argo-cd/docs/snyk/v2.4.7/ghcr.io_dexidp_dex:v2.30.2.html
Michael Crenshaw e3940cd2bf
chore: add Snyk scans to docs (#9856)
* chore: generate Snyk reports

Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>

sarif

Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>

dashboard

Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>

cron job

Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>

more consistent formatting

Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>

clarification

Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>

sarif files

Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>

fix naming, fix doc get text

Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>

apply suggestions

Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>

apply suggestions

Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>

blarn

Signed-off-by: CI <michael@crenshaw.dev>

ignore errors due to vulns

Signed-off-by: CI <michael@crenshaw.dev>

specify target branch in script

Signed-off-by: CI <michael@crenshaw.dev>

don't checkout before running script

Signed-off-by: CI <michael@crenshaw.dev>

make sure dest dir exists

Signed-off-by: CI <michael@crenshaw.dev>

fix workflow

Signed-off-by: CI <michael@crenshaw.dev>

* update scans

Signed-off-by: CI <michael@crenshaw.dev>

* update reports

Signed-off-by: CI <michael@crenshaw.dev>

* use latest ignore rules

Signed-off-by: CI <michael@crenshaw.dev>

* update reports

Signed-off-by: CI <michael@crenshaw.dev>

* update reports

Signed-off-by: CI <michael@crenshaw.dev>

* update reports, add link to latest, push to master instead of stable

Signed-off-by: CI <michael@crenshaw.dev>

* fix for double-digit patch versions

Signed-off-by: CI <michael@crenshaw.dev>

* clean up testing changes

Signed-off-by: CI <michael@crenshaw.dev>
2022-07-27 21:15:00 +00:00

<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-type" content="text/html; charset=utf-8">
<meta http-equiv="Content-Language" content="en-us">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Snyk test report</title>
<meta name="description" content="6 known vulnerabilities found in 36 vulnerable dependency paths.">
<base target="_blank">
<link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
sizes="194x194">
<link rel="shortcut icon" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.ico">
<style type="text/css">
body {
-moz-font-feature-settings: "pnum";
-webkit-font-feature-settings: "pnum";
font-variant-numeric: proportional-nums;
display: flex;
flex-direction: column;
font-feature-settings: "pnum";
font-size: 100%;
line-height: 1.5;
min-height: 100vh;
-webkit-text-size-adjust: 100%;
margin: 0;
padding: 0;
background-color: #F5F5F5;
font-family: 'Arial', 'Helvetica', Calibri, sans-serif;
}
h1,
h2,
h3,
h4,
h5,
h6 {
font-weight: 500;
}
a,
a:link,
a:visited {
border-bottom: 1px solid #4b45a9;
text-decoration: none;
color: #4b45a9;
}
a:hover,
a:focus,
a:active {
border-bottom: 1px solid #4b45a9;
}
hr {
border: none;
margin: 1em 0;
border-top: 1px solid #c5c5c5;
}
ul {
padding: 0 1em;
margin: 1em 0;
}
code {
background-color: #EEE;
color: #333;
padding: 0.25em 0.5em;
border-radius: 0.25em;
}
pre {
background-color: #333;
font-family: monospace;
padding: 0.5em 1em 0.75em;
border-radius: 0.25em;
font-size: 14px;
}
pre code {
padding: 0;
background-color: transparent;
color: #fff;
}
a code {
border-radius: .125rem .125rem 0 0;
padding-bottom: 0;
color: #4b45a9;
}
a[href^="http://"]:after,
a[href^="https://"]:after {
background-image: linear-gradient(transparent,transparent),url("data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%20112%20109%22%3E%3Cg%20id%3D%22Page-1%22%20fill%3D%22none%22%20fill-rule%3D%22evenodd%22%3E%3Cg%20id%3D%22link-external%22%3E%3Cg%20id%3D%22arrow%22%3E%3Cpath%20id%3D%22Line%22%20stroke%3D%22%234B45A9%22%20stroke-width%3D%2215%22%20d%3D%22M88.5%2021l-43%2042.5%22%20stroke-linecap%3D%22square%22%2F%3E%3Cpath%20id%3D%22Triangle%22%20fill%3D%22%234B45A9%22%20d%3D%22M111.2%200v50L61%200z%22%2F%3E%3C%2Fg%3E%3Cpath%20id%3D%22square%22%20fill%3D%22%234B45A9%22%20d%3D%22M66%2015H0v94h94V44L79%2059v35H15V30h36z%22%2F%3E%3C%2Fg%3E%3C%2Fg%3E%3C%2Fsvg%3E");
