:maven/net.sourceforge.plantuml/plantuml@0.0.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Server-Side Request Forgery (SSRF) Affected range <1.2023.9 Fixed version 1.2023.9 CVSS Score 7.2 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N EPSS Score 0.00067 EPSS Percentile 0.27578 Description Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.

certifi 2019.11.28 (pypi) pkg:pypi/certifi@2019.11.28 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Insufficient Verification of Data Authenticity Affected range >=2015.4.28 <2023.7.22 Fixed version 2023.7.22 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N EPSS Score 0.00059 EPSS Percentile 0.22886 Description Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found here.

http-cache-semantics 3.8.1 (npm) pkg:npm/http-cache-semantics@3.8.1 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Inefficient Regular Expression Complexity Affected range <4.1.1 Fixed version 4.1.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00105 EPSS Percentile 0.41808 Description http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

time 0.2.0 (gem) pkg:gem/time@0.2.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Inefficient Regular Expression Complexity Affected range >=0.2.0 <0.2.2 Fixed version 0.2.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

setuptools 41.2.0 (pypi) pkg:pypi/setuptools@41.2.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Inefficient Regular Expression Complexity Affected range <65.5.1 Fixed version 65.5.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00323 EPSS Percentile 0.7009 Description Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index. This has been patched in version 65.5.1.

uri 0.11.0 (gem) pkg:gem/uri@0.11.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Inefficient Regular Expression Complexity Affected range >=0.11.0 <0.11.1 Fixed version 0.11.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

github.com/cloudflare/circl 1.3.3 (golang) pkg:golang/github.com/cloudflare/circl@1.3.3 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Affected range <1.3.7 Fixed version 1.3.7 Description Impact On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key. Does not apply to ephemeral usage, such as when used in the regular way in TLS. Patches Patched in 1.3.7. References kyberslash.cr.yp.to

async 1.5.0 (npm) pkg:npm/async@1.5.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.6.4 Fixed version 2.6.4, 3.2.2 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.00132 EPSS Percentile 0.47272 Description A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

httpie 1.0.3 (pypi) pkg:pypi/httpie@1.0.3 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Improper Certificate Validation Affected range <=3.2.2 Fixed version Not Fixed CVSS Score 7.4 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.0006 EPSS Percentile 0.23675 Description Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

urllib3 1.25.8 (pypi) pkg:pypi/urllib3@1.25.8 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Uncontrolled Resource Consumption Affected range >=1.25.4 <1.26.5 Fixed version 1.26.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00292 EPSS Percentile 0.68486 Description Impact When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Patches The issue has been fixed in urllib3 v1.26.5. References CVE-2021-33503 JVNVU#92413403 (English) JVNVU#92413403 (Japanese) urllib3 v1.26.5 For more information If you have any questions or comments about this advisory: Ask in our community Discord Email sethmichaellarson@gmail.com

printf 0.3.0 (npm) pkg:npm/printf@0.3.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Uncontrolled Resource Consumption Affected range <0.6.1 Fixed version 0.6.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00197 EPSS Percentile 0.56603 Description The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity.

[github-actions]

Outdated

🔍 Vulnerabilities of ghcr.io/ashenm/workspace/railsbank@sha256:45ff086949373485ace10a525d2ca584fa5fdd57491b72b35a50d55b3b0ac748

📦 Image Reference ghcr.io/ashenm/workspace/railsbank@sha256:45ff086949373485ace10a525d2ca584fa5fdd57491b72b35a50d55b3b0ac748

digest	sha256:946d5cd46e84119734e45818781f497be8de395f893a6ea8d38f9260aef9cb57
vulnerabilities
size	2.5 GB
packages	3043

📦 Base Image ubuntu:20.04

also known as	focal focal-20240216
digest	sha256:48c35f3de33487442af224ed4aabac19fd9bfbd91ee90e9471d412706b20ba73
vulnerabilities

cgi 0.3.1 (gem) pkg:gem/cgi@0.3.1 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=0.3.1 Fixed version 0.3.2 CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00815 EPSS Percentile 0.81413 Description CGI.escape_html in Ruby has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. Interpretation Conflict Affected range >=0.3.0 <0.3.5 Fixed version 0.3.5 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00336 EPSS Percentile 0.70716 Description Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This issue has been patched in versions 0.3.5, 0.2.2 and 0.1.0.2.

execa 1.0.0 (npm) pkg:npm/execa@1.0.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

execa 0.10.0 (npm) pkg:npm/execa@0.10.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

rvm 1.11.3.9 (gem) pkg:gem/rvm@1.11.3.9 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.28.0 Fixed version 1.29.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.01138 EPSS Percentile 0.8441 Description RVM automatically loads environment variables from files in $PWD resulting in command execution.

cryptography 41.0.6 (pypi) pkg:pypi/cryptography@41.0.6 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00045 EPSS Percentile 0.12923 Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00098 EPSS Percentile 0.39712 Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

linux 5.4.0-173.191 (deb) pkg:deb/ubuntu/linux@5.4.0-173.191?os_distro=focal&os_name=ubuntu&os_version=20.04 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Affected range <5.4.0-174.193 Fixed version 5.4.0-174.193 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.00042 EPSS Percentile 0.05352 Description A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. Affected range >=0 Fixed version Not Fixed CVSS Score 4.7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00042 EPSS Percentile 0.05352 Description A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.

