From b7163d582a5a3ee0d197cfd926cfff7893645d53 Mon Sep 17 00:00:00 2001 From: NeilHanlon Date: Wed, 15 Mar 2023 13:06:00 +0000 Subject: [PATCH] deploy: 8ccce7fd31973e438889a894e0b29e70f8459500 --- index.html | 171 ++++++++++++++++++++++++++++++++--------- trivy-results.sarif | 182 +++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 309 insertions(+), 44 deletions(-) diff --git a/index.html b/index.html index edc03a4..a541388 100644 --- a/index.html +++ b/index.html @@ -51,7 +51,7 @@ } a.toggle-more-links { cursor: pointer; } - docker.io/rockylinux/rockylinux:8 (rocky 8.7) - Trivy Report - 2023-03-14 13:12:00.083386159 +0000 UTC m=+1.927223576 + docker.io/rockylinux/rockylinux:8 (rocky 8.7) - Trivy Report - 2023-03-15 13:05:59.866056283 +0000 UTC m=+0.772464739 -

docker.io/rockylinux/rockylinux:8 (rocky 8.7) - Trivy Report - 2023-03-14 13:12:00.083429559 +0000 UTC m=+1.927266976

+

docker.io/rockylinux/rockylinux:8 (rocky 8.7) - Trivy Report - 2023-03-15 13:05:59.866083284 +0000 UTC m=+0.772491840

@@ -92,6 +92,58 @@ + + + + + + + + + + + + + + + + @@ -101,11 +153,9 @@ + + + + + + + + @@ -255,11 +331,9 @@ + + + + + + + + @@ -407,13 +507,14 @@
rocky
Fixed Version Links
curlCVE-2023-23916MEDIUM7.61.1-25.el8_7.17.61.1-25.el8_7.3 + https://access.redhat.com/errata/RHSA-2023:1140 + https://access.redhat.com/security/cve/CVE-2023-23916 + https://bugzilla.redhat.com/2167815 + https://bugzilla.redhat.com/show_bug.cgi?id=2167815 + https://curl.se/docs/CVE-2023-23916.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23916 + https://errata.almalinux.org/8/ALSA-2023-1140.html + https://errata.rockylinux.org/RLSA-2023:1140 + https://hackerone.com/reports/1826048 + https://linux.oracle.com/cve/CVE-2023-23916.html + https://linux.oracle.com/errata/ELSA-2023-1140.html + https://lists.debian.org/debian-lts-announce/2023/02/msg00035.html + https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BQKE6TXYDHOTFHLTBZ5X73GTKI7II5KO/ + https://nvd.nist.gov/vuln/detail/CVE-2023-23916 + https://security.netapp.com/advisory/ntap-20230309-0006/ + https://ubuntu.com/security/notices/USN-5891-1 + https://www.debian.org/security/2023/dsa-5365 +
libcurl-minimalCVE-2023-23916MEDIUM7.61.1-25.el8_7.17.61.1-25.el8_7.3 + https://access.redhat.com/errata/RHSA-2023:1140 + https://access.redhat.com/security/cve/CVE-2023-23916 + https://bugzilla.redhat.com/2167815 + https://bugzilla.redhat.com/show_bug.cgi?id=2167815 + https://curl.se/docs/CVE-2023-23916.html + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23916 + https://errata.almalinux.org/8/ALSA-2023-1140.html + https://errata.rockylinux.org/RLSA-2023:1140 + https://hackerone.com/reports/1826048 + https://linux.oracle.com/cve/CVE-2023-23916.html + https://linux.oracle.com/errata/ELSA-2023-1140.html + https://lists.debian.org/debian-lts-announce/2023/02/msg00035.html + https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BQKE6TXYDHOTFHLTBZ5X73GTKI7II5KO/ + https://nvd.nist.gov/vuln/detail/CVE-2023-23916 + https://security.netapp.com/advisory/ntap-20230309-0006/ + https://ubuntu.com/security/notices/USN-5891-1 + https://www.debian.org/security/2023/dsa-5365 +