background-repeat: no-repeat;
background-size: .75rem;
content: "";
display: inline-block;
height: .75rem;
margin-left: .25rem;
width: .75rem;
}
/* Layout */
[class*=layout-container] {
margin: 0 auto;
max-width: 71.25em;
padding: 1.9em 1.3em;
position: relative;
}
.layout-container--short {
padding-top: 0;
padding-bottom: 0;
max-width: 48.75em;
}
.layout-container--short:after {
display: block;
content: "";
clear: both;
}
/* Header */
.header {
padding-bottom: 1px;
}
.paths {
margin-left: 8px;
}
.header-wrap {
display: flex;
flex-direction: row;
justify-content: space-between;
padding-top: 2em;
}
.project__header {
background-color: #4b45a9;
color: #fff;
margin-bottom: -1px;
padding-top: 1em;
padding-bottom: 0.25em;
border-bottom: 2px solid #BBB;
}
.project__header__title {
overflow-wrap: break-word;
word-wrap: break-word;
word-break: break-all;
margin-bottom: .1em;
margin-top: 0;
}
.timestamp {
float: right;
clear: none;
margin-bottom: 0;
}
.meta-counts {
clear: both;
display: block;
flex-wrap: wrap;
justify-content: space-between;
margin: 0 0 1.5em;
color: #fff;
clear: both;
font-size: 1.1em;
}
.meta-count {
display: block;
flex-basis: 100%;
margin: 0 1em 1em 0;
float: left;
padding-right: 1em;
border-right: 2px solid #fff;
}
.meta-count:last-child {
border-right: 0;
padding-right: 0;
margin-right: 0;
}
/* Card */
.card {
background-color: #fff;
border: 1px solid #c5c5c5;
border-radius: .25rem;
margin: 0 0 2em 0;
position: relative;
min-height: 40px;
padding: 1.5em;
}
.card .label {
background-color: #767676;
border: 2px solid #767676;
color: white;
padding: 0.25rem 0.75rem;
font-size: 0.875rem;
text-transform: uppercase;
display: inline-block;
margin: 0;
border-radius: 0.25rem;
}
.card .label__text {
vertical-align: text-top;
font-weight: bold;
}
.card .label--critical {
background-color: #AB1A1A;
border-color: #AB1A1A;
}
.card .label--high {
background-color: #CE5019;
border-color: #CE5019;
}
.card .label--medium {
background-color: #D68000;
border-color: #D68000;
}
.card .label--low {
background-color: #88879E;
border-color: #88879E;
}
.severity--low {
border-color: #88879E;
}
.severity--medium {
border-color: #D68000;
}
.severity--high {
border-color: #CE5019;
}
.severity--critical {
border-color: #AB1A1A;
}
.card--vuln {
padding-top: 4em;
}
.card--vuln .label {
left: 0;
position: absolute;
top: 1.1em;
padding-left: 1.9em;
padding-right: 1.9em;
border-radius: 0 0.25rem 0.25rem 0;
}
.card--vuln .card__section h2 {
font-size: 22px;
margin-bottom: 0.5em;
}
.card--vuln .card__section p {
margin: 0 0 0.5em 0;
}
.card--vuln .card__meta {
padding: 0 0 0 1em;
margin: 0;
font-size: 1.1em;
}
.card .card__meta__paths {
font-size: 0.9em;
}
.card--vuln .card__title {
font-size: 28px;
margin-top: 0;
}
.card--vuln .card__cta p {
margin: 0;
text-align: right;
}
.source-panel {
clear: both;
display: flex;
justify-content: flex-start;
flex-direction: column;
align-items: flex-start;
padding: 0.5em 0;
width: fit-content;
}
</style>
<style type="text/css">
.metatable {
text-size-adjust: 100%;
-webkit-font-smoothing: antialiased;
-webkit-box-direction: normal;
color: inherit;
font-feature-settings: "pnum";
box-sizing: border-box;
background: transparent;
border: 0;
font: inherit;
font-size: 100%;
margin: 0;
outline: none;
padding: 0;
text-align: left;
text-decoration: none;
vertical-align: baseline;
z-index: auto;
margin-top: 12px;
border-collapse: collapse;
border-spacing: 0;
font-variant-numeric: tabular-nums;
max-width: 51.75em;
}
tbody {
text-size-adjust: 100%;
-webkit-font-smoothing: antialiased;
-webkit-box-direction: normal;
color: inherit;
font-feature-settings: "pnum";
border-collapse: collapse;
border-spacing: 0;
box-sizing: border-box;
background: transparent;
border: 0;
font: inherit;
font-size: 100%;
margin: 0;
outline: none;
padding: 0;
text-align: left;
text-decoration: none;
vertical-align: baseline;
z-index: auto;
display: flex;
flex-wrap: wrap;
}
.meta-row {
text-size-adjust: 100%;
-webkit-font-smoothing: antialiased;
