mirror of
https://github.com/rocky-linux/sig-cloud-instance-images.git
synced 2024-12-29 20:30:55 +00:00
428 lines
No EOL
20 KiB
JSON
428 lines
No EOL
20 KiB
JSON
{
|
|
"version": "2.1.0",
|
|
"$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
|
|
"runs": [
|
|
{
|
|
"tool": {
|
|
"driver": {
|
|
"fullName": "Trivy Vulnerability Scanner",
|
|
"informationUri": "https://github.com/aquasecurity/trivy",
|
|
"name": "Trivy",
|
|
"rules": [
|
|
{
|
|
"id": "CVE-2022-32206",
|
|
"name": "OsPackageVulnerability",
|
|
"shortDescription": {
|
|
"text": "CVE-2022-32206"
|
|
},
|
|
"fullDescription": {
|
|
"text": "curl \u0026lt; 7.84.0 supports \u0026#34;chained\u0026#34; HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable \u0026#34;links\u0026#34; in this \u0026#34;decompression chain\u0026#34; was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a \u0026#34;malloc bomb\u0026#34;, makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors."
|
|
},
|
|
"defaultConfiguration": {
|
|
"level": "warning"
|
|
},
|
|
"helpUri": "https://avd.aquasec.com/nvd/cve-2022-32206",
|
|
"help": {
|
|
"text": "Vulnerability CVE-2022-32206\nSeverity: MEDIUM\nPackage: libcurl-minimal\nFixed Version: 7.61.1-22.el8_6.4\nLink: [CVE-2022-32206](https://avd.aquasec.com/nvd/cve-2022-32206)\ncurl \u003c 7.84.0 supports \"chained\" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable \"links\" in this \"decompression chain\" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a \"malloc bomb\", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors.",
|
|
"markdown": "**Vulnerability CVE-2022-32206**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libcurl-minimal|7.61.1-22.el8_6.4|[CVE-2022-32206](https://avd.aquasec.com/nvd/cve-2022-32206)|\n\ncurl \u003c 7.84.0 supports \"chained\" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable \"links\" in this \"decompression chain\" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a \"malloc bomb\", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors."
|
|
},
|
|
"properties": {
|
|
"precision": "very-high",
|
|
"security-severity": "5.5",
|
|
"tags": [
|
|
"vulnerability",
|
|
"security",
|
|
"MEDIUM"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"id": "CVE-2022-32208",
|
|
"name": "OsPackageVulnerability",
|
|
"shortDescription": {
|
|
"text": "CVE-2022-32208"
|
|
},
|
|
"fullDescription": {
|
|
"text": "When curl \u0026lt; 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client."
|
|
},
|
|
"defaultConfiguration": {
|
|
"level": "warning"
|
|
},
|
|
"helpUri": "https://avd.aquasec.com/nvd/cve-2022-32208",
|
|
"help": {
|
|
"text": "Vulnerability CVE-2022-32208\nSeverity: MEDIUM\nPackage: libcurl-minimal\nFixed Version: 7.61.1-22.el8_6.4\nLink: [CVE-2022-32208](https://avd.aquasec.com/nvd/cve-2022-32208)\nWhen curl \u003c 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.",
|
|
"markdown": "**Vulnerability CVE-2022-32208**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libcurl-minimal|7.61.1-22.el8_6.4|[CVE-2022-32208](https://avd.aquasec.com/nvd/cve-2022-32208)|\n\nWhen curl \u003c 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client."
|
|
},
|
|
"properties": {
|
|
"precision": "very-high",
|
|
"security-severity": "5.5",
|
|
"tags": [
|
|
"vulnerability",
|
|
"security",
|
|
"MEDIUM"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"id": "CVE-2022-2526",
|
|
"name": "OsPackageVulnerability",
|
|
"shortDescription": {
|
|
"text": "CVE-2022-2526"
|
|
},
|
|
"fullDescription": {
|
|
"text": "A use-after-free vulnerability was found in systemd. This issue occurs due to the on_stream_io() function and dns_stream_complete() function in \u0026#39;resolved-dns-stream.c\u0026#39; not incrementing the reference counting for the DnsStream object. Therefore, other functions and callbacks called can dereference the DNSStream object, causing the use-after-free when the reference is still used later."
