diff --git a/hooks/persistence-defectdojo/hook/src/main/java/io/securecodebox/persistence/mapping/SecureCodeBoxFindingsToDefectDojoMapper.java b/hooks/persistence-defectdojo/hook/src/main/java/io/securecodebox/persistence/mapping/SecureCodeBoxFindingsToDefectDojoMapper.java
index 400df268bb..275c701854 100644
--- a/hooks/persistence-defectdojo/hook/src/main/java/io/securecodebox/persistence/mapping/SecureCodeBoxFindingsToDefectDojoMapper.java
+++ b/hooks/persistence-defectdojo/hook/src/main/java/io/securecodebox/persistence/mapping/SecureCodeBoxFindingsToDefectDojoMapper.java
@@ -86,7 +86,7 @@ private void setFindingLocation(SecureCodeBoxFinding secureCodeBoxFinding, Defec
 URI.create(secureCodeBoxFinding.getLocation());
 result.setEndpoints(Collections.singletonList(secureCodeBoxFinding.getLocation()));
 } catch (IllegalArgumentException e) {
- log.warn("Couldn't parse the secureCodeBox location, because it: {} is not a vailid uri: {}", e, secureCodeBoxFinding.getLocation());
+ log.warn("Couldn't parse the secureCodeBox location, because it: {} is not a valid uri: {}", e, secureCodeBoxFinding.getLocation());
 }
 }
 }
diff --git a/scanners/trivy/.helm-docs.gotmpl b/scanners/trivy/.helm-docs.gotmpl
index ce8876d3e0..8450f80de5 100644
--- a/scanners/trivy/.helm-docs.gotmpl
+++ b/scanners/trivy/.helm-docs.gotmpl
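Review bot: In the `log.warn` call inside the catch block of `setFindingLocation` (SecureCodeBoxFindingsToDefectDojoMapper.java), the exception `e` fills the first `{}` and the location the second, so the message prints the exception text where the location is meant. Assuming `log` is an SLF4J-style logger, `e` is also not treated as the throwable there. Consider `log.warn("Couldn't parse the secureCodeBox location, because it is not a valid uri: {}", secureCodeBoxFinding.getLocation(), e);`. The value logged is exactly the string `URI.create` rejected and it comes from scanner output, so it may contain line breaks or other control characters; unless the log layout escapes them, a finding could split or forge log entries, so encoding or stripping control characters before logging is worth adding. The method begins above the hunk, so how the location is otherwise validated is not visible here.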
@@ -85,6 +85,25 @@ One way to avoid that is to [preemptively download](https://aquasecurity.github. ::: In case only a single scan or very few are run, and you want to avoid the small performance overhead, client/server mode can be disabled by setting `--set="trivyDatabaseCache.enabled=false"` during helm install. + +## Parser specifics +Our parser customizes the format of Trivy scan results by using a unique `location` attribute that employs a custom URL format (`scb://trivy/`) with URL parameters. These parameters are extracted from the corresponding scan result file attributes and vary depending on the type of scan performed — either a Kubernetes (K8S) resource scan or a container image scan. + +### URL Format Patterns +#### For Kubernetes (K8S) Resource Scans: +`scb://trivy/?ClusterName=&Namespace=&Kind=&Name=` + +##### Parameters: +- ClusterName: The name of the Kubernetes cluster (optional). +- Namespace: The namespace within the cluster (optional). +- Kind: The type of Kubernetes resource (e.g., Deployment, Service, Pod). +- Name: The name of the resource. + +#### For Container Image Scans: +`scb://trivy/?ArtifactName=` + +##### Parameter: +- ArtifactName: The name (and optionally the tag) of the container image. {{- end }} {{- define "extra.chartConfigurationSection" -}} diff --git a/scanners/trivy/parser/__snapshots__/parser.test.js.snap b/scanners/trivy/parser/__snapshots__/parser.test.js.snap index 8300cf17dc..5c3251ae00 100644 --- a/scanners/trivy/parser/__snapshots__/parser.test.js.snap +++ b/scanners/trivy/parser/__snapshots__/parser.test.js.snap 
@@ -23,7 +23,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package apk-tools to the fixed version: 2.10.7-r0 or remove the package from the image.", "name": "libfetch: an out of boundary read while libfetch uses strtol to parse the relevant numbers into address bytes leads to information leak or crash", "osi_layer": "NOT_APPLICABLE", @@ -89,7 +89,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "In Alpine Linux apk-tools before 2.12.5, the tarball parser allows a buffer overflow and crash.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package apk-tools to the fixed version: 2.10.6-r0 or remove the package from the image.", "name": "Vulnerability in Dependency apk-tools (2.10.4-r3)", "osi_layer": "NOT_APPLICABLE", 
@@ -137,7 +137,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r10 or remove the package from the image.", "name": "busybox: invalid free or segmentation fault via malformed gzip data", "osi_layer": "NOT_APPLICABLE", @@ -222,7 +222,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i()", "osi_layer": "NOT_APPLICABLE", 
@@ -295,7 +295,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file()", "osi_layer": "NOT_APPLICABLE", @@ -368,7 +368,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar()", "osi_layer": "NOT_APPLICABLE", 
@@ -441,7 +441,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init()", "osi_layer": "NOT_APPLICABLE", @@ -514,7 +514,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s()", "osi_layer": "NOT_APPLICABLE", 
@@ -586,7 +586,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate()", "osi_layer": "NOT_APPLICABLE", @@ -655,7 +655,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special()", "osi_layer": "NOT_APPLICABLE", 
@@ -728,7 +728,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate()", "osi_layer": "NOT_APPLICABLE", @@ -801,7 +801,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc()", "osi_layer": "NOT_APPLICABLE", 
@@ -874,7 +874,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: out-of-bounds read in unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed", "osi_layer": "NOT_APPLICABLE", 
@@ -966,7 +966,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1l-r0 or remove the package from the image.", "name": "openssl: SM2 Decryption Buffer Overflow", "osi_layer": "NOT_APPLICABLE", 
@@ -1151,7 +1151,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1g-r0 or remove the package from the image.", "name": "openssl: Segmentation fault in SSL_check_chain causes denial of service", "osi_layer": "NOT_APPLICABLE", 
@@ -1394,7 +1394,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1j-r0 or remove the package from the image.", "name": "openssl: integer overflow in CipherUpdate", "osi_layer": "NOT_APPLICABLE", 
@@ -1596,7 +1596,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. 
Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1k-r0 or remove the package from the image.", "name": "openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT", "osi_layer": "NOT_APPLICABLE", 
@@ -1799,7 +1799,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. 
If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1l-r0 or remove the package from the image.", "name": "openssl: Read buffer overruns processing ASN.1 strings", "osi_layer": "NOT_APPLICABLE", 
@@ -2016,7 +2016,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. 
Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1i-r0 or remove the package from the image.", "name": "openssl: EDIPARTYNAME NULL pointer de-reference", "osi_layer": "NOT_APPLICABLE", 
@@ -2214,7 +2214,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1j-r0 or remove the package from the image.", "name": "openssl: NULL pointer dereference in X509_issuer_and_serial_hash()", "osi_layer": "NOT_APPLICABLE", 
@@ -2438,7 +2438,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1k-r0 or remove the package from the image.", "name": "openssl: NULL pointer dereference in signature_algorithms processing", "osi_layer": "NOT_APPLICABLE", 
@@ -2655,7 +2655,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. 
Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package libcrypto1.1 to the fixed version: 1.1.1j-r0 or remove the package from the image.", "name": "openssl: incorrect SSLv2 rollback protection", "osi_layer": "NOT_APPLICABLE", @@ -2746,7 +2746,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package libgcc to the fixed version: 9.3.0-r0 or remove the package from the image.", "name": "gcc: POWER9 "DARN" RNG intrinsic produces repeated output", "osi_layer": "NOT_APPLICABLE", 
@@ -2846,7 +2846,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1l-r0 or remove the package from the image.", "name": "openssl: SM2 Decryption Buffer Overflow", "osi_layer": "NOT_APPLICABLE", 
@@ -3031,7 +3031,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1g-r0 or remove the package from the image.", "name": "openssl: Segmentation fault in SSL_check_chain causes denial of service", "osi_layer": "NOT_APPLICABLE", 
@@ -3274,7 +3274,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1j-r0 or remove the package from the image.", "name": "openssl: integer overflow in CipherUpdate", "osi_layer": "NOT_APPLICABLE", 
@@ -3476,7 +3476,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. 
Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1k-r0 or remove the package from the image.", "name": "openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT", "osi_layer": "NOT_APPLICABLE", 
@@ -3679,7 +3679,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. 
If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1l-r0 or remove the package from the image.", "name": "openssl: Read buffer overruns processing ASN.1 strings", "osi_layer": "NOT_APPLICABLE", 
@@ -3896,7 +3896,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. 
Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1i-r0 or remove the package from the image.", "name": "openssl: EDIPARTYNAME NULL pointer de-reference", "osi_layer": "NOT_APPLICABLE", 
@@ -4094,7 +4094,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1j-r0 or remove the package from the image.", "name": "openssl: NULL pointer dereference in X509_issuer_and_serial_hash()", "osi_layer": "NOT_APPLICABLE", 
@@ -4318,7 +4318,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1k-r0 or remove the package from the image.", "name": "openssl: NULL pointer dereference in signature_algorithms processing", "osi_layer": "NOT_APPLICABLE", 
@@ -4535,7 +4535,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. 
Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package libssl1.1 to the fixed version: 1.1.1j-r0 or remove the package from the image.", "name": "openssl: incorrect SSLv2 rollback protection", "osi_layer": "NOT_APPLICABLE", @@ -4626,7 +4626,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package libstdc++ to the fixed version: 9.3.0-r0 or remove the package from the image.", "name": "gcc: POWER9 "DARN" RNG intrinsic produces repeated output", "osi_layer": "NOT_APPLICABLE", 
@@ -4711,7 +4711,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package musl to the fixed version: 1.1.24-r3 or remove the package from the image.", "name": "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinati ...", "osi_layer": "NOT_APPLICABLE", @@ -4804,7 +4804,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package musl-utils to the fixed version: 1.1.24-r3 or remove the package from the image.", "name": "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinati ...", "osi_layer": "NOT_APPLICABLE", 
@@ -4896,7 +4896,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r10 or remove the package from the image.", "name": "busybox: invalid free or segmentation fault via malformed gzip data", "osi_layer": "NOT_APPLICABLE", @@ -4981,7 +4981,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i()", "osi_layer": "NOT_APPLICABLE", 
@@ -5054,7 +5054,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file()", "osi_layer": "NOT_APPLICABLE", @@ -5127,7 +5127,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar()", "osi_layer": "NOT_APPLICABLE", 
@@ -5200,7 +5200,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init()", "osi_layer": "NOT_APPLICABLE", @@ -5273,7 +5273,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s()", "osi_layer": "NOT_APPLICABLE", 
@@ -5345,7 +5345,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate()", "osi_layer": "NOT_APPLICABLE", @@ -5414,7 +5414,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special()", "osi_layer": "NOT_APPLICABLE", 
@@ -5487,7 +5487,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate()", "osi_layer": "NOT_APPLICABLE", @@ -5560,7 +5560,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc()", "osi_layer": "NOT_APPLICABLE", 
@@ -5633,7 +5633,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: out-of-bounds read in unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed", "osi_layer": "NOT_APPLICABLE", @@ -5742,7 +5742,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package zlib to the fixed version: 1.2.11-r4 or remove the package from the image.", "name": "zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field", "osi_layer": "NOT_APPLICABLE", 
@@ -5964,7 +5964,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package ajv to the fixed version: 6.12.3 or remove the package from the image.", "name": "nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function", "osi_layer": "NOT_APPLICABLE", @@ -6062,7 +6062,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package ajv to the fixed version: 6.12.3 or remove the package from the image.", "name": "nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function", "osi_layer": "NOT_APPLICABLE", 
@@ -6176,7 +6176,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package ansi-regex to the fixed version: 6.0.1, 5.0.1, 4.1.1, 3.0.1 or remove the package from the image.", "name": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", "osi_layer": "NOT_APPLICABLE", @@ -6354,7 +6354,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package ansi-regex to the fixed version: 6.0.1, 5.0.1, 4.1.1, 3.0.1 or remove the package from the image.", "name": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", "osi_layer": "NOT_APPLICABLE", @@ -6532,7 +6532,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package ansi-regex to the fixed version: 6.0.1, 5.0.1, 4.1.1, 3.0.1 or remove the package from the image.", "name": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", "osi_layer": "NOT_APPLICABLE", 
@@ -6710,7 +6710,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package ansi-regex to the fixed version: 6.0.1, 5.0.1, 4.1.1, 3.0.1 or remove the package from the image.", "name": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", "osi_layer": "NOT_APPLICABLE", @@ -6888,7 +6888,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package ansi-regex to the fixed version: 6.0.1, 5.0.1, 4.1.1, 3.0.1 or remove the package from the image.", "name": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", "osi_layer": "NOT_APPLICABLE", @@ -7058,7 +7058,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package async to the fixed version: 3.2.2, 2.6.4 or remove the package from the image.", "name": "async: Prototype Pollution in async", "osi_layer": "NOT_APPLICABLE", 
@@ -7196,7 +7196,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package async to the fixed version: 3.2.2, 2.6.4 or remove the package from the image.", "name": "async: Prototype Pollution in async", "osi_layer": "NOT_APPLICABLE", @@ -7334,7 +7334,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package async to the fixed version: 3.2.2, 2.6.4 or remove the package from the image.", "name": "async: Prototype Pollution in async", "osi_layer": "NOT_APPLICABLE", @@ -7452,7 +7452,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "\`base64url\` allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package base64url to the fixed version: >=3.0.0 or remove the package from the image.", "name": "Out-of-bounds Read", "osi_layer": "NOT_APPLICABLE", 
@@ -7497,7 +7497,7 @@ exports[`parses bkimminich/juice-shop:v10.2.0 result file into findings 1`] = ` ## Recommendation Update to version 3.0.0 or later.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package base64url to the fixed version: 3.0.0 or remove the package from the image.", "name": "Out-of-bounds Read in base64url", "osi_layer": "NOT_APPLICABLE", @@ -7543,7 +7543,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package bl to the fixed version: 1.2.3, 2.2.1, 3.0.1, 4.0.3 or remove the package from the image.", "name": "nodejs-bl: buffer over-read vulnerability leads to corrupted BufferList which can result in uninitialized memory being leaked", "osi_layer": "NOT_APPLICABLE", 
@@ -7621,7 +7621,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package bl to the fixed version: 1.2.3, 2.2.1, 3.0.1, 4.0.3 or remove the package from the image.", "name": "nodejs-bl: buffer over-read vulnerability leads to corrupted BufferList which can result in uninitialized memory being leaked", "osi_layer": "NOT_APPLICABLE", @@ -7695,7 +7695,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package body-parser to the fixed version: 1.20.3 or remove the package from the image.", "name": "body-parser: Denial of Service Vulnerability in body-parser", "osi_layer": "NOT_APPLICABLE", 
@@ -7758,7 +7758,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "The NPM package \`braces\`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In \`lib/parse.js,\` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package braces to the fixed version: 3.0.3 or remove the package from the image.", "name": "braces: fails to limit the number of characters it can handle", "osi_layer": "NOT_APPLICABLE", @@ -7839,7 +7839,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package color-string to the fixed version: 1.5.5 or remove the package from the image.", "name": "nodejs-color-string: Regular expression denial of service when the application is provided and checks a crafted invalid HWB string", "osi_layer": "NOT_APPLICABLE", 
@@ -7910,7 +7910,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package cookie to the fixed version: 0.7.0 or remove the package from the image.", "name": "cookie: cookie accepts cookie name, path, and domain with out of bounds characters", "osi_layer": "NOT_APPLICABLE", @@ -7973,7 +7973,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package cookie to the fixed version: 0.7.0 or remove the package from the image.", "name": "cookie: cookie accepts cookie name, path, and domain with out of bounds characters", "osi_layer": "NOT_APPLICABLE", 
@@ -8037,7 +8037,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 4.2.0 contains a patch for this issue. As a workaround, configure crypto-js to use SHA256 with at least 250,000 iterations.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package crypto-js to the fixed version: 4.2.0 or remove the package from the image.", "name": "crypto-js: PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard", "osi_layer": "NOT_APPLICABLE", @@ -8113,7 +8113,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package debug to the fixed version: 2.6.9, 3.1.0, 3.2.7, 4.3.1 or remove the package from the image.", "name": "nodejs-debug: Regular expression Denial of Service", "osi_layer": "NOT_APPLICABLE", 
@@ -8221,7 +8221,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package debug to the fixed version: 2.6.9, 3.1.0, 3.2.7, 4.3.1 or remove the package from the image.", "name": "nodejs-debug: Regular expression Denial of Service", "osi_layer": "NOT_APPLICABLE", @@ -8329,7 +8329,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package debug to the fixed version: 2.6.9, 3.1.0, 3.2.7, 4.3.1 or remove the package from the image.", "name": "nodejs-debug: Regular expression Denial of Service", "osi_layer": "NOT_APPLICABLE", 
@@ -8437,7 +8437,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package debug to the fixed version: 2.6.9, 3.1.0, 3.2.7, 4.3.1 or remove the package from the image.", "name": "nodejs-debug: Regular expression Denial of Service", "osi_layer": "NOT_APPLICABLE", @@ -8545,7 +8545,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package debug to the fixed version: 2.6.9, 3.1.0, 3.2.7, 4.3.1 or remove the package from the image.", "name": "nodejs-debug: Regular expression Denial of Service", "osi_layer": "NOT_APPLICABLE", 
@@ -8653,7 +8653,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package debug to the fixed version: 2.6.9, 3.1.0, 3.2.7, 4.3.1 or remove the package from the image.", "name": "nodejs-debug: Regular expression Denial of Service", "osi_layer": "NOT_APPLICABLE", @@ -8761,7 +8761,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package debug to the fixed version: 2.6.9, 3.1.0, 3.2.7, 4.3.1 or remove the package from the image.", "name": "nodejs-debug: Regular expression Denial of Service", "osi_layer": "NOT_APPLICABLE", @@ -8877,7 +8877,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package decode-uri-component to the fixed version: 0.2.1 or remove the package from the image.", "name": "decode-uri-component: improper input validation resulting in DoS", "osi_layer": "NOT_APPLICABLE", 
@@ -9025,7 +9025,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package decode-uri-component to the fixed version: 0.2.1 or remove the package from the image.", "name": "decode-uri-component: improper input validation resulting in DoS", "osi_layer": "NOT_APPLICABLE", @@ -9160,7 +9160,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package dicer to the fixed version: undefined or remove the package from the image.", "name": "dicer: nodejs service crash by sending a crafted payload", "osi_layer": "NOT_APPLICABLE", @@ -9237,7 +9237,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package diff to the fixed version: 3.5.0 or remove the package from the image.", "name": "Regular Expression Denial of Service (ReDoS)", "osi_layer": "NOT_APPLICABLE", 
@@ -9290,7 +9290,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package dot-prop to the fixed version: 4.2.1, 5.1.1 or remove the package from the image.", "name": "nodejs-dot-prop: prototype pollution", "osi_layer": "NOT_APPLICABLE", @@ -9377,7 +9377,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "Versions of the package dottie before 2.0.4 are vulnerable to Prototype Pollution due to insufficient checks, via the set() function and the current variable in the /dottie.js file.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package dottie to the fixed version: 2.0.4 or remove the package from the image.", "name": "Versions of the package dottie before 2.0.4 are vulnerable to Prototyp ...", "osi_layer": "NOT_APPLICABLE", 
@@ -9442,7 +9442,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package engine.io to the fixed version: 3.6.0 or remove the package from the image.", "name": "yarnpkg-socket.io/engine.io: allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport", "osi_layer": "NOT_APPLICABLE", @@ -9513,7 +9513,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package, including those who uses depending packages like socket.io. There is no known workaround except upgrading to a safe version. There are patches for this issue released in versions 3.6.1 and 6.2.1.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package engine.io to the fixed version: 3.6.1, 6.2.1 or remove the package from the image.", "name": "engine.io: Specially crafted HTTP request can trigger an uncaught exception", "osi_layer": "NOT_APPLICABLE", 
@@ -9575,7 +9575,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "es5-ext contains ECMAScript 5 extensions. Passing functions with very long names or complex default argument names into \`function#copy\` or \`function#toStringTokens\` may cause the script to stall. The vulnerability is patched in v0.10.63.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package es5-ext to the fixed version: 0.10.63 or remove the package from the image.", "name": "es5-ext contains ECMAScript 5 extensions. Passing functions with very ...", "osi_layer": "NOT_APPLICABLE", @@ -9637,7 +9637,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode [using \`encodeurl\`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the \`location\` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is \`res.location()\` but this is also called from within \`res.redirect()\`. The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package express to the fixed version: 4.19.2, 5.0.0-beta.3 or remove the package from the image.", "name": "express: cause malformed URLs to be evaluated", "osi_layer": "NOT_APPLICABLE", 
@@ -9711,7 +9711,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package express to the fixed version: 4.20.0, 5.0.0 or remove the package from the image.", "name": "express: Improper Input Handling in Express Redirects", "osi_layer": "NOT_APPLICABLE", @@ -9766,7 +9766,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt - You do not have **algorithms** configured in your express-jwt configuration. - You are using libraries such as jwks-rsa as the **secret**. You can fix this by specifying **algorithms** in the express-jwt configuration. See linked GHSA for example. This is also fixed in version 6.0.0.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package express-jwt to the fixed version: 6.0.0 or remove the package from the image.", "name": "Authorization bypass in express-jwt", "osi_layer": "NOT_APPLICABLE", 
@@ -9813,7 +9813,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package getobject to the fixed version: 1.0.0 or remove the package from the image.", "name": "nodejs-getobject: Prototype pollution could result in DoS and RCE", "osi_layer": "NOT_APPLICABLE", @@ -9892,7 +9892,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package got to the fixed version: 12.1.0, 11.8.5 or remove the package from the image.", "name": "nodejs-got: missing verification of requested URLs allows redirects to UNIX sockets", "osi_layer": "NOT_APPLICABLE", @@ -10035,7 +10035,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package got to the fixed version: 12.1.0, 11.8.5 or remove the package from the image.", "name": "nodejs-got: missing verification of requested URLs allows redirects to UNIX sockets", "osi_layer": "NOT_APPLICABLE", 
@@ -10165,7 +10165,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package growl to the fixed version: 1.10.0 or remove the package from the image.", "name": "nodejs-growl: Does not properly sanitize input before passing it to exec", "osi_layer": "NOT_APPLICABLE", @@ -10244,7 +10244,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package grunt to the fixed version: 1.3.0 or remove the package from the image.", "name": "The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execut ...", "osi_layer": "NOT_APPLICABLE", 
@@ -10324,7 +10324,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package grunt to the fixed version: 1.5.3 or remove the package from the image.", "name": "gruntjs: race condition leading to arbitrary file write", "osi_layer": "NOT_APPLICABLE", @@ -10395,7 +10395,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "Path Traversal in GitHub repository gruntjs/grunt prior to 1.5.2.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package grunt to the fixed version: 1.5.2 or remove the package from the image.", "name": "Path Traversal in GitHub repository gruntjs/grunt prior to 1.5.2.", "osi_layer": "NOT_APPLICABLE", 
@@ -10482,7 +10482,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package hosted-git-info to the fixed version: 2.8.9, 3.0.8 or remove the package from the image.", "name": "nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl()", "osi_layer": "NOT_APPLICABLE", @@ -10585,7 +10585,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package hosted-git-info to the fixed version: 2.8.9, 3.0.8 or remove the package from the image.", "name": "nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl()", "osi_layer": "NOT_APPLICABLE", 
@@ -10709,7 +10709,7 @@ Update to version 3.0.0 or later.", "description": "This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library. ", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package http-cache-semantics to the fixed version: 4.1.1 or remove the package from the image.", "name": "http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability", "osi_layer": "NOT_APPLICABLE", @@ -10909,7 +10909,7 @@ Update to version 3.0.0 or later.", "description": "This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library. ", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package http-cache-semantics to the fixed version: 4.1.1 or remove the package from the image.", "name": "http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability", "osi_layer": "NOT_APPLICABLE", 
@@ -11096,7 +11096,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package ini to the fixed version: 1.3.6 or remove the package from the image.", "name": "nodejs-ini: Prototype pollution via malicious INI file", "osi_layer": "NOT_APPLICABLE", @@ -11239,7 +11239,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package ini to the fixed version: 1.3.6 or remove the package from the image.", "name": "nodejs-ini: Prototype pollution via malicious INI file", "osi_layer": "NOT_APPLICABLE", 
@@ -11367,7 +11367,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package ip to the fixed version: undefined or remove the package from the image.", "name": "node-ip: Incomplete fix for CVE-2023-42282", "osi_layer": "NOT_APPLICABLE", @@ -11441,7 +11441,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package ip to the fixed version: 2.0.1, 1.1.9 or remove the package from the image.", "name": "nodejs-ip: arbitrary code execution via the isPublic() function", "osi_layer": "NOT_APPLICABLE", @@ -11539,7 +11539,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package json-schema to the fixed version: 0.4.0 or remove the package from the image.", "name": "nodejs-json-schema: Prototype pollution vulnerability", "osi_layer": "NOT_APPLICABLE", 
@@ -11637,7 +11637,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package json-schema to the fixed version: 0.4.0 or remove the package from the image.", "name": "nodejs-json-schema: Prototype pollution vulnerability", "osi_layer": "NOT_APPLICABLE", 
@@ -11735,7 +11735,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The \`parse\` method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named \`__proto__\`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by \`JSON5.parse\` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from \`JSON5.parse\`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. \`JSON5.parse\` should restrict parsing of \`__proto__\` keys when parsing JSON strings to objects. As a point of reference, the \`JSON.parse\` method included in JavaScript ignores \`__proto__\` keys. Simply changing \`JSON5.parse\` to \`JSON.parse\` in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package json5 to the fixed version: 2.2.2, 1.0.2 or remove the package from the image.", "name": "json5: Prototype Pollution in JSON5 via Parse Method", "osi_layer": "NOT_APPLICABLE", 
@@ -11829,7 +11829,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package jsonwebtoken to the fixed version: 4.2.2 or remove the package from the image.", "name": "nodejs-jsonwebtoken: verification step bypass with an altered token", "osi_layer": "NOT_APPLICABLE", 
@@ -11905,7 +11905,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "Versions \`<=8.5.1\` of \`jsonwebtoken\` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the \`allowInvalidAsymmetricKeyTypes\` option to \`true\` in the \`sign()\` and/or \`verify()\` functions.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package jsonwebtoken to the fixed version: 9.0.0 or remove the package from the image.", "name": "jsonwebtoken: Unrestricted key type could lead to legacy keys usagen", "osi_layer": "NOT_APPLICABLE", 
@@ -11968,7 +11968,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "It is possible for an attacker to bypass verification when "a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)" [1]", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package jsonwebtoken to the fixed version: >=4.2.2 or remove the package from the image.", "name": "Verification Bypass", "osi_layer": "NOT_APPLICABLE", @@ -12017,7 +12017,7 @@ Update to version 3.0.0 or later.", "category": "NPM Package Vulnerability", "description": "In versions \`<=8.5.1\` of \`jsonwebtoken\` library, lack of algorithm definition in the \`jwt.verify()\` function can lead to signature validation bypass due to defaulting to the \`none\` algorithm for signature verification. Users are affected if you do not specify algorithms in the \`jwt.verify()\` function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the \`jwt.verify()\` method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the \`none\` algorithm. If you need 'none' algorithm, you have to explicitly specify that in \`jwt.verify()\` options. ", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package jsonwebtoken to the fixed version: 9.0.0 or remove the package from the image.", "name": "jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass", "osi_layer": "NOT_APPLICABLE", 
@@ -12086,7 +12086,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "jsonwebtoken is an implementation of JSON Web Tokens. Versions \`<= 8.5.1\` of \`jsonwebtoken\` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the \`secretOrPublicKey\` argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package jsonwebtoken to the fixed version: 9.0.0 or remove the package from the image.", "name": "jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC", "osi_layer": "NOT_APPLICABLE", 
@@ -12160,7 +12160,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package jsonwebtoken to the fixed version: 4.2.2 or remove the package from the image.", "name": "nodejs-jsonwebtoken: verification step bypass with an altered token", "osi_layer": "NOT_APPLICABLE", 
@@ -12236,7 +12236,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "Versions \`<=8.5.1\` of \`jsonwebtoken\` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the \`allowInvalidAsymmetricKeyTypes\` option to \`true\` in the \`sign()\` and/or \`verify()\` functions.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package jsonwebtoken to the fixed version: 9.0.0 or remove the package from the image.", "name": "jsonwebtoken: Unrestricted key type could lead to legacy keys usagen", "osi_layer": "NOT_APPLICABLE", 
@@ -12299,7 +12299,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "It is possible for an attacker to bypass verification when "a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)" [1]", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package jsonwebtoken to the fixed version: >=4.2.2 or remove the package from the image.", "name": "Verification Bypass", "osi_layer": "NOT_APPLICABLE", @@ -12348,7 +12348,7 @@ Update to version 3.0.0 or later.", "category": "NPM Package Vulnerability", "description": "In versions \`<=8.5.1\` of \`jsonwebtoken\` library, lack of algorithm definition in the \`jwt.verify()\` function can lead to signature validation bypass due to defaulting to the \`none\` algorithm for signature verification. Users are affected if you do not specify algorithms in the \`jwt.verify()\` function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the \`jwt.verify()\` method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the \`none\` algorithm. If you need 'none' algorithm, you have to explicitly specify that in \`jwt.verify()\` options. ", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package jsonwebtoken to the fixed version: 9.0.0 or remove the package from the image.", "name": "jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass", "osi_layer": "NOT_APPLICABLE", 
@@ -12417,7 +12417,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "jsonwebtoken is an implementation of JSON Web Tokens. Versions \`<= 8.5.1\` of \`jsonwebtoken\` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the \`secretOrPublicKey\` argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package jsonwebtoken to the fixed version: 9.0.0 or remove the package from the image.", "name": "jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC", "osi_layer": "NOT_APPLICABLE", 
@@ -12492,7 +12492,7 @@ Update to version 3.0.0 or later.", In addition, there is the \`none\` algorithm to be concerned about. In versions prior to 3.0.0, verification of the token could be bypassed when the \`alg\` field is set to \`none\`. *Edit ( 7/29/16 ): A previous version of this advisory incorrectly stated that the vulnerability was patched in version 2.0.0 instead of 3.0.0. The advisory has been updated to reflect this new information. Thanks to Fabien Catteau for reporting the error.*", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package jws to the fixed version: >=3.0.0 or remove the package from the image.", "name": "Forgeable Public/Private Tokens", "osi_layer": "NOT_APPLICABLE", @@ -12553,7 +12553,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions }, "category": "NPM Package Vulnerability", "description": "libxmljs2 is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking a function on the result of attrs() that was called on a parsed node. This vulnerability might lead to denial of service (on both 32-bit systems and 64-bit systems), data leak, infinite loop and remote code execution (on 32-bit systems with the XML_PARSE_HUGE flag enabled).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package libxmljs2 to the fixed version: undefined or remove the package from the image.", "name": "libxmljs2 type confusion vulnerability when parsing specially crafted XML", "osi_layer": "NOT_APPLICABLE", 
@@ -12606,7 +12606,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions }, "category": "NPM Package Vulnerability", "description": "libxmljs2 is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking the namespaces() function (which invokes XmlNode::get_local_namespaces()) on a grand-child of a node that refers to an entity. This vulnerability can lead to denial of service and remote code execution.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package libxmljs2 to the fixed version: undefined or remove the package from the image.", "name": "libxmljs2 vulnerable to type confusion when parsing specially crafted XML", "osi_layer": "NOT_APPLICABLE", @@ -12667,7 +12667,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions }, "category": "NPM Package Vulnerability", "description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package lodash to the fixed version: 4.17.12 or remove the package from the image.", "name": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties", "osi_layer": "NOT_APPLICABLE", 
@@ -12756,7 +12756,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions }, "category": "NPM Package Vulnerability", "description": "A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package lodash to the fixed version: >=4.17.11 or remove the package from the image.", "name": "lodash: Prototype pollution in utilities function", "osi_layer": "NOT_APPLICABLE", @@ -12840,7 +12840,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions }, "category": "NPM Package Vulnerability", "description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package lodash to the fixed version: 4.17.21 or remove the package from the image.", "name": "nodejs-lodash: command injection via template", "osi_layer": "NOT_APPLICABLE", 
@@ -12957,7 +12957,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions }, "category": "NPM Package Vulnerability", "description": "lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package lodash to the fixed version: 4.17.11 or remove the package from the image.", "name": "lodash: uncontrolled resource consumption in Data handler causing denial of service", "osi_layer": "NOT_APPLICABLE", @@ -13043,7 +13043,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions }, "category": "NPM Package Vulnerability", "description": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package lodash to the fixed version: 4.17.21 or remove the package from the image.", "name": "nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions", "osi_layer": "NOT_APPLICABLE", 
@@ -13168,7 +13168,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions }, "category": "NPM Package Vulnerability", "description": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package lodash to the fixed version: >=4.17.5 or remove the package from the image.", "name": "lodash: Prototype pollution in utilities function", "osi_layer": "NOT_APPLICABLE", @@ -13245,7 +13245,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions }, "category": "NPM Package Vulnerability", "description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package lodash to the fixed version: 4.17.12 or remove the package from the image.", "name": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties", "osi_layer": "NOT_APPLICABLE", 
@@ -13345,7 +13345,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions }, "category": "NPM Package Vulnerability", "description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package lodash to the fixed version: 4.17.19 or remove the package from the image.", "name": "nodejs-lodash: prototype pollution in zipObjectDeep function", "osi_layer": "NOT_APPLICABLE", @@ -13473,7 +13473,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions }, "category": "NPM Package Vulnerability", "description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package lodash to the fixed version: 4.17.21 or remove the package from the image.", "name": "nodejs-lodash: command injection via template", "osi_layer": "NOT_APPLICABLE", @@ -13603,7 +13603,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions }, "category": "NPM Package Vulnerability", "description": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package lodash to the fixed version: 4.17.21 or remove the package from the image.", "name": "nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions", "osi_layer": "NOT_APPLICABLE", 
@@ -13739,7 +13739,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions }, "category": "NPM Package Vulnerability", "description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package lodash to the fixed version: 4.17.19 or remove the package from the image.", "name": "nodejs-lodash: prototype pollution in zipObjectDeep function", "osi_layer": "NOT_APPLICABLE", @@ -13867,7 +13867,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions }, "category": "NPM Package Vulnerability", "description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package lodash to the fixed version: 4.17.21 or remove the package from the image.", "name": "nodejs-lodash: command injection via template", "osi_layer": "NOT_APPLICABLE", @@ -13978,7 +13978,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions }, "category": "NPM Package Vulnerability", "description": "Prototype pollution attack (lodash)", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package lodash to the fixed version: >=4.17.19 or remove the package from the image.", "name": "Allocation of Resources Without Limits or Throttling", "osi_layer": "NOT_APPLICABLE", 
@@ -14040,7 +14040,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions }, "category": "NPM Package Vulnerability", "description": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package lodash to the fixed version: 4.17.21 or remove the package from the image.", "name": "nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions", "osi_layer": "NOT_APPLICABLE", @@ -14176,7 +14176,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions }, "category": "NPM Package Vulnerability", "description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package lodash.set to the fixed version: undefined or remove the package from the image.", "name": "nodejs-lodash: prototype pollution in zipObjectDeep function", "osi_layer": "NOT_APPLICABLE", @@ -14291,7 +14291,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions ## Recommendation No fix is currently available. Consider using an alternative package until a fix is made available.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package marsdb to the fixed version: undefined or remove the package from the image.", "name": "Command Injection in marsdb", "osi_layer": "NOT_APPLICABLE", 
@@ -14334,7 +14334,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "The NPM package \`micromatch\` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in \`micromatch.braces()\` in \`index.js\` because the pattern \`.*\` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. This issue was fixed in version 4.0.8.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package micromatch to the fixed version: 4.0.8 or remove the package from the image.", "name": "micromatch: vulnerable to Regular Expression Denial of Service", "osi_layer": "NOT_APPLICABLE", @@ -14454,7 +14454,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package minimatch to the fixed version: 3.0.5 or remove the package from the image.", "name": "nodejs-minimatch: ReDoS via the braceExpand function", "osi_layer": "NOT_APPLICABLE", 
@@ -14642,7 +14642,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package minimatch to the fixed version: 3.0.5 or remove the package from the image.", "name": "nodejs-minimatch: ReDoS via the braceExpand function", "osi_layer": "NOT_APPLICABLE", @@ -14835,7 +14835,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package minimist to the fixed version: 1.2.6, 0.2.4 or remove the package from the image.", "name": "minimist: prototype pollution", "osi_layer": "NOT_APPLICABLE", 
@@ -15025,7 +15025,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package minimist to the fixed version: 0.2.1, 1.2.3 or remove the package from the image.", "name": "nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload", "osi_layer": "NOT_APPLICABLE", @@ -15146,7 +15146,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package minimist to the fixed version: 1.2.6, 0.2.4 or remove the package from the image.", "name": "minimist: prototype pollution", "osi_layer": "NOT_APPLICABLE", @@ -15359,7 +15359,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package minimist to the fixed version: 1.2.6, 0.2.4 or remove the package from the image.", "name": "minimist: prototype pollution", "osi_layer": "NOT_APPLICABLE", 
@@ -15572,7 +15572,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package minimist to the fixed version: 1.2.6, 0.2.4 or remove the package from the image.", "name": "minimist: prototype pollution", "osi_layer": "NOT_APPLICABLE", @@ -15759,7 +15759,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package moment to the fixed version: 2.19.3 or remove the package from the image.", "name": "nodejs-moment: Regular expression denial of service", "osi_layer": "NOT_APPLICABLE", 
@@ -15846,7 +15846,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package moment to the fixed version: 2.29.2 or remove the package from the image.", "name": "Moment.js: Path traversal in moment.locale", "osi_layer": "NOT_APPLICABLE", @@ -15954,7 +15954,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a "regular expression Denial of Service (ReDoS)."", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package moment to the fixed version: >=2.11.2 or remove the package from the image.", "name": "moment.js: regular expression denial of service", "osi_layer": "NOT_APPLICABLE", 
@@ -16077,7 +16077,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package moment to the fixed version: 2.29.2 or remove the package from the image.", "name": "Moment.js: Path traversal in moment.locale", "osi_layer": "NOT_APPLICABLE", @@ -16180,7 +16180,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package moment to the fixed version: 2.29.2 or remove the package from the image.", "name": "Moment.js: Path traversal in moment.locale", "osi_layer": "NOT_APPLICABLE", 
@@ -16283,7 +16283,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package moment to the fixed version: 2.29.2 or remove the package from the image.", "name": "Moment.js: Path traversal in moment.locale", "osi_layer": "NOT_APPLICABLE", @@ -16386,7 +16386,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package moment to the fixed version: 2.29.2 or remove the package from the image.", "name": "Moment.js: Path traversal in moment.locale", "osi_layer": "NOT_APPLICABLE", 
@@ -16499,7 +16499,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package moment to the fixed version: 2.29.4 or remove the package from the image.", "name": "moment: inefficient parsing algorithm resulting in DoS", "osi_layer": "NOT_APPLICABLE", 
@@ -16652,7 +16652,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package moment to the fixed version: 2.29.4 or remove the package from the image.", "name": "moment: inefficient parsing algorithm resulting in DoS", "osi_layer": "NOT_APPLICABLE", 
@@ -16805,7 +16805,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package moment to the fixed version: 2.29.4 or remove the package from the image.", "name": "moment: inefficient parsing algorithm resulting in DoS", "osi_layer": "NOT_APPLICABLE", 
@@ -16958,7 +16958,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package moment to the fixed version: 2.29.4 or remove the package from the image.", "name": "moment: inefficient parsing algorithm resulting in DoS", "osi_layer": "NOT_APPLICABLE", @@ -17099,7 +17099,7 @@ Problem has been patched in version 0.5.35, patch should be applicable with mino ### Workarounds Specify the exact version of tzdata (like \`2014d\`, full command being \`grunt data:2014d\`, then run the rest of the release tasks by hand), or just apply the patch before issuing the grunt command. ", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package moment-timezone to the fixed version: 0.5.35 or remove the package from the image.", "name": "Cleartext Transmission of Sensitive Information in moment-timezone", "osi_layer": "NOT_APPLICABLE", 
@@ -17233,7 +17233,7 @@ The supplied patch on top of 0.5.34 is applicable with minor tweaks to all affec * https://knowledge-base.secureflag.com/vulnerabilities/code_injection/os_command_injection_nodejs.html * https://auth0.com/blog/preventing-command-injection-attacks-in-node-js-apps/", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package moment-timezone to the fixed version: 0.5.35 or remove the package from the image.", "name": "Command Injection in moment-timezone", "osi_layer": "NOT_APPLICABLE", @@ -17272,7 +17272,7 @@ The supplied patch on top of 0.5.34 is applicable with minor tweaks to all affec }, "category": "NPM Package Vulnerability", "description": "This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn 'mixes objects into the target object, recursively mixing existing child objects as well'. In both cases, the key used to access the target object recursively is not checked, leading to a Prototype Pollution.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package mout to the fixed version: 1.2.3 or remove the package from the image.", "name": "Prototype Pollution in mout", "osi_layer": "NOT_APPLICABLE", 
@@ -17337,7 +17337,7 @@ The supplied patch on top of 0.5.34 is applicable with minor tweaks to all affec }, "category": "NPM Package Vulnerability", "description": "This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn mixes objects into the target object, recursively mixing existing child objects as well. In both cases, the key used to access the target object recursively is not checked, leading to exploiting this vulnerability. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7792](https://security.snyk.io/vuln/SNYK-JS-MOUT-1014544).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package mout to the fixed version: 1.2.4 or remove the package from the image.", "name": "Prototype Pollution in mout", "osi_layer": "NOT_APPLICABLE", @@ -17405,7 +17405,7 @@ The supplied patch on top of 0.5.34 is applicable with minor tweaks to all affec }, "category": "NPM Package Vulnerability", "description": "This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. **Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package notevil to the fixed version: undefined or remove the package from the image.", "name": "Sandbox escape in notevil and argencoders-notevil", "osi_layer": "NOT_APPLICABLE", 
@@ -17464,7 +17464,7 @@ The supplied patch on top of 0.5.34 is applicable with minor tweaks to all affec }, "category": "NPM Package Vulnerability", "description": "Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also to any generated log files.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package npm to the fixed version: 6.14.6 or remove the package from the image.", "name": "npm: sensitive information exposure through logs", "osi_layer": "NOT_APPLICABLE", @@ -17557,7 +17557,7 @@ The supplied patch on top of 0.5.34 is applicable with minor tweaks to all affec }, "category": "NPM Package Vulnerability", "description": "Affected versions of \`npm-registry-fetch\` are vulnerable to an information exposure vulnerability through log files. The cli supports URLs like \`://[[:]@][:][:][/]\`. The password value is not redacted and is printed to stdout and also to any generated log files.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package npm-registry-fetch to the fixed version: 4.0.5, 8.1.1 or remove the package from the image.", "name": "Sensitive information exposure through logs in npm-registry-fetch", "osi_layer": "NOT_APPLICABLE", 
@@ -17607,7 +17607,7 @@ The supplied patch on top of 0.5.34 is applicable with minor tweaks to all affec }, "category": "NPM Package Vulnerability", "description": "This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package npm-user-validate to the fixed version: 1.0.1 or remove the package from the image.", "name": "nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS", "osi_layer": "NOT_APPLICABLE", @@ -17685,7 +17685,7 @@ The issue is patched in version 1.0.1 by improving the regular expression used a ### Workarounds Restrict the character length to a reasonable degree before passing a value to \`.emal()\`; Also, consider doing a more rigorous sanitizing/validation beforehand.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package npm-user-validate to the fixed version: 1.0.1 or remove the package from the image.", "name": "Regular Expression Denial of Service in npm-user-validate", "osi_layer": "NOT_APPLICABLE", 
@@ -17741,7 +17741,7 @@ Restrict the character length to a reasonable degree before passing a value to \ }, "category": "NPM Package Vulnerability", "description": "All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package path-parse to the fixed version: 1.0.7 or remove the package from the image.", "name": "nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe", "osi_layer": "NOT_APPLICABLE", @@ -17929,7 +17929,7 @@ Restrict the character length to a reasonable degree before passing a value to \ }, "category": "NPM Package Vulnerability", "description": "All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package path-parse to the fixed version: 1.0.7 or remove the package from the image.", "name": "nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe", "osi_layer": "NOT_APPLICABLE", 
@@ -18096,7 +18096,7 @@ Restrict the character length to a reasonable degree before passing a value to \ }, "category": "NPM Package Vulnerability", "description": "path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package path-to-regexp to the fixed version: 1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0 or remove the package from the image.", "name": "path-to-regexp: Backtracking regular expressions cause ReDoS", "osi_layer": "NOT_APPLICABLE", 
@@ -18178,7 +18178,7 @@ Restrict the character length to a reasonable degree before passing a value to \ }, "category": "NPM Package Vulnerability", "description": "Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the \`pretty\` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages including "pug", "pug-code-gen". pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for un-trusted input to be passed to pug as the \`pretty\` option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package pug to the fixed version: 3.0.1 or remove the package from the image.", "name": "pug: user provided objects as input to pug templates can achieve remote code execution", "osi_layer": "NOT_APPLICABLE", 
@@ -18256,7 +18256,7 @@ Restrict the character length to a reasonable degree before passing a value to \ }, "category": "NPM Package Vulnerability", "description": "Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package pug to the fixed version: 3.0.3 or remove the package from the image.", "name": "Pug allows JavaScript code execution if an application accepts untrusted input", "osi_layer": "NOT_APPLICABLE", 
@@ -18334,7 +18334,7 @@ Restrict the character length to a reasonable degree before passing a value to \ }, "category": "NPM Package Vulnerability", "description": "Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the \`pretty\` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages including "pug", "pug-code-gen". pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for un-trusted input to be passed to pug as the \`pretty\` option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package pug-code-gen to the fixed version: 2.0.3, 3.0.2 or remove the package from the image.", "name": "pug: user provided objects as input to pug templates can achieve remote code execution", "osi_layer": "NOT_APPLICABLE", 
@@ -18412,7 +18412,7 @@ Restrict the character length to a reasonable degree before passing a value to \ }, "category": "NPM Package Vulnerability", "description": "Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package pug-code-gen to the fixed version: 3.0.3 or remove the package from the image.", "name": "Pug allows JavaScript code execution if an application accepts untrusted input", "osi_layer": "NOT_APPLICABLE", 
@@ -18507,7 +18507,7 @@ Restrict the character length to a reasonable degree before passing a value to \ }, "category": "NPM Package Vulnerability", "description": "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package qs to the fixed version: 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4 or remove the package from the image.", "name": "express: "qs" prototype poisoning causes the hang of the node process", "osi_layer": "NOT_APPLICABLE", 
@@ -18670,7 +18670,7 @@ Restrict the character length to a reasonable degree before passing a value to \ }, "category": "NPM Package Vulnerability", "description": "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package qs to the fixed version: 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4 or remove the package from the image.", "name": "express: "qs" prototype poisoning causes the hang of the node process", "osi_layer": "NOT_APPLICABLE", 
@@ -18833,7 +18833,7 @@ Restrict the character length to a reasonable degree before passing a value to \ }, "category": "NPM Package Vulnerability", "description": "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package qs to the fixed version: 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4 or remove the package from the image.", "name": "express: "qs" prototype poisoning causes the hang of the node process", "osi_layer": "NOT_APPLICABLE", @@ -18982,7 +18982,7 @@ Restrict the character length to a reasonable degree before passing a value to \ }, "category": "NPM Package Vulnerability", "description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package request to the fixed version: undefined or remove the package from the image.", "name": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF ...", "osi_layer": "NOT_APPLICABLE", 
@@ -19075,7 +19075,7 @@ Restrict the character length to a reasonable degree before passing a value to \ }, "category": "NPM Package Vulnerability", "description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package request to the fixed version: undefined or remove the package from the image.", "name": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF ...", "osi_layer": "NOT_APPLICABLE", @@ -19162,7 +19162,7 @@ Restrict the character length to a reasonable degree before passing a value to \ }, "category": "NPM Package Vulnerability", "description": "The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package sanitize-html to the fixed version: 2.7.1 or remove the package from the image.", "name": "sanitize-html: insecure global regular expression replacement logic may lead to ReDoS", "osi_layer": "NOT_APPLICABLE", 
@@ -19225,7 +19225,7 @@ Restrict the character length to a reasonable degree before passing a value to \ }, "category": "NPM Package Vulnerability", "description": "sanitize-html before 1.4.3 has XSS.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package sanitize-html to the fixed version: >=1.4.3 or remove the package from the image.", "name": "XSS - Sanitization not applied recursively", "osi_layer": "NOT_APPLICABLE", @@ -19289,7 +19289,7 @@ Restrict the character length to a reasonable degree before passing a value to \ }, "category": "NPM Package Vulnerability", "description": "Sanitize-html is a library for scrubbing html input of malicious values. Versions 1.11.1 and below are vulnerable to cross site scripting (XSS) in certain scenarios: If allowed at least one nonTextTags, the result is a potential XSS vulnerability.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package sanitize-html to the fixed version: 1.11.4 or remove the package from the image.", "name": "Cross-Site Scripting in sanitize-html", "osi_layer": "NOT_APPLICABLE", 
@@ -19357,7 +19357,7 @@ Restrict the character length to a reasonable degree before passing a value to \ }, "category": "NPM Package Vulnerability", "description": "Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the "allowedIframeHostnames" option.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package sanitize-html to the fixed version: 2.3.1 or remove the package from the image.", "name": "sanitize-html: improper handling of internationalized domain name (IDN) can lead to bypass hostname whitelist validation", "osi_layer": "NOT_APPLICABLE", @@ -19423,7 +19423,7 @@ Restrict the character length to a reasonable degree before passing a value to \ }, "category": "NPM Package Vulnerability", "description": "Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with "/\\\\example.com".", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package sanitize-html to the fixed version: 2.3.2 or remove the package from the image.", "name": "sanitize-html: improper validation of hostnames set by the "allowedIframeHostnames" option can lead to bypass hostname whitelist for iframe element", "osi_layer": "NOT_APPLICABLE", 
@@ -19489,7 +19489,7 @@ Restrict the character length to a reasonable degree before passing a value to \ }, "category": "NPM Package Vulnerability", "description": "Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package sanitize-html to the fixed version: 2.12.1 or remove the package from the image.", "name": "sanitize-html: Information Exposure when used on the backend", "osi_layer": "NOT_APPLICABLE", @@ -19593,7 +19593,7 @@ console.log(clean); // !! \`\`\`", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package sanitize-html to the fixed version: >=1.11.4 or remove the package from the image.", "name": "Cross Site Scripting", "osi_layer": "NOT_APPLICABLE", @@ -19658,7 +19658,7 @@ console.log(clean); ", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", "name": "nodejs-semver: Regular expression denial of service", "osi_layer": "NOT_APPLICABLE", 
@@ -19819,7 +19819,7 @@ console.log(clean); ", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", "name": "nodejs-semver: Regular expression denial of service", "osi_layer": "NOT_APPLICABLE", @@ -19980,7 +19980,7 @@ console.log(clean); ", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", "name": "nodejs-semver: Regular expression denial of service", "osi_layer": "NOT_APPLICABLE", @@ -20141,7 +20141,7 @@ console.log(clean); ", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", "name": "nodejs-semver: Regular expression denial of service", "osi_layer": "NOT_APPLICABLE", @@ -20302,7 +20302,7 @@ console.log(clean); ", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", "name": "nodejs-semver: Regular expression denial of service", "osi_layer": "NOT_APPLICABLE", @@ -20463,7 +20463,7 @@ console.log(clean); ", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", "name": "nodejs-semver: Regular expression denial of service", "osi_layer": "NOT_APPLICABLE", 
@@ -20624,7 +20624,7 @@ console.log(clean); ", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", "name": "nodejs-semver: Regular expression denial of service", "osi_layer": "NOT_APPLICABLE", @@ -20785,7 +20785,7 @@ console.log(clean); ", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", "name": "nodejs-semver: Regular expression denial of service", "osi_layer": "NOT_APPLICABLE", @@ -20946,7 +20946,7 @@ console.log(clean); ", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", "name": "nodejs-semver: Regular expression denial of service", "osi_layer": "NOT_APPLICABLE", @@ -21084,7 +21084,7 @@ console.log(clean); }, "category": "NPM Package Vulnerability", "description": "Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package send to the fixed version: 0.19.0 or remove the package from the image.", "name": "send: Code Execution Vulnerability in Send Library", "osi_layer": "NOT_APPLICABLE", 
@@ -21146,7 +21146,7 @@ console.log(clean); }, "category": "NPM Package Vulnerability", "description": "Due to improper artibute filtering in the sequalize js library, can a attacker peform SQL injections.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package sequelize to the fixed version: 6.29.0 or remove the package from the image.", "name": "Sequelize - Default support for “raw attributes” when using parentheses", "osi_layer": "NOT_APPLICABLE", @@ -21225,7 +21225,7 @@ console.log(clean); }, "category": "NPM Package Vulnerability", "description": "Due to improper parameter filtering in the sequalize js library, can a attacker peform injection.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package sequelize to the fixed version: 6.28.1 or remove the package from the image.", "name": "Unsafe fall-through in getWhereConditions", "osi_layer": "NOT_APPLICABLE", @@ -21304,7 +21304,7 @@ console.log(clean); }, "category": "NPM Package Vulnerability", "description": "Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. Users unable to upgrade should not use the \`replacements\` and the \`where\` option in the same query.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package sequelize to the fixed version: 6.19.1 or remove the package from the image.", "name": "Sequelize vulnerable to SQL Injection via replacements", "osi_layer": "NOT_APPLICABLE", 
@@ -21369,7 +21369,7 @@ console.log(clean); }, "category": "NPM Package Vulnerability", "description": "Due to improper input filtering in the sequalize js library, can malicious queries lead to sensitive information disclosure.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package sequelize to the fixed version: 6.28.1 or remove the package from the image.", "name": "Sequelize information disclosure vulnerability", "osi_layer": "NOT_APPLICABLE", @@ -21440,7 +21440,7 @@ console.log(clean); }, "category": "NPM Package Vulnerability", "description": "serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package serve-static to the fixed version: 1.16.0, 2.1.0 or remove the package from the image.", "name": "serve-static: Improper Sanitization in serve-static", "osi_layer": "NOT_APPLICABLE", @@ -21508,7 +21508,7 @@ console.log(clean); "description": "Improper Removal of Sensitive Information Before Storage or Transfer in NPM simple-get prior to 4.0.1. ", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package simple-get to the fixed version: 4.0.1, 3.1.1, 2.8.2 or remove the package from the image.", "name": "simple-get: exposure of sensitive information to an unauthorized actor", "osi_layer": "NOT_APPLICABLE", 
@@ -21584,7 +21584,7 @@ console.log(clean); "category": "NPM Package Vulnerability", "description": "Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit \`15af22fc22\` which has been included in \`socket.io@4.6.2\` (released in May 2023). The fix was backported in the 2.x branch as well with commit \`d30630ba10\`. Users are advised to upgrade. Users unable to upgrade may attach a listener for the "error" event to catch these errors. ", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package socket.io to the fixed version: 2.5.1, 4.6.2 or remove the package from the image.", "name": "socket.io: Unhandled 'error' event", "osi_layer": "NOT_APPLICABLE", @@ -21646,7 +21646,7 @@ console.log(clean); }, "category": "NPM Package Vulnerability", "description": "The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package socket.io to the fixed version: 2.4.0 or remove the package from the image.", "name": "CORS misconfiguration in socket.io", "osi_layer": "NOT_APPLICABLE", 
@@ -21708,7 +21708,7 @@ console.log(clean); }, "category": "NPM Package Vulnerability", "description": "Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package socket.io-parser to the fixed version: 4.0.5, 4.2.1, 3.3.3, 3.4.2 or remove the package from the image.", "name": "Insufficient validation when decoding a Socket.IO packet", "osi_layer": "NOT_APPLICABLE", @@ -21787,7 +21787,7 @@ console.log(clean); }, "category": "NPM Package Vulnerability", "description": "socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package socket.io-parser to the fixed version: 3.3.2, 3.4.1 or remove the package from the image.", "name": "yarnpkg-socket.io-parser: a denial of service (memory consumption) via a large packet because a concatenation approach is used", "osi_layer": "NOT_APPLICABLE", 
@@ -21869,7 +21869,7 @@ console.log(clean); "description": "socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. A patch has been released in version 4.2.3. ", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package socket.io-parser to the fixed version: 4.2.3, 3.4.3, 3.3.4 or remove the package from the image.", "name": "socket.io parser is a socket.io encoder and decoder written in JavaScr ...", "osi_layer": "NOT_APPLICABLE", @@ -21939,7 +21939,7 @@ console.log(clean); }, "category": "NPM Package Vulnerability", "description": "Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package socket.io-parser to the fixed version: 4.0.5, 4.2.1, 3.3.3, 3.4.2 or remove the package from the image.", "name": "Insufficient validation when decoding a Socket.IO packet", "osi_layer": "NOT_APPLICABLE", 
@@ -22018,7 +22018,7 @@ console.log(clean); }, "category": "NPM Package Vulnerability", "description": "socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package socket.io-parser to the fixed version: 3.3.2, 3.4.1 or remove the package from the image.", "name": "yarnpkg-socket.io-parser: a denial of service (memory consumption) via a large packet because a concatenation approach is used", "osi_layer": "NOT_APPLICABLE", @@ -22100,7 +22100,7 @@ console.log(clean); "description": "socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. A patch has been released in version 4.2.3. ", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package socket.io-parser to the fixed version: 4.2.3, 3.4.3, 3.3.4 or remove the package from the image.", "name": "socket.io parser is a socket.io encoder and decoder written in JavaScr ...", "osi_layer": "NOT_APPLICABLE", 
@@ -22177,7 +22177,7 @@ console.log(clean); }, "category": "NPM Package Vulnerability", "description": "ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package ssri to the fixed version: 6.0.2, 7.1.1, 8.0.1 or remove the package from the image.", "name": "nodejs-ssri: Regular expression DoS (ReDoS) when parsing malicious SRI in strict mode", "osi_layer": "NOT_APPLICABLE", @@ -22279,7 +22279,7 @@ console.log(clean); }, "category": "NPM Package Vulnerability", "description": "The swagger-ui-dist package before 4.1.3 for Node.js could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package swagger-ui-dist to the fixed version: 4.1.3 or remove the package from the image.", "name": "Spoofing attack in swagger-ui-dist", "osi_layer": "NOT_APPLICABLE", 
@@ -22386,7 +22386,7 @@ Through the exploration of this issue, it became apparent that users may not be **Warning** in versions < 3.38.0, it is possible to combine the URL options (as mentioned above) with a vulnerability in DOMPurify (https://www.cvedetails.com/cve/CVE-2020-26870/) to create a reflected XSS vector. If your version of Swagger UI is older than 3.38.0, we suggest you upgrade or implement the workaround as mentioned above. ", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package swagger-ui-dist to the fixed version: 4.1.3 or remove the package from the image.", "name": "Server side request forgery in SwaggerUI", "osi_layer": "NOT_APPLICABLE", 
@@ -22443,7 +22443,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. \`node-tar\` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary \`stat\` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the \`node-tar\` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where \`node-tar\` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass \`node-tar\` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package tar to the fixed version: 3.2.3, 4.4.15, 5.0.7, 6.1.2 or remove the package from the image.", "name": "nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite", "osi_layer": "NOT_APPLICABLE", 
@@ -22556,7 +22556,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. \`node-tar\` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary \`stat\` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the \`node-tar\` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where \`node-tar\` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass \`node-tar\` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package tar to the fixed version: 3.2.3, 4.4.15, 5.0.7, 6.1.2 or remove the package from the image.", "name": "nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite", "osi_layer": "NOT_APPLICABLE", 
@@ -22665,7 +22665,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the \`preservePaths\` flag is not set to \`true\`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example \`/home/user/.bashrc\` would turn into \`home/user/.bashrc\`. This logic was insufficient when file paths contained repeated path roots such as \`////home/user/.bashrc\`. \`node-tar\` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. \`///home/user/.bashrc\`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom \`onentry\` method which sanitizes the \`entry.path\` or a \`filter\` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package tar to the fixed version: 3.2.2, 4.4.14, 5.0.6, 6.1.1 or remove the package from the image.", "name": "nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite", "osi_layer": "NOT_APPLICABLE", 
@@ -22758,7 +22758,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the \`preservePaths\` flag is not set to \`true\`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example \`/home/user/.bashrc\` would turn into \`home/user/.bashrc\`. This logic was insufficient when file paths contained repeated path roots such as \`////home/user/.bashrc\`. \`node-tar\` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. \`///home/user/.bashrc\`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom \`onentry\` method which sanitizes the \`entry.path\` or a \`filter\` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package tar to the fixed version: 3.2.2, 4.4.14, 5.0.6, 6.1.1 or remove the package from the image.", "name": "nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite", "osi_layer": "NOT_APPLICABLE", 
@@ -22852,7 +22852,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both \`\\\` and \`/\` characters as path separators, however \`\\\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at \`FOO\`, followed by a symbolic link named \`foo\`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the \`FOO\` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. 
These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package tar to the fixed version: 4.4.16, 5.0.8, 6.1.7 or remove the package from the image.", "name": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", "osi_layer": "NOT_APPLICABLE", 
@@ -22950,7 +22950,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both \`\\\` and \`/\` characters as path separators, however \`\\\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at \`FOO\`, followed by a symbolic link named \`foo\`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the \`FOO\` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. 
These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package tar to the fixed version: 4.4.16, 5.0.8, 6.1.7 or remove the package from the image.", "name": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", "osi_layer": "NOT_APPLICABLE", 
@@ -23054,7 +23054,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. 
If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package tar to the fixed version: 4.4.18, 5.0.10, 6.1.9 or remove the package from the image.", "name": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", "osi_layer": "NOT_APPLICABLE", 
@@ -23182,7 +23182,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. 
If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package tar to the fixed version: 4.4.18, 5.0.10, 6.1.9 or remove the package from the image.", "name": "nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite", "osi_layer": "NOT_APPLICABLE", 
@@ -23301,7 +23301,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain \`..\` path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as \`C:some\\path\`. If the drive letter does not match the extraction target, for example \`D:\\extraction\\dir\`, then the result of \`path.resolve(extractionDirectory, entryPath)\` would resolve against the current working directory on the \`C:\` drive, rather than the extraction target directory. Additionally, a \`..\` portion of the path could occur immediately after the drive letter, such as \`C:../foo\`, and was not properly sanitized by the logic that checked for \`..\` within the normalized and split portions of the path. This only affects users of \`node-tar\` on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. 
Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package tar to the fixed version: 4.4.18, 5.0.10, 6.1.9 or remove the package from the image.", "name": "nodejs-tar: Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization", "osi_layer": "NOT_APPLICABLE", 
@@ -23384,7 +23384,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain \`..\` path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as \`C:some\\path\`. If the drive letter does not match the extraction target, for example \`D:\\extraction\\dir\`, then the result of \`path.resolve(extractionDirectory, entryPath)\` would resolve against the current working directory on the \`C:\` drive, rather than the extraction target directory. Additionally, a \`..\` portion of the path could occur immediately after the drive letter, such as \`C:../foo\`, and was not properly sanitized by the logic that checked for \`..\` within the normalized and split portions of the path. This only affects users of \`node-tar\` on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. 
Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package tar to the fixed version: 4.4.18, 5.0.10, 6.1.9 or remove the package from the image.", "name": "nodejs-tar: Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization", "osi_layer": "NOT_APPLICABLE", @@ -23471,7 +23471,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package tar to the fixed version: 6.2.1 or remove the package from the image.", "name": "node-tar: denial of service while parsing a tar file due to lack of folders depth validation", "osi_layer": "NOT_APPLICABLE", 
@@ -23574,7 +23574,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package tar to the fixed version: 6.2.1 or remove the package from the image.", "name": "node-tar: denial of service while parsing a tar file due to lack of folders depth validation", "osi_layer": "NOT_APPLICABLE", @@ -23677,7 +23677,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package tough-cookie to the fixed version: 4.1.3 or remove the package from the image.", "name": "tough-cookie: prototype pollution in cookie memstore", "osi_layer": "NOT_APPLICABLE", 
@@ -23780,7 +23780,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package tough-cookie to the fixed version: 4.1.3 or remove the package from the image.", "name": "tough-cookie: prototype pollution in cookie memstore", "osi_layer": "NOT_APPLICABLE", @@ -23880,7 +23880,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package trim-newlines to the fixed version: 3.0.1, 4.0.1 or remove the package from the image.", "name": "nodejs-trim-newlines: ReDoS in .end() method", "osi_layer": "NOT_APPLICABLE", 
@@ -23962,7 +23962,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "validator.js is vulnerable to Inefficient Regular Expression Complexity", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package validator to the fixed version: 13.7.0 or remove the package from the image.", "name": "validator: Inefficient Regular Expression Complexity in Validator.js", "osi_layer": "NOT_APPLICABLE", @@ -24028,7 +24028,7 @@ Through the exploration of this issue, it became apparent that users may not be "description": "All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable. ", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package word-wrap to the fixed version: 1.2.4 or remove the package from the image.", "name": "word-wrap: ReDoS", "osi_layer": "NOT_APPLICABLE", 
@@ -24116,7 +24116,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package ws to the fixed version: 5.2.4, 6.2.3, 7.5.10, 8.17.1 or remove the package from the image.", "name": "nodejs-ws: denial of service when handling a request with many HTTP headers", "osi_layer": "NOT_APPLICABLE", 
@@ -24203,7 +24203,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the \`Sec-Websocket-Protocol\` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [\`--max-http-header-size=size\`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [\`maxHeaderSize\`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package ws to the fixed version: 7.4.6, 6.2.2, 5.2.3 or remove the package from the image.", "name": "nodejs-ws: Specially crafted value of the \`Sec-Websocket-Protocol\` header can be used to significantly slow down a ws server", "osi_layer": "NOT_APPLICABLE", 
@@ -24287,7 +24287,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package ws to the fixed version: 5.2.4, 6.2.3, 7.5.10, 8.17.1 or remove the package from the image.", "name": "nodejs-ws: denial of service when handling a request with many HTTP headers", "osi_layer": "NOT_APPLICABLE", 
@@ -24374,7 +24374,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the \`Sec-Websocket-Protocol\` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [\`--max-http-header-size=size\`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [\`maxHeaderSize\`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package ws to the fixed version: 7.4.6, 6.2.2, 5.2.3 or remove the package from the image.", "name": "nodejs-ws: Specially crafted value of the \`Sec-Websocket-Protocol\` header can be used to significantly slow down a ws server", "osi_layer": "NOT_APPLICABLE", 
@@ -24458,7 +24458,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package xmlhttprequest-ssl to the fixed version: 1.6.2 or remove the package from the image.", "name": "nodejs-xmlhttprequest: Code injection through user input to xhr.send", "osi_layer": "NOT_APPLICABLE", @@ -24542,7 +24542,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package xmlhttprequest-ssl to the fixed version: 1.6.1 or remove the package from the image.", "name": "xmlhttprequest-ssl: SSL certificate validation disabled by default", "osi_layer": "NOT_APPLICABLE", 
@@ -24617,7 +24617,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package y18n to the fixed version: 3.2.2, 4.0.1, 5.0.5 or remove the package from the image.", "name": "nodejs-y18n: prototype pollution vulnerability", "osi_layer": "NOT_APPLICABLE", @@ -24720,7 +24720,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package y18n to the fixed version: 3.2.2, 4.0.1, 5.0.5 or remove the package from the image.", "name": "nodejs-y18n: prototype pollution vulnerability", "osi_layer": "NOT_APPLICABLE", @@ -24823,7 +24823,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package y18n to the fixed version: 3.2.2, 4.0.1, 5.0.5 or remove the package from the image.", "name": "nodejs-y18n: prototype pollution vulnerability", "osi_layer": "NOT_APPLICABLE", 
@@ -24922,7 +24922,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package yargs-parser to the fixed version: 13.1.2, 15.0.1, 18.1.1, 5.0.1 or remove the package from the image.", "name": "nodejs-yargs-parser: prototype pollution vulnerability", "osi_layer": "NOT_APPLICABLE", @@ -25005,7 +25005,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package yargs-parser to the fixed version: 13.1.2, 15.0.1, 18.1.1, 5.0.1 or remove the package from the image.", "name": "nodejs-yargs-parser: prototype pollution vulnerability", "osi_layer": "NOT_APPLICABLE", @@ -25084,7 +25084,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "An untrusted search path vulnerability was found in Yarn. When a victim runs certain Yarn commands in a directory with attacker-controlled content, malicious commands could be executed in unexpected ways.", - "location": "bkimminich/juice-shop:v10.2.0", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v10.2.0", "mitigation": "Update the affected package yarn to the fixed version: 1.22.13 or remove the package from the image.", "name": "yarn: untrusted search path", "osi_layer": "NOT_APPLICABLE", 
@@ -25154,7 +25154,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i()", "osi_layer": "NOT_APPLICABLE", @@ -25227,7 +25227,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file()", "osi_layer": "NOT_APPLICABLE", 
@@ -25300,7 +25300,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar()", "osi_layer": "NOT_APPLICABLE", @@ -25373,7 +25373,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init()", "osi_layer": "NOT_APPLICABLE", 
@@ -25446,7 +25446,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s()", "osi_layer": "NOT_APPLICABLE", @@ -25518,7 +25518,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate()", "osi_layer": "NOT_APPLICABLE", 
@@ -25587,7 +25587,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special()", "osi_layer": "NOT_APPLICABLE", @@ -25660,7 +25660,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate()", "osi_layer": "NOT_APPLICABLE", 
@@ -25733,7 +25733,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc()", "osi_layer": "NOT_APPLICABLE", @@ -25806,7 +25806,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package busybox to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: out-of-bounds read in unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed", "osi_layer": "NOT_APPLICABLE", 
@@ -25879,7 +25879,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i()", "osi_layer": "NOT_APPLICABLE", @@ -25952,7 +25952,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file()", "osi_layer": "NOT_APPLICABLE", 
@@ -26025,7 +26025,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar()", "osi_layer": "NOT_APPLICABLE", @@ -26098,7 +26098,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init()", "osi_layer": "NOT_APPLICABLE", 
@@ -26171,7 +26171,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s()", "osi_layer": "NOT_APPLICABLE", @@ -26243,7 +26243,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate()", "osi_layer": "NOT_APPLICABLE", 
@@ -26312,7 +26312,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special()", "osi_layer": "NOT_APPLICABLE", @@ -26385,7 +26385,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate()", "osi_layer": "NOT_APPLICABLE", 
@@ -26458,7 +26458,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc()", "osi_layer": "NOT_APPLICABLE", @@ -26531,7 +26531,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package ssl_client to the fixed version: 1.31.1-r11 or remove the package from the image.", "name": "busybox: out-of-bounds read in unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed", "osi_layer": "NOT_APPLICABLE", 
@@ -26640,7 +26640,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "Image Vulnerability", "description": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package zlib to the fixed version: 1.2.11-r4 or remove the package from the image.", "name": "zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field", "osi_layer": "NOT_APPLICABLE", @@ -26878,7 +26878,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package ansi-regex to the fixed version: 6.0.1, 5.0.1, 4.1.1, 3.0.1 or remove the package from the image.", "name": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", "osi_layer": "NOT_APPLICABLE", 
@@ -27056,7 +27056,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package ansi-regex to the fixed version: 6.0.1, 5.0.1, 4.1.1, 3.0.1 or remove the package from the image.", "name": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", "osi_layer": "NOT_APPLICABLE", @@ -27234,7 +27234,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package ansi-regex to the fixed version: 6.0.1, 5.0.1, 4.1.1, 3.0.1 or remove the package from the image.", "name": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", "osi_layer": "NOT_APPLICABLE", @@ -27412,7 +27412,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package ansi-regex to the fixed version: 6.0.1, 5.0.1, 4.1.1, 3.0.1 or remove the package from the image.", "name": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", "osi_layer": "NOT_APPLICABLE", 
@@ -27590,7 +27590,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package ansi-regex to the fixed version: 6.0.1, 5.0.1, 4.1.1, 3.0.1 or remove the package from the image.", "name": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", "osi_layer": "NOT_APPLICABLE", @@ -27768,7 +27768,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package ansi-regex to the fixed version: 6.0.1, 5.0.1, 4.1.1, 3.0.1 or remove the package from the image.", "name": "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", "osi_layer": "NOT_APPLICABLE", @@ -27938,7 +27938,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package async to the fixed version: 3.2.2, 2.6.4 or remove the package from the image.", "name": "async: Prototype Pollution in async", "osi_layer": "NOT_APPLICABLE", 
@@ -28076,7 +28076,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package async to the fixed version: 3.2.2, 2.6.4 or remove the package from the image.", "name": "async: Prototype Pollution in async", "osi_layer": "NOT_APPLICABLE", @@ -28214,7 +28214,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package async to the fixed version: 3.2.2, 2.6.4 or remove the package from the image.", "name": "async: Prototype Pollution in async", "osi_layer": "NOT_APPLICABLE", 
@@ -28352,7 +28352,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package async to the fixed version: 3.2.2, 2.6.4 or remove the package from the image.", "name": "async: Prototype Pollution in async", "osi_layer": "NOT_APPLICABLE", @@ -28470,7 +28470,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "\`base64url\` allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package base64url to the fixed version: >=3.0.0 or remove the package from the image.", "name": "Out-of-bounds Read", "osi_layer": "NOT_APPLICABLE", @@ -28515,7 +28515,7 @@ exports[`parses bkimminich/juice-shop:v12.10.2 result file into findings 1`] = ` ## Recommendation Update to version 3.0.0 or later.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package base64url to the fixed version: 3.0.0 or remove the package from the image.", "name": "Out-of-bounds Read in base64url", "osi_layer": "NOT_APPLICABLE", 
@@ -28557,7 +28557,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package body-parser to the fixed version: 1.20.3 or remove the package from the image.", "name": "body-parser: Denial of Service Vulnerability in body-parser", "osi_layer": "NOT_APPLICABLE", @@ -28620,7 +28620,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "The NPM package \`braces\`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In \`lib/parse.js,\` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package braces to the fixed version: 3.0.3 or remove the package from the image.", "name": "braces: fails to limit the number of characters it can handle", "osi_layer": "NOT_APPLICABLE", 
@@ -28703,7 +28703,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "The NPM package \`braces\`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In \`lib/parse.js,\` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package braces to the fixed version: 3.0.3 or remove the package from the image.", "name": "braces: fails to limit the number of characters it can handle", "osi_layer": "NOT_APPLICABLE", @@ -28786,7 +28786,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "The NPM package \`braces\`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In \`lib/parse.js,\` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package braces to the fixed version: 3.0.3 or remove the package from the image.", "name": "braces: fails to limit the number of characters it can handle", "osi_layer": "NOT_APPLICABLE", 
@@ -28865,7 +28865,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package cookie to the fixed version: 0.7.0 or remove the package from the image.", "name": "cookie: cookie accepts cookie name, path, and domain with out of bounds characters", "osi_layer": "NOT_APPLICABLE", @@ -28928,7 +28928,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package cookie to the fixed version: 0.7.0 or remove the package from the image.", "name": "cookie: cookie accepts cookie name, path, and domain with out of bounds characters", "osi_layer": "NOT_APPLICABLE", 
@@ -28992,7 +28992,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 4.2.0 contains a patch for this issue. As a workaround, configure crypto-js to use SHA256 with at least 250,000 iterations.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package crypto-js to the fixed version: 4.2.0 or remove the package from the image.", "name": "crypto-js: PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard", "osi_layer": "NOT_APPLICABLE", @@ -29076,7 +29076,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package decode-uri-component to the fixed version: 0.2.1 or remove the package from the image.", "name": "decode-uri-component: improper input validation resulting in DoS", "osi_layer": "NOT_APPLICABLE", 
@@ -29224,7 +29224,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package decode-uri-component to the fixed version: 0.2.1 or remove the package from the image.", "name": "decode-uri-component: improper input validation resulting in DoS", "osi_layer": "NOT_APPLICABLE", @@ -29359,7 +29359,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package dicer to the fixed version: undefined or remove the package from the image.", "name": "dicer: nodejs service crash by sending a crafted payload", "osi_layer": "NOT_APPLICABLE", @@ -29436,7 +29436,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package diff to the fixed version: 3.5.0 or remove the package from the image.", "name": "Regular Expression Denial of Service (ReDoS)", "osi_layer": "NOT_APPLICABLE", 
@@ -29483,7 +29483,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "Versions of the package dottie before 2.0.4 are vulnerable to Prototype Pollution due to insufficient checks, via the set() function and the current variable in the /dottie.js file.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package dottie to the fixed version: 2.0.4 or remove the package from the image.", "name": "Versions of the package dottie before 2.0.4 are vulnerable to Prototyp ...", "osi_layer": "NOT_APPLICABLE", @@ -29550,7 +29550,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the \`engine.io\` package starting from version \`4.0.0\`, including those who uses depending packages like \`socket.io\`. Versions prior to \`4.0.0\` are not impacted. A fix has been released for each major branch, namely \`4.1.2\` for the \`4.x.x\` branch, \`5.2.1\` for the \`5.x.x\` branch, and \`6.1.1\` for the \`6.x.x\` branch. There is no known workaround except upgrading to a safe version.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package engine.io to the fixed version: 4.1.2, 5.2.1, 6.1.1 or remove the package from the image.", "name": "Uncaught Exception in engine.io", "osi_layer": "NOT_APPLICABLE", 
@@ -29629,7 +29629,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package, including those who uses depending packages like socket.io. There is no known workaround except upgrading to a safe version. There are patches for this issue released in versions 3.6.1 and 6.2.1.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package engine.io to the fixed version: 3.6.1, 6.2.1 or remove the package from the image.", "name": "engine.io: Specially crafted HTTP request can trigger an uncaught exception", "osi_layer": "NOT_APPLICABLE", @@ -29691,7 +29691,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "es5-ext contains ECMAScript 5 extensions. Passing functions with very long names or complex default argument names into \`function#copy\` or \`function#toStringTokens\` may cause the script to stall. The vulnerability is patched in v0.10.63.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package es5-ext to the fixed version: 0.10.63 or remove the package from the image.", "name": "es5-ext contains ECMAScript 5 extensions. Passing functions with very ...", "osi_layer": "NOT_APPLICABLE", 
@@ -29753,7 +29753,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode [using \`encodeurl\`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the \`location\` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is \`res.location()\` but this is also called from within \`res.redirect()\`. The vulnerability is fixed in 4.19.2 and 5.0.0-beta.3.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package express to the fixed version: 4.19.2, 5.0.0-beta.3 or remove the package from the image.", "name": "express: cause malformed URLs to be evaluated", "osi_layer": "NOT_APPLICABLE", @@ -29827,7 +29827,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package express to the fixed version: 4.20.0, 5.0.0 or remove the package from the image.", "name": "express: Improper Input Handling in Express Redirects", "osi_layer": "NOT_APPLICABLE", 
@@ -29882,7 +29882,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt - You do not have **algorithms** configured in your express-jwt configuration. - You are using libraries such as jwks-rsa as the **secret**. You can fix this by specifying **algorithms** in the express-jwt configuration. See linked GHSA for example. This is also fixed in version 6.0.0.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package express-jwt to the fixed version: 6.0.0 or remove the package from the image.", "name": "Authorization bypass in express-jwt", "osi_layer": "NOT_APPLICABLE", @@ -29936,7 +29936,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "An issue was discovered in the file-type package before 16.5.4 and 17.x before 17.1.3 for Node.js. A malformed MKV file could cause the file type detector to get caught in an infinite loop. This would make the application become unresponsive and could be used to cause a DoS attack.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package file-type to the fixed version: 16.5.4, 17.1.3 or remove the package from the image.", "name": "file-type: a malformed MKV file could cause the file type detector to get caught in an infinite loop", "osi_layer": "NOT_APPLICABLE", 
@@ -30043,7 +30043,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package got to the fixed version: 12.1.0, 11.8.5 or remove the package from the image.", "name": "nodejs-got: missing verification of requested URLs allows redirects to UNIX sockets", "osi_layer": "NOT_APPLICABLE", @@ -30186,7 +30186,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package got to the fixed version: 12.1.0, 11.8.5 or remove the package from the image.", "name": "nodejs-got: missing verification of requested URLs allows redirects to UNIX sockets", "osi_layer": "NOT_APPLICABLE", @@ -30316,7 +30316,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package growl to the fixed version: 1.10.0 or remove the package from the image.", "name": "nodejs-growl: Does not properly sanitize input before passing it to exec", "osi_layer": "NOT_APPLICABLE", 
@@ -30392,7 +30392,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package grunt to the fixed version: 1.5.3 or remove the package from the image.", "name": "gruntjs: race condition leading to arbitrary file write", "osi_layer": "NOT_APPLICABLE", @@ -30463,7 +30463,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "Path Traversal in GitHub repository gruntjs/grunt prior to 1.5.2.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package grunt to the fixed version: 1.5.2 or remove the package from the image.", "name": "Path Traversal in GitHub repository gruntjs/grunt prior to 1.5.2.", "osi_layer": "NOT_APPLICABLE", 
@@ -30539,7 +30539,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "The npm hbs package is an Express view engine wrapper for Handlebars. Depending on usage, users of hbs may be vulnerable to a file disclosure vulnerability. There is currently no patch for this vulnerability. hbs mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options a file disclosure vulnerability may be triggered in downstream applications. For an example PoC see the referenced GHSL-2021-020.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package hbs to the fixed version: undefined or remove the package from the image.", "name": "Insertion of Sensitive Information into Externally-Accessible File or Directory and Exposure of Sensitive Information to an Unauthorized Actor in hbs", "osi_layer": "NOT_APPLICABLE", @@ -30619,7 +30619,7 @@ Update to version 3.0.0 or later.", "description": "This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library. ", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package http-cache-semantics to the fixed version: 4.1.1 or remove the package from the image.", "name": "http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability", "osi_layer": "NOT_APPLICABLE", 
@@ -30819,7 +30819,7 @@ Update to version 3.0.0 or later.", "description": "This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library. ", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package http-cache-semantics to the fixed version: 4.1.1 or remove the package from the image.", "name": "http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability", "osi_layer": "NOT_APPLICABLE", @@ -30991,7 +30991,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package ip to the fixed version: undefined or remove the package from the image.", "name": "node-ip: Incomplete fix for CVE-2023-42282", "osi_layer": "NOT_APPLICABLE", 
@@ -31065,7 +31065,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package ip to the fixed version: 2.0.1, 1.1.9 or remove the package from the image.", "name": "nodejs-ip: arbitrary code execution via the isPublic() function", "osi_layer": "NOT_APPLICABLE", @@ -31163,7 +31163,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package json-schema to the fixed version: 0.4.0 or remove the package from the image.", "name": "nodejs-json-schema: Prototype pollution vulnerability", "osi_layer": "NOT_APPLICABLE", @@ -31261,7 +31261,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package json-schema to the fixed version: 0.4.0 or remove the package from the image.", "name": "nodejs-json-schema: Prototype pollution vulnerability", "osi_layer": "NOT_APPLICABLE", 
@@ -31359,7 +31359,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The \`parse\` method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named \`__proto__\`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by \`JSON5.parse\` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from \`JSON5.parse\`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. \`JSON5.parse\` should restrict parsing of \`__proto__\` keys when parsing JSON strings to objects. As a point of reference, the \`JSON.parse\` method included in JavaScript ignores \`__proto__\` keys. Simply changing \`JSON5.parse\` to \`JSON.parse\` in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package json5 to the fixed version: 2.2.2, 1.0.2 or remove the package from the image.", "name": "json5: Prototype Pollution in JSON5 via Parse Method", "osi_layer": "NOT_APPLICABLE", 
@@ -31453,7 +31453,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package jsonwebtoken to the fixed version: 4.2.2 or remove the package from the image.", "name": "nodejs-jsonwebtoken: verification step bypass with an altered token", "osi_layer": "NOT_APPLICABLE", 
@@ -31529,7 +31529,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "Versions \`<=8.5.1\` of \`jsonwebtoken\` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the \`allowInvalidAsymmetricKeyTypes\` option to \`true\` in the \`sign()\` and/or \`verify()\` functions.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package jsonwebtoken to the fixed version: 9.0.0 or remove the package from the image.", "name": "jsonwebtoken: Unrestricted key type could lead to legacy keys usagen", "osi_layer": "NOT_APPLICABLE", 
@@ -31592,7 +31592,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "It is possible for an attacker to bypass verification when "a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)" [1]", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package jsonwebtoken to the fixed version: >=4.2.2 or remove the package from the image.", "name": "Verification Bypass", "osi_layer": "NOT_APPLICABLE", @@ -31641,7 +31641,7 @@ Update to version 3.0.0 or later.", "category": "NPM Package Vulnerability", "description": "In versions \`<=8.5.1\` of \`jsonwebtoken\` library, lack of algorithm definition in the \`jwt.verify()\` function can lead to signature validation bypass due to defaulting to the \`none\` algorithm for signature verification. Users are affected if you do not specify algorithms in the \`jwt.verify()\` function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the \`jwt.verify()\` method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the \`none\` algorithm. If you need 'none' algorithm, you have to explicitly specify that in \`jwt.verify()\` options. ", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package jsonwebtoken to the fixed version: 9.0.0 or remove the package from the image.", "name": "jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass", "osi_layer": "NOT_APPLICABLE", 
@@ -31710,7 +31710,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "jsonwebtoken is an implementation of JSON Web Tokens. Versions \`<= 8.5.1\` of \`jsonwebtoken\` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the \`secretOrPublicKey\` argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package jsonwebtoken to the fixed version: 9.0.0 or remove the package from the image.", "name": "jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC", "osi_layer": "NOT_APPLICABLE", 
@@ -31784,7 +31784,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package jsonwebtoken to the fixed version: 4.2.2 or remove the package from the image.", "name": "nodejs-jsonwebtoken: verification step bypass with an altered token", "osi_layer": "NOT_APPLICABLE", 
@@ -31860,7 +31860,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "Versions \`<=8.5.1\` of \`jsonwebtoken\` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the \`allowInvalidAsymmetricKeyTypes\` option to \`true\` in the \`sign()\` and/or \`verify()\` functions.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package jsonwebtoken to the fixed version: 9.0.0 or remove the package from the image.", "name": "jsonwebtoken: Unrestricted key type could lead to legacy keys usagen", "osi_layer": "NOT_APPLICABLE", 
@@ -31923,7 +31923,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "It is possible for an attacker to bypass verification when "a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)" [1]", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package jsonwebtoken to the fixed version: >=4.2.2 or remove the package from the image.", "name": "Verification Bypass", "osi_layer": "NOT_APPLICABLE", @@ -31972,7 +31972,7 @@ Update to version 3.0.0 or later.", "category": "NPM Package Vulnerability", "description": "In versions \`<=8.5.1\` of \`jsonwebtoken\` library, lack of algorithm definition in the \`jwt.verify()\` function can lead to signature validation bypass due to defaulting to the \`none\` algorithm for signature verification. Users are affected if you do not specify algorithms in the \`jwt.verify()\` function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the \`jwt.verify()\` method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the \`none\` algorithm. If you need 'none' algorithm, you have to explicitly specify that in \`jwt.verify()\` options. ", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package jsonwebtoken to the fixed version: 9.0.0 or remove the package from the image.", "name": "jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass", "osi_layer": "NOT_APPLICABLE", 
@@ -32041,7 +32041,7 @@ Update to version 3.0.0 or later.", }, "category": "NPM Package Vulnerability", "description": "jsonwebtoken is an implementation of JSON Web Tokens. Versions \`<= 8.5.1\` of \`jsonwebtoken\` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the \`secretOrPublicKey\` argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package jsonwebtoken to the fixed version: 9.0.0 or remove the package from the image.", "name": "jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC", "osi_layer": "NOT_APPLICABLE", 
@@ -32116,7 +32116,7 @@ Update to version 3.0.0 or later.", In addition, there is the \`none\` algorithm to be concerned about. In versions prior to 3.0.0, verification of the token could be bypassed when the \`alg\` field is set to \`none\`. *Edit ( 7/29/16 ): A previous version of this advisory incorrectly stated that the vulnerability was patched in version 2.0.0 instead of 3.0.0. The advisory has been updated to reflect this new information. Thanks to Fabien Catteau for reporting the error.*", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package jws to the fixed version: >=3.0.0 or remove the package from the image.", "name": "Forgeable Public/Private Tokens", "osi_layer": "NOT_APPLICABLE", @@ -32177,7 +32177,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions }, "category": "NPM Package Vulnerability", "description": "libxmljs2 is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking a function on the result of attrs() that was called on a parsed node. This vulnerability might lead to denial of service (on both 32-bit systems and 64-bit systems), data leak, infinite loop and remote code execution (on 32-bit systems with the XML_PARSE_HUGE flag enabled).", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package libxmljs2 to the fixed version: undefined or remove the package from the image.", "name": "libxmljs2 type confusion vulnerability when parsing specially crafted XML", "osi_layer": "NOT_APPLICABLE", 
@@ -32230,7 +32230,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions }, "category": "NPM Package Vulnerability", "description": "libxmljs2 is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking the namespaces() function (which invokes XmlNode::get_local_namespaces()) on a grand-child of a node that refers to an entity. This vulnerability can lead to denial of service and remote code execution.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package libxmljs2 to the fixed version: undefined or remove the package from the image.", "name": "libxmljs2 vulnerable to type confusion when parsing specially crafted XML", "osi_layer": "NOT_APPLICABLE", @@ -32291,7 +32291,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions }, "category": "NPM Package Vulnerability", "description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package lodash to the fixed version: 4.17.12 or remove the package from the image.", "name": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties", "osi_layer": "NOT_APPLICABLE", 
@@ -32380,7 +32380,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions }, "category": "NPM Package Vulnerability", "description": "A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package lodash to the fixed version: >=4.17.11 or remove the package from the image.", "name": "lodash: Prototype pollution in utilities function", "osi_layer": "NOT_APPLICABLE", @@ -32464,7 +32464,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions }, "category": "NPM Package Vulnerability", "description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package lodash to the fixed version: 4.17.21 or remove the package from the image.", "name": "nodejs-lodash: command injection via template", "osi_layer": "NOT_APPLICABLE", 
@@ -32581,7 +32581,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions }, "category": "NPM Package Vulnerability", "description": "lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package lodash to the fixed version: 4.17.11 or remove the package from the image.", "name": "lodash: uncontrolled resource consumption in Data handler causing denial of service", "osi_layer": "NOT_APPLICABLE", @@ -32667,7 +32667,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions }, "category": "NPM Package Vulnerability", "description": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package lodash to the fixed version: 4.17.21 or remove the package from the image.", "name": "nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions", "osi_layer": "NOT_APPLICABLE", 
@@ -32792,7 +32792,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions }, "category": "NPM Package Vulnerability", "description": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package lodash to the fixed version: >=4.17.5 or remove the package from the image.", "name": "lodash: Prototype pollution in utilities function", "osi_layer": "NOT_APPLICABLE", @@ -32869,7 +32869,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions }, "category": "NPM Package Vulnerability", "description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package lodash to the fixed version: 4.17.12 or remove the package from the image.", "name": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties", "osi_layer": "NOT_APPLICABLE", 
@@ -32969,7 +32969,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions }, "category": "NPM Package Vulnerability", "description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package lodash to the fixed version: 4.17.19 or remove the package from the image.", "name": "nodejs-lodash: prototype pollution in zipObjectDeep function", "osi_layer": "NOT_APPLICABLE", @@ -33097,7 +33097,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions }, "category": "NPM Package Vulnerability", "description": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package lodash to the fixed version: 4.17.21 or remove the package from the image.", "name": "nodejs-lodash: command injection via template", "osi_layer": "NOT_APPLICABLE", @@ -33227,7 +33227,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions }, "category": "NPM Package Vulnerability", "description": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package lodash to the fixed version: 4.17.21 or remove the package from the image.", "name": "nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions", "osi_layer": "NOT_APPLICABLE", 
@@ -33363,7 +33363,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions }, "category": "NPM Package Vulnerability", "description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package lodash.set to the fixed version: undefined or remove the package from the image.", "name": "nodejs-lodash: prototype pollution in zipObjectDeep function", "osi_layer": "NOT_APPLICABLE", @@ -33478,7 +33478,7 @@ In addition, there is the \`none\` algorithm to be concerned about. In versions ## Recommendation No fix is currently available. Consider using an alternative package until a fix is made available.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package marsdb to the fixed version: undefined or remove the package from the image.", "name": "Command Injection in marsdb", "osi_layer": "NOT_APPLICABLE", 
@@ -33521,7 +33521,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "The NPM package \`micromatch\` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in \`micromatch.braces()\` in \`index.js\` because the pattern \`.*\` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. This issue was fixed in version 4.0.8.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package micromatch to the fixed version: 4.0.8 or remove the package from the image.", "name": "micromatch: vulnerable to Regular Expression Denial of Service", "osi_layer": "NOT_APPLICABLE", 
@@ -33624,7 +33624,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "The NPM package \`micromatch\` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in \`micromatch.braces()\` in \`index.js\` because the pattern \`.*\` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. This issue was fixed in version 4.0.8.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package micromatch to the fixed version: 4.0.8 or remove the package from the image.", "name": "micromatch: vulnerable to Regular Expression Denial of Service", "osi_layer": "NOT_APPLICABLE", @@ -33744,7 +33744,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package minimatch to the fixed version: 3.0.5 or remove the package from the image.", "name": "nodejs-minimatch: ReDoS via the braceExpand function", "osi_layer": "NOT_APPLICABLE", 
@@ -33932,7 +33932,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package minimatch to the fixed version: 3.0.5 or remove the package from the image.", "name": "nodejs-minimatch: ReDoS via the braceExpand function", "osi_layer": "NOT_APPLICABLE", @@ -34125,7 +34125,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package minimist to the fixed version: 1.2.6, 0.2.4 or remove the package from the image.", "name": "minimist: prototype pollution", "osi_layer": "NOT_APPLICABLE", @@ -34338,7 +34338,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package minimist to the fixed version: 1.2.6, 0.2.4 or remove the package from the image.", "name": "minimist: prototype pollution", "osi_layer": "NOT_APPLICABLE", 
@@ -34551,7 +34551,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package minimist to the fixed version: 1.2.6, 0.2.4 or remove the package from the image.", "name": "minimist: prototype pollution", "osi_layer": "NOT_APPLICABLE", @@ -34764,7 +34764,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package minimist to the fixed version: 1.2.6, 0.2.4 or remove the package from the image.", "name": "minimist: prototype pollution", "osi_layer": "NOT_APPLICABLE", @@ -34951,7 +34951,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package moment to the fixed version: 2.19.3 or remove the package from the image.", "name": "nodejs-moment: Regular expression denial of service", "osi_layer": "NOT_APPLICABLE", 
@@ -35038,7 +35038,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package moment to the fixed version: 2.29.2 or remove the package from the image.", "name": "Moment.js: Path traversal in moment.locale", "osi_layer": "NOT_APPLICABLE", @@ -35146,7 +35146,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a "regular expression Denial of Service (ReDoS)."", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package moment to the fixed version: >=2.11.2 or remove the package from the image.", "name": "moment.js: regular expression denial of service", "osi_layer": "NOT_APPLICABLE", 
@@ -35269,7 +35269,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package moment to the fixed version: 2.29.2 or remove the package from the image.", "name": "Moment.js: Path traversal in moment.locale", "osi_layer": "NOT_APPLICABLE", @@ -35372,7 +35372,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package moment to the fixed version: 2.29.2 or remove the package from the image.", "name": "Moment.js: Path traversal in moment.locale", "osi_layer": "NOT_APPLICABLE", 
@@ -35475,7 +35475,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package moment to the fixed version: 2.29.2 or remove the package from the image.", "name": "Moment.js: Path traversal in moment.locale", "osi_layer": "NOT_APPLICABLE", @@ -35578,7 +35578,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package moment to the fixed version: 2.29.2 or remove the package from the image.", "name": "Moment.js: Path traversal in moment.locale", "osi_layer": "NOT_APPLICABLE", 
@@ -35681,7 +35681,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package moment to the fixed version: 2.29.2 or remove the package from the image.", "name": "Moment.js: Path traversal in moment.locale", "osi_layer": "NOT_APPLICABLE", @@ -35784,7 +35784,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package moment to the fixed version: 2.29.2 or remove the package from the image.", "name": "Moment.js: Path traversal in moment.locale", "osi_layer": "NOT_APPLICABLE", 
@@ -35897,7 +35897,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package moment to the fixed version: 2.29.4 or remove the package from the image.", "name": "moment: inefficient parsing algorithm resulting in DoS", "osi_layer": "NOT_APPLICABLE", 
@@ -36050,7 +36050,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package moment to the fixed version: 2.29.4 or remove the package from the image.", "name": "moment: inefficient parsing algorithm resulting in DoS", "osi_layer": "NOT_APPLICABLE", 
@@ -36203,7 +36203,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package moment to the fixed version: 2.29.4 or remove the package from the image.", "name": "moment: inefficient parsing algorithm resulting in DoS", "osi_layer": "NOT_APPLICABLE", 
@@ -36356,7 +36356,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package moment to the fixed version: 2.29.4 or remove the package from the image.", "name": "moment: inefficient parsing algorithm resulting in DoS", "osi_layer": "NOT_APPLICABLE", 
@@ -36509,7 +36509,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package moment to the fixed version: 2.29.4 or remove the package from the image.", "name": "moment: inefficient parsing algorithm resulting in DoS", "osi_layer": "NOT_APPLICABLE", 
@@ -36662,7 +36662,7 @@ No fix is currently available. Consider using an alternative package until a fix }, "category": "NPM Package Vulnerability", "description": "moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package moment to the fixed version: 2.29.4 or remove the package from the image.", "name": "moment: inefficient parsing algorithm resulting in DoS", "osi_layer": "NOT_APPLICABLE", @@ -36803,7 +36803,7 @@ Problem has been patched in version 0.5.35, patch should be applicable with mino ### Workarounds Specify the exact version of tzdata (like \`2014d\`, full command being \`grunt data:2014d\`, then run the rest of the release tasks by hand), or just apply the patch before issuing the grunt command. ", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package moment-timezone to the fixed version: 0.5.35 or remove the package from the image.", "name": "Cleartext Transmission of Sensitive Information in moment-timezone", "osi_layer": "NOT_APPLICABLE", 
@@ -36937,7 +36937,7 @@ The supplied patch on top of 0.5.34 is applicable with minor tweaks to all affec * https://knowledge-base.secureflag.com/vulnerabilities/code_injection/os_command_injection_nodejs.html * https://auth0.com/blog/preventing-command-injection-attacks-in-node-js-apps/", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package moment-timezone to the fixed version: 0.5.35 or remove the package from the image.", "name": "Command Injection in moment-timezone", "osi_layer": "NOT_APPLICABLE", @@ -36978,7 +36978,7 @@ The supplied patch on top of 0.5.34 is applicable with minor tweaks to all affec }, "category": "NPM Package Vulnerability", "description": "This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn mixes objects into the target object, recursively mixing existing child objects as well. In both cases, the key used to access the target object recursively is not checked, leading to exploiting this vulnerability. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7792](https://security.snyk.io/vuln/SNYK-JS-MOUT-1014544).", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package mout to the fixed version: 1.2.4 or remove the package from the image.", "name": "Prototype Pollution in mout", "osi_layer": "NOT_APPLICABLE", 
@@ -37065,7 +37065,7 @@ The supplied patch on top of 0.5.34 is applicable with minor tweaks to all affec }, "category": "NPM Package Vulnerability", "description": "node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package node-fetch to the fixed version: 3.1.1, 2.6.7 or remove the package from the image.", "name": "node-fetch: exposure of sensitive information to an unauthorized actor", "osi_layer": "NOT_APPLICABLE", @@ -37189,7 +37189,7 @@ The supplied patch on top of 0.5.34 is applicable with minor tweaks to all affec }, "category": "NPM Package Vulnerability", "description": "This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. **Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878).", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package notevil to the fixed version: undefined or remove the package from the image.", "name": "Sandbox escape in notevil and argencoders-notevil", "osi_layer": "NOT_APPLICABLE", 
@@ -37244,7 +37244,7 @@ The supplied patch on top of 0.5.34 is applicable with minor tweaks to all affec }, "category": "NPM Package Vulnerability", "description": "path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package path-to-regexp to the fixed version: 1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0 or remove the package from the image.", "name": "path-to-regexp: Backtracking regular expressions cause ReDoS", "osi_layer": "NOT_APPLICABLE", @@ -37326,7 +37326,7 @@ The supplied patch on top of 0.5.34 is applicable with minor tweaks to all affec }, "category": "NPM Package Vulnerability", "description": "Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package pug to the fixed version: 3.0.3 or remove the package from the image.", "name": "Pug allows JavaScript code execution if an application accepts untrusted input", "osi_layer": "NOT_APPLICABLE", 
@@ -37404,7 +37404,7 @@ The supplied patch on top of 0.5.34 is applicable with minor tweaks to all affec }, "category": "NPM Package Vulnerability", "description": "Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package pug-code-gen to the fixed version: 3.0.3 or remove the package from the image.", "name": "Pug allows JavaScript code execution if an application accepts untrusted input", "osi_layer": "NOT_APPLICABLE", 
@@ -37499,7 +37499,7 @@ The supplied patch on top of 0.5.34 is applicable with minor tweaks to all affec }, "category": "NPM Package Vulnerability", "description": "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package qs to the fixed version: 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4 or remove the package from the image.", "name": "express: "qs" prototype poisoning causes the hang of the node process", "osi_layer": "NOT_APPLICABLE", 
@@ -37662,7 +37662,7 @@ The supplied patch on top of 0.5.34 is applicable with minor tweaks to all affec }, "category": "NPM Package Vulnerability", "description": "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package qs to the fixed version: 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4 or remove the package from the image.", "name": "express: "qs" prototype poisoning causes the hang of the node process", "osi_layer": "NOT_APPLICABLE", 
@@ -37825,7 +37825,7 @@ The supplied patch on top of 0.5.34 is applicable with minor tweaks to all affec }, "category": "NPM Package Vulnerability", "description": "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package qs to the fixed version: 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4 or remove the package from the image.", "name": "express: "qs" prototype poisoning causes the hang of the node process", "osi_layer": "NOT_APPLICABLE", @@ -37974,7 +37974,7 @@ The supplied patch on top of 0.5.34 is applicable with minor tweaks to all affec }, "category": "NPM Package Vulnerability", "description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package request to the fixed version: undefined or remove the package from the image.", "name": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF ...", "osi_layer": "NOT_APPLICABLE", 
@@ -38067,7 +38067,7 @@ The supplied patch on top of 0.5.34 is applicable with minor tweaks to all affec }, "category": "NPM Package Vulnerability", "description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package request to the fixed version: undefined or remove the package from the image.", "name": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF ...", "osi_layer": "NOT_APPLICABLE", @@ -38154,7 +38154,7 @@ The supplied patch on top of 0.5.34 is applicable with minor tweaks to all affec }, "category": "NPM Package Vulnerability", "description": "The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package sanitize-html to the fixed version: 2.7.1 or remove the package from the image.", "name": "sanitize-html: insecure global regular expression replacement logic may lead to ReDoS", "osi_layer": "NOT_APPLICABLE", 
@@ -38217,7 +38217,7 @@ The supplied patch on top of 0.5.34 is applicable with minor tweaks to all affec }, "category": "NPM Package Vulnerability", "description": "sanitize-html before 1.4.3 has XSS.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package sanitize-html to the fixed version: >=1.4.3 or remove the package from the image.", "name": "XSS - Sanitization not applied recursively", "osi_layer": "NOT_APPLICABLE", @@ -38281,7 +38281,7 @@ The supplied patch on top of 0.5.34 is applicable with minor tweaks to all affec }, "category": "NPM Package Vulnerability", "description": "Sanitize-html is a library for scrubbing html input of malicious values. Versions 1.11.1 and below are vulnerable to cross site scripting (XSS) in certain scenarios: If allowed at least one nonTextTags, the result is a potential XSS vulnerability.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package sanitize-html to the fixed version: 1.11.4 or remove the package from the image.", "name": "Cross-Site Scripting in sanitize-html", "osi_layer": "NOT_APPLICABLE", 
@@ -38349,7 +38349,7 @@ The supplied patch on top of 0.5.34 is applicable with minor tweaks to all affec }, "category": "NPM Package Vulnerability", "description": "Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the "allowedIframeHostnames" option.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package sanitize-html to the fixed version: 2.3.1 or remove the package from the image.", "name": "sanitize-html: improper handling of internationalized domain name (IDN) can lead to bypass hostname whitelist validation", "osi_layer": "NOT_APPLICABLE", @@ -38415,7 +38415,7 @@ The supplied patch on top of 0.5.34 is applicable with minor tweaks to all affec }, "category": "NPM Package Vulnerability", "description": "Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with "/\\\\example.com".", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package sanitize-html to the fixed version: 2.3.2 or remove the package from the image.", "name": "sanitize-html: improper validation of hostnames set by the "allowedIframeHostnames" option can lead to bypass hostname whitelist for iframe element", "osi_layer": "NOT_APPLICABLE", 
@@ -38481,7 +38481,7 @@ The supplied patch on top of 0.5.34 is applicable with minor tweaks to all affec }, "category": "NPM Package Vulnerability", "description": "Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package sanitize-html to the fixed version: 2.12.1 or remove the package from the image.", "name": "sanitize-html: Information Exposure when used on the backend", "osi_layer": "NOT_APPLICABLE", @@ -38585,7 +38585,7 @@ console.log(clean); // !! \`\`\`", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package sanitize-html to the fixed version: >=1.11.4 or remove the package from the image.", "name": "Cross Site Scripting", "osi_layer": "NOT_APPLICABLE", @@ -38650,7 +38650,7 @@ console.log(clean); ", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", "name": "nodejs-semver: Regular expression denial of service", "osi_layer": "NOT_APPLICABLE", 
@@ -38811,7 +38811,7 @@ console.log(clean); ", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", "name": "nodejs-semver: Regular expression denial of service", "osi_layer": "NOT_APPLICABLE", @@ -38972,7 +38972,7 @@ console.log(clean); ", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", "name": "nodejs-semver: Regular expression denial of service", "osi_layer": "NOT_APPLICABLE", @@ -39133,7 +39133,7 @@ console.log(clean); ", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", "name": "nodejs-semver: Regular expression denial of service", "osi_layer": "NOT_APPLICABLE", @@ -39294,7 +39294,7 @@ console.log(clean); ", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", "name": "nodejs-semver: Regular expression denial of service", "osi_layer": "NOT_APPLICABLE", @@ -39455,7 +39455,7 @@ console.log(clean); ", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", "name": "nodejs-semver: Regular expression denial of service", "osi_layer": "NOT_APPLICABLE", 
@@ -39616,7 +39616,7 @@ console.log(clean); ", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", "name": "nodejs-semver: Regular expression denial of service", "osi_layer": "NOT_APPLICABLE", @@ -39777,7 +39777,7 @@ console.log(clean); ", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", "name": "nodejs-semver: Regular expression denial of service", "osi_layer": "NOT_APPLICABLE", @@ -39938,7 +39938,7 @@ console.log(clean); ", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", "name": "nodejs-semver: Regular expression denial of service", "osi_layer": "NOT_APPLICABLE", @@ -40099,7 +40099,7 @@ console.log(clean); ", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package semver to the fixed version: 7.5.2, 6.3.1, 5.7.2 or remove the package from the image.", "name": "nodejs-semver: Regular expression denial of service", "osi_layer": "NOT_APPLICABLE", 
@@ -40237,7 +40237,7 @@ console.log(clean); }, "category": "NPM Package Vulnerability", "description": "Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package send to the fixed version: 0.19.0 or remove the package from the image.", "name": "send: Code Execution Vulnerability in Send Library", "osi_layer": "NOT_APPLICABLE", @@ -40299,7 +40299,7 @@ console.log(clean); }, "category": "NPM Package Vulnerability", "description": "Due to improper artibute filtering in the sequalize js library, can a attacker peform SQL injections.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package sequelize to the fixed version: 6.29.0 or remove the package from the image.", "name": "Sequelize - Default support for “raw attributes” when using parentheses", "osi_layer": "NOT_APPLICABLE", @@ -40378,7 +40378,7 @@ console.log(clean); }, "category": "NPM Package Vulnerability", "description": "Due to improper parameter filtering in the sequalize js library, can a attacker peform injection.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package sequelize to the fixed version: 6.28.1 or remove the package from the image.", "name": "Unsafe fall-through in getWhereConditions", "osi_layer": "NOT_APPLICABLE", 
@@ -40457,7 +40457,7 @@ console.log(clean); }, "category": "NPM Package Vulnerability", "description": "Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. Users unable to upgrade should not use the \`replacements\` and the \`where\` option in the same query.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package sequelize to the fixed version: 6.19.1 or remove the package from the image.", "name": "Sequelize vulnerable to SQL Injection via replacements", "osi_layer": "NOT_APPLICABLE", @@ -40522,7 +40522,7 @@ console.log(clean); }, "category": "NPM Package Vulnerability", "description": "Due to improper input filtering in the sequalize js library, can malicious queries lead to sensitive information disclosure.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package sequelize to the fixed version: 6.28.1 or remove the package from the image.", "name": "Sequelize information disclosure vulnerability", "osi_layer": "NOT_APPLICABLE", 
@@ -40593,7 +40593,7 @@ console.log(clean); }, "category": "NPM Package Vulnerability", "description": "serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package serve-static to the fixed version: 1.16.0, 2.1.0 or remove the package from the image.", "name": "serve-static: Improper Sanitization in serve-static", "osi_layer": "NOT_APPLICABLE", @@ -40661,7 +40661,7 @@ console.log(clean); "description": "Improper Removal of Sensitive Information Before Storage or Transfer in NPM simple-get prior to 4.0.1. ", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package simple-get to the fixed version: 4.0.1, 3.1.1, 2.8.2 or remove the package from the image.", "name": "simple-get: exposure of sensitive information to an unauthorized actor", "osi_layer": "NOT_APPLICABLE", 
@@ -40737,7 +40737,7 @@ console.log(clean); "category": "NPM Package Vulnerability", "description": "Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit \`15af22fc22\` which has been included in \`socket.io@4.6.2\` (released in May 2023). The fix was backported in the 2.x branch as well with commit \`d30630ba10\`. Users are advised to upgrade. Users unable to upgrade may attach a listener for the "error" event to catch these errors. ", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package socket.io to the fixed version: 2.5.1, 4.6.2 or remove the package from the image.", "name": "socket.io: Unhandled 'error' event", "osi_layer": "NOT_APPLICABLE", @@ -40803,7 +40803,7 @@ console.log(clean); }, "category": "NPM Package Vulnerability", "description": "Due to improper type validation in attachment parsing the Socket.io js library, it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package socket.io-parser to the fixed version: 4.0.5, 4.2.1, 3.3.3, 3.4.2 or remove the package from the image.", "name": "Insufficient validation when decoding a Socket.IO packet", "osi_layer": "NOT_APPLICABLE", 
@@ -40881,7 +40881,7 @@ console.log(clean); "description": "socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. A patch has been released in version 4.2.3. ", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package socket.io-parser to the fixed version: 4.2.3, 3.4.3, 3.3.4 or remove the package from the image.", "name": "socket.io parser is a socket.io encoder and decoder written in JavaScr ...", "osi_layer": "NOT_APPLICABLE", @@ -40952,7 +40952,7 @@ console.log(clean); }, "category": "NPM Package Vulnerability", "description": "The package sqlite3 before 5.0.3 are vulnerable to Denial of Service (DoS) which will invoke the toString function of the passed parameter. If passed an invalid Function object it will throw and crash the V8 engine.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package sqlite3 to the fixed version: 5.0.3 or remove the package from the image.", "name": "sqlite3: Denial of Service (DoS) in sqlite3", "osi_layer": "NOT_APPLICABLE", 
@@ -41029,7 +41029,7 @@ console.log(clean); }, "category": "NPM Package Vulnerability", "description": "A code execution vulnerability exists in the Statement Bindings functionality of Ghost Foundation node-sqlite3 5.1.1. A specially-crafted Javascript file can lead to arbitrary code execution. An attacker can provide malicious input to trigger this vulnerability.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package sqlite3 to the fixed version: 5.1.5 or remove the package from the image.", "name": "A code execution vulnerability exists in the Statement Bindings functi ...", "osi_layer": "NOT_APPLICABLE", @@ -41083,7 +41083,7 @@ console.log(clean); }, "category": "NPM Package Vulnerability", "description": "The swagger-ui-dist package before 4.1.3 for Node.js could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package swagger-ui-dist to the fixed version: 4.1.3 or remove the package from the image.", "name": "Spoofing attack in swagger-ui-dist", "osi_layer": "NOT_APPLICABLE", 
@@ -41190,7 +41190,7 @@ Through the exploration of this issue, it became apparent that users may not be **Warning** in versions < 3.38.0, it is possible to combine the URL options (as mentioned above) with a vulnerability in DOMPurify (https://www.cvedetails.com/cve/CVE-2020-26870/) to create a reflected XSS vector. If your version of Swagger UI is older than 3.38.0, we suggest you upgrade or implement the workaround as mentioned above. ", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package swagger-ui-dist to the fixed version: 4.1.3 or remove the package from the image.", "name": "Server side request forgery in SwaggerUI", "osi_layer": "NOT_APPLICABLE", 
@@ -41243,7 +41243,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the \`preservePaths\` flag is not set to \`true\`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example \`/home/user/.bashrc\` would turn into \`home/user/.bashrc\`. This logic was insufficient when file paths contained repeated path roots such as \`////home/user/.bashrc\`. \`node-tar\` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. \`///home/user/.bashrc\`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom \`onentry\` method which sanitizes the \`entry.path\` or a \`filter\` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package tar to the fixed version: 3.2.2, 4.4.14, 5.0.6, 6.1.1 or remove the package from the image.", "name": "nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite", "osi_layer": "NOT_APPLICABLE", 
@@ -41334,7 +41334,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain \`..\` path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as \`C:some\\path\`. If the drive letter does not match the extraction target, for example \`D:\\extraction\\dir\`, then the result of \`path.resolve(extractionDirectory, entryPath)\` would resolve against the current working directory on the \`C:\` drive, rather than the extraction target directory. Additionally, a \`..\` portion of the path could occur immediately after the drive letter, such as \`C:../foo\`, and was not properly sanitized by the logic that checked for \`..\` within the normalized and split portions of the path. This only affects users of \`node-tar\` on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. 
Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package tar to the fixed version: 4.4.18, 5.0.10, 6.1.9 or remove the package from the image.", "name": "nodejs-tar: Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization", "osi_layer": "NOT_APPLICABLE", @@ -41421,7 +41421,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package tar to the fixed version: 6.2.1 or remove the package from the image.", "name": "node-tar: denial of service while parsing a tar file due to lack of folders depth validation", "osi_layer": "NOT_APPLICABLE", 
@@ -41524,7 +41524,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package tar to the fixed version: 6.2.1 or remove the package from the image.", "name": "node-tar: denial of service while parsing a tar file due to lack of folders depth validation", "osi_layer": "NOT_APPLICABLE", @@ -41627,7 +41627,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package tar to the fixed version: 6.2.1 or remove the package from the image.", "name": "node-tar: denial of service while parsing a tar file due to lack of folders depth validation", "osi_layer": "NOT_APPLICABLE", 
@@ -41730,7 +41730,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package tar to the fixed version: 6.2.1 or remove the package from the image.", "name": "node-tar: denial of service while parsing a tar file due to lack of folders depth validation", "osi_layer": "NOT_APPLICABLE", @@ -41833,7 +41833,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package tar to the fixed version: 6.2.1 or remove the package from the image.", "name": "node-tar: denial of service while parsing a tar file due to lack of folders depth validation", "osi_layer": "NOT_APPLICABLE", 
@@ -41936,7 +41936,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package tough-cookie to the fixed version: 4.1.3 or remove the package from the image.", "name": "tough-cookie: prototype pollution in cookie memstore", "osi_layer": "NOT_APPLICABLE", @@ -42039,7 +42039,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package tough-cookie to the fixed version: 4.1.3 or remove the package from the image.", "name": "tough-cookie: prototype pollution in cookie memstore", "osi_layer": "NOT_APPLICABLE", 
@@ -42133,7 +42133,7 @@ Through the exploration of this issue, it became apparent that users may not be }, "category": "NPM Package Vulnerability", "description": "validator.js is vulnerable to Inefficient Regular Expression Complexity", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package validator to the fixed version: 13.7.0 or remove the package from the image.", "name": "validator: Inefficient Regular Expression Complexity in Validator.js", "osi_layer": "NOT_APPLICABLE", @@ -42195,7 +42195,7 @@ Versions of \`validator\` prior to 13.7.0 are affected by an inefficient Regular ### Patches The problem has been patched in validator 13.7.0", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package validator to the fixed version: 13.7.0 or remove the package from the image.", "name": "Inefficient Regular Expression Complexity in Validator.js", "osi_layer": "NOT_APPLICABLE", @@ -42247,7 +42247,7 @@ The problem has been patched in validator 13.7.0", }, "category": "NPM Package Vulnerability", "description": "This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package vm2 to the fixed version: 3.9.4 or remove the package from the image.", "name": "Prototype Pollution in vm2", "osi_layer": "NOT_APPLICABLE", 
@@ -42314,7 +42314,7 @@ The problem has been patched in validator 13.7.0", }, "category": "NPM Package Vulnerability", "description": "The package vm2 before 3.9.6 are vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation of a stacktraces, which can lead to execution of arbitrary code on the host machine.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package vm2 to the fixed version: 3.9.6 or remove the package from the image.", "name": "vm2: vulnerable to Sandbox Bypass", "osi_layer": "NOT_APPLICABLE", @@ -42376,7 +42376,7 @@ The problem has been patched in validator 13.7.0", }, "category": "NPM Package Vulnerability", "description": "The package vm2 before 3.9.10 are vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package vm2 to the fixed version: 3.9.10 or remove the package from the image.", "name": "vm2 vulnerable to Arbitrary Code Execution", "osi_layer": "NOT_APPLICABLE", 
@@ -42439,7 +42439,7 @@ The problem has been patched in validator 13.7.0", }, "category": "NPM Package Vulnerability", "description": "vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package vm2 to the fixed version: 3.9.11 or remove the package from the image.", "name": "vm2: Sandbox Escape in vm2", "osi_layer": "NOT_APPLICABLE", @@ -42519,7 +42519,7 @@ The problem has been patched in validator 13.7.0", }, "category": "NPM Package Vulnerability", "description": "vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to \`Error.prepareStackTrace\` in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.15 of vm2. There are no known workarounds.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package vm2 to the fixed version: 3.9.15 or remove the package from the image.", "name": "vm2: sandbox escape", "osi_layer": "NOT_APPLICABLE", 
@@ -42589,7 +42589,7 @@ The problem has been patched in validator 13.7.0", "category": "NPM Package Vulnerability", "description": "There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass \`handleException()\` and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context. A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version \`3.9.16\` of \`vm2\`. ", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package vm2 to the fixed version: 3.9.16 or remove the package from the image.", "name": "vm2: Sandbox Escape", "osi_layer": "NOT_APPLICABLE", @@ -42662,7 +42662,7 @@ The problem has been patched in validator 13.7.0", }, "category": "NPM Package Vulnerability", "description": "vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside \`handleException()\` which can be used to escape the sandbox and run arbitrary code in host context. This vulnerability was patched in the release of version \`3.9.17\` of \`vm2\`. There are no known workarounds for this vulnerability. Users are advised to upgrade.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package vm2 to the fixed version: 3.9.17 or remove the package from the image.", "name": "vm2: Sandbox Escape when exception sanitization", "osi_layer": "NOT_APPLICABLE", 
@@ -42734,7 +42734,7 @@ The problem has been patched in validator 13.7.0", }, "category": "NPM Package Vulnerability", "description": "vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. It abuses an unexpected creation of a host object based on the specification of \`Proxy\`. As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version \`3.9.18\` of \`vm2\`. Users are advised to upgrade. There are no known workarounds for this vulnerability.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package vm2 to the fixed version: 3.9.18 or remove the package from the image.", "name": "vm2: Sandbox Escape", "osi_layer": "NOT_APPLICABLE", @@ -42801,7 +42801,7 @@ The problem has been patched in validator 13.7.0", }, "category": "NPM Package Vulnerability", "description": "vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, \`Promise\` handler sanitization can be bypassed with the \`@@species\` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package vm2 to the fixed version: undefined or remove the package from the image.", "name": "vm2: Promise handler sanitization can be bypassed allowing attackers to escape the sandbox and run arbitrary code", "osi_layer": "NOT_APPLICABLE", 
@@ -42864,7 +42864,7 @@ The problem has been patched in validator 13.7.0", }, "category": "NPM Package Vulnerability", "description": "vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. There are no patches and no known workarounds. Users are advised to find an alternative software.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package vm2 to the fixed version: undefined or remove the package from the image.", "name": "vm2: custom inspect function allows attackers to escape the sandbox and run arbitrary code", "osi_layer": "NOT_APPLICABLE", @@ -42928,7 +42928,7 @@ The problem has been patched in validator 13.7.0", }, "category": "NPM Package Vulnerability", "description": "vm2 is a sandbox that can run untrusted code with Node's built-in modules. In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node \`inspect\` method and edit options for \`console.log\`. As a result a threat actor can edit options for the \`console.log\` command. This vulnerability was patched in the release of version \`3.9.18\` of \`vm2\`. Users are advised to upgrade. Users unable to upgrade may make the \`inspect\` method readonly with \`vm.readonly(inspect)\` after creating a vm.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package vm2 to the fixed version: 3.9.18 or remove the package from the image.", "name": "vm2: Inspect Manipulation", "osi_layer": "NOT_APPLICABLE", 
@@ -43002,7 +43002,7 @@ The problem has been patched in validator 13.7.0", "description": "All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable. ", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package word-wrap to the fixed version: 1.2.4 or remove the package from the image.", "name": "word-wrap: ReDoS", "osi_layer": "NOT_APPLICABLE", @@ -43090,7 +43090,7 @@ The problem has been patched in validator 13.7.0", }, "category": "NPM Package Vulnerability", "description": "ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package ws to the fixed version: 5.2.4, 6.2.3, 7.5.10, 8.17.1 or remove the package from the image.", "name": "nodejs-ws: denial of service when handling a request with many HTTP headers", "osi_layer": "NOT_APPLICABLE", 
@@ -43173,7 +43173,7 @@ The problem has been patched in validator 13.7.0", }, "category": "NPM Package Vulnerability", "description": "An untrusted search path vulnerability was found in Yarn. When a victim runs certain Yarn commands in a directory with attacker-controlled content, malicious commands could be executed in unexpected ways.", - "location": "bkimminich/juice-shop:v12.10.2", + "location": "scb://trivy/?ArtifactName=bkimminich/juice-shop:v12.10.2", "mitigation": "Update the affected package yarn to the fixed version: 1.22.13 or remove the package from the image.", "name": "yarn: untrusted search path", "osi_layer": "NOT_APPLICABLE", @@ -43247,7 +43247,7 @@ exports[`parses securecodebox:master result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package request to the fixed version: undefined or remove the package from the image.", "name": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF ...", "osi_layer": "NOT_APPLICABLE", 
@@ -43342,7 +43342,7 @@ exports[`parses securecodebox:master result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package tough-cookie to the fixed version: 4.1.3 or remove the package from the image.", "name": "tough-cookie: prototype pollution in cookie memstore", "osi_layer": "NOT_APPLICABLE", @@ -43436,7 +43436,7 @@ exports[`parses securecodebox:master result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package body-parser to the fixed version: 1.20.3 or remove the package from the image.", "name": "body-parser: Denial of Service Vulnerability in body-parser", "osi_layer": "NOT_APPLICABLE", 
@@ -43495,7 +43495,7 @@ exports[`parses securecodebox:master result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package cookie to the fixed version: 0.7.0 or remove the package from the image.", "name": "cookie: cookie accepts cookie name, path, and domain with out of bounds characters", "osi_layer": "NOT_APPLICABLE", @@ -43557,7 +43557,7 @@ exports[`parses securecodebox:master result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package express to the fixed version: 4.20.0, 5.0.0 or remove the package from the image.", "name": "express: Improper Input Handling in Express Redirects", "osi_layer": "NOT_APPLICABLE", 
@@ -43617,7 +43617,7 @@ exports[`parses securecodebox:master result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package http-proxy-middleware to the fixed version: 2.0.7, 3.0.3 or remove the package from the image.", "name": "http-proxy-middleware: Denial of Service", "osi_layer": "NOT_APPLICABLE", 
@@ -43692,7 +43692,7 @@ exports[`parses securecodebox:master result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "The NPM package \`micromatch\` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in \`micromatch.braces()\` in \`index.js\` because the pattern \`.*\` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. This issue was fixed in version 4.0.8.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package micromatch to the fixed version: 4.0.8 or remove the package from the image.", "name": "micromatch: vulnerable to Regular Expression Denial of Service", "osi_layer": "NOT_APPLICABLE", 
@@ -43791,7 +43791,7 @@ exports[`parses securecodebox:master result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package path-to-regexp to the fixed version: 1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0 or remove the package from the image.", "name": "path-to-regexp: Backtracking regular expressions cause ReDoS", "osi_layer": "NOT_APPLICABLE", 
@@ -43874,7 +43874,7 @@ exports[`parses securecodebox:master result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package path-to-regexp to the fixed version: 1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0 or remove the package from the image.", "name": "path-to-regexp: Backtracking regular expressions cause ReDoS", "osi_layer": "NOT_APPLICABLE", 
@@ -43957,7 +43957,7 @@ exports[`parses securecodebox:master result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package path-to-regexp to the fixed version: 1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0 or remove the package from the image.", "name": "path-to-regexp: Backtracking regular expressions cause ReDoS", "osi_layer": "NOT_APPLICABLE", @@ -44035,7 +44035,7 @@ exports[`parses securecodebox:master result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package send to the fixed version: 0.19.0 or remove the package from the image.", "name": "send: Code Execution Vulnerability in Send Library", "osi_layer": "NOT_APPLICABLE", 
@@ -44094,7 +44094,7 @@ exports[`parses securecodebox:master result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package serve-static to the fixed version: 1.16.0, 2.1.0 or remove the package from the image.", "name": "serve-static: Improper Sanitization in serve-static", "osi_layer": "NOT_APPLICABLE", 
@@ -44159,7 +44159,7 @@ exports[`parses securecodebox:master result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s \`AutoPublicPathRuntimeModule\`. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an \`img\` tag with an unsanitized \`name\` attribute) are present. Real-world exploitation of this gadget has been observed in the Canvas LMS which allows a XSS attack to happen through a javascript code compiled by Webpack (the vulnerable part is from Webpack). DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. This issue has been addressed in release version 5.94.0. All users are advised to upgrade. There are no known workarounds for this issue.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package webpack to the fixed version: 5.94.0 or remove the package from the image.", "name": "webpack: DOM Clobbering vulnerability in AutoPublicPathRuntimeModule", "osi_layer": "NOT_APPLICABLE", 
@@ -44234,7 +44234,7 @@ exports[`parses securecodebox:master result file into findings 1`] = ` }, "category": "NPM Package Vulnerability", "description": "axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package axios to the fixed version: 1.7.4 or remove the package from the image.", "name": "axios: axios: Server-Side Request Forgery", "osi_layer": "NOT_APPLICABLE", @@ -44319,7 +44319,7 @@ exports[`parses securecodebox:master result file into findings 1`] = ` **Note:** There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package jsonpath-plus to the fixed version: 10.0.0 or remove the package from the image.", "name": "jsonpath-plus: Remote Code Execution in jsonpath-plus via Improper Input Sanitization", "osi_layer": "NOT_APPLICABLE", 
@@ -44396,7 +44396,7 @@ There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-P }, "category": "NPM Package Vulnerability", "description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package request to the fixed version: undefined or remove the package from the image.", "name": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF ...", "osi_layer": "NOT_APPLICABLE", @@ -44491,7 +44491,7 @@ There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-P }, "category": "NPM Package Vulnerability", "description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package tough-cookie to the fixed version: 4.1.3 or remove the package from the image.", "name": "tough-cookie: prototype pollution in cookie memstore", "osi_layer": "NOT_APPLICABLE", 
@@ -44591,7 +44591,7 @@ There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-P }, "category": "NPM Package Vulnerability", "description": "ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package ws to the fixed version: 5.2.4, 6.2.3, 7.5.10, 8.17.1 or remove the package from the image.", "name": "nodejs-ws: denial of service when handling a request with many HTTP headers", "osi_layer": "NOT_APPLICABLE", 
@@ -44680,7 +44680,7 @@ There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-P **Note:** There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package jsonpath-plus to the fixed version: 10.0.0 or remove the package from the image.", "name": "jsonpath-plus: Remote Code Execution in jsonpath-plus via Improper Input Sanitization", "osi_layer": "NOT_APPLICABLE", @@ -44757,7 +44757,7 @@ There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-P }, "category": "NPM Package Vulnerability", "description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package request to the fixed version: undefined or remove the package from the image.", "name": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF ...", "osi_layer": "NOT_APPLICABLE", 
@@ -44852,7 +44852,7 @@ There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-P }, "category": "NPM Package Vulnerability", "description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package tough-cookie to the fixed version: 4.1.3 or remove the package from the image.", "name": "tough-cookie: prototype pollution in cookie memstore", "osi_layer": "NOT_APPLICABLE", @@ -44951,7 +44951,7 @@ There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-P }, "category": "NPM Package Vulnerability", "description": "axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package axios to the fixed version: 1.7.4 or remove the package from the image.", "name": "axios: axios: Server-Side Request Forgery", "osi_layer": "NOT_APPLICABLE", 
@@ -45034,7 +45034,7 @@ There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-P }, "category": "NPM Package Vulnerability", "description": "axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package axios to the fixed version: 1.7.4 or remove the package from the image.", "name": "axios: axios: Server-Side Request Forgery", "osi_layer": "NOT_APPLICABLE", @@ -45119,7 +45119,7 @@ There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-P **Note:** There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package jsonpath-plus to the fixed version: 10.0.0 or remove the package from the image.", "name": "jsonpath-plus: Remote Code Execution in jsonpath-plus via Improper Input Sanitization", "osi_layer": "NOT_APPLICABLE", 
@@ -45196,7 +45196,7 @@ There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-P }, "category": "NPM Package Vulnerability", "description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package request to the fixed version: undefined or remove the package from the image.", "name": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF ...", "osi_layer": "NOT_APPLICABLE", @@ -45291,7 +45291,7 @@ There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-P }, "category": "NPM Package Vulnerability", "description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package tough-cookie to the fixed version: 4.1.3 or remove the package from the image.", "name": "tough-cookie: prototype pollution in cookie memstore", "osi_layer": "NOT_APPLICABLE", 
@@ -45391,7 +45391,7 @@ There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-P }, "category": "NPM Package Vulnerability", "description": "ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package ws to the fixed version: 5.2.4, 6.2.3, 7.5.10, 8.17.1 or remove the package from the image.", "name": "nodejs-ws: denial of service when handling a request with many HTTP headers", "osi_layer": "NOT_APPLICABLE", 
@@ -45480,7 +45480,7 @@ There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-P **Note:** There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package jsonpath-plus to the fixed version: 10.0.0 or remove the package from the image.", "name": "jsonpath-plus: Remote Code Execution in jsonpath-plus via Improper Input Sanitization", "osi_layer": "NOT_APPLICABLE", @@ -45557,7 +45557,7 @@ There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-P }, "category": "NPM Package Vulnerability", "description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package request to the fixed version: undefined or remove the package from the image.", "name": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF ...", "osi_layer": "NOT_APPLICABLE", 
@@ -45652,7 +45652,7 @@ There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-P }, "category": "NPM Package Vulnerability", "description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package tough-cookie to the fixed version: 4.1.3 or remove the package from the image.", "name": "tough-cookie: prototype pollution in cookie memstore", "osi_layer": "NOT_APPLICABLE", @@ -45760,7 +45760,7 @@ There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-P }, "category": "NPM Package Vulnerability", "description": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package lodash.set to the fixed version: undefined or remove the package from the image.", "name": "nodejs-lodash: prototype pollution in zipObjectDeep function", "osi_layer": "NOT_APPLICABLE", 
@@ -45903,7 +45903,7 @@ There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-P }, "category": "Image Vulnerability", "description": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package golang.org/x/net to the fixed version: 0.23.0 or remove the package from the image.", "name": "golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS", "osi_layer": "NOT_APPLICABLE", 
@@ -46084,7 +46084,7 @@ There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-P }, "category": "NPM Package Vulnerability", "description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package request to the fixed version: undefined or remove the package from the image.", "name": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF ...", "osi_layer": "NOT_APPLICABLE", @@ -46179,7 +46179,7 @@ There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-P }, "category": "NPM Package Vulnerability", "description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package tough-cookie to the fixed version: 4.1.3 or remove the package from the image.", "name": "tough-cookie: prototype pollution in cookie memstore", "osi_layer": "NOT_APPLICABLE", 
@@ -46278,7 +46278,7 @@ There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-P }, "category": "NPM Package Vulnerability", "description": "axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package axios to the fixed version: 1.7.4 or remove the package from the image.", "name": "axios: axios: Server-Side Request Forgery", "osi_layer": "NOT_APPLICABLE", @@ -46363,7 +46363,7 @@ There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-P **Note:** There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package jsonpath-plus to the fixed version: 10.0.0 or remove the package from the image.", "name": "jsonpath-plus: Remote Code Execution in jsonpath-plus via Improper Input Sanitization", "osi_layer": "NOT_APPLICABLE", 
@@ -46440,7 +46440,7 @@ There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-P }, "category": "NPM Package Vulnerability", "description": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package request to the fixed version: undefined or remove the package from the image.", "name": "The Request package through 2.88.1 for Node.js allows a bypass of SSRF ...", "osi_layer": "NOT_APPLICABLE", @@ -46535,7 +46535,7 @@ There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-P }, "category": "NPM Package Vulnerability", "description": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package tough-cookie to the fixed version: 4.1.3 or remove the package from the image.", "name": "tough-cookie: prototype pollution in cookie memstore", "osi_layer": "NOT_APPLICABLE", 
@@ -46635,7 +46635,7 @@ There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-P }, "category": "NPM Package Vulnerability", "description": "ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package ws to the fixed version: 5.2.4, 6.2.3, 7.5.10, 8.17.1 or remove the package from the image.", "name": "nodejs-ws: denial of service when handling a request with many HTTP headers", "osi_layer": "NOT_APPLICABLE", 
@@ -46719,7 +46719,7 @@ There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-P }, "category": "NPM Package Vulnerability", "description": "The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package ip to the fixed version: undefined or remove the package from the image.", "name": "node-ip: Incomplete fix for CVE-2023-42282", "osi_layer": "NOT_APPLICABLE", @@ -46790,7 +46790,7 @@ There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-P }, "category": "NPM Package Vulnerability", "description": "The NPM package \`braces\`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In \`lib/parse.js,\` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package braces to the fixed version: 3.0.3 or remove the package from the image.", "name": "braces: fails to limit the number of characters it can handle", "osi_layer": "NOT_APPLICABLE", 
@@ -46877,7 +46877,7 @@ There was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-P }, "category": "NPM Package Vulnerability", "description": "The NPM package \`micromatch\` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in \`micromatch.braces()\` in \`index.js\` because the pattern \`.*\` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. This issue was fixed in version 4.0.8.", - "location": "https://github.com/secureCodeBox/secureCodeBox", + "location": "scb://trivy/?ArtifactName=https://github.com/secureCodeBox/secureCodeBox", "mitigation": "Update the affected package micromatch to the fixed version: 4.0.8 or remove the package from the image.", "name": "micromatch: vulnerable to Regular Expression Denial of Service", "osi_layer": "NOT_APPLICABLE", @@ -46972,7 +46972,7 @@ exports[`should parse a trivy-k8s scan result 1`] = ` }, "category": "Misconfiguration", "description": "Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-controller-manager'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-controller-manager", "mitigation": "Set 'containers[].securityContext.runAsUser' to an integer > 10000.", "name": "Runs with low user ID(Container 'manager' of Deployment 'securecodebox-controller-manager' should set 'securityContext.runAsUser' > 10000)", "references": [ 
@@ -47001,7 +47001,7 @@ exports[`should parse a trivy-k8s scan result 1`] = ` }, "category": "Misconfiguration", "description": "Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-controller-manager'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-controller-manager", "mitigation": "Set 'containers[].securityContext.runAsGroup' to an integer > 10000.", "name": "Runs with low group ID(Container 'manager' of Deployment 'securecodebox-controller-manager' should set 'securityContext.runAsGroup' > 10000)", "references": [ @@ -47030,7 +47030,7 @@ exports[`should parse a trivy-k8s scan result 1`] = ` }, "category": "Misconfiguration", "description": "The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-controller-manager'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-controller-manager", "mitigation": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", "name": "Default Seccomp profile not set(Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault')", "references": [ 
@@ -47059,7 +47059,7 @@ exports[`should parse a trivy-k8s scan result 1`] = ` }, "category": "Misconfiguration", "description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-controller-manager'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-controller-manager", "mitigation": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", "name": "Container capabilities must only include NET_BIND_SERVICE(container should drop all)", "references": [ @@ -47098,7 +47098,7 @@ exports[`should parse a trivy-k8s scan result 1`] = ` }, "category": "Vulnerability", "description": "A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto SDK for golang", "references": [ 
@@ -47181,7 +47181,7 @@ exports[`should parse a trivy-k8s scan result 1`] = ` }, "category": "Vulnerability", "description": "A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto SDK for golang", "references": [ 
@@ -47331,7 +47331,7 @@ exports[`should parse a trivy-k8s scan result 1`] = ` }, "category": "Vulnerability", "description": "client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of \`promhttp.InstrumentHandler*\` middleware except \`RequestsInFlight\`; not filter any specific methods (e.g GET) before middleware; pass metric with \`method\` label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown \`method\`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the \`method\` label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "Denial of service using InstrumentHandlerCounter", "references": [ 
@@ -47679,7 +47679,7 @@ exports[`should parse a trivy-k8s scan result 1`] = ` }, "category": "Vulnerability", "description": "The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "golang.org/x/crypto: empty plaintext packet causes panic", "references": [ @@ -47772,7 +47772,7 @@ exports[`should parse a trivy-k8s scan result 1`] = ` }, "category": "Vulnerability", "description": "The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "crash in a golang.org/x/crypto/ssh server", "references": [ @@ -47952,7 +47952,7 @@ exports[`should parse a trivy-k8s scan result 1`] = ` }, "category": "Vulnerability", "description": "net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "golang: net/http: limit growth of header canonicalization cache", "references": [ 
@@ -48110,7 +48110,7 @@ exports[`should parse a trivy-k8s scan result 1`] = ` }, "category": "Vulnerability", "description": "In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "handle server errors after sending GOAWAY", "references": [ @@ -48351,7 +48351,7 @@ exports[`should parse a trivy-k8s scan result 1`] = ` }, "category": "Vulnerability", "description": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "avoid quadratic complexity in HPACK decoding", "references": [ @@ -48450,7 +48450,7 @@ exports[`should parse a trivy-k8s scan result 1`] = ` }, "category": "Vulnerability", "description": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "excessive memory growth in a Go server accepting HTTP/2 requests", "references": [ 
@@ -48575,7 +48575,7 @@ exports[`should parse a trivy-k8s scan result 1`] = ` }, "category": "Vulnerability", "description": "Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "faccessat checks wrong group", "references": [ @@ -48698,7 +48698,7 @@ exports[`should parse a trivy-k8s scan result 1`] = ` }, "category": "Vulnerability", "description": "golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "out-of-bounds read in golang.org/x/text/language leads to DoS", "references": [ @@ -48783,7 +48783,7 @@ exports[`should parse a trivy-k8s scan result 1`] = ` }, "category": "Vulnerability", "description": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "ParseAcceptLanguage takes a long time to parse complex tags", "references": [ 
@@ -48869,7 +48869,7 @@ exports[`should parse a trivy-k8s scan result 1`] = ` }, "category": "Vulnerability", "description": "An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "crash when attempting to deserialize invalid input", "references": [ @@ -48922,7 +48922,7 @@ exports[`should parse a trivy-k8s scan result 1`] = ` }, "category": "Misconfiguration", "description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": "Set a limit value under 'containers[].resources.limits.cpu'.", "name": "CPU not limited(Container 'coredns' of Deployment 'coredns' should set 'resources.limits.cpu')", "references": [ @@ -48951,7 +48951,7 @@ exports[`should parse a trivy-k8s scan result 1`] = ` }, "category": "Misconfiguration", "description": "'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": "Set 'containers[].securityContext.runAsNonRoot' to true.", "name": "Runs as root user(Container 'coredns' of Deployment 'coredns' should set 'securityContext.runAsNonRoot' to true)", "references": [ 
@@ -48980,7 +48980,7 @@ exports[`should parse a trivy-k8s scan result 1`] = ` }, "category": "Misconfiguration", "description": "Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": "Set 'containers[].securityContext.runAsUser' to an integer > 10000.", "name": "Runs with low user ID(Container 'coredns' of Deployment 'coredns' should set 'securityContext.runAsUser' > 10000)", "references": [ @@ -49009,7 +49009,7 @@ exports[`should parse a trivy-k8s scan result 1`] = ` }, "category": "Misconfiguration", "description": "Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": "Set 'containers[].securityContext.runAsGroup' to an integer > 10000.", "name": "Runs with low group ID(Container 'coredns' of Deployment 'coredns' should set 'securityContext.runAsGroup' > 10000)", "references": [ @@ -49038,7 +49038,7 @@ exports[`should parse a trivy-k8s scan result 1`] = ` }, "category": "Misconfiguration", "description": "Adding NET_RAW or capabilities beyond the default set must be disallowed.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": "Do not set spec.containers[*].securityContext.capabilities.add and spec.initContainers[*].securityContext.capabilities.add", "name": "Non-default capabilities added(Container 'coredns' of Deployment 'coredns' should not set 'securityContext.capabilities.add')", "references": [ 
@@ -49067,7 +49067,7 @@ exports[`should parse a trivy-k8s scan result 1`] = ` }, "category": "Misconfiguration", "description": "The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", "name": "Default Seccomp profile not set(Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault')", "references": [ @@ -49096,7 +49096,7 @@ exports[`should parse a trivy-k8s scan result 1`] = ` }, "category": "Misconfiguration", "description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", "name": "Container capabilities must only include NET_BIND_SERVICE(container should drop all)", "references": [ 
@@ -49131,7 +49131,7 @@ exports[`should parse a trivy-k8s scan result 1`] = ` }, "category": "Vulnerability", "description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions", "references": [ @@ -49194,7 +49194,7 @@ exports[`should parse a trivy-k8s scan result 1`] = ` }, "category": "Vulnerability", "description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", "references": [ 
@@ -49256,7 +49256,7 @@ exports[`should parse a trivy-k8s scan result 1`] = ` }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "glibc: stack guard protection bypass", "references": [ @@ -49315,7 +49315,7 @@ exports[`should parse a trivy-k8s scan result 1`] = ` }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "glibc: running ldd on malicious ELF leads to code execution because of wrong size computation", "references": [ 
@@ -49379,7 +49379,7 @@ exports[`should parse a trivy-k8s scan result 1`] = ` }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "glibc: ASLR bypass using cache of thread stack and heap", "references": [ @@ -49446,7 +49446,7 @@ exports[`should parse a trivy-k8s scan result 1`] = ` }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability."", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "glibc: information disclosure of heap addresses of pthread_created thread", "references": [ 
@@ -49506,7 +49506,7 @@ exports[`should parse a trivy-k8s scan result 1`] = ` }, "category": "Vulnerability", "description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", "references": [ @@ -49571,7 +49571,7 @@ exponential use of computational resources, leading to a denial-of-service Policy processing is disabled by default but can be enabled by passing the \`-policy' argument to the command line utilities or by calling the \`X509_VERIFY_PARAM_set1_policies()' function.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "Denial of service by excessive resource usage in verifying X509 policy constraints", "references": [ 
@@ -49704,7 +49704,7 @@ such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "Possible DoS translating ASN.1 object identifiers", "references": [ @@ -49806,7 +49806,7 @@ in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the \`-policy' argument to the command line utilities or by calling the \`X509_VERIFY_PARAM_set1_policies()' function.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "Invalid certificate policies in leaf certificates are silently ignored", "references": [ @@ -49910,7 +49910,7 @@ the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "Certificate policy check not enabled", "references": [ 
@@ -49996,7 +49996,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain "skeleton key" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "Dual_EC_DRBG: weak pseudo random number generator", "references": [ @@ -50072,7 +50072,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "openssl: RSA authentication weakness", "references": [ 
@@ -50153,7 +50153,7 @@ exponential use of computational resources, leading to a denial-of-service Policy processing is disabled by default but can be enabled by passing the \`-policy' argument to the command line utilities or by calling the \`X509_VERIFY_PARAM_set1_policies()' function.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "Denial of service by excessive resource usage in verifying X509 policy constraints", "references": [ @@ -50286,7 +50286,7 @@ such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "Possible DoS translating ASN.1 object identifiers", "references": [ @@ -50388,7 +50388,7 @@ in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the \`-policy' argument to the command line utilities or by calling the \`X509_VERIFY_PARAM_set1_policies()' function.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "Invalid certificate policies in leaf certificates are silently ignored", "references": [ 
@@ -50492,7 +50492,7 @@ the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "Certificate policy check not enabled", "references": [ @@ -50578,7 +50578,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain "skeleton key" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "Dual_EC_DRBG: weak pseudo random number generator", "references": [ 
@@ -50654,7 +50654,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "openssl: RSA authentication weakness", "references": [ 
@@ -50792,7 +50792,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of \`promhttp.InstrumentHandler*\` middleware except \`RequestsInFlight\`; not filter any specific methods (e.g GET) before middleware; pass metric with \`method\` label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown \`method\`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the \`method\` label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "Denial of service using InstrumentHandlerCounter", "references": [ 
@@ -51140,7 +51140,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "golang.org/x/crypto: empty plaintext packet causes panic", "references": [ @@ -51233,7 +51233,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "crash in a golang.org/x/crypto/ssh server", "references": [ @@ -51404,7 +51404,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "golang: x/net/html: infinite loop in ParseFragment", "references": [ 
@@ -51496,7 +51496,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "golang: net/http: limit growth of header canonicalization cache", "references": [ @@ -51654,7 +51654,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "handle server errors after sending GOAWAY", "references": [ @@ -51895,7 +51895,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "avoid quadratic complexity in HPACK decoding", "references": [ 
@@ -51988,7 +51988,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header", "references": [ @@ -52087,7 +52087,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "excessive memory growth in a Go server accepting HTTP/2 requests", "references": [ 
@@ -52212,7 +52212,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "faccessat checks wrong group", "references": [ @@ -52335,7 +52335,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "out-of-bounds read in golang.org/x/text/language leads to DoS", "references": [ @@ -52420,7 +52420,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "ParseAcceptLanguage takes a long time to parse complex tags", "references": [ 
@@ -52514,7 +52514,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "kubernetes: Denial of service in API server via crafted YAML payloads by authorized users", "references": [ @@ -52607,7 +52607,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9", "references": [ 
@@ -52672,7 +52672,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", "name": "Process can elevate its own privileges(Container 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'securityContext.allowPrivilegeEscalation' to false)", "references": [ @@ -52701,7 +52701,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": "Add 'ALL' to containers[].securityContext.capabilities.drop.", "name": "Default capabilities not dropped(Container 'local-path-provisioner' of Deployment 'local-path-provisioner' should add 'ALL' to 'securityContext.capabilities.drop')", "references": [ 
@@ -52730,7 +52730,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": "Set a limit value under 'containers[].resources.limits.cpu'.", "name": "CPU not limited(Container 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'resources.limits.cpu')", "references": [ @@ -52759,7 +52759,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": "Set 'containers[].securityContext.runAsNonRoot' to true.", "name": "Runs as root user(Container 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'securityContext.runAsNonRoot' to true)", "references": [ 
@@ -52788,7 +52788,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", "name": "Root file system is not read-only(Container 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'securityContext.readOnlyRootFilesystem' to true)", "references": [ @@ -52817,7 +52817,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": "Set 'containers[].resources.requests.cpu'.", "name": "CPU requests not specified(Container 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'resources.requests.cpu')", "references": [ 
@@ -52846,7 +52846,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": "Set 'containers[].resources.requests.memory'.", "name": "Memory requests not specified(Container 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'resources.requests.memory')", "references": [ @@ -52875,7 +52875,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": "Set a limit value under 'containers[].resources.limits.memory'.", "name": "Memory not limited(Container 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'resources.limits.memory')", "references": [ @@ -52904,7 +52904,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": "Set 'containers[].securityContext.runAsUser' to an integer > 10000.", "name": "Runs with low user ID(Container 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'securityContext.runAsUser' > 10000)", "references": [ 
@@ -52933,7 +52933,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": "Set 'containers[].securityContext.runAsGroup' to an integer > 10000.", "name": "Runs with low group ID(Container 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'securityContext.runAsGroup' > 10000)", "references": [ @@ -52962,7 +52962,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", "name": "Default Seccomp profile not set(Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault')", "references": [ 
@@ -52991,7 +52991,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", "name": "Container capabilities must only include NET_BIND_SERVICE(container should drop all)", "references": [ @@ -53020,7 +53020,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Disable profiling, if not needed.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-scheduler-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-scheduler-kind-control-plane", "mitigation": "Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml file on the Control Plane node and set the below parameter.", "name": "Ensure that the --profiling argument is set to false(Ensure that the --profiling argument is set to false)", "references": [ 
@@ -53049,7 +53049,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-scheduler-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-scheduler-kind-control-plane", "mitigation": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", "name": "Process can elevate its own privileges(Container 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'securityContext.allowPrivilegeEscalation' to false)", "references": [ @@ -53078,7 +53078,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-scheduler-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-scheduler-kind-control-plane", "mitigation": "Add 'ALL' to containers[].securityContext.capabilities.drop.", "name": "Default capabilities not dropped(Container 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should add 'ALL' to 'securityContext.capabilities.drop')", "references": [ 
@@ -53107,7 +53107,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-scheduler-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-scheduler-kind-control-plane", "mitigation": "Do not set 'spec.template.spec.hostNetwork' to true.", "name": "Access to host network(Pod 'kube-scheduler-kind-control-plane' should not set 'spec.template.spec.hostNetwork' to true)", "references": [ @@ -53136,7 +53136,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-scheduler-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-scheduler-kind-control-plane", "mitigation": "Set a limit value under 'containers[].resources.limits.cpu'.", "name": "CPU not limited(Container 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'resources.limits.cpu')", "references": [ @@ -53165,7 +53165,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-scheduler-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-scheduler-kind-control-plane", "mitigation": "Set 'containers[].securityContext.runAsNonRoot' to true.", "name": "Runs as root user(Container 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'securityContext.runAsNonRoot' to true)", "references": [ 
@@ -53194,7 +53194,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-scheduler-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-scheduler-kind-control-plane", "mitigation": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", "name": "Root file system is not read-only(Container 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'securityContext.readOnlyRootFilesystem' to true)", "references": [ @@ -53223,7 +53223,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-scheduler-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-scheduler-kind-control-plane", "mitigation": "Set 'containers[].resources.requests.memory'.", "name": "Memory requests not specified(Container 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'resources.requests.memory')", "references": [ 
@@ -53252,7 +53252,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-scheduler-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-scheduler-kind-control-plane", "mitigation": "Set a limit value under 'containers[].resources.limits.memory'.", "name": "Memory not limited(Container 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'resources.limits.memory')", "references": [ @@ -53281,7 +53281,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-scheduler-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-scheduler-kind-control-plane", "mitigation": "Set 'containers[].securityContext.runAsUser' to an integer > 10000.", "name": "Runs with low user ID(Container 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'securityContext.runAsUser' > 10000)", "references": [ @@ -53310,7 +53310,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-scheduler-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-scheduler-kind-control-plane", "mitigation": "Set 'containers[].securityContext.runAsGroup' to an integer > 10000.", "name": "Runs with low group ID(Container 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'securityContext.runAsGroup' > 10000)", "references": [ 
@@ -53339,7 +53339,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "HostPath volumes must be forbidden.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-scheduler-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-scheduler-kind-control-plane", "mitigation": "Do not set 'spec.volumes[*].hostPath'.", "name": "hostPath volumes mounted(Pod 'kube-scheduler-kind-control-plane' should not set 'spec.template.volumes.hostPath')", "references": [ @@ -53368,7 +53368,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-scheduler-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-scheduler-kind-control-plane", "mitigation": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", "name": "Container capabilities must only include NET_BIND_SERVICE(container should drop all)", "references": [ @@ -53397,7 +53397,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Disable anonymous requests to the API server.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Set '--anonymous-auth' to 'false'.", "name": "Ensure that the --anonymous-auth argument is set to false(Ensure that the --anonymous-auth argument is set to false)", "references": [ 
@@ -53426,7 +53426,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Verify kubelet's certificate before establishing connection.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. ", "name": "Ensure that the --kubelet-certificate-authority argument is set as appropriate(Ensure that the --kubelet-certificate-authority argument is set as appropriate)", "references": [ @@ -53455,7 +53455,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Limit the rate at which the API server accepts requests.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Follow the Kubernetes documentation and set the desired limits in a configuration file. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml and set the below parameters.", "name": "Ensure that the admission control plugin EventRateLimit is set(Ensure that the admission control plugin EventRateLimit is set)", "references": [ 
@@ -53484,7 +53484,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Always pull images.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --enable-admission-plugins parameter to include AlwaysPullImages.", "name": "Ensure that the admission control plugin AlwaysPullImages is set(Ensure that the admission control plugin AlwaysPullImages is set)", "references": [ @@ -53513,7 +53513,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The SecurityContextDeny admission controller can be used to deny pods which make use of some SecurityContext fields which could allow for privilege escalation in the cluster. This should be used where PodSecurityPolicy is not in place within the cluster.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --enable-admission-plugins parameter to include SecurityContextDeny, unless PodSecurityPolicy is already in place.", "name": "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used(Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used)", "references": [ 
@@ -53542,7 +53542,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Disable profiling, if not needed.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the below parameter.", "name": "Ensure that the --profiling argument is set to false(Ensure that the --profiling argument is set to false)", "references": [ @@ -53571,7 +53571,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Enable auditing on the Kubernetes API Server and set the desired audit log path.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --audit-log-path parameter.", "name": "Ensure that the --audit-log-path argument is set(Ensure that the --audit-log-path argument is set)", "references": [ 
@@ -53600,7 +53600,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Retain the logs for at least 30 days or as appropriate.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --audit-log-maxage parameter to 30 or as an appropriate number of days.", "name": "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate(Ensure that the --audit-log-maxage argument is set to 30 or as appropriate)", "references": [ @@ -53629,7 +53629,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Retain 10 or an appropriate number of old log files.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --audit-log-maxbackup parameter to 10 or to an appropriate value.", "name": "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate(Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate)", "references": [ 
@@ -53658,7 +53658,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Rotate log files on reaching 100 MB or as appropriate.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --audit-log-maxsize parameter to an appropriate size in MB", "name": "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate(Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate)", "references": [ @@ -53687,7 +53687,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", "name": "Process can elevate its own privileges(Container 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 'securityContext.allowPrivilegeEscalation' to false)", "references": [ 
@@ -53716,7 +53716,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Add 'ALL' to containers[].securityContext.capabilities.drop.", "name": "Default capabilities not dropped(Container 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should add 'ALL' to 'securityContext.capabilities.drop')", "references": [ @@ -53745,7 +53745,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Do not set 'spec.template.spec.hostNetwork' to true.", "name": "Access to host network(Pod 'kube-apiserver-kind-control-plane' should not set 'spec.template.spec.hostNetwork' to true)", "references": [ @@ -53774,7 +53774,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Set a limit value under 'containers[].resources.limits.cpu'.", "name": "CPU not limited(Container 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 'resources.limits.cpu')", "references": [ 
@@ -53803,7 +53803,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Set 'containers[].securityContext.runAsNonRoot' to true.", "name": "Runs as root user(Container 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 'securityContext.runAsNonRoot' to true)", "references": [ @@ -53832,7 +53832,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", "name": "Root file system is not read-only(Container 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 'securityContext.readOnlyRootFilesystem' to true)", "references": [ 
@@ -53861,7 +53861,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Set 'containers[].resources.requests.memory'.", "name": "Memory requests not specified(Container 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 'resources.requests.memory')", "references": [ @@ -53890,7 +53890,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Set a limit value under 'containers[].resources.limits.memory'.", "name": "Memory not limited(Container 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 'resources.limits.memory')", "references": [ @@ -53919,7 +53919,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Set 'containers[].securityContext.runAsUser' to an integer > 10000.", "name": "Runs with low user ID(Container 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 'securityContext.runAsUser' > 10000)", "references": [ 
@@ -53948,7 +53948,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Set 'containers[].securityContext.runAsGroup' to an integer > 10000.", "name": "Runs with low group ID(Container 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 'securityContext.runAsGroup' > 10000)", "references": [ @@ -53977,7 +53977,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "HostPath volumes must be forbidden.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Do not set 'spec.volumes[*].hostPath'.", "name": "hostPath volumes mounted(Pod 'kube-apiserver-kind-control-plane' should not set 'spec.template.volumes.hostPath')", "references": [ @@ -54006,7 +54006,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", "name": "Container capabilities must only include NET_BIND_SERVICE(container should drop all)", "references": [ 
@@ -54035,7 +54035,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Activate garbage collector on pod termination, as appropriate.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": "Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the Control Plane node and set the --terminated-pod-gc-threshold to an appropriate threshold.", "name": "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate(Ensure that the --terminated-pod-gc-threshold argument is set as appropriate)", "references": [ @@ -54064,7 +54064,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Disable profiling, if not needed.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": "Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the Control Plane node and set the below parameter.", "name": "Ensure that the --profiling argument is set to false(Ensure that the --profiling argument is set to false)", "references": [ 
@@ -54093,7 +54093,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Enable kubelet server certificate rotation on controller-manager.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": "Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the Control Plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true .", "name": "Ensure that the RotateKubeletServerCertificate argument is set to true(Ensure that the RotateKubeletServerCertificate argument is set to true)", "references": [ @@ -54122,7 +54122,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", "name": "Process can elevate its own privileges(Container 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'securityContext.allowPrivilegeEscalation' to false)", "references": [ 
@@ -54151,7 +54151,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": "Add 'ALL' to containers[].securityContext.capabilities.drop.", "name": "Default capabilities not dropped(Container 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should add 'ALL' to 'securityContext.capabilities.drop')", "references": [ @@ -54180,7 +54180,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": "Do not set 'spec.template.spec.hostNetwork' to true.", "name": "Access to host network(Pod 'kube-controller-manager-kind-control-plane' should not set 'spec.template.spec.hostNetwork' to true)", "references": [ 
@@ -54209,7 +54209,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": "Set a limit value under 'containers[].resources.limits.cpu'.", "name": "CPU not limited(Container 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'resources.limits.cpu')", "references": [ @@ -54238,7 +54238,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": "Set 'containers[].securityContext.runAsNonRoot' to true.", "name": "Runs as root user(Container 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'securityContext.runAsNonRoot' to true)", "references": [ 
@@ -54267,7 +54267,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", "name": "Root file system is not read-only(Container 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'securityContext.readOnlyRootFilesystem' to true)", "references": [ @@ -54296,7 +54296,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": "Set 'containers[].resources.requests.memory'.", "name": "Memory requests not specified(Container 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'resources.requests.memory')", "references": [ 
@@ -54325,7 +54325,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": "Set a limit value under 'containers[].resources.limits.memory'.", "name": "Memory not limited(Container 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'resources.limits.memory')", "references": [ @@ -54354,7 +54354,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": "Set 'containers[].securityContext.runAsUser' to an integer > 10000.", "name": "Runs with low user ID(Container 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'securityContext.runAsUser' > 10000)", "references": [ 
@@ -54383,7 +54383,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": "Set 'containers[].securityContext.runAsGroup' to an integer > 10000.", "name": "Runs with low group ID(Container 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'securityContext.runAsGroup' > 10000)", "references": [ @@ -54412,7 +54412,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "HostPath volumes must be forbidden.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": "Do not set 'spec.volumes[*].hostPath'.", "name": "hostPath volumes mounted(Pod 'kube-controller-manager-kind-control-plane' should not set 'spec.template.volumes.hostPath')", "references": [ @@ -54441,7 +54441,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", "name": "Container capabilities must only include NET_BIND_SERVICE(container should drop all)", "references": [ 
@@ -54475,7 +54475,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "It was found that apt-key in apt, all versions, do not correctly valid ...", "references": [ @@ -54538,7 +54538,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue may lead to memory problems.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "a heap-buffer-overflow in valid_parameter_transform", "references": [ 
@@ -54615,7 +54615,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline", "references": [ @@ -54671,7 +54671,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "coreutils: Non-privileged session can escape to the parent session in chroot", "references": [ 
@@ -54734,7 +54734,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "coreutils: race condition vulnerability in chown and chgrp", "references": [ @@ -54799,7 +54799,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "When doing HTTP(S) transfers, libcurl might erroneously use the read callback (\`CURLOPT_READFUNCTION\`) to ask for data to send, even when the \`CURLOPT_POSTFIELDS\` option has been set, if the same handle previously was used to issue a \`PUT\` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent \`POST\` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "POST following PUT confusion", "references": [ 
@@ -54934,7 +54934,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A cleartext transmission of sensitive information vulnerability exists in curl n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c", "references": [ @@ -60483,7 +60483,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "integer overflow vulnerabilities in PAC parsing", "references": [ 
@@ -60615,7 +60615,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c", "references": [ @@ -60684,7 +60684,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "integer overflow vulnerabilities in PAC parsing", "references": [ 
@@ -60816,7 +60816,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c", "references": [ @@ -60885,7 +60885,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "integer overflow vulnerabilities in PAC parsing", "references": [ 
@@ -61017,7 +61017,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c", "references": [ @@ -61065,7 +61065,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "null pointer dereference in ber_memalloc_x function", "references": [ 
@@ -61117,7 +61117,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "incorrect multi-keyword mode cipherstring parsing", "references": [ @@ -61181,7 +61181,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill \`cat /pathname\`" command, as demonstrated by openldap-initscript.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "openldap: Privilege escalation via PID file manipulation", "references": [ 
@@ -61232,7 +61232,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "openldap: contrib/slapd-modules/nops/nops.c attempts to free stack buffer allowing remote attackers to cause a denial of service", "references": [ @@ -61297,7 +61297,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "openldap: Certificate validation incorrectly matches name against CN-ID", "references": [ 
@@ -61366,7 +61366,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline", "references": [ @@ -61425,7 +61425,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "ncurses: segfaulting OOB read", "references": [ 
@@ -61508,7 +61508,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Local users can trigger security-relevant memory corruption via malformed data", "references": [ @@ -61591,7 +61591,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "ncurses: segfaulting OOB read", "references": [ 
@@ -61674,7 +61674,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Local users can trigger security-relevant memory corruption via malformed data", "references": [ @@ -61767,7 +61767,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "pcre2: Out-of-bounds read in compile_xclass_matchingpath in pcre2_jit_compile.c", "references": [ 
@@ -61894,7 +61894,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length() function of the pcre2_jit_compile.c file. This issue affects recursions in JIT-compiled regular expressions caused by duplicate data transfers.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "pcre2: Out-of-bounds read in get_recurse_data_length in pcre2_jit_compile.c", "references": [ @@ -61990,7 +61990,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "pcre: OP_KETRMAX feature in the match function in pcre_exec.c", "references": [ 
@@ -62060,7 +62060,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "pcre: self-recursive call in match() in pcre_exec.c leads to denial of service", "references": [ @@ -62134,7 +62134,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "pcre: stack-based buffer overflow write in pcre32_copy_substring", "references": [ 
@@ -62192,7 +62192,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "pcre: stack-based buffer overflow write in pcre32_copy_substring", "references": [ @@ -62262,7 +62262,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \\X or \\R has more than one fixed quantifier, a related issue to CVE-2019-20454.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "pcre: Buffer over-read in JIT when UTF is disabled and \\X or \\R has fixed quantifier greater than 1", "references": [ @@ -62381,7 +62381,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __cil_verify_classpermission and __cil_pre_verify_helper).", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "libsepol: use-after-free in __cil_verify_classperms()", "references": [ 
@@ -62504,7 +62504,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __verify_map_perm_classperms and hashtab_map).", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "libsepol: use-after-free in __cil_verify_classperms()", "references": [ @@ -62627,7 +62627,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list).", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "use-after-free in cil_reset_classpermission()", "references": [ @@ -62751,7 +62751,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called indirectly from cil_check_neverallow). This occurs because there is sometimes a lack of checks for invalid statements in an optional block.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "libsepol: heap-based buffer overflow in ebitmap_match_any()", "references": [ 
@@ -62864,7 +62864,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline", "references": [ 
@@ -62957,7 +62957,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "double free after calling PEM_read_bio_ex", "references": [ 
@@ -63246,7 +63246,7 @@ The OpenSSL cms and smime command line applications are similarly affected. ", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "use-after-free following BIO_new_NDEF", "references": [ @@ -63526,7 +63526,7 @@ The OpenSSL cms and smime command line applications are similarly affected. }, "category": "Vulnerability", "description": "There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "X.400 address type confusion in X.509 GeneralName", "references": [ 
@@ -63783,7 +63783,7 @@ exponential use of computational resources, leading to a denial-of-service Policy processing is disabled by default but can be enabled by passing the \`-policy' argument to the command line utilities or by calling the \`X509_VERIFY_PARAM_set1_policies()' function.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Denial of service by excessive resource usage in verifying X509 policy constraints", "references": [ @@ -63916,7 +63916,7 @@ such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Possible DoS translating ASN.1 object identifiers", "references": [ 
@@ -64030,7 +64030,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "AES OCB fails to encrypt some bytes", "references": [ 
@@ -64237,7 +64237,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "timing attack in RSA Decryption implementation", "references": [ @@ -64459,7 +64459,7 @@ in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the \`-policy' argument to the command line utilities or by calling the \`X509_VERIFY_PARAM_set1_policies()' function.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Invalid certificate policies in leaf certificates are silently ignored", "references": [ 
@@ -64563,7 +64563,7 @@ the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Certificate policy check not enabled", "references": [ @@ -64649,7 +64649,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain "skeleton key" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Dual_EC_DRBG: weak pseudo random number generator", "references": [ 
@@ -64725,7 +64725,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "openssl: RSA authentication weakness", "references": [ @@ -64801,7 +64801,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "buffer overrun in format_timespan() function", "references": [ 
@@ -64909,7 +64909,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "systemd: local information leak due to systemd-coredump not respecting fs.suid_dumpable kernel setting", "references": [ @@ -65006,7 +65006,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "TOCTOU race condition when updating file permissions and SELinux security contexts", "references": [ 
@@ -65068,7 +65068,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "systemd: DHCP FORCERENEW authentication not implemented can cause a system running the DHCP client to have its network reconfigured", "references": [ @@ -65172,7 +65172,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "libtasn1: Out-of-bound access in ETYPE_OK", "references": [ @@ -65291,7 +65291,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "ncurses: segfaulting OOB read", "references": [ 
@@ -65374,7 +65374,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Local users can trigger security-relevant memory corruption via malformed data", "references": [ @@ -65462,7 +65462,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "buffer overrun in format_timespan() function", "references": [ 
@@ -65570,7 +65570,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "systemd: local information leak due to systemd-coredump not respecting fs.suid_dumpable kernel setting", "references": [ @@ -65667,7 +65667,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "TOCTOU race condition when updating file permissions and SELinux security contexts", "references": [ 
@@ -65729,7 +65729,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "systemd: DHCP FORCERENEW authentication not implemented can cause a system running the DHCP client to have its network reconfigured", "references": [ @@ -65818,7 +65818,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline", "references": [ 
@@ -65870,7 +65870,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "buffer overrun in util.c", "references": [ @@ -65919,7 +65919,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "initscripts in rPath Linux 1 sets insecure permissions for the /var/lo ...", "references": [ @@ -65980,7 +65980,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "shadow-utils: TOCTOU race conditions by copying and removing directory trees", "references": [ 
@@ -66068,7 +66068,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "shadow-utils: local users can obtain root access because setuid programs are misconfigured", "references": [ 
@@ -66135,7 +66135,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Improper input validation in shadow-utils package utility chfn", "references": [ 
@@ -66196,7 +66196,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline", "references": [ @@ -66255,7 +66255,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "ncurses: segfaulting OOB read", "references": [ 
@@ -66338,7 +66338,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Local users can trigger security-relevant memory corruption via malformed data", "references": [ 
@@ -66455,7 +66455,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "double free after calling PEM_read_bio_ex", "references": [ 
@@ -66744,7 +66744,7 @@ The OpenSSL cms and smime command line applications are similarly affected. ", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "use-after-free following BIO_new_NDEF", "references": [ @@ -67024,7 +67024,7 @@ The OpenSSL cms and smime command line applications are similarly affected. }, "category": "Vulnerability", "description": "There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "X.400 address type confusion in X.509 GeneralName", "references": [ 
@@ -67281,7 +67281,7 @@ exponential use of computational resources, leading to a denial-of-service Policy processing is disabled by default but can be enabled by passing the \`-policy' argument to the command line utilities or by calling the \`X509_VERIFY_PARAM_set1_policies()' function.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Denial of service by excessive resource usage in verifying X509 policy constraints", "references": [ @@ -67414,7 +67414,7 @@ such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Possible DoS translating ASN.1 object identifiers", "references": [ 
@@ -67528,7 +67528,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "AES OCB fails to encrypt some bytes", "references": [ 
@@ -67735,7 +67735,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "timing attack in RSA Decryption implementation", "references": [ @@ -67957,7 +67957,7 @@ in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the \`-policy' argument to the command line utilities or by calling the \`X509_VERIFY_PARAM_set1_policies()' function.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Invalid certificate policies in leaf certificates are silently ignored", "references": [ 
@@ -68061,7 +68061,7 @@ the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Certificate policy check not enabled", "references": [ @@ -68147,7 +68147,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain "skeleton key" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Dual_EC_DRBG: weak pseudo random number generator", "references": [ 
@@ -68223,7 +68223,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "openssl: RSA authentication weakness", "references": [ @@ -68288,7 +68288,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "initscripts in rPath Linux 1 sets insecure permissions for the /var/lo ...", "references": [ 
@@ -68349,7 +68349,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "shadow-utils: TOCTOU race conditions by copying and removing directory trees", "references": [ @@ -68437,7 +68437,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "shadow-utils: local users can obtain root access because setuid programs are misconfigured", "references": [ 
@@ -68504,7 +68504,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Improper input validation in shadow-utils package utility chfn", "references": [ @@ -68570,7 +68570,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "CPAN 2.28 allows Signature Verification Bypass.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "perl-CPAN: Bypass of verification of signatures in CHECKSUMS files", "references": [ 
@@ -68649,7 +68649,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "CPAN.pm before 2.35 does not verify TLS certificates when downloading ...", "references": [ @@ -68728,7 +68728,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "_is_safe in the File::Temp module for Perl does not properly handle symlinks.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "perl: File::Temp insecure temporary file handling", "references": [ @@ -68792,7 +68792,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "HTTP::Tiny 0.082, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "HTTP::Tiny 0.082, a Perl core module since 5.13.9 and available standa ...", "references": [ 
@@ -68856,7 +68856,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "tar: does not properly warn the user when extracting setuid or setgid files", "references": [ @@ -68916,7 +68916,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "heap buffer overflow at from_header() in list.c via specially crafted checksum", "references": [ 
@@ -69013,7 +69013,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline", "references": [ @@ -69076,7 +69076,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "volume mount race condition (regression of CVE-2019-19921)", "references": [ 
@@ -69175,7 +69175,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the \`C\` portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure). runc version 1.0.3 contains a fix for this bug. As a workaround, one may try disallowing untrusted namespace paths from your container. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "runc: integer overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration", "references": [ 
@@ -69268,7 +69268,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where \`runc exec --cap\` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes \`runc exec --cap\` behavior such that the additional capabilities granted to the process being executed (as specified via \`--cap\` arguments) do not include inheritable capabilities. In addition, \`runc spec\` is changed to not set any inheritable capabilities in the created example OCI spec (\`config.json\`) file.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "runc: incorrect handling of inheritable capabilities", "references": [ 
@@ -69388,7 +69388,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when \`/proc\` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked \`/proc\`. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "AppArmor can be bypassed when \`/proc\` inside the container is symlinked with a specific mount configuration", "references": [ 
@@ -69457,7 +69457,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes \`/sys/fs/cgroup\` writable in following conditons: 1. when runc is executed inside the user namespace, and the \`config.json\` does not specify the cgroup namespace to be unshared (e.g.., \`(docker|podman|nerdctl) run --cgroupns=host\`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and \`/sys\` is mounted with \`rbind, ro\` (e.g., \`runc spec --rootless\`; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy \`/sys/fs/cgroup/user.slice/...\` on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (\`(docker|podman|nerdctl) run --cgroupns=private)\`. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add \`/sys/fs/cgroup\` to \`maskedPaths\`.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Rootless runc makes \`/sys/fs/cgroup\` writable", "references": [ 
@@ -69542,7 +69542,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "faccessat checks wrong group", "references": [ @@ -69675,7 +69675,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "faccessat checks wrong group", "references": [ @@ -69837,7 +69837,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "handle server errors after sending GOAWAY", "references": [ 
@@ -70071,7 +70071,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "request smuggling", "references": [ @@ -70136,7 +70136,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "avoid quadratic complexity in HPACK decoding", "references": [ 
@@ -70235,7 +70235,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "excessive memory growth in a Go server accepting HTTP/2 requests", "references": [ @@ -70352,7 +70352,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "ParseAcceptLanguage takes a long time to parse complex tags", "references": [ @@ -70436,7 +70436,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in coreDNS. This flaw allows a malicious user to reroute internal calls to some internal services that were accessed by the FQDN in a format of ..svc.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "coreDNS: DNS Redirection of Internal Services", "references": [ 
@@ -70484,7 +70484,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in coreDNS. This flaw allows a malicious user to redirect traffic intended for external top-level domains (TLD) to a pod they control by creating projects and namespaces that match the TLD.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "DNS Redirection of Top-Level Domains", "references": [ @@ -70534,7 +70534,7 @@ commonly used by applications.", "description": "Minio Console is the UI for MinIO Object Storage. Unicode RIGHT-TO-LEFT OVERRIDE characters can be used to mask the original filename. This issue has been patched in version 0.28.0. ", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Minio console object names with RIGHT-TO-LEFT OVERRIDE unicode character can be exploited", "references": [ @@ -70628,7 +70628,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "handle server errors after sending GOAWAY", "references": [ 
@@ -70862,7 +70862,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "request smuggling", "references": [ @@ -70927,7 +70927,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "avoid quadratic complexity in HPACK decoding", "references": [ 
@@ -71026,7 +71026,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "excessive memory growth in a Go server accepting HTTP/2 requests", "references": [ @@ -71143,7 +71143,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "ParseAcceptLanguage takes a long time to parse complex tags", "references": [ 
@@ -71224,7 +71224,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", "name": "Process can elevate its own privileges(Container 'minio' of Deployment 'securecodebox-operator-minio' should set 'securityContext.allowPrivilegeEscalation' to false)", "references": [ @@ -71253,7 +71253,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": "Add 'ALL' to containers[].securityContext.capabilities.drop.", "name": "Default capabilities not dropped(Container 'minio' of Deployment 'securecodebox-operator-minio' should add 'ALL' to 'securityContext.capabilities.drop')", "references": [ 
@@ -71282,7 +71282,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": "Set a limit value under 'containers[].resources.limits.cpu'.", "name": "CPU not limited(Container 'minio' of Deployment 'securecodebox-operator-minio' should set 'resources.limits.cpu')", "references": [ @@ -71311,7 +71311,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", "name": "Root file system is not read-only(Container 'minio' of Deployment 'securecodebox-operator-minio' should set 'securityContext.readOnlyRootFilesystem' to true)", "references": [ 
@@ -71340,7 +71340,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": "Set 'containers[].resources.requests.cpu'.", "name": "CPU requests not specified(Container 'minio' of Deployment 'securecodebox-operator-minio' should set 'resources.requests.cpu')", "references": [ @@ -71369,7 +71369,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": "Set a limit value under 'containers[].resources.limits.memory'.", "name": "Memory not limited(Container 'minio' of Deployment 'securecodebox-operator-minio' should set 'resources.limits.memory')", "references": [ 
@@ -71398,7 +71398,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": "Set 'containers[].securityContext.runAsUser' to an integer > 10000.", "name": "Runs with low user ID(Container 'minio' of Deployment 'securecodebox-operator-minio' should set 'securityContext.runAsUser' > 10000)", "references": [ @@ -71427,7 +71427,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": "Set 'containers[].securityContext.runAsGroup' to an integer > 10000.", "name": "Runs with low group ID(Container 'minio' of Deployment 'securecodebox-operator-minio' should set 'securityContext.runAsGroup' > 10000)", "references": [ 
@@ -71456,7 +71456,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", "name": "Default Seccomp profile not set(Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault')", "references": [ @@ -71485,7 +71485,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", "name": "Container capabilities must only include NET_BIND_SERVICE(container should drop all)", "references": [ 
@@ -71546,7 +71546,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "crash in a golang.org/x/crypto/ssh server", "references": [ @@ -71726,7 +71726,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "golang: net/http: limit growth of header canonicalization cache", "references": [ @@ -71884,7 +71884,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "handle server errors after sending GOAWAY", "references": [ 
@@ -72125,7 +72125,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "avoid quadratic complexity in HPACK decoding", "references": [ @@ -72224,7 +72224,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "excessive memory growth in a Go server accepting HTTP/2 requests", "references": [ @@ -72349,7 +72349,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "faccessat checks wrong group", "references": [ 
@@ -72472,7 +72472,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "out-of-bounds read in golang.org/x/text/language leads to DoS", "references": [ @@ -72557,7 +72557,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "ParseAcceptLanguage takes a long time to parse complex tags", "references": [ @@ -72670,7 +72670,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "crash in a golang.org/x/crypto/ssh server", "references": [ 
@@ -72850,7 +72850,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "golang: net/http: limit growth of header canonicalization cache", "references": [ @@ -73008,7 +73008,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "handle server errors after sending GOAWAY", "references": [ @@ -73249,7 +73249,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "avoid quadratic complexity in HPACK decoding", "references": [ 
@@ -73348,7 +73348,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "excessive memory growth in a Go server accepting HTTP/2 requests", "references": [ @@ -73473,7 +73473,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "faccessat checks wrong group", "references": [ @@ -73596,7 +73596,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "out-of-bounds read in golang.org/x/text/language leads to DoS", "references": [ 
@@ -73681,7 +73681,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "ParseAcceptLanguage takes a long time to parse complex tags", "references": [ @@ -73794,7 +73794,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "crash in a golang.org/x/crypto/ssh server", "references": [ @@ -73974,7 +73974,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "golang: net/http: limit growth of header canonicalization cache", "references": [ 
@@ -74132,7 +74132,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "handle server errors after sending GOAWAY", "references": [ @@ -74373,7 +74373,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "avoid quadratic complexity in HPACK decoding", "references": [ @@ -74472,7 +74472,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "excessive memory growth in a Go server accepting HTTP/2 requests", "references": [ 
@@ -74597,7 +74597,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "faccessat checks wrong group", "references": [ @@ -74720,7 +74720,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "out-of-bounds read in golang.org/x/text/language leads to DoS", "references": [ @@ -74805,7 +74805,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "ParseAcceptLanguage takes a long time to parse complex tags", "references": [ 
@@ -74918,7 +74918,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "crash in a golang.org/x/crypto/ssh server", "references": [ @@ -75098,7 +75098,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "golang: net/http: limit growth of header canonicalization cache", "references": [ @@ -75256,7 +75256,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "handle server errors after sending GOAWAY", "references": [ 
@@ -75497,7 +75497,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "avoid quadratic complexity in HPACK decoding", "references": [ @@ -75596,7 +75596,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "excessive memory growth in a Go server accepting HTTP/2 requests", "references": [ @@ -75721,7 +75721,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "faccessat checks wrong group", "references": [ 
@@ -75844,7 +75844,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "out-of-bounds read in golang.org/x/text/language leads to DoS", "references": [ @@ -75929,7 +75929,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "ParseAcceptLanguage takes a long time to parse complex tags", "references": [ @@ -76010,7 +76010,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", "name": "Process can elevate its own privileges(Container 'etcd' of Pod 'etcd-kind-control-plane' should set 'securityContext.allowPrivilegeEscalation' to false)", "references": [ 
@@ -76039,7 +76039,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": "Add 'ALL' to containers[].securityContext.capabilities.drop.", "name": "Default capabilities not dropped(Container 'etcd' of Pod 'etcd-kind-control-plane' should add 'ALL' to 'securityContext.capabilities.drop')", "references": [ @@ -76068,7 +76068,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": "Do not set 'spec.template.spec.hostNetwork' to true.", "name": "Access to host network(Pod 'etcd-kind-control-plane' should not set 'spec.template.spec.hostNetwork' to true)", "references": [ @@ -76097,7 +76097,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": "Set a limit value under 'containers[].resources.limits.cpu'.", "name": "CPU not limited(Container 'etcd' of Pod 'etcd-kind-control-plane' should set 'resources.limits.cpu')", "references": [ 
@@ -76126,7 +76126,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": "Set 'containers[].securityContext.runAsNonRoot' to true.", "name": "Runs as root user(Container 'etcd' of Pod 'etcd-kind-control-plane' should set 'securityContext.runAsNonRoot' to true)", "references": [ @@ -76155,7 +76155,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", "name": "Root file system is not read-only(Container 'etcd' of Pod 'etcd-kind-control-plane' should set 'securityContext.readOnlyRootFilesystem' to true)", "references": [ @@ -76184,7 +76184,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": "Set a limit value under 'containers[].resources.limits.memory'.", "name": "Memory not limited(Container 'etcd' of Pod 'etcd-kind-control-plane' should set 'resources.limits.memory')", "references": [ 
@@ -76213,7 +76213,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": "Set 'containers[].securityContext.runAsUser' to an integer > 10000.", "name": "Runs with low user ID(Container 'etcd' of Pod 'etcd-kind-control-plane' should set 'securityContext.runAsUser' > 10000)", "references": [ @@ -76242,7 +76242,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": "Set 'containers[].securityContext.runAsGroup' to an integer > 10000.", "name": "Runs with low group ID(Container 'etcd' of Pod 'etcd-kind-control-plane' should set 'securityContext.runAsGroup' > 10000)", "references": [ @@ -76271,7 +76271,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "HostPath volumes must be forbidden.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": "Do not set 'spec.volumes[*].hostPath'.", "name": "hostPath volumes mounted(Pod 'etcd-kind-control-plane' should not set 'spec.template.volumes.hostPath')", "references": [ 
@@ -76300,7 +76300,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", "name": "Container capabilities must only include NET_BIND_SERVICE(container should drop all)", "references": [ @@ -76334,7 +76334,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "It was found that apt-key in apt, all versions, do not correctly valid ...", "references": [ 
@@ -76391,7 +76391,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline", "references": [ @@ -76447,7 +76447,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "coreutils: Non-privileged session can escape to the parent session in chroot", "references": [ 
@@ -76510,7 +76510,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "coreutils: race condition vulnerability in chown and chgrp", "references": [ @@ -76560,7 +76560,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "Dpkg::Source::Archive in dpkg, the Debian package management system, b ...", "references": [ 
@@ -76650,7 +76650,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "Signature spoofing via status line injection", "references": [ @@ -76774,7 +76774,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "denial of service issue (resource consumption) using compressed packets", "references": [ 
@@ -76855,7 +76855,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "arbitrary-file-write vulnerability", "references": [ @@ -76971,7 +76971,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "iptables: --syn flag bypass", "references": [ 
@@ -77021,7 +77021,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "It was found that apt-key in apt, all versions, do not correctly valid ...", "references": [ @@ -77088,7 +77088,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: Off-by-one buffer overflow/underflow in getcwd()", "references": [ 
@@ -77183,7 +77183,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions", "references": [ @@ -77246,7 +77246,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", "references": [ 
@@ -77308,7 +77308,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: stack guard protection bypass", "references": [ @@ -77367,7 +77367,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: running ldd on malicious ELF leads to code execution because of wrong size computation", "references": [ 
@@ -77431,7 +77431,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: ASLR bypass using cache of thread stack and heap", "references": [ @@ -77498,7 +77498,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: information disclosure of heap addresses of pthread_created thread", "references": [ 
@@ -77558,7 +77558,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", "references": [ @@ -77617,7 +77617,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: Off-by-one buffer overflow/underflow in getcwd()", "references": [ 
@@ -77712,7 +77712,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions", "references": [ @@ -77775,7 +77775,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", "references": [ 
@@ -77837,7 +77837,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: stack guard protection bypass", "references": [ @@ -77896,7 +77896,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: running ldd on malicious ELF leads to code execution because of wrong size computation", "references": [ 
@@ -77960,7 +77960,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: ASLR bypass using cache of thread stack and heap", "references": [ @@ -78027,7 +78027,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: information disclosure of heap addresses of pthread_created thread", "references": [ 
@@ -78087,7 +78087,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", "references": [ @@ -78143,7 +78143,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "e2fsprogs: out-of-bounds read/write via crafted filesystem", "references": [ @@ -78243,7 +78243,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "sqlite: heap out-of-bound read in function rtreenode()", "references": [ 
@@ -78389,7 +78389,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "libgcrypt: mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm", "references": [ @@ -78511,7 +78511,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "libgcrypt: ElGamal implementation doesn't have semantic security due to incorrectly encoded plaintexts possibly allowing to obtain sensitive information", "references": [ 
@@ -78583,7 +78583,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A vulnerability found in gnutls. This security flaw happens because of a double free error occurs during verification of pkcs7 signatures in gnutls_pkcs7_verify function.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "Double free during gnutls_pkcs7_verify", "references": [ @@ -78711,7 +78711,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "timing side-channel in the TLS RSA key exchange code", "references": [ 
@@ -78829,7 +78829,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A NULL pointer dereference flaw was found in GnuTLS. As Nettle's hash update functions internally call memcpy, providing zero-length input may cause undefined behavior. This flaw leads to a denial of service after authentication in rare circumstances.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "GnuTLS: Null pointer dereference in MD_UPDATE", "references": [ @@ -78993,7 +78993,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)", "references": [ 
@@ -79430,7 +79430,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "integer overflow vulnerabilities in PAC parsing", "references": [ @@ -79562,7 +79562,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c", "references": [ 
@@ -79610,7 +79610,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "iptables: --syn flag bypass", "references": [ @@ -79658,7 +79658,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "iptables: --syn flag bypass", "references": [ 
@@ -79727,7 +79727,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "integer overflow vulnerabilities in PAC parsing", "references": [ @@ -79859,7 +79859,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c", "references": [ 
@@ -79928,7 +79928,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "integer overflow vulnerabilities in PAC parsing", "references": [ @@ -80060,7 +80060,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c", "references": [ 
@@ -80129,7 +80129,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "integer overflow vulnerabilities in PAC parsing", "references": [ @@ -80261,7 +80261,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c", "references": [ 
@@ -80326,7 +80326,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "arbitrary-file-write vulnerability", "references": [ @@ -80459,7 +80459,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "pcre2: Out-of-bounds read in compile_xclass_matchingpath in pcre2_jit_compile.c", "references": [ 
@@ -80586,7 +80586,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length() function of the pcre2_jit_compile.c file. This issue affects recursions in JIT-compiled regular expressions caused by duplicate data transfers.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "pcre2: Out-of-bounds read in get_recurse_data_length in pcre2_jit_compile.c", "references": [ @@ -80682,7 +80682,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "pcre: OP_KETRMAX feature in the match function in pcre_exec.c", "references": [ @@ -80752,7 +80752,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "pcre: self-recursive call in match() in pcre_exec.c leads to denial of service", "references": [ 
@@ -80826,7 +80826,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "pcre: stack-based buffer overflow write in pcre32_copy_substring", "references": [ @@ -80884,7 +80884,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "pcre: stack-based buffer overflow write in pcre32_copy_substring", "references": [ @@ -80954,7 +80954,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \\X or \\R has more than one fixed quantifier, a related issue to CVE-2019-20454.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "pcre: Buffer over-read in JIT when UTF is disabled and \\X or \\R has fixed quantifier greater than 1", "references": [ 
@@ -81073,7 +81073,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __cil_verify_classpermission and __cil_pre_verify_helper).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "libsepol: use-after-free in __cil_verify_classperms()", "references": [ @@ -81196,7 +81196,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __verify_map_perm_classperms and hashtab_map).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "libsepol: use-after-free in __cil_verify_classperms()", "references": [ @@ -81319,7 +81319,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "use-after-free in cil_reset_classpermission()", "references": [ 
@@ -81443,7 +81443,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called indirectly from cil_check_neverallow). This occurs because there is sometimes a lack of checks for invalid statements in an optional block.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "libsepol: heap-based buffer overflow in ebitmap_match_any()", "references": [ @@ -81587,7 +81587,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "c_rehash script allows command injection", "references": [ 
@@ -81789,7 +81789,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "the c_rehash script allows command injection", "references": [ 
@@ -81982,7 +81982,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "double free after calling PEM_read_bio_ex", "references": [ 
@@ -82271,7 +82271,7 @@ The OpenSSL cms and smime command line applications are similarly affected. ", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "use-after-free following BIO_new_NDEF", "references": [ @@ -82551,7 +82551,7 @@ The OpenSSL cms and smime command line applications are similarly affected. }, "category": "Vulnerability", "description": "There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "X.400 address type confusion in X.509 GeneralName", "references": [ 
@@ -82808,7 +82808,7 @@ exponential use of computational resources, leading to a denial-of-service Policy processing is disabled by default but can be enabled by passing the \`-policy' argument to the command line utilities or by calling the \`X509_VERIFY_PARAM_set1_policies()' function.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "Denial of service by excessive resource usage in verifying X509 policy constraints", "references": [ @@ -82941,7 +82941,7 @@ such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "Possible DoS translating ASN.1 object identifiers", "references": [ 
@@ -83055,7 +83055,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "AES OCB fails to encrypt some bytes", "references": [ 
@@ -83262,7 +83262,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "timing attack in RSA Decryption implementation", "references": [ @@ -83484,7 +83484,7 @@ in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the \`-policy' argument to the command line utilities or by calling the \`X509_VERIFY_PARAM_set1_policies()' function.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "Invalid certificate policies in leaf certificates are silently ignored", "references": [ 
@@ -83588,7 +83588,7 @@ the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "Certificate policy check not enabled", "references": [ @@ -83674,7 +83674,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain "skeleton key" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "Dual_EC_DRBG: weak pseudo random number generator", "references": [ 
@@ -83750,7 +83750,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "openssl: RSA authentication weakness", "references": [ @@ -83826,7 +83826,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "buffer overrun in format_timespan() function", "references": [ @@ -83934,7 +83934,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "systemd: local information leak due to systemd-coredump not respecting fs.suid_dumpable kernel setting", "references": [ 
@@ -84031,7 +84031,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "TOCTOU race condition when updating file permissions and SELinux security contexts", "references": [ @@ -84093,7 +84093,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "systemd: DHCP FORCERENEW authentication not implemented can cause a system running the DHCP client to have its network reconfigured", "references": [ @@ -84197,7 +84197,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "libtasn1: Out-of-bound access in ETYPE_OK", "references": [ 
@@ -84322,7 +84322,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In libtirpc before 1.3.3rc1, remote attackers could exhaust the file descriptors of a process that uses libtirpc because idle TCP connections are mishandled. This can, in turn, lead to an svc_run infinite loop without accepting new connections.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "libtirpc: DoS vulnerability with lots of connections", "references": [ @@ -84435,7 +84435,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In libtirpc before 1.3.3rc1, remote attackers could exhaust the file descriptors of a process that uses libtirpc because idle TCP connections are mishandled. This can, in turn, lead to an svc_run infinite loop without accepting new connections.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "libtirpc: DoS vulnerability with lots of connections", "references": [ @@ -84547,7 +84547,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "buffer overrun in format_timespan() function", "references": [ 
@@ -84655,7 +84655,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "systemd: local information leak due to systemd-coredump not respecting fs.suid_dumpable kernel setting", "references": [ @@ -84752,7 +84752,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "TOCTOU race condition when updating file permissions and SELinux security contexts", "references": [ @@ -84814,7 +84814,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "systemd: DHCP FORCERENEW authentication not implemented can cause a system running the DHCP client to have its network reconfigured", "references": [ 
@@ -84902,7 +84902,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "iptables: --syn flag bypass", "references": [ @@ -84950,7 +84950,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "buffer overrun in util.c", "references": [ @@ -84999,7 +84999,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "initscripts in rPath Linux 1 sets insecure permissions for the /var/lo ...", "references": [ 
@@ -85060,7 +85060,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "shadow-utils: TOCTOU race conditions by copying and removing directory trees", "references": [ @@ -85148,7 +85148,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "shadow-utils: local users can obtain root access because setuid programs are misconfigured", "references": [ 
@@ -85215,7 +85215,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "Improper input validation in shadow-utils package utility chfn", "references": [ @@ -85276,7 +85276,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "initscripts in rPath Linux 1 sets insecure permissions for the /var/lo ...", "references": [ 
@@ -85337,7 +85337,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "shadow-utils: TOCTOU race conditions by copying and removing directory trees", "references": [ @@ -85425,7 +85425,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "shadow-utils: local users can obtain root access because setuid programs are misconfigured", "references": [ 
@@ -85492,7 +85492,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "Improper input validation in shadow-utils package utility chfn", "references": [ @@ -85558,7 +85558,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "CPAN 2.28 allows Signature Verification Bypass.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "perl-CPAN: Bypass of verification of signatures in CHECKSUMS files", "references": [ 
@@ -85637,7 +85637,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "CPAN.pm before 2.35 does not verify TLS certificates when downloading ...", "references": [ @@ -85716,7 +85716,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "_is_safe in the File::Temp module for Perl does not properly handle symlinks.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "perl: File::Temp insecure temporary file handling", "references": [ @@ -85780,7 +85780,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "HTTP::Tiny 0.082, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "HTTP::Tiny 0.082, a Perl core module since 5.13.9 and available standa ...", "references": [ 
@@ -85844,7 +85844,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "tar: does not properly warn the user when extracting setuid or setgid files", "references": [ @@ -85904,7 +85904,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "heap buffer overflow at from_header() in list.c via specially crafted checksum", "references": [ 
@@ -86038,7 +86038,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field", "references": [ @@ -86280,7 +86280,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "A flaw found in zlib when compressing (not decompressing) certain inputs", "references": [ @@ -86493,7 +86493,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", "name": "Process can elevate its own privileges(Container 'kube-proxy' of DaemonSet 'kube-proxy' should set 'securityContext.allowPrivilegeEscalation' to false)", "references": [ 
@@ -86522,7 +86522,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": "Add 'ALL' to containers[].securityContext.capabilities.drop.", "name": "Default capabilities not dropped(Container 'kube-proxy' of DaemonSet 'kube-proxy' should add 'ALL' to 'securityContext.capabilities.drop')", "references": [ @@ -86551,7 +86551,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": "Do not set 'spec.template.spec.hostNetwork' to true.", "name": "Access to host network(DaemonSet 'kube-proxy' should not set 'spec.template.spec.hostNetwork' to true)", "references": [ @@ -86580,7 +86580,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": "Set a limit value under 'containers[].resources.limits.cpu'.", "name": "CPU not limited(Container 'kube-proxy' of DaemonSet 'kube-proxy' should set 'resources.limits.cpu')", "references": [ 
@@ -86609,7 +86609,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": "Set 'containers[].securityContext.runAsNonRoot' to true.", "name": "Runs as root user(Container 'kube-proxy' of DaemonSet 'kube-proxy' should set 'securityContext.runAsNonRoot' to true)", "references": [ @@ -86638,7 +86638,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", "name": "Root file system is not read-only(Container 'kube-proxy' of DaemonSet 'kube-proxy' should set 'securityContext.readOnlyRootFilesystem' to true)", "references": [ @@ -86667,7 +86667,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": "Set 'containers[].resources.requests.cpu'.", "name": "CPU requests not specified(Container 'kube-proxy' of DaemonSet 'kube-proxy' should set 'resources.requests.cpu')", "references": [ 
@@ -86696,7 +86696,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": "Set 'containers[].resources.requests.memory'.", "name": "Memory requests not specified(Container 'kube-proxy' of DaemonSet 'kube-proxy' should set 'resources.requests.memory')", "references": [ @@ -86725,7 +86725,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Privileged containers share namespaces with the host system and do not offer any security. They should be used exclusively for system containers that require high privileges.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": "Change 'containers[].securityContext.privileged' to 'false'.", "name": "Privileged container(Container 'kube-proxy' of DaemonSet 'kube-proxy' should set 'securityContext.privileged' to false)", "references": [ @@ -86754,7 +86754,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": "Set a limit value under 'containers[].resources.limits.memory'.", "name": "Memory not limited(Container 'kube-proxy' of DaemonSet 'kube-proxy' should set 'resources.limits.memory')", "references": [ 
@@ -86783,7 +86783,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": "Set 'containers[].securityContext.runAsUser' to an integer > 10000.", "name": "Runs with low user ID(Container 'kube-proxy' of DaemonSet 'kube-proxy' should set 'securityContext.runAsUser' > 10000)", "references": [ @@ -86812,7 +86812,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": "Set 'containers[].securityContext.runAsGroup' to an integer > 10000.", "name": "Runs with low group ID(Container 'kube-proxy' of DaemonSet 'kube-proxy' should set 'securityContext.runAsGroup' > 10000)", "references": [ @@ -86841,7 +86841,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "HostPath volumes must be forbidden.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": "Do not set 'spec.volumes[*].hostPath'.", "name": "hostPath volumes mounted(DaemonSet 'kube-proxy' should not set 'spec.template.volumes.hostPath')", "references": [ 
@@ -86870,7 +86870,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", "name": "Default Seccomp profile not set(Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault')", "references": [ @@ -86899,7 +86899,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", "name": "Container capabilities must only include NET_BIND_SERVICE(container should drop all)", "references": [ @@ -86933,7 +86933,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "It was found that apt-key in apt, all versions, do not correctly valid ...", "references": [ 
@@ -86990,7 +86990,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline", "references": [ @@ -87046,7 +87046,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "coreutils: Non-privileged session can escape to the parent session in chroot", "references": [ 
@@ -87109,7 +87109,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "coreutils: race condition vulnerability in chown and chgrp", "references": [ @@ -87159,7 +87159,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "Dpkg::Source::Archive in dpkg, the Debian package management system, b ...", "references": [ 
@@ -87249,7 +87249,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "Signature spoofing via status line injection", "references": [ @@ -87373,7 +87373,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "denial of service issue (resource consumption) using compressed packets", "references": [ 
@@ -87454,7 +87454,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "arbitrary-file-write vulnerability", "references": [ @@ -87570,7 +87570,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "iptables: --syn flag bypass", "references": [ 
@@ -87620,7 +87620,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "It was found that apt-key in apt, all versions, do not correctly valid ...", "references": [ @@ -87687,7 +87687,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: Off-by-one buffer overflow/underflow in getcwd()", "references": [ 
@@ -87782,7 +87782,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions", "references": [ @@ -87845,7 +87845,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", "references": [ 
@@ -87907,7 +87907,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: stack guard protection bypass", "references": [ @@ -87966,7 +87966,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: running ldd on malicious ELF leads to code execution because of wrong size computation", "references": [ 
@@ -88030,7 +88030,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: ASLR bypass using cache of thread stack and heap", "references": [ @@ -88097,7 +88097,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: information disclosure of heap addresses of pthread_created thread", "references": [ 
@@ -88157,7 +88157,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", "references": [ @@ -88216,7 +88216,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: Off-by-one buffer overflow/underflow in getcwd()", "references": [ 
@@ -88311,7 +88311,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions", "references": [ @@ -88374,7 +88374,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", "references": [ 
@@ -88436,7 +88436,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: stack guard protection bypass", "references": [ @@ -88495,7 +88495,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: running ldd on malicious ELF leads to code execution because of wrong size computation", "references": [ 
@@ -88559,7 +88559,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: ASLR bypass using cache of thread stack and heap", "references": [ @@ -88626,7 +88626,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: information disclosure of heap addresses of pthread_created thread", "references": [ 
@@ -88686,7 +88686,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", "references": [ @@ -88742,7 +88742,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "e2fsprogs: out-of-bounds read/write via crafted filesystem", "references": [ @@ -88842,7 +88842,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "sqlite: heap out-of-bound read in function rtreenode()", "references": [ 
@@ -88988,7 +88988,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "libgcrypt: mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm", "references": [ @@ -89110,7 +89110,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "libgcrypt: ElGamal implementation doesn't have semantic security due to incorrectly encoded plaintexts possibly allowing to obtain sensitive information", "references": [ 
@@ -89182,7 +89182,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A vulnerability found in gnutls. This security flaw happens because of a double free error occurs during verification of pkcs7 signatures in gnutls_pkcs7_verify function.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "Double free during gnutls_pkcs7_verify", "references": [ @@ -89310,7 +89310,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "timing side-channel in the TLS RSA key exchange code", "references": [ 
@@ -89428,7 +89428,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A NULL pointer dereference flaw was found in GnuTLS. As Nettle's hash update functions internally call memcpy, providing zero-length input may cause undefined behavior. This flaw leads to a denial of service after authentication in rare circumstances.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "GnuTLS: Null pointer dereference in MD_UPDATE", "references": [ @@ -89592,7 +89592,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)", "references": [ 
@@ -90029,7 +90029,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "integer overflow vulnerabilities in PAC parsing", "references": [ @@ -90161,7 +90161,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c", "references": [ 
@@ -90209,7 +90209,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "iptables: --syn flag bypass", "references": [ @@ -90257,7 +90257,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "iptables: --syn flag bypass", "references": [ @@ -90326,7 +90326,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "integer overflow vulnerabilities in PAC parsing", "references": [ 
@@ -90458,7 +90458,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c", "references": [ @@ -90527,7 +90527,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "integer overflow vulnerabilities in PAC parsing", "references": [ 
@@ -90659,7 +90659,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c", "references": [ @@ -90728,7 +90728,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "integer overflow vulnerabilities in PAC parsing", "references": [ 
@@ -90860,7 +90860,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c", "references": [ @@ -90925,7 +90925,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "arbitrary-file-write vulnerability", "references": [ 
@@ -91058,7 +91058,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "pcre2: Out-of-bounds read in compile_xclass_matchingpath in pcre2_jit_compile.c", "references": [ @@ -91185,7 +91185,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length() function of the pcre2_jit_compile.c file. This issue affects recursions in JIT-compiled regular expressions caused by duplicate data transfers.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "pcre2: Out-of-bounds read in get_recurse_data_length in pcre2_jit_compile.c", "references": [ @@ -91281,7 +91281,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "pcre: OP_KETRMAX feature in the match function in pcre_exec.c", "references": [ 
@@ -91351,7 +91351,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "pcre: self-recursive call in match() in pcre_exec.c leads to denial of service", "references": [ @@ -91425,7 +91425,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "pcre: stack-based buffer overflow write in pcre32_copy_substring", "references": [ @@ -91483,7 +91483,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "pcre: stack-based buffer overflow write in pcre32_copy_substring", "references": [ 
@@ -91553,7 +91553,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \\X or \\R has more than one fixed quantifier, a related issue to CVE-2019-20454.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "pcre: Buffer over-read in JIT when UTF is disabled and \\X or \\R has fixed quantifier greater than 1", "references": [ @@ -91672,7 +91672,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __cil_verify_classpermission and __cil_pre_verify_helper).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "libsepol: use-after-free in __cil_verify_classperms()", "references": [ @@ -91795,7 +91795,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __verify_map_perm_classperms and hashtab_map).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "libsepol: use-after-free in __cil_verify_classperms()", "references": [ 
@@ -91918,7 +91918,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "use-after-free in cil_reset_classpermission()", "references": [ @@ -92042,7 +92042,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called indirectly from cil_check_neverallow). This occurs because there is sometimes a lack of checks for invalid statements in an optional block.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "libsepol: heap-based buffer overflow in ebitmap_match_any()", "references": [ 
@@ -92186,7 +92186,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "c_rehash script allows command injection", "references": [ 
@@ -92388,7 +92388,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "the c_rehash script allows command injection", "references": [ 
@@ -92581,7 +92581,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "double free after calling PEM_read_bio_ex", "references": [ 
@@ -92870,7 +92870,7 @@ The OpenSSL cms and smime command line applications are similarly affected. ", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "use-after-free following BIO_new_NDEF", "references": [ @@ -93150,7 +93150,7 @@ The OpenSSL cms and smime command line applications are similarly affected. }, "category": "Vulnerability", "description": "There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "X.400 address type confusion in X.509 GeneralName", "references": [ 
@@ -93407,7 +93407,7 @@ exponential use of computational resources, leading to a denial-of-service Policy processing is disabled by default but can be enabled by passing the \`-policy' argument to the command line utilities or by calling the \`X509_VERIFY_PARAM_set1_policies()' function.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "Denial of service by excessive resource usage in verifying X509 policy constraints", "references": [ @@ -93540,7 +93540,7 @@ such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "Possible DoS translating ASN.1 object identifiers", "references": [ 
@@ -93654,7 +93654,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "AES OCB fails to encrypt some bytes", "references": [ 
@@ -93861,7 +93861,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "timing attack in RSA Decryption implementation", "references": [ @@ -94083,7 +94083,7 @@ in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the \`-policy' argument to the command line utilities or by calling the \`X509_VERIFY_PARAM_set1_policies()' function.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "Invalid certificate policies in leaf certificates are silently ignored", "references": [ 
@@ -94187,7 +94187,7 @@ the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "Certificate policy check not enabled", "references": [ @@ -94273,7 +94273,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain "skeleton key" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "Dual_EC_DRBG: weak pseudo random number generator", "references": [ 
@@ -94349,7 +94349,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "openssl: RSA authentication weakness", "references": [ @@ -94425,7 +94425,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "buffer overrun in format_timespan() function", "references": [ @@ -94533,7 +94533,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "systemd: local information leak due to systemd-coredump not respecting fs.suid_dumpable kernel setting", "references": [ 
@@ -94630,7 +94630,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "TOCTOU race condition when updating file permissions and SELinux security contexts", "references": [ @@ -94692,7 +94692,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "systemd: DHCP FORCERENEW authentication not implemented can cause a system running the DHCP client to have its network reconfigured", "references": [ @@ -94796,7 +94796,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "libtasn1: Out-of-bound access in ETYPE_OK", "references": [ 
@@ -94921,7 +94921,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In libtirpc before 1.3.3rc1, remote attackers could exhaust the file descriptors of a process that uses libtirpc because idle TCP connections are mishandled. This can, in turn, lead to an svc_run infinite loop without accepting new connections.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "libtirpc: DoS vulnerability with lots of connections", "references": [ @@ -95034,7 +95034,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In libtirpc before 1.3.3rc1, remote attackers could exhaust the file descriptors of a process that uses libtirpc because idle TCP connections are mishandled. This can, in turn, lead to an svc_run infinite loop without accepting new connections.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "libtirpc: DoS vulnerability with lots of connections", "references": [ @@ -95146,7 +95146,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "buffer overrun in format_timespan() function", "references": [ 
@@ -95254,7 +95254,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "systemd: local information leak due to systemd-coredump not respecting fs.suid_dumpable kernel setting", "references": [ @@ -95351,7 +95351,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "TOCTOU race condition when updating file permissions and SELinux security contexts", "references": [ @@ -95413,7 +95413,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "systemd: DHCP FORCERENEW authentication not implemented can cause a system running the DHCP client to have its network reconfigured", "references": [ 
@@ -95501,7 +95501,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "iptables: --syn flag bypass", "references": [ @@ -95549,7 +95549,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "buffer overrun in util.c", "references": [ @@ -95598,7 +95598,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "initscripts in rPath Linux 1 sets insecure permissions for the /var/lo ...", "references": [ 
@@ -95659,7 +95659,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "shadow-utils: TOCTOU race conditions by copying and removing directory trees", "references": [ @@ -95747,7 +95747,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "shadow-utils: local users can obtain root access because setuid programs are misconfigured", "references": [ 
@@ -95814,7 +95814,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "Improper input validation in shadow-utils package utility chfn", "references": [ @@ -95875,7 +95875,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "initscripts in rPath Linux 1 sets insecure permissions for the /var/lo ...", "references": [ 
@@ -95936,7 +95936,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "shadow-utils: TOCTOU race conditions by copying and removing directory trees", "references": [ @@ -96024,7 +96024,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "shadow-utils: local users can obtain root access because setuid programs are misconfigured", "references": [ 
@@ -96091,7 +96091,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "Improper input validation in shadow-utils package utility chfn", "references": [ @@ -96157,7 +96157,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "CPAN 2.28 allows Signature Verification Bypass.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "perl-CPAN: Bypass of verification of signatures in CHECKSUMS files", "references": [ @@ -96236,7 +96236,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "CPAN.pm before 2.35 does not verify TLS certificates when downloading ...", "references": [ 
@@ -96315,7 +96315,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "_is_safe in the File::Temp module for Perl does not properly handle symlinks.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "perl: File::Temp insecure temporary file handling", "references": [ @@ -96379,7 +96379,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "HTTP::Tiny 0.082, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "HTTP::Tiny 0.082, a Perl core module since 5.13.9 and available standa ...", "references": [ @@ -96443,7 +96443,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "tar: does not properly warn the user when extracting setuid or setgid files", "references": [ 
@@ -96503,7 +96503,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "heap buffer overflow at from_header() in list.c via specially crafted checksum", "references": [ @@ -96637,7 +96637,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field", "references": [ @@ -96879,7 +96879,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "A flaw found in zlib when compressing (not decompressing) certain inputs", "references": [ 
@@ -97109,7 +97109,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "Authorization Bypass Through User-Controlled Key", "references": [ @@ -97259,7 +97259,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "handle server errors after sending GOAWAY", "references": [ @@ -97500,7 +97500,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "avoid quadratic complexity in HPACK decoding", "references": [ 
@@ -97599,7 +97599,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "excessive memory growth in a Go server accepting HTTP/2 requests", "references": [ @@ -97724,7 +97724,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "faccessat checks wrong group", "references": [ @@ -97849,7 +97849,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "ParseAcceptLanguage takes a long time to parse complex tags", "references": [ 
@@ -97935,7 +97935,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "crash when attempting to deserialize invalid input", "references": [ @@ -97988,7 +97988,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", "name": "Process can elevate its own privileges(Container 'kindnet-cni' of DaemonSet 'kindnet' should set 'securityContext.allowPrivilegeEscalation' to false)", "references": [ @@ -98017,7 +98017,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": "Add 'ALL' to containers[].securityContext.capabilities.drop.", "name": "Default capabilities not dropped(Container 'kindnet-cni' of DaemonSet 'kindnet' should add 'ALL' to 'securityContext.capabilities.drop')", "references": [ 
@@ -98046,7 +98046,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": "Do not set 'spec.template.spec.hostNetwork' to true.", "name": "Access to host network(DaemonSet 'kindnet' should not set 'spec.template.spec.hostNetwork' to true)", "references": [ @@ -98075,7 +98075,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": "Set 'containers[].securityContext.runAsNonRoot' to true.", "name": "Runs as root user(Container 'kindnet-cni' of DaemonSet 'kindnet' should set 'securityContext.runAsNonRoot' to true)", "references": [ @@ -98104,7 +98104,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", "name": "Root file system is not read-only(Container 'kindnet-cni' of DaemonSet 'kindnet' should set 'securityContext.readOnlyRootFilesystem' to true)", "references": [ 
@@ -98133,7 +98133,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": "Set 'containers[].securityContext.runAsUser' to an integer > 10000.", "name": "Runs with low user ID(Container 'kindnet-cni' of DaemonSet 'kindnet' should set 'securityContext.runAsUser' > 10000)", "references": [ @@ -98162,7 +98162,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": "Set 'containers[].securityContext.runAsGroup' to an integer > 10000.", "name": "Runs with low group ID(Container 'kindnet-cni' of DaemonSet 'kindnet' should set 'securityContext.runAsGroup' > 10000)", "references": [ @@ -98191,7 +98191,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Adding NET_RAW or capabilities beyond the default set must be disallowed.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": "Do not set spec.containers[*].securityContext.capabilities.add and spec.initContainers[*].securityContext.capabilities.add", "name": "Non-default capabilities added(Container 'kindnet-cni' of DaemonSet 'kindnet' should not set 'securityContext.capabilities.add')", "references": [ 
@@ -98220,7 +98220,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "HostPath volumes must be forbidden.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": "Do not set 'spec.volumes[*].hostPath'.", "name": "hostPath volumes mounted(DaemonSet 'kindnet' should not set 'spec.template.volumes.hostPath')", "references": [ @@ -98249,7 +98249,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", "name": "Default Seccomp profile not set(Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault')", "references": [ @@ -98278,7 +98278,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", "name": "Container capabilities must only include NET_BIND_SERVICE(container should drop all)", "references": [ 
@@ -98367,7 +98367,7 @@ such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-kvmnm'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-kvmnm", "mitigation": undefined, "name": "Possible DoS translating ASN.1 object identifiers", "references": [ @@ -98508,7 +98508,7 @@ such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-kvmnm'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-kvmnm", "mitigation": undefined, "name": "Possible DoS translating ASN.1 object identifiers", "references": [ 
@@ -98599,7 +98599,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-kvmnm'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-kvmnm", "mitigation": undefined, "name": "aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto SDK for golang", "references": [ 
@@ -98682,7 +98682,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-kvmnm'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-kvmnm", "mitigation": undefined, "name": "aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto SDK for golang", "references": [ @@ -98755,7 +98755,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-kvmnm'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-kvmnm", "mitigation": "Set a limit value under 'containers[].resources.limits.cpu'.", "name": "CPU not limited(Container 'trivy' of Job 'scan-trivy-k8s-kvmnm' should set 'resources.limits.cpu')", "references": [ 
@@ -98784,7 +98784,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-kvmnm'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-kvmnm", "mitigation": "Set 'containers[].securityContext.runAsNonRoot' to true.", "name": "Runs as root user(Container 'trivy' of Job 'scan-trivy-k8s-kvmnm' should set 'securityContext.runAsNonRoot' to true)", "references": [ @@ -98813,7 +98813,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-kvmnm'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-kvmnm", "mitigation": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", "name": "Root file system is not read-only(Container 'trivy' of Job 'scan-trivy-k8s-kvmnm' should set 'securityContext.readOnlyRootFilesystem' to true)", "references": [ 
@@ -98842,7 +98842,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-kvmnm'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-kvmnm", "mitigation": "Set 'containers[].resources.requests.cpu'.", "name": "CPU requests not specified(Container 'trivy' of Job 'scan-trivy-k8s-kvmnm' should set 'resources.requests.cpu')", "references": [ @@ -98871,7 +98871,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-kvmnm'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-kvmnm", "mitigation": "Set 'containers[].resources.requests.memory'.", "name": "Memory requests not specified(Container 'trivy' of Job 'scan-trivy-k8s-kvmnm' should set 'resources.requests.memory')", "references": [ @@ -98900,7 +98900,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-kvmnm'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-kvmnm", "mitigation": "Set a limit value under 'containers[].resources.limits.memory'.", "name": "Memory not limited(Container 'trivy' of Job 'scan-trivy-k8s-kvmnm' should set 'resources.limits.memory')", "references": [ 
@@ -98929,7 +98929,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-kvmnm'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-kvmnm", "mitigation": "Set 'containers[].securityContext.runAsUser' to an integer > 10000.", "name": "Runs with low user ID(Container 'lurker' of Job 'scan-trivy-k8s-kvmnm' should set 'securityContext.runAsUser' > 10000)", "references": [ @@ -98958,7 +98958,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-kvmnm'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-kvmnm", "mitigation": "Set 'containers[].securityContext.runAsUser' to an integer > 10000.", "name": "Runs with low user ID(Container 'trivy' of Job 'scan-trivy-k8s-kvmnm' should set 'securityContext.runAsUser' > 10000)", "references": [ @@ -98987,7 +98987,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-kvmnm'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-kvmnm", "mitigation": "Set 'containers[].securityContext.runAsGroup' to an integer > 10000.", "name": "Runs with low group ID(Container 'lurker' of Job 'scan-trivy-k8s-kvmnm' should set 'securityContext.runAsGroup' > 10000)", "references": [ 
@@ -99016,7 +99016,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-kvmnm'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-kvmnm", "mitigation": "Set 'containers[].securityContext.runAsGroup' to an integer > 10000.", "name": "Runs with low group ID(Container 'trivy' of Job 'scan-trivy-k8s-kvmnm' should set 'securityContext.runAsGroup' > 10000)", "references": [ @@ -99045,7 +99045,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-kvmnm'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-kvmnm", "mitigation": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", "name": "Default Seccomp profile not set(Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault')", "references": [ 
@@ -99074,7 +99074,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-kvmnm'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-kvmnm", "mitigation": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", "name": "Default Seccomp profile not set(Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault')", "references": [ @@ -99103,7 +99103,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-kvmnm'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-kvmnm", "mitigation": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", "name": "Container capabilities must only include NET_BIND_SERVICE(container should drop all)", "references": [ 
@@ -99132,7 +99132,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-kvmnm'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-kvmnm", "mitigation": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", "name": "Container capabilities must only include NET_BIND_SERVICE(container should drop all)", "references": [ @@ -99160,7 +99160,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Storing sensitive content such as usernames and email addresses in configMaps is unsafe", - "location": "Namespace: 'kube-system' / Kind: 'ConfigMap' / Name: 'extension-apiserver-authentication'", + "location": "scb://trivy/?Namespace=kube-system&Kind=ConfigMap&Name=extension-apiserver-authentication", "mitigation": "Remove sensitive content from configMap data value", "name": "ConfigMap with sensitive content(ConfigMap 'extension-apiserver-authentication' in 'kube-system' namespace stores sensitive contents in key(s) or value(s) '{"requestheader-username-headers"}')", "references": [ 
@@ -99185,7 +99185,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", - "location": "Namespace: 'kube-public' / Kind: 'Role' / Name: 'system:controller:bootstrap-signer'", + "location": "scb://trivy/?Namespace=kube-public&Kind=Role&Name=system:controller:bootstrap-signer", "mitigation": "Remove write permission verbs for resource 'configmaps'", "name": "Do not allow management of configmaps(Role 'system:controller:bootstrap-signer' should not have access to resource 'configmaps' for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -99214,7 +99214,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", - "location": "Namespace: 'kube-system' / Kind: 'Role' / Name: 'system::leader-locking-kube-controller-manager'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Role&Name=system::leader-locking-kube-controller-manager", "mitigation": "Remove write permission verbs for resource 'configmaps'", "name": "Do not allow management of configmaps(Role 'system::leader-locking-kube-controller-manager' should not have access to resource 'configmaps' for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ 
@@ -99243,7 +99243,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", - "location": "Namespace: 'kube-system' / Kind: 'Role' / Name: 'system::leader-locking-kube-scheduler'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Role&Name=system::leader-locking-kube-scheduler", "mitigation": "Remove write permission verbs for resource 'configmaps'", "name": "Do not allow management of configmaps(Role 'system::leader-locking-kube-scheduler' should not have access to resource 'configmaps' for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -99272,7 +99272,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", - "location": "Namespace: 'kube-system' / Kind: 'Role' / Name: 'system:controller:cloud-provider'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Role&Name=system:controller:cloud-provider", "mitigation": "Remove write permission verbs for resource 'configmaps'", "name": "Do not allow management of configmaps(Role 'system:controller:cloud-provider' should not have access to resource 'configmaps' for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ 
@@ -99301,7 +99301,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits managing secrets", - "location": "Namespace: 'kube-system' / Kind: 'Role' / Name: 'system:controller:bootstrap-signer'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Role&Name=system:controller:bootstrap-signer", "mitigation": "Create a role which does not permit to manage secrets if not needed", "name": "Do not allow management of secrets(Role permits management of secret(s))", "references": [ @@ -99330,7 +99330,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Role' / Name: 'leader-election-role'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Role&Name=leader-election-role", "mitigation": "Remove write permission verbs for resource 'configmaps'", "name": "Do not allow management of configmaps(Role 'leader-election-role' should not have access to resource 'configmaps' for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -99359,7 +99359,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits managing secrets", - "location": "Namespace: 'kube-system' / Kind: 'Role' / Name: 'system:controller:token-cleaner'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Role&Name=system:controller:token-cleaner", "mitigation": "Create a role which does not permit to manage secrets if not needed", "name": "Do not allow management of secrets(Role permits management of secret(s))", "references": [ 
@@ -99388,7 +99388,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits wildcard verb on wildcard resource", - "location": "Kind: 'ClusterRole' / Name: 'cluster-admin'", + "location": "scb://trivy/?Kind=ClusterRole&Name=cluster-admin", "mitigation": "Create a role which does not permit wildcard verb on wildcard resource", "name": "No wildcard verb and resource roles(Role permits wildcard verb on wildcard resource)", "references": [ @@ -99417,7 +99417,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits specific verb on wildcard resources", - "location": "Kind: 'ClusterRole' / Name: 'cluster-admin'", + "location": "scb://trivy/?Kind=ClusterRole&Name=cluster-admin", "mitigation": "Create a role which does not permit specific verb on wildcard resources", "name": "No wildcard resource roles(Role permits specific verb on wildcard resource)", "references": [ @@ -99446,7 +99446,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits managing secrets", - "location": "Kind: 'ClusterRole' / Name: 'admin'", + "location": "scb://trivy/?Kind=ClusterRole&Name=admin", "mitigation": "Create a role which does not permit to manage secrets if not needed", "name": "Do not allow management of secrets(Role permits management of secret(s))", "references": [ @@ -99475,7 +99475,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits managing secrets", - "location": "Kind: 'ClusterRole' / Name: 'admin'", + "location": "scb://trivy/?Kind=ClusterRole&Name=admin", "mitigation": "Create a role which does not permit to manage secrets if not needed", "name": "Do not allow management of secrets(Role permits management of secret(s))", "references": [ 
@@ -99504,7 +99504,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'admin'", + "location": "scb://trivy/?Kind=ClusterRole&Name=admin", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ @@ -99533,7 +99533,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'admin'", + "location": "scb://trivy/?Kind=ClusterRole&Name=admin", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ @@ -99562,7 +99562,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'admin'", + "location": "scb://trivy/?Kind=ClusterRole&Name=admin", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ 
@@ -99591,7 +99591,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'admin'", + "location": "scb://trivy/?Kind=ClusterRole&Name=admin", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ @@ -99620,7 +99620,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", - "location": "Kind: 'ClusterRole' / Name: 'admin'", + "location": "scb://trivy/?Kind=ClusterRole&Name=admin", "mitigation": "Remove write permission verbs for resource 'configmaps'", "name": "Do not allow management of configmaps(ClusterRole 'admin' should not have access to resource 'configmaps' for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -99649,7 +99649,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "An effective level of access equivalent to cluster-admin should not be provided.", - "location": "Kind: 'ClusterRole' / Name: 'admin'", + "location": "scb://trivy/?Kind=ClusterRole&Name=admin", "mitigation": "Remove write permission verbs for resource 'roles' and 'rolebindings'", "name": "Do not allow management of RBAC resources(ClusterRole 'admin' should not have access to resources ["roles", "rolebindings"] for verbs ["create", "update", "delete", "deletecollection", "impersonate", "*"])", "references": [ 
@@ -99678,7 +99678,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'admin'", + "location": "scb://trivy/?Kind=ClusterRole&Name=admin", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'admin' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -99707,7 +99707,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'admin'", + "location": "scb://trivy/?Kind=ClusterRole&Name=admin", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'admin' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ 
@@ -99736,7 +99736,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'admin'", + "location": "scb://trivy/?Kind=ClusterRole&Name=admin", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'admin' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -99765,7 +99765,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits managing secrets", - "location": "Kind: 'ClusterRole' / Name: 'edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=edit", "mitigation": "Create a role which does not permit to manage secrets if not needed", "name": "Do not allow management of secrets(Role permits management of secret(s))", "references": [ @@ -99794,7 +99794,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits managing secrets", - "location": "Kind: 'ClusterRole' / Name: 'edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=edit", "mitigation": "Create a role which does not permit to manage secrets if not needed", "name": "Do not allow management of secrets(Role permits management of secret(s))", "references": [ 
@@ -99823,7 +99823,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=edit", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ @@ -99852,7 +99852,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=edit", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ @@ -99881,7 +99881,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=edit", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ @@ -99910,7 +99910,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=edit", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ 
@@ -99939,7 +99939,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", - "location": "Kind: 'ClusterRole' / Name: 'edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=edit", "mitigation": "Remove write permission verbs for resource 'configmaps'", "name": "Do not allow management of configmaps(ClusterRole 'edit' should not have access to resource 'configmaps' for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -99968,7 +99968,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=edit", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'edit' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ 
@@ -99997,7 +99997,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=edit", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'edit' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -100026,7 +100026,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=edit", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'edit' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ 
@@ -100055,7 +100055,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'manager-role'", + "location": "scb://trivy/?Kind=ClusterRole&Name=manager-role", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ @@ -100084,7 +100084,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "An effective level of access equivalent to cluster-admin should not be provided.", - "location": "Kind: 'ClusterRole' / Name: 'manager-role'", + "location": "scb://trivy/?Kind=ClusterRole&Name=manager-role", "mitigation": "Remove write permission verbs for resource 'roles' and 'rolebindings'", "name": "Do not allow management of RBAC resources(ClusterRole 'manager-role' should not have access to resources ["roles", "rolebindings"] for verbs ["create", "update", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -100113,7 +100113,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "An effective level of access equivalent to cluster-admin should not be provided.", - "location": "Kind: 'ClusterRole' / Name: 'manager-role'", + "location": "scb://trivy/?Kind=ClusterRole&Name=manager-role", "mitigation": "Remove write permission verbs for resource 'roles' and 'rolebindings'", "name": "Do not allow management of RBAC resources(ClusterRole 'manager-role' should not have access to resources ["roles", "rolebindings"] for verbs ["create", "update", "delete", "deletecollection", "impersonate", "*"])", "references": [ 
@@ -100142,7 +100142,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits wildcard verb on specific resources", - "location": "Kind: 'ClusterRole' / Name: 'local-path-provisioner-role'", + "location": "scb://trivy/?Kind=ClusterRole&Name=local-path-provisioner-role", "mitigation": "Create a role which does not permit wildcard verb on specific resources", "name": "No wildcard verb roles(Role permits wildcard verb on specific resources)", "references": [ @@ -100171,7 +100171,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'local-path-provisioner-role'", + "location": "scb://trivy/?Kind=ClusterRole&Name=local-path-provisioner-role", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'local-path-provisioner-role' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ 
@@ -100200,7 +100200,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "An effective level of access equivalent to cluster-admin should not be provided.", - "location": "Kind: 'ClusterRole' / Name: 'system:aggregate-to-admin'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:aggregate-to-admin", "mitigation": "Remove write permission verbs for resource 'roles' and 'rolebindings'", "name": "Do not allow management of RBAC resources(ClusterRole 'system:aggregate-to-admin' should not have access to resources ["roles", "rolebindings"] for verbs ["create", "update", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -100229,7 +100229,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits managing secrets", - "location": "Kind: 'ClusterRole' / Name: 'system:aggregate-to-edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:aggregate-to-edit", "mitigation": "Create a role which does not permit to manage secrets if not needed", "name": "Do not allow management of secrets(Role permits management of secret(s))", "references": [ @@ -100258,7 +100258,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits managing secrets", - "location": "Kind: 'ClusterRole' / Name: 'system:aggregate-to-edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:aggregate-to-edit", "mitigation": "Create a role which does not permit to manage secrets if not needed", "name": "Do not allow management of secrets(Role permits management of secret(s))", "references": [ 
@@ -100287,7 +100287,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'system:aggregate-to-edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:aggregate-to-edit", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ @@ -100316,7 +100316,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'system:aggregate-to-edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:aggregate-to-edit", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ @@ -100345,7 +100345,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'system:aggregate-to-edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:aggregate-to-edit", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ 
@@ -100374,7 +100374,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'system:aggregate-to-edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:aggregate-to-edit", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ @@ -100403,7 +100403,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", - "location": "Kind: 'ClusterRole' / Name: 'system:aggregate-to-edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:aggregate-to-edit", "mitigation": "Remove write permission verbs for resource 'configmaps'", "name": "Do not allow management of configmaps(ClusterRole 'system:aggregate-to-edit' should not have access to resource 'configmaps' for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ 
@@ -100432,7 +100432,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'system:aggregate-to-edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:aggregate-to-edit", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'system:aggregate-to-edit' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -100461,7 +100461,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'system:aggregate-to-edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:aggregate-to-edit", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'system:aggregate-to-edit' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ 
@@ -100490,7 +100490,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'system:aggregate-to-edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:aggregate-to-edit", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'system:aggregate-to-edit' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -100519,7 +100519,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:cronjob-controller'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:cronjob-controller", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ @@ -100548,7 +100548,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:cronjob-controller'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:cronjob-controller", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ 
@@ -100577,7 +100577,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:deployment-controller'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:deployment-controller", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ @@ -100606,7 +100606,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:deployment-controller'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:deployment-controller", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ 
@@ -100635,7 +100635,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:endpoint-controller'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:endpoint-controller", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'system:controller:endpoint-controller' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -100664,7 +100664,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:endpointslice-controller'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:endpointslice-controller", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'system:controller:endpointslice-controller' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ 
@@ -100693,7 +100693,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:endpointslicemirroring-controller'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:endpointslicemirroring-controller", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'system:controller:endpointslicemirroring-controller' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -100722,7 +100722,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits specific verb on wildcard resources", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:generic-garbage-collector'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:generic-garbage-collector", "mitigation": "Create a role which does not permit specific verb on wildcard resources", "name": "No wildcard resource roles(Role permits specific verb on wildcard resource)", "references": [ 
@@ -100751,7 +100751,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits managing secrets", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:expand-controller'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:expand-controller", "mitigation": "Create a role which does not permit to manage secrets if not needed", "name": "Do not allow management of secrets(Role permits management of secret(s))", "references": [ @@ -100780,7 +100780,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits specific verb on wildcard resources", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:horizontal-pod-autoscaler'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:horizontal-pod-autoscaler", "mitigation": "Create a role which does not permit specific verb on wildcard resources", "name": "No wildcard resource roles(Role permits specific verb on wildcard resource)", "references": [ @@ -100809,7 +100809,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits specific verb on wildcard resources", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:horizontal-pod-autoscaler'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:horizontal-pod-autoscaler", "mitigation": "Create a role which does not permit specific verb on wildcard resources", "name": "No wildcard resource roles(Role permits specific verb on wildcard resource)", "references": [ 
@@ -100838,7 +100838,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:job-controller'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:job-controller", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ @@ -100867,7 +100867,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits specific verb on wildcard resources", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:namespace-controller'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:namespace-controller", "mitigation": "Create a role which does not permit specific verb on wildcard resources", "name": "No wildcard resource roles(Role permits specific verb on wildcard resource)", "references": [ @@ -100896,7 +100896,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits managing secrets", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:persistent-volume-binder'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:persistent-volume-binder", "mitigation": "Create a role which does not permit to manage secrets if not needed", "name": "Do not allow management of secrets(Role permits management of secret(s))", "references": [ 
@@ -100925,7 +100925,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:persistent-volume-binder'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:persistent-volume-binder", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'system:controller:persistent-volume-binder' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -100954,7 +100954,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:persistent-volume-binder'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:persistent-volume-binder", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'system:controller:persistent-volume-binder' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ 
@@ -100983,7 +100983,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:replicaset-controller'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:replicaset-controller", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ @@ -101012,7 +101012,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits specific verb on wildcard resources", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:resourcequota-controller'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:resourcequota-controller", "mitigation": "Create a role which does not permit specific verb on wildcard resources", "name": "No wildcard resource roles(Role permits specific verb on wildcard resource)", "references": [ @@ -101041,7 +101041,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:replication-controller'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:replication-controller", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ 
@@ -101070,7 +101070,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:root-ca-cert-publisher'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:root-ca-cert-publisher", "mitigation": "Remove write permission verbs for resource 'configmaps'", "name": "Do not allow management of configmaps(ClusterRole 'system:controller:root-ca-cert-publisher' should not have access to resource 'configmaps' for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -101099,7 +101099,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits managing secrets", - "location": "Kind: 'ClusterRole' / Name: 'system:kube-controller-manager'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:kube-controller-manager", "mitigation": "Create a role which does not permit to manage secrets if not needed", "name": "Do not allow management of secrets(Role permits management of secret(s))", "references": [ @@ -101128,7 +101128,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits managing secrets", - "location": "Kind: 'ClusterRole' / Name: 'system:kube-controller-manager'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:kube-controller-manager", "mitigation": "Create a role which does not permit to manage secrets if not needed", "name": "Do not allow management of secrets(Role permits management of secret(s))", "references": [ 
@@ -101157,7 +101157,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits managing secrets", - "location": "Kind: 'ClusterRole' / Name: 'system:kube-controller-manager'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:kube-controller-manager", "mitigation": "Create a role which does not permit to manage secrets if not needed", "name": "Do not allow management of secrets(Role permits management of secret(s))", "references": [ @@ -101186,7 +101186,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits managing secrets", - "location": "Kind: 'ClusterRole' / Name: 'system:kube-controller-manager'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:kube-controller-manager", "mitigation": "Create a role which does not permit to manage secrets if not needed", "name": "Do not allow management of secrets(Role permits management of secret(s))", "references": [ @@ -101215,7 +101215,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits specific verb on wildcard resources", - "location": "Kind: 'ClusterRole' / Name: 'system:kube-controller-manager'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:kube-controller-manager", "mitigation": "Create a role which does not permit specific verb on wildcard resources", "name": "No wildcard resource roles(Role permits specific verb on wildcard resource)", "references": [ 
@@ -101244,7 +101244,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'system:kube-controller-manager'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:kube-controller-manager", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'system:kube-controller-manager' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -101273,7 +101273,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'system:kube-controller-manager'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:kube-controller-manager", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'system:kube-controller-manager' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ 
@@ -101302,7 +101302,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'system:kube-scheduler'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:kube-scheduler", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'system:kube-scheduler' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -101331,7 +101331,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'system:kube-scheduler'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:kube-scheduler", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'system:kube-scheduler' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ 
@@ -101360,7 +101360,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits managing secrets", - "location": "Kind: 'ClusterRole' / Name: 'system:node'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:node", "mitigation": "Create a role which does not permit to manage secrets if not needed", "name": "Do not allow management of secrets(Role permits management of secret(s))", "references": [ @@ -101389,7 +101389,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "The RBAC role cluster-admin provides wide-ranging powers over the environment and should be used only where and when needed.", - "location": "Kind: 'ClusterRoleBinding' / Name: 'trivy-k8s'", + "location": "scb://trivy/?Kind=ClusterRoleBinding&Name=trivy-k8s", "mitigation": "Identify all clusterrolebindings to the cluster-admin role. Check if they are used and if they need this role or if they could use a role with fewer privileges.", "name": "Ensure that the cluster-admin role is only used where required(ClusterRoleBinding 'trivy-k8s' with role 'cluster-admin' should be used only when required)", "references": [ @@ -101418,7 +101418,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Ensure that the container network interface file has permissions of 600 or more restrictive.", - "location": "Kind: 'NodeInfo' / Name: 'kind-control-plane'", + "location": "scb://trivy/?Kind=NodeInfo&Name=kind-control-plane", "mitigation": "Change the container network interface file path/to/cni/files permissions of 600 or more restrictive ", "name": "Ensure that the container network interface file permissions are set to 600 or more restrictive(Ensure that the Container Network Interface specification file permissions is set to 600 or more restrictive)", "references": [ 
@@ -101447,7 +101447,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Ensure that the etcd data directory ownership is set to etcd:etcd.", - "location": "Kind: 'NodeInfo' / Name: 'kind-control-plane'", + "location": "scb://trivy/?Kind=NodeInfo&Name=kind-control-plane", "mitigation": "Change the etcd data directory /var/lib/etcd ownership to etcd:etcd", "name": "Ensure that the etcd data directory ownership is set to etcd:etcd(Ensure that the etcd data directory ownership is set to etcd:etcd)", "references": [ @@ -101476,7 +101476,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Ensure that the Kubernetes PKI certificate file permission is set to 600.", - "location": "Kind: 'NodeInfo' / Name: 'kind-control-plane'", + "location": "scb://trivy/?Kind=NodeInfo&Name=kind-control-plane", "mitigation": "Change the Kubernetes PKI certificate file /etc/kubernetes/pki/*.crt permission to 600", "name": "Ensure that the Kubernetes PKI certificate file permission is set to 600(Ensure that the Kubernetes PKI certificate file permission is set to 600)", "references": [ @@ -101505,7 +101505,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Ensure that the kubelet service file has permissions of 600 or more restrictive.", - "location": "Kind: 'NodeInfo' / Name: 'kind-control-plane'", + "location": "scb://trivy/?Kind=NodeInfo&Name=kind-control-plane", "mitigation": "Change the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf permissions of 600 or more restrictive ", "name": "Ensure that the kubelet service file permissions are set to 600 or more restrictive(Ensure that the kubelet service file permissions are set to 600 or more restrictive)", "references": [ 
@@ -101534,7 +101534,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Ensure that the certificate authorities file has permissions of 600 or more restrictive.", - "location": "Kind: 'NodeInfo' / Name: 'kind-control-plane'", + "location": "scb://trivy/?Kind=NodeInfo&Name=kind-control-plane", "mitigation": "Change the certificate authorities file permissions to 600 or more restrictive if exist", "name": "Ensure that the certificate authorities file permissions are set to 600 or more restrictive(Ensure that the certificate authorities file permissions are set to 600 or more restrictive)", "references": [ @@ -101563,7 +101563,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Ensure that if the kubelet refers to a configuration file with the --config argument, that file has permissions of 600 or more restrictive.", - "location": "Kind: 'NodeInfo' / Name: 'kind-control-plane'", + "location": "scb://trivy/?Kind=NodeInfo&Name=kind-control-plane", "mitigation": "Change the kubelet config yaml permissions to 600 or more restrictive if exist", "name": "If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive(Ensure that if the kubelet refers to a configuration file with the --config argument, that file has permissions of 600 or more restrictive.)", "references": [ 
@@ -101601,7 +101601,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "Finding in Dependency apk-tools (2.10.5-r1)", "references": [ @@ -101650,7 +101650,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "In Alpine Linux apk-tools before 2.12.5, the tarball parser allows a buffer overflow and crash.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "Finding in Dependency apk-tools (2.10.5-r1)", "references": [ 
@@ -101693,7 +101693,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "busybox: invalid free or segmentation fault via malformed gzip data", "references": [ @@ -101774,7 +101774,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i()", "references": [ 
@@ -101847,7 +101847,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file()", "references": [ @@ -101920,7 +101920,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar()", "references": [ 
@@ -101993,7 +101993,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init()", "references": [ @@ -102066,7 +102066,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s()", "references": [ 
@@ -102137,7 +102137,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate()", "references": [ @@ -102202,7 +102202,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special()", "references": [ 
@@ -102275,7 +102275,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate()", "references": [ @@ -102348,7 +102348,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc()", "references": [ 
@@ -102418,7 +102418,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "busybox: remote attackers may execute arbitrary code if netstat is used", "references": [ @@ -102479,7 +102479,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "busybox: out-of-bounds read in unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed", "references": [ 
@@ -102565,7 +102565,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "openssl: SM2 Decryption Buffer Overflow", "references": [ 
@@ -102709,7 +102709,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "openssl: integer overflow in CipherUpdate", "references": [ 
@@ -102879,7 +102879,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. 
Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT", "references": [ 
@@ -103060,7 +103060,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. 
If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "openssl: Read buffer overruns processing ASN.1 strings", "references": [ 
@@ -103262,7 +103262,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). 
Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates", "references": [ 
@@ -103490,7 +103490,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. 
Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "openssl: EDIPARTYNAME NULL pointer de-reference", "references": [ 
@@ -103679,7 +103679,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "openssl: NULL pointer dereference in X509_issuer_and_serial_hash()", "references": [ 
@@ -103877,7 +103877,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "openssl: NULL pointer dereference in signature_algorithms processing", "references": [ 
@@ -104068,7 +104068,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. 
Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "openssl: incorrect SSLv2 rollback protection", "references": [ 
@@ -104162,7 +104162,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "openssl: SM2 Decryption Buffer Overflow", "references": [ 
@@ -104306,7 +104306,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "openssl: integer overflow in CipherUpdate", "references": [ 
@@ -104476,7 +104476,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. 
Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT", "references": [ 
@@ -104657,7 +104657,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. 
If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "openssl: Read buffer overruns processing ASN.1 strings", "references": [ 
@@ -104859,7 +104859,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). 
Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates", "references": [ 
@@ -105087,7 +105087,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. 
Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "openssl: EDIPARTYNAME NULL pointer de-reference", "references": [ 
@@ -105276,7 +105276,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "openssl: NULL pointer dereference in X509_issuer_and_serial_hash()", "references": [ 
@@ -105474,7 +105474,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "openssl: NULL pointer dereference in signature_algorithms processing", "references": [ 
@@ -105665,7 +105665,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. 
Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x).", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "openssl: incorrect SSLv2 rollback protection", "references": [ @@ -105749,7 +105749,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinati ...", "references": [ 
@@ -105837,7 +105837,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinati ...", "references": [ @@ -105924,7 +105924,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "busybox: invalid free or segmentation fault via malformed gzip data", "references": [ 
@@ -106005,7 +106005,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i()", "references": [ @@ -106078,7 +106078,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file()", "references": [ 
@@ -106151,7 +106151,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar()", "references": [ @@ -106224,7 +106224,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init()", "references": [ 
@@ -106297,7 +106297,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s()", "references": [ @@ -106368,7 +106368,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate()", "references": [ 
@@ -106433,7 +106433,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special()", "references": [ @@ -106506,7 +106506,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate()", "references": [ 
@@ -106579,7 +106579,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc()", "references": [ @@ -106649,7 +106649,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "busybox: remote attackers may execute arbitrary code if netstat is used", "references": [ 
@@ -106710,7 +106710,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "busybox: out-of-bounds read in unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed", "references": [ @@ -106816,7 +106816,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field", "references": [ 
@@ -107058,7 +107058,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": undefined, "name": "A flaw found in zlib when compressing (not decompressing) certain inputs", "references": [ @@ -107271,7 +107271,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", "name": "Process can elevate its own privileges(Container 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'securityContext.allowPrivilegeEscalation' to false)", "references": [ 
@@ -107300,7 +107300,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": "Add 'ALL' to containers[].securityContext.capabilities.drop.", "name": "Default capabilities not dropped(Container 'local-path-provisioner' of Deployment 'local-path-provisioner' should add 'ALL' to 'securityContext.capabilities.drop')", "references": [ @@ -107329,7 +107329,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": "Set a limit value under 'containers[].resources.limits.cpu'.", "name": "CPU not limited(Container 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'resources.limits.cpu')", "references": [ 
@@ -107358,7 +107358,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": "Set 'containers[].securityContext.runAsNonRoot' to true.", "name": "Runs as root user(Container 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'securityContext.runAsNonRoot' to true)", "references": [ @@ -107387,7 +107387,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", "name": "Root file system is not read-only(Container 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'securityContext.readOnlyRootFilesystem' to true)", "references": [ 
@@ -107416,7 +107416,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": "Set 'containers[].resources.requests.cpu'.", "name": "CPU requests not specified(Container 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'resources.requests.cpu')", "references": [ @@ -107445,7 +107445,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": "Set 'containers[].resources.requests.memory'.", "name": "Memory requests not specified(Container 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'resources.requests.memory')", "references": [ 
@@ -107474,7 +107474,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": "Set a limit value under 'containers[].resources.limits.memory'.", "name": "Memory not limited(Container 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'resources.limits.memory')", "references": [ @@ -107503,7 +107503,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": "Set 'containers[].securityContext.runAsUser' to an integer > 10000.", "name": "Runs with low user ID(Container 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'securityContext.runAsUser' > 10000)", "references": [ 
@@ -107532,7 +107532,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": "Set 'containers[].securityContext.runAsGroup' to an integer > 10000.", "name": "Runs with low group ID(Container 'local-path-provisioner' of Deployment 'local-path-provisioner' should set 'securityContext.runAsGroup' > 10000)", "references": [ @@ -107561,7 +107561,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", "name": "Default Seccomp profile not set(Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault')", "references": [ 
@@ -107590,7 +107590,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "location": "Namespace: 'local-path-storage' / Kind: 'Deployment' / Name: 'local-path-provisioner'", + "location": "scb://trivy/?Namespace=local-path-storage&Kind=Deployment&Name=local-path-provisioner", "mitigation": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", "name": "Container capabilities must only include NET_BIND_SERVICE(container should drop all)", "references": [ @@ -107636,7 +107636,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'dashboard-metrics-scraper'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=dashboard-metrics-scraper", "mitigation": undefined, "name": "Authorization Bypass Through User-Controlled Key", "references": [ 
@@ -107786,7 +107786,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'dashboard-metrics-scraper'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=dashboard-metrics-scraper", "mitigation": undefined, "name": "handle server errors after sending GOAWAY", "references": [ @@ -108021,7 +108021,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'dashboard-metrics-scraper'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=dashboard-metrics-scraper", "mitigation": undefined, "name": "request smuggling", "references": [ 
@@ -108091,7 +108091,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'dashboard-metrics-scraper'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=dashboard-metrics-scraper", "mitigation": undefined, "name": "avoid quadratic complexity in HPACK decoding", "references": [ @@ -108194,7 +108194,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'dashboard-metrics-scraper'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=dashboard-metrics-scraper", "mitigation": undefined, "name": "excessive memory growth in a Go server accepting HTTP/2 requests", "references": [ 
@@ -108311,7 +108311,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'dashboard-metrics-scraper'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=dashboard-metrics-scraper", "mitigation": undefined, "name": "ParseAcceptLanguage takes a long time to parse complex tags", "references": [ @@ -108392,7 +108392,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'dashboard-metrics-scraper'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=dashboard-metrics-scraper", "mitigation": "Add 'ALL' to containers[].securityContext.capabilities.drop.", "name": "Default capabilities not dropped(Container 'dashboard-metrics-scraper' of Deployment 'dashboard-metrics-scraper' should add 'ALL' to 'securityContext.capabilities.drop')", "references": [ 
@@ -108421,7 +108421,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'dashboard-metrics-scraper'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=dashboard-metrics-scraper", "mitigation": "Set a limit value under 'containers[].resources.limits.cpu'.", "name": "CPU not limited(Container 'dashboard-metrics-scraper' of Deployment 'dashboard-metrics-scraper' should set 'resources.limits.cpu')", "references": [ @@ -108450,7 +108450,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'dashboard-metrics-scraper'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=dashboard-metrics-scraper", "mitigation": "Set 'containers[].securityContext.runAsNonRoot' to true.", "name": "Runs as root user(Container 'dashboard-metrics-scraper' of Deployment 'dashboard-metrics-scraper' should set 'securityContext.runAsNonRoot' to true)", "references": [ 
@@ -108479,7 +108479,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'dashboard-metrics-scraper'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=dashboard-metrics-scraper", "mitigation": "Set 'containers[].resources.requests.cpu'.", "name": "CPU requests not specified(Container 'dashboard-metrics-scraper' of Deployment 'dashboard-metrics-scraper' should set 'resources.requests.cpu')", "references": [ @@ -108508,7 +108508,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'dashboard-metrics-scraper'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=dashboard-metrics-scraper", "mitigation": "Set 'containers[].resources.requests.memory'.", "name": "Memory requests not specified(Container 'dashboard-metrics-scraper' of Deployment 'dashboard-metrics-scraper' should set 'resources.requests.memory')", "references": [ 
@@ -108537,7 +108537,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'dashboard-metrics-scraper'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=dashboard-metrics-scraper", "mitigation": "Set a limit value under 'containers[].resources.limits.memory'.", "name": "Memory not limited(Container 'dashboard-metrics-scraper' of Deployment 'dashboard-metrics-scraper' should set 'resources.limits.memory')", "references": [ @@ -108566,7 +108566,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'dashboard-metrics-scraper'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=dashboard-metrics-scraper", "mitigation": "Set 'containers[].securityContext.runAsUser' to an integer > 10000.", "name": "Runs with low user ID(Container 'dashboard-metrics-scraper' of Deployment 'dashboard-metrics-scraper' should set 'securityContext.runAsUser' > 10000)", "references": [ 
@@ -108595,7 +108595,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'dashboard-metrics-scraper'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=dashboard-metrics-scraper", "mitigation": "Set 'containers[].securityContext.runAsGroup' to an integer > 10000.", "name": "Runs with low group ID(Container 'dashboard-metrics-scraper' of Deployment 'dashboard-metrics-scraper' should set 'securityContext.runAsGroup' > 10000)", "references": [ @@ -108624,7 +108624,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'dashboard-metrics-scraper'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=dashboard-metrics-scraper", "mitigation": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", "name": "Container capabilities must only include NET_BIND_SERVICE(container should drop all)", "references": [ 
@@ -108658,7 +108658,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-controller-manager'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-controller-manager", "mitigation": undefined, "name": "crash when attempting to deserialize invalid input", "references": [ @@ -108711,7 +108711,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-controller-manager'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-controller-manager", "mitigation": "Set 'containers[].securityContext.runAsUser' to an integer > 10000.", "name": "Runs with low user ID(Container 'manager' of Deployment 'securecodebox-controller-manager' should set 'securityContext.runAsUser' > 10000)", "references": [ 
@@ -108740,7 +108740,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-controller-manager'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-controller-manager", "mitigation": "Set 'containers[].securityContext.runAsGroup' to an integer > 10000.", "name": "Runs with low group ID(Container 'manager' of Deployment 'securecodebox-controller-manager' should set 'securityContext.runAsGroup' > 10000)", "references": [ @@ -108769,7 +108769,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-controller-manager'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-controller-manager", "mitigation": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", "name": "Default Seccomp profile not set(Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault')", "references": [ 
@@ -108798,7 +108798,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-controller-manager'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-controller-manager", "mitigation": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", "name": "Container capabilities must only include NET_BIND_SERVICE(container should drop all)", "references": [ @@ -108837,7 +108837,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto SDK for golang", "references": [ 
@@ -108920,7 +108920,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto SDK for golang", "references": [ @@ -109004,7 +109004,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation", "references": [ 
@@ -109158,7 +109158,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of \`promhttp.InstrumentHandler*\` middleware except \`RequestsInFlight\`; not filter any specific methods (e.g GET) before middleware; pass metric with \`method\` label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown \`method\`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the \`method\` label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "Denial of service using InstrumentHandlerCounter", "references": [ 
@@ -109508,7 +109508,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost (or any other address).", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "etcd: DNS rebinding vulnerability in etcd server", "references": [ @@ -109589,7 +109589,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "In etcd before versions 3.3.23 and 3.4.10, it is possible to have an entry index greater then the number of entries in the ReadAll method in wal/wal.go. This could cause issues when WAL entries are being read during consensus as an arbitrary etcd consensus participant could go down from a runtime panic when reading the entry.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "etcd: DoS in wal/wal.go", "references": [ 
@@ -109682,7 +109682,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "etcd: Large slice causes panic in decodeRecord method", "references": [ @@ -109775,7 +109775,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference", "references": [ 
@@ -109863,7 +109863,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "golang.org/x/crypto: empty plaintext packet causes panic", "references": [ @@ -109956,7 +109956,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "crash in a golang.org/x/crypto/ssh server", "references": [ @@ -110127,7 +110127,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "golang: x/net/html: infinite loop in ParseFragment", "references": [ 
@@ -110218,7 +110218,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "golang: net/http: limit growth of header canonicalization cache", "references": [ @@ -110372,7 +110372,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "handle server errors after sending GOAWAY", "references": [ @@ -110614,7 +110614,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "avoid quadratic complexity in HPACK decoding", "references": [ 
@@ -110711,7 +110711,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header", "references": [ @@ -110810,7 +110810,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "excessive memory growth in a Go server accepting HTTP/2 requests", "references": [ 
@@ -110935,7 +110935,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "faccessat checks wrong group", "references": [ @@ -111058,7 +111058,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "out-of-bounds read in golang.org/x/text/language leads to DoS", "references": [ @@ -111143,7 +111143,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "ParseAcceptLanguage takes a long time to parse complex tags", "references": [ 
@@ -111232,7 +111232,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.3, <= v1.18.10, <= v1.17.13, < v1.20.0-alpha2.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": undefined, "name": "kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9", "references": [ @@ -111297,7 +111297,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": "Set a limit value under 'containers[].resources.limits.cpu'.", "name": "CPU not limited(Container 'coredns' of Deployment 'coredns' should set 'resources.limits.cpu')", "references": [ @@ -111326,7 +111326,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": "Set 'containers[].securityContext.runAsNonRoot' to true.", "name": "Runs as root user(Container 'coredns' of Deployment 'coredns' should set 'securityContext.runAsNonRoot' to true)", "references": [ 
@@ -111355,7 +111355,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": "Set 'containers[].securityContext.runAsUser' to an integer > 10000.", "name": "Runs with low user ID(Container 'coredns' of Deployment 'coredns' should set 'securityContext.runAsUser' > 10000)", "references": [ @@ -111384,7 +111384,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": "Set 'containers[].securityContext.runAsGroup' to an integer > 10000.", "name": "Runs with low group ID(Container 'coredns' of Deployment 'coredns' should set 'securityContext.runAsGroup' > 10000)", "references": [ @@ -111413,7 +111413,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Adding NET_RAW or capabilities beyond the default set must be disallowed.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": "Do not set spec.containers[*].securityContext.capabilities.add and spec.initContainers[*].securityContext.capabilities.add", "name": "Non-default capabilities added(Container 'coredns' of Deployment 'coredns' should not set 'securityContext.capabilities.add')", "references": [ 
@@ -111442,7 +111442,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", "name": "Default Seccomp profile not set(Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault')", "references": [ @@ -111471,7 +111471,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "location": "Namespace: 'kube-system' / Kind: 'Deployment' / Name: 'coredns'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Deployment&Name=coredns", "mitigation": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", "name": "Container capabilities must only include NET_BIND_SERVICE(container should drop all)", "references": [ @@ -111497,7 +111497,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": undefined, - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": undefined, "name": "tzdata - new timezone database", "references": [], 
@@ -111514,7 +111514,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": undefined, - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": undefined, "name": "tzdata - new timezone database", "references": [], @@ -111531,7 +111531,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": undefined, - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": undefined, "name": "tzdata - new timezone database", "references": [], @@ -111548,7 +111548,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": undefined, - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": undefined, "name": "tzdata - new timezone database", "references": [], @@ -111568,7 +111568,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Disable anonymous requests to the API server.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Set '--anonymous-auth' to 'false'.", "name": "Ensure that the --anonymous-auth argument is set to false(Ensure that the --anonymous-auth argument is set to false)", "references": [ 
@@ -111597,7 +111597,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Verify kubelet's certificate before establishing connection.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. ", "name": "Ensure that the --kubelet-certificate-authority argument is set as appropriate(Ensure that the --kubelet-certificate-authority argument is set as appropriate)", "references": [ @@ -111626,7 +111626,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Limit the rate at which the API server accepts requests.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Follow the Kubernetes documentation and set the desired limits in a configuration file. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml and set the below parameters.", "name": "Ensure that the admission control plugin EventRateLimit is set(Ensure that the admission control plugin EventRateLimit is set)", "references": [ 
@@ -111655,7 +111655,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Always pull images.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --enable-admission-plugins parameter to include AlwaysPullImages.", "name": "Ensure that the admission control plugin AlwaysPullImages is set(Ensure that the admission control plugin AlwaysPullImages is set)", "references": [ @@ -111684,7 +111684,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "The SecurityContextDeny admission controller can be used to deny pods which make use of some SecurityContext fields which could allow for privilege escalation in the cluster. This should be used where PodSecurityPolicy is not in place within the cluster.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --enable-admission-plugins parameter to include SecurityContextDeny, unless PodSecurityPolicy is already in place.", "name": "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used(Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used)", "references": [ 
@@ -111713,7 +111713,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Disable profiling, if not needed.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the below parameter.", "name": "Ensure that the --profiling argument is set to false(Ensure that the --profiling argument is set to false)", "references": [ @@ -111742,7 +111742,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Enable auditing on the Kubernetes API Server and set the desired audit log path.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --audit-log-path parameter.", "name": "Ensure that the --audit-log-path argument is set(Ensure that the --audit-log-path argument is set)", "references": [ 
@@ -111771,7 +111771,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Retain the logs for at least 30 days or as appropriate.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --audit-log-maxage parameter to 30 or as an appropriate number of days.", "name": "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate(Ensure that the --audit-log-maxage argument is set to 30 or as appropriate)", "references": [ @@ -111800,7 +111800,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Retain 10 or an appropriate number of old log files.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --audit-log-maxbackup parameter to 10 or to an appropriate value.", "name": "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate(Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate)", "references": [ 
@@ -111829,7 +111829,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Rotate log files on reaching 100 MB or as appropriate.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --audit-log-maxsize parameter to an appropriate size in MB", "name": "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate(Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate)", "references": [ @@ -111858,7 +111858,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", "name": "Process can elevate its own privileges(Container 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 'securityContext.allowPrivilegeEscalation' to false)", "references": [ 
@@ -111887,7 +111887,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Add 'ALL' to containers[].securityContext.capabilities.drop.", "name": "Default capabilities not dropped(Container 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should add 'ALL' to 'securityContext.capabilities.drop')", "references": [ @@ -111916,7 +111916,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Do not set 'spec.template.spec.hostNetwork' to true.", "name": "Access to host network(Pod 'kube-apiserver-kind-control-plane' should not set 'spec.template.spec.hostNetwork' to true)", "references": [ 
@@ -111945,7 +111945,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Set a limit value under 'containers[].resources.limits.cpu'.", "name": "CPU not limited(Container 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 'resources.limits.cpu')", "references": [ @@ -111974,7 +111974,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Set 'containers[].securityContext.runAsNonRoot' to true.", "name": "Runs as root user(Container 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 'securityContext.runAsNonRoot' to true)", "references": [ 
@@ -112003,7 +112003,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", "name": "Root file system is not read-only(Container 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 'securityContext.readOnlyRootFilesystem' to true)", "references": [ @@ -112032,7 +112032,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Set 'containers[].resources.requests.memory'.", "name": "Memory requests not specified(Container 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 'resources.requests.memory')", "references": [ 
@@ -112061,7 +112061,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Set a limit value under 'containers[].resources.limits.memory'.", "name": "Memory not limited(Container 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 'resources.limits.memory')", "references": [ @@ -112090,7 +112090,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Set 'containers[].securityContext.runAsUser' to an integer > 10000.", "name": "Runs with low user ID(Container 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 'securityContext.runAsUser' > 10000)", "references": [ 
@@ -112119,7 +112119,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Set 'containers[].securityContext.runAsGroup' to an integer > 10000.", "name": "Runs with low group ID(Container 'kube-apiserver' of Pod 'kube-apiserver-kind-control-plane' should set 'securityContext.runAsGroup' > 10000)", "references": [ @@ -112148,7 +112148,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "HostPath volumes must be forbidden.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Do not set 'spec.volumes[*].hostPath'.", "name": "hostPath volumes mounted(Pod 'kube-apiserver-kind-control-plane' should not set 'spec.template.volumes.hostPath')", "references": [ 
@@ -112177,7 +112177,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", "name": "Default Seccomp profile not set(Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault')", "references": [ @@ -112206,7 +112206,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-apiserver-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-apiserver-kind-control-plane", "mitigation": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", "name": "Container capabilities must only include NET_BIND_SERVICE(container should drop all)", "references": [ 
@@ -112240,7 +112240,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A flaw was found in the \`/v2/_catalog\` endpoint in distribution/distribution, which accepts a parameter to control the maximum number of records returned (query string: \`n\`). This vulnerability allows a malicious user to submit an unreasonably large value for \`n,\` causing the allocation of a massive string array, possibly causing a denial of service through excessive use of memory.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'kubernetes-dashboard'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=kubernetes-dashboard", "mitigation": undefined, "name": "DoS from malicious API request", "references": [ @@ -112342,7 +112342,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'kubernetes-dashboard'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=kubernetes-dashboard", "mitigation": undefined, "name": "handle server errors after sending GOAWAY", "references": [ 
@@ -112577,7 +112577,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'kubernetes-dashboard'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=kubernetes-dashboard", "mitigation": undefined, "name": "request smuggling", "references": [ @@ -112647,7 +112647,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'kubernetes-dashboard'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=kubernetes-dashboard", "mitigation": undefined, "name": "avoid quadratic complexity in HPACK decoding", "references": [ 
@@ -112750,7 +112750,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'kubernetes-dashboard'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=kubernetes-dashboard", "mitigation": undefined, "name": "excessive memory growth in a Go server accepting HTTP/2 requests", "references": [ @@ -112867,7 +112867,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'kubernetes-dashboard'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=kubernetes-dashboard", "mitigation": undefined, "name": "ParseAcceptLanguage takes a long time to parse complex tags", "references": [ 
@@ -112948,7 +112948,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'kubernetes-dashboard'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=kubernetes-dashboard", "mitigation": "Use COPY instead of ADD", "name": "ADD instead of COPY(Consider using 'COPY . /' command instead of 'ADD . /')", "references": [ @@ -112977,7 +112977,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'kubernetes-dashboard'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=kubernetes-dashboard", "mitigation": "Add HEALTHCHECK instruction in Dockerfile", "name": "No HEALTHCHECK defined(Add HEALTHCHECK instruction in your Dockerfile)", "references": [ 
@@ -113006,7 +113006,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'kubernetes-dashboard'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=kubernetes-dashboard", "mitigation": "Add 'ALL' to containers[].securityContext.capabilities.drop.", "name": "Default capabilities not dropped(Container 'kubernetes-dashboard' of Deployment 'kubernetes-dashboard' should add 'ALL' to 'securityContext.capabilities.drop')", "references": [ @@ -113035,7 +113035,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'kubernetes-dashboard'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=kubernetes-dashboard", "mitigation": "Set a limit value under 'containers[].resources.limits.cpu'.", "name": "CPU not limited(Container 'kubernetes-dashboard' of Deployment 'kubernetes-dashboard' should set 'resources.limits.cpu')", "references": [ 
@@ -113064,7 +113064,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'kubernetes-dashboard'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=kubernetes-dashboard", "mitigation": "Set 'containers[].securityContext.runAsNonRoot' to true.", "name": "Runs as root user(Container 'kubernetes-dashboard' of Deployment 'kubernetes-dashboard' should set 'securityContext.runAsNonRoot' to true)", "references": [ @@ -113093,7 +113093,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'kubernetes-dashboard'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=kubernetes-dashboard", "mitigation": "Set 'containers[].resources.requests.cpu'.", "name": "CPU requests not specified(Container 'kubernetes-dashboard' of Deployment 'kubernetes-dashboard' should set 'resources.requests.cpu')", "references": [ 
@@ -113122,7 +113122,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'kubernetes-dashboard'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=kubernetes-dashboard", "mitigation": "Set 'containers[].resources.requests.memory'.", "name": "Memory requests not specified(Container 'kubernetes-dashboard' of Deployment 'kubernetes-dashboard' should set 'resources.requests.memory')", "references": [ @@ -113151,7 +113151,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'kubernetes-dashboard'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=kubernetes-dashboard", "mitigation": "Set a limit value under 'containers[].resources.limits.memory'.", "name": "Memory not limited(Container 'kubernetes-dashboard' of Deployment 'kubernetes-dashboard' should set 'resources.limits.memory')", "references": [ 
@@ -113180,7 +113180,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'kubernetes-dashboard'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=kubernetes-dashboard", "mitigation": "Set 'containers[].securityContext.runAsUser' to an integer > 10000.", "name": "Runs with low user ID(Container 'kubernetes-dashboard' of Deployment 'kubernetes-dashboard' should set 'securityContext.runAsUser' > 10000)", "references": [ @@ -113209,7 +113209,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'kubernetes-dashboard'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=kubernetes-dashboard", "mitigation": "Set 'containers[].securityContext.runAsGroup' to an integer > 10000.", "name": "Runs with low group ID(Container 'kubernetes-dashboard' of Deployment 'kubernetes-dashboard' should set 'securityContext.runAsGroup' > 10000)", "references": [ 
@@ -113238,7 +113238,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Misconfiguration", "description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Deployment' / Name: 'kubernetes-dashboard'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Deployment&Name=kubernetes-dashboard", "mitigation": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", "name": "Container capabilities must only include NET_BIND_SERVICE(container should drop all)", "references": [ @@ -113272,7 +113272,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "It was found that apt-key in apt, all versions, do not correctly valid ...", "references": [ 
@@ -113335,7 +113335,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue may lead to memory problems.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "a heap-buffer-overflow in valid_parameter_transform", "references": [ @@ -113412,7 +113412,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline", "references": [ 
@@ -113468,7 +113468,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "coreutils: Non-privileged session can escape to the parent session in chroot", "references": [ @@ -113531,7 +113531,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "coreutils: race condition vulnerability in chown and chgrp", "references": [ 
@@ -113596,7 +113596,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "When doing HTTP(S) transfers, libcurl might erroneously use the read callback (\`CURLOPT_READFUNCTION\`) to ask for data to send, even when the \`CURLOPT_POSTFIELDS\` option has been set, if the same handle previously was used to issue a \`PUT\` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent \`POST\` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "POST following PUT confusion", "references": [ @@ -113731,7 +113731,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A cleartext transmission of sensitive information vulnerability exists in curl n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c", "references": [ 
@@ -119280,7 +119280,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "integer overflow vulnerabilities in PAC parsing", "references": [ @@ -119412,7 +119412,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c", "references": [ 
@@ -119481,7 +119481,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "integer overflow vulnerabilities in PAC parsing", "references": [ @@ -119613,7 +119613,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c", "references": [ 
@@ -119682,7 +119682,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "integer overflow vulnerabilities in PAC parsing", "references": [ @@ -119814,7 +119814,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c", "references": [ 
@@ -119862,7 +119862,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "null pointer dereference in ber_memalloc_x function", "references": [ @@ -119914,7 +119914,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "incorrect multi-keyword mode cipherstring parsing", "references": [ 
@@ -119978,7 +119978,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill \`cat /pathname\`" command, as demonstrated by openldap-initscript.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "openldap: Privilege escalation via PID file manipulation", "references": [ @@ -120029,7 +120029,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "openldap: contrib/slapd-modules/nops/nops.c attempts to free stack buffer allowing remote attackers to cause a denial of service", "references": [ 
@@ -120094,7 +120094,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "openldap: Certificate validation incorrectly matches name against CN-ID", "references": [ @@ -120163,7 +120163,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline", "references": [ 
@@ -120222,7 +120222,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "ncurses: segfaulting OOB read", "references": [ @@ -120305,7 +120305,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Local users can trigger security-relevant memory corruption via malformed data", "references": [ 
@@ -120388,7 +120388,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "ncurses: segfaulting OOB read", "references": [ @@ -120471,7 +120471,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Local users can trigger security-relevant memory corruption via malformed data", "references": [ 
@@ -120564,7 +120564,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "pcre2: Out-of-bounds read in compile_xclass_matchingpath in pcre2_jit_compile.c", "references": [ @@ -120691,7 +120691,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "An out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length() function of the pcre2_jit_compile.c file. This issue affects recursions in JIT-compiled regular expressions caused by duplicate data transfers.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "pcre2: Out-of-bounds read in get_recurse_data_length in pcre2_jit_compile.c", "references": [ 
@@ -120787,7 +120787,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "pcre: OP_KETRMAX feature in the match function in pcre_exec.c", "references": [ @@ -120857,7 +120857,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "pcre: self-recursive call in match() in pcre_exec.c leads to denial of service", "references": [ 
@@ -120931,7 +120931,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "pcre: stack-based buffer overflow write in pcre32_copy_substring", "references": [ @@ -120989,7 +120989,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "pcre: stack-based buffer overflow write in pcre32_copy_substring", "references": [ 
@@ -121059,7 +121059,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \\X or \\R has more than one fixed quantifier, a related issue to CVE-2019-20454.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "pcre: Buffer over-read in JIT when UTF is disabled and \\X or \\R has fixed quantifier greater than 1", "references": [ @@ -121178,7 +121178,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __cil_verify_classpermission and __cil_pre_verify_helper).", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "libsepol: use-after-free in __cil_verify_classperms()", "references": [ @@ -121301,7 +121301,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __verify_map_perm_classperms and hashtab_map).", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "libsepol: use-after-free in __cil_verify_classperms()", "references": [ 
@@ -121424,7 +121424,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list).", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "use-after-free in cil_reset_classpermission()", "references": [ @@ -121548,7 +121548,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called indirectly from cil_check_neverallow). This occurs because there is sometimes a lack of checks for invalid statements in an optional block.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "libsepol: heap-based buffer overflow in ebitmap_match_any()", "references": [ 
@@ -121661,7 +121661,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline", "references": [ 
@@ -121754,7 +121754,7 @@ exports[`should parse a trivy-k8s scan result of a cluster running secureCodeBox }, "category": "Vulnerability", "description": "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "double free after calling PEM_read_bio_ex", "references": [ 
@@ -122043,7 +122043,7 @@ The OpenSSL cms and smime command line applications are similarly affected. ", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "use-after-free following BIO_new_NDEF", "references": [ @@ -122323,7 +122323,7 @@ The OpenSSL cms and smime command line applications are similarly affected. }, "category": "Vulnerability", "description": "There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "X.400 address type confusion in X.509 GeneralName", "references": [ 
@@ -122582,7 +122582,7 @@ exponential use of computational resources, leading to a denial-of-service Policy processing is disabled by default but can be enabled by passing the \`-policy' argument to the command line utilities or by calling the \`X509_VERIFY_PARAM_set1_policies()' function.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Denial of service by excessive resource usage in verifying X509 policy constraints", "references": [ @@ -122726,7 +122726,7 @@ such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Possible DoS translating ASN.1 object identifiers", "references": [ 
@@ -122852,7 +122852,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "AES OCB fails to encrypt some bytes", "references": [ 
@@ -123059,7 +123059,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "timing attack in RSA Decryption implementation", "references": [ @@ -123283,7 +123283,7 @@ in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the \`-policy' argument to the command line utilities or by calling the \`X509_VERIFY_PARAM_set1_policies()' function.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Invalid certificate policies in leaf certificates are silently ignored", "references": [ 
@@ -123397,7 +123397,7 @@ the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Certificate policy check not enabled", "references": [ @@ -123491,7 +123491,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain "skeleton key" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Dual_EC_DRBG: weak pseudo random number generator", "references": [ 
@@ -123567,7 +123567,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "openssl: RSA authentication weakness", "references": [ @@ -123643,7 +123643,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "buffer overrun in format_timespan() function", "references": [ 
@@ -123751,7 +123751,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "systemd: local information leak due to systemd-coredump not respecting fs.suid_dumpable kernel setting", "references": [ @@ -123848,7 +123848,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "TOCTOU race condition when updating file permissions and SELinux security contexts", "references": [ 
@@ -123910,7 +123910,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "systemd: DHCP FORCERENEW authentication not implemented can cause a system running the DHCP client to have its network reconfigured", "references": [ @@ -123996,7 +123996,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "An issue was discovered in systemd 253. An attacker can modify a seale ...", "references": [ 
@@ -124034,7 +124034,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "An issue was discovered in systemd 253. An attacker can truncate a sea ...", "references": [ @@ -124072,7 +124072,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "An issue was discovered in systemd 253. An attacker can modify the con ...", "references": [ 
@@ -124128,7 +124128,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "libtasn1: Out-of-bound access in ETYPE_OK", "references": [ @@ -124247,7 +124247,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "ncurses: segfaulting OOB read", "references": [ @@ -124330,7 +124330,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Local users can trigger security-relevant memory corruption via malformed data", "references": [ 
@@ -124418,7 +124418,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "buffer overrun in format_timespan() function", "references": [ @@ -124526,7 +124526,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "systemd: local information leak due to systemd-coredump not respecting fs.suid_dumpable kernel setting", "references": [ @@ -124623,7 +124623,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "TOCTOU race condition when updating file permissions and SELinux security contexts", "references": [ 
@@ -124685,7 +124685,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "systemd: DHCP FORCERENEW authentication not implemented can cause a system running the DHCP client to have its network reconfigured", "references": [ @@ -124771,7 +124771,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "An issue was discovered in systemd 253. An attacker can modify a seale ...", "references": [ 
@@ -124809,7 +124809,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "An issue was discovered in systemd 253. An attacker can truncate a sea ...", "references": [ @@ -124847,7 +124847,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "An issue was discovered in systemd 253. An attacker can modify the con ...", "references": [ 
@@ -124888,7 +124888,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline", "references": [ @@ -124940,7 +124940,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "buffer overrun in util.c", "references": [ 
@@ -124989,7 +124989,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "initscripts in rPath Linux 1 sets insecure permissions for the /var/lo ...", "references": [ @@ -125050,7 +125050,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "shadow-utils: TOCTOU race conditions by copying and removing directory trees", "references": [ 
@@ -125138,7 +125138,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "shadow-utils: local users can obtain root access because setuid programs are misconfigured", "references": [ 
@@ -125205,7 +125205,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Improper input validation in shadow-utils package utility chfn", "references": [ 
@@ -125266,7 +125266,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline", "references": [ @@ -125325,7 +125325,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "ncurses: segfaulting OOB read", "references": [ 
@@ -125408,7 +125408,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Local users can trigger security-relevant memory corruption via malformed data", "references": [ 
@@ -125525,7 +125525,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "double free after calling PEM_read_bio_ex", "references": [ 
@@ -125814,7 +125814,7 @@ The OpenSSL cms and smime command line applications are similarly affected. ", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "use-after-free following BIO_new_NDEF", "references": [ @@ -126094,7 +126094,7 @@ The OpenSSL cms and smime command line applications are similarly affected. }, "category": "Vulnerability", "description": "There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "X.400 address type confusion in X.509 GeneralName", "references": [ 
@@ -126353,7 +126353,7 @@ exponential use of computational resources, leading to a denial-of-service Policy processing is disabled by default but can be enabled by passing the \`-policy' argument to the command line utilities or by calling the \`X509_VERIFY_PARAM_set1_policies()' function.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Denial of service by excessive resource usage in verifying X509 policy constraints", "references": [ @@ -126497,7 +126497,7 @@ such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Possible DoS translating ASN.1 object identifiers", "references": [ 
@@ -126623,7 +126623,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "AES OCB fails to encrypt some bytes", "references": [ 
@@ -126830,7 +126830,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "timing attack in RSA Decryption implementation", "references": [ @@ -127054,7 +127054,7 @@ in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the \`-policy' argument to the command line utilities or by calling the \`X509_VERIFY_PARAM_set1_policies()' function.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Invalid certificate policies in leaf certificates are silently ignored", "references": [ 
@@ -127168,7 +127168,7 @@ the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Certificate policy check not enabled", "references": [ @@ -127262,7 +127262,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain "skeleton key" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Dual_EC_DRBG: weak pseudo random number generator", "references": [ 
@@ -127338,7 +127338,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "openssl: RSA authentication weakness", "references": [ @@ -127403,7 +127403,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "initscripts in rPath Linux 1 sets insecure permissions for the /var/lo ...", "references": [ 
@@ -127464,7 +127464,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "shadow-utils: TOCTOU race conditions by copying and removing directory trees", "references": [ @@ -127552,7 +127552,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "shadow-utils: local users can obtain root access because setuid programs are misconfigured", "references": [ 
@@ -127619,7 +127619,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Improper input validation in shadow-utils package utility chfn", "references": [ @@ -127685,7 +127685,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "CPAN 2.28 allows Signature Verification Bypass.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "perl-CPAN: Bypass of verification of signatures in CHECKSUMS files", "references": [ 
@@ -127764,7 +127764,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "CPAN.pm before 2.35 does not verify TLS certificates when downloading ...", "references": [ @@ -127843,7 +127843,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "_is_safe in the File::Temp module for Perl does not properly handle symlinks.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "perl: File::Temp insecure temporary file handling", "references": [ @@ -127908,7 +127908,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available ...", "references": [ 
@@ -127976,7 +127976,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "tar: does not properly warn the user when extracting setuid or setgid files", "references": [ @@ -128036,7 +128036,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "heap buffer overflow at from_header() in list.c via specially crafted checksum", "references": [ 
@@ -128133,7 +128133,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline", "references": [ @@ -128196,7 +128196,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "volume mount race condition (regression of CVE-2019-19921)", "references": [ 
@@ -128295,7 +128295,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the \`C\` portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure). runc version 1.0.3 contains a fix for this bug. As a workaround, one may try disallowing untrusted namespace paths from your container. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "integer overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration", "references": [ 
@@ -128388,7 +128388,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where \`runc exec --cap\` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes \`runc exec --cap\` behavior such that the additional capabilities granted to the process being executed (as specified via \`--cap\` arguments) do not include inheritable capabilities. In addition, \`runc spec\` is changed to not set any inheritable capabilities in the created example OCI spec (\`config.json\`) file.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "runc: incorrect handling of inheritable capabilities", "references": [ 
@@ -128508,7 +128508,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when \`/proc\` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked \`/proc\`. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "AppArmor can be bypassed when \`/proc\` inside the container is symlinked with a specific mount configuration", "references": [ 
@@ -128577,7 +128577,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes \`/sys/fs/cgroup\` writable in following conditons: 1. when runc is executed inside the user namespace, and the \`config.json\` does not specify the cgroup namespace to be unshared (e.g.., \`(docker|podman|nerdctl) run --cgroupns=host\`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and \`/sys\` is mounted with \`rbind, ro\` (e.g., \`runc spec --rootless\`; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy \`/sys/fs/cgroup/user.slice/...\` on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (\`(docker|podman|nerdctl) run --cgroupns=private)\`. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add \`/sys/fs/cgroup\` to \`maskedPaths\`.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Rootless runc makes \`/sys/fs/cgroup\` writable", "references": [ 
@@ -128662,7 +128662,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "faccessat checks wrong group", "references": [ @@ -128795,7 +128795,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "faccessat checks wrong group", "references": [ @@ -128912,7 +128912,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "AES-CBC decryption is vulnerable to a timing attack which may permit an attacker to recover the plaintext of JWE data.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "github.com/lestrrat-go/jwx vulnerable to Potential Padding Oracle Attack", "references": [ 
@@ -129006,7 +129006,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "handle server errors after sending GOAWAY", "references": [ @@ -129241,7 +129241,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "request smuggling", "references": [ @@ -129311,7 +129311,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "avoid quadratic complexity in HPACK decoding", "references": [ 
@@ -129414,7 +129414,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "excessive memory growth in a Go server accepting HTTP/2 requests", "references": [ @@ -129531,7 +129531,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "ParseAcceptLanguage takes a long time to parse complex tags", "references": [ @@ -129615,7 +129615,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in coreDNS. This flaw allows a malicious user to reroute internal calls to some internal services that were accessed by the FQDN in a format of ..svc.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "coreDNS: DNS Redirection of Internal Services", "references": [ 
@@ -129663,7 +129663,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in coreDNS. This flaw allows a malicious user to redirect traffic intended for external top-level domains (TLD) to a pod they control by creating projects and namespaces that match the TLD.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "DNS Redirection of Top-Level Domains", "references": [ @@ -129712,7 +129712,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "AES-CBC decryption is vulnerable to a timing attack which may permit an attacker to recover the plaintext of JWE data.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "github.com/lestrrat-go/jwx vulnerable to Potential Padding Oracle Attack", "references": [ @@ -129762,7 +129762,7 @@ commonly used by applications.", "description": "Minio Console is the UI for MinIO Object Storage. Unicode RIGHT-TO-LEFT OVERRIDE characters can be used to mask the original filename. This issue has been patched in version 0.28.0. ", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "Minio console object names with RIGHT-TO-LEFT OVERRIDE unicode character can be exploited", "references": [ 
@@ -129856,7 +129856,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "handle server errors after sending GOAWAY", "references": [ @@ -130091,7 +130091,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "request smuggling", "references": [ @@ -130161,7 +130161,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "avoid quadratic complexity in HPACK decoding", "references": [ 
@@ -130264,7 +130264,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "excessive memory growth in a Go server accepting HTTP/2 requests", "references": [ @@ -130381,7 +130381,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": undefined, "name": "ParseAcceptLanguage takes a long time to parse complex tags", "references": [ 
@@ -130462,7 +130462,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", "name": "Process can elevate its own privileges(Container 'minio' of Deployment 'securecodebox-operator-minio' should set 'securityContext.allowPrivilegeEscalation' to false)", "references": [ @@ -130491,7 +130491,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": "Add 'ALL' to containers[].securityContext.capabilities.drop.", "name": "Default capabilities not dropped(Container 'minio' of Deployment 'securecodebox-operator-minio' should add 'ALL' to 'securityContext.capabilities.drop')", "references": [ 
@@ -130520,7 +130520,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": "Set a limit value under 'containers[].resources.limits.cpu'.", "name": "CPU not limited(Container 'minio' of Deployment 'securecodebox-operator-minio' should set 'resources.limits.cpu')", "references": [ @@ -130549,7 +130549,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", "name": "Root file system is not read-only(Container 'minio' of Deployment 'securecodebox-operator-minio' should set 'securityContext.readOnlyRootFilesystem' to true)", "references": [ 
@@ -130578,7 +130578,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": "Set 'containers[].resources.requests.cpu'.", "name": "CPU requests not specified(Container 'minio' of Deployment 'securecodebox-operator-minio' should set 'resources.requests.cpu')", "references": [ @@ -130607,7 +130607,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": "Set a limit value under 'containers[].resources.limits.memory'.", "name": "Memory not limited(Container 'minio' of Deployment 'securecodebox-operator-minio' should set 'resources.limits.memory')", "references": [ 
@@ -130636,7 +130636,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": "Set 'containers[].securityContext.runAsUser' to an integer > 10000.", "name": "Runs with low user ID(Container 'minio' of Deployment 'securecodebox-operator-minio' should set 'securityContext.runAsUser' > 10000)", "references": [ @@ -130665,7 +130665,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": "Set 'containers[].securityContext.runAsGroup' to an integer > 10000.", "name": "Runs with low group ID(Container 'minio' of Deployment 'securecodebox-operator-minio' should set 'securityContext.runAsGroup' > 10000)", "references": [ 
@@ -130694,7 +130694,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", "name": "Default Seccomp profile not set(Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault')", "references": [ @@ -130723,7 +130723,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Deployment' / Name: 'securecodebox-operator-minio'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Deployment&Name=securecodebox-operator-minio", "mitigation": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", "name": "Container capabilities must only include NET_BIND_SERVICE(container should drop all)", "references": [ @@ -130749,7 +130749,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": undefined, - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-scheduler-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-scheduler-kind-control-plane", "mitigation": undefined, "name": "tzdata - new timezone database", "references": [], 
@@ -130766,7 +130766,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": undefined, - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-scheduler-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-scheduler-kind-control-plane", "mitigation": undefined, "name": "tzdata - new timezone database", "references": [], @@ -130783,7 +130783,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": undefined, - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-scheduler-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-scheduler-kind-control-plane", "mitigation": undefined, "name": "tzdata - new timezone database", "references": [], @@ -130800,7 +130800,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": undefined, - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-scheduler-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-scheduler-kind-control-plane", "mitigation": undefined, "name": "tzdata - new timezone database", "references": [], @@ -130820,7 +130820,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Disable profiling, if not needed.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-scheduler-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-scheduler-kind-control-plane", "mitigation": "Edit the Scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml file on the Control Plane node and set the below parameter.", "name": "Ensure that the --profiling argument is set to false(Ensure that the --profiling argument is set to false)", "references": [ 
@@ -130849,7 +130849,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-scheduler-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-scheduler-kind-control-plane", "mitigation": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", "name": "Process can elevate its own privileges(Container 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'securityContext.allowPrivilegeEscalation' to false)", "references": [ @@ -130878,7 +130878,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-scheduler-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-scheduler-kind-control-plane", "mitigation": "Add 'ALL' to containers[].securityContext.capabilities.drop.", "name": "Default capabilities not dropped(Container 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should add 'ALL' to 'securityContext.capabilities.drop')", "references": [ 
@@ -130907,7 +130907,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-scheduler-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-scheduler-kind-control-plane", "mitigation": "Do not set 'spec.template.spec.hostNetwork' to true.", "name": "Access to host network(Pod 'kube-scheduler-kind-control-plane' should not set 'spec.template.spec.hostNetwork' to true)", "references": [ @@ -130936,7 +130936,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-scheduler-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-scheduler-kind-control-plane", "mitigation": "Set a limit value under 'containers[].resources.limits.cpu'.", "name": "CPU not limited(Container 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'resources.limits.cpu')", "references": [ @@ -130965,7 +130965,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-scheduler-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-scheduler-kind-control-plane", "mitigation": "Set 'containers[].securityContext.runAsNonRoot' to true.", "name": "Runs as root user(Container 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'securityContext.runAsNonRoot' to true)", "references": [ 
@@ -130994,7 +130994,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-scheduler-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-scheduler-kind-control-plane", "mitigation": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", "name": "Root file system is not read-only(Container 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'securityContext.readOnlyRootFilesystem' to true)", "references": [ @@ -131023,7 +131023,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-scheduler-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-scheduler-kind-control-plane", "mitigation": "Set 'containers[].resources.requests.memory'.", "name": "Memory requests not specified(Container 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'resources.requests.memory')", "references": [ 
@@ -131052,7 +131052,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-scheduler-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-scheduler-kind-control-plane", "mitigation": "Set a limit value under 'containers[].resources.limits.memory'.", "name": "Memory not limited(Container 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'resources.limits.memory')", "references": [ @@ -131081,7 +131081,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-scheduler-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-scheduler-kind-control-plane", "mitigation": "Set 'containers[].securityContext.runAsUser' to an integer > 10000.", "name": "Runs with low user ID(Container 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'securityContext.runAsUser' > 10000)", "references": [ @@ -131110,7 +131110,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-scheduler-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-scheduler-kind-control-plane", "mitigation": "Set 'containers[].securityContext.runAsGroup' to an integer > 10000.", "name": "Runs with low group ID(Container 'kube-scheduler' of Pod 'kube-scheduler-kind-control-plane' should set 'securityContext.runAsGroup' > 10000)", "references": [ 
@@ -131139,7 +131139,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "HostPath volumes must be forbidden.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-scheduler-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-scheduler-kind-control-plane", "mitigation": "Do not set 'spec.volumes[*].hostPath'.", "name": "hostPath volumes mounted(Pod 'kube-scheduler-kind-control-plane' should not set 'spec.template.volumes.hostPath')", "references": [ @@ -131168,7 +131168,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-scheduler-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-scheduler-kind-control-plane", "mitigation": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", "name": "Default Seccomp profile not set(Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault')", "references": [ 
@@ -131197,7 +131197,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-scheduler-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-scheduler-kind-control-plane", "mitigation": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", "name": "Container capabilities must only include NET_BIND_SERVICE(container should drop all)", "references": [ @@ -131223,7 +131223,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": undefined, - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": undefined, "name": "tzdata - new timezone database", "references": [], @@ -131240,7 +131240,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": undefined, - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": undefined, "name": "tzdata - new timezone database", "references": [], @@ -131257,7 +131257,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": undefined, - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": undefined, "name": "tzdata - new timezone database", "references": [], 
@@ -131274,7 +131274,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": undefined, - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": undefined, "name": "tzdata - new timezone database", "references": [], @@ -131294,7 +131294,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Activate garbage collector on pod termination, as appropriate.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": "Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the Control Plane node and set the --terminated-pod-gc-threshold to an appropriate threshold.", "name": "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate(Ensure that the --terminated-pod-gc-threshold argument is set as appropriate)", "references": [ @@ -131323,7 +131323,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Disable profiling, if not needed.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": "Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the Control Plane node and set the below parameter.", "name": "Ensure that the --profiling argument is set to false(Ensure that the --profiling argument is set to false)", "references": [ 
@@ -131352,7 +131352,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Enable kubelet server certificate rotation on controller-manager.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": "Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml on the Control Plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true .", "name": "Ensure that the RotateKubeletServerCertificate argument is set to true(Ensure that the RotateKubeletServerCertificate argument is set to true)", "references": [ @@ -131381,7 +131381,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", "name": "Process can elevate its own privileges(Container 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'securityContext.allowPrivilegeEscalation' to false)", "references": [ 
@@ -131410,7 +131410,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": "Add 'ALL' to containers[].securityContext.capabilities.drop.", "name": "Default capabilities not dropped(Container 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should add 'ALL' to 'securityContext.capabilities.drop')", "references": [ @@ -131439,7 +131439,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": "Do not set 'spec.template.spec.hostNetwork' to true.", "name": "Access to host network(Pod 'kube-controller-manager-kind-control-plane' should not set 'spec.template.spec.hostNetwork' to true)", "references": [ 
@@ -131468,7 +131468,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": "Set a limit value under 'containers[].resources.limits.cpu'.", "name": "CPU not limited(Container 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'resources.limits.cpu')", "references": [ @@ -131497,7 +131497,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": "Set 'containers[].securityContext.runAsNonRoot' to true.", "name": "Runs as root user(Container 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'securityContext.runAsNonRoot' to true)", "references": [ 
@@ -131526,7 +131526,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", "name": "Root file system is not read-only(Container 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'securityContext.readOnlyRootFilesystem' to true)", "references": [ @@ -131555,7 +131555,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": "Set 'containers[].resources.requests.memory'.", "name": "Memory requests not specified(Container 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'resources.requests.memory')", "references": [ 
@@ -131584,7 +131584,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": "Set a limit value under 'containers[].resources.limits.memory'.", "name": "Memory not limited(Container 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'resources.limits.memory')", "references": [ @@ -131613,7 +131613,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": "Set 'containers[].securityContext.runAsUser' to an integer > 10000.", "name": "Runs with low user ID(Container 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'securityContext.runAsUser' > 10000)", "references": [ 
@@ -131642,7 +131642,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": "Set 'containers[].securityContext.runAsGroup' to an integer > 10000.", "name": "Runs with low group ID(Container 'kube-controller-manager' of Pod 'kube-controller-manager-kind-control-plane' should set 'securityContext.runAsGroup' > 10000)", "references": [ @@ -131671,7 +131671,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "HostPath volumes must be forbidden.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": "Do not set 'spec.volumes[*].hostPath'.", "name": "hostPath volumes mounted(Pod 'kube-controller-manager-kind-control-plane' should not set 'spec.template.volumes.hostPath')", "references": [ 
@@ -131700,7 +131700,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", "name": "Default Seccomp profile not set(Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault')", "references": [ @@ -131729,7 +131729,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'kube-controller-manager-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=kube-controller-manager-kind-control-plane", "mitigation": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", "name": "Container capabilities must only include NET_BIND_SERVICE(container should drop all)", "references": [ 
@@ -131763,7 +131763,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "It was found that apt-key in apt, all versions, do not correctly valid ...", "references": [ @@ -131820,7 +131820,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file. NOTE: this is unexploitable in GNU C Library environments, and possibly in all realistic environments.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "util-linux: integer overflow can lead to buffer overflow in get_sem_elements() in sys-utils/ipcutils.c", "references": [ 
@@ -131873,7 +131873,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline", "references": [ @@ -131929,7 +131929,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "coreutils: Non-privileged session can escape to the parent session in chroot", "references": [ 
@@ -131992,7 +131992,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "coreutils: race condition vulnerability in chown and chgrp", "references": [ @@ -132042,7 +132042,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "Dpkg::Source::Archive in dpkg, the Debian package management system, b ...", "references": [ 
@@ -132114,7 +132114,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "gcc: spilling of stack protection address in cfgexpand.c and function.c leads to stack-overflow protection bypass", "references": [ @@ -132166,7 +132166,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "gcc: POWER9 "DARN" RNG intrinsic produces repeated output", "references": [ 
@@ -132248,7 +132248,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "Signature spoofing via status line injection", "references": [ @@ -132374,7 +132374,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "gnupg2: OpenPGP Key Certification Forgeries with SHA-1", "references": [ @@ -132450,7 +132450,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "denial of service issue (resource consumption) using compressed packets", "references": [ 
@@ -132531,7 +132531,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "arbitrary-file-write vulnerability", "references": [ @@ -132647,7 +132647,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "iptables: --syn flag bypass", "references": [ 
@@ -132695,7 +132695,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "iptables: buffer overflow in iptables-restore", "references": [ @@ -132745,7 +132745,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "It was found that apt-key in apt, all versions, do not correctly valid ...", "references": [ @@ -132795,7 +132795,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": undefined, - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "bzip2 - bugfix update", "references": [], 
@@ -132825,7 +132825,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: mq_notify does not handle separately allocated thread attributes", "references": [ @@ -132911,7 +132911,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: Arbitrary read in wordexp()", "references": [ 
@@ -133006,7 +133006,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: Stack-based buffer overflow in svcunix_create via long pathnames", "references": [ @@ -133089,7 +133089,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: Stack-based buffer overflow in sunrpc clnt_create via a long pathname", "references": [ 
@@ -133172,7 +133172,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: array overflow in backtrace functions for powerpc", "references": [ @@ -133259,7 +133259,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: use-after-free in glob() function when expanding ~user", "references": [ 
@@ -133361,7 +133361,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: signed comparison vulnerability in the ARMv7 memcpy function", "references": [ @@ -133462,7 +133462,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: Assertion failure in ISO-2022-JP-3 gconv module related to combining characters", "references": [ 
@@ -133573,7 +133573,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: Off-by-one buffer overflow/underflow in getcwd()", "references": [ @@ -133677,7 +133677,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: iconv program can hang when invoked with the -c option", "references": [ 
@@ -133793,7 +133793,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding", "references": [ @@ -133933,7 +133933,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl functions", "references": [ 
@@ -134039,7 +134039,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability from CVE-2016-10228.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: iconv when processing invalid multi-byte input sequences fails to advance the input state, which could result in an infinite loop", "references": [ @@ -134130,7 +134130,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions", "references": [ 
@@ -134193,7 +134193,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", "references": [ @@ -134255,7 +134255,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: stack guard protection bypass", "references": [ 
@@ -134314,7 +134314,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: running ldd on malicious ELF leads to code execution because of wrong size computation", "references": [ @@ -134378,7 +134378,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: ASLR bypass using cache of thread stack and heap", "references": [ 
@@ -134445,7 +134445,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: information disclosure of heap addresses of pthread_created thread", "references": [ @@ -134513,7 +134513,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries", "references": [ 
@@ -134593,7 +134593,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", "references": [ @@ -134648,7 +134648,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: Use-after-free in addgetnetgrentX function in netgroupcache.c", "references": [ 
@@ -134731,7 +134731,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: mq_notify does not handle separately allocated thread attributes", "references": [ @@ -134817,7 +134817,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: Arbitrary read in wordexp()", "references": [ 
@@ -134912,7 +134912,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: Stack-based buffer overflow in svcunix_create via long pathnames", "references": [ @@ -134995,7 +134995,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: Stack-based buffer overflow in sunrpc clnt_create via a long pathname", "references": [ 
@@ -135078,7 +135078,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: array overflow in backtrace functions for powerpc", "references": [ @@ -135165,7 +135165,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: use-after-free in glob() function when expanding ~user", "references": [ 
@@ -135267,7 +135267,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: signed comparison vulnerability in the ARMv7 memcpy function", "references": [ @@ -135368,7 +135368,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: Assertion failure in ISO-2022-JP-3 gconv module related to combining characters", "references": [ 
@@ -135479,7 +135479,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: Off-by-one buffer overflow/underflow in getcwd()", "references": [ @@ -135583,7 +135583,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: iconv program can hang when invoked with the -c option", "references": [ 
@@ -135699,7 +135699,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding", "references": [ @@ -135839,7 +135839,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl functions", "references": [ 
@@ -135945,7 +135945,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability from CVE-2016-10228.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: iconv when processing invalid multi-byte input sequences fails to advance the input state, which could result in an infinite loop", "references": [ @@ -136036,7 +136036,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions", "references": [ 
@@ -136099,7 +136099,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", "references": [ @@ -136161,7 +136161,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: stack guard protection bypass", "references": [ 
@@ -136220,7 +136220,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: running ldd on malicious ELF leads to code execution because of wrong size computation", "references": [ @@ -136284,7 +136284,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: ASLR bypass using cache of thread stack and heap", "references": [ 
@@ -136351,7 +136351,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: information disclosure of heap addresses of pthread_created thread", "references": [ @@ -136419,7 +136419,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries", "references": [ 
@@ -136499,7 +136499,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", "references": [ @@ -136554,7 +136554,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "glibc: Use-after-free in addgetnetgrentX function in netgroupcache.c", "references": [ @@ -136650,7 +136650,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "sqlite: heap out-of-bound read in function rtreenode()", "references": [ 
@@ -136778,7 +136778,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "gcc: spilling of stack protection address in cfgexpand.c and function.c leads to stack-overflow protection bypass", "references": [ @@ -136830,7 +136830,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "gcc: POWER9 "DARN" RNG intrinsic produces repeated output", "references": [ 
@@ -136912,7 +136912,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "libgcrypt: mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm", "references": [ @@ -137049,7 +137049,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "libgcrypt: ECDSA timing attack allowing private key leak", "references": [ 
@@ -137179,7 +137179,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "ElGamal implementation allows plaintext recovery", "references": [ @@ -137285,7 +137285,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "libgcrypt: ElGamal implementation doesn't have semantic security due to incorrectly encoded plaintexts possibly allowing to obtain sensitive information", "references": [ 
@@ -137349,7 +137349,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "Integer overflow and resultant buffer overflow via crafted input", "references": [ @@ -137454,7 +137454,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "gnutls: Use after free in client key_share extension", "references": [ @@ -137627,7 +137627,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "gnutls: Use after free in client_send_params in lib/ext/pre_shared_key.c", "references": [ 
@@ -137786,7 +137786,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An issue was discovered in GnuTLS before 3.6.15. A server can trigger a NULL pointer dereference in a TLS 1.3 client if a no_renegotiation alert is sent with unexpected timing, and then an invalid second handshake occurs. The crash happens in the application's error handling path, where the gnutls_deinit function is called after detecting a handshake failure.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "gnutls: Heap buffer overflow in handshake with no_renegotiation alert sent", "references": [ @@ -137894,7 +137894,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A vulnerability found in gnutls. This security flaw happens because of a double free error occurs during verification of pkcs7 signatures in gnutls_pkcs7_verify function.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "Double free during gnutls_pkcs7_verify", "references": [ 
@@ -138022,7 +138022,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "timing side-channel in the TLS RSA key exchange code", "references": [ @@ -138140,7 +138140,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A NULL pointer dereference flaw was found in GnuTLS. As Nettle's hash update functions internally call memcpy, providing zero-length input may cause undefined behavior. This flaw leads to a denial of service after authentication in rare circumstances.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "GnuTLS: Null pointer dereference in MD_UPDATE", "references": [ 
@@ -138304,7 +138304,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)", "references": [ @@ -138729,7 +138729,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalers, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "nettle: Out of bounds memory access in signature verification", "references": [ 
@@ -138828,7 +138828,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "nettle: Remote crash in RSA decryption via manipulated ciphertext", "references": [ @@ -138945,7 +138945,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specifi ...", "references": [ 
@@ -139029,7 +139029,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "iptables: --syn flag bypass", "references": [ @@ -139077,7 +139077,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "iptables: buffer overflow in iptables-restore", "references": [ @@ -139125,7 +139125,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "iptables: --syn flag bypass", "references": [ 
@@ -139173,7 +139173,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "iptables: buffer overflow in iptables-restore", "references": [ @@ -139232,7 +139232,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "memory corruption due to an integer overflow bug caused by memmove argument", "references": [ 
@@ -139341,7 +139341,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "lz4: heap-based buffer overflow in LZ4_write32", "references": [ @@ -139474,7 +139474,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "arbitrary-file-write vulnerability", "references": [ 
@@ -139599,7 +139599,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalers, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "nettle: Out of bounds memory access in signature verification", "references": [ @@ -139698,7 +139698,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "nettle: Remote crash in RSA decryption via manipulated ciphertext", "references": [ @@ -139823,7 +139823,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "pcre: Integer overflow when parsing callout numeric arguments", "references": [ 
@@ -139943,7 +139943,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "pcre: OP_KETRMAX feature in the match function in pcre_exec.c", "references": [ @@ -140013,7 +140013,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "pcre: self-recursive call in match() in pcre_exec.c leads to denial of service", "references": [ @@ -140087,7 +140087,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "pcre: stack-based buffer overflow write in pcre32_copy_substring", "references": [ 
@@ -140145,7 +140145,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "pcre: stack-based buffer overflow write in pcre32_copy_substring", "references": [ @@ -140215,7 +140215,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \\X or \\R has more than one fixed quantifier, a related issue to CVE-2019-20454.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "pcre: Buffer over-read in JIT when UTF is disabled and \\X or \\R has fixed quantifier greater than 1", "references": [ @@ -140332,7 +140332,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "libseccomp before 2.4.0 did not correctly generate 64-bit syscall argument comparisons using the arithmetic operators (LT, GT, LE, GE), which might able to lead to bypassing seccomp filters and potential privilege escalations.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "libseccomp: incorrect generation of syscall filters in libseccomp", "references": [ 
@@ -140447,7 +140447,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __cil_verify_classpermission and __cil_pre_verify_helper).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "libsepol: use-after-free in __cil_verify_classperms()", "references": [ @@ -140570,7 +140570,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __verify_map_perm_classperms and hashtab_map).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "libsepol: use-after-free in __cil_verify_classperms()", "references": [ @@ -140693,7 +140693,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "use-after-free in cil_reset_classpermission()", "references": [ 
@@ -140817,7 +140817,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called indirectly from cil_check_neverallow). This occurs because there is sometimes a lack of checks for invalid statements in an optional block.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "libsepol: heap-based buffer overflow in ebitmap_match_any()", "references": [ 
@@ -140947,7 +140947,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "openssl: SM2 Decryption Buffer Overflow", "references": [ 
@@ -141099,7 +141099,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "c_rehash script allows command injection", "references": [ 
@@ -141301,7 +141301,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "the c_rehash script allows command injection", "references": [ 
@@ -141477,7 +141477,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "openssl: integer overflow in CipherUpdate", "references": [ 
@@ -141650,7 +141650,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. 
If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "openssl: Read buffer overruns processing ASN.1 strings", "references": [ 
@@ -141852,7 +141852,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). 
Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates", "references": [ 
@@ -142093,7 +142093,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "double free after calling PEM_read_bio_ex", "references": [ 
@@ -142382,7 +142382,7 @@ The OpenSSL cms and smime command line applications are similarly affected. ", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "use-after-free following BIO_new_NDEF", "references": [ @@ -142662,7 +142662,7 @@ The OpenSSL cms and smime command line applications are similarly affected. }, "category": "Vulnerability", "description": "There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "X.400 address type confusion in X.509 GeneralName", "references": [ 
@@ -142921,7 +142921,7 @@ exponential use of computational resources, leading to a denial-of-service Policy processing is disabled by default but can be enabled by passing the \`-policy' argument to the command line utilities or by calling the \`X509_VERIFY_PARAM_set1_policies()' function.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "Denial of service by excessive resource usage in verifying X509 policy constraints", "references": [ @@ -143065,7 +143065,7 @@ such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "Possible DoS translating ASN.1 object identifiers", "references": [ 
@@ -143189,7 +143189,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64", "references": [ 
@@ -143378,7 +143378,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "openssl: NULL pointer dereference in X509_issuer_and_serial_hash()", "references": [ 
@@ -143576,7 +143576,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "openssl: NULL pointer dereference in signature_algorithms processing", "references": [ 
@@ -143767,7 +143767,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.0. It was addressed in the releases of 1.1.1m and 3.0.1 on the 15th of December 2021. For the 1.0.2 release it is addressed in git commit 6fc1aaaf3 that is available to premium support customers only. It will be made available in 1.0.2zc when it is released. The issue only affects OpenSSL on MIPS platforms. Fixed in OpenSSL 3.0.1 (Affected 3.0.0). Fixed in OpenSSL 1.1.1m (Affected 1.1.1-1.1.1l). Fixed in OpenSSL 1.0.2zc-dev (Affected 1.0.2-1.0.2zb).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "openssl: Carry propagation bug in the MIPS32 and MIPS64 squaring procedure", "references": [ 
@@ -143873,7 +143873,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "AES OCB fails to encrypt some bytes", "references": [ 
@@ -144080,7 +144080,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "timing attack in RSA Decryption implementation", "references": [ @@ -144304,7 +144304,7 @@ in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the \`-policy' argument to the command line utilities or by calling the \`X509_VERIFY_PARAM_set1_policies()' function.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "Invalid certificate policies in leaf certificates are silently ignored", "references": [ 
@@ -144418,7 +144418,7 @@ the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "Certificate policy check not enabled", "references": [ @@ -144512,7 +144512,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain "skeleton key" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "Dual_EC_DRBG: weak pseudo random number generator", "references": [ 
@@ -144588,7 +144588,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "openssl: RSA authentication weakness", "references": [ @@ -144652,7 +144652,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "gcc: spilling of stack protection address in cfgexpand.c and function.c leads to stack-overflow protection bypass", "references": [ 
@@ -144704,7 +144704,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "gcc: POWER9 "DARN" RNG intrinsic produces repeated output", "references": [ @@ -144778,7 +144778,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "systemd: services with DynamicUser can create SUID/SGID binaries", "references": [ 
@@ -144874,7 +144874,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "systemd: services with DynamicUser can get new privileges and create SGID binaries", "references": [ @@ -144959,7 +144959,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in which the "systemctl status" command may be executed. Specifically, systemd does not set LESSSECURE to 1, and thus other programs may be launched from the less program. This presents a substantial security risk when running systemctl from Sudo, because less executes as root when the terminal size is too small to show the complete systemctl output.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "privilege escalation via the less pager", "references": [ 
@@ -145049,7 +145049,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 has a Memory Allocation with an Excessive Size Value (involving strdupa and alloca for a pathname controlled by a local attacker) that results in an operating system crash.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "systemd: uncontrolled allocation on the stack in function unit_name_path_escape leads to crash", "references": [ @@ -145189,7 +145189,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in systemd. An uncontrolled recursion in systemd-tmpfiles may lead to a denial of service at boot time when too many nested directories are created in /tmp.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "systemd: Uncontrolled recursion in systemd-tmpfiles when removing files", "references": [ @@ -145265,7 +145265,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "buffer overrun in format_timespan() function", "references": [ 
@@ -145373,7 +145373,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "systemd: local information leak due to systemd-coredump not respecting fs.suid_dumpable kernel setting", "references": [ @@ -145470,7 +145470,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "TOCTOU race condition when updating file permissions and SELinux security contexts", "references": [ @@ -145529,7 +145529,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "systemd: memory leak in button_open() in login/logind-button.c when udev events are received", "references": [ 
@@ -145615,7 +145615,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "systemd: DHCP FORCERENEW authentication not implemented can cause a system running the DHCP client to have its network reconfigured", "references": [ @@ -145701,7 +145701,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "An issue was discovered in systemd 253. An attacker can modify a seale ...", "references": [ 
@@ -145739,7 +145739,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "An issue was discovered in systemd 253. An attacker can truncate a sea ...", "references": [ @@ -145777,7 +145777,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "An issue was discovered in systemd 253. An attacker can modify the con ...", "references": [ @@ -145833,7 +145833,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "libtasn1: Out-of-bound access in ETYPE_OK", "references": [ 
@@ -145950,7 +145950,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion", "references": [ @@ -146028,7 +146028,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "systemd: services with DynamicUser can create SUID/SGID binaries", "references": [ 
@@ -146124,7 +146124,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "systemd: services with DynamicUser can get new privileges and create SGID binaries", "references": [ @@ -146209,7 +146209,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in which the "systemctl status" command may be executed. Specifically, systemd does not set LESSSECURE to 1, and thus other programs may be launched from the less program. This presents a substantial security risk when running systemctl from Sudo, because less executes as root when the terminal size is too small to show the complete systemctl output.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "privilege escalation via the less pager", "references": [ 
@@ -146299,7 +146299,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 has a Memory Allocation with an Excessive Size Value (involving strdupa and alloca for a pathname controlled by a local attacker) that results in an operating system crash.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "systemd: uncontrolled allocation on the stack in function unit_name_path_escape leads to crash", "references": [ @@ -146439,7 +146439,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in systemd. An uncontrolled recursion in systemd-tmpfiles may lead to a denial of service at boot time when too many nested directories are created in /tmp.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "systemd: Uncontrolled recursion in systemd-tmpfiles when removing files", "references": [ @@ -146515,7 +146515,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "buffer overrun in format_timespan() function", "references": [ 
@@ -146623,7 +146623,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "systemd: local information leak due to systemd-coredump not respecting fs.suid_dumpable kernel setting", "references": [ @@ -146720,7 +146720,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "TOCTOU race condition when updating file permissions and SELinux security contexts", "references": [ @@ -146779,7 +146779,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "systemd: memory leak in button_open() in login/logind-button.c when udev events are received", "references": [ 
@@ -146865,7 +146865,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "systemd: DHCP FORCERENEW authentication not implemented can cause a system running the DHCP client to have its network reconfigured", "references": [ @@ -146951,7 +146951,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "An issue was discovered in systemd 253. An attacker can modify a seale ...", "references": [ 
@@ -146989,7 +146989,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "An issue was discovered in systemd 253. An attacker can truncate a sea ...", "references": [ @@ -147027,7 +147027,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "An issue was discovered in systemd 253. An attacker can modify the con ...", "references": [ 
@@ -147067,7 +147067,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "iptables: --syn flag bypass", "references": [ @@ -147115,7 +147115,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "iptables: buffer overflow in iptables-restore", "references": [ @@ -147167,7 +147167,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "zstd: adds read permissions to files while being compressed or uncompressed", "references": [ 
@@ -147235,7 +147235,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "zstd: Race condition allows attacker to access world-readable destination file", "references": [ @@ -147300,7 +147300,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "initscripts in rPath Linux 1 sets insecure permissions for the /var/lo ...", "references": [ @@ -147361,7 +147361,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "shadow-utils: TOCTOU race conditions by copying and removing directory trees", "references": [ 
@@ -147448,7 +147448,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege escalation", "references": [ 
@@ -147512,7 +147512,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "shadow-utils: local users can obtain root access because setuid programs are misconfigured", "references": [ 
@@ -147579,7 +147579,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "Improper input validation in shadow-utils package utility chfn", "references": [ @@ -147640,7 +147640,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "initscripts in rPath Linux 1 sets insecure permissions for the /var/lo ...", "references": [ 
@@ -147701,7 +147701,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "shadow-utils: TOCTOU race conditions by copying and removing directory trees", "references": [ @@ -147788,7 +147788,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege escalation", "references": [ 
@@ -147852,7 +147852,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "shadow-utils: local users can obtain root access because setuid programs are misconfigured", "references": [ 
@@ -147919,7 +147919,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "Improper input validation in shadow-utils package utility chfn", "references": [ @@ -147985,7 +147985,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "CPAN 2.28 allows Signature Verification Bypass.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "perl-CPAN: Bypass of verification of signatures in CHECKSUMS files", "references": [ 
@@ -148064,7 +148064,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "CPAN.pm before 2.35 does not verify TLS certificates when downloading ...", "references": [ @@ -148143,7 +148143,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "_is_safe in the File::Temp module for Perl does not properly handle symlinks.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "perl: File::Temp insecure temporary file handling", "references": [ @@ -148208,7 +148208,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available ...", "references": [ 
@@ -148276,7 +148276,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "tar: does not properly warn the user when extracting setuid or setgid files", "references": [ @@ -148330,7 +148330,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "tar: null-pointer dereference in pax_decode_header in sparse.c", "references": [ @@ -148406,7 +148406,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption of memory. The highest threat from this vulnerability is to system availability.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "tar: Memory leak in read_header() in list.c", "references": [ 
@@ -148482,7 +148482,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "heap buffer overflow at from_header() in list.c via specially crafted checksum", "references": [ @@ -148616,7 +148616,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field", "references": [ @@ -148858,7 +148858,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "A flaw found in zlib when compressing (not decompressing) certain inputs", "references": [ 
@@ -149082,7 +149082,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation", "references": [ @@ -149171,7 +149171,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "golang: crypto/ssh: crafted authentication request can lead to nil pointer dereference", "references": [ @@ -149259,7 +149259,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "golang.org/x/crypto: empty plaintext packet causes panic", "references": [ 
@@ -149352,7 +149352,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "crash in a golang.org/x/crypto/ssh server", "references": [ @@ -149523,7 +149523,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "golang: x/net/html: infinite loop in ParseFragment", "references": [ @@ -149614,7 +149614,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "golang: net/http: limit growth of header canonicalization cache", "references": [ 
@@ -149768,7 +149768,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "handle server errors after sending GOAWAY", "references": [ @@ -150010,7 +150010,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "avoid quadratic complexity in HPACK decoding", "references": [ @@ -150107,7 +150107,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header", "references": [ 
@@ -150206,7 +150206,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "excessive memory growth in a Go server accepting HTTP/2 requests", "references": [ @@ -150331,7 +150331,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "faccessat checks wrong group", "references": [ @@ -150454,7 +150454,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "out-of-bounds read in golang.org/x/text/language leads to DoS", "references": [ 
@@ -150539,7 +150539,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": undefined, "name": "ParseAcceptLanguage takes a long time to parse complex tags", "references": [ @@ -150620,7 +150620,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", "name": "Process can elevate its own privileges(Container 'kindnet-cni' of DaemonSet 'kindnet' should set 'securityContext.allowPrivilegeEscalation' to false)", "references": [ @@ -150649,7 +150649,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": "Add 'ALL' to containers[].securityContext.capabilities.drop.", "name": "Default capabilities not dropped(Container 'kindnet-cni' of DaemonSet 'kindnet' should add 'ALL' to 'securityContext.capabilities.drop')", "references": [ 
@@ -150678,7 +150678,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": "Do not set 'spec.template.spec.hostNetwork' to true.", "name": "Access to host network(DaemonSet 'kindnet' should not set 'spec.template.spec.hostNetwork' to true)", "references": [ @@ -150707,7 +150707,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": "Set 'containers[].securityContext.runAsNonRoot' to true.", "name": "Runs as root user(Container 'kindnet-cni' of DaemonSet 'kindnet' should set 'securityContext.runAsNonRoot' to true)", "references": [ @@ -150736,7 +150736,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", "name": "Root file system is not read-only(Container 'kindnet-cni' of DaemonSet 'kindnet' should set 'securityContext.readOnlyRootFilesystem' to true)", "references": [ 
@@ -150765,7 +150765,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": "Set 'containers[].securityContext.runAsUser' to an integer > 10000.", "name": "Runs with low user ID(Container 'kindnet-cni' of DaemonSet 'kindnet' should set 'securityContext.runAsUser' > 10000)", "references": [ @@ -150794,7 +150794,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": "Set 'containers[].securityContext.runAsGroup' to an integer > 10000.", "name": "Runs with low group ID(Container 'kindnet-cni' of DaemonSet 'kindnet' should set 'securityContext.runAsGroup' > 10000)", "references": [ @@ -150823,7 +150823,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Adding NET_RAW or capabilities beyond the default set must be disallowed.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": "Do not set spec.containers[*].securityContext.capabilities.add and spec.initContainers[*].securityContext.capabilities.add", "name": "Non-default capabilities added(Container 'kindnet-cni' of DaemonSet 'kindnet' should not set 'securityContext.capabilities.add')", "references": [ 
@@ -150852,7 +150852,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "HostPath volumes must be forbidden.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": "Do not set 'spec.volumes[*].hostPath'.", "name": "hostPath volumes mounted(DaemonSet 'kindnet' should not set 'spec.template.volumes.hostPath')", "references": [ @@ -150881,7 +150881,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", "name": "Default Seccomp profile not set(Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault')", "references": [ @@ -150910,7 +150910,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kindnet'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kindnet", "mitigation": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", "name": "Container capabilities must only include NET_BIND_SERVICE(container should drop all)", "references": [ 
@@ -150938,7 +150938,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Storing sensitive content such as usernames and email addresses in configMaps is unsafe", - "location": "Namespace: 'kube-system' / Kind: 'ConfigMap' / Name: 'extension-apiserver-authentication'", + "location": "scb://trivy/?Namespace=kube-system&Kind=ConfigMap&Name=extension-apiserver-authentication", "mitigation": "Remove sensitive content from configMap data value", "name": "ConfigMap with sensitive content(ConfigMap 'extension-apiserver-authentication' in 'kube-system' namespace stores sensitive contents in key(s) or value(s) '{"requestheader-username-headers"}')", "references": [ @@ -151026,7 +151026,7 @@ such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-dnnfb'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-dnnfb", "mitigation": undefined, "name": "Possible DoS translating ASN.1 object identifiers", "references": [ @@ -151182,7 +151182,7 @@ such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-dnnfb'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-dnnfb", "mitigation": undefined, "name": "Possible DoS translating ASN.1 object identifiers", "references": [ 
@@ -151285,7 +151285,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-dnnfb'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-dnnfb", "mitigation": undefined, "name": "aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto SDK for golang", "references": [ 
@@ -151368,7 +151368,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-dnnfb'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-dnnfb", "mitigation": undefined, "name": "aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto SDK for golang", "references": [ @@ -151446,7 +151446,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-dnnfb'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-dnnfb", "mitigation": undefined, "name": "crash when attempting to deserialize invalid input", "references": [ 
@@ -151499,7 +151499,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-dnnfb'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-dnnfb", "mitigation": "Set a limit value under 'containers[].resources.limits.cpu'.", "name": "CPU not limited(Container 'trivy' of Job 'scan-trivy-k8s-dnnfb' should set 'resources.limits.cpu')", "references": [ @@ -151528,7 +151528,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-dnnfb'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-dnnfb", "mitigation": "Set 'containers[].securityContext.runAsNonRoot' to true.", "name": "Runs as root user(Container 'trivy' of Job 'scan-trivy-k8s-dnnfb' should set 'securityContext.runAsNonRoot' to true)", "references": [ @@ -151557,7 +151557,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-dnnfb'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-dnnfb", "mitigation": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", "name": "Root file system is not read-only(Container 'trivy' of Job 'scan-trivy-k8s-dnnfb' should set 'securityContext.readOnlyRootFilesystem' to true)", "references": [ 
@@ -151586,7 +151586,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-dnnfb'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-dnnfb", "mitigation": "Set 'containers[].resources.requests.cpu'.", "name": "CPU requests not specified(Container 'trivy' of Job 'scan-trivy-k8s-dnnfb' should set 'resources.requests.cpu')", "references": [ @@ -151615,7 +151615,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-dnnfb'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-dnnfb", "mitigation": "Set 'containers[].resources.requests.memory'.", "name": "Memory requests not specified(Container 'trivy' of Job 'scan-trivy-k8s-dnnfb' should set 'resources.requests.memory')", "references": [ @@ -151644,7 +151644,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-dnnfb'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-dnnfb", "mitigation": "Set a limit value under 'containers[].resources.limits.memory'.", "name": "Memory not limited(Container 'trivy' of Job 'scan-trivy-k8s-dnnfb' should set 'resources.limits.memory')", "references": [ 
@@ -151673,7 +151673,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-dnnfb'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-dnnfb", "mitigation": "Set 'containers[].securityContext.runAsUser' to an integer > 10000.", "name": "Runs with low user ID(Container 'lurker' of Job 'scan-trivy-k8s-dnnfb' should set 'securityContext.runAsUser' > 10000)", "references": [ @@ -151702,7 +151702,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-dnnfb'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-dnnfb", "mitigation": "Set 'containers[].securityContext.runAsUser' to an integer > 10000.", "name": "Runs with low user ID(Container 'trivy' of Job 'scan-trivy-k8s-dnnfb' should set 'securityContext.runAsUser' > 10000)", "references": [ @@ -151731,7 +151731,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-dnnfb'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-dnnfb", "mitigation": "Set 'containers[].securityContext.runAsGroup' to an integer > 10000.", "name": "Runs with low group ID(Container 'lurker' of Job 'scan-trivy-k8s-dnnfb' should set 'securityContext.runAsGroup' > 10000)", "references": [ 
@@ -151760,7 +151760,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-dnnfb'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-dnnfb", "mitigation": "Set 'containers[].securityContext.runAsGroup' to an integer > 10000.", "name": "Runs with low group ID(Container 'trivy' of Job 'scan-trivy-k8s-dnnfb' should set 'securityContext.runAsGroup' > 10000)", "references": [ @@ -151789,7 +151789,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-dnnfb'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-dnnfb", "mitigation": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", "name": "Default Seccomp profile not set(Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault')", "references": [ 
@@ -151818,7 +151818,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-dnnfb'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-dnnfb", "mitigation": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", "name": "Default Seccomp profile not set(Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault')", "references": [ @@ -151847,7 +151847,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-dnnfb'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-dnnfb", "mitigation": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", "name": "Container capabilities must only include NET_BIND_SERVICE(container should drop all)", "references": [ 
@@ -151876,7 +151876,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "location": "Namespace: 'integration-tests' / Kind: 'Job' / Name: 'scan-trivy-k8s-dnnfb'", + "location": "scb://trivy/?Namespace=integration-tests&Kind=Job&Name=scan-trivy-k8s-dnnfb", "mitigation": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", "name": "Container capabilities must only include NET_BIND_SERVICE(container should drop all)", "references": [ @@ -151905,7 +151905,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", - "location": "Namespace: 'kube-public' / Kind: 'Role' / Name: 'system:controller:bootstrap-signer'", + "location": "scb://trivy/?Namespace=kube-public&Kind=Role&Name=system:controller:bootstrap-signer", "mitigation": "Remove write permission verbs for resource 'configmaps'", "name": "Do not allow management of configmaps(Role 'system:controller:bootstrap-signer' should not have access to resource 'configmaps' for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ 
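Review bot: The new `location` values appear to carry resource names unescaped. In the hunk for Role `system:controller:bootstrap-signer`, and in the following `system::leader-locking-…` hunks, the `:` stays literal, whereas per-value `encodeURIComponent` or `URLSearchParams` would have emitted `%3A`. The parser source is not part of this snapshot, so this is inferred, but it suggests the query string is built by plain concatenation. If so, a value containing `&`, `=`, `#` or a space would produce a location that splits into different parameters or is not a valid URI, and any consumer that parses it would mis-attribute or drop the finding. I would build the query with `new URLSearchParams({ Namespace, Kind, Name }).toString()`, skipping absent keys, and add a snapshot case whose name contains a reserved character so the encoding is pinned by a test.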
@@ -151934,7 +151934,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", - "location": "Namespace: 'kube-system' / Kind: 'Role' / Name: 'system::leader-locking-kube-controller-manager'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Role&Name=system::leader-locking-kube-controller-manager", "mitigation": "Remove write permission verbs for resource 'configmaps'", "name": "Do not allow management of configmaps(Role 'system::leader-locking-kube-controller-manager' should not have access to resource 'configmaps' for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -151963,7 +151963,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", - "location": "Namespace: 'kube-system' / Kind: 'Role' / Name: 'system::leader-locking-kube-scheduler'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Role&Name=system::leader-locking-kube-scheduler", "mitigation": "Remove write permission verbs for resource 'configmaps'", "name": "Do not allow management of configmaps(Role 'system::leader-locking-kube-scheduler' should not have access to resource 'configmaps' for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ 
@@ -151992,7 +151992,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits managing secrets", - "location": "Namespace: 'kube-system' / Kind: 'Role' / Name: 'system:controller:bootstrap-signer'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Role&Name=system:controller:bootstrap-signer", "mitigation": "Create a role which does not permit to manage secrets if not needed", "name": "Do not allow management of secrets(Role permits management of secret(s))", "references": [ @@ -152021,7 +152021,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", - "location": "Namespace: 'kube-system' / Kind: 'Role' / Name: 'system:controller:cloud-provider'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Role&Name=system:controller:cloud-provider", "mitigation": "Remove write permission verbs for resource 'configmaps'", "name": "Do not allow management of configmaps(Role 'system:controller:cloud-provider' should not have access to resource 'configmaps' for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -152050,7 +152050,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits managing secrets", - "location": "Namespace: 'kube-system' / Kind: 'Role' / Name: 'system:controller:token-cleaner'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Role&Name=system:controller:token-cleaner", "mitigation": "Create a role which does not permit to manage secrets if not needed", "name": "Do not allow management of secrets(Role permits management of secret(s))", "references": [ 
@@ -152079,7 +152079,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits managing secrets", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Role' / Name: 'kubernetes-dashboard'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Role&Name=kubernetes-dashboard", "mitigation": "Create a role which does not permit to manage secrets if not needed", "name": "Do not allow management of secrets(Role permits management of secret(s))", "references": [ @@ -152108,7 +152108,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", - "location": "Namespace: 'kubernetes-dashboard' / Kind: 'Role' / Name: 'kubernetes-dashboard'", + "location": "scb://trivy/?Namespace=kubernetes-dashboard&Kind=Role&Name=kubernetes-dashboard", "mitigation": "Remove write permission verbs for resource 'configmaps'", "name": "Do not allow management of configmaps(Role 'kubernetes-dashboard' should not have access to resource 'configmaps' for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ 
@@ -152137,7 +152137,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", - "location": "Namespace: 'securecodebox-system' / Kind: 'Role' / Name: 'leader-election-role'", + "location": "scb://trivy/?Namespace=securecodebox-system&Kind=Role&Name=leader-election-role", "mitigation": "Remove write permission verbs for resource 'configmaps'", "name": "Do not allow management of configmaps(Role 'leader-election-role' should not have access to resource 'configmaps' for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -152166,7 +152166,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits wildcard verb on wildcard resource", - "location": "Kind: 'ClusterRole' / Name: 'cluster-admin'", + "location": "scb://trivy/?Kind=ClusterRole&Name=cluster-admin", "mitigation": "Create a role which does not permit wildcard verb on wildcard resource", "name": "No wildcard verb and resource roles(Role permits wildcard verb on wildcard resource)", "references": [ @@ -152195,7 +152195,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits specific verb on wildcard resources", - "location": "Kind: 'ClusterRole' / Name: 'cluster-admin'", + "location": "scb://trivy/?Kind=ClusterRole&Name=cluster-admin", "mitigation": "Create a role which does not permit specific verb on wildcard resources", "name": "No wildcard resource roles(Role permits specific verb on wildcard resource)", "references": [ 
@@ -152224,7 +152224,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits managing secrets", - "location": "Kind: 'ClusterRole' / Name: 'admin'", + "location": "scb://trivy/?Kind=ClusterRole&Name=admin", "mitigation": "Create a role which does not permit to manage secrets if not needed", "name": "Do not allow management of secrets(Role permits management of secret(s))", "references": [ @@ -152253,7 +152253,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits managing secrets", - "location": "Kind: 'ClusterRole' / Name: 'admin'", + "location": "scb://trivy/?Kind=ClusterRole&Name=admin", "mitigation": "Create a role which does not permit to manage secrets if not needed", "name": "Do not allow management of secrets(Role permits management of secret(s))", "references": [ @@ -152282,7 +152282,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'admin'", + "location": "scb://trivy/?Kind=ClusterRole&Name=admin", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ @@ -152311,7 +152311,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'admin'", + "location": "scb://trivy/?Kind=ClusterRole&Name=admin", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ 
@@ -152340,7 +152340,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'admin'", + "location": "scb://trivy/?Kind=ClusterRole&Name=admin", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ @@ -152369,7 +152369,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'admin'", + "location": "scb://trivy/?Kind=ClusterRole&Name=admin", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ @@ -152398,7 +152398,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", - "location": "Kind: 'ClusterRole' / Name: 'admin'", + "location": "scb://trivy/?Kind=ClusterRole&Name=admin", "mitigation": "Remove write permission verbs for resource 'configmaps'", "name": "Do not allow management of configmaps(ClusterRole 'admin' should not have access to resource 'configmaps' for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ 
@@ -152427,7 +152427,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "An effective level of access equivalent to cluster-admin should not be provided.", - "location": "Kind: 'ClusterRole' / Name: 'admin'", + "location": "scb://trivy/?Kind=ClusterRole&Name=admin", "mitigation": "Remove write permission verbs for resource 'roles' and 'rolebindings'", "name": "Do not allow management of RBAC resources(ClusterRole 'admin' should not have access to resources ["roles", "rolebindings"] for verbs ["create", "update", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -152456,7 +152456,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'admin'", + "location": "scb://trivy/?Kind=ClusterRole&Name=admin", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'admin' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ 
@@ -152485,7 +152485,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'admin'", + "location": "scb://trivy/?Kind=ClusterRole&Name=admin", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'admin' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -152514,7 +152514,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'admin'", + "location": "scb://trivy/?Kind=ClusterRole&Name=admin", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'admin' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ 
@@ -152543,7 +152543,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits managing secrets", - "location": "Kind: 'ClusterRole' / Name: 'edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=edit", "mitigation": "Create a role which does not permit to manage secrets if not needed", "name": "Do not allow management of secrets(Role permits management of secret(s))", "references": [ @@ -152572,7 +152572,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits managing secrets", - "location": "Kind: 'ClusterRole' / Name: 'edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=edit", "mitigation": "Create a role which does not permit to manage secrets if not needed", "name": "Do not allow management of secrets(Role permits management of secret(s))", "references": [ @@ -152601,7 +152601,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=edit", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ @@ -152630,7 +152630,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=edit", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ 
@@ -152659,7 +152659,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=edit", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ @@ -152688,7 +152688,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=edit", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ @@ -152717,7 +152717,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", - "location": "Kind: 'ClusterRole' / Name: 'edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=edit", "mitigation": "Remove write permission verbs for resource 'configmaps'", "name": "Do not allow management of configmaps(ClusterRole 'edit' should not have access to resource 'configmaps' for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ 
@@ -152746,7 +152746,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=edit", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'edit' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -152775,7 +152775,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=edit", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'edit' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ 
@@ -152804,7 +152804,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=edit", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'edit' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -152833,7 +152833,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits wildcard verb on specific resources", - "location": "Kind: 'ClusterRole' / Name: 'local-path-provisioner-role'", + "location": "scb://trivy/?Kind=ClusterRole&Name=local-path-provisioner-role", "mitigation": "Create a role which does not permit wildcard verb on specific resources", "name": "No wildcard verb roles(Role permits wildcard verb on specific resources)", "references": [ 
@@ -152862,7 +152862,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'local-path-provisioner-role'", + "location": "scb://trivy/?Kind=ClusterRole&Name=local-path-provisioner-role", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'local-path-provisioner-role' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -152891,7 +152891,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'manager-role'", + "location": "scb://trivy/?Kind=ClusterRole&Name=manager-role", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ 
@@ -152920,7 +152920,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "An effective level of access equivalent to cluster-admin should not be provided.", - "location": "Kind: 'ClusterRole' / Name: 'manager-role'", + "location": "scb://trivy/?Kind=ClusterRole&Name=manager-role", "mitigation": "Remove write permission verbs for resource 'roles' and 'rolebindings'", "name": "Do not allow management of RBAC resources(ClusterRole 'manager-role' should not have access to resources ["roles", "rolebindings"] for verbs ["create", "update", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -152949,7 +152949,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "An effective level of access equivalent to cluster-admin should not be provided.", - "location": "Kind: 'ClusterRole' / Name: 'manager-role'", + "location": "scb://trivy/?Kind=ClusterRole&Name=manager-role", "mitigation": "Remove write permission verbs for resource 'roles' and 'rolebindings'", "name": "Do not allow management of RBAC resources(ClusterRole 'manager-role' should not have access to resources ["roles", "rolebindings"] for verbs ["create", "update", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -152983,7 +152983,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "It was found that apt-key in apt, all versions, do not correctly valid ...", "references": [ 
@@ -153040,7 +153040,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "** DISPUTED ** An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file. NOTE: this is unexploitable in GNU C Library environments, and possibly in all realistic environments.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "util-linux: integer overflow can lead to buffer overflow in get_sem_elements() in sys-utils/ipcutils.c", "references": [ @@ -153093,7 +153093,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "util-linux: partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline", "references": [ 
@@ -153149,7 +153149,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "coreutils: Non-privileged session can escape to the parent session in chroot", "references": [ @@ -153212,7 +153212,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "coreutils: race condition vulnerability in chown and chgrp", "references": [ 
@@ -153262,7 +153262,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "Dpkg::Source::Archive in dpkg, the Debian package management system, b ...", "references": [ @@ -153334,7 +153334,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "gcc: spilling of stack protection address in cfgexpand.c and function.c leads to stack-overflow protection bypass", "references": [ 
@@ -153386,7 +153386,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "gcc: POWER9 "DARN" RNG intrinsic produces repeated output", "references": [ @@ -153468,7 +153468,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "Signature spoofing via status line injection", "references": [ 
@@ -153594,7 +153594,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "gnupg2: OpenPGP Key Certification Forgeries with SHA-1", "references": [ @@ -153670,7 +153670,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "denial of service issue (resource consumption) using compressed packets", "references": [ 
@@ -153751,7 +153751,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "arbitrary-file-write vulnerability", "references": [ @@ -153867,7 +153867,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "iptables: --syn flag bypass", "references": [ 
@@ -153915,7 +153915,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "iptables: buffer overflow in iptables-restore", "references": [ @@ -153965,7 +153965,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "It was found that apt-key in apt, all versions, do not correctly valid ...", "references": [ @@ -154015,7 +154015,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": undefined, - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "bzip2 - bugfix update", "references": [], 
@@ -154045,7 +154045,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: mq_notify does not handle separately allocated thread attributes", "references": [ @@ -154131,7 +154131,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: Arbitrary read in wordexp()", "references": [ 
@@ -154226,7 +154226,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: Stack-based buffer overflow in svcunix_create via long pathnames", "references": [ @@ -154309,7 +154309,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: Stack-based buffer overflow in sunrpc clnt_create via a long pathname", "references": [ 
@@ -154392,7 +154392,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: array overflow in backtrace functions for powerpc", "references": [ @@ -154479,7 +154479,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: use-after-free in glob() function when expanding ~user", "references": [ 
@@ -154581,7 +154581,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: signed comparison vulnerability in the ARMv7 memcpy function", "references": [ @@ -154682,7 +154682,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: Assertion failure in ISO-2022-JP-3 gconv module related to combining characters", "references": [ 
@@ -154793,7 +154793,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: Off-by-one buffer overflow/underflow in getcwd()", "references": [ @@ -154897,7 +154897,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: iconv program can hang when invoked with the -c option", "references": [ 
@@ -155013,7 +155013,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding", "references": [ @@ -155153,7 +155153,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl functions", "references": [ 
@@ -155259,7 +155259,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability from CVE-2016-10228.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: iconv when processing invalid multi-byte input sequences fails to advance the input state, which could result in an infinite loop", "references": [ @@ -155350,7 +155350,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions", "references": [ 
@@ -155413,7 +155413,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", "references": [ @@ -155475,7 +155475,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: stack guard protection bypass", "references": [ 
@@ -155534,7 +155534,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: running ldd on malicious ELF leads to code execution because of wrong size computation", "references": [ @@ -155598,7 +155598,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: ASLR bypass using cache of thread stack and heap", "references": [ 
@@ -155665,7 +155665,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: information disclosure of heap addresses of pthread_created thread", "references": [ @@ -155733,7 +155733,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries", "references": [ 
@@ -155813,7 +155813,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", "references": [ @@ -155868,7 +155868,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: Use-after-free in addgetnetgrentX function in netgroupcache.c", "references": [ 
@@ -155951,7 +155951,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: mq_notify does not handle separately allocated thread attributes", "references": [ @@ -156037,7 +156037,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: Arbitrary read in wordexp()", "references": [ 
@@ -156132,7 +156132,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: Stack-based buffer overflow in svcunix_create via long pathnames", "references": [ @@ -156215,7 +156215,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: Stack-based buffer overflow in sunrpc clnt_create via a long pathname", "references": [ 
@@ -156298,7 +156298,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: array overflow in backtrace functions for powerpc", "references": [ @@ -156385,7 +156385,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: use-after-free in glob() function when expanding ~user", "references": [ 
@@ -156487,7 +156487,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: signed comparison vulnerability in the ARMv7 memcpy function", "references": [ @@ -156588,7 +156588,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: Assertion failure in ISO-2022-JP-3 gconv module related to combining characters", "references": [ 
@@ -156699,7 +156699,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: Off-by-one buffer overflow/underflow in getcwd()", "references": [ @@ -156803,7 +156803,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: iconv program can hang when invoked with the -c option", "references": [ 
@@ -156919,7 +156919,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding", "references": [ @@ -157059,7 +157059,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl functions", "references": [ 
@@ -157165,7 +157165,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability from CVE-2016-10228.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: iconv when processing invalid multi-byte input sequences fails to advance the input state, which could result in an infinite loop", "references": [ @@ -157256,7 +157256,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: glob implementation can cause excessive CPU and memory consumption due to crafted glob expressions", "references": [ 
@@ -157319,7 +157319,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", "references": [ @@ -157381,7 +157381,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: stack guard protection bypass", "references": [ 
@@ -157440,7 +157440,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: running ldd on malicious ELF leads to code execution because of wrong size computation", "references": [ @@ -157504,7 +157504,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: ASLR bypass using cache of thread stack and heap", "references": [ 
@@ -157571,7 +157571,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: information disclosure of heap addresses of pthread_created thread", "references": [ @@ -157639,7 +157639,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries", "references": [ 
@@ -157719,7 +157719,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c", "references": [ @@ -157774,7 +157774,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "glibc: Use-after-free in addgetnetgrentX function in netgroupcache.c", "references": [ 
@@ -157870,7 +157870,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "sqlite: heap out-of-bound read in function rtreenode()", "references": [ @@ -157998,7 +157998,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "gcc: spilling of stack protection address in cfgexpand.c and function.c leads to stack-overflow protection bypass", "references": [ 
@@ -158050,7 +158050,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "gcc: POWER9 "DARN" RNG intrinsic produces repeated output", "references": [ @@ -158132,7 +158132,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "libgcrypt: mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm", "references": [ 
@@ -158269,7 +158269,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "libgcrypt: ECDSA timing attack allowing private key leak", "references": [ @@ -158399,7 +158399,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "ElGamal implementation allows plaintext recovery", "references": [ 
@@ -158505,7 +158505,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "libgcrypt: ElGamal implementation doesn't have semantic security due to incorrectly encoded plaintexts possibly allowing to obtain sensitive information", "references": [ @@ -158569,7 +158569,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "Integer overflow and resultant buffer overflow via crafted input", "references": [ 
@@ -158674,7 +158674,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "gnutls: Use after free in client key_share extension", "references": [ @@ -158847,7 +158847,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "gnutls: Use after free in client_send_params in lib/ext/pre_shared_key.c", "references": [ @@ -159006,7 +159006,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "An issue was discovered in GnuTLS before 3.6.15. A server can trigger a NULL pointer dereference in a TLS 1.3 client if a no_renegotiation alert is sent with unexpected timing, and then an invalid second handshake occurs. The crash happens in the application's error handling path, where the gnutls_deinit function is called after detecting a handshake failure.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "gnutls: Heap buffer overflow in handshake with no_renegotiation alert sent", "references": [ 
@@ -159114,7 +159114,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "A vulnerability found in gnutls. This security flaw happens because of a double free error occurs during verification of pkcs7 signatures in gnutls_pkcs7_verify function.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "Double free during gnutls_pkcs7_verify", "references": [ @@ -159242,7 +159242,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "timing side-channel in the TLS RSA key exchange code", "references": [ 
@@ -159360,7 +159360,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "A NULL pointer dereference flaw was found in GnuTLS. As Nettle's hash update functions internally call memcpy, providing zero-length input may cause undefined behavior. This flaw leads to a denial of service after authentication in rare circumstances.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "GnuTLS: Null pointer dereference in MD_UPDATE", "references": [ @@ -159524,7 +159524,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)", "references": [ 
@@ -159949,7 +159949,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalers, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "nettle: Out of bounds memory access in signature verification", "references": [ @@ -160048,7 +160048,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "nettle: Remote crash in RSA decryption via manipulated ciphertext", "references": [ 
@@ -160165,7 +160165,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specifi ...", "references": [ @@ -160249,7 +160249,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "iptables: --syn flag bypass", "references": [ 
@@ -160297,7 +160297,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "iptables: buffer overflow in iptables-restore", "references": [ @@ -160345,7 +160345,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "iptables: --syn flag bypass", "references": [ @@ -160393,7 +160393,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "iptables: buffer overflow in iptables-restore", "references": [ 
@@ -160452,7 +160452,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "memory corruption due to an integer overflow bug caused by memmove argument", "references": [ @@ -160561,7 +160561,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "lz4: heap-based buffer overflow in LZ4_write32", "references": [ 
@@ -160694,7 +160694,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "arbitrary-file-write vulnerability", "references": [ @@ -160819,7 +160819,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalers, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "nettle: Out of bounds memory access in signature verification", "references": [ 
@@ -160918,7 +160918,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "nettle: Remote crash in RSA decryption via manipulated ciphertext", "references": [ @@ -161043,7 +161043,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "pcre: Integer overflow when parsing callout numeric arguments", "references": [ @@ -161163,7 +161163,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "pcre: OP_KETRMAX feature in the match function in pcre_exec.c", "references": [ 
@@ -161233,7 +161233,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "pcre: self-recursive call in match() in pcre_exec.c leads to denial of service", "references": [ @@ -161307,7 +161307,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "pcre: stack-based buffer overflow write in pcre32_copy_substring", "references": [ 
@@ -161365,7 +161365,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "pcre: stack-based buffer overflow write in pcre32_copy_substring", "references": [ @@ -161435,7 +161435,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \\X or \\R has more than one fixed quantifier, a related issue to CVE-2019-20454.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "pcre: Buffer over-read in JIT when UTF is disabled and \\X or \\R has fixed quantifier greater than 1", "references": [ @@ -161552,7 +161552,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "libseccomp before 2.4.0 did not correctly generate 64-bit syscall argument comparisons using the arithmetic operators (LT, GT, LE, GE), which might able to lead to bypassing seccomp filters and potential privilege escalations.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "libseccomp: incorrect generation of syscall filters in libseccomp", "references": [ 
@@ -161667,7 +161667,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __cil_verify_classpermission and __cil_pre_verify_helper).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "libsepol: use-after-free in __cil_verify_classperms()", "references": [ @@ -161790,7 +161790,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __verify_map_perm_classperms and hashtab_map).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "libsepol: use-after-free in __cil_verify_classperms()", "references": [ @@ -161913,7 +161913,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "use-after-free in cil_reset_classpermission()", "references": [ 
@@ -162037,7 +162037,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called indirectly from cil_check_neverallow). This occurs because there is sometimes a lack of checks for invalid statements in an optional block.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "libsepol: heap-based buffer overflow in ebitmap_match_any()", "references": [ 
@@ -162167,7 +162167,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "openssl: SM2 Decryption Buffer Overflow", "references": [ 
@@ -162319,7 +162319,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "c_rehash script allows command injection", "references": [ 
@@ -162521,7 +162521,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "the c_rehash script allows command injection", "references": [ 
@@ -162702,7 +162702,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. 
If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "openssl: Read buffer overruns processing ASN.1 strings", "references": [ 
@@ -162904,7 +162904,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). 
Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates", "references": [ 
@@ -163145,7 +163145,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "double free after calling PEM_read_bio_ex", "references": [ 
@@ -163434,7 +163434,7 @@ The OpenSSL cms and smime command line applications are similarly affected. ", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "use-after-free following BIO_new_NDEF", "references": [ @@ -163714,7 +163714,7 @@ The OpenSSL cms and smime command line applications are similarly affected. }, "category": "Vulnerability", "description": "There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "X.400 address type confusion in X.509 GeneralName", "references": [ 
@@ -163973,7 +163973,7 @@ exponential use of computational resources, leading to a denial-of-service Policy processing is disabled by default but can be enabled by passing the \`-policy' argument to the command line utilities or by calling the \`X509_VERIFY_PARAM_set1_policies()' function.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "Denial of service by excessive resource usage in verifying X509 policy constraints", "references": [ @@ -164117,7 +164117,7 @@ such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "Possible DoS translating ASN.1 object identifiers", "references": [ 
@@ -164220,7 +164220,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.0. It was addressed in the releases of 1.1.1m and 3.0.1 on the 15th of December 2021. For the 1.0.2 release it is addressed in git commit 6fc1aaaf3 that is available to premium support customers only. It will be made available in 1.0.2zc when it is released. The issue only affects OpenSSL on MIPS platforms. Fixed in OpenSSL 3.0.1 (Affected 3.0.0). Fixed in OpenSSL 1.1.1m (Affected 1.1.1-1.1.1l). Fixed in OpenSSL 1.0.2zc-dev (Affected 1.0.2-1.0.2zb).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "openssl: Carry propagation bug in the MIPS32 and MIPS64 squaring procedure", "references": [ 
@@ -164326,7 +164326,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "AES OCB fails to encrypt some bytes", "references": [ 
@@ -164533,7 +164533,7 @@ and the severity is therefore considered low.", }, "category": "Vulnerability", "description": "A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "timing attack in RSA Decryption implementation", "references": [ @@ -164757,7 +164757,7 @@ in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the \`-policy' argument to the command line utilities or by calling the \`X509_VERIFY_PARAM_set1_policies()' function.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "Invalid certificate policies in leaf certificates are silently ignored", "references": [ 
@@ -164871,7 +164871,7 @@ the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "Certificate policy check not enabled", "references": [ @@ -164965,7 +164965,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain "skeleton key" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "Dual_EC_DRBG: weak pseudo random number generator", "references": [ 
@@ -165041,7 +165041,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "openssl: RSA authentication weakness", "references": [ @@ -165105,7 +165105,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "gcc: spilling of stack protection address in cfgexpand.c and function.c leads to stack-overflow protection bypass", "references": [ 
@@ -165157,7 +165157,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "gcc: POWER9 "DARN" RNG intrinsic produces repeated output", "references": [ @@ -165231,7 +165231,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "systemd: services with DynamicUser can create SUID/SGID binaries", "references": [ 
@@ -165327,7 +165327,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "systemd: services with DynamicUser can get new privileges and create SGID binaries", "references": [ @@ -165412,7 +165412,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in which the "systemctl status" command may be executed. Specifically, systemd does not set LESSSECURE to 1, and thus other programs may be launched from the less program. This presents a substantial security risk when running systemctl from Sudo, because less executes as root when the terminal size is too small to show the complete systemctl output.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "privilege escalation via the less pager", "references": [ 
@@ -165502,7 +165502,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 has a Memory Allocation with an Excessive Size Value (involving strdupa and alloca for a pathname controlled by a local attacker) that results in an operating system crash.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "systemd: uncontrolled allocation on the stack in function unit_name_path_escape leads to crash", "references": [ @@ -165642,7 +165642,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in systemd. An uncontrolled recursion in systemd-tmpfiles may lead to a denial of service at boot time when too many nested directories are created in /tmp.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "systemd: Uncontrolled recursion in systemd-tmpfiles when removing files", "references": [ @@ -165718,7 +165718,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "buffer overrun in format_timespan() function", "references": [ 
@@ -165826,7 +165826,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "systemd: local information leak due to systemd-coredump not respecting fs.suid_dumpable kernel setting", "references": [ @@ -165923,7 +165923,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "TOCTOU race condition when updating file permissions and SELinux security contexts", "references": [ @@ -165982,7 +165982,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "systemd: memory leak in button_open() in login/logind-button.c when udev events are received", "references": [ 
@@ -166068,7 +166068,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "systemd: DHCP FORCERENEW authentication not implemented can cause a system running the DHCP client to have its network reconfigured", "references": [ @@ -166154,7 +166154,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "An issue was discovered in systemd 253. An attacker can modify a seale ...", "references": [ 
@@ -166192,7 +166192,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "An issue was discovered in systemd 253. An attacker can truncate a sea ...", "references": [ @@ -166230,7 +166230,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "An issue was discovered in systemd 253. An attacker can modify the con ...", "references": [ @@ -166286,7 +166286,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "libtasn1: Out-of-bound access in ETYPE_OK", "references": [ 
@@ -166403,7 +166403,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion", "references": [ @@ -166481,7 +166481,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "systemd: services with DynamicUser can create SUID/SGID binaries", "references": [ 
@@ -166577,7 +166577,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "systemd: services with DynamicUser can get new privileges and create SGID binaries", "references": [ @@ -166662,7 +166662,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in which the "systemctl status" command may be executed. Specifically, systemd does not set LESSSECURE to 1, and thus other programs may be launched from the less program. This presents a substantial security risk when running systemctl from Sudo, because less executes as root when the terminal size is too small to show the complete systemctl output.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "privilege escalation via the less pager", "references": [ 
@@ -166752,7 +166752,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 has a Memory Allocation with an Excessive Size Value (involving strdupa and alloca for a pathname controlled by a local attacker) that results in an operating system crash.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "systemd: uncontrolled allocation on the stack in function unit_name_path_escape leads to crash", "references": [ @@ -166892,7 +166892,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in systemd. An uncontrolled recursion in systemd-tmpfiles may lead to a denial of service at boot time when too many nested directories are created in /tmp.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "systemd: Uncontrolled recursion in systemd-tmpfiles when removing files", "references": [ @@ -166968,7 +166968,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "buffer overrun in format_timespan() function", "references": [ 
@@ -167076,7 +167076,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "systemd: local information leak due to systemd-coredump not respecting fs.suid_dumpable kernel setting", "references": [ @@ -167173,7 +167173,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "TOCTOU race condition when updating file permissions and SELinux security contexts", "references": [ @@ -167232,7 +167232,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "systemd: memory leak in button_open() in login/logind-button.c when udev events are received", "references": [ 
@@ -167318,7 +167318,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "systemd: DHCP FORCERENEW authentication not implemented can cause a system running the DHCP client to have its network reconfigured", "references": [ @@ -167404,7 +167404,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "An issue was discovered in systemd 253. An attacker can modify a seale ...", "references": [ 
@@ -167442,7 +167442,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "An issue was discovered in systemd 253. An attacker can truncate a sea ...", "references": [ @@ -167480,7 +167480,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "** DISPUTED ** An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "An issue was discovered in systemd 253. An attacker can modify the con ...", "references": [ 
@@ -167520,7 +167520,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "iptables: --syn flag bypass", "references": [ @@ -167568,7 +167568,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "iptables: buffer overflow in iptables-restore", "references": [ @@ -167617,7 +167617,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "initscripts in rPath Linux 1 sets insecure permissions for the /var/lo ...", "references": [ 
@@ -167678,7 +167678,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "shadow-utils: TOCTOU race conditions by copying and removing directory trees", "references": [ @@ -167765,7 +167765,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege escalation", "references": [ 
@@ -167829,7 +167829,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "shadow-utils: local users can obtain root access because setuid programs are misconfigured", "references": [ 
@@ -167896,7 +167896,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "Improper input validation in shadow-utils package utility chfn", "references": [ @@ -167957,7 +167957,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "initscripts in rPath Linux 1 sets insecure permissions for the /var/lo ...", "references": [ 
@@ -168018,7 +168018,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "shadow-utils: TOCTOU race conditions by copying and removing directory trees", "references": [ @@ -168105,7 +168105,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege escalation", "references": [ 
@@ -168169,7 +168169,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "shadow-utils: local users can obtain root access because setuid programs are misconfigured", "references": [ 
@@ -168236,7 +168236,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "Improper input validation in shadow-utils package utility chfn", "references": [ @@ -168302,7 +168302,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "CPAN 2.28 allows Signature Verification Bypass.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "perl-CPAN: Bypass of verification of signatures in CHECKSUMS files", "references": [ 
@@ -168381,7 +168381,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "CPAN.pm before 2.35 does not verify TLS certificates when downloading ...", "references": [ @@ -168460,7 +168460,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "_is_safe in the File::Temp module for Perl does not properly handle symlinks.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "perl: File::Temp insecure temporary file handling", "references": [ @@ -168525,7 +168525,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available ...", "references": [ 
@@ -168593,7 +168593,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "tar: does not properly warn the user when extracting setuid or setgid files", "references": [ @@ -168647,7 +168647,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "tar: null-pointer dereference in pax_decode_header in sparse.c", "references": [ @@ -168723,7 +168723,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption of memory. The highest threat from this vulnerability is to system availability.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "tar: Memory leak in read_header() in list.c", "references": [ 
@@ -168799,7 +168799,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "heap buffer overflow at from_header() in list.c via specially crafted checksum", "references": [ @@ -168933,7 +168933,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field", "references": [ 
@@ -169175,7 +169175,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": undefined, "name": "A flaw found in zlib when compressing (not decompressing) certain inputs", "references": [ @@ -169388,7 +169388,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", "name": "Process can elevate its own privileges(Container 'kube-proxy' of DaemonSet 'kube-proxy' should set 'securityContext.allowPrivilegeEscalation' to false)", "references": [ @@ -169417,7 +169417,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": "Add 'ALL' to containers[].securityContext.capabilities.drop.", "name": "Default capabilities not dropped(Container 'kube-proxy' of DaemonSet 'kube-proxy' should add 'ALL' to 'securityContext.capabilities.drop')", "references": [ 
@@ -169446,7 +169446,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": "Do not set 'spec.template.spec.hostNetwork' to true.", "name": "Access to host network(DaemonSet 'kube-proxy' should not set 'spec.template.spec.hostNetwork' to true)", "references": [ @@ -169475,7 +169475,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": "Set a limit value under 'containers[].resources.limits.cpu'.", "name": "CPU not limited(Container 'kube-proxy' of DaemonSet 'kube-proxy' should set 'resources.limits.cpu')", "references": [ @@ -169504,7 +169504,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": "Set 'containers[].securityContext.runAsNonRoot' to true.", "name": "Runs as root user(Container 'kube-proxy' of DaemonSet 'kube-proxy' should set 'securityContext.runAsNonRoot' to true)", "references": [ 
@@ -169533,7 +169533,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", "name": "Root file system is not read-only(Container 'kube-proxy' of DaemonSet 'kube-proxy' should set 'securityContext.readOnlyRootFilesystem' to true)", "references": [ @@ -169562,7 +169562,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": "Set 'containers[].resources.requests.cpu'.", "name": "CPU requests not specified(Container 'kube-proxy' of DaemonSet 'kube-proxy' should set 'resources.requests.cpu')", "references": [ 
@@ -169591,7 +169591,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": "Set 'containers[].resources.requests.memory'.", "name": "Memory requests not specified(Container 'kube-proxy' of DaemonSet 'kube-proxy' should set 'resources.requests.memory')", "references": [ @@ -169620,7 +169620,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Privileged containers share namespaces with the host system and do not offer any security. They should be used exclusively for system containers that require high privileges.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": "Change 'containers[].securityContext.privileged' to 'false'.", "name": "Privileged container(Container 'kube-proxy' of DaemonSet 'kube-proxy' should set 'securityContext.privileged' to false)", "references": [ @@ -169649,7 +169649,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": "Set a limit value under 'containers[].resources.limits.memory'.", "name": "Memory not limited(Container 'kube-proxy' of DaemonSet 'kube-proxy' should set 'resources.limits.memory')", "references": [ 
@@ -169678,7 +169678,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": "Set 'containers[].securityContext.runAsUser' to an integer > 10000.", "name": "Runs with low user ID(Container 'kube-proxy' of DaemonSet 'kube-proxy' should set 'securityContext.runAsUser' > 10000)", "references": [ @@ -169707,7 +169707,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": "Set 'containers[].securityContext.runAsGroup' to an integer > 10000.", "name": "Runs with low group ID(Container 'kube-proxy' of DaemonSet 'kube-proxy' should set 'securityContext.runAsGroup' > 10000)", "references": [ @@ -169736,7 +169736,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "HostPath volumes must be forbidden.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": "Do not set 'spec.volumes[*].hostPath'.", "name": "hostPath volumes mounted(DaemonSet 'kube-proxy' should not set 'spec.template.volumes.hostPath')", "references": [ 
@@ -169765,7 +169765,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", "name": "Default Seccomp profile not set(Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault')", "references": [ @@ -169794,7 +169794,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "location": "Namespace: 'kube-system' / Kind: 'DaemonSet' / Name: 'kube-proxy'", + "location": "scb://trivy/?Namespace=kube-system&Kind=DaemonSet&Name=kube-proxy", "mitigation": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", "name": "Container capabilities must only include NET_BIND_SERVICE(container should drop all)", "references": [ 
@@ -169823,7 +169823,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "An effective level of access equivalent to cluster-admin should not be provided.", - "location": "Kind: 'ClusterRole' / Name: 'system:aggregate-to-admin'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:aggregate-to-admin", "mitigation": "Remove write permission verbs for resource 'roles' and 'rolebindings'", "name": "Do not allow management of RBAC resources(ClusterRole 'system:aggregate-to-admin' should not have access to resources ["roles", "rolebindings"] for verbs ["create", "update", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -169852,7 +169852,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Check whether role permits managing secrets", - "location": "Kind: 'ClusterRole' / Name: 'system:aggregate-to-edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:aggregate-to-edit", "mitigation": "Create a role which does not permit to manage secrets if not needed", "name": "Do not allow management of secrets(Role permits management of secret(s))", "references": [ @@ -169881,7 +169881,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Check whether role permits managing secrets", - "location": "Kind: 'ClusterRole' / Name: 'system:aggregate-to-edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:aggregate-to-edit", "mitigation": "Create a role which does not permit to manage secrets if not needed", "name": "Do not allow management of secrets(Role permits management of secret(s))", "references": [ 
@@ -169910,7 +169910,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'system:aggregate-to-edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:aggregate-to-edit", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ @@ -169939,7 +169939,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'system:aggregate-to-edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:aggregate-to-edit", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ @@ -169968,7 +169968,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'system:aggregate-to-edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:aggregate-to-edit", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ 
@@ -169997,7 +169997,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'system:aggregate-to-edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:aggregate-to-edit", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ @@ -170026,7 +170026,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", - "location": "Kind: 'ClusterRole' / Name: 'system:aggregate-to-edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:aggregate-to-edit", "mitigation": "Remove write permission verbs for resource 'configmaps'", "name": "Do not allow management of configmaps(ClusterRole 'system:aggregate-to-edit' should not have access to resource 'configmaps' for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ 
@@ -170055,7 +170055,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'system:aggregate-to-edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:aggregate-to-edit", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'system:aggregate-to-edit' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -170084,7 +170084,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'system:aggregate-to-edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:aggregate-to-edit", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'system:aggregate-to-edit' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ 
@@ -170113,7 +170113,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'system:aggregate-to-edit'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:aggregate-to-edit", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'system:aggregate-to-edit' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -170139,7 +170139,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": undefined, - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "tzdata - new upstream version", "references": [], @@ -170156,7 +170156,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": undefined, - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "tzdata - new upstream version", "references": [], @@ -170173,7 +170173,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": undefined, - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "tzdata - new upstream version", "references": [], 
@@ -170190,7 +170190,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": undefined, - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "tzdata - new upstream version", "references": [], @@ -170207,7 +170207,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": undefined, - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "tzdata - new timezone database", "references": [], @@ -170224,7 +170224,7 @@ commonly used by applications.", }, "category": "Vulnerability", "description": undefined, - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": undefined, "name": "tzdata - new timezone database", "references": [], @@ -170244,7 +170244,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", "name": "Process can elevate its own privileges(Container 'etcd' of Pod 'etcd-kind-control-plane' should set 'securityContext.allowPrivilegeEscalation' to false)", "references": [ 
@@ -170273,7 +170273,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": "Add 'ALL' to containers[].securityContext.capabilities.drop.", "name": "Default capabilities not dropped(Container 'etcd' of Pod 'etcd-kind-control-plane' should add 'ALL' to 'securityContext.capabilities.drop')", "references": [ @@ -170302,7 +170302,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": "Do not set 'spec.template.spec.hostNetwork' to true.", "name": "Access to host network(Pod 'etcd-kind-control-plane' should not set 'spec.template.spec.hostNetwork' to true)", "references": [ @@ -170331,7 +170331,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": "Set a limit value under 'containers[].resources.limits.cpu'.", "name": "CPU not limited(Container 'etcd' of Pod 'etcd-kind-control-plane' should set 'resources.limits.cpu')", "references": [ 
@@ -170360,7 +170360,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": "Set 'containers[].securityContext.runAsNonRoot' to true.", "name": "Runs as root user(Container 'etcd' of Pod 'etcd-kind-control-plane' should set 'securityContext.runAsNonRoot' to true)", "references": [ @@ -170389,7 +170389,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", "name": "Root file system is not read-only(Container 'etcd' of Pod 'etcd-kind-control-plane' should set 'securityContext.readOnlyRootFilesystem' to true)", "references": [ @@ -170418,7 +170418,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": "Set a limit value under 'containers[].resources.limits.memory'.", "name": "Memory not limited(Container 'etcd' of Pod 'etcd-kind-control-plane' should set 'resources.limits.memory')", "references": [ 
@@ -170447,7 +170447,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": "Set 'containers[].securityContext.runAsUser' to an integer > 10000.", "name": "Runs with low user ID(Container 'etcd' of Pod 'etcd-kind-control-plane' should set 'securityContext.runAsUser' > 10000)", "references": [ @@ -170476,7 +170476,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": "Set 'containers[].securityContext.runAsGroup' to an integer > 10000.", "name": "Runs with low group ID(Container 'etcd' of Pod 'etcd-kind-control-plane' should set 'securityContext.runAsGroup' > 10000)", "references": [ @@ -170505,7 +170505,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "HostPath volumes must be forbidden.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": "Do not set 'spec.volumes[*].hostPath'.", "name": "hostPath volumes mounted(Pod 'etcd-kind-control-plane' should not set 'spec.template.volumes.hostPath')", "references": [ 
@@ -170534,7 +170534,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The RuntimeDefault/Localhost seccomp profile must be required, or allow specific additional profiles.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", "name": "Default Seccomp profile not set(Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault')", "references": [ @@ -170563,7 +170563,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "location": "Namespace: 'kube-system' / Kind: 'Pod' / Name: 'etcd-kind-control-plane'", + "location": "scb://trivy/?Namespace=kube-system&Kind=Pod&Name=etcd-kind-control-plane", "mitigation": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", "name": "Container capabilities must only include NET_BIND_SERVICE(container should drop all)", "references": [ @@ -170592,7 +170592,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:cronjob-controller'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:cronjob-controller", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ 
@@ -170621,7 +170621,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:cronjob-controller'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:cronjob-controller", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ @@ -170650,7 +170650,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:deployment-controller'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:deployment-controller", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ @@ -170679,7 +170679,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:deployment-controller'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:deployment-controller", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ 
@@ -170708,7 +170708,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:endpoint-controller'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:endpoint-controller", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'system:controller:endpoint-controller' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -170737,7 +170737,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:endpointslice-controller'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:endpointslice-controller", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'system:controller:endpointslice-controller' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ 
@@ -170766,7 +170766,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:endpointslicemirroring-controller'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:endpointslicemirroring-controller", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'system:controller:endpointslicemirroring-controller' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -170795,7 +170795,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Check whether role permits specific verb on wildcard resources", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:generic-garbage-collector'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:generic-garbage-collector", "mitigation": "Create a role which does not permit specific verb on wildcard resources", "name": "No wildcard resource roles(Role permits specific verb on wildcard resource)", "references": [ @@ -170824,7 +170824,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Check whether role permits managing secrets", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:expand-controller'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:expand-controller", "mitigation": "Create a role which does not permit to manage secrets if not needed", "name": "Do not allow management of secrets(Role permits management of secret(s))", "references": [ 
@@ -170853,7 +170853,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Check whether role permits specific verb on wildcard resources", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:horizontal-pod-autoscaler'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:horizontal-pod-autoscaler", "mitigation": "Create a role which does not permit specific verb on wildcard resources", "name": "No wildcard resource roles(Role permits specific verb on wildcard resource)", "references": [ @@ -170882,7 +170882,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:job-controller'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:job-controller", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ @@ -170911,7 +170911,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Check whether role permits specific verb on wildcard resources", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:namespace-controller'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:namespace-controller", "mitigation": "Create a role which does not permit specific verb on wildcard resources", "name": "No wildcard resource roles(Role permits specific verb on wildcard resource)", "references": [ 
@@ -170940,7 +170940,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Check whether role permits managing secrets", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:persistent-volume-binder'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:persistent-volume-binder", "mitigation": "Create a role which does not permit to manage secrets if not needed", "name": "Do not allow management of secrets(Role permits management of secret(s))", "references": [ @@ -170969,7 +170969,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:persistent-volume-binder'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:persistent-volume-binder", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'system:controller:persistent-volume-binder' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ 
@@ -170998,7 +170998,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:persistent-volume-binder'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:persistent-volume-binder", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'system:controller:persistent-volume-binder' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -171027,7 +171027,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:replicaset-controller'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:replicaset-controller", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ 
@@ -171056,7 +171056,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:replication-controller'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:replication-controller", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ @@ -171085,7 +171085,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Check whether role permits specific verb on wildcard resources", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:resourcequota-controller'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:resourcequota-controller", "mitigation": "Create a role which does not permit specific verb on wildcard resources", "name": "No wildcard resource roles(Role permits specific verb on wildcard resource)", "references": [ @@ -171114,7 +171114,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", - "location": "Kind: 'ClusterRole' / Name: 'system:controller:root-ca-cert-publisher'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:controller:root-ca-cert-publisher", "mitigation": "Remove write permission verbs for resource 'configmaps'", "name": "Do not allow management of configmaps(ClusterRole 'system:controller:root-ca-cert-publisher' should not have access to resource 'configmaps' for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ 
@@ -171143,7 +171143,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Check whether role permits managing secrets", - "location": "Kind: 'ClusterRole' / Name: 'system:kube-controller-manager'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:kube-controller-manager", "mitigation": "Create a role which does not permit to manage secrets if not needed", "name": "Do not allow management of secrets(Role permits management of secret(s))", "references": [ @@ -171172,7 +171172,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Check whether role permits managing secrets", - "location": "Kind: 'ClusterRole' / Name: 'system:kube-controller-manager'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:kube-controller-manager", "mitigation": "Create a role which does not permit to manage secrets if not needed", "name": "Do not allow management of secrets(Role permits management of secret(s))", "references": [ @@ -171201,7 +171201,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Check whether role permits managing secrets", - "location": "Kind: 'ClusterRole' / Name: 'system:kube-controller-manager'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:kube-controller-manager", "mitigation": "Create a role which does not permit to manage secrets if not needed", "name": "Do not allow management of secrets(Role permits management of secret(s))", "references": [ 
@@ -171230,7 +171230,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Check whether role permits managing secrets", - "location": "Kind: 'ClusterRole' / Name: 'system:kube-controller-manager'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:kube-controller-manager", "mitigation": "Create a role which does not permit to manage secrets if not needed", "name": "Do not allow management of secrets(Role permits management of secret(s))", "references": [ @@ -171259,7 +171259,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Check whether role permits specific verb on wildcard resources", - "location": "Kind: 'ClusterRole' / Name: 'system:kube-controller-manager'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:kube-controller-manager", "mitigation": "Create a role which does not permit specific verb on wildcard resources", "name": "No wildcard resource roles(Role permits specific verb on wildcard resource)", "references": [ @@ -171288,7 +171288,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'system:kube-controller-manager'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:kube-controller-manager", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'system:kube-controller-manager' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ 
@@ -171317,7 +171317,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'system:kube-controller-manager'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:kube-controller-manager", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'system:kube-controller-manager' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -171346,7 +171346,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'system:kube-scheduler'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:kube-scheduler", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'system:kube-scheduler' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ 
@@ -171375,7 +171375,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "location": "Kind: 'ClusterRole' / Name: 'system:kube-scheduler'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:kube-scheduler", "mitigation": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", "name": "Do not allow management of networking resources(ClusterRole 'system:kube-scheduler' should not have access to resources ["services", "endpoints", "endpointslices", "networkpolicies", "ingresses"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"])", "references": [ @@ -171404,7 +171404,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Check whether role permits managing secrets", - "location": "Kind: 'ClusterRole' / Name: 'system:node'", + "location": "scb://trivy/?Kind=ClusterRole&Name=system:node", "mitigation": "Create a role which does not permit to manage secrets if not needed", "name": "Do not allow management of secrets(Role permits management of secret(s))", "references": [ 
@@ -171433,7 +171433,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The RBAC role cluster-admin provides wide-ranging powers over the environment and should be used only where and when needed.", - "location": "Kind: 'ClusterRoleBinding' / Name: 'admin-user'", + "location": "scb://trivy/?Kind=ClusterRoleBinding&Name=admin-user", "mitigation": "Identify all clusterrolebindings to the cluster-admin role. Check if they are used and if they need this role or if they could use a role with fewer privileges.", "name": "Ensure that the cluster-admin role is only used where required(ClusterRoleBinding 'admin-user' with role 'cluster-admin' should be used only when required)", "references": [ @@ -171462,7 +171462,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "The RBAC role cluster-admin provides wide-ranging powers over the environment and should be used only where and when needed.", - "location": "Kind: 'ClusterRoleBinding' / Name: 'trivy-k8s'", + "location": "scb://trivy/?Kind=ClusterRoleBinding&Name=trivy-k8s", "mitigation": "Identify all clusterrolebindings to the cluster-admin role. Check if they are used and if they need this role or if they could use a role with fewer privileges.", "name": "Ensure that the cluster-admin role is only used where required(ClusterRoleBinding 'trivy-k8s' with role 'cluster-admin' should be used only when required)", "references": [ 
@@ -171491,7 +171491,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Ensure that the container network interface file has permissions of 600 or more restrictive.", - "location": "Kind: 'NodeInfo' / Name: 'kind-control-plane'", + "location": "scb://trivy/?Kind=NodeInfo&Name=kind-control-plane", "mitigation": "Change the container network interface file path/to/cni/files permissions of 600 or more restrictive ", "name": "Ensure that the container network interface file permissions are set to 600 or more restrictive(Ensure that the Container Network Interface specification file permissions is set to 600 or more restrictive)", "references": [ @@ -171520,7 +171520,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Ensure that the etcd data directory ownership is set to etcd:etcd.", - "location": "Kind: 'NodeInfo' / Name: 'kind-control-plane'", + "location": "scb://trivy/?Kind=NodeInfo&Name=kind-control-plane", "mitigation": "Change the etcd data directory /var/lib/etcd ownership to etcd:etcd", "name": "Ensure that the etcd data directory ownership is set to etcd:etcd(Ensure that the etcd data directory ownership is set to etcd:etcd)", "references": [ @@ -171549,7 +171549,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Ensure that the Kubernetes PKI certificate file permission is set to 600.", - "location": "Kind: 'NodeInfo' / Name: 'kind-control-plane'", + "location": "scb://trivy/?Kind=NodeInfo&Name=kind-control-plane", "mitigation": "Change the Kubernetes PKI certificate file /etc/kubernetes/pki/*.crt permission to 600", "name": "Ensure that the Kubernetes PKI certificate file permission is set to 600(Ensure that the Kubernetes PKI certificate file permission is set to 600)", "references": [ 
@@ -171578,7 +171578,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Ensure that the kubelet service file has permissions of 600 or more restrictive.", - "location": "Kind: 'NodeInfo' / Name: 'kind-control-plane'", + "location": "scb://trivy/?Kind=NodeInfo&Name=kind-control-plane", "mitigation": "Change the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf permissions of 600 or more restrictive ", "name": "Ensure that the kubelet service file permissions are set to 600 or more restrictive(Ensure that the kubelet service file permissions are set to 600 or more restrictive)", "references": [ @@ -171607,7 +171607,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Ensure that the certificate authorities file has permissions of 600 or more restrictive.", - "location": "Kind: 'NodeInfo' / Name: 'kind-control-plane'", + "location": "scb://trivy/?Kind=NodeInfo&Name=kind-control-plane", "mitigation": "Change the certificate authorities file permissions to 600 or more restrictive if exist", "name": "Ensure that the certificate authorities file permissions are set to 600 or more restrictive(Ensure that the certificate authorities file permissions are set to 600 or more restrictive)", "references": [ 
@@ -171636,7 +171636,7 @@ commonly used by applications.", }, "category": "Misconfiguration", "description": "Ensure that if the kubelet refers to a configuration file with the --config argument, that file has permissions of 600 or more restrictive.", - "location": "Kind: 'NodeInfo' / Name: 'kind-control-plane'", + "location": "scb://trivy/?Kind=NodeInfo&Name=kind-control-plane", "mitigation": "Change the kubelet config yaml permissions to 600 or more restrictive if exist", "name": "If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive(Ensure that if the kubelet refers to a configuration file with the --config argument, that file has permissions of 600 or more restrictive.)", "references": [ diff --git a/scanners/trivy/parser/parser.js b/scanners/trivy/parser/parser.js index 56b4134aec..973aecf8f4 100644 --- a/scanners/trivy/parser/parser.js +++ b/scanners/trivy/parser/parser.js @@ -61,7 +61,7 @@ const findings = imageScanResults.Results.flatMap(({ Target: target, Vulnerabili name: vulnerability.Title || `Vulnerability in Dependency ${vulnerability.PkgName} (${vulnerability.InstalledVersion})`, description: vulnerability.Description, category, - location: imageId, + location: `scb://trivy/?ArtifactName=${imageId}`, osi_layer: "NOT_APPLICABLE", severity: getAdjustedSeverity(vulnerability.Severity), mitigation: `Update the affected package ${vulnerability.PkgName} to the fixed version: ${vulnerability.FixedVersion} or remove the package from the image.`, 
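Review bot: The new `location` value puts `imageId` into a URL query string without percent-encoding, and the `@@ -173,13 +173,13 @@` hunk of this file does the same with `clusterName`, `namespace`, `kind` and `k8sName`. If any of these can contain `&`, `=`, `#` or whitespace (not determinable from the hunks), a consumer splitting the query would read different parameters than the scan produced. The DefectDojo mapper touched by this commit also passes the location to `URI.create` and only logs a warning on failure, so such a finding would lose its endpoint. Encoding each value closes this: `location: `scb://trivy/?ArtifactName=${encodeURIComponent(imageId)}`,` here, and `urlParams.push(`Kind=${encodeURIComponent(kind)}`, `Name=${encodeURIComponent(k8sName)}`);` (likewise for ClusterName and Namespace) in the other hunk. Encoding also turns `:` and `/` into `%3A` and `%2F`, so the snapshots and the documented format would need updating to match; the enclosing `flatMap` callback starts and ends outside the hunk.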
@@ -173,13 +173,13 @@ function convertTrivyK8sFindingToSCBFinding(trivyK8sFinding, clusterName, namesp } } - let location = `Kind: '${kind}' / Name: '${k8sName}'`; - if (namespace) { - location = `Namespace: '${namespace}' / ${location}`; - } - if (clusterName) { - location = `Cluster: '${clusterName}' / ${location}`; - } + const baseUrl = `scb://trivy/?`; + const urlParams = []; + if (clusterName) urlParams.push(`ClusterName=${clusterName}`); + if (namespace) urlParams.push(`Namespace=${namespace}`); + urlParams.push(`Kind=${kind}`, `Name=${k8sName}`); + + const location = baseUrl + urlParams.join('&'); let foundIn = `Target: '${target}'` if (clazz) {
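Review bot: The block that builds `urlParams` has no comment saying that `ClusterName` and `Namespace` are left out entirely when unset. The documented pattern in this commit lists all four keys (`scb://trivy/?ClusterName=&Namespace=&Kind=&Name=`), while the updated snapshots contain locations with only `Kind` and `Name`. A reader writing a consumer could reasonably expect empty parameters instead of missing ones. A line such as `// ClusterName and Namespace are omitted (not emitted empty) when unset; key order is fixed` above `const urlParams = [];` would settle it. The `scb://trivy/?` prefix is also spelled out a second time in the image-scan hunk and could be one shared constant; `convertTrivyK8sFindingToSCBFinding` starts and ends outside the hunk.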