-webkit-box-direction: normal;
color: inherit;
font-feature-settings: "pnum";
border-collapse: collapse;
border-spacing: 0;
box-sizing: border-box;
background: transparent;
border: 0;
font: inherit;
font-size: 100%;
outline: none;
text-align: left;
text-decoration: none;
vertical-align: baseline;
z-index: auto;
display: flex;
align-items: start;
border-top: 1px solid #d3d3d9;
padding: 8px 0 0 0;
border-bottom: none;
margin: 8px;
width: 47.75%;
}
.meta-row-label {
text-size-adjust: 100%;
-webkit-font-smoothing: antialiased;
-webkit-box-direction: normal;
font-feature-settings: "pnum";
border-collapse: collapse;
border-spacing: 0;
color: #4c4a73;
box-sizing: border-box;
background: transparent;
border: 0;
font: inherit;
margin: 0;
outline: none;
text-decoration: none;
z-index: auto;
align-self: start;
flex: 1;
font-size: 1rem;
line-height: 1.5rem;
padding: 0;
text-align: left;
vertical-align: top;
text-transform: none;
letter-spacing: 0;
}
.meta-row-value {
text-size-adjust: 100%;
-webkit-font-smoothing: antialiased;
-webkit-box-direction: normal;
color: inherit;
font-feature-settings: "pnum";
border-collapse: collapse;
border-spacing: 0;
word-break: break-word;
box-sizing: border-box;
background: transparent;
border: 0;
font: inherit;
font-size: 100%;
margin: 0;
outline: none;
padding: 0;
text-align: right;
text-decoration: none;
vertical-align: baseline;
z-index: auto;
}
</style>
</head>
<body class="section-projects">
<main class="layout-stacked">
<div class="layout-stacked__header header">
<header class="project__header">
<div class="layout-container">
<a class="brand" href="https://snyk.io" title="Snyk">
<svg width="68px" height="35px" viewBox="0 0 68 35" version="1.1" xmlns="http://www.w3.org/2000/svg" role="img">
<title>Snyk - Open Source Security</title>
<g stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
<g fill="#fff">
<path d="M5.732,27.278 C3.445,27.278 1.589,26.885 0,26.124 L0.483,22.472 C2.163,23.296 4.056,23.689 5.643,23.689 C6.801,23.689 7.563,23.295 7.563,22.599 C7.563,20.594 0.333,21.076 0.333,15.839 C0.333,12.491 3.407,10.729 7.259,10.729 C9.179,10.729 11.161,11.249 12.444,11.704 L11.924,15.294 C10.577,14.774 8.747,14.291 7.222,14.291 C6.282,14.291 5.518,14.621 5.518,15.231 C5.518,17.208 12.903,16.815 12.903,21.925 C12.903,25.325 9.877,27.277 5.733,27.277 L5.732,27.278 Z M25.726,26.936 L25.726,17.894 C25.726,15.827 24.811,14.85 23.069,14.85 C22.219,14.85 21.329,15.09 20.719,15.46 L20.719,26.936 L15.352,26.936 L15.352,11.262 L20.602,10.83 L20.474,13.392 L20.652,13.392 C21.784,11.87 23.702,10.716 25.992,10.716 C28.736,10.716 31.112,12.416 31.112,16.436 L31.112,26.936 L25.724,26.936 L25.726,26.936 Z M61.175,26.936 L56.879,19.479 L56.446,19.479 L56.446,26.935 L51.082,26.935 L51.082,8.37 L56.447,0 L56.447,17.323 C57.515,16.017 61.112,11.059 61.112,11.059 L67.732,11.059 L61.454,17.689 L67.949,26.95 L61.175,26.95 L61.175,26.938 L61.175,26.936 Z M44.13,11.11 L41.93,18.262 C41.5,19.606 41.08,22.079 41.08,22.079 C41.08,22.079 40.75,19.516 40.292,18.172 L37.94,11.108 L31.928,11.108 L38.462,26.935 C37.572,29.04 36.199,30.815 34.369,30.815 C34.039,30.815 33.709,30.802 33.389,30.765 L31.255,34.061 C31.928,34.441 33.212,34.835 34.737,34.835 C38.703,34.835 41.359,31.627 43.215,26.885 L49.443,11.108 L44.132,11.108 L44.13,11.11 Z"></path>
</g>
</g>
</svg>
</a>
<div class="header-wrap">
<h1 class="project__header__title">Snyk test report</h1>
<p class="timestamp">July 27th 2022, 3:00:56 pm</p>
</div>
<div class="source-panel">
<span>Scanned the following path:</span>
<ul>
<li class="paths">ghcr.io/dexidp/dex:v2.30.2/dexidp/dex (apk)</li>
</ul>
</div>
<div class="meta-counts">
<div class="meta-count"><span>6</span> <span>known vulnerabilities</span></div>
<div class="meta-count"><span>36 vulnerable dependency paths</span></div>
<div class="meta-count"><span>16</span> <span>dependencies</span></div>
</div><!-- .meta-counts -->
</div><!-- .layout-container--short -->
</header><!-- .project__header -->
</div><!-- .layout-stacked__header -->
<section class="layout-container">
<table class="metatable">
