{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "fullName": "Trivy Vulnerability Scanner",
          "informationUri": "https://github.com/aquasecurity/trivy",
          "name": "Trivy",
          "rules": [
            {
              "id": "CVE-2022-32206",
              "name": "OsPackageVulnerability",
              "shortDescription": { "text": "CVE-2022-32206" },
              "fullDescription": {
                "text": "curl \u0026lt; 7.84.0 supports \u0026#34;chained\u0026#34; HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable \u0026#34;links\u0026#34; in this \u0026#34;decompression chain\u0026#34; was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a \u0026#34;malloc bomb\u0026#34;, makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors."
              },
              "defaultConfiguration": { "level": "warning" },
              "helpUri": "https://avd.aquasec.com/nvd/cve-2022-32206",
              "help": {
                "text": "Vulnerability CVE-2022-32206\nSeverity: MEDIUM\nPackage: libcurl-minimal\nFixed Version: 7.61.1-22.el8_6.4\nLink: [CVE-2022-32206](https://avd.aquasec.com/nvd/cve-2022-32206)\ncurl \u003c 7.84.0 supports \"chained\" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable \"links\" in this \"decompression chain\" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a \"malloc bomb\", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors.",
                "markdown": "**Vulnerability CVE-2022-32206**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libcurl-minimal|7.61.1-22.el8_6.4|[CVE-2022-32206](https://avd.aquasec.com/nvd/cve-2022-32206)|\n\ncurl \u003c 7.84.0 supports \"chained\" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable \"links\" in this \"decompression chain\" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a \"malloc bomb\", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "5.5",
                "tags": [ "vulnerability", "security", "MEDIUM" ]
              }
            },
            {
              "id": "CVE-2022-32208",
              "name": "OsPackageVulnerability",
              "shortDescription": { "text": "CVE-2022-32208" },
              "fullDescription": {
                "text": "When curl \u0026lt; 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client."
              },
              "defaultConfiguration": { "level": "warning" },
              "helpUri": "https://avd.aquasec.com/nvd/cve-2022-32208",
              "help": {
                "text": "Vulnerability CVE-2022-32208\nSeverity: MEDIUM\nPackage: libcurl-minimal\nFixed Version: 7.61.1-22.el8_6.4\nLink: [CVE-2022-32208](https://avd.aquasec.com/nvd/cve-2022-32208)\nWhen curl \u003c 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.",
                "markdown": "**Vulnerability CVE-2022-32208**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libcurl-minimal|7.61.1-22.el8_6.4|[CVE-2022-32208](https://avd.aquasec.com/nvd/cve-2022-32208)|\n\nWhen curl \u003c 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "5.5",
                "tags": [ "vulnerability", "security", "MEDIUM" ]
              }
            },
            {
              "id": "CVE-2022-1785",
              "name": "OsPackageVulnerability",
              "shortDescription": { "text": "CVE-2022-1785" },
              "fullDescription": {
                "text": "Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.4977."
              },
              "defaultConfiguration": { "level": "warning" },
              "helpUri": "https://avd.aquasec.com/nvd/cve-2022-1785",
              "help": {
                "text": "Vulnerability CVE-2022-1785\nSeverity: MEDIUM\nPackage: vim-minimal\nFixed Version: 2:8.0.1763-19.el8_6.4\nLink: [CVE-2022-1785](https://avd.aquasec.com/nvd/cve-2022-1785)\nOut-of-bounds Write in GitHub repository vim/vim prior to 8.2.4977.",
                "markdown": "**Vulnerability CVE-2022-1785**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|vim-minimal|2:8.0.1763-19.el8_6.4|[CVE-2022-1785](https://avd.aquasec.com/nvd/cve-2022-1785)|\n\nOut-of-bounds Write in GitHub repository vim/vim prior to 8.2.4977."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "5.5",
                "tags": [ "vulnerability", "security", "MEDIUM" ]
              }
            },
            {
              "id": "CVE-2022-1897",
              "name": "OsPackageVulnerability",
              "shortDescription": { "text": "CVE-2022-1897" },
              "fullDescription": {
                "text": "Out-of-bounds Write in GitHub repository vim/vim prior to 8.2."
              },
              "defaultConfiguration": { "level": "warning" },
              "helpUri": "https://avd.aquasec.com/nvd/cve-2022-1897",
              "help": {
                "text": "Vulnerability CVE-2022-1897\nSeverity: MEDIUM\nPackage: vim-minimal\nFixed Version: 2:8.0.1763-19.el8_6.4\nLink: [CVE-2022-1897](https://avd.aquasec.com/nvd/cve-2022-1897)\nOut-of-bounds Write in GitHub repository vim/vim prior to 8.2.",
                "markdown": "**Vulnerability CVE-2022-1897**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|vim-minimal|2:8.0.1763-19.el8_6.4|[CVE-2022-1897](https://avd.aquasec.com/nvd/cve-2022-1897)|\n\nOut-of-bounds Write in GitHub repository vim/vim prior to 8.2."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "5.5",
                "tags": [ "vulnerability", "security", "MEDIUM" ]
              }
            },
            {
              "id": "CVE-2022-1927",
              "name": "OsPackageVulnerability",
              "shortDescription": { "text": "CVE-2022-1927" },
              "fullDescription": {
                "text": "Buffer Over-read in GitHub repository vim/vim prior to 8.2."
