[CVE Report]: messagebird/sachet:0.2.6
eliyamlevy opened this issue · comments
Hello,
Can you publish a new docker image to address these CVEs?
Issues found using aquasec/trivy:0.20.2.
Thank you!
For reference it this is a similar request to this issue.
| Vulnerability ID | Title | Package Name | Fixed Version | Severity | URL | Target |
|---|---|---|---|---|---|---|
| CVE-2021-42378 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i() | busybox | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42378 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42379 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file() | busybox | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42379 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42380 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar() | busybox | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42380 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42381 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init() | busybox | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42381 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42382 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s() | busybox | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42382 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42383 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate() | busybox | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42383 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42384 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special() | busybox | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42384 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42385 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate() | busybox | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42385 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42386 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc() | busybox | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42386 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2022-0778 | openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates | libcrypto1.1 | 1.1.1n-r0 | HIGH | https://avd.aquasec.com/nvd/cve-2022-0778 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2022-0778 | openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates | libretls | 3.3.3p1-r3 | HIGH | https://avd.aquasec.com/nvd/cve-2022-0778 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2022-0778 | openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates | libssl1.1 | 1.1.1n-r0 | HIGH | https://avd.aquasec.com/nvd/cve-2022-0778 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42378 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i() | ssl_client | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42378 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42379 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file() | ssl_client | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42379 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42380 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar() | ssl_client | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42380 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42381 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init() | ssl_client | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42381 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42382 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s() | ssl_client | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42382 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42383 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate() | ssl_client | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42383 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42384 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special() | ssl_client | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42384 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42385 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate() | ssl_client | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42385 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2021-42386 | busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc() | ssl_client | 1.33.1-r6 | HIGH | https://avd.aquasec.com/nvd/cve-2021-42386 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
| CVE-2018-25032 | zlib: A flaw in zlib-1.2.11 when compressing (not decompressing!) certain inputs. | zlib | 1.2.12-r0 | HIGH | https://avd.aquasec.com/nvd/cve-2018-25032 | rancher/mirrored-messagebird-sachet:0.2.6 (alpine 3.14.2) |
Thank you for the issue!
Please use new releases. Just released 0.3.1 and tested with trivy:
> trivy image messagebird/sachet:0.3.1
2022-04-07T11:02:58.059+0200 INFO Detected OS: alpine
2022-04-07T11:02:58.059+0200 INFO Detecting Alpine vulnerabilities...
2022-04-07T11:02:58.062+0200 INFO Number of language-specific files: 1
2022-04-07T11:02:58.062+0200 INFO Detecting gobinary vulnerabilities...
messagebird/sachet:0.3.1 (alpine 3.15.4)
========================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
usr/local/bin/sachet (gobinary)
===============================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
Thank you!