|
|
},
|
|
"defaultConfiguration": {
|
|
"level": "error"
|
|
},
|
|
"helpUri": "https://avd.aquasec.com/nvd/cve-2022-2526",
|
|
"help": {
|
|
"text": "Vulnerability CVE-2022-2526\nSeverity: HIGH\nPackage: systemd-pam\nFixed Version: 239-58.el8_6.4\nLink: [CVE-2022-2526](https://avd.aquasec.com/nvd/cve-2022-2526)\nA use-after-free vulnerability was found in systemd. This issue occurs due to the on_stream_io() function and dns_stream_complete() function in 'resolved-dns-stream.c' not incrementing the reference counting for the DnsStream object. Therefore, other functions and callbacks called can dereference the DNSStream object, causing the use-after-free when the reference is still used later.",
|
|
"markdown": "**Vulnerability CVE-2022-2526**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|HIGH|systemd-pam|239-58.el8_6.4|[CVE-2022-2526](https://avd.aquasec.com/nvd/cve-2022-2526)|\n\nA use-after-free vulnerability was found in systemd. This issue occurs due to the on_stream_io() function and dns_stream_complete() function in 'resolved-dns-stream.c' not incrementing the reference counting for the DnsStream object. Therefore, other functions and callbacks called can dereference the DNSStream object, causing the use-after-free when the reference is still used later."
|
|
},
|
|
"properties": {
|
|
"precision": "very-high",
|
|
"security-severity": "8.0",
|
|
"tags": [
|
|
"vulnerability",
|
|
"security",
|
|
"HIGH"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"id": "CVE-2022-1785",
|
|
"name": "OsPackageVulnerability",
|
|
"shortDescription": {
|
|
"text": "CVE-2022-1785"
|
|
},
|
|
"fullDescription": {
|
|
"text": "Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.4977."
|
|
},
|
|
"defaultConfiguration": {
|
|
"level": "warning"
|
|
},
|
|
"helpUri": "https://avd.aquasec.com/nvd/cve-2022-1785",
|
|
"help": {
|
|
"text": "Vulnerability CVE-2022-1785\nSeverity: MEDIUM\nPackage: vim-minimal\nFixed Version: 2:8.0.1763-19.el8_6.4\nLink: [CVE-2022-1785](https://avd.aquasec.com/nvd/cve-2022-1785)\nOut-of-bounds Write in GitHub repository vim/vim prior to 8.2.4977.",
|
|
"markdown": "**Vulnerability CVE-2022-1785**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|vim-minimal|2:8.0.1763-19.el8_6.4|[CVE-2022-1785](https://avd.aquasec.com/nvd/cve-2022-1785)|\n\nOut-of-bounds Write in GitHub repository vim/vim prior to 8.2.4977."
|
|
},
|
|
"properties": {
|
|
"precision": "very-high",
|
|
"security-severity": "5.5",
|
|
"tags": [
|
|
"vulnerability",
|
|
"security",
|
|
"MEDIUM"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"id": "CVE-2022-1897",
|
|
"name": "OsPackageVulnerability",
|
|
"shortDescription": {
|
|
"text": "CVE-2022-1897"
|
|
},
|
|
"fullDescription": {
|
|
"text": "Out-of-bounds Write in GitHub repository vim/vim prior to 8.2."