<tbody>
<tr class="meta-row"><th class="meta-row-label">Project</th> <td class="meta-row-value">docker-image|ghcr.io/dexidp/dex</td></tr>
<tr class="meta-row"><th class="meta-row-label">Path</th> <td class="meta-row-value">ghcr.io/dexidp/dex:v2.30.2/dexidp/dex</td></tr>
<tr class="meta-row"><th class="meta-row-label">Package Manager</th> <td class="meta-row-value">apk</td></tr>
</tbody>
</table>
</section>
<div class="layout-container" style="padding-top: 35px;">
<div class="cards--vuln filter--patch filter--ignore">
<div class="card card--vuln disclosure--not-new severity--critical" data-snyk-test="critical">
<h2 class="card__title">CVE-2022-28391</h2>
<div class="card__section">
<div class="label label--critical">
<span class="label__text">critical severity</span>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Package Manager: alpine:3.14
</li>
<li class="card__meta__item">
Vulnerable module:
busybox/busybox
</li>
<li class="card__meta__item">Introduced through:
docker-image|ghcr.io/dexidp/dex@v2.30.2 and busybox/busybox@1.33.1-r6
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
busybox/busybox@1.33.1-r6
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
alpine-baselayout/alpine-baselayout@3.2.0-r16
<span class="list-paths__item__arrow"></span>
busybox/busybox@1.33.1-r6
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
ca-certificates/ca-certificates@20191127-r5
<span class="list-paths__item__arrow"></span>
busybox/busybox@1.33.1-r6
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
busybox/ssl_client@1.33.1-r6
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<h2 id="nvd-description">NVD Description</h2>
<p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>busybox</code> package.</em>
<em>See <code>How to fix?</code> for <code>Alpine:3.14</code> relevant versions.</em></p>
<p>BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record&#39;s value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal&#39;s colors.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>Alpine:3.14</code> <code>busybox</code> to version 1.33.1-r7 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch">MISC</a></li>
<li><a href="https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661">MISC</a></li>
<li><a href="https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch">MISC</a></li>
</ul>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-ALPINE314-BUSYBOX-2440608">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high">
<h2 class="card__title">Out-of-bounds Write</h2>
<div class="card__section">
<div class="label label--high">
<span class="label__text">high severity</span>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Package Manager: alpine:3.14
</li>
<li class="card__meta__item">
Vulnerable module:
zlib/zlib
</li>
<li class="card__meta__item">Introduced through:
docker-image|ghcr.io/dexidp/dex@v2.30.2 and zlib/zlib@1.2.11-r3
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
zlib/zlib@1.2.11-r3
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
apk-tools/apk-tools@2.12.7-r0
<span class="list-paths__item__arrow"></span>
zlib/zlib@1.2.11-r3
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<h2 id="nvd-description">NVD Description</h2>
<p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>zlib</code> package.</em>
<em>See <code>How to fix?</code> for <code>Alpine:3.14</code> relevant versions.</em></p>
<p>zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>Alpine:3.14</code> <code>zlib</code> to version 1.2.12-r0 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://www.openwall.com/lists/oss-security/2022/03/24/1">MISC</a></li>
<li><a href="https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531">MISC</a></li>
<li><a href="http://www.openwall.com/lists/oss-security/2022/03/25/2">MLIST</a></li>
<li><a href="http://www.openwall.com/lists/oss-security/2022/03/26/1">MLIST</a></li>
<li><a href="https://www.openwall.com/lists/oss-security/2022/03/28/1">MISC</a></li>
<li><a href="https://github.com/madler/zlib/compare/v1.2.11...v1.2.12">CONFIRM</a></li>