platform-python CVE-2020-10735 http://www.openwall.com/lists/oss-security/2022/09/21/1 http://www.openwall.com/lists/oss-security/2022/09/21/4 - https://access.redhat.com/errata/RHSA-2023:0833 + https://access.redhat.com/errata/RHSA-2022:7323 https://access.redhat.com/security/cve/CVE-2020-10735 https://bugzilla.redhat.com/1834423 - https://bugzilla.redhat.com/2120642 - https://bugzilla.redhat.com/2144072 https://bugzilla.redhat.com/show_bug.cgi?id=1834423 https://bugzilla.redhat.com/show_bug.cgi?id=2120642 https://bugzilla.redhat.com/show_bug.cgi?id=2144072 @@ -113,7 +163,7 @@ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28861 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45061 https://docs.google.com/document/d/1KjuF_aXlzPUxTK4BMgezGJ2Pn7uevfX7g0_mvgHlL7Y - https://errata.almalinux.org/8/ALSA-2023-0833.html + https://errata.almalinux.org/9/ALSA-2022-7323.html https://errata.rockylinux.org/RLSA-2023:0833 https://github.com/python/cpython/issues/95778 https://linux.oracle.com/cve/CVE-2020-10735.html @@ -148,12 +198,11 @@ 3.6.8-48.el8_7.rocky.0 3.6.8-48.el8_7.1.rocky.0 - https://access.redhat.com/errata/RHSA-2023:0833 + https://access.redhat.com/errata/RHSA-2022:8353 https://access.redhat.com/security/cve/CVE-2021-28861 https://bugs.python.org/issue43223 - https://bugzilla.redhat.com/1834423 + https://bugzilla.redhat.com/2075390 https://bugzilla.redhat.com/2120642 - https://bugzilla.redhat.com/2144072 https://bugzilla.redhat.com/show_bug.cgi?id=2054702 https://bugzilla.redhat.com/show_bug.cgi?id=2059951 https://bugzilla.redhat.com/show_bug.cgi?id=2075390 @@ -161,7 +210,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=2128249 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-20107 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28861 - https://errata.almalinux.org/8/ALSA-2023-0833.html + https://errata.almalinux.org/9/ALSA-2022-8353.html https://errata.rockylinux.org/RLSA-2022:8353 https://github.com/python/cpython/pull/24848 https://github.com/python/cpython/pull/93879 @@ -193,10 +242,8 @@ 3.6.8-48.el8_7.rocky.0 3.6.8-48.el8_7.1.rocky.0 - https://access.redhat.com/errata/RHSA-2023:0833 + https://access.redhat.com/errata/RHSA-2023:0953 https://access.redhat.com/security/cve/CVE-2022-45061 - https://bugzilla.redhat.com/1834423 - https://bugzilla.redhat.com/2120642 https://bugzilla.redhat.com/2144072 https://bugzilla.redhat.com/show_bug.cgi?id=1834423 https://bugzilla.redhat.com/show_bug.cgi?id=2120642 @@ -204,7 +251,7 @@ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28861 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45061 - https://errata.almalinux.org/8/ALSA-2023-0833.html + https://errata.almalinux.org/9/ALSA-2023-0953.html https://errata.rockylinux.org/RLSA-2023:0833 https://github.com/python/cpython/issues/98433 https://github.com/python/cpython/pull/99092 @@ -246,6 +293,35 @@ https://ubuntu.com/security/notices/USN-5888-1
platform-python-setuptoolsCVE-2022-40897MEDIUM39.2.0-6.el839.2.0-6.el8_7.1 + https://access.redhat.com/errata/RHSA-2023:0952 + https://access.redhat.com/security/cve/CVE-2022-40897 + https://bugzilla.redhat.com/2158559 + https://bugzilla.redhat.com/show_bug.cgi?id=2158559 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40897 + https://errata.almalinux.org/9/ALSA-2023-0952.html + https://errata.rockylinux.org/RLSA-2023:0835 + https://github.com/advisories/GHSA-r9hx-vwmv-q579 + https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200 + https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be + https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1 + https://github.com/pypa/setuptools/issues/3659 + https://linux.oracle.com/cve/CVE-2022-40897.html + https://linux.oracle.com/errata/ELSA-2023-0952.html + https://nvd.nist.gov/vuln/detail/CVE-2022-40897 + https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/ + https://pyup.io/vulnerabilities/CVE-2022-40897/52495/ + https://security.netapp.com/advisory/ntap-20230214-0001/ + https://setuptools.pypa.io/en/latest/ + https://ubuntu.com/security/notices/USN-5817-1 +
python3-libs CVE-2020-10735 http://www.openwall.com/lists/oss-security/2022/09/21/1 http://www.openwall.com/lists/oss-security/2022/09/21/4 - https://access.redhat.com/errata/RHSA-2023:0833 + https://access.redhat.com/errata/RHSA-2022:7323 https://access.redhat.com/security/cve/CVE-2020-10735 https://bugzilla.redhat.com/1834423 - https://bugzilla.redhat.com/2120642 - https://bugzilla.redhat.com/2144072 https://bugzilla.redhat.com/show_bug.cgi?id=1834423 https://bugzilla.redhat.com/show_bug.cgi?id=2120642 https://bugzilla.redhat.com/show_bug.cgi?id=2144072 @@ -267,7 +341,7 @@ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28861 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45061 https://docs.google.com/document/d/1KjuF_aXlzPUxTK4BMgezGJ2Pn7uevfX7g0_mvgHlL7Y - https://errata.almalinux.org/8/ALSA-2023-0833.html + https://errata.almalinux.org/9/ALSA-2022-7323.html https://errata.rockylinux.org/RLSA-2023:0833 https://github.com/python/cpython/issues/95778 https://linux.oracle.com/cve/CVE-2020-10735.html @@ -302,12 +376,11 @@ 3.6.8-48.el8_7.rocky.0 3.6.8-48.el8_7.1.rocky.0 - https://access.redhat.com/errata/RHSA-2023:0833 + https://access.redhat.com/errata/RHSA-2022:8353 https://access.redhat.com/security/cve/CVE-2021-28861 https://bugs.python.org/issue43223 - https://bugzilla.redhat.com/1834423 + https://bugzilla.redhat.com/2075390 https://bugzilla.redhat.com/2120642 - https://bugzilla.redhat.com/2144072 https://bugzilla.redhat.com/show_bug.cgi?id=2054702 https://bugzilla.redhat.com/show_bug.cgi?id=2059951 https://bugzilla.redhat.com/show_bug.cgi?id=2075390 @@ -315,7 +388,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=2128249 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-20107 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28861 - https://errata.almalinux.org/8/ALSA-2023-0833.html + https://errata.almalinux.org/9/ALSA-2022-8353.html https://errata.rockylinux.org/RLSA-2022:8353 https://github.com/python/cpython/pull/24848 https://github.com/python/cpython/pull/93879 @@ -347,10 +420,8 @@ 3.6.8-48.el8_7.rocky.0 3.6.8-48.el8_7.1.rocky.0 - https://access.redhat.com/errata/RHSA-2023:0833 + https://access.redhat.com/errata/RHSA-2023:0953 https://access.redhat.com/security/cve/CVE-2022-45061 - https://bugzilla.redhat.com/1834423 - https://bugzilla.redhat.com/2120642 https://bugzilla.redhat.com/2144072 https://bugzilla.redhat.com/show_bug.cgi?id=1834423 https://bugzilla.redhat.com/show_bug.cgi?id=2120642 @@ -358,7 +429,7 @@ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28861 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45061 - https://errata.almalinux.org/8/ALSA-2023-0833.html + https://errata.almalinux.org/9/ALSA-2023-0953.html https://errata.rockylinux.org/RLSA-2023:0833 https://github.com/python/cpython/issues/98433 https://github.com/python/cpython/pull/99092 @@ -400,6 +471,35 @@ https://ubuntu.com/security/notices/USN-5888-1