pygments 2.3.1 (pypi) pkg:pypi/pygments@2.3.1 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Uncontrolled Resource Consumption Affected range >=1.1 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00958 EPSS Percentile 0.82901 Description In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.5 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00282 EPSS Percentile 0.67853 Description An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

cryptography 41.0.7 (pypi) pkg:pypi/cryptography@41.0.7 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00045 EPSS Percentile 0.12923 Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.00098 EPSS Percentile 0.39712 Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

urllib3 1.25.8 (pypi) pkg:pypi/urllib3@1.25.8 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Uncontrolled Resource Consumption Affected range >=1.25.4 <1.26.5 Fixed version 1.26.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00292 EPSS Percentile 0.68486 Description Impact When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Patches The issue has been fixed in urllib3 v1.26.5. References CVE-2021-33503 JVNVU#92413403 (English) JVNVU#92413403 (Japanese) urllib3 v1.26.5 For more information If you have any questions or comments about this advisory: Ask in our community Discord Email sethmichaellarson@gmail.com

github.com/cloudflare/circl 1.3.3 (golang) pkg:golang/github.com/cloudflare/circl@1.3.3 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Affected range <1.3.7 Fixed version 1.3.7 Description Impact On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key. Does not apply to ephemeral usage, such as when used in the regular way in TLS. Patches Patched in 1.3.7. References kyberslash.cr.yp.to

certifi 2019.11.28 (pypi) pkg:pypi/certifi@2019.11.28 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Insufficient Verification of Data Authenticity Affected range >=2015.4.28 <2023.7.22 Fixed version 2023.7.22 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N EPSS Score 0.00059 EPSS Percentile 0.22886 Description Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found here.

time 0.2.0 (gem) pkg:gem/time@0.2.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Inefficient Regular Expression Complexity Affected range >=0.2.0 <0.2.2 Fixed version 0.2.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

async 1.5.0 (npm) pkg:npm/async@1.5.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.6.4 Fixed version 2.6.4, 3.2.2 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.00132 EPSS Percentile 0.47272 Description A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

printf 0.3.0 (npm) pkg:npm/printf@0.3.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Uncontrolled Resource Consumption Affected range <0.6.1 Fixed version 0.6.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00197 EPSS Percentile 0.56603 Description The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity.

setuptools 41.2.0 (pypi) pkg:pypi/setuptools@41.2.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Inefficient Regular Expression Complexity Affected range <65.5.1 Fixed version 65.5.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00323 EPSS Percentile 0.7009 Description Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index. This has been patched in version 65.5.1.

net.sourceforge.plantuml/plantuml 0.0.0 (maven) pkg:maven/net.sourceforge.plantuml/plantuml@0.0.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Server-Side Request Forgery (SSRF) Affected range <1.2023.9 Fixed version 1.2023.9 CVSS Score 7.2 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N EPSS Score 0.00067 EPSS Percentile 0.27578 Description Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.

uri 0.11.0 (gem) pkg:gem/uri@0.11.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Inefficient Regular Expression Complexity Affected range >=0.11.0 <0.11.1 Fixed version 0.11.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00127 EPSS Percentile 0.46425 Description A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

httpie 1.0.3 (pypi) pkg:pypi/httpie@1.0.3 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Improper Certificate Validation Affected range <=3.2.2 Fixed version Not Fixed CVSS Score 7.4 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.0006 EPSS Percentile 0.23675 Description Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

http-cache-semantics 3.8.1 (npm) pkg:npm/http-cache-semantics@3.8.1 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Inefficient Regular Expression Complexity Affected range <4.1.1 Fixed version 4.1.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.00105 EPSS Percentile 0.41808 Description http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

[github-actions]

Outdated

Overview

Image reference	ashenm/workspace:singlife	ghcr.io/ashenm/workspace/singlife
- digest	dee3adc4ccaa	dee3adc4ccaa
- provenance	ba75765	9c62c85
- vulnerabilities
- platform	linux/arm64	linux/arm64
- size	2.4 GB	2.4 GB
- packages	2980	2980
Base Image	ubuntu:ba75765 also known as: • 20.04 • focal	ubuntu:9c62c85 also known as: • 20.04 • focal
- vulnerabilities

[github-actions]

Outdated

Overview

Image reference	ashenm/workspace:stanford-cs143	ghcr.io/ashenm/workspace/stanford-cs143
- digest	01284d847634	01284d847634
- provenance	ba75765	9c62c85
- vulnerabilities
- platform	linux/arm64	linux/arm64
- size	2.4 GB	2.4 GB
- packages	2966	2966
Base Image	ubuntu:ba75765 also known as: • 20.04 • focal	ubuntu:9c62c85 also known as: • 20.04 • focal
- vulnerabilities

[github-actions]

Outdated

Overview

Image reference	ashenm/workspace:singlife	ghcr.io/ashenm/workspace/singlife
- digest	be2a8b2f405c	be2a8b2f405c
- provenance	ba75765	9c62c85
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	2.6 GB	2.6 GB
- packages	3011	3011
Base Image	ubuntu:ba75765 also known as: • 20.04 • focal	ubuntu:9c62c85 also known as: • 20.04 • focal
- vulnerabilities

[github-actions]

Outdated

Overview

Image reference	ashenm/workspace:secure-agility	ghcr.io/ashenm/workspace/secure-agility
- digest	0d35853000b2	0d35853000b2
- provenance	ba75765	9c62c85
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	2.5 GB	2.5 GB
- packages	2944	2944
Base Image	ubuntu:ba75765 also known as: • 20.04 • focal	ubuntu:9c62c85 also known as: • 20.04 • focal
- vulnerabilities

[github-actions]

Outdated

Overview

Image reference	ashenm/workspace:railsbank	ghcr.io/ashenm/workspace/railsbank
- digest	946d5cd46e84	946d5cd46e84
- provenance	ba75765	9c62c85
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	2.5 GB	2.5 GB
- packages	3046	3046
Base Image	ubuntu:ba75765 also known as: • 20.04 • focal	ubuntu:9c62c85 also known as: • 20.04 • focal
- vulnerabilities