<li><a href="https://www.openwall.com/lists/oss-security/2022/03/28/3">MISC</a></li>
<li><a href="https://github.com/madler/zlib/issues/605">MISC</a></li>
<li><a href="https://www.debian.org/security/2022/dsa-5111">DEBIAN</a></li>
<li><a href="https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html">MLIST</a></li>
<li><a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/">FEDORA</a></li>
<li><a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/">FEDORA</a></li>
<li><a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/">FEDORA</a></li>
<li><a href="https://lists.debian.org/debian-lts-announce/2022/05/msg00008.html">MLIST</a></li>
<li><a href="https://support.apple.com/kb/HT213255">CONFIRM</a></li>
<li><a href="https://support.apple.com/kb/HT213256">CONFIRM</a></li>
<li><a href="https://support.apple.com/kb/HT213257">CONFIRM</a></li>
<li><a href="http://seclists.org/fulldisclosure/2022/May/33">FULLDISC</a></li>
<li><a href="http://seclists.org/fulldisclosure/2022/May/35">FULLDISC</a></li>
<li><a href="http://seclists.org/fulldisclosure/2022/May/38">FULLDISC</a></li>
<li><a href="https://security.netapp.com/advisory/ntap-20220526-0009/">CONFIRM</a></li>
<li><a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/">FEDORA</a></li>
<li><a href="https://www.oracle.com/security-alerts/cpujul2022.html">N/A</a></li>
</ul>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-ALPINE314-ZLIB-2434419">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high">
<h2 class="card__title">Loop with Unreachable Exit Condition (&#x27;Infinite Loop&#x27;)</h2>
<div class="card__section">
<div class="label label--high">
<span class="label__text">high severity</span>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Package Manager: alpine:3.14
</li>
<li class="card__meta__item">
Vulnerable module:
openssl/libcrypto1.1
</li>
<li class="card__meta__item">Introduced through:
docker-image|ghcr.io/dexidp/dex@v2.30.2 and openssl/libcrypto1.1@1.1.1l-r0
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
openssl/libcrypto1.1@1.1.1l-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
openssl/libssl1.1@1.1.1l-r0
<span class="list-paths__item__arrow"></span>
openssl/libcrypto1.1@1.1.1l-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
apk-tools/apk-tools@2.12.7-r0
<span class="list-paths__item__arrow"></span>
openssl/libcrypto1.1@1.1.1l-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
libretls/libretls@3.3.3p1-r2
<span class="list-paths__item__arrow"></span>
openssl/libcrypto1.1@1.1.1l-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
ca-certificates/ca-certificates@20191127-r5
<span class="list-paths__item__arrow"></span>
openssl/libcrypto1.1@1.1.1l-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
ca-certificates/ca-certificates@20191127-r5
<span class="list-paths__item__arrow"></span>
openssl/openssl@1.1.1l-r0
<span class="list-paths__item__arrow"></span>
openssl/libcrypto1.1@1.1.1l-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
openssl/libssl1.1@1.1.1l-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
apk-tools/apk-tools@2.12.7-r0
<span class="list-paths__item__arrow"></span>
openssl/libssl1.1@1.1.1l-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
libretls/libretls@3.3.3p1-r2
<span class="list-paths__item__arrow"></span>
openssl/libssl1.1@1.1.1l-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
ca-certificates/ca-certificates@20191127-r5
<span class="list-paths__item__arrow"></span>
openssl/openssl@1.1.1l-r0
<span class="list-paths__item__arrow"></span>
openssl/libssl1.1@1.1.1l-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
openssl/openssl@1.1.1l-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
ca-certificates/ca-certificates@20191127-r5
<span class="list-paths__item__arrow"></span>
openssl/openssl@1.1.1l-r0
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<h2 id="nvd-description">NVD Description</h2>
<p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>openssl</code> package.</em>
<em>See <code>How to fix?</code> for <code>Alpine:3.14</code> relevant versions.</em></p>