|
|
},
|
|
"defaultConfiguration": {
|
|
"level": "warning"
|
|
},
|
|
"helpUri": "https://avd.aquasec.com/nvd/cve-2022-1897",
|
|
"help": {
|
|
"text": "Vulnerability CVE-2022-1897\nSeverity: MEDIUM\nPackage: vim-minimal\nFixed Version: 2:8.0.1763-19.el8_6.4\nLink: [CVE-2022-1897](https://avd.aquasec.com/nvd/cve-2022-1897)\nOut-of-bounds Write in GitHub repository vim/vim prior to 8.2.",
|
|
"markdown": "**Vulnerability CVE-2022-1897**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|vim-minimal|2:8.0.1763-19.el8_6.4|[CVE-2022-1897](https://avd.aquasec.com/nvd/cve-2022-1897)|\n\nOut-of-bounds Write in GitHub repository vim/vim prior to 8.2."
|
|
},
|
|
"properties": {
|
|
"precision": "very-high",
|
|
"security-severity": "5.5",
|
|
"tags": [
|
|
"vulnerability",
|
|
"security",
|
|
"MEDIUM"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"id": "CVE-2022-1927",
|
|
"name": "OsPackageVulnerability",
|
|
"shortDescription": {
|
|
"text": "CVE-2022-1927"
|
|
},
|
|
"fullDescription": {
|
|
"text": "Buffer Over-read in GitHub repository vim/vim prior to 8.2."
|
|
},
|
|
"defaultConfiguration": {
|
|
"level": "warning"
|
|
},
|
|
"helpUri": "https://avd.aquasec.com/nvd/cve-2022-1927",
|
|
"help": {
|
|
"text": "Vulnerability CVE-2022-1927\nSeverity: MEDIUM\nPackage: vim-minimal\nFixed Version: 2:8.0.1763-19.el8_6.4\nLink: [CVE-2022-1927](https://avd.aquasec.com/nvd/cve-2022-1927)\nBuffer Over-read in GitHub repository vim/vim prior to 8.2.",
|
|
"markdown": "**Vulnerability CVE-2022-1927**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|vim-minimal|2:8.0.1763-19.el8_6.4|[CVE-2022-1927](https://avd.aquasec.com/nvd/cve-2022-1927)|\n\nBuffer Over-read in GitHub repository vim/vim prior to 8.2."
|
|
},
|
|
"properties": {
|
|
"precision": "very-high",
|
|
"security-severity": "5.5",
|
|
"tags": [
|
|
"vulnerability",
|
|
"security",
|
|
"MEDIUM"
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"version": "0.31.2"
|
|
}
|
|
},
|
|
"results": [
|
|
{
|
|
"ruleId": "CVE-2022-32206",
|
|
"ruleIndex": 0,
|
|
"level": "warning",
|
|
"message": {
|
|
"text": "Package: curl\nInstalled Version: 7.61.1-22.el8_6.3\nVulnerability CVE-2022-32206\nSeverity: MEDIUM\nFixed Version: 7.61.1-22.el8_6.4\nLink: [CVE-2022-32206](https://avd.aquasec.com/nvd/cve-2022-32206)"
|
|
},
|
|
"locations": [
|
|
{
|
|
"physicalLocation": {
|
|
"artifactLocation": {
|
|
"uri": "rockylinux/rockylinux",
|
|
"uriBaseId": "ROOTPATH"
|
|
},
|
|
"region": {
|
|
"startLine": 1,
|
|
"startColumn": 1,
|
|
"endLine": 1,
|
|
"endColumn": 1
|
|
}
|
|
}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"ruleId": "CVE-2022-32208",
|
|
"ruleIndex": 1,
|
|
"level": "warning",
|
|
"message": {
|
|