[github-actions]

Overview

Image reference	ashenm/workspace:stanford-cs143	ghcr.io/ashenm/workspace/stanford-cs143
- digest	9b03ee453ca7	9b03ee453ca7
- provenance	ba75765	9c62c85
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	2.6 GB	2.6 GB
- packages	2997	2997
Base Image	ubuntu:ba75765 also known as: • 20.04 • focal	ubuntu:9c62c85 also known as: • 20.04 • focal
- vulnerabilities

[github-actions]

Outdated

🔍 Vulnerabilities of ghcr.io/ashenm/workspace/singlife@sha256:3567011449e75eec767b137c97edaf3f5896e93b3d6622b10e470442aa6decee

📦 Image Reference ghcr.io/ashenm/workspace/singlife@sha256:3567011449e75eec767b137c97edaf3f5896e93b3d6622b10e470442aa6decee

digest	sha256:dee3adc4ccaa8ad9a0803d76d1321f9a722c8334edb5031daae6e52738772757
vulnerabilities
platform	linux/arm64
size	2.4 GB
packages	2980

📦 Base Image ubuntu:20.04

also known as	focal focal-20240216
digest	sha256:4aa61d4985265be6d872cc214016f2f91a77b1c925dab5ce502db2edc4a7e5af
vulnerabilities

cgi 0.3.1 (gem) pkg:gem/cgi@0.3.1 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=0.3.1 Fixed version 0.3.2 CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description CGI.escape_html in Ruby has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. Interpretation Conflict Affected range >=0.3.0 <0.3.5 Fixed version 0.3.5 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Description Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This issue has been patched in versions 0.3.5, 0.2.2 and 0.1.0.2.

rvm 1.11.3.9 (gem) pkg:gem/rvm@1.11.3.9 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.28.0 Fixed version 1.29.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description RVM automatically loads environment variables from files in $PWD resulting in command execution.

execa 1.0.0 (npm) pkg:npm/execa@1.0.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

execa 0.10.0 (npm) pkg:npm/execa@0.10.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

linux 5.4.0-173.191 (deb) pkg:deb/ubuntu/linux@5.4.0-173.191?os_distro=focal&os_name=ubuntu&os_version=20.04 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Affected range <5.4.0-174.193 Fixed version 5.4.0-174.193 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Description A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. Affected range >=0 Fixed version Not Fixed CVSS Score 4.7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N Description A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.

pygments 2.3.1 (pypi) pkg:pypi/pygments@2.3.1 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Uncontrolled Resource Consumption Affected range >=1.1 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.5 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

cryptography 41.0.6 (pypi) pkg:pypi/cryptography@41.0.6 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

httpie 1.0.3 (pypi) pkg:pypi/httpie@1.0.3 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Improper Certificate Validation Affected range <=3.2.2 Fixed version Not Fixed CVSS Score 7.4 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Description Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

async 1.5.0 (npm) pkg:npm/async@1.5.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.6.4 Fixed version 2.6.4, 3.2.2 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Description A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

time 0.2.0 (gem) pkg:gem/time@0.2.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Inefficient Regular Expression Complexity Affected range >=0.2.0 <0.2.2 Fixed version 0.2.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

uri 0.11.0 (gem) pkg:gem/uri@0.11.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Inefficient Regular Expression Complexity Affected range >=0.11.0 <0.11.1 Fixed version 0.11.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

certifi 2019.11.28 (pypi) pkg:pypi/certifi@2019.11.28 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Insufficient Verification of Data Authenticity Affected range >=2015.4.28 <2023.7.22 Fixed version 2023.7.22 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Description Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found here.

http-cache-semantics 3.8.1 (npm) pkg:npm/http-cache-semantics@3.8.1 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Inefficient Regular Expression Complexity Affected range <4.1.1 Fixed version 4.1.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

urllib3 1.25.8 (pypi) pkg:pypi/urllib3@1.25.8 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Uncontrolled Resource Consumption Affected range >=1.25.4 <1.26.5 Fixed version 1.26.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description Impact When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Patches The issue has been fixed in urllib3 v1.26.5. References CVE-2021-33503 JVNVU#92413403 (English) JVNVU#92413403 (Japanese) urllib3 v1.26.5 For more information If you have any questions or comments about this advisory: Ask in our community Discord Email sethmichaellarson@gmail.com

stdlib 1.20.11 (golang) pkg:golang/stdlib@1.20.11 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Affected range >=1.20.11 <1.20.12 Fixed version 1.20.12 Description The filepath package does not recognize paths with a ??\ prefix as special. On Windows, a path beginning with ??\ is a Root Local Device path equivalent to a path beginning with \?. Paths with a ??\ prefix may be used to access arbitrary locations on the system. For example, the path ??\c:\x is equivalent to the more common path c:\x. Before fix, Clean could convert a rooted path such as \a..??\b into the root local device path ??\b. Clean will now convert this to .??\b. Similarly, Join(, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path ??\b. Join will now convert this to .??\b. In addition, with fix, IsAbs now correctly reports paths beginning with ??\ as absolute, and VolumeName correctly reports the ??\ prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with ?, resulting in filepath.Clean(?\c:) returning ?\c: rather than ?\c:\ (among other effects). The previous behavior has been restored.

net.sourceforge.plantuml/plantuml 0.0.0 (maven) pkg:maven/net.sourceforge.plantuml/plantuml@0.0.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Server-Side Request Forgery (SSRF) Affected range <1.2023.9 Fixed version 1.2023.9 CVSS Score 7.2 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N Description Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.

github.com/cloudflare/circl 1.3.3 (golang) pkg:golang/github.com/cloudflare/circl@1.3.3 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Affected range <1.3.7 Fixed version 1.3.7 Description Impact On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key. Does not apply to ephemeral usage, such as when used in the regular way in TLS. Patches Patched in 1.3.7. References kyberslash.cr.yp.to

printf 0.3.0 (npm) pkg:npm/printf@0.3.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Uncontrolled Resource Consumption Affected range <0.6.1 Fixed version 0.6.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity.

setuptools 41.2.0 (pypi) pkg:pypi/setuptools@41.2.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Inefficient Regular Expression Complexity Affected range <65.5.1 Fixed version 65.5.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index. This has been patched in version 65.5.1.