<p>The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>Alpine:3.14</code> <code>openssl</code> to version 1.1.1n-r0 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=380085481c64de749a6dd25cdf0bcf4360b30f83">CONFIRM</a></li>
<li><a href="https://www.openssl.org/news/secadv/20220315.txt">CONFIRM</a></li>
<li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a466912611aa6cbdf550cd10601390e587451246">CONFIRM</a></li>
<li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3118eb64934499d93db3230748a452351d1d9a65">CONFIRM</a></li>
<li><a href="https://www.debian.org/security/2022/dsa-5103">DEBIAN</a></li>
<li><a href="https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html">MLIST</a></li>
<li><a href="https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html">MLIST</a></li>
<li><a href="https://security.netapp.com/advisory/ntap-20220321-0002/">CONFIRM</a></li>
<li><a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/">FEDORA</a></li>
<li><a href="https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002">CONFIRM</a></li>
<li><a href="https://www.tenable.com/security/tns-2022-06">CONFIRM</a></li>
<li><a href="https://www.tenable.com/security/tns-2022-07">CONFIRM</a></li>
<li><a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/323SNN6ZX7PRJJWP2BUAFLPUAE42XWLZ/">FEDORA</a></li>
<li><a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W6K3PR542DXWLEFFMFIDMME4CWMHJRMG/">FEDORA</a></li>
<li><a href="https://www.tenable.com/security/tns-2022-08">CONFIRM</a></li>
<li><a href="https://www.oracle.com/security-alerts/cpuapr2022.html">MISC</a></li>
<li><a href="https://www.tenable.com/security/tns-2022-09">CONFIRM</a></li>
<li><a href="https://security.netapp.com/advisory/ntap-20220429-0005/">CONFIRM</a></li>
<li><a href="https://support.apple.com/kb/HT213256">CONFIRM</a></li>
<li><a href="https://support.apple.com/kb/HT213255">CONFIRM</a></li>
<li><a href="https://support.apple.com/kb/HT213257">CONFIRM</a></li>
<li><a href="http://seclists.org/fulldisclosure/2022/May/38">FULLDISC</a></li>
<li><a href="http://seclists.org/fulldisclosure/2022/May/35">FULLDISC</a></li>
<li><a href="http://seclists.org/fulldisclosure/2022/May/33">FULLDISC</a></li>
<li><a href="http://packetstormsecurity.com/files/167344/OpenSSL-1.0.2-1.1.1-3.0-BN_mod_sqrt-Infinite-Loop.html">MISC</a></li>
<li><a href="https://cert-portal.siemens.com/productcert/pdf/ssa-712929.pdf">CONFIRM</a></li>
<li><a href="https://www.oracle.com/security-alerts/cpujul2022.html">N/A</a></li>
</ul>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-ALPINE314-OPENSSL-2426333">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high">
<h2 class="card__title">Inadequate Encryption Strength</h2>
<div class="card__section">
<div class="label label--high">
<span class="label__text">high severity</span>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Package Manager: alpine:3.14
</li>
<li class="card__meta__item">
Vulnerable module:
openssl/libcrypto1.1
</li>
<li class="card__meta__item">Introduced through:
docker-image|ghcr.io/dexidp/dex@v2.30.2 and openssl/libcrypto1.1@1.1.1l-r0
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
openssl/libcrypto1.1@1.1.1l-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
openssl/libssl1.1@1.1.1l-r0
<span class="list-paths__item__arrow"></span>
openssl/libcrypto1.1@1.1.1l-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
apk-tools/apk-tools@2.12.7-r0
<span class="list-paths__item__arrow"></span>
openssl/libcrypto1.1@1.1.1l-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
libretls/libretls@3.3.3p1-r2
<span class="list-paths__item__arrow"></span>
openssl/libcrypto1.1@1.1.1l-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
ca-certificates/ca-certificates@20191127-r5
<span class="list-paths__item__arrow"></span>
openssl/libcrypto1.1@1.1.1l-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
ca-certificates/ca-certificates@20191127-r5
<span class="list-paths__item__arrow"></span>
openssl/openssl@1.1.1l-r0
<span class="list-paths__item__arrow"></span>
openssl/libcrypto1.1@1.1.1l-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