"text": "Package: curl\nInstalled Version: 7.61.1-22.el8_6.3\nVulnerability CVE-2022-32208\nSeverity: MEDIUM\nFixed Version: 7.61.1-22.el8_6.4\nLink: [CVE-2022-32208](https://avd.aquasec.com/nvd/cve-2022-32208)"
|
|
},
|
|
"locations": [
|
|
{
|
|
"physicalLocation": {
|
|
"artifactLocation": {
|
|
"uri": "rockylinux/rockylinux",
|
|
"uriBaseId": "ROOTPATH"
|
|
},
|
|
"region": {
|
|
"startLine": 1,
|
|
"startColumn": 1,
|
|
"endLine": 1,
|
|
"endColumn": 1
|
|
}
|
|
}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"ruleId": "CVE-2022-32206",
|
|
"ruleIndex": 0,
|
|
"level": "warning",
|
|
"message": {
|
|
"text": "Package: libcurl-minimal\nInstalled Version: 7.61.1-22.el8_6.3\nVulnerability CVE-2022-32206\nSeverity: MEDIUM\nFixed Version: 7.61.1-22.el8_6.4\nLink: [CVE-2022-32206](https://avd.aquasec.com/nvd/cve-2022-32206)"
|
|
},
|
|
"locations": [
|
|
{
|
|
"physicalLocation": {
|
|
"artifactLocation": {
|
|
"uri": "rockylinux/rockylinux",
|
|
"uriBaseId": "ROOTPATH"
|
|
},
|
|
"region": {
|
|
"startLine": 1,
|
|
"startColumn": 1,
|
|
"endLine": 1,
|
|
"endColumn": 1
|
|
}
|
|
}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"ruleId": "CVE-2022-32208",
|
|
"ruleIndex": 1,
|
|
"level": "warning",
|
|
"message": {
|
|
"text": "Package: libcurl-minimal\nInstalled Version: 7.61.1-22.el8_6.3\nVulnerability CVE-2022-32208\nSeverity: MEDIUM\nFixed Version: 7.61.1-22.el8_6.4\nLink: [CVE-2022-32208](https://avd.aquasec.com/nvd/cve-2022-32208)"
|
|
},
|
|
"locations": [
|
|
{
|
|
"physicalLocation": {
|
|
"artifactLocation": {
|
|
"uri": "rockylinux/rockylinux",
|
|
"uriBaseId": "ROOTPATH"
|
|
},
|
|
"region": {
|
|
"startLine": 1,
|
|
"startColumn": 1,
|
|
"endLine": 1,
|
|
"endColumn": 1
|
|
}
|
|
}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"ruleId": "CVE-2022-2526",
|
|
"ruleIndex": 2,
|
|
"level": "error",
|
|
"message": {
|
|
"text": "Package: systemd\nInstalled Version: 239-58.el8\nVulnerability CVE-2022-2526\nSeverity: HIGH\nFixed Version: 239-58.el8_6.4\nLink: [CVE-2022-2526](https://avd.aquasec.com/nvd/cve-2022-2526)"
|
|
},
|
|
"locations": [
|
|
{
|
|
"physicalLocation": {
|
|
"artifactLocation": {
|
|
"uri": "rockylinux/rockylinux",
|
|
"uriBaseId": "ROOTPATH"
|
|
},
|
|
"region": {
|
|
"startLine": 1,
|
|
"startColumn": 1,
|
|
"endLine": 1,
|
|
"endColumn": 1
|
|
}
|
|
}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"ruleId": "CVE-2022-2526",
|
|
"ruleIndex": 2,
|
|
"level": "error",
|
|
"message": {
|
|
"text": "Package: systemd-libs\nInstalled Version: 239-58.el8\nVulnerability CVE-2022-2526\nSeverity: HIGH\nFixed Version: 239-58.el8_6.4\nLink: [CVE-2022-2526](https://avd.aquasec.com/nvd/cve-2022-2526)"
|
|
},
|
|
"locations": [
|
|
{
|
|
"physicalLocation": {
|
|
"artifactLocation": {
|
|
"uri": "rockylinux/rockylinux",
|
|
"uriBaseId": "ROOTPATH"
|
|
},
|
|