[github-actions]

Outdated

🔍 Vulnerabilities of ghcr.io/ashenm/workspace/stanford-cs143@sha256:84ecf0b8b9e3bd09a2ee6ea859c8cae67da4e03d5ee7046e92ce55e7c97a437b

📦 Image Reference ghcr.io/ashenm/workspace/stanford-cs143@sha256:84ecf0b8b9e3bd09a2ee6ea859c8cae67da4e03d5ee7046e92ce55e7c97a437b

digest	sha256:01284d8476346e41580af098e94f4e467dc227d301fb20b895695a9001234423
vulnerabilities
platform	linux/arm64
size	2.4 GB
packages	2966

📦 Base Image ubuntu:20.04

also known as	focal focal-20240216
digest	sha256:4aa61d4985265be6d872cc214016f2f91a77b1c925dab5ce502db2edc4a7e5af
vulnerabilities

cgi 0.3.1 (gem) pkg:gem/cgi@0.3.1 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=0.3.1 Fixed version 0.3.2 CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description CGI.escape_html in Ruby has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. Interpretation Conflict Affected range >=0.3.0 <0.3.5 Fixed version 0.3.5 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Description Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This issue has been patched in versions 0.3.5, 0.2.2 and 0.1.0.2.

rvm 1.11.3.9 (gem) pkg:gem/rvm@1.11.3.9 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.28.0 Fixed version 1.29.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description RVM automatically loads environment variables from files in $PWD resulting in command execution.

execa 1.0.0 (npm) pkg:npm/execa@1.0.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

execa 0.10.0 (npm) pkg:npm/execa@0.10.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

cryptography 41.0.6 (pypi) pkg:pypi/cryptography@41.0.6 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

linux 5.4.0-173.191 (deb) pkg:deb/ubuntu/linux@5.4.0-173.191?os_distro=focal&os_name=ubuntu&os_version=20.04 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Affected range <5.4.0-174.193 Fixed version 5.4.0-174.193 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Description A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. Affected range >=0 Fixed version Not Fixed CVSS Score 4.7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N Description A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.

pygments 2.3.1 (pypi) pkg:pypi/pygments@2.3.1 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Uncontrolled Resource Consumption Affected range >=1.1 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.5 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

urllib3 1.25.8 (pypi) pkg:pypi/urllib3@1.25.8 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Uncontrolled Resource Consumption Affected range >=1.25.4 <1.26.5 Fixed version 1.26.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description Impact When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Patches The issue has been fixed in urllib3 v1.26.5. References CVE-2021-33503 JVNVU#92413403 (English) JVNVU#92413403 (Japanese) urllib3 v1.26.5 For more information If you have any questions or comments about this advisory: Ask in our community Discord Email sethmichaellarson@gmail.com

printf 0.3.0 (npm) pkg:npm/printf@0.3.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Uncontrolled Resource Consumption Affected range <0.6.1 Fixed version 0.6.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity.

setuptools 41.2.0 (pypi) pkg:pypi/setuptools@41.2.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Inefficient Regular Expression Complexity Affected range <65.5.1 Fixed version 65.5.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index. This has been patched in version 65.5.1.

net.sourceforge.plantuml/plantuml 0.0.0 (maven) pkg:maven/net.sourceforge.plantuml/plantuml@0.0.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Server-Side Request Forgery (SSRF) Affected range <1.2023.9 Fixed version 1.2023.9 CVSS Score 7.2 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N Description Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.

certifi 2019.11.28 (pypi) pkg:pypi/certifi@2019.11.28 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Insufficient Verification of Data Authenticity Affected range >=2015.4.28 <2023.7.22 Fixed version 2023.7.22 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Description Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found here.

async 1.5.0 (npm) pkg:npm/async@1.5.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.6.4 Fixed version 2.6.4, 3.2.2 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Description A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

time 0.2.0 (gem) pkg:gem/time@0.2.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Inefficient Regular Expression Complexity Affected range >=0.2.0 <0.2.2 Fixed version 0.2.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

github.com/cloudflare/circl 1.3.3 (golang) pkg:golang/github.com/cloudflare/circl@1.3.3 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Affected range <1.3.7 Fixed version 1.3.7 Description Impact On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key. Does not apply to ephemeral usage, such as when used in the regular way in TLS. Patches Patched in 1.3.7. References kyberslash.cr.yp.to

http-cache-semantics 3.8.1 (npm) pkg:npm/http-cache-semantics@3.8.1 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Inefficient Regular Expression Complexity Affected range <4.1.1 Fixed version 4.1.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

uri 0.11.0 (gem) pkg:gem/uri@0.11.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Inefficient Regular Expression Complexity Affected range >=0.11.0 <0.11.1 Fixed version 0.11.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

httpie 1.0.3 (pypi) pkg:pypi/httpie@1.0.3 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Improper Certificate Validation Affected range <=3.2.2 Fixed version Not Fixed CVSS Score 7.4 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Description Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