openssl/libssl1.1@1.1.1l-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
apk-tools/apk-tools@2.12.7-r0
<span class="list-paths__item__arrow"></span>
openssl/libssl1.1@1.1.1l-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
libretls/libretls@3.3.3p1-r2
<span class="list-paths__item__arrow"></span>
openssl/libssl1.1@1.1.1l-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
ca-certificates/ca-certificates@20191127-r5
<span class="list-paths__item__arrow"></span>
openssl/openssl@1.1.1l-r0
<span class="list-paths__item__arrow"></span>
openssl/libssl1.1@1.1.1l-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
openssl/openssl@1.1.1l-r0
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
ca-certificates/ca-certificates@20191127-r5
<span class="list-paths__item__arrow"></span>
openssl/openssl@1.1.1l-r0
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<h2 id="nvd-description">NVD Description</h2>
<p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>openssl</code> package.</em>
<em>See <code>How to fix?</code> for <code>Alpine:3.14</code> relevant versions.</em></p>
<p>AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn&#39;t written. In the special case of &#34;in place&#34; encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>Alpine:3.14</code> <code>openssl</code> to version 1.1.1q-r0 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://www.openssl.org/news/secadv/20220705.txt">CONFIRM</a></li>
<li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a98f339ddd7e8f487d6e0088d4a9a42324885a93">CONFIRM</a></li>
<li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=919925673d6c9cfed3c1085497f5dfbbed5fc431">CONFIRM</a></li>
<li><a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V6567JERRHHJW2GNGJGKDRNHR7SNPZK7/">FEDORA</a></li>
<li><a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6CK57NBQFTPUMXAPJURCGXUYT76NQAK/">FEDORA</a></li>
<li><a href="https://security.netapp.com/advisory/ntap-20220715-0011/">CONFIRM</a></li>
<li><a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/">FEDORA</a></li>
</ul>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-ALPINE314-OPENSSL-2941807">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--high" data-snyk-test="high">
<h2 class="card__title">Loop with Unreachable Exit Condition (&#x27;Infinite Loop&#x27;)</h2>
<div class="card__section">
<div class="label label--high">
<span class="label__text">high severity</span>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Package Manager: alpine:3.14
</li>
<li class="card__meta__item">
Vulnerable module:
libretls/libretls
</li>
<li class="card__meta__item">Introduced through:
docker-image|ghcr.io/dexidp/dex@v2.30.2 and libretls/libretls@3.3.3p1-r2
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
libretls/libretls@3.3.3p1-r2
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
busybox/ssl_client@1.33.1-r6
<span class="list-paths__item__arrow"></span>
libretls/libretls@3.3.3p1-r2
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<h2 id="nvd-description">NVD Description</h2>
<p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>libretls</code> package.</em>
<em>See <code>How to fix?</code> for <code>Alpine:3.14</code> relevant versions.</em></p>
<p>The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include:</p>
<ul>
<li>TLS clients consuming server certificates</li>
<li>TLS servers consuming client certificates</li>
<li>Hosting providers taking certificates or private keys from customers</li>
<li>Certificate authorities parsing certification requests from subscribers</li>
<li>Anything else which parses ASN.1 elliptic curve parameters</li>
</ul>
<p>Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate, which makes it slightly harder to trigger the infinite loop. However, any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0, 3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>Alpine:3.14</code> <code>libretls</code> to version 3.3.3p1-r3 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=380085481c64de749a6dd25cdf0bcf4360b30f83">CONFIRM</a></li>