"region": {
|
|
"startLine": 1,
|
|
"startColumn": 1,
|
|
"endLine": 1,
|
|
"endColumn": 1
|
|
}
|
|
}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"ruleId": "CVE-2022-2526",
|
|
"ruleIndex": 2,
|
|
"level": "error",
|
|
"message": {
|
|
"text": "Package: systemd-pam\nInstalled Version: 239-58.el8\nVulnerability CVE-2022-2526\nSeverity: HIGH\nFixed Version: 239-58.el8_6.4\nLink: [CVE-2022-2526](https://avd.aquasec.com/nvd/cve-2022-2526)"
|
|
},
|
|
"locations": [
|
|
{
|
|
"physicalLocation": {
|
|
"artifactLocation": {
|
|
"uri": "rockylinux/rockylinux",
|
|
"uriBaseId": "ROOTPATH"
|
|
},
|
|
"region": {
|
|
"startLine": 1,
|
|
"startColumn": 1,
|
|
"endLine": 1,
|
|
"endColumn": 1
|
|
}
|
|
}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"ruleId": "CVE-2022-1785",
|
|
"ruleIndex": 3,
|
|
"level": "warning",
|
|
"message": {
|
|
"text": "Package: vim-minimal\nInstalled Version: 2:8.0.1763-19.el8_6.2\nVulnerability CVE-2022-1785\nSeverity: MEDIUM\nFixed Version: 2:8.0.1763-19.el8_6.4\nLink: [CVE-2022-1785](https://avd.aquasec.com/nvd/cve-2022-1785)"
|
|
},
|
|
"locations": [
|
|
{
|
|
"physicalLocation": {
|
|
"artifactLocation": {
|
|
"uri": "rockylinux/rockylinux",
|
|
"uriBaseId": "ROOTPATH"
|
|
},
|
|
"region": {
|
|
"startLine": 1,
|
|
"startColumn": 1,
|
|
"endLine": 1,
|
|
"endColumn": 1
|
|
}
|
|
}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"ruleId": "CVE-2022-1897",
|
|
"ruleIndex": 4,
|
|
"level": "warning",
|
|
"message": {
|
|
"text": "Package: vim-minimal\nInstalled Version: 2:8.0.1763-19.el8_6.2\nVulnerability CVE-2022-1897\nSeverity: MEDIUM\nFixed Version: 2:8.0.1763-19.el8_6.4\nLink: [CVE-2022-1897](https://avd.aquasec.com/nvd/cve-2022-1897)"
|
|
},
|
|
"locations": [
|
|
{
|
|
"physicalLocation": {
|
|
"artifactLocation": {
|
|
"uri": "rockylinux/rockylinux",
|
|
"uriBaseId": "ROOTPATH"
|
|
},
|
|
"region": {
|
|
"startLine": 1,
|
|
"startColumn": 1,
|
|
"endLine": 1,
|
|
"endColumn": 1
|
|
}
|
|
}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"ruleId": "CVE-2022-1927",
|
|
"ruleIndex": 5,
|
|
"level": "warning",
|
|
"message": {
|
|
"text": "Package: vim-minimal\nInstalled Version: 2:8.0.1763-19.el8_6.2\nVulnerability CVE-2022-1927\nSeverity: MEDIUM\nFixed Version: 2:8.0.1763-19.el8_6.4\nLink: [CVE-2022-1927](https://avd.aquasec.com/nvd/cve-2022-1927)"
|
|
},
|
|
"locations": [
|
|
{
|
|
"physicalLocation": {
|
|
"artifactLocation": {
|
|
"uri": "rockylinux/rockylinux",
|
|
"uriBaseId": "ROOTPATH"
|
|
},
|
|
"region": {
|
|
"startLine": 1,
|
|
"startColumn": 1,
|
|
"endLine": 1,
|
|
"endColumn": 1
|
|
}
|
|
}
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"columnKind": "utf16CodeUnits",
|
|
"originalUriBaseIds": {
|
|
"ROOTPATH": {
|
|
"uri": "file:///"
|
|
}
|
|
}
|
|
}
|
|
]
|
|
} |