[github-actions]

Outdated

🔍 Vulnerabilities of ghcr.io/ashenm/workspace/singlife@sha256:4e09ec8f59349f17319e54d9e674d2855bd19724985fe0d7f9c8b30f3b15183a

📦 Image Reference ghcr.io/ashenm/workspace/singlife@sha256:4e09ec8f59349f17319e54d9e674d2855bd19724985fe0d7f9c8b30f3b15183a

digest	sha256:be2a8b2f405cfbf8b7c16ec8300af95365fb0c40b69209d44314e1c67500e795
vulnerabilities
platform	linux/amd64
size	2.6 GB
packages	3011

📦 Base Image ubuntu:20.04

also known as	focal focal-20240216
digest	sha256:48c35f3de33487442af224ed4aabac19fd9bfbd91ee90e9471d412706b20ba73
vulnerabilities

cgi 0.3.1 (gem) pkg:gem/cgi@0.3.1 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=0.3.1 Fixed version 0.3.2 CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description CGI.escape_html in Ruby has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. Interpretation Conflict Affected range >=0.3.0 <0.3.5 Fixed version 0.3.5 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Description Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This issue has been patched in versions 0.3.5, 0.2.2 and 0.1.0.2.

execa 0.10.0 (npm) pkg:npm/execa@0.10.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

execa 1.0.0 (npm) pkg:npm/execa@1.0.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

rvm 1.11.3.9 (gem) pkg:gem/rvm@1.11.3.9 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.28.0 Fixed version 1.29.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description RVM automatically loads environment variables from files in $PWD resulting in command execution.

linux 5.4.0-173.191 (deb) pkg:deb/ubuntu/linux@5.4.0-173.191?os_distro=focal&os_name=ubuntu&os_version=20.04 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Affected range <5.4.0-174.193 Fixed version 5.4.0-174.193 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Description A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. Affected range >=0 Fixed version Not Fixed CVSS Score 4.7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N Description A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.

cryptography 41.0.7 (pypi) pkg:pypi/cryptography@41.0.7 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

cryptography 41.0.6 (pypi) pkg:pypi/cryptography@41.0.6 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

pygments 2.3.1 (pypi) pkg:pypi/pygments@2.3.1 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Uncontrolled Resource Consumption Affected range >=1.1 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.5 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

printf 0.3.0 (npm) pkg:npm/printf@0.3.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Uncontrolled Resource Consumption Affected range <0.6.1 Fixed version 0.6.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity.

net.sourceforge.plantuml/plantuml 0.0.0 (maven) pkg:maven/net.sourceforge.plantuml/plantuml@0.0.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Server-Side Request Forgery (SSRF) Affected range <1.2023.9 Fixed version 1.2023.9 CVSS Score 7.2 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N Description Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.

async 1.5.0 (npm) pkg:npm/async@1.5.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.6.4 Fixed version 2.6.4, 3.2.2 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Description A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

setuptools 41.2.0 (pypi) pkg:pypi/setuptools@41.2.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Inefficient Regular Expression Complexity Affected range <65.5.1 Fixed version 65.5.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index. This has been patched in version 65.5.1.

urllib3 1.25.8 (pypi) pkg:pypi/urllib3@1.25.8 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Uncontrolled Resource Consumption Affected range >=1.25.4 <1.26.5 Fixed version 1.26.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description Impact When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Patches The issue has been fixed in urllib3 v1.26.5. References CVE-2021-33503 JVNVU#92413403 (English) JVNVU#92413403 (Japanese) urllib3 v1.26.5 For more information If you have any questions or comments about this advisory: Ask in our community Discord Email sethmichaellarson@gmail.com

uri 0.11.0 (gem) pkg:gem/uri@0.11.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Inefficient Regular Expression Complexity Affected range >=0.11.0 <0.11.1 Fixed version 0.11.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

certifi 2019.11.28 (pypi) pkg:pypi/certifi@2019.11.28 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Insufficient Verification of Data Authenticity Affected range >=2015.4.28 <2023.7.22 Fixed version 2023.7.22 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Description Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found here.

httpie 1.0.3 (pypi) pkg:pypi/httpie@1.0.3 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Improper Certificate Validation Affected range <=3.2.2 Fixed version Not Fixed CVSS Score 7.4 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Description Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

github.com/cloudflare/circl 1.3.3 (golang) pkg:golang/github.com/cloudflare/circl@1.3.3 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Affected range <1.3.7 Fixed version 1.3.7 Description Impact On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key. Does not apply to ephemeral usage, such as when used in the regular way in TLS. Patches Patched in 1.3.7. References kyberslash.cr.yp.to

time 0.2.0 (gem) pkg:gem/time@0.2.0 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Inefficient Regular Expression Complexity Affected range >=0.2.0 <0.2.2 Fixed version 0.2.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

stdlib 1.20.11 (golang) pkg:golang/stdlib@1.20.11 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Affected range >=1.20.11 <1.20.12 Fixed version 1.20.12 Description The filepath package does not recognize paths with a ??\ prefix as special. On Windows, a path beginning with ??\ is a Root Local Device path equivalent to a path beginning with \?. Paths with a ??\ prefix may be used to access arbitrary locations on the system. For example, the path ??\c:\x is equivalent to the more common path c:\x. Before fix, Clean could convert a rooted path such as \a..??\b into the root local device path ??\b. Clean will now convert this to .??\b. Similarly, Join(, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path ??\b. Join will now convert this to .??\b. In addition, with fix, IsAbs now correctly reports paths beginning with ??\ as absolute, and VolumeName correctly reports the ??\ prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with ?, resulting in filepath.Clean(?\c:) returning ?\c: rather than ?\c:\ (among other effects). The previous behavior has been restored.