<li><a href="https://www.openssl.org/news/secadv/20220315.txt">CONFIRM</a></li>
<li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a466912611aa6cbdf550cd10601390e587451246">CONFIRM</a></li>
<li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3118eb64934499d93db3230748a452351d1d9a65">CONFIRM</a></li>
<li><a href="https://www.debian.org/security/2022/dsa-5103">DEBIAN</a></li>
<li><a href="https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html">MLIST</a></li>
<li><a href="https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html">MLIST</a></li>
<li><a href="https://security.netapp.com/advisory/ntap-20220321-0002/">CONFIRM</a></li>
<li><a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/">FEDORA</a></li>
<li><a href="https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002">CONFIRM</a></li>
<li><a href="https://www.tenable.com/security/tns-2022-06">CONFIRM</a></li>
<li><a href="https://www.tenable.com/security/tns-2022-07">CONFIRM</a></li>
<li><a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/323SNN6ZX7PRJJWP2BUAFLPUAE42XWLZ/">FEDORA</a></li>
<li><a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W6K3PR542DXWLEFFMFIDMME4CWMHJRMG/">FEDORA</a></li>
<li><a href="https://www.tenable.com/security/tns-2022-08">CONFIRM</a></li>
<li><a href="https://www.oracle.com/security-alerts/cpuapr2022.html">MISC</a></li>
<li><a href="https://www.tenable.com/security/tns-2022-09">CONFIRM</a></li>
<li><a href="https://security.netapp.com/advisory/ntap-20220429-0005/">CONFIRM</a></li>
<li><a href="https://support.apple.com/kb/HT213256">CONFIRM</a></li>
<li><a href="https://support.apple.com/kb/HT213255">CONFIRM</a></li>
<li><a href="https://support.apple.com/kb/HT213257">CONFIRM</a></li>
<li><a href="http://seclists.org/fulldisclosure/2022/May/38">FULLDISC</a></li>
<li><a href="http://seclists.org/fulldisclosure/2022/May/35">FULLDISC</a></li>
<li><a href="http://seclists.org/fulldisclosure/2022/May/33">FULLDISC</a></li>
<li><a href="http://packetstormsecurity.com/files/167344/OpenSSL-1.0.2-1.1.1-3.0-BN_mod_sqrt-Infinite-Loop.html">MISC</a></li>
<li><a href="https://cert-portal.siemens.com/productcert/pdf/ssa-712929.pdf">CONFIRM</a></li>
<li><a href="https://www.oracle.com/security-alerts/cpujul2022.html">N/A</a></li>
</ul>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-ALPINE314-LIBRETLS-2432985">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low">
<h2 class="card__title">ALPINE-13661</h2>
<div class="card__section">
<div class="label label--low">
<span class="label__text">low severity</span>
</div>
<hr/>
<ul class="card__meta">
<li class="card__meta__item">
Package Manager: alpine:3.14
</li>
<li class="card__meta__item">
Vulnerable module:
busybox/busybox
</li>
<li class="card__meta__item">Introduced through:
docker-image|ghcr.io/dexidp/dex@v2.30.2 and busybox/busybox@1.33.1-r6
</li>
</ul>
<hr/>
<h3 class="card__section__title">Detailed paths</h3>
<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
busybox/busybox@1.33.1-r6
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
alpine-baselayout/alpine-baselayout@3.2.0-r16
<span class="list-paths__item__arrow"></span>
busybox/busybox@1.33.1-r6
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
ca-certificates/ca-certificates@20191127-r5
<span class="list-paths__item__arrow"></span>
busybox/busybox@1.33.1-r6
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|ghcr.io/dexidp/dex@v2.30.2
<span class="list-paths__item__arrow"></span>
busybox/ssl_client@1.33.1-r6
</span>
</li>
</ul><!-- .list-paths -->
</div><!-- .card__section -->
<hr/>
<!-- Overview -->
<h2 id="nvd-description">NVD Description</h2>
<p><em>This vulnerability has not been analyzed by NVD yet.</em></p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>Alpine:3.14</code> <code>busybox</code> to version 1.33.1-r7 or higher.</p>
<hr/>
<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-ALPINE314-BUSYBOX-2606934">More about this vulnerability</a></p>
</div>
</div><!-- .card -->
</div><!-- cards -->
</div>
</main><!-- .layout-stacked__content -->
</body>
</html>