python3-setuptools-wheelCVE-2022-40897MEDIUM39.2.0-6.el839.2.0-6.el8_7.1 + https://access.redhat.com/errata/RHSA-2023:0952 + https://access.redhat.com/security/cve/CVE-2022-40897 + https://bugzilla.redhat.com/2158559 + https://bugzilla.redhat.com/show_bug.cgi?id=2158559 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40897 + https://errata.almalinux.org/9/ALSA-2023-0952.html + https://errata.rockylinux.org/RLSA-2023:0835 + https://github.com/advisories/GHSA-r9hx-vwmv-q579 + https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200 + https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be + https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1 + https://github.com/pypa/setuptools/issues/3659 + https://linux.oracle.com/cve/CVE-2022-40897.html + https://linux.oracle.com/errata/ELSA-2023-0952.html + https://nvd.nist.gov/vuln/detail/CVE-2022-40897 + https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/ + https://pyup.io/vulnerabilities/CVE-2022-40897/52495/ + https://security.netapp.com/advisory/ntap-20230214-0001/ + https://setuptools.pypa.io/en/latest/ + https://ubuntu.com/security/notices/USN-5817-1 +
systemd CVE-2022-4415239-68.el8_7.2 239-68.el8_7.4 - https://access.redhat.com/errata/RHSA-2023:0837 + https://access.redhat.com/errata/RHSA-2023:0954 https://access.redhat.com/security/cve/CVE-2022-4415 + https://bugzilla.redhat.com/2149063 https://bugzilla.redhat.com/2155515 https://bugzilla.redhat.com/show_bug.cgi?id=2155515 https://bugzilla.redhat.com/show_bug.cgi?id=2164049 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4415 - https://errata.almalinux.org/8/ALSA-2023-0837.html + https://errata.almalinux.org/9/ALSA-2023-0954.html https://errata.rockylinux.org/RLSA-2023:0837 https://github.com/systemd/systemd/commit/b7641425659243c09473cd8fb3aef2c0d4a3eb9c https://linux.oracle.com/cve/CVE-2022-4415.html @@ -430,13 +531,14 @@ 239-68.el8_7.2 239-68.el8_7.4 - https://access.redhat.com/errata/RHSA-2023:0837 + https://access.redhat.com/errata/RHSA-2023:0954 https://access.redhat.com/security/cve/CVE-2022-4415 + https://bugzilla.redhat.com/2149063 https://bugzilla.redhat.com/2155515 https://bugzilla.redhat.com/show_bug.cgi?id=2155515 https://bugzilla.redhat.com/show_bug.cgi?id=2164049 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4415 - https://errata.almalinux.org/8/ALSA-2023-0837.html + https://errata.almalinux.org/9/ALSA-2023-0954.html https://errata.rockylinux.org/RLSA-2023:0837 https://github.com/systemd/systemd/commit/b7641425659243c09473cd8fb3aef2c0d4a3eb9c https://linux.oracle.com/cve/CVE-2022-4415.html @@ -453,13 +555,14 @@ 239-68.el8_7.2 239-68.el8_7.4 - https://access.redhat.com/errata/RHSA-2023:0837 + https://access.redhat.com/errata/RHSA-2023:0954 https://access.redhat.com/security/cve/CVE-2022-4415 + https://bugzilla.redhat.com/2149063 https://bugzilla.redhat.com/2155515 https://bugzilla.redhat.com/show_bug.cgi?id=2155515 https://bugzilla.redhat.com/show_bug.cgi?id=2164049 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4415 - https://errata.almalinux.org/8/ALSA-2023-0837.html + https://errata.almalinux.org/9/ALSA-2023-0954.html