http-cache-semantics 3.8.1 (npm) pkg:npm/http-cache-semantics@3.8.1 # Dockerfile (12:14) RUN sudo --set-home python3 -m pip install --no-cache-dir --ignore-installed \ aws-sam-cli \ qldbshell Inefficient Regular Expression Complexity Affected range <4.1.1 Fixed version 4.1.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

[github-actions]

Outdated

🔍 Vulnerabilities of ghcr.io/ashenm/workspace/secure-agility@sha256:9ac39a41889f25b564dd30f929c9f5edd80d362e01b3021c07b93c2920ac7595

📦 Image Reference ghcr.io/ashenm/workspace/secure-agility@sha256:9ac39a41889f25b564dd30f929c9f5edd80d362e01b3021c07b93c2920ac7595

digest	sha256:0d35853000b2b76dd555e1e66f224850d1d9e625db98d740979db4d7126e4a4d
vulnerabilities
platform	linux/amd64
size	2.5 GB
packages	2944

📦 Base Image ubuntu:20.04

also known as	focal focal-20240216
digest	sha256:48c35f3de33487442af224ed4aabac19fd9bfbd91ee90e9471d412706b20ba73
vulnerabilities

cgi 0.3.1 (gem) pkg:gem/cgi@0.3.1 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=0.3.1 Fixed version 0.3.2 CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description CGI.escape_html in Ruby has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. Interpretation Conflict Affected range >=0.3.0 <0.3.5 Fixed version 0.3.5 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Description Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This issue has been patched in versions 0.3.5, 0.2.2 and 0.1.0.2.

execa 0.10.0 (npm) pkg:npm/execa@0.10.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

execa 1.0.0 (npm) pkg:npm/execa@1.0.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

rvm 1.11.3.9 (gem) pkg:gem/rvm@1.11.3.9 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.28.0 Fixed version 1.29.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description RVM automatically loads environment variables from files in $PWD resulting in command execution.

cryptography 41.0.7 (pypi) pkg:pypi/cryptography@41.0.7 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

cryptography 41.0.6 (pypi) pkg:pypi/cryptography@41.0.6 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

pygments 2.3.1 (pypi) pkg:pypi/pygments@2.3.1 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Uncontrolled Resource Consumption Affected range >=1.1 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.5 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

linux 5.4.0-173.191 (deb) pkg:deb/ubuntu/linux@5.4.0-173.191?os_distro=focal&os_name=ubuntu&os_version=20.04 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Affected range <5.4.0-174.193 Fixed version 5.4.0-174.193 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Description A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. Affected range >=0 Fixed version Not Fixed CVSS Score 4.7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N Description A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.

time 0.2.0 (gem) pkg:gem/time@0.2.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Inefficient Regular Expression Complexity Affected range >=0.2.0 <0.2.2 Fixed version 0.2.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

uri 0.11.0 (gem) pkg:gem/uri@0.11.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Inefficient Regular Expression Complexity Affected range >=0.11.0 <0.11.1 Fixed version 0.11.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

httpie 1.0.3 (pypi) pkg:pypi/httpie@1.0.3 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Improper Certificate Validation Affected range <=3.2.2 Fixed version Not Fixed CVSS Score 7.4 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Description Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

async 1.5.0 (npm) pkg:npm/async@1.5.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.6.4 Fixed version 2.6.4, 3.2.2 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Description A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

printf 0.3.0 (npm) pkg:npm/printf@0.3.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Uncontrolled Resource Consumption Affected range <0.6.1 Fixed version 0.6.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity.

net.sourceforge.plantuml/plantuml 0.0.0 (maven) pkg:maven/net.sourceforge.plantuml/plantuml@0.0.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Server-Side Request Forgery (SSRF) Affected range <1.2023.9 Fixed version 1.2023.9 CVSS Score 7.2 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N Description Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.

urllib3 1.25.8 (pypi) pkg:pypi/urllib3@1.25.8 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Uncontrolled Resource Consumption Affected range >=1.25.4 <1.26.5 Fixed version 1.26.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description Impact When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Patches The issue has been fixed in urllib3 v1.26.5. References CVE-2021-33503 JVNVU#92413403 (English) JVNVU#92413403 (Japanese) urllib3 v1.26.5 For more information If you have any questions or comments about this advisory: Ask in our community Discord Email sethmichaellarson@gmail.com

github.com/cloudflare/circl 1.3.3 (golang) pkg:golang/github.com/cloudflare/circl@1.3.3 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Affected range <1.3.7 Fixed version 1.3.7 Description Impact On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key. Does not apply to ephemeral usage, such as when used in the regular way in TLS. Patches Patched in 1.3.7. References kyberslash.cr.yp.to

http-cache-semantics 3.8.1 (npm) pkg:npm/http-cache-semantics@3.8.1 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Inefficient Regular Expression Complexity Affected range <4.1.1 Fixed version 4.1.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

certifi 2019.11.28 (pypi) pkg:pypi/certifi@2019.11.28 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Insufficient Verification of Data Authenticity Affected range >=2015.4.28 <2023.7.22 Fixed version 2023.7.22 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Description Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found here.

setuptools 41.2.0 (pypi) pkg:pypi/setuptools@41.2.0 # Dockerfile (12:15) RUN sudo --set-home --preserve-env=ACCEPT_EULA,DEBIAN_FRONTEND apt-get install --yes --no-install-recommends \ msodbcsql18 \ mssql-tools18 \ unixodbc-dev Inefficient Regular Expression Complexity Affected range <65.5.1 Fixed version 65.5.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index. This has been patched in version 65.5.1.

