diff --git a/index.html b/index.html index 49234ff..1210aa8 100644 --- a/index.html +++ b/index.html @@ -51,7 +51,7 @@ } a.toggle-more-links { cursor: pointer; } -
rocky | |||||
---|---|---|---|---|---|
Fixed Version | Links | ||||
curl | +CVE-2022-32206 | +MEDIUM | +7.61.1-22.el8_6.3 | +7.61.1-22.el8_6.4 | ++ https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32206.json + https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32208.json + https://access.redhat.com/security/cve/CVE-2022-32206 + https://curl.se/docs/CVE-2022-32206.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32206 + https://hackerone.com/reports/1570651 + https://linux.oracle.com/cve/CVE-2022-32206.html + https://linux.oracle.com/errata/ELSA-2022-6159.html + https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html + https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEV6BR4MTI3CEWK2YU2HQZUW5FAS3FEY/ + https://nvd.nist.gov/vuln/detail/CVE-2022-32206 + https://ubuntu.com/security/notices/USN-5495-1 + https://www.debian.org/security/2022/dsa-5197 + | +
curl | +CVE-2022-32208 | +MEDIUM | +7.61.1-22.el8_6.3 | +7.61.1-22.el8_6.4 | ++ https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32206.json + https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32208.json + https://access.redhat.com/security/cve/CVE-2022-32208 + https://curl.se/docs/CVE-2022-32208.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32208 + https://hackerone.com/reports/1590071 + https://linux.oracle.com/cve/CVE-2022-32208.html + https://linux.oracle.com/errata/ELSA-2022-6159.html + https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html + https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEV6BR4MTI3CEWK2YU2HQZUW5FAS3FEY/ + https://nvd.nist.gov/vuln/detail/CVE-2022-32208 + https://ubuntu.com/security/notices/USN-5495-1 + https://ubuntu.com/security/notices/USN-5499-1 + https://www.debian.org/security/2022/dsa-5197 + | +
libcurl-minimal | +CVE-2022-32206 | +MEDIUM | +7.61.1-22.el8_6.3 | +7.61.1-22.el8_6.4 | ++ https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32206.json + https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32208.json + https://access.redhat.com/security/cve/CVE-2022-32206 + https://curl.se/docs/CVE-2022-32206.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32206 + https://hackerone.com/reports/1570651 + https://linux.oracle.com/cve/CVE-2022-32206.html + https://linux.oracle.com/errata/ELSA-2022-6159.html + https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html + https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEV6BR4MTI3CEWK2YU2HQZUW5FAS3FEY/ + https://nvd.nist.gov/vuln/detail/CVE-2022-32206 + https://ubuntu.com/security/notices/USN-5495-1 + https://www.debian.org/security/2022/dsa-5197 + | +
libcurl-minimal | +CVE-2022-32208 | +MEDIUM | +7.61.1-22.el8_6.3 | +7.61.1-22.el8_6.4 | ++ https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32206.json + https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32208.json + https://access.redhat.com/security/cve/CVE-2022-32208 + https://curl.se/docs/CVE-2022-32208.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32208 + https://hackerone.com/reports/1590071 + https://linux.oracle.com/cve/CVE-2022-32208.html + https://linux.oracle.com/errata/ELSA-2022-6159.html + https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html + https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEV6BR4MTI3CEWK2YU2HQZUW5FAS3FEY/ + https://nvd.nist.gov/vuln/detail/CVE-2022-32208 + https://ubuntu.com/security/notices/USN-5495-1 + https://ubuntu.com/security/notices/USN-5499-1 + https://www.debian.org/security/2022/dsa-5197 + | +
vim-minimal | CVE-2022-1785 | diff --git a/trivy-results.sarif b/trivy-results.sarif index add28e9..e15c486 100644 --- a/trivy-results.sarif +++ b/trivy-results.sarif @@ -9,6 +9,60 @@ "informationUri": "https://github.com/aquasecurity/trivy", "name": "Trivy", "rules": [ + { + "id": "CVE-2022-32206", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "CVE-2022-32206" + }, + "fullDescription": { + "text": "curl \u0026lt; 7.84.0 supports \u0026#34;chained\u0026#34; HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable \u0026#34;links\u0026#34; in this \u0026#34;decompression chain\u0026#34; was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a \u0026#34;malloc bomb\u0026#34;, makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors." + }, + "defaultConfiguration": { + "level": "warning" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2022-32206", + "help": { + "text": "Vulnerability CVE-2022-32206\nSeverity: MEDIUM\nPackage: libcurl-minimal\nFixed Version: 7.61.1-22.el8_6.4\nLink: [CVE-2022-32206](https://avd.aquasec.com/nvd/cve-2022-32206)\ncurl \u003c 7.84.0 supports \"chained\" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable \"links\" in this \"decompression chain\" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a \"malloc bomb\", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors.", + "markdown": "**Vulnerability CVE-2022-32206**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libcurl-minimal|7.61.1-22.el8_6.4|[CVE-2022-32206](https://avd.aquasec.com/nvd/cve-2022-32206)|\n\ncurl \u003c 7.84.0 supports \"chained\" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable \"links\" in this \"decompression chain\" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a \"malloc bomb\", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors." + }, + "properties": { + "precision": "very-high", + "security-severity": "5.5", + "tags": [ + "vulnerability", + "security", + "MEDIUM" + ] + } + }, + { + "id": "CVE-2022-32208", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "CVE-2022-32208" + }, + "fullDescription": { + "text": "When curl \u0026lt; 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client." + }, + "defaultConfiguration": { + "level": "warning" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2022-32208", + "help": { + "text": "Vulnerability CVE-2022-32208\nSeverity: MEDIUM\nPackage: libcurl-minimal\nFixed Version: 7.61.1-22.el8_6.4\nLink: [CVE-2022-32208](https://avd.aquasec.com/nvd/cve-2022-32208)\nWhen curl \u003c 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.", + "markdown": "**Vulnerability CVE-2022-32208**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libcurl-minimal|7.61.1-22.el8_6.4|[CVE-2022-32208](https://avd.aquasec.com/nvd/cve-2022-32208)|\n\nWhen curl \u003c 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client." + }, + "properties": { + "precision": "very-high", + "security-severity": "5.5", + "tags": [ + "vulnerability", + "security", + "MEDIUM" + ] + } + }, { "id": "CVE-2022-1785", "name": "OsPackageVulnerability", @@ -96,9 +150,105 @@ }, "results": [ { - "ruleId": "CVE-2022-1785", + "ruleId": "CVE-2022-32206", "ruleIndex": 0, "level": "warning", + "message": { + "text": "Package: curl\nInstalled Version: 7.61.1-22.el8_6.3\nVulnerability CVE-2022-32206\nSeverity: MEDIUM\nFixed Version: 7.61.1-22.el8_6.4\nLink: [CVE-2022-32206](https://avd.aquasec.com/nvd/cve-2022-32206)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "rockylinux/rockylinux", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ] + }, + { + "ruleId": "CVE-2022-32208", + "ruleIndex": 1, + "level": "warning", + "message": { + "text": "Package: curl\nInstalled Version: 7.61.1-22.el8_6.3\nVulnerability CVE-2022-32208\nSeverity: MEDIUM\nFixed Version: 7.61.1-22.el8_6.4\nLink: [CVE-2022-32208](https://avd.aquasec.com/nvd/cve-2022-32208)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "rockylinux/rockylinux", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ] + }, + { + "ruleId": "CVE-2022-32206", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Package: libcurl-minimal\nInstalled Version: 7.61.1-22.el8_6.3\nVulnerability CVE-2022-32206\nSeverity: MEDIUM\nFixed Version: 7.61.1-22.el8_6.4\nLink: [CVE-2022-32206](https://avd.aquasec.com/nvd/cve-2022-32206)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "rockylinux/rockylinux", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ] + }, + { + "ruleId": "CVE-2022-32208", + "ruleIndex": 1, + "level": "warning", + "message": { + "text": "Package: libcurl-minimal\nInstalled Version: 7.61.1-22.el8_6.3\nVulnerability CVE-2022-32208\nSeverity: MEDIUM\nFixed Version: 7.61.1-22.el8_6.4\nLink: [CVE-2022-32208](https://avd.aquasec.com/nvd/cve-2022-32208)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "rockylinux/rockylinux", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ] + }, + { + "ruleId": "CVE-2022-1785", + "ruleIndex": 2, + "level": "warning", "message": { "text": "Package: vim-minimal\nInstalled Version: 2:8.0.1763-19.el8_6.2\nVulnerability CVE-2022-1785\nSeverity: MEDIUM\nFixed Version: 2:8.0.1763-19.el8_6.4\nLink: [CVE-2022-1785](https://avd.aquasec.com/nvd/cve-2022-1785)" }, @@ -121,7 +271,7 @@ }, { "ruleId": "CVE-2022-1897", - "ruleIndex": 1, + "ruleIndex": 3, "level": "warning", "message": { "text": "Package: vim-minimal\nInstalled Version: 2:8.0.1763-19.el8_6.2\nVulnerability CVE-2022-1897\nSeverity: MEDIUM\nFixed Version: 2:8.0.1763-19.el8_6.4\nLink: [CVE-2022-1897](https://avd.aquasec.com/nvd/cve-2022-1897)" @@ -145,7 +295,7 @@ }, { "ruleId": "CVE-2022-1927", - "ruleIndex": 2, + "ruleIndex": 4, "level": "warning", "message": { "text": "Package: vim-minimal\nInstalled Version: 2:8.0.1763-19.el8_6.2\nVulnerability CVE-2022-1927\nSeverity: MEDIUM\nFixed Version: 2:8.0.1763-19.el8_6.4\nLink: [CVE-2022-1927](https://avd.aquasec.com/nvd/cve-2022-1927)"