https://errata.rockylinux.org/RLSA-2023:0837 https://github.com/systemd/systemd/commit/b7641425659243c09473cd8fb3aef2c0d4a3eb9c https://linux.oracle.com/cve/CVE-2022-4415.html @@ -476,12 +579,12 @@ 2:1.30-6.el8 2:1.30-6.el8_7.1 - https://access.redhat.com/errata/RHSA-2023:0842 + https://access.redhat.com/errata/RHSA-2023:0959 https://access.redhat.com/security/cve/CVE-2022-48303 https://bugzilla.redhat.com/2149722 https://bugzilla.redhat.com/show_bug.cgi?id=2149722 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48303 - https://errata.almalinux.org/8/ALSA-2023-0842.html + https://errata.almalinux.org/9/ALSA-2023-0959.html https://errata.rockylinux.org/RLSA-2023:0842 https://linux.oracle.com/cve/CVE-2022-48303.html https://linux.oracle.com/errata/ELSA-2023-0959.html diff --git a/trivy-results.sarif b/trivy-results.sarif index 8c0df31..045c557 100644 --- a/trivy-results.sarif +++ b/trivy-results.sarif @@ -9,6 +9,33 @@ "informationUri": "https://github.com/aquasecurity/trivy", "name": "Trivy", "rules": [ + { + "id": "CVE-2023-23916", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "curl: HTTP multi-header compression denial of service" + }, + "fullDescription": { + "text": "An allocation of resources without limits or throttling vulnerability exists in curl \u0026lt;v7.88.0 based on the \u0026#34;chained\u0026#34; HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable \u0026#34;links\u0026#34; in this \u0026#34;decompression chain\u0026#34; wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use of such a decompression chain could result in a \u0026#34;malloc bomb\u0026#34;, making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors." + }, + "defaultConfiguration": { + "level": "warning" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2023-23916", + "help": { + "text": "Vulnerability CVE-2023-23916\nSeverity: MEDIUM\nPackage: libcurl-minimal\nFixed Version: 7.61.1-25.el8_7.3\nLink: [CVE-2023-23916](https://avd.aquasec.com/nvd/cve-2023-23916)\nAn allocation of resources without limits or throttling vulnerability exists in curl \u003cv7.88.0 based on the \"chained\" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable \"links\" in this \"decompression chain\" wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use of such a decompression chain could result in a \"malloc bomb\", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.", + "markdown": "**Vulnerability CVE-2023-23916**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libcurl-minimal|7.61.1-25.el8_7.3|[CVE-2023-23916](https://avd.aquasec.com/nvd/cve-2023-23916)|\n\nAn allocation of resources without limits or throttling vulnerability exists in curl \u003cv7.88.0 based on the \"chained\" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable \"links\" in this \"decompression chain\" wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use of such a decompression chain could result in a \"malloc bomb\", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors." + }, + "properties": { + "precision": "very-high", + "security-severity": "5.5", + "tags": [ + "vulnerability", + "security", + "MEDIUM" + ] + } + }, { "id": "CVE-2020-10735", "name": "OsPackageVulnerability", @@ -90,6 +117,33 @@ ] } }, + { + "id": "CVE-2022-40897", + "name": "OsPackageVulnerability", + "shortDescription": { + "text": "pypa-setuptools: Regular Expression Denial of Service (ReDoS) in package_index.py" + }, + "fullDescription": { + "text": "Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py." + }, + "defaultConfiguration": { + "level": "warning" + }, + "helpUri": "https://avd.aquasec.com/nvd/cve-2022-40897", + "help": { + "text": "Vulnerability CVE-2022-40897\nSeverity: MEDIUM\nPackage: python3-setuptools-wheel\nFixed Version: 39.2.0-6.el8_7.1\nLink: [CVE-2022-40897](https://avd.aquasec.com/nvd/cve-2022-40897)\nPython Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.", + "markdown": "**Vulnerability CVE-2022-40897**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|python3-setuptools-wheel|39.2.0-6.el8_7.1|[CVE-2022-40897](https://avd.aquasec.com/nvd/cve-2022-40897)|\n\nPython Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py." + }, + "properties": { + "precision": "very-high", + "security-severity": "5.5", + "tags": [ + "vulnerability", + "security", + "MEDIUM" + ] + } + }, { "id": "CVE-2022-4415", "name": "OsPackageVulnerability", @@ -150,9 +204,63 @@ }, "results": [ { - "ruleId": "CVE-2020-10735", + "ruleId": "CVE-2023-23916", "ruleIndex": 0, "level": "warning", + "message": { + "text": "Package: curl\nInstalled Version: 7.61.1-25.el8_7.1\nVulnerability CVE-2023-23916\nSeverity: MEDIUM\nFixed Version: 7.61.1-25.el8_7.3\nLink: [CVE-2023-23916](https://avd.aquasec.com/nvd/cve-2023-23916)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "rockylinux/rockylinux", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "rockylinux/rockylinux: curl@7.61.1-25.el8_7.1" + } + } + ] + }, + { + "ruleId": "CVE-2023-23916", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Package: libcurl-minimal\nInstalled Version: 7.61.1-25.el8_7.1\nVulnerability CVE-2023-23916\nSeverity: MEDIUM\nFixed Version: 7.61.1-25.el8_7.3\nLink: [CVE-2023-23916](https://avd.aquasec.com/nvd/cve-2023-23916)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "rockylinux/rockylinux", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "rockylinux/rockylinux: libcurl-minimal@7.61.1-25.el8_7.1" + } + } + ] + }, + { + "ruleId": "CVE-2020-10735", + "ruleIndex": 1, + "level": "warning", "message": { "text": "Package: platform-python\nInstalled Version: 3.6.8-48.el8_7.rocky.0\nVulnerability CVE-2020-10735\nSeverity: MEDIUM\nFixed Version: 3.6.8-48.el8_7.1.rocky.0\nLink: [CVE-2020-10735](https://avd.aquasec.com/nvd/cve-2020-10735)" }, @@ -178,7 +286,7 @@ }, { "ruleId": "CVE-2021-28861", - "ruleIndex": 1, + "ruleIndex": 2, "level": "warning", "message": { "text": "Package: platform-python\nInstalled Version: 3.6.8-48.el8_7.rocky.0\nVulnerability CVE-2021-28861\nSeverity: MEDIUM\nFixed Version: 3.6.8-48.el8_7.1.rocky.0\nLink: [CVE-2021-28861](https://avd.aquasec.com/nvd/cve-2021-28861)" @@ -205,7 +313,7 @@ }, { "ruleId": "CVE-2022-45061", - "ruleIndex": 2, + "ruleIndex": 3, "level": "warning", "message": { "text": "Package: platform-python\nInstalled Version: 3.6.8-48.el8_7.rocky.0\nVulnerability CVE-2022-45061\nSeverity: MEDIUM\nFixed Version: 3.6.8-48.el8_7.1.rocky.0\nLink: [CVE-2022-45061](https://avd.aquasec.com/nvd/cve-2022-45061)" @@ -230,9 +338,36 @@ } ] }, + { + "ruleId": "CVE-2022-40897", + "ruleIndex": 4, + "level": "warning", + "message": { + "text": "Package: platform-python-setuptools\nInstalled Version: 39.2.0-6.el8\nVulnerability CVE-2022-40897\nSeverity: MEDIUM\nFixed Version: 39.2.0-6.el8_7.1\nLink: [CVE-2022-40897](https://avd.aquasec.com/nvd/cve-2022-40897)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "rockylinux/rockylinux", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "rockylinux/rockylinux: platform-python-setuptools@39.2.0-6.el8" + } + } + ] + }, { "ruleId": "CVE-2020-10735", - "ruleIndex": 0, + "ruleIndex": 1, "level": "warning", "message": { "text": "Package: python3-libs\nInstalled Version: 3.6.8-48.el8_7.rocky.0\nVulnerability CVE-2020-10735\nSeverity: MEDIUM\nFixed Version: 3.6.8-48.el8_7.1.rocky.0\nLink: [CVE-2020-10735](https://avd.aquasec.com/nvd/cve-2020-10735)" @@ -259,7 +394,7 @@ }, { "ruleId": "CVE-2021-28861", - "ruleIndex": 1, + "ruleIndex": 2, "level": "warning", "message": { "text": "Package: python3-libs\nInstalled Version: 3.6.8-48.el8_7.rocky.0\nVulnerability CVE-2021-28861\nSeverity: MEDIUM\nFixed Version: 3.6.8-48.el8_7.1.rocky.0\nLink: [CVE-2021-28861](https://avd.aquasec.com/nvd/cve-2021-28861)" @@ -286,7 +421,7 @@ }, { "ruleId": "CVE-2022-45061", - "ruleIndex": 2, + "ruleIndex": 3, "level": "warning", "message": { "text": "Package: python3-libs\nInstalled Version: 3.6.8-48.el8_7.rocky.0\nVulnerability CVE-2022-45061\nSeverity: MEDIUM\nFixed Version: 3.6.8-48.el8_7.1.rocky.0\nLink: [CVE-2022-45061](https://avd.aquasec.com/nvd/cve-2022-45061)" @@ -311,9 +446,36 @@ } ] }, + { + "ruleId": "CVE-2022-40897", + "ruleIndex": 4, + "level": "warning", + "message": { + "text": "Package: python3-setuptools-wheel\nInstalled Version: 39.2.0-6.el8\nVulnerability CVE-2022-40897\nSeverity: MEDIUM\nFixed Version: 39.2.0-6.el8_7.1\nLink: [CVE-2022-40897](https://avd.aquasec.com/nvd/cve-2022-40897)" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "rockylinux/rockylinux", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + }, + "message": { + "text": "rockylinux/rockylinux: python3-setuptools-wheel@39.2.0-6.el8" + } + } + ] + }, { "ruleId": "CVE-2022-4415", - "ruleIndex": 3, + "ruleIndex": 5, "level": "warning", "message": { "text": "Package: systemd\nInstalled Version: 239-68.el8_7.2\nVulnerability CVE-2022-4415\nSeverity: MEDIUM\nFixed Version: 239-68.el8_7.4\nLink: [CVE-2022-4415](https://avd.aquasec.com/nvd/cve-2022-4415)" @@ -340,7 +502,7 @@ }, { "ruleId": "CVE-2022-4415", - "ruleIndex": 3, + "ruleIndex": 5, "level": "warning", "message": { "text": "Package: systemd-libs\nInstalled Version: 239-68.el8_7.2\nVulnerability CVE-2022-4415\nSeverity: MEDIUM\nFixed Version: 239-68.el8_7.4\nLink: [CVE-2022-4415](https://avd.aquasec.com/nvd/cve-2022-4415)" @@ -367,7 +529,7 @@ }, { "ruleId": "CVE-2022-4415", - "ruleIndex": 3, + "ruleIndex": 5, "level": "warning", "message": { "text": "Package: systemd-pam\nInstalled Version: 239-68.el8_7.2\nVulnerability CVE-2022-4415\nSeverity: MEDIUM\nFixed Version: 239-68.el8_7.4\nLink: [CVE-2022-4415](https://avd.aquasec.com/nvd/cve-2022-4415)" @@ -394,7 +556,7 @@ }, { "ruleId": "CVE-2022-48303", - "ruleIndex": 4, + "ruleIndex": 6, "level": "warning", "message": { "text": "Package: tar\nInstalled Version: 2:1.30-6.el8\nVulnerability CVE-2022-48303\nSeverity: MEDIUM\nFixed Version: 2:1.30-6.el8_7.1\nLink: [CVE-2022-48303](https://avd.aquasec.com/nvd/cve-2022-48303)"