[github-actions]

Outdated

🔍 Vulnerabilities of ghcr.io/ashenm/workspace/railsbank@sha256:b7d2e9cb884a80b44a5379279fedca006bf1f250d92a8a3d673957a010f38a29

📦 Image Reference ghcr.io/ashenm/workspace/railsbank@sha256:b7d2e9cb884a80b44a5379279fedca006bf1f250d92a8a3d673957a010f38a29

digest	sha256:946d5cd46e84119734e45818781f497be8de395f893a6ea8d38f9260aef9cb57
vulnerabilities
platform	linux/amd64
size	2.5 GB
packages	3046

📦 Base Image ubuntu:20.04

also known as	focal focal-20240216
digest	sha256:48c35f3de33487442af224ed4aabac19fd9bfbd91ee90e9471d412706b20ba73
vulnerabilities

cgi 0.3.1 (gem) pkg:gem/cgi@0.3.1 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=0.3.1 Fixed version 0.3.2 CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description CGI.escape_html in Ruby has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. Interpretation Conflict Affected range >=0.3.0 <0.3.5 Fixed version 0.3.5 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Description Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This issue has been patched in versions 0.3.5, 0.2.2 and 0.1.0.2.

rvm 1.11.3.9 (gem) pkg:gem/rvm@1.11.3.9 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.28.0 Fixed version 1.29.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description RVM automatically loads environment variables from files in $PWD resulting in command execution.

execa 0.10.0 (npm) pkg:npm/execa@0.10.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

execa 1.0.0 (npm) pkg:npm/execa@1.0.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

linux 5.4.0-173.191 (deb) pkg:deb/ubuntu/linux@5.4.0-173.191?os_distro=focal&os_name=ubuntu&os_version=20.04 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Affected range <5.4.0-174.193 Fixed version 5.4.0-174.193 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Description A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. Affected range >=0 Fixed version Not Fixed CVSS Score 4.7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N Description A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.

cryptography 41.0.7 (pypi) pkg:pypi/cryptography@41.0.7 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

cryptography 41.0.6 (pypi) pkg:pypi/cryptography@41.0.6 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

pygments 2.3.1 (pypi) pkg:pypi/pygments@2.3.1 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Uncontrolled Resource Consumption Affected range >=1.1 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.5 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

http-cache-semantics 3.8.1 (npm) pkg:npm/http-cache-semantics@3.8.1 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Inefficient Regular Expression Complexity Affected range <4.1.1 Fixed version 4.1.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

certifi 2019.11.28 (pypi) pkg:pypi/certifi@2019.11.28 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Insufficient Verification of Data Authenticity Affected range >=2015.4.28 <2023.7.22 Fixed version 2023.7.22 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Description Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found here.

async 1.5.0 (npm) pkg:npm/async@1.5.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.6.4 Fixed version 2.6.4, 3.2.2 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Description A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

setuptools 41.2.0 (pypi) pkg:pypi/setuptools@41.2.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Inefficient Regular Expression Complexity Affected range <65.5.1 Fixed version 65.5.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index. This has been patched in version 65.5.1.

urllib3 1.25.8 (pypi) pkg:pypi/urllib3@1.25.8 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Uncontrolled Resource Consumption Affected range >=1.25.4 <1.26.5 Fixed version 1.26.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description Impact When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Patches The issue has been fixed in urllib3 v1.26.5. References CVE-2021-33503 JVNVU#92413403 (English) JVNVU#92413403 (Japanese) urllib3 v1.26.5 For more information If you have any questions or comments about this advisory: Ask in our community Discord Email sethmichaellarson@gmail.com

httpie 1.0.3 (pypi) pkg:pypi/httpie@1.0.3 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Improper Certificate Validation Affected range <=3.2.2 Fixed version Not Fixed CVSS Score 7.4 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Description Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

github.com/cloudflare/circl 1.3.3 (golang) pkg:golang/github.com/cloudflare/circl@1.3.3 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Affected range <1.3.7 Fixed version 1.3.7 Description Impact On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key. Does not apply to ephemeral usage, such as when used in the regular way in TLS. Patches Patched in 1.3.7. References kyberslash.cr.yp.to

uri 0.11.0 (gem) pkg:gem/uri@0.11.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Inefficient Regular Expression Complexity Affected range >=0.11.0 <0.11.1 Fixed version 0.11.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

printf 0.3.0 (npm) pkg:npm/printf@0.3.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Uncontrolled Resource Consumption Affected range <0.6.1 Fixed version 0.6.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity.

net.sourceforge.plantuml/plantuml 0.0.0 (maven) pkg:maven/net.sourceforge.plantuml/plantuml@0.0.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Server-Side Request Forgery (SSRF) Affected range <1.2023.9 Fixed version 1.2023.9 CVSS Score 7.2 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N Description Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.

time 0.2.0 (gem) pkg:gem/time@0.2.0 # Dockerfile (15:17) RUN printf '; Railsbank NPM Package Registry\n\ @railsbank-tech:registry=https://gitlab.com/api/v4/packages/npm/\n\n' | \ sudo tee --append /etc/npmrc 1> /dev/null Inefficient Regular Expression Complexity Affected range >=0.2.0 <0.2.2 Fixed version 0.2.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

[github-actions]

🔍 Vulnerabilities of ghcr.io/ashenm/workspace/stanford-cs143@sha256:613aeba662c88e2b12549de38f6c3a20cbacea7a53ce1fa73033141543900af4