              },
              "defaultConfiguration": { "level": "warning" },
              "helpUri": "https://avd.aquasec.com/nvd/cve-2022-1927",
              "help": {
                "text": "Vulnerability CVE-2022-1927\nSeverity: MEDIUM\nPackage: vim-minimal\nFixed Version: 2:8.0.1763-19.el8_6.4\nLink: [CVE-2022-1927](https://avd.aquasec.com/nvd/cve-2022-1927)\nBuffer Over-read in GitHub repository vim/vim prior to 8.2.",
                "markdown": "**Vulnerability CVE-2022-1927**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|vim-minimal|2:8.0.1763-19.el8_6.4|[CVE-2022-1927](https://avd.aquasec.com/nvd/cve-2022-1927)|\n\nBuffer Over-read in GitHub repository vim/vim prior to 8.2."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "5.5",
                "tags": [ "vulnerability", "security", "MEDIUM" ]
              }
            }
          ],
          "version": "0.31.2"
        }
      },
      "results": [
        {
          "ruleId": "CVE-2022-32206",
          "ruleIndex": 0,
          "level": "warning",
          "message": {
            "text": "Package: curl\nInstalled Version: 7.61.1-22.el8_6.3\nVulnerability CVE-2022-32206\nSeverity: MEDIUM\nFixed Version: 7.61.1-22.el8_6.4\nLink: [CVE-2022-32206](https://avd.aquasec.com/nvd/cve-2022-32206)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": { "uri": "rockylinux/rockylinux", "uriBaseId": "ROOTPATH" },
                "region": { "startLine": 1, "startColumn": 1, "endLine": 1, "endColumn": 1 }
              }
            }
          ]
        },
        {
          "ruleId": "CVE-2022-32208",
          "ruleIndex": 1,
          "level": "warning",
          "message": {
            "text": "Package: curl\nInstalled Version: 7.61.1-22.el8_6.3\nVulnerability CVE-2022-32208\nSeverity: MEDIUM\nFixed Version: 7.61.1-22.el8_6.4\nLink: [CVE-2022-32208](https://avd.aquasec.com/nvd/cve-2022-32208)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": { "uri": "rockylinux/rockylinux", "uriBaseId": "ROOTPATH" },
                "region": { "startLine": 1, "startColumn": 1, "endLine": 1, "endColumn": 1 }
              }
            }
          ]
        },
        {
          "ruleId": "CVE-2022-32206",
          "ruleIndex": 0,
          "level": "warning",
          "message": {
            "text": "Package: libcurl-minimal\nInstalled Version: 7.61.1-22.el8_6.3\nVulnerability CVE-2022-32206\nSeverity: MEDIUM\nFixed Version: 7.61.1-22.el8_6.4\nLink: [CVE-2022-32206](https://avd.aquasec.com/nvd/cve-2022-32206)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": { "uri": "rockylinux/rockylinux", "uriBaseId": "ROOTPATH" },
                "region": { "startLine": 1, "startColumn": 1, "endLine": 1, "endColumn": 1 }
              }
            }
          ]
        },
        {
          "ruleId": "CVE-2022-32208",
          "ruleIndex": 1,
          "level": "warning",
          "message": {
            "text": "Package: libcurl-minimal\nInstalled Version: 7.61.1-22.el8_6.3\nVulnerability CVE-2022-32208\nSeverity: MEDIUM\nFixed Version: 7.61.1-22.el8_6.4\nLink: [CVE-2022-32208](https://avd.aquasec.com/nvd/cve-2022-32208)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": { "uri": "rockylinux/rockylinux", "uriBaseId": "ROOTPATH" },
                "region": { "startLine": 1, "startColumn": 1, "endLine": 1, "endColumn": 1 }
              }
            }
          ]
        },
        {
          "ruleId": "CVE-2022-1785",
          "ruleIndex": 2,
          "level": "warning",
          "message": {
            "text": "Package: vim-minimal\nInstalled Version: 2:8.0.1763-19.el8_6.2\nVulnerability CVE-2022-1785\nSeverity: MEDIUM\nFixed Version: 2:8.0.1763-19.el8_6.4\nLink: [CVE-2022-1785](https://avd.aquasec.com/nvd/cve-2022-1785)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": { "uri": "rockylinux/rockylinux", "uriBaseId": "ROOTPATH" },
                "region": { "startLine": 1, "startColumn": 1, "endLine": 1, "endColumn": 1 }
              }
            }
          ]
        },
        {
          "ruleId": "CVE-2022-1897",
          "ruleIndex": 3,
          "level": "warning",
          "message": {
            "text": "Package: vim-minimal\nInstalled Version: 2:8.0.1763-19.el8_6.2\nVulnerability CVE-2022-1897\nSeverity: MEDIUM\nFixed Version: 2:8.0.1763-19.el8_6.4\nLink: [CVE-2022-1897](https://avd.aquasec.com/nvd/cve-2022-1897)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": { "uri": "rockylinux/rockylinux", "uriBaseId": "ROOTPATH" },
                "region": { "startLine": 1, "startColumn": 1, "endLine": 1, "endColumn": 1 }
              }
            }
          ]
        },
        {
          "ruleId": "CVE-2022-1927",
          "ruleIndex": 4,
          "level": "warning",
          "message": {
            "text": "Package: vim-minimal\nInstalled Version: 2:8.0.1763-19.el8_6.2\nVulnerability CVE-2022-1927\nSeverity: MEDIUM\nFixed Version: 2:8.0.1763-19.el8_6.4\nLink: [CVE-2022-1927](https://avd.aquasec.com/nvd/cve-2022-1927)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": { "uri": "rockylinux/rockylinux", "uriBaseId": "ROOTPATH" },
                "region": { "startLine": 1, "startColumn": 1, "endLine": 1, "endColumn": 1 }
              }
            }
          ]
        }
      ],
      "columnKind": "utf16CodeUnits",
      "originalUriBaseIds": { "ROOTPATH": { "uri": "file:///" } }
    }
  ]
}