📦 Image Reference ghcr.io/ashenm/workspace/stanford-cs143@sha256:613aeba662c88e2b12549de38f6c3a20cbacea7a53ce1fa73033141543900af4

digest	sha256:9b03ee453ca794ccfc026fc9850b86f69bf350fdf55d39e663b9e46beb78dfe2
vulnerabilities
platform	linux/amd64
size	2.6 GB
packages	2997

📦 Base Image ubuntu:20.04

also known as	focal focal-20240216
digest	sha256:48c35f3de33487442af224ed4aabac19fd9bfbd91ee90e9471d412706b20ba73
vulnerabilities

cgi 0.3.1 (gem) pkg:gem/cgi@0.3.1 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=0.3.1 Fixed version 0.3.2 CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description CGI.escape_html in Ruby has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. Interpretation Conflict Affected range >=0.3.0 <0.3.5 Fixed version 0.3.5 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Description Ruby gem cgi.rb prior to versions 0.3.5, 0.2.2 and 0.1.0.2 allow HTTP header injection. If a CGI application using the CGI library inserts untrusted input into the HTTP response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This issue has been patched in versions 0.3.5, 0.2.2 and 0.1.0.2.

execa 0.10.0 (npm) pkg:npm/execa@0.10.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

execa 1.0.0 (npm) pkg:npm/execa@1.0.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

rvm 1.11.3.9 (gem) pkg:gem/rvm@1.11.3.9 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.28.0 Fixed version 1.29.0 CVSS Score 9.8 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Description RVM automatically loads environment variables from files in $PWD resulting in command execution.

cryptography 41.0.7 (pypi) pkg:pypi/cryptography@41.0.7 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

linux 5.4.0-173.191 (deb) pkg:deb/ubuntu/linux@5.4.0-173.191?os_distro=focal&os_name=ubuntu&os_version=20.04 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Affected range <5.4.0-174.193 Fixed version 5.4.0-174.193 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Description A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. Affected range >=0 Fixed version Not Fixed CVSS Score 4.7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N Description A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.

pygments 2.3.1 (pypi) pkg:pypi/pygments@2.3.1 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Uncontrolled Resource Consumption Affected range >=1.1 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.5 <2.7.4 Fixed version 2.7.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

cryptography 41.0.6 (pypi) pkg:pypi/cryptography@41.0.6 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev NULL Pointer Dereference Affected range >=38.0.0 <42.0.4 Fixed version 42.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description If pkcs12.serialize_key_and_certificates is called with both: A certificate whose public key did not match the provided private key An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...) Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a ValueError is properly raised. Patched in pyca/cryptography#10423 Observable Discrepancy Affected range <42.0.0 Fixed version 42.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Description A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

time 0.2.0 (gem) pkg:gem/time@0.2.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Inefficient Regular Expression Complexity Affected range >=0.2.0 <0.2.2 Fixed version 0.2.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

async 1.5.0 (npm) pkg:npm/async@1.5.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.6.4 Fixed version 2.6.4, 3.2.2 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Description A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

net.sourceforge.plantuml/plantuml 0.0.0 (maven) pkg:maven/net.sourceforge.plantuml/plantuml@0.0.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Server-Side Request Forgery (SSRF) Affected range <1.2023.9 Fixed version 1.2023.9 CVSS Score 7.2 CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N Description Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.

setuptools 41.2.0 (pypi) pkg:pypi/setuptools@41.2.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Inefficient Regular Expression Complexity Affected range <65.5.1 Fixed version 65.5.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index. This has been patched in version 65.5.1.

httpie 1.0.3 (pypi) pkg:pypi/httpie@1.0.3 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Improper Certificate Validation Affected range <=3.2.2 Fixed version Not Fixed CVSS Score 7.4 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Description Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

uri 0.11.0 (gem) pkg:gem/uri@0.11.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Inefficient Regular Expression Complexity Affected range >=0.11.0 <0.11.1 Fixed version 0.11.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

certifi 2019.11.28 (pypi) pkg:pypi/certifi@2019.11.28 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Insufficient Verification of Data Authenticity Affected range >=2015.4.28 <2023.7.22 Fixed version 2023.7.22 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Description Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store. e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found here.

github.com/cloudflare/circl 1.3.3 (golang) pkg:golang/github.com/cloudflare/circl@1.3.3 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Affected range <1.3.7 Fixed version 1.3.7 Description Impact On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn (parts of) the secret key. Does not apply to ephemeral usage, such as when used in the regular way in TLS. Patches Patched in 1.3.7. References kyberslash.cr.yp.to

urllib3 1.25.8 (pypi) pkg:pypi/urllib3@1.25.8 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Uncontrolled Resource Consumption Affected range >=1.25.4 <1.26.5 Fixed version 1.26.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description Impact When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Patches The issue has been fixed in urllib3 v1.26.5. References CVE-2021-33503 JVNVU#92413403 (English) JVNVU#92413403 (Japanese) urllib3 v1.26.5 For more information If you have any questions or comments about this advisory: Ask in our community Discord Email sethmichaellarson@gmail.com

printf 0.3.0 (npm) pkg:npm/printf@0.3.0 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Uncontrolled Resource Consumption Affected range <0.6.1 Fixed version 0.6.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity.

http-cache-semantics 3.8.1 (npm) pkg:npm/http-cache-semantics@3.8.1 # Dockerfile (12:19) RUN sudo --set-home --preserve-env=DEBIAN_FRONTEND apt-get install --yes \ flex \ bison \ build-essential \ csh \ openjdk-8-jdk \ spim \ libxaw7-dev Inefficient Regular Expression Complexity Affected range <4.1.1 Fixed version 4.1.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.