diff --git a/.github/workflows/sca-integration-trivy.yml b/.github/workflows/sca-integration-trivy.yml
new file mode 100644
index 0000000000..5e7306fd64
--- /dev/null
+++ b/.github/workflows/sca-integration-trivy.yml
@@ -0,0 +1,53 @@
+name: Generate SBOM with Trivy and load into ScanCode.io
+
+# This workflow:
+# 1. Generates a CycloneDX SBOM for a container image using Trivy.
+# 2. Uploads the SBOM as a GitHub artifact for future inspection.
+# 3. Loads the SBOM into ScanCode.io for further analysis.
+# 4. Runs assertions to verify that the SBOM was properly processed in ScanCode.io.
+#
+# It runs on demand, and once a week (scheduled).
+
+on:
+ workflow_dispatch:
+ schedule:
+ # Run once a week (every 7 days) at 00:00 UTC on Sunday
+ - cron: "0 0 * * 0"
+
+permissions:
+ contents: read
+
+env:
+ IMAGE_REFERENCE: "python:3.13.0-slim"
+
+jobs:
+ generate-and-load-sbom:
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Generate CycloneDX SBOM with Trivy
+ uses: aquasecurity/trivy-action@0.32.0
+ with:
+ scan-type: "image"
+ image-ref: ${{ env.IMAGE_REFERENCE }}
+ format: "cyclonedx"
+ output: "trivy-report.sbom.json"
+ scanners: "vuln,license"
+ version: "latest"
+
+ - name: Upload SBOM as GitHub Artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: trivy-sbom-report
+ path: "trivy-report.sbom.json"
+ retention-days: 20
+
+ - name: Import SBOM into ScanCode.io
+ uses: aboutcode-org/scancode-action@main
+ with:
+ pipelines: "load_sbom"
+ inputs-path: "trivy-report.sbom.json"
+
+ - name: Verify SBOM Analysis Results in ScanCode.io
+ shell: bash
+ run: |
+ scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 90; assert package_manager.vulnerable().count() > 40; assert DiscoveredDependency.objects.count() > 190"
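Review bot: The import step at `uses: aboutcode-org/scancode-action@main` pins a third-party action to a mutable branch, so every push to that branch changes what this workflow executes on the weekly schedule with no review in this repository; pin it to a release tag or, better, a full commit SHA with the version in a trailing comment (`uses: aboutcode-org/scancode-action@<commit-sha>  # vX.Y`), as the Trivy step already does with `@0.32.0`. The same reproducibility concern applies to `version: "latest"` for Trivy and to the tag-only `IMAGE_REFERENCE`: the lower bounds asserted in the final `scanpipe shell` command (more than 90 packages, 40 vulnerable packages and 190 dependencies) depend on whichever Trivy release, vulnerability database snapshot and image rebuild is current on the run date, so a scheduled failure may be drift rather than a regression in the `load_sbom` pipeline. Pinning the image by digest (`IMAGE_REFERENCE: "python:3.13.0-slim@sha256:<digest>"`) and a fixed Trivy `version` would make a red run attributable to ScanCode.io itself. A comment above the `run:` block stating that the thresholds were measured against that exact Trivy version and image digest would tell the next maintainer when they need re-baselining.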
diff --git a/scanpipe/tests/data/cyclonedx/python-3.13.0-vulnerabilities.cdx.json b/scanpipe/tests/data/cyclonedx/python-3.13.0-vulnerabilities.cdx.json
index 68ad39f06d..3c2c18d2f3 100644
--- a/scanpipe/tests/data/cyclonedx/python-3.13.0-vulnerabilities.cdx.json
+++ b/scanpipe/tests/data/cyclonedx/python-3.13.0-vulnerabilities.cdx.json
@@ -94,4 +94,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/scanpipe/tests/data/sca-integrations/trivy-alpine-3.17-sbom.json b/scanpipe/tests/data/sca-integrations/trivy-alpine-3.17-sbom.json
new file mode 100644
index 0000000000..e3071a7046
--- /dev/null
+++ b/scanpipe/tests/data/sca-integrations/trivy-alpine-3.17-sbom.json
@@ -0,0 +1,6896 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:644a6425-6d6b-43cd-948a-521f67e38157", + "version": 1, + "metadata": { + "timestamp": "2025-08-19T15:19:37+00:00", + "tools": { + "components": [ + { + "type": "application", + "manufacturer": { + "name": "Aqua Security Software Ltd." + }, + "group": "aquasecurity", + "name": "trivy", + "version": "0.65.0" + } + ] + }, + "component": { + "bom-ref": "pkg:oci/alpine@sha256%3A8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4?arch=amd64&repository_url=index.docker.io%2Flibrary%2Falpine", + "type": "container", + "name": "alpine:3.17.0", + "purl": "pkg:oci/alpine@sha256%3A8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4?arch=amd64&repository_url=index.docker.io%2Flibrary%2Falpine", + "properties": [ + { + "name": "aquasecurity:trivy:DiffID", + "value": "sha256:ded7a220bb058e28ee3254fbba04ca90b679070424424761a53a043b93b612bf" + }, + { + "name": "aquasecurity:trivy:ImageID", + "value": "sha256:49176f190c7e9cdb51ac85ab6c6d5e4512352218190cd69b08e6fd803ffbf3da" + }, + { + "name": "aquasecurity:trivy:RepoDigest", + "value": "alpine@sha256:8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4" + }, + { + "name": "aquasecurity:trivy:RepoTag", + "value": "alpine:3.17.0" + }, + { + "name": "aquasecurity:trivy:SchemaVersion", + "value": "2" + }, + { + "name": "aquasecurity:trivy:Size", + "value": "7337984" + } + ] + } + }, + "components": [ + { + "bom-ref": "631bcfb7-efef-4ded-9e5c-80e47a551330", + "type": "operating-system", + "name": "alpine", + "version": "3.17.0", + "properties": [ + { + "name": "aquasecurity:trivy:Class", + "value": "os-pkgs" + }, + { + "name": "aquasecurity:trivy:Type", + "value": "alpine" + } + ] + }, + { + "bom-ref": "pkg:apk/alpine/alpine-baselayout-data@3.4.0-r0?arch=x86_64&distro=3.17.0", + "type": "library", + "supplier": { + "name": "Natanael Copa 
" + }, + "name": "alpine-baselayout-data", + "version": "3.4.0-r0", + "hashes": [ + { + "alg": "SHA-1", + "content": "fc982933c27a0d623fe78d6d517fae1c4cd28eaa" + } + ], + "licenses": [ + { + "license": { + "id": "GPL-2.0-only" + } + } + ], + "purl": "pkg:apk/alpine/alpine-baselayout-data@3.4.0-r0?arch=x86_64&distro=3.17.0", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:ded7a220bb058e28ee3254fbba04ca90b679070424424761a53a043b93b612bf" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:c158987b05517b6f2c5913f3acef1f2182a32345a304fe357e3ace5fadcad715" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "alpine-baselayout-data@3.4.0-r0" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "alpine" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "alpine-baselayout" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.4.0-r0" + } + ] + }, + { + "bom-ref": "pkg:apk/alpine/alpine-baselayout@3.4.0-r0?arch=x86_64&distro=3.17.0", + "type": "library", + "supplier": { + "name": "Natanael Copa " + }, + "name": "alpine-baselayout", + "version": "3.4.0-r0", + "hashes": [ + { + "alg": "SHA-1", + "content": "fde5df99b613d565de9c54aa2a3ae86322bce0d1" + } + ], + "licenses": [ + { + "license": { + "id": "GPL-2.0-only" + } + } + ], + "purl": "pkg:apk/alpine/alpine-baselayout@3.4.0-r0?arch=x86_64&distro=3.17.0", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:ded7a220bb058e28ee3254fbba04ca90b679070424424761a53a043b93b612bf" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:c158987b05517b6f2c5913f3acef1f2182a32345a304fe357e3ace5fadcad715" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "alpine-baselayout@3.4.0-r0" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "alpine" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "alpine-baselayout" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": 
"3.4.0-r0" + } + ] + }, + { + "bom-ref": "pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&distro=3.17.0", + "type": "library", + "supplier": { + "name": "Natanael Copa " + }, + "name": "alpine-keys", + "version": "2.4-r1", + "hashes": [ + { + "alg": "SHA-1", + "content": "28cd3595f295a7e804667db76b0ba3aa34a4acdf" + } + ], + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "purl": "pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&distro=3.17.0", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:ded7a220bb058e28ee3254fbba04ca90b679070424424761a53a043b93b612bf" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:c158987b05517b6f2c5913f3acef1f2182a32345a304fe357e3ace5fadcad715" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "alpine-keys@2.4-r1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "alpine" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "alpine-keys" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.4-r1" + } + ] + }, + { + "bom-ref": "pkg:apk/alpine/apk-tools@2.12.10-r1?arch=x86_64&distro=3.17.0", + "type": "library", + "supplier": { + "name": "Natanael Copa " + }, + "name": "apk-tools", + "version": "2.12.10-r1", + "hashes": [ + { + "alg": "SHA-1", + "content": "11fde2c2df9c31d1a780481a16bd944482612b34" + } + ], + "licenses": [ + { + "license": { + "id": "GPL-2.0-only" + } + } + ], + "purl": "pkg:apk/alpine/apk-tools@2.12.10-r1?arch=x86_64&distro=3.17.0", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:ded7a220bb058e28ee3254fbba04ca90b679070424424761a53a043b93b612bf" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:c158987b05517b6f2c5913f3acef1f2182a32345a304fe357e3ace5fadcad715" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "apk-tools@2.12.10-r1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "alpine" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": 
"apk-tools" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "2.12.10-r1" + } + ] + }, + { + "bom-ref": "pkg:apk/alpine/busybox-binsh@1.35.0-r29?arch=x86_64&distro=3.17.0", + "type": "library", + "supplier": { + "name": "Sören Tempel " + }, + "name": "busybox-binsh", + "version": "1.35.0-r29", + "hashes": [ + { + "alg": "SHA-1", + "content": "9a25b0ca158a5d51224582e1980ad5d5328cb3a0" + } + ], + "licenses": [ + { + "license": { + "id": "GPL-2.0-only" + } + } + ], + "purl": "pkg:apk/alpine/busybox-binsh@1.35.0-r29?arch=x86_64&distro=3.17.0", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:ded7a220bb058e28ee3254fbba04ca90b679070424424761a53a043b93b612bf" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:c158987b05517b6f2c5913f3acef1f2182a32345a304fe357e3ace5fadcad715" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "busybox-binsh@1.35.0-r29" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "alpine" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "busybox" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.35.0-r29" + } + ] + }, + { + "bom-ref": "pkg:apk/alpine/busybox@1.35.0-r29?arch=x86_64&distro=3.17.0", + "type": "library", + "supplier": { + "name": "Sören Tempel " + }, + "name": "busybox", + "version": "1.35.0-r29", + "hashes": [ + { + "alg": "SHA-1", + "content": "34ddeca74cabf7d6ed472b2ab72de7414ad61da6" + } + ], + "licenses": [ + { + "license": { + "id": "GPL-2.0-only" + } + } + ], + "purl": "pkg:apk/alpine/busybox@1.35.0-r29?arch=x86_64&distro=3.17.0", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:ded7a220bb058e28ee3254fbba04ca90b679070424424761a53a043b93b612bf" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:c158987b05517b6f2c5913f3acef1f2182a32345a304fe357e3ace5fadcad715" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "busybox@1.35.0-r29" + }, + { + "name": 
"aquasecurity:trivy:PkgType", + "value": "alpine" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "busybox" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.35.0-r29" + } + ] + }, + { + "bom-ref": "pkg:apk/alpine/ca-certificates-bundle@20220614-r2?arch=x86_64&distro=3.17.0", + "type": "library", + "supplier": { + "name": "Natanael Copa " + }, + "name": "ca-certificates-bundle", + "version": "20220614-r2", + "hashes": [ + { + "alg": "SHA-1", + "content": "9e3c4b432e3820273336d5c48c732fcf81615959" + } + ], + "licenses": [ + { + "license": { + "id": "MPL-2.0" + } + }, + { + "license": { + "id": "MIT" + } + } + ], + "purl": "pkg:apk/alpine/ca-certificates-bundle@20220614-r2?arch=x86_64&distro=3.17.0", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:ded7a220bb058e28ee3254fbba04ca90b679070424424761a53a043b93b612bf" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:c158987b05517b6f2c5913f3acef1f2182a32345a304fe357e3ace5fadcad715" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "ca-certificates-bundle@20220614-r2" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "alpine" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "ca-certificates" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "20220614-r2" + } + ] + }, + { + "bom-ref": "pkg:apk/alpine/libc-utils@0.7.2-r3?arch=x86_64&distro=3.17.0", + "type": "library", + "supplier": { + "name": "Natanael Copa " + }, + "name": "libc-utils", + "version": "0.7.2-r3", + "hashes": [ + { + "alg": "SHA-1", + "content": "f46834ea904f8a21bd50df78aa5eea226b074944" + } + ], + "licenses": [ + { + "license": { + "id": "BSD-2-Clause" + } + }, + { + "license": { + "id": "BSD-3-Clause" + } + } + ], + "purl": "pkg:apk/alpine/libc-utils@0.7.2-r3?arch=x86_64&distro=3.17.0", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": 
"sha256:ded7a220bb058e28ee3254fbba04ca90b679070424424761a53a043b93b612bf" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:c158987b05517b6f2c5913f3acef1f2182a32345a304fe357e3ace5fadcad715" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libc-utils@0.7.2-r3" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "alpine" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "libc-dev" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "0.7.2-r3" + } + ] + }, + { + "bom-ref": "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "type": "library", + "supplier": { + "name": "Ariadne Conill " + }, + "name": "libcrypto3", + "version": "3.0.7-r0", + "hashes": [ + { + "alg": "SHA-1", + "content": "4e39ab0046b93ca778d0f373e8e229a3e6c1796d" + } + ], + "licenses": [ + { + "license": { + "id": "Apache-2.0" + } + } + ], + "purl": "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:ded7a220bb058e28ee3254fbba04ca90b679070424424761a53a043b93b612bf" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:c158987b05517b6f2c5913f3acef1f2182a32345a304fe357e3ace5fadcad715" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libcrypto3@3.0.7-r0" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "alpine" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "openssl" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.0.7-r0" + } + ] + }, + { + "bom-ref": "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "type": "library", + "supplier": { + "name": "Ariadne Conill " + }, + "name": "libssl3", + "version": "3.0.7-r0", + "hashes": [ + { + "alg": "SHA-1", + "content": "133e78acb5153e50229dcb89d9e0edc589eb7a4e" + } + ], + "licenses": [ + { + "license": { + "id": "Apache-2.0" + } + } + ], + "purl": "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + 
"properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:ded7a220bb058e28ee3254fbba04ca90b679070424424761a53a043b93b612bf" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:c158987b05517b6f2c5913f3acef1f2182a32345a304fe357e3ace5fadcad715" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "libssl3@3.0.7-r0" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "alpine" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "openssl" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "3.0.7-r0" + } + ] + }, + { + "bom-ref": "pkg:apk/alpine/musl-utils@1.2.3-r4?arch=x86_64&distro=3.17.0", + "type": "library", + "supplier": { + "name": "Timo Teräs " + }, + "name": "musl-utils", + "version": "1.2.3-r4", + "hashes": [ + { + "alg": "SHA-1", + "content": "65624be1ec92c7c9cf4a3175140260432bee36ce" + } + ], + "licenses": [ + { + "license": { + "id": "MIT" + } + }, + { + "license": { + "id": "BSD-2-Clause" + } + }, + { + "license": { + "id": "GPL-2.0-or-later" + } + } + ], + "purl": "pkg:apk/alpine/musl-utils@1.2.3-r4?arch=x86_64&distro=3.17.0", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:ded7a220bb058e28ee3254fbba04ca90b679070424424761a53a043b93b612bf" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:c158987b05517b6f2c5913f3acef1f2182a32345a304fe357e3ace5fadcad715" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "musl-utils@1.2.3-r4" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "alpine" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "musl" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.2.3-r4" + } + ] + }, + { + "bom-ref": "pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64&distro=3.17.0", + "type": "library", + "supplier": { + "name": "Timo Teräs " + }, + "name": "musl", + "version": "1.2.3-r4", + "hashes": [ + { + "alg": "SHA-1", + "content": "3e4ef1d70a00adb0759f390c3c93ead53102c2eb" + 
} + ], + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "purl": "pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64&distro=3.17.0", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:ded7a220bb058e28ee3254fbba04ca90b679070424424761a53a043b93b612bf" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:c158987b05517b6f2c5913f3acef1f2182a32345a304fe357e3ace5fadcad715" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "musl@1.2.3-r4" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "alpine" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "musl" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.2.3-r4" + } + ] + }, + { + "bom-ref": "pkg:apk/alpine/scanelf@1.3.5-r1?arch=x86_64&distro=3.17.0", + "type": "library", + "supplier": { + "name": "Natanael Copa " + }, + "name": "scanelf", + "version": "1.3.5-r1", + "hashes": [ + { + "alg": "SHA-1", + "content": "d5dc5816c1ef045033cc7183a3980e4c33490f24" + } + ], + "licenses": [ + { + "license": { + "id": "GPL-2.0-only" + } + } + ], + "purl": "pkg:apk/alpine/scanelf@1.3.5-r1?arch=x86_64&distro=3.17.0", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:ded7a220bb058e28ee3254fbba04ca90b679070424424761a53a043b93b612bf" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:c158987b05517b6f2c5913f3acef1f2182a32345a304fe357e3ace5fadcad715" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "scanelf@1.3.5-r1" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "alpine" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "pax-utils" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.3.5-r1" + } + ] + }, + { + "bom-ref": "pkg:apk/alpine/ssl_client@1.35.0-r29?arch=x86_64&distro=3.17.0", + "type": "library", + "supplier": { + "name": "Sören Tempel " + }, + "name": "ssl_client", + "version": "1.35.0-r29", + "hashes": [ + { + "alg": "SHA-1", + 
"content": "42ea998de3fa5c6f39236f6d3a2096a1f2fc0a3d" + } + ], + "licenses": [ + { + "license": { + "id": "GPL-2.0-only" + } + } + ], + "purl": "pkg:apk/alpine/ssl_client@1.35.0-r29?arch=x86_64&distro=3.17.0", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:ded7a220bb058e28ee3254fbba04ca90b679070424424761a53a043b93b612bf" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:c158987b05517b6f2c5913f3acef1f2182a32345a304fe357e3ace5fadcad715" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "ssl_client@1.35.0-r29" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "alpine" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "busybox" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.35.0-r29" + } + ] + }, + { + "bom-ref": "pkg:apk/alpine/zlib@1.2.13-r0?arch=x86_64&distro=3.17.0", + "type": "library", + "supplier": { + "name": "Natanael Copa " + }, + "name": "zlib", + "version": "1.2.13-r0", + "hashes": [ + { + "alg": "SHA-1", + "content": "ae39d74f4d65d4f0315e1794c5ee0e95d979ac59" + } + ], + "licenses": [ + { + "license": { + "id": "Zlib" + } + } + ], + "purl": "pkg:apk/alpine/zlib@1.2.13-r0?arch=x86_64&distro=3.17.0", + "properties": [ + { + "name": "aquasecurity:trivy:LayerDiffID", + "value": "sha256:ded7a220bb058e28ee3254fbba04ca90b679070424424761a53a043b93b612bf" + }, + { + "name": "aquasecurity:trivy:LayerDigest", + "value": "sha256:c158987b05517b6f2c5913f3acef1f2182a32345a304fe357e3ace5fadcad715" + }, + { + "name": "aquasecurity:trivy:PkgID", + "value": "zlib@1.2.13-r0" + }, + { + "name": "aquasecurity:trivy:PkgType", + "value": "alpine" + }, + { + "name": "aquasecurity:trivy:SrcName", + "value": "zlib" + }, + { + "name": "aquasecurity:trivy:SrcVersion", + "value": "1.2.13-r0" + } + ] + } + ], + "dependencies": [ + { + "ref": "631bcfb7-efef-4ded-9e5c-80e47a551330", + "dependsOn": [ + "pkg:apk/alpine/alpine-baselayout@3.4.0-r0?arch=x86_64&distro=3.17.0", + 
"pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&distro=3.17.0", + "pkg:apk/alpine/apk-tools@2.12.10-r1?arch=x86_64&distro=3.17.0", + "pkg:apk/alpine/libc-utils@0.7.2-r3?arch=x86_64&distro=3.17.0", + "pkg:apk/alpine/ssl_client@1.35.0-r29?arch=x86_64&distro=3.17.0" + ] + }, + { + "ref": "pkg:apk/alpine/alpine-baselayout-data@3.4.0-r0?arch=x86_64&distro=3.17.0", + "dependsOn": [] + }, + { + "ref": "pkg:apk/alpine/alpine-baselayout@3.4.0-r0?arch=x86_64&distro=3.17.0", + "dependsOn": [ + "pkg:apk/alpine/alpine-baselayout-data@3.4.0-r0?arch=x86_64&distro=3.17.0", + "pkg:apk/alpine/busybox-binsh@1.35.0-r29?arch=x86_64&distro=3.17.0" + ] + }, + { + "ref": "pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&distro=3.17.0", + "dependsOn": [] + }, + { + "ref": "pkg:apk/alpine/apk-tools@2.12.10-r1?arch=x86_64&distro=3.17.0", + "dependsOn": [ + "pkg:apk/alpine/ca-certificates-bundle@20220614-r2?arch=x86_64&distro=3.17.0", + "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64&distro=3.17.0", + "pkg:apk/alpine/zlib@1.2.13-r0?arch=x86_64&distro=3.17.0" + ] + }, + { + "ref": "pkg:apk/alpine/busybox-binsh@1.35.0-r29?arch=x86_64&distro=3.17.0", + "dependsOn": [ + "pkg:apk/alpine/busybox@1.35.0-r29?arch=x86_64&distro=3.17.0" + ] + }, + { + "ref": "pkg:apk/alpine/busybox@1.35.0-r29?arch=x86_64&distro=3.17.0", + "dependsOn": [ + "pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64&distro=3.17.0" + ] + }, + { + "ref": "pkg:apk/alpine/ca-certificates-bundle@20220614-r2?arch=x86_64&distro=3.17.0", + "dependsOn": [] + }, + { + "ref": "pkg:apk/alpine/libc-utils@0.7.2-r3?arch=x86_64&distro=3.17.0", + "dependsOn": [ + "pkg:apk/alpine/musl-utils@1.2.3-r4?arch=x86_64&distro=3.17.0" + ] + }, + { + "ref": "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "dependsOn": [ + "pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64&distro=3.17.0" + ] + }, + { + "ref": 
"pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "dependsOn": [ + "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64&distro=3.17.0" + ] + }, + { + "ref": "pkg:apk/alpine/musl-utils@1.2.3-r4?arch=x86_64&distro=3.17.0", + "dependsOn": [ + "pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64&distro=3.17.0", + "pkg:apk/alpine/scanelf@1.3.5-r1?arch=x86_64&distro=3.17.0" + ] + }, + { + "ref": "pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64&distro=3.17.0", + "dependsOn": [] + }, + { + "ref": "pkg:apk/alpine/scanelf@1.3.5-r1?arch=x86_64&distro=3.17.0", + "dependsOn": [ + "pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64&distro=3.17.0" + ] + }, + { + "ref": "pkg:apk/alpine/ssl_client@1.35.0-r29?arch=x86_64&distro=3.17.0", + "dependsOn": [ + "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64&distro=3.17.0" + ] + }, + { + "ref": "pkg:apk/alpine/zlib@1.2.13-r0?arch=x86_64&distro=3.17.0", + "dependsOn": [ + "pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64&distro=3.17.0" + ] + }, + { + "ref": "pkg:oci/alpine@sha256%3A8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4?arch=amd64&repository_url=index.docker.io%2Flibrary%2Falpine", + "dependsOn": [ + "631bcfb7-efef-4ded-9e5c-80e47a551330" + ] + } + ], + "vulnerabilities": [ + { + "id": "CVE-2022-3996", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + "source": { + "name": "amazon" + }, + "severity": "low" + }, + { + "source": { + "name": "azure" + }, + "severity": "high" + }, + { + "source": { + "name": "ghsa" + }, + "score": 7.5, + "severity": "high", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "nvd" + }, + "score": 7.5, + "severity": "high", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + 
"source": { + "name": "photon" + }, + "severity": "high" + }, + { + "source": { + "name": "redhat" + }, + "score": 5.3, + "severity": "low", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "low" + } + ], + "cwes": [ + 667 + ], + "description": "If an X.509 certificate contains a malformed policy constraint and\npolicy processing is enabled, then a write lock will be taken twice\nrecursively. On some operating systems (most widely: Windows) this\nresults in a denial of service when the affected process hangs. Policy\nprocessing being enabled on a publicly facing server is not considered\nto be a common setup.\n\nPolicy processing is enabled by passing the `-policy'\nargument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.\n\nUpdate (31 March 2023): The description of the policy processing enablement\nwas corrected based on CVE-2023-0466.", + "recommendation": "Upgrade libcrypto3 to version 3.0.7-r2; Upgrade libssl3 to version 3.0.7-r2", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2022-3996" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2022-3996" + }, + { + "url": "https://github.com/alexcrichton/openssl-src-rs" + }, + { + "url": "https://github.com/openssl/openssl/commit/7725e7bfe6f2ce8146b6552b44e0d226be7638e7" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3996" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230203-0003/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6039-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-3996" + }, + { + "url": "https://www.openssl.org/news/secadv/20221213.txt" + } + ], + "published": "2022-12-13T16:15:22+00:00", + "updated": "2024-11-21T07:20:42+00:00", + "affects": [ + { + "ref": "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + 
"status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2022-4203", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + "source": { + "name": "alma" + }, + "severity": "medium" + }, + { + "source": { + "name": "amazon" + }, + "severity": "high" + }, + { + "source": { + "name": "ghsa" + }, + "score": 9.1, + "severity": "critical", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H" + }, + { + "source": { + "name": "nvd" + }, + "score": 4.9, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "oracle-oval" + }, + "severity": "medium" + }, + { + "source": { + "name": "photon" + }, + "severity": "medium" + }, + { + "source": { + "name": "redhat" + }, + "score": 4.9, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "rocky" + }, + "severity": "high" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "medium" + } + ], + "cwes": [ + 125 + ], + "description": "A read buffer overrun can be triggered in X.509 certificate verification,\nspecifically in name constraint checking. Note that this occurs\nafter certificate chain signature verification and requires either a\nCA to have signed the malicious certificate or for the application to\ncontinue certificate verification despite failure to construct a path\nto a trusted issuer.\n\nThe read buffer overrun might result in a crash which could lead to\na denial of service attack. 
In theory it could also result in the disclosure\nof private memory contents (such as private keys, or sensitive plaintext)\nalthough we are not aware of any working exploit leading to memory\ncontents disclosure as of the time of release of this advisory.\n\nIn a TLS client, this can be triggered by connecting to a malicious\nserver. In a TLS server, this can be triggered if the server requests\nclient authentication and a malicious client connects.", + "recommendation": "Upgrade libcrypto3 to version 3.0.8-r0; Upgrade libssl3 to version 3.0.8-r0", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2022-4203" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0946" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2022-4203" + }, + { + "url": "https://bugzilla.redhat.com/2164440" + }, + { + "url": "https://bugzilla.redhat.com/2164487" + }, + { + "url": "https://bugzilla.redhat.com/2164488" + }, + { + "url": "https://bugzilla.redhat.com/2164492" + }, + { + "url": "https://bugzilla.redhat.com/2164494" + }, + { + "url": "https://bugzilla.redhat.com/2164497" + }, + { + "url": "https://bugzilla.redhat.com/2164499" + }, + { + "url": "https://bugzilla.redhat.com/2164500" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144000" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144003" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144006" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144008" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144010" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144012" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144015" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144017" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144019" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145170" + }, + { + "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2158412" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164440" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164487" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164488" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164492" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164494" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164497" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164499" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164500" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4203" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4304" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4450" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0215" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0216" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0217" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0286" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0401" + }, + { + "url": "https://errata.almalinux.org/9/ALSA-2023-0946.html" + }, + { + "url": "https://errata.rockylinux.org/RLSA-2023:0946" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c927a3492698c254637da836762f9b1f86cffabc" + }, + { + "url": "https://linux.oracle.com/cve/CVE-2022-4203.html" + }, + { + "url": "https://linux.oracle.com/errata/ELSA-2023-12152.html" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4203" + }, + { + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0008.html" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5844-1" + }, + { + "url": 
"https://www.cve.org/CVERecord?id=CVE-2022-4203" + }, + { + "url": "https://www.openssl.org/news/secadv/20230207.txt" + } + ], + "published": "2023-02-24T15:15:11+00:00", + "updated": "2025-03-20T21:15:14+00:00", + "affects": [ + { + "ref": "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2022-4304", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + "source": { + "name": "alma" + }, + "severity": "high" + }, + { + "source": { + "name": "amazon" + }, + "severity": "high" + }, + { + "source": { + "name": "azure" + }, + "severity": "medium" + }, + { + "source": { + "name": "cbl-mariner" + }, + "severity": "medium" + }, + { + "source": { + "name": "ghsa" + }, + "score": 5.9, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + }, + { + "source": { + "name": "nvd" + }, + "score": 5.9, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + }, + { + "source": { + "name": "oracle-oval" + }, + "severity": "high" + }, + { + "source": { + "name": "photon" + }, + "severity": "medium" + }, + { + "source": { + "name": "redhat" + }, + "score": 5.9, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" + }, + { + "source": { + "name": "rocky" + }, + "severity": "high" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "medium" + } + ], + "cwes": [ + 203 + ], + "description": "A timing based side channel exists in the OpenSSL RSA Decryption implementation\nwhich could be sufficient to recover a plaintext across a network in a\nBleichenbacher style attack. 
To achieve a successful decryption an attacker\nwould have to be able to send a very large number of trial messages for\ndecryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,\nRSA-OEAP and RSASVE.\n\nFor example, in a TLS connection, RSA is commonly used by a client to send an\nencrypted pre-master secret to the server. An attacker that had observed a\ngenuine connection between a client and a server could use this flaw to send\ntrial messages to the server and record the time taken to process them. After a\nsufficiently large number of messages the attacker could recover the pre-master\nsecret used for the original connection and thus be able to decrypt the\napplication data sent over that connection.", + "recommendation": "Upgrade libcrypto3 to version 3.0.8-r0; Upgrade libssl3 to version 3.0.8-r0", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2022-4304" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:2165" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2022-4304" + }, + { + "url": "https://bugzilla.redhat.com/1960321" + }, + { + "url": "https://bugzilla.redhat.com/2164440" + }, + { + "url": "https://bugzilla.redhat.com/2164487" + }, + { + "url": "https://bugzilla.redhat.com/2164492" + }, + { + "url": "https://bugzilla.redhat.com/2164494" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144000" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144003" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144006" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144008" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144010" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144012" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144015" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144017" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144019" + }, + { + "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2145170" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158412" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164440" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164487" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164488" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164492" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164494" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164497" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164499" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164500" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4203" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4304" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4450" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0215" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0216" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0217" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0286" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0401" + }, + { + "url": "https://errata.almalinux.org/9/ALSA-2023-2165.html" + }, + { + "url": "https://errata.rockylinux.org/RLSA-2023:0946" + }, + { + "url": "https://linux.oracle.com/cve/CVE-2022-4304.html" + }, + { + "url": "https://linux.oracle.com/errata/ELSA-2023-32791.html" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4304" + }, + { + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0007.html" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5844-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6564-1" + }, + { + "url": 
"https://www.cve.org/CVERecord?id=CVE-2022-4304" + }, + { + "url": "https://www.openssl.org/news/secadv/20230207.txt" + } + ], + "published": "2023-02-08T20:15:23+00:00", + "updated": "2025-03-20T21:15:14+00:00", + "affects": [ + { + "ref": "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2022-4450", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + "source": { + "name": "alma" + }, + "severity": "high" + }, + { + "source": { + "name": "amazon" + }, + "severity": "high" + }, + { + "source": { + "name": "azure" + }, + "severity": "high" + }, + { + "source": { + "name": "cbl-mariner" + }, + "severity": "high" + }, + { + "source": { + "name": "ghsa" + }, + "score": 7.5, + "severity": "high", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "nvd" + }, + "score": 7.5, + "severity": "high", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "oracle-oval" + }, + "severity": "high" + }, + { + "source": { + "name": "photon" + }, + "severity": "high" + }, + { + "source": { + "name": "redhat" + }, + "score": 7.5, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "rocky" + }, + "severity": "high" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "medium" + } + ], + "cwes": [ + 415 + ], + "description": "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and\ndecodes the \"name\" (e.g. 
\"CERTIFICATE\"), any header data and the payload data.\nIf the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are\npopulated with pointers to buffers containing the relevant decoded data. The\ncaller is responsible for freeing those buffers. It is possible to construct a\nPEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex()\nwill return a failure code but will populate the header argument with a pointer\nto a buffer that has already been freed. If the caller also frees this buffer\nthen a double free will occur. This will most likely lead to a crash. This\ncould be exploited by an attacker who has the ability to supply malicious PEM\nfiles for parsing to achieve a denial of service attack.\n\nThe functions PEM_read_bio() and PEM_read() are simple wrappers around\nPEM_read_bio_ex() and therefore these functions are also directly affected.\n\nThese functions are also called indirectly by a number of other OpenSSL\nfunctions including PEM_X509_INFO_read_bio_ex() and\nSSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal\nuses of these functions are not vulnerable because the caller does not free the\nheader argument if PEM_read_bio_ex() returns a failure code. 
These locations\ninclude the PEM_read_bio_TYPE() functions as well as the decoders introduced in\nOpenSSL 3.0.\n\nThe OpenSSL asn1parse command line application is also impacted by this issue.", + "recommendation": "Upgrade libcrypto3 to version 3.0.8-r0; Upgrade libssl3 to version 3.0.8-r0", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2022-4450" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:2165" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2022-4450" + }, + { + "url": "https://bugzilla.redhat.com/1960321" + }, + { + "url": "https://bugzilla.redhat.com/2164440" + }, + { + "url": "https://bugzilla.redhat.com/2164487" + }, + { + "url": "https://bugzilla.redhat.com/2164492" + }, + { + "url": "https://bugzilla.redhat.com/2164494" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144000" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144003" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144006" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144008" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144010" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144012" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144015" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144017" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144019" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145170" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158412" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164440" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164487" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164488" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164492" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164494" + }, + { + "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2164497" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164499" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164500" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4203" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4304" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4450" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0215" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0216" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0217" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0286" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0401" + }, + { + "url": "https://errata.almalinux.org/9/ALSA-2023-2165.html" + }, + { + "url": "https://errata.rockylinux.org/RLSA-2023:0946" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=63bcf189be73a9cc1264059bed6f57974be74a83" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bbcf509bd046b34cca19c766bbddc31683d0858b" + }, + { + "url": "https://linux.oracle.com/cve/CVE-2022-4450.html" + }, + { + "url": "https://linux.oracle.com/errata/ELSA-2023-32791.html" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4450" + }, + { + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0010.html" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5844-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6564-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-4450" + }, + { + "url": "https://www.openssl.org/news/secadv/20230207.txt" + } + ], + "published": "2023-02-08T20:15:23+00:00", + "updated": "2025-05-05T16:15:22+00:00", + "affects": [ + { + "ref": 
"pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2023-0215", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + "source": { + "name": "alma" + }, + "severity": "high" + }, + { + "source": { + "name": "amazon" + }, + "severity": "high" + }, + { + "source": { + "name": "azure" + }, + "severity": "high" + }, + { + "source": { + "name": "cbl-mariner" + }, + "severity": "high" + }, + { + "source": { + "name": "ghsa" + }, + "score": 7.5, + "severity": "high", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "nvd" + }, + "score": 7.5, + "severity": "high", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "oracle-oval" + }, + "severity": "high" + }, + { + "source": { + "name": "photon" + }, + "severity": "high" + }, + { + "source": { + "name": "redhat" + }, + "score": 7.5, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "rocky" + }, + "severity": "high" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "medium" + } + ], + "cwes": [ + 416 + ], + "description": "The public API function BIO_new_NDEF is a helper function used for streaming\nASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the\nSMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by\nend user applications.\n\nThe function receives a BIO from the caller, prepends a new BIO_f_asn1 filter\nBIO onto the front of it to form a BIO chain, and then returns the new head of\nthe BIO chain to the caller. 
Under certain conditions, for example if a CMS\nrecipient public key is invalid, the new filter BIO is freed and the function\nreturns a NULL result indicating a failure. However, in this case, the BIO chain\nis not properly cleaned up and the BIO passed by the caller still retains\ninternal pointers to the previously freed filter BIO. If the caller then goes on\nto call BIO_pop() on the BIO then a use-after-free will occur. This will most\nlikely result in a crash.\n\n\n\nThis scenario occurs directly in the internal function B64_write_ASN1() which\nmay cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on\nthe BIO. This internal function is in turn called by the public API functions\nPEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream,\nSMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.\n\nOther public API functions that may be impacted by this include\ni2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and\ni2d_PKCS7_bio_stream.\n\nThe OpenSSL cms and smime command line applications are similarly affected.", + "recommendation": "Upgrade libcrypto3 to version 3.0.8-r0; Upgrade libssl3 to version 3.0.8-r0", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2023-0215" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:2165" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-0215" + }, + { + "url": "https://bugzilla.redhat.com/1960321" + }, + { + "url": "https://bugzilla.redhat.com/2164440" + }, + { + "url": "https://bugzilla.redhat.com/2164487" + }, + { + "url": "https://bugzilla.redhat.com/2164492" + }, + { + "url": "https://bugzilla.redhat.com/2164494" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144000" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144003" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144006" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144008" + }, + { + "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2144010" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144012" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144015" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144017" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144019" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145170" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158412" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164440" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164487" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164488" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164492" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164494" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164497" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164499" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164500" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4203" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4304" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4450" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0215" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0216" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0217" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0286" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0401" + }, + { + "url": "https://errata.almalinux.org/9/ALSA-2023-2165.html" + }, + { + "url": "https://errata.rockylinux.org/RLSA-2023:0946" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8818064ce3c3c0f1b740a5aaba2a987e75bfbafd" + }, + { + "url": 
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9816136fe31d92ace4037d5da5257f763aeeb4eb" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c3829dd8825c654652201e16f8a0a0c46ee3f344" + }, + { + "url": "https://linux.oracle.com/cve/CVE-2023-0215.html" + }, + { + "url": "https://linux.oracle.com/errata/ELSA-2023-32791.html" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0215" + }, + { + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0009.html" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230427-0007" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230427-0007/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230427-0009" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230427-0009/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5844-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5845-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5845-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6564-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-0215" + }, + { + "url": "https://www.openssl.org/news/secadv/20230207.txt" + } + ], + "published": "2023-02-08T20:15:24+00:00", + "updated": "2025-05-05T16:15:24+00:00", + "affects": [ + { + "ref": "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2023-0216", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + 
"source": { + "name": "alma" + }, + "severity": "medium" + }, + { + "source": { + "name": "amazon" + }, + "severity": "high" + }, + { + "source": { + "name": "ghsa" + }, + "score": 7.5, + "severity": "high", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "nvd" + }, + "score": 7.5, + "severity": "high", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "oracle-oval" + }, + "severity": "medium" + }, + { + "source": { + "name": "photon" + }, + "severity": "high" + }, + { + "source": { + "name": "redhat" + }, + "score": 7.5, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "rocky" + }, + "severity": "high" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "medium" + } + ], + "cwes": [ + 476 + ], + "description": "An invalid pointer dereference on read can be triggered when an\napplication tries to load malformed PKCS7 data with the\nd2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions.\n\nThe result of the dereference is an application crash which could\nlead to a denial of service attack. 
The TLS implementation in OpenSSL\ndoes not call this function however third party applications might\ncall these functions on untrusted data.", + "recommendation": "Upgrade libcrypto3 to version 3.0.8-r0; Upgrade libssl3 to version 3.0.8-r0", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2023-0216" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0946" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-0216" + }, + { + "url": "https://bugzilla.redhat.com/2164440" + }, + { + "url": "https://bugzilla.redhat.com/2164487" + }, + { + "url": "https://bugzilla.redhat.com/2164488" + }, + { + "url": "https://bugzilla.redhat.com/2164492" + }, + { + "url": "https://bugzilla.redhat.com/2164494" + }, + { + "url": "https://bugzilla.redhat.com/2164497" + }, + { + "url": "https://bugzilla.redhat.com/2164499" + }, + { + "url": "https://bugzilla.redhat.com/2164500" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144000" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144003" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144006" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144008" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144010" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144012" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144015" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144017" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144019" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145170" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158412" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164440" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164487" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164488" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164492" + }, + { + 
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164494" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164497" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164499" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164500" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4203" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4304" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4450" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0215" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0216" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0217" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0286" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0401" + }, + { + "url": "https://errata.almalinux.org/9/ALSA-2023-0946.html" + }, + { + "url": "https://errata.rockylinux.org/RLSA-2023:0946" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=934a04f0e775309cadbef0aa6b9692e1b12a76c6" + }, + { + "url": "https://linux.oracle.com/cve/CVE-2023-0216.html" + }, + { + "url": "https://linux.oracle.com/errata/ELSA-2023-12152.html" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0216" + }, + { + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0011.html" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5844-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-0216" + }, + { + "url": "https://www.openssl.org/news/secadv/20230207.txt" + } + ], + "published": "2023-02-08T20:15:24+00:00", + "updated": "2025-05-05T16:15:25+00:00", + "affects": [ + { + "ref": "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + }, 
+ { + "ref": "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2023-0217", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + "source": { + "name": "alma" + }, + "severity": "medium" + }, + { + "source": { + "name": "amazon" + }, + "severity": "high" + }, + { + "source": { + "name": "ghsa" + }, + "score": 7.5, + "severity": "high", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "nvd" + }, + "score": 7.5, + "severity": "high", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "oracle-oval" + }, + "severity": "medium" + }, + { + "source": { + "name": "photon" + }, + "severity": "high" + }, + { + "source": { + "name": "redhat" + }, + "score": 7.5, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "rocky" + }, + "severity": "high" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "medium" + } + ], + "cwes": [ + 476 + ], + "description": "An invalid pointer dereference on read can be triggered when an\napplication tries to check a malformed DSA public key by the\nEVP_PKEY_public_check() function. This will most likely lead\nto an application crash. 
This function can be called on public\nkeys supplied from untrusted sources which could allow an attacker\nto cause a denial of service attack.\n\nThe TLS implementation in OpenSSL does not call this function\nbut applications might call the function if there are additional\nsecurity requirements imposed by standards such as FIPS 140-3.", + "recommendation": "Upgrade libcrypto3 to version 3.0.8-r0; Upgrade libssl3 to version 3.0.8-r0", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2023-0217" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0946" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-0217" + }, + { + "url": "https://bugzilla.redhat.com/2164440" + }, + { + "url": "https://bugzilla.redhat.com/2164487" + }, + { + "url": "https://bugzilla.redhat.com/2164488" + }, + { + "url": "https://bugzilla.redhat.com/2164492" + }, + { + "url": "https://bugzilla.redhat.com/2164494" + }, + { + "url": "https://bugzilla.redhat.com/2164497" + }, + { + "url": "https://bugzilla.redhat.com/2164499" + }, + { + "url": "https://bugzilla.redhat.com/2164500" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144000" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144003" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144006" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144008" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144010" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144012" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144015" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144017" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144019" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145170" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158412" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164440" + }, + { + "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2164487" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164488" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164492" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164494" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164497" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164499" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164500" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4203" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4304" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4450" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0215" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0216" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0217" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0286" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0401" + }, + { + "url": "https://errata.almalinux.org/9/ALSA-2023-0946.html" + }, + { + "url": "https://errata.rockylinux.org/RLSA-2023:0946" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=23985bac83fd50c8e29431009302b5442f985096" + }, + { + "url": "https://linux.oracle.com/cve/CVE-2023-0217.html" + }, + { + "url": "https://linux.oracle.com/errata/ELSA-2023-12152.html" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0217" + }, + { + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0012.html" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5844-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-0217" + }, + { + "url": "https://www.openssl.org/news/secadv/20230207.txt" + } + ], + "published": "2023-02-08T20:15:24+00:00", + 
"updated": "2025-05-05T16:15:25+00:00", + "affects": [ + { + "ref": "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2023-0286", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + "source": { + "name": "alma" + }, + "severity": "high" + }, + { + "source": { + "name": "amazon" + }, + "severity": "high" + }, + { + "source": { + "name": "azure" + }, + "severity": "high" + }, + { + "source": { + "name": "cbl-mariner" + }, + "severity": "high" + }, + { + "source": { + "name": "ghsa" + }, + "score": 7.4, + "severity": "high", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H" + }, + { + "source": { + "name": "nvd" + }, + "score": 7.4, + "severity": "high", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H" + }, + { + "source": { + "name": "oracle-oval" + }, + "severity": "high" + }, + { + "source": { + "name": "photon" + }, + "severity": "high" + }, + { + "source": { + "name": "redhat" + }, + "score": 7.4, + "severity": "high", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H" + }, + { + "source": { + "name": "rocky" + }, + "severity": "high" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "high" + } + ], + "cwes": [ + 843 + ], + "description": "There is a type confusion vulnerability relating to X.400 address processing\ninside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but\nthe public structure definition for GENERAL_NAME incorrectly specified the type\nof the x400Address field as ASN1_TYPE. 
This field is subsequently interpreted by\nthe OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an\nASN1_STRING.\n\nWhen CRL checking is enabled (i.e. the application sets the\nX509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass\narbitrary pointers to a memcmp call, enabling them to read memory contents or\nenact a denial of service. In most cases, the attack requires the attacker to\nprovide both the certificate chain and CRL, neither of which need to have a\nvalid signature. If the attacker only controls one of these inputs, the other\ninput must already contain an X.400 address as a CRL distribution point, which\nis uncommon. As such, this vulnerability is most likely to only affect\napplications which have implemented their own functionality for retrieving CRLs\nover a network.", + "recommendation": "Upgrade libcrypto3 to version 3.0.8-r0; Upgrade libssl3 to version 3.0.8-r0", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2023-0286" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2025:7937" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-0286" + }, + { + "url": "https://access.redhat.com/security/cve/cve-2023-0286" + }, + { + "url": "https://bugzilla.redhat.com/2164440" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144000" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144003" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144006" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144008" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144010" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144012" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144015" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144017" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144019" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145170" + 
}, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158412" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164440" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164487" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164488" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164492" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164494" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164497" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164499" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164500" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4203" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4304" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4450" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0215" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0216" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0217" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0286" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0401" + }, + { + "url": "https://errata.almalinux.org/9/ALSA-2025-7937.html" + }, + { + "url": "https://errata.rockylinux.org/RLSA-2023:0946" + }, + { + "url": "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.2-relnotes.txt" + }, + { + "url": "https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/018_x509.patch.sig" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2f7530077e0ef79d98718138716bc51ca0cad658" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fd2af07dc083a350c959147097003a14a5e8ac4d" + }, + { + 
"url": "https://github.com/pyca/cryptography" + }, + { + "url": "https://github.com/pyca/cryptography/security/advisories/GHSA-x4qr-2fvf-3mr5" + }, + { + "url": "https://linux.oracle.com/cve/CVE-2023-0286.html" + }, + { + "url": "https://linux.oracle.com/errata/ELSA-2025-7937.html" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0286" + }, + { + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0006.html" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5844-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5845-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5845-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6564-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-0286" + }, + { + "url": "https://www.openssl.org/news/secadv/20230207.txt" + } + ], + "published": "2023-02-08T20:15:24+00:00", + "updated": "2025-03-20T21:15:16+00:00", + "affects": [ + { + "ref": "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2023-0401", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + "source": { + "name": "alma" + }, + "severity": "medium" + }, + { + "source": { + "name": "amazon" + }, + "severity": "high" + }, + { + "source": { + "name": "ghsa" + }, + "score": 7.5, + "severity": "high", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "nvd" + }, + "score": 7.5, + "severity": "high", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "oracle-oval" + }, + "severity": "medium" + }, + { + 
"source": { + "name": "photon" + }, + "severity": "high" + }, + { + "source": { + "name": "redhat" + }, + "score": 7.5, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "rocky" + }, + "severity": "high" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "medium" + } + ], + "cwes": [ + 476 + ], + "description": "A NULL pointer can be dereferenced when signatures are being\nverified on PKCS7 signed or signedAndEnveloped data. In case the hash\nalgorithm used for the signature is known to the OpenSSL library but\nthe implementation of the hash algorithm is not available the digest\ninitialization will fail. There is a missing check for the return\nvalue from the initialization function which later leads to invalid\nusage of the digest API most likely leading to a crash.\n\nThe unavailability of an algorithm can be caused by using FIPS\nenabled configuration of providers or more commonly by not loading\nthe legacy provider.\n\nPKCS7 data is processed by the SMIME library calls and also by the\ntime stamp (TS) library calls. 
The TLS implementation in OpenSSL does\nnot call these functions however third party applications would be\naffected if they call these functions to verify signatures on untrusted\ndata.", + "recommendation": "Upgrade libcrypto3 to version 3.0.8-r0; Upgrade libssl3 to version 3.0.8-r0", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2023-0401" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0946" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-0401" + }, + { + "url": "https://bugzilla.redhat.com/2164440" + }, + { + "url": "https://bugzilla.redhat.com/2164487" + }, + { + "url": "https://bugzilla.redhat.com/2164488" + }, + { + "url": "https://bugzilla.redhat.com/2164492" + }, + { + "url": "https://bugzilla.redhat.com/2164494" + }, + { + "url": "https://bugzilla.redhat.com/2164497" + }, + { + "url": "https://bugzilla.redhat.com/2164499" + }, + { + "url": "https://bugzilla.redhat.com/2164500" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144000" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144003" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144006" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144008" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144010" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144012" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144015" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144017" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144019" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145170" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158412" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164440" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164487" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164488" + }, + { + "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2164492" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164494" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164497" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164499" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164500" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4203" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4304" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4450" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0215" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0216" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0217" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0286" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0401" + }, + { + "url": "https://errata.almalinux.org/9/ALSA-2023-0946.html" + }, + { + "url": "https://errata.rockylinux.org/RLSA-2023:0946" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d3b6dfd70db844c4499bec6ad6601623a565e674" + }, + { + "url": "https://github.com/alexcrichton/openssl-src-rs" + }, + { + "url": "https://linux.oracle.com/cve/CVE-2023-0401.html" + }, + { + "url": "https://linux.oracle.com/errata/ELSA-2023-12152.html" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0401" + }, + { + "url": "https://rustsec.org/advisories/RUSTSEC-2023-0013.html" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5844-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6564-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-0401" + }, + { + "url": "https://www.openssl.org/news/secadv/20230207.txt" + } + ], + "published": "2023-02-08T20:15:24+00:00", + "updated": 
"2025-05-05T16:15:25+00:00", + "affects": [ + { + "ref": "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2023-0464", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + "source": { + "name": "alma" + }, + "severity": "medium" + }, + { + "source": { + "name": "amazon" + }, + "severity": "high" + }, + { + "source": { + "name": "azure" + }, + "severity": "high" + }, + { + "source": { + "name": "cbl-mariner" + }, + "severity": "high" + }, + { + "source": { + "name": "nvd" + }, + "score": 7.5, + "severity": "high", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "oracle-oval" + }, + "severity": "medium" + }, + { + "source": { + "name": "photon" + }, + "severity": "high" + }, + { + "source": { + "name": "redhat" + }, + "score": 5.9, + "severity": "low", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "low" + } + ], + "cwes": [ + 295 + ], + "description": "A security vulnerability has been identified in all supported versions\n\nof OpenSSL related to the verification of X.509 certificate chains\nthat include policy constraints. 
Attackers may be able to exploit this\nvulnerability by creating a malicious certificate chain that triggers\nexponential use of computational resources, leading to a denial-of-service\n(DoS) attack on affected systems.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.", + "recommendation": "Upgrade libcrypto3 to version 3.0.8-r1; Upgrade libssl3 to version 3.0.8-r1", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2023-0464" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3722" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-0464" + }, + { + "url": "https://bugzilla.redhat.com/2181082" + }, + { + "url": "https://bugzilla.redhat.com/2182561" + }, + { + "url": "https://bugzilla.redhat.com/2182565" + }, + { + "url": "https://bugzilla.redhat.com/2188461" + }, + { + "url": "https://bugzilla.redhat.com/2207947" + }, + { + "url": "https://errata.almalinux.org/9/ALSA-2023-3722.html" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2dcd4f1e3115f38cefa43e3efbe9b801c27e642e" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1" + }, + { + "url": "https://linux.oracle.com/cve/CVE-2023-0464.html" + }, + { + "url": "https://linux.oracle.com/errata/ELSA-2023-3722.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0464" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": 
"https://security.netapp.com/advisory/ntap-20230406-0006/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6039-1" + }, + { + "url": "https://www.couchbase.com/alerts/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-0464" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5417" + }, + { + "url": "https://www.openssl.org/news/secadv/20230322.txt" + } + ], + "published": "2023-03-22T17:15:13+00:00", + "updated": "2025-05-05T16:15:26+00:00", + "affects": [ + { + "ref": "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2023-0465", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + "source": { + "name": "alma" + }, + "severity": "medium" + }, + { + "source": { + "name": "amazon" + }, + "severity": "high" + }, + { + "source": { + "name": "azure" + }, + "severity": "medium" + }, + { + "source": { + "name": "cbl-mariner" + }, + "severity": "medium" + }, + { + "source": { + "name": "nvd" + }, + "score": 5.3, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + }, + { + "source": { + "name": "oracle-oval" + }, + "severity": "medium" + }, + { + "source": { + "name": "photon" + }, + "severity": "medium" + }, + { + "source": { + "name": "redhat" + }, + "score": 5.3, + "severity": "low", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "low" + } + ], + "cwes": [ + 295 + ], + "description": "Applications that use a non-default option when verifying certificates may be\nvulnerable to an attack from a 
malicious CA to circumvent certain checks.\n\nInvalid certificate policies in leaf certificates are silently ignored by\nOpenSSL and other certificate policy checks are skipped for that certificate.\nA malicious CA could use this to deliberately assert invalid certificate policies\nin order to circumvent policy checking on the certificate altogether.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.", + "recommendation": "Upgrade libcrypto3 to version 3.0.8-r2; Upgrade libssl3 to version 3.0.8-r2", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2023-0465" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3722" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-0465" + }, + { + "url": "https://bugzilla.redhat.com/2181082" + }, + { + "url": "https://bugzilla.redhat.com/2182561" + }, + { + "url": "https://bugzilla.redhat.com/2182565" + }, + { + "url": "https://bugzilla.redhat.com/2188461" + }, + { + "url": "https://bugzilla.redhat.com/2207947" + }, + { + "url": "https://errata.almalinux.org/9/ALSA-2023-3722.html" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=10325176f3d3e98c6e2b3bf5ab1e3b334de6947a" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1dd43e0709fece299b15208f36cc7c76209ba0bb" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b013765abfa80036dc779dd0e50602c57bb3bf95" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=facfb1ab745646e97a1920977ae4a9965ea61d5c" + }, + { + "url": "https://linux.oracle.com/cve/CVE-2023-0465.html" + }, + { + "url": "https://linux.oracle.com/errata/ELSA-2023-3722.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0465" + 
}, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230414-0001/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6039-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-0465" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5417" + }, + { + "url": "https://www.openssl.org/news/secadv/20230328.txt" + } + ], + "published": "2023-03-28T15:15:06+00:00", + "updated": "2025-02-18T21:15:13+00:00", + "affects": [ + { + "ref": "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2023-0466", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + "source": { + "name": "alma" + }, + "severity": "medium" + }, + { + "source": { + "name": "amazon" + }, + "severity": "high" + }, + { + "source": { + "name": "cbl-mariner" + }, + "severity": "medium" + }, + { + "source": { + "name": "nvd" + }, + "score": 5.3, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + }, + { + "source": { + "name": "oracle-oval" + }, + "severity": "medium" + }, + { + "source": { + "name": "photon" + }, + "severity": "medium" + }, + { + "source": { + "name": "redhat" + }, + "score": 5.3, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "low" + } + ], + "cwes": [ + 295 + ], + "description": "The function X509_VERIFY_PARAM_add0_policy() is documented to\nimplicitly enable the certificate policy check when doing certificate\nverification. 
However the implementation of the function does not\nenable the check which allows certificates with invalid or incorrect\npolicies to pass the certificate verification.\n\nAs suddenly enabling the policy check could break existing deployments it was\ndecided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()\nfunction.\n\nInstead the applications that require OpenSSL to perform certificate\npolicy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly\nenable the policy check by calling X509_VERIFY_PARAM_set_flags() with\nthe X509_V_FLAG_POLICY_CHECK flag argument.\n\nCertificate policy checks are disabled by default in OpenSSL and are not\ncommonly used by applications.", + "recommendation": "Upgrade libcrypto3 to version 3.0.8-r3; Upgrade libssl3 to version 3.0.8-r3", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2023-0466" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/09/28/4" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3722" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-0466" + }, + { + "url": "https://bugzilla.redhat.com/2181082" + }, + { + "url": "https://bugzilla.redhat.com/2182561" + }, + { + "url": "https://bugzilla.redhat.com/2182565" + }, + { + "url": "https://bugzilla.redhat.com/2188461" + }, + { + "url": "https://bugzilla.redhat.com/2207947" + }, + { + "url": "https://errata.almalinux.org/9/ALSA-2023-3722.html" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=51e8a84ce742db0f6c70510d0159dad8f7825908" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=73398dea26de9899fb4baa94098ad0a61f435c72" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc814a30fc4f0bc54fcea7d9a7462f5457aab061" + }, + { + "url": 
"https://linux.oracle.com/cve/CVE-2023-0466.html" + }, + { + "url": "https://linux.oracle.com/errata/ELSA-2023-3722.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0466" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230414-0001/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6039-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-0466" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5417" + }, + { + "url": "https://www.openssl.org/news/secadv/20230328.txt" + } + ], + "published": "2023-03-28T15:15:06+00:00", + "updated": "2025-02-19T18:15:22+00:00", + "affects": [ + { + "ref": "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2023-1255", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + "source": { + "name": "alma" + }, + "severity": "medium" + }, + { + "source": { + "name": "amazon" + }, + "severity": "medium" + }, + { + "source": { + "name": "nvd" + }, + "score": 5.9, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "oracle-oval" + }, + "severity": "medium" + }, + { + "source": { + "name": "photon" + }, + "severity": "medium" + }, + { + "source": { + "name": "redhat" + }, + "score": 5.1, + "severity": "low", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "low" + } + ], + "cwes": [ + 125 + ], + "description": "Issue summary: The AES-XTS 
cipher decryption implementation for 64 bit ARM\nplatform contains a bug that could cause it to read past the input buffer,\nleading to a crash.\n\nImpact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM\nplatform can crash in rare circumstances. The AES-XTS algorithm is usually\nused for disk encryption.\n\nThe AES-XTS cipher decryption implementation for 64 bit ARM platform will read\npast the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16\nbyte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext\nbuffer is unmapped, this will trigger a crash which results in a denial of\nservice.\n\nIf an attacker can control the size and location of the ciphertext buffer\nbeing decrypted by an application using AES-XTS on 64 bit ARM, the\napplication is affected. This is fairly unlikely making this issue\na Low severity one.", + "recommendation": "Upgrade libcrypto3 to version 3.0.8-r4; Upgrade libssl3 to version 3.0.8-r4", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2023-1255" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3722" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-1255" + }, + { + "url": "https://bugzilla.redhat.com/2181082" + }, + { + "url": "https://bugzilla.redhat.com/2182561" + }, + { + "url": "https://bugzilla.redhat.com/2182565" + }, + { + "url": "https://bugzilla.redhat.com/2188461" + }, + { + "url": "https://bugzilla.redhat.com/2207947" + }, + { + "url": "https://errata.almalinux.org/9/ALSA-2023-3722.html" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=02ac9c9420275868472f33b01def01218742b8bb" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bc2f61ad70971869b242fc1cb445b98bad50074a" + }, + { + "url": "https://linux.oracle.com/cve/CVE-2023-1255.html" + }, + { + "url": "https://linux.oracle.com/errata/ELSA-2023-3722.html" + }, + { + "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2023-1255" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230908-0006/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6119-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-1255" + }, + { + "url": "https://www.openssl.org/news/secadv/20230419.txt" + }, + { + "url": "https://www.openssl.org/news/secadv/20230420.txt" + } + ], + "published": "2023-04-20T17:15:06+00:00", + "updated": "2025-02-04T22:15:39+00:00", + "affects": [ + { + "ref": "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2023-2650", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + "source": { + "name": "alma" + }, + "severity": "medium" + }, + { + "source": { + "name": "amazon" + }, + "severity": "high" + }, + { + "source": { + "name": "azure" + }, + "severity": "medium" + }, + { + "source": { + "name": "cbl-mariner" + }, + "severity": "medium" + }, + { + "source": { + "name": "nvd" + }, + "score": 6.5, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "oracle-oval" + }, + "severity": "medium" + }, + { + "source": { + "name": "photon" + }, + "severity": "medium" + }, + { + "source": { + "name": "redhat" + }, + "score": 6.5, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "medium" + } + ], + "cwes": [ + 770 + ], + "description": "Issue summary: Processing some specially crafted ASN.1 object identifiers or\ndata containing them may be very slow.\n\nImpact summary: Applications that use 
OBJ_obj2txt() directly, or use any of\nthe OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message\nsize limit may experience notable to very long delays when processing those\nmessages, which may lead to a Denial of Service.\n\nAn OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -\nmost of which have no size limit. OBJ_obj2txt() may be used to translate\nan ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL\ntype ASN1_OBJECT) to its canonical numeric text form, which are the\nsub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by\nperiods.\n\nWhen one of the sub-identifiers in the OBJECT IDENTIFIER is very large\n(these are sizes that are seen as absurdly large, taking up tens or hundreds\nof KiBs), the translation to a decimal number in text may take a very long\ntime. The time complexity is O(n^2) with 'n' being the size of the\nsub-identifiers in bytes (*).\n\nWith OpenSSL 3.0, support to fetch cryptographic algorithms using names /\nidentifiers in string form was introduced. This includes using OBJECT\nIDENTIFIERs in canonical numeric text form as identifiers for fetching\nalgorithms.\n\nSuch OBJECT IDENTIFIERs may be received through the ASN.1 structure\nAlgorithmIdentifier, which is commonly used in multiple protocols to specify\nwhat cryptographic algorithm should be used to sign or verify, encrypt or\ndecrypt, or digest passed data.\n\nApplications that call OBJ_obj2txt() directly with untrusted data are\naffected, with any version of OpenSSL. If the use is for the mere purpose\nof display, the severity is considered low.\n\nIn OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,\nCMS, CMP/CRMF or TS. It also impacts anything that processes X.509\ncertificates, including simple things like verifying its signature.\n\nThe impact on TLS is relatively low, because all versions of OpenSSL have a\n100KiB limit on the peer's certificate chain. 
Additionally, this only\nimpacts clients, or servers that have explicitly enabled client\nauthentication.\n\nIn OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,\nsuch as X.509 certificates. This is assumed to not happen in such a way\nthat it would cause a Denial of Service, so these versions are considered\nnot affected by this issue in such a way that it would be cause for concern,\nand the severity is therefore considered low.", + "recommendation": "Upgrade libcrypto3 to version 3.0.9-r0; Upgrade libssl3 to version 3.0.9-r0", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2023-2650" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/05/30/1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6330" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-2650" + }, + { + "url": "https://bugzilla.redhat.com/1858038" + }, + { + "url": "https://bugzilla.redhat.com/2207947" + }, + { + "url": "https://errata.almalinux.org/9/ALSA-2023-6330.html" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=423a2bc737a908ad0c77bda470b2b59dc879936b" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=853c5e56ee0b8650c73140816bb8b91d6163422c" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9e209944b35cf82368071f160a744b6178f9b098" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db779b0e10b047f2585615e0b8f2acdf21f8544a" + }, + { + "url": "https://linux.oracle.com/cve/CVE-2023-2650.html" + }, + { + "url": "https://linux.oracle.com/errata/ELSA-2023-6330.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2650" + }, + { + "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0009" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": 
"https://security.netapp.com/advisory/ntap-20230703-0001/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20231027-0009/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6119-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6188-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6672-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-2650" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5417" + }, + { + "url": "https://www.openssl.org/news/secadv/20230530.txt" + } + ], + "published": "2023-05-30T14:15:09+00:00", + "updated": "2025-03-19T16:15:21+00:00", + "affects": [ + { + "ref": "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2023-2975", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + "source": { + "name": "alma" + }, + "severity": "low" + }, + { + "source": { + "name": "amazon" + }, + "severity": "medium" + }, + { + "source": { + "name": "cbl-mariner" + }, + "severity": "medium" + }, + { + "source": { + "name": "nvd" + }, + "score": 5.3, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + }, + { + "source": { + "name": "oracle-oval" + }, + "severity": "low" + }, + { + "source": { + "name": "photon" + }, + "severity": "medium" + }, + { + "source": { + "name": "redhat" + }, + "score": 5.3, + "severity": "low", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "low" + } + ], + "cwes": [ + 354, + 287 + ], + "description": "Issue summary: The AES-SIV cipher implementation contains a bug that causes\nit to ignore empty 
associated data entries which are unauthenticated as\na consequence.\n\nImpact summary: Applications that use the AES-SIV algorithm and want to\nauthenticate empty data entries as associated data can be misled by removing,\nadding or reordering such empty entries as these are ignored by the OpenSSL\nimplementation. We are currently unaware of any such applications.\n\nThe AES-SIV algorithm allows for authentication of multiple associated\ndata entries along with the encryption. To authenticate empty data the\napplication has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with\nNULL pointer as the output buffer and 0 as the input buffer length.\nThe AES-SIV implementation in OpenSSL just returns success for such a call\ninstead of performing the associated data authentication operation.\nThe empty data thus will not be authenticated.\n\nAs this issue does not affect non-empty associated data authentication and\nwe expect it to be rare for an application to use empty associated data\nentries this is qualified as Low severity issue.", + "recommendation": "Upgrade libcrypto3 to version 3.0.9-r2; Upgrade libssl3 to version 3.0.9-r2", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2023-2975" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/07/15/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/07/19/5" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2447" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-2975" + }, + { + "url": "https://bugzilla.redhat.com/2223016" + }, + { + "url": "https://bugzilla.redhat.com/2224962" + }, + { + "url": "https://bugzilla.redhat.com/2227852" + }, + { + "url": "https://bugzilla.redhat.com/2248616" + }, + { + "url": "https://bugzilla.redhat.com/2257571" + }, + { + "url": "https://bugzilla.redhat.com/2258502" + }, + { + "url": "https://bugzilla.redhat.com/2259944" + }, + { + "url": "https://errata.almalinux.org/9/ALSA-2024-2447.html" + }, + { + 
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=00e2f5eea29994d19293ec4e8c8775ba73678598" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc" + }, + { + "url": "https://linux.oracle.com/cve/CVE-2023-2975.html" + }, + { + "url": "https://linux.oracle.com/errata/ELSA-2024-2447.html" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2975" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230725-0004/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6450-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-2975" + }, + { + "url": "https://www.openssl.org/news/secadv/20230714.txt" + } + ], + "published": "2023-07-14T12:15:09+00:00", + "updated": "2025-04-23T17:16:32+00:00", + "affects": [ + { + "ref": "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2023-3446", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + "source": { + "name": "alma" + }, + "severity": "low" + }, + { + "source": { + "name": "amazon" + }, + "severity": "high" + }, + { + "source": { + "name": "cbl-mariner" + }, + "severity": "medium" + }, + { + "source": { + "name": "nvd" + }, + "score": 5.3, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + }, + { + "source": { + "name": "oracle-oval" + }, + "severity": "low" + }, + { + "source": { + "name": "photon" + }, + "severity": "medium" + }, + { + "source": { + "name": "redhat" + }, + "score": 5.3, + "severity": "low", + "method": "CVSSv31", + "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + }, + { + "source": { + "name": "rocky" + }, + "severity": "high" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "low" + } + ], + "cwes": [ + 606, + 1333 + ], + "description": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\n\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. 
Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", + "recommendation": "Upgrade libcrypto3 to version 3.0.9-r3; Upgrade libssl3 to version 3.0.9-r3", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2023-3446" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/07/19/4" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/07/19/5" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/07/19/6" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/07/31/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/16/1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2447" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-3446" + }, + { + "url": "https://bugzilla.redhat.com/2223016" + }, + { + "url": "https://bugzilla.redhat.com/2224962" + }, + { + "url": "https://bugzilla.redhat.com/2227852" + }, + { + "url": "https://bugzilla.redhat.com/2248616" + }, + { + "url": "https://bugzilla.redhat.com/2257571" + }, + { + "url": "https://bugzilla.redhat.com/2258502" + }, + { + "url": "https://bugzilla.redhat.com/2259944" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2224962" + }, + { + "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2257582" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257583" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258677" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258688" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258691" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258694" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258700" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36763" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36764" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3446" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45229" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45231" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45232" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45233" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45235" + }, + { + "url": "https://errata.almalinux.org/9/ALSA-2024-2447.html" + }, + { + "url": "https://errata.rockylinux.org/RLSA-2024:2264" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23" + }, + { + "url": "https://linux.oracle.com/cve/CVE-2023-3446.html" + }, + { + "url": "https://linux.oracle.com/errata/ELSA-2024-2447.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html" + }, + 
{ + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3446" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230803-0011/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6435-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6435-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6450-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6709-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-7018-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-3446" + }, + { + "url": "https://www.openssl.org/news/secadv/20230719.txt" + } + ], + "published": "2023-07-19T12:15:10+00:00", + "updated": "2025-04-23T17:16:36+00:00", + "affects": [ + { + "ref": "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2023-3817", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + "source": { + "name": "alma" + }, + "severity": "low" + }, + { + "source": { + "name": "amazon" + }, + "severity": "high" + }, + { + "source": { + "name": "azure" + }, + "severity": "medium" + }, + { + "source": { + "name": "cbl-mariner" + }, + "severity": "medium" + }, + { + "source": { + "name": "nvd" + }, + "score": 5.3, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + }, + { + "source": { + "name": "oracle-oval" + }, + "severity": "low" + }, + { + "source": { + "name": "photon" + }, + "severity": "medium" + }, + { + "source": { + "name": "redhat" + }, + "score": 5.3, + "severity": "low", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + }, + { + "source": { + 
"name": "ubuntu" + }, + "severity": "low" + } + ], + "cwes": [ + 606, + 834 + ], + "description": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \"-check\" option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", + "recommendation": "Upgrade libcrypto3 to version 3.0.10-r0; Upgrade libssl3 to version 3.0.10-r0", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2023-3817" + }, + { + "url": "http://seclists.org/fulldisclosure/2023/Jul/43" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/07/31/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/09/22/11" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/09/22/9" 
+ }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/11/06/2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2447" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-3817" + }, + { + "url": "https://bugzilla.redhat.com/2223016" + }, + { + "url": "https://bugzilla.redhat.com/2224962" + }, + { + "url": "https://bugzilla.redhat.com/2227852" + }, + { + "url": "https://bugzilla.redhat.com/2248616" + }, + { + "url": "https://bugzilla.redhat.com/2257571" + }, + { + "url": "https://bugzilla.redhat.com/2258502" + }, + { + "url": "https://bugzilla.redhat.com/2259944" + }, + { + "url": "https://errata.almalinux.org/9/ALSA-2024-2447.html" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=869ad69aadd985c7b8ca6f4e5dd0eb274c9f3644" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5" + }, + { + "url": "https://linux.oracle.com/cve/CVE-2023-3817.html" + }, + { + "url": "https://linux.oracle.com/errata/ELSA-2024-2447.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3817" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20230818-0014/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20231027-0008/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0006/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6435-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6435-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6450-1" + }, + { + "url": 
"https://ubuntu.com/security/notices/USN-6709-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-3817" + }, + { + "url": "https://www.openssl.org/news/secadv/20230731.txt" + } + ], + "published": "2023-07-31T16:15:10+00:00", + "updated": "2025-05-05T16:15:47+00:00", + "affects": [ + { + "ref": "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2023-42363", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + "source": { + "name": "azure" + }, + "severity": "medium" + }, + { + "source": { + "name": "cbl-mariner" + }, + "severity": "medium" + }, + { + "source": { + "name": "nvd" + }, + "score": 5.5, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "redhat" + }, + "score": 7.8, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "medium" + } + ], + "cwes": [ + 416 + ], + "description": "A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.", + "recommendation": "Upgrade busybox to version 1.35.0-r31; Upgrade busybox-binsh to version 1.35.0-r31; Upgrade ssl_client to version 1.35.0-r31", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2023-42363" + }, + { + "url": "http://lists.busybox.net/pipermail/busybox/2024-May/090760.html" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-42363" + }, + { + "url": "https://bugs.busybox.net/show_bug.cgi?id=15865" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42363" + }, + { + "url": 
"https://ubuntu.com/security/notices/USN-6961-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-42363" + } + ], + "published": "2023-11-27T22:15:07+00:00", + "updated": "2024-11-21T08:22:28+00:00", + "affects": [ + { + "ref": "pkg:apk/alpine/busybox-binsh@1.35.0-r29?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "1.35.0-r29", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/busybox@1.35.0-r29?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "1.35.0-r29", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/ssl_client@1.35.0-r29?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "1.35.0-r29", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2023-42364", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + "source": { + "name": "azure" + }, + "severity": "medium" + }, + { + "source": { + "name": "cbl-mariner" + }, + "severity": "medium" + }, + { + "source": { + "name": "nvd" + }, + "score": 5.5, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "redhat" + }, + "score": 7.8, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "medium" + } + ], + "cwes": [ + 416 + ], + "description": "A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.", + "recommendation": "Upgrade busybox to version 1.35.0-r31; Upgrade busybox-binsh to version 1.35.0-r31; Upgrade ssl_client to version 1.35.0-r31", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2023-42364" + }, + { + "url": "http://lists.busybox.net/pipermail/busybox/2024-May/090762.html" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-42364" + }, + { + "url": 
"https://bugs.busybox.net/show_bug.cgi?id=15868" + }, + { + "url": "https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/busybox/CVE-2023-42364-CVE-2023-42365.patch" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42364" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6961-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-42364" + } + ], + "published": "2023-11-27T23:15:07+00:00", + "updated": "2024-11-21T08:22:28+00:00", + "affects": [ + { + "ref": "pkg:apk/alpine/busybox-binsh@1.35.0-r29?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "1.35.0-r29", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/busybox@1.35.0-r29?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "1.35.0-r29", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/ssl_client@1.35.0-r29?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "1.35.0-r29", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2023-42365", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + "source": { + "name": "azure" + }, + "severity": "medium" + }, + { + "source": { + "name": "cbl-mariner" + }, + "severity": "medium" + }, + { + "source": { + "name": "nvd" + }, + "score": 5.5, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "redhat" + }, + "score": 7.8, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "medium" + } + ], + "cwes": [ + 416 + ], + "description": "A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function.", + "recommendation": "Upgrade busybox to version 1.35.0-r31; Upgrade busybox-binsh to version 1.35.0-r31; Upgrade ssl_client to version 1.35.0-r31", + "advisories": [ + { 
+ "url": "https://avd.aquasec.com/nvd/cve-2023-42365" + }, + { + "url": "http://lists.busybox.net/pipermail/busybox/2024-May/090762.html" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-42365" + }, + { + "url": "https://bugs.busybox.net/show_bug.cgi?id=15871" + }, + { + "url": "https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/busybox/CVE-2023-42364-CVE-2023-42365.patch" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42365" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6961-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-42365" + } + ], + "published": "2023-11-27T23:15:07+00:00", + "updated": "2024-11-21T08:22:28+00:00", + "affects": [ + { + "ref": "pkg:apk/alpine/busybox-binsh@1.35.0-r29?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "1.35.0-r29", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/busybox@1.35.0-r29?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "1.35.0-r29", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/ssl_client@1.35.0-r29?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "1.35.0-r29", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2023-42366", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + "source": { + "name": "azure" + }, + "severity": "medium" + }, + { + "source": { + "name": "cbl-mariner" + }, + "severity": "medium" + }, + { + "source": { + "name": "nvd" + }, + "score": 5.5, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "redhat" + }, + "score": 7.1, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "medium" + } + ], + "cwes": [ + 787 + ], + "description": "A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the 
next_token function at awk.c:1159.", + "recommendation": "Upgrade busybox to version 1.35.0-r30; Upgrade busybox-binsh to version 1.35.0-r30; Upgrade ssl_client to version 1.35.0-r30", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2023-42366" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-42366" + }, + { + "url": "https://bugs.busybox.net/show_bug.cgi?id=15874" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42366" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20241206-0007/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-42366" + } + ], + "published": "2023-11-27T23:15:07+00:00", + "updated": "2024-12-06T14:15:19+00:00", + "affects": [ + { + "ref": "pkg:apk/alpine/busybox-binsh@1.35.0-r29?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "1.35.0-r29", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/busybox@1.35.0-r29?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "1.35.0-r29", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/ssl_client@1.35.0-r29?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "1.35.0-r29", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2023-5363", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + "source": { + "name": "alma" + }, + "severity": "medium" + }, + { + "source": { + "name": "amazon" + }, + "severity": "high" + }, + { + "source": { + "name": "azure" + }, + "severity": "high" + }, + { + "source": { + "name": "cbl-mariner" + }, + "severity": "high" + }, + { + "source": { + "name": "nvd" + }, + "score": 7.5, + "severity": "high", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + }, + { + "source": { + "name": "oracle-oval" + }, + "severity": "high" + }, + { + "source": { + "name": "photon" + }, + "severity": "high" + }, + { + "source": { + "name": "redhat" + }, + "score": 7.5, + "severity": 
"medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "medium" + } + ], + "cwes": [ + 684 + ], + "description": "Issue summary: A bug has been identified in the processing of key and\ninitialisation vector (IV) lengths. This can lead to potential truncation\nor overruns during the initialisation of some symmetric ciphers.\n\nImpact summary: A truncation in the IV can result in non-uniqueness,\nwhich could result in loss of confidentiality for some cipher modes.\n\nWhen calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or\nEVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after\nthe key and IV have been established. Any alterations to the key length,\nvia the \"keylen\" parameter or the IV length, via the \"ivlen\" parameter,\nwithin the OSSL_PARAM array will not take effect as intended, potentially\ncausing truncation or overreading of these values. The following ciphers\nand cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.\n\nFor the CCM, GCM and OCB cipher modes, truncation of the IV can result in\nloss of confidentiality. For example, when following NIST's SP 800-38D\nsection 8.2.1 guidance for constructing a deterministic IV for AES in\nGCM mode, truncation of the counter portion could lead to IV reuse.\n\nBoth truncations and overruns of the key and overruns of the IV will\nproduce incorrect results and could, in some cases, trigger a memory\nexception. However, these issues are not currently assessed as security\ncritical.\n\nChanging the key and/or IV lengths is not considered to be a common operation\nand the vulnerable API was recently introduced. Furthermore it is likely that\napplication developers will have spotted this problem during testing since\ndecryption would fail unless both peers in the communication were similarly\nvulnerable. 
For these reasons we expect the probability of an application being\nvulnerable to this to be quite low. However if an application is vulnerable then\nthis issue is considered very serious. For these reasons we have assessed this\nissue as Moderate severity overall.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because\nthe issue lies outside of the FIPS provider boundary.\n\nOpenSSL 3.1 and 3.0 are vulnerable to this issue.", + "recommendation": "Upgrade libcrypto3 to version 3.0.12-r0; Upgrade libssl3 to version 3.0.12-r0", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2023-5363" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2023/10/24/1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0310" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-5363" + }, + { + "url": "https://bugzilla.redhat.com/2243839" + }, + { + "url": "https://errata.almalinux.org/9/ALSA-2024-0310.html" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee" + }, + { + "url": "https://linux.oracle.com/cve/CVE-2023-5363.html" + }, + { + "url": "https://linux.oracle.com/errata/ELSA-2024-12093.html" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5363" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20231027-0010/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240201-0003/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240201-0004/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6450-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-5363" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5532" + }, + { + "url": "https://www.openssl.org/news/secadv/20231024.txt" + } + 
], + "published": "2023-10-25T18:17:43+00:00", + "updated": "2024-11-21T08:41:36+00:00", + "affects": [ + { + "ref": "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2023-5678", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + "source": { + "name": "alma" + }, + "severity": "low" + }, + { + "source": { + "name": "amazon" + }, + "severity": "high" + }, + { + "source": { + "name": "azure" + }, + "severity": "medium" + }, + { + "source": { + "name": "cbl-mariner" + }, + "severity": "medium" + }, + { + "source": { + "name": "nvd" + }, + "score": 5.3, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + }, + { + "source": { + "name": "oracle-oval" + }, + "severity": "low" + }, + { + "source": { + "name": "photon" + }, + "severity": "medium" + }, + { + "source": { + "name": "redhat" + }, + "score": 5.3, + "severity": "low", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "low" + } + ], + "cwes": [ + 606, + 754 + ], + "description": "Issue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. 
Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. 
The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", + "recommendation": "Upgrade libcrypto3 to version 3.0.12-r1; Upgrade libssl3 to version 3.0.12-r1", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2023-5678" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/03/11/1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2447" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-5678" + }, + { + "url": "https://bugzilla.redhat.com/2223016" + }, + { + "url": "https://bugzilla.redhat.com/2224962" + }, + { + "url": "https://bugzilla.redhat.com/2227852" + }, + { + "url": "https://bugzilla.redhat.com/2248616" + }, + { + "url": "https://bugzilla.redhat.com/2257571" + }, + { + "url": "https://bugzilla.redhat.com/2258502" + }, + { + "url": "https://bugzilla.redhat.com/2259944" + }, + { + "url": "https://errata.almalinux.org/9/ALSA-2024-2447.html" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" + }, + { + "url": "https://linux.oracle.com/cve/CVE-2023-5678.html" + }, + { + "url": "https://linux.oracle.com/errata/ELSA-2024-2447.html" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678" + }, + { + "url": 
"https://security.netapp.com/advisory/ntap-20231130-0010/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6622-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6632-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6709-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-5678" + }, + { + "url": "https://www.openssl.org/news/secadv/20231106.txt" + } + ], + "published": "2023-11-06T16:15:42+00:00", + "updated": "2024-11-21T08:42:15+00:00", + "affects": [ + { + "ref": "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2023-6129", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + "source": { + "name": "alma" + }, + "severity": "medium" + }, + { + "source": { + "name": "azure" + }, + "severity": "medium" + }, + { + "source": { + "name": "cbl-mariner" + }, + "severity": "medium" + }, + { + "source": { + "name": "nvd" + }, + "score": 6.5, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H" + }, + { + "source": { + "name": "oracle-oval" + }, + "severity": "medium" + }, + { + "source": { + "name": "redhat" + }, + "score": 6.5, + "severity": "low", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "low" + } + ], + "cwes": [ + 440, + 787 + ], + "description": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications running\non PowerPC CPU based platforms if the CPU provides vector instructions.\n\nImpact summary: If an attacker can influence whether the POLY1305 
MAC\nalgorithm is used, the application state might be corrupted with various\napplication dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL for\nPowerPC CPUs restores the contents of vector registers in a different order\nthan they are saved. Thus the contents of some of these vector registers\nare corrupted when returning to the caller. The vulnerable code is used only\non newer PowerPC processors supporting the PowerISA 2.07 instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However unless the compiler uses the vector registers for storing\npointers, the most likely consequence, if any, would be an incorrect result\nof some application dependent calculations or a crash leading to a denial of\nservice.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3. If this cipher is enabled on the server a malicious\nclient can influence whether this AEAD cipher is used. This implies that\nTLS server applications using OpenSSL can be potentially impacted. 
However\nwe are currently not aware of any concrete application that would be affected\nby this issue therefore we consider this a Low severity security issue.", + "recommendation": "Upgrade libcrypto3 to version 3.0.12-r2; Upgrade libssl3 to version 3.0.12-r2", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2023-6129" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/03/11/1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:9088" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-6129" + }, + { + "url": "https://bugzilla.redhat.com/2257571" + }, + { + "url": "https://bugzilla.redhat.com/2258502" + }, + { + "url": "https://bugzilla.redhat.com/2259944" + }, + { + "url": "https://bugzilla.redhat.com/2284243" + }, + { + "url": "https://errata.almalinux.org/9/ALSA-2024-9088.html" + }, + { + "url": "https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35" + }, + { + "url": "https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04" + }, + { + "url": "https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015" + }, + { + "url": "https://linux.oracle.com/cve/CVE-2023-6129.html" + }, + { + "url": "https://linux.oracle.com/errata/ELSA-2024-9088.html" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6129" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240216-0009/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240426-0008/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240426-0013/" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240503-0011/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6622-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-6129" + }, + { + "url": "https://www.openssl.org/news/secadv/20240109.txt" + }, + { + "url": "https://www.openwall.com/lists/oss-security/2024/01/09/1" + } + ], + "published": 
"2024-01-09T17:15:12+00:00", + "updated": "2025-06-20T16:15:27+00:00", + "affects": [ + { + "ref": "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2023-6237", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + "source": { + "name": "alma" + }, + "severity": "medium" + }, + { + "source": { + "name": "amazon" + }, + "severity": "medium" + }, + { + "source": { + "name": "azure" + }, + "severity": "medium" + }, + { + "source": { + "name": "cbl-mariner" + }, + "severity": "medium" + }, + { + "source": { + "name": "oracle-oval" + }, + "severity": "medium" + }, + { + "source": { + "name": "redhat" + }, + "score": 5.9, + "severity": "low", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "low" + } + ], + "cwes": [ + 606 + ], + "description": "Issue summary: Checking excessively long invalid RSA public keys may take\na long time.\n\nImpact summary: Applications that use the function EVP_PKEY_public_check()\nto check RSA public keys may experience long delays. Where the key that\nis being checked has been obtained from an untrusted source this may lead\nto a Denial of Service.\n\nWhen function EVP_PKEY_public_check() is called on RSA public keys,\na computation is done to confirm that the RSA modulus, n, is composite.\nFor valid RSA keys, n is a product of two or more large primes and this\ncomputation completes quickly. 
However, if n is an overly large prime,\nthen this computation would take a long time.\n\nAn application that calls EVP_PKEY_public_check() and supplies an RSA key\nobtained from an untrusted source could be vulnerable to a Denial of Service\nattack.\n\nThe function EVP_PKEY_public_check() is not called from other OpenSSL\nfunctions however it is called from the OpenSSL pkey command line\napplication. For that reason that application is also vulnerable if used\nwith the '-pubin' and '-check' options on untrusted data.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.", + "recommendation": "Upgrade libcrypto3 to version 3.0.12-r3; Upgrade libssl3 to version 3.0.12-r3", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2023-6237" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/03/11/1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:9088" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-6237" + }, + { + "url": "https://bugzilla.redhat.com/2257571" + }, + { + "url": "https://bugzilla.redhat.com/2258502" + }, + { + "url": "https://bugzilla.redhat.com/2259944" + }, + { + "url": "https://bugzilla.redhat.com/2284243" + }, + { + "url": "https://errata.almalinux.org/9/ALSA-2024-9088.html" + }, + { + "url": "https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d" + }, + { + "url": "https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a" + }, + { + "url": "https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294" + }, + { + "url": "https://linux.oracle.com/cve/CVE-2023-6237.html" + }, + { + "url": "https://linux.oracle.com/errata/ELSA-2024-9088.html" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6237" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240531-0007/" + }, + { + "url": 
"https://ubuntu.com/security/notices/USN-6622-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-6237" + }, + { + "url": "https://www.openssl.org/news/secadv/20240115.txt" + }, + { + "url": "https://www.openwall.com/lists/oss-security/2024/01/15/2" + } + ], + "published": "2024-04-25T07:15:45+00:00", + "updated": "2024-11-21T08:43:25+00:00", + "affects": [ + { + "ref": "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2024-0727", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + "source": { + "name": "alma" + }, + "severity": "medium" + }, + { + "source": { + "name": "amazon" + }, + "severity": "high" + }, + { + "source": { + "name": "azure" + }, + "severity": "medium" + }, + { + "source": { + "name": "cbl-mariner" + }, + "severity": "medium" + }, + { + "source": { + "name": "ghsa" + }, + "score": 5.5, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "nvd" + }, + "score": 5.5, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "oracle-oval" + }, + "severity": "medium" + }, + { + "source": { + "name": "photon" + }, + "severity": "medium" + }, + { + "source": { + "name": "redhat" + }, + "score": 5.5, + "severity": "low", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "low" + } + ], + "cwes": [ + 476 + ], + "description": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service 
attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.", + "recommendation": "Upgrade libcrypto3 to version 3.0.12-r4; Upgrade libssl3 to version 3.0.12-r4", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2024-0727" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/03/11/1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:9088" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2024-0727" + }, + { + "url": "https://bugzilla.redhat.com/2257571" + }, + { + "url": "https://bugzilla.redhat.com/2258502" + }, + { + "url": "https://bugzilla.redhat.com/2259944" + }, + { + "url": "https://bugzilla.redhat.com/2284243" + }, + { + "url": "https://errata.almalinux.org/9/ALSA-2024-9088.html" + }, + { + "url": "https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2" + }, + { + "url": "https://github.com/github/advisory-database/pull/3472" + }, + { + "url": "https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2" + }, + { + "url": 
"https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a" + }, + { + "url": "https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c" + }, + { + "url": "https://github.com/openssl/openssl/pull/23362" + }, + { + "url": "https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d" + }, + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" + }, + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" + }, + { + "url": "https://linux.oracle.com/cve/CVE-2024-0727.html" + }, + { + "url": "https://linux.oracle.com/errata/ELSA-2024-9088.html" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240208-0006" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240208-0006/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6622-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6632-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6709-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-7018-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-0727" + }, + { + "url": "https://www.openssl.org/news/secadv/20240125.txt" + } + ], + "published": "2024-01-26T09:15:07+00:00", + "updated": "2025-05-29T16:15:31+00:00", + "affects": [ + { + "ref": "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2024-2511", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + "source": { + "name": "alma" + }, + "severity": "low" + }, + { + 
"source": { + "name": "amazon" + }, + "severity": "medium" + }, + { + "source": { + "name": "azure" + }, + "severity": "medium" + }, + { + "source": { + "name": "cbl-mariner" + }, + "severity": "medium" + }, + { + "source": { + "name": "oracle-oval" + }, + "severity": "low" + }, + { + "source": { + "name": "photon" + }, + "severity": "medium" + }, + { + "source": { + "name": "redhat" + }, + "score": 3.7, + "severity": "low", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "low" + } + ], + "cwes": [ + 1325 + ], + "description": "Issue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\n\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\n\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\n\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\nclients.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. 
OpenSSL\n1.0.2 is also not affected by this issue.", + "recommendation": "Upgrade libcrypto3 to version 3.0.12-r5; Upgrade libssl3 to version 3.0.12-r5", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2024-2511" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/04/08/5" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:9333" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2024-2511" + }, + { + "url": "https://bugzilla.redhat.com/2274020" + }, + { + "url": "https://bugzilla.redhat.com/2281029" + }, + { + "url": "https://bugzilla.redhat.com/2283757" + }, + { + "url": "https://bugzilla.redhat.com/2294581" + }, + { + "url": "https://errata.almalinux.org/9/ALSA-2024-9333.html" + }, + { + "url": "https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce" + }, + { + "url": "https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d" + }, + { + "url": "https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08" + }, + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640" + }, + { + "url": "https://linux.oracle.com/cve/CVE-2024-2511.html" + }, + { + "url": "https://linux.oracle.com/errata/ELSA-2024-9333.html" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2511" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240503-0013/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6937-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2511" + }, + { + "url": "https://www.openssl.org/news/secadv/20240408.txt" + }, + { + "url": "https://www.openssl.org/news/vulnerabilities.html" + } + ], + "published": "2024-04-08T14:15:07+00:00", + "updated": "2025-03-28T20:15:22+00:00", + "affects": [ + { + "ref": "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + }, + { 
+ "ref": "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2024-4603", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + "source": { + "name": "alma" + }, + "severity": "low" + }, + { + "source": { + "name": "amazon" + }, + "severity": "medium" + }, + { + "source": { + "name": "azure" + }, + "severity": "medium" + }, + { + "source": { + "name": "cbl-mariner" + }, + "severity": "medium" + }, + { + "source": { + "name": "oracle-oval" + }, + "severity": "low" + }, + { + "source": { + "name": "redhat" + }, + "score": 5.3, + "severity": "low", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "low" + } + ], + "cwes": [ + 606, + 834 + ], + "description": "Issue summary: Checking excessively long DSA keys or parameters may be very\nslow.\n\nImpact summary: Applications that use the functions EVP_PKEY_param_check()\nor EVP_PKEY_public_check() to check a DSA public key or DSA parameters may\nexperience long delays. Where the key or parameters that are being checked\nhave been obtained from an untrusted source this may lead to a Denial of\nService.\n\nThe functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform\nvarious checks on DSA parameters. Some of those computations take a long time\nif the modulus (`p` parameter) is too large.\n\nTrying to use a very large modulus is slow and OpenSSL will not allow using\npublic keys with a modulus which is over 10,000 bits in length for signature\nverification. 
However the key and parameter check functions do not limit\nthe modulus size when performing the checks.\n\nAn application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check()\nand supplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nThese functions are not called by OpenSSL itself on untrusted DSA keys so\nonly applications that directly call these functions may be vulnerable.\n\nAlso vulnerable are the OpenSSL pkey and pkeyparam command line applications\nwhen using the `-check` option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.", + "recommendation": "Upgrade libcrypto3 to version 3.0.13-r0; Upgrade libssl3 to version 3.0.13-r0", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2024-4603" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/05/16/2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:9333" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2024-4603" + }, + { + "url": "https://bugzilla.redhat.com/2274020" + }, + { + "url": "https://bugzilla.redhat.com/2281029" + }, + { + "url": "https://bugzilla.redhat.com/2283757" + }, + { + "url": "https://bugzilla.redhat.com/2294581" + }, + { + "url": "https://errata.almalinux.org/9/ALSA-2024-9333.html" + }, + { + "url": "https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397" + }, + { + "url": "https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e" + }, + { + "url": "https://github.com/openssl/openssl/commit/9c39b3858091c152f52513c066ff2c5a47969f0d" + }, + { + "url": "https://github.com/openssl/openssl/commit/da343d0605c826ef197aceedc67e8e04f065f740" + }, + { + "url": "https://linux.oracle.com/cve/CVE-2024-4603.html" + }, + { + "url": "https://linux.oracle.com/errata/ELSA-2024-9333.html" + }, + { + "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2024-4603" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240621-0001/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6937-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-4603" + }, + { + "url": "https://www.openssl.org/news/secadv/20240516.txt" + } + ], + "published": "2024-05-16T16:15:10+00:00", + "updated": "2024-11-21T09:43:11+00:00", + "affects": [ + { + "ref": "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2024-4741", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + "source": { + "name": "alma" + }, + "severity": "low" + }, + { + "source": { + "name": "amazon" + }, + "severity": "medium" + }, + { + "source": { + "name": "azure" + }, + "severity": "high" + }, + { + "source": { + "name": "cbl-mariner" + }, + "severity": "high" + }, + { + "source": { + "name": "oracle-oval" + }, + "severity": "low" + }, + { + "source": { + "name": "photon" + }, + "severity": "high" + }, + { + "source": { + "name": "redhat" + }, + "score": 5.6, + "severity": "low", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "low" + } + ], + "cwes": [ + 416 + ], + "description": "Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause\nmemory to be accessed that was previously freed in some situations\n\nImpact summary: A use after free can have a range of potential consequences such\nas the corruption of valid data, crashes or execution of arbitrary code.\nHowever, only applications that directly call the SSL_free_buffers function are\naffected by this issue. 
Applications that do not call this function are not\nvulnerable. Our investigations indicate that this function is rarely used by\napplications.\n\nThe SSL_free_buffers function is used to free the internal OpenSSL buffer used\nwhen processing an incoming record from the network. The call is only expected\nto succeed if the buffer is not currently in use. However, two scenarios have\nbeen identified where the buffer is freed even when still in use.\n\nThe first scenario occurs where a record header has been received from the\nnetwork and processed by OpenSSL, but the full record body has not yet arrived.\nIn this case calling SSL_free_buffers will succeed even though a record has only\nbeen partially processed and the buffer is still in use.\n\nThe second scenario occurs where a full record containing application data has\nbeen received and processed by OpenSSL but the application has only read part of\nthis data. Again a call to SSL_free_buffers will succeed even though the buffer\nis still in use.\n\nWhile these scenarios could occur accidentally during normal operation a\nmalicious attacker could attempt to engineer a stituation where this occurs.\nWe are not aware of this issue being actively exploited.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.", + "recommendation": "Upgrade libcrypto3 to version 3.0.14-r0; Upgrade libssl3 to version 3.0.14-r0", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2024-4741" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:9333" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2024-4741" + }, + { + "url": "https://bugzilla.redhat.com/2274020" + }, + { + "url": "https://bugzilla.redhat.com/2281029" + }, + { + "url": "https://bugzilla.redhat.com/2283757" + }, + { + "url": "https://bugzilla.redhat.com/2294581" + }, + { + "url": "https://errata.almalinux.org/9/ALSA-2024-9333.html" + }, + { + "url": 
"https://github.com/openssl/openssl/commit/704f725b96aa373ee45ecfb23f6abfe8be8d9177" + }, + { + "url": "https://github.com/openssl/openssl/commit/b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d" + }, + { + "url": "https://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac" + }, + { + "url": "https://github.com/openssl/openssl/commit/e5093133c35ca82874ad83697af76f4b0f7e3bd8" + }, + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/f7a045f3143fc6da2ee66bf52d8df04829590dd4" + }, + { + "url": "https://linux.oracle.com/cve/CVE-2024-4741.html" + }, + { + "url": "https://linux.oracle.com/errata/ELSA-2024-9333.html" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4741" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6937-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-4741" + }, + { + "url": "https://www.openssl.org/news/secadv/20240528.txt" + } + ], + "published": "2024-11-13T11:15:04+00:00", + "updated": "2024-11-13T17:01:16+00:00", + "affects": [ + { + "ref": "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2024-5535", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + "source": { + "name": "alma" + }, + "severity": "high" + }, + { + "source": { + "name": "amazon" + }, + "severity": "medium" + }, + { + "source": { + "name": "azure" + }, + "severity": "critical" + }, + { + "source": { + "name": "cbl-mariner" + }, + "severity": "critical" + }, + { + "source": { + "name": "oracle-oval" + }, + "severity": "high" + }, + { + "source": { + "name": "photon" + }, + "severity": "critical" + }, + { + "source": { + "name": "redhat" + }, + "score": 5.9, + "severity": "low", + 
"method": "CVSSv3", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "rocky" + }, + "severity": "low" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "low" + } + ], + "cwes": [ + 200 + ], + "description": "Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an\nempty supported client protocols buffer may cause a crash or memory contents to\nbe sent to the peer.\n\nImpact summary: A buffer overread can have a range of potential consequences\nsuch as unexpected application beahviour or a crash. In particular this issue\ncould result in up to 255 bytes of arbitrary private data from memory being sent\nto the peer leading to a loss of confidentiality. However, only applications\nthat directly call the SSL_select_next_proto function with a 0 length list of\nsupported client protocols are affected by this issue. This would normally never\nbe a valid scenario and is typically not under attacker control but may occur by\naccident in the case of a configuration or programming error in the calling\napplication.\n\nThe OpenSSL API function SSL_select_next_proto is typically used by TLS\napplications that support ALPN (Application Layer Protocol Negotiation) or NPN\n(Next Protocol Negotiation). NPN is older, was never standardised and\nis deprecated in favour of ALPN. We believe that ALPN is significantly more\nwidely deployed than NPN. The SSL_select_next_proto function accepts a list of\nprotocols from the server and a list of protocols from the client and returns\nthe first protocol that appears in the server list that also appears in the\nclient list. In the case of no overlap between the two lists it returns the\nfirst item in the client list. In either case it will signal whether an overlap\nbetween the two lists was found. 
In the case where SSL_select_next_proto is\ncalled with a zero length client list it fails to notice this condition and\nreturns the memory immediately following the client list pointer (and reports\nthat there was no overlap in the lists).\n\nThis function is typically called from a server side application callback for\nALPN or a client side application callback for NPN. In the case of ALPN the list\nof protocols supplied by the client is guaranteed by libssl to never be zero in\nlength. The list of server protocols comes from the application and should never\nnormally be expected to be of zero length. In this case if the\nSSL_select_next_proto function has been called as expected (with the list\nsupplied by the client passed in the client/client_len parameters), then the\napplication will not be vulnerable to this issue. If the application has\naccidentally been configured with a zero length server list, and has\naccidentally passed that zero length server list in the client/client_len\nparameters, and has additionally failed to correctly handle a \"no overlap\"\nresponse (which would normally result in a handshake failure in ALPN) then it\nwill be vulnerable to this problem.\n\nIn the case of NPN, the protocol permits the client to opportunistically select\na protocol when there is no overlap. OpenSSL returns the first client protocol\nin the no overlap case in support of this. The list of client protocols comes\nfrom the application and should never normally be expected to be of zero length.\nHowever if the SSL_select_next_proto function is accidentally called with a\nclient_len of 0 then an invalid memory pointer will be returned instead. If the\napplication uses this output as the opportunistic protocol then the loss of\nconfidentiality will occur.\n\nThis issue has been assessed as Low severity because applications are most\nlikely to be vulnerable if they are using NPN instead of ALPN - but NPN is not\nwidely used. 
It also requires an application configuration or programming error.\nFinally, this issue would not typically be under attacker control making active\nexploitation unlikely.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.\n\nDue to the low severity of this issue we are not issuing new releases of\nOpenSSL at this time. The fix will be included in the next releases when they\nbecome available.", + "recommendation": "Upgrade libcrypto3 to version 3.0.14-r0; Upgrade libssl3 to version 3.0.14-r0", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2024-5535" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/06/27/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/06/28/4" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/08/15/1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2025:1671" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2024-5535" + }, + { + "url": "https://bugzilla.redhat.com/2294581" + }, + { + "url": "https://bugzilla.redhat.com/2294676" + }, + { + "url": "https://bugzilla.redhat.com/2301888" + }, + { + "url": "https://bugzilla.redhat.com/2318857" + }, + { + "url": "https://bugzilla.redhat.com/2318858" + }, + { + "url": "https://bugzilla.redhat.com/2318870" + }, + { + "url": "https://bugzilla.redhat.com/2318873" + }, + { + "url": "https://bugzilla.redhat.com/2318874" + }, + { + "url": "https://bugzilla.redhat.com/2318876" + }, + { + "url": "https://bugzilla.redhat.com/2318882" + }, + { + "url": "https://bugzilla.redhat.com/2318883" + }, + { + "url": "https://bugzilla.redhat.com/2318884" + }, + { + "url": "https://bugzilla.redhat.com/2318885" + }, + { + "url": "https://bugzilla.redhat.com/2318886" + }, + { + "url": "https://bugzilla.redhat.com/2318897" + }, + { + "url": "https://bugzilla.redhat.com/2318900" + }, + { + "url": "https://bugzilla.redhat.com/2318905" + }, + { + "url": "https://bugzilla.redhat.com/2318914" + }, + { + "url": 
"https://bugzilla.redhat.com/2318922" + }, + { + "url": "https://bugzilla.redhat.com/2318923" + }, + { + "url": "https://bugzilla.redhat.com/2318925" + }, + { + "url": "https://bugzilla.redhat.com/2318926" + }, + { + "url": "https://bugzilla.redhat.com/2318927" + }, + { + "url": "https://bugzilla.redhat.com/2331191" + }, + { + "url": "https://bugzilla.redhat.com/2339218" + }, + { + "url": "https://bugzilla.redhat.com/2339220" + }, + { + "url": "https://bugzilla.redhat.com/2339221" + }, + { + "url": "https://bugzilla.redhat.com/2339226" + }, + { + "url": "https://bugzilla.redhat.com/2339231" + }, + { + "url": "https://bugzilla.redhat.com/2339236" + }, + { + "url": "https://bugzilla.redhat.com/2339238" + }, + { + "url": "https://bugzilla.redhat.com/2339243" + }, + { + "url": "https://bugzilla.redhat.com/2339247" + }, + { + "url": "https://bugzilla.redhat.com/2339252" + }, + { + "url": "https://bugzilla.redhat.com/2339259" + }, + { + "url": "https://bugzilla.redhat.com/2339266" + }, + { + "url": "https://bugzilla.redhat.com/2339270" + }, + { + "url": "https://bugzilla.redhat.com/2339271" + }, + { + "url": "https://bugzilla.redhat.com/2339275" + }, + { + "url": "https://bugzilla.redhat.com/2339277" + }, + { + "url": "https://bugzilla.redhat.com/2339281" + }, + { + "url": "https://bugzilla.redhat.com/2339284" + }, + { + "url": "https://bugzilla.redhat.com/2339291" + }, + { + "url": "https://bugzilla.redhat.com/2339293" + }, + { + "url": "https://bugzilla.redhat.com/2339295" + }, + { + "url": "https://bugzilla.redhat.com/2339299" + }, + { + "url": "https://bugzilla.redhat.com/2339300" + }, + { + "url": "https://bugzilla.redhat.com/2339304" + }, + { + "url": "https://bugzilla.redhat.com/2339305" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2294581" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5535" + }, + { + "url": "https://errata.almalinux.org/9/ALSA-2025-1671.html" + }, + { + "url": 
"https://errata.rockylinux.org/RLSA-2024:7848" + }, + { + "url": "https://github.com/openssl/openssl/commit/4ada436a1946cbb24db5ab4ca082b69c1bc10f37" + }, + { + "url": "https://github.com/openssl/openssl/commit/99fb785a5f85315b95288921a321a935ea29a51e" + }, + { + "url": "https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c" + }, + { + "url": "https://github.com/openssl/openssl/commit/e86ac436f0bd54d4517745483e2315650fae7b2c" + }, + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/9947251413065a05189a63c9b7a6c1d4e224c21c" + }, + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/b78ec0824da857223486660177d3b1f255c65d87" + }, + { + "url": "https://linux.oracle.com/cve/CVE-2024-5535.html" + }, + { + "url": "https://linux.oracle.com/errata/ELSA-2025-1673.html" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5535" + }, + { + "url": "https://openssl.org/news/secadv/20240627.txt" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240712-0005/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6937-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-5535" + }, + { + "url": "https://www.openssl.org/news/secadv/20240627.txt" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2024.html#AppendixMSQL" + } + ], + "published": "2024-06-27T11:15:24+00:00", + "updated": "2024-11-21T09:47:53+00:00", + "affects": [ + { + "ref": "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2024-6119", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + "source": { + "name": "alma" + }, + "severity": "medium" + }, + { + "source": { + "name": 
"amazon" + }, + "severity": "medium" + }, + { + "source": { + "name": "azure" + }, + "severity": "high" + }, + { + "source": { + "name": "cbl-mariner" + }, + "severity": "high" + }, + { + "source": { + "name": "nvd" + }, + "score": 7.5, + "severity": "high", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "oracle-oval" + }, + "severity": "medium" + }, + { + "source": { + "name": "photon" + }, + "severity": "high" + }, + { + "source": { + "name": "redhat" + }, + "score": 5.9, + "severity": "medium", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" + }, + { + "source": { + "name": "rocky" + }, + "severity": "medium" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "medium" + } + ], + "cwes": [ + 843 + ], + "description": "Issue summary: Applications performing certificate name checks (e.g., TLS\nclients checking server certificates) may attempt to read an invalid memory\naddress resulting in abnormal termination of the application process.\n\nImpact summary: Abnormal termination of an application can a cause a denial of\nservice.\n\nApplications performing certificate name checks (e.g., TLS clients checking\nserver certificates) may attempt to read an invalid memory address when\ncomparing the expected name with an `otherName` subject alternative name of an\nX.509 certificate. This may result in an exception that terminates the\napplication program.\n\nNote that basic certificate chain validation (signatures, dates, ...) is not\naffected, the denial of service can occur only when the application also\nspecifies an expected DNS name, Email address or IP address.\n\nTLS servers rarely solicit client certificates, and even when they do, they\ngenerally don't perform a name check against a reference identifier (expected\nidentity), but rather extract the presented identity after checking the\ncertificate chain. 
So TLS servers are generally not affected and the severity\nof the issue is Moderate.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.", + "recommendation": "Upgrade libcrypto3 to version 3.0.15-r0; Upgrade libssl3 to version 3.0.15-r0", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2024-6119" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/09/03/4" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:8935" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2024-6119" + }, + { + "url": "https://bugzilla.redhat.com/2306158" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2306158" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6119" + }, + { + "url": "https://errata.almalinux.org/9/ALSA-2024-8935.html" + }, + { + "url": "https://errata.rockylinux.org/RLSA-2024:6783" + }, + { + "url": "https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f" + }, + { + "url": "https://github.com/openssl/openssl/commit/06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6" + }, + { + "url": "https://github.com/openssl/openssl/commit/621f3729831b05ee828a3203eddb621d014ff2b2" + }, + { + "url": "https://github.com/openssl/openssl/commit/7dfcee2cd2a63b2c64b9b4b0850be64cb695b0a0" + }, + { + "url": "https://github.com/openssl/openssl/security/advisories/GHSA-5qrj-vq78-58fj" + }, + { + "url": "https://linux.oracle.com/cve/CVE-2024-6119.html" + }, + { + "url": "https://linux.oracle.com/errata/ELSA-2024-8935.html" + }, + { + "url": "https://lists.freebsd.org/archives/freebsd-security/2024-September/000303.html" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6119" + }, + { + "url": "https://openssl-library.org/news/secadv/20240903.txt" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20240912-0001/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6986-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-6119" 
+ } + ], + "published": "2024-09-03T16:15:07+00:00", + "updated": "2025-06-03T10:51:54+00:00", + "affects": [ + { + "ref": "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2024-9143", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [ + { + "source": { + "name": "amazon" + }, + "severity": "high" + }, + { + "source": { + "name": "photon" + }, + "severity": "medium" + }, + { + "source": { + "name": "redhat" + }, + "score": 3.7, + "severity": "low", + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" + }, + { + "source": { + "name": "ubuntu" + }, + "severity": "low" + } + ], + "cwes": [ + 787 + ], + "description": "Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted\nexplicit values for the field polynomial can lead to out-of-bounds memory reads\nor writes.\n\nImpact summary: Out of bound memory writes can lead to an application crash or\neven a possibility of a remote code execution, however, in all the protocols\ninvolving Elliptic Curve Cryptography that we're aware of, either only \"named\ncurves\" are supported, or, if explicit curve parameters are supported, they\nspecify an X9.62 encoding of binary (GF(2^m)) curves that can't represent\nproblematic input values. Thus the likelihood of existence of a vulnerable\napplication is low.\n\nIn particular, the X9.62 encoding is used for ECC keys in X.509 certificates,\nso problematic inputs cannot occur in the context of processing X.509\ncertificates. 
Any problematic use-cases would have to be using an \"exotic\"\ncurve encoding.\n\nThe affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(),\nand various supporting BN_GF2m_*() functions.\n\nApplications working with \"exotic\" explicit binary (GF(2^m)) curve parameters,\nthat make it possible to represent invalid field polynomials with a zero\nconstant term, via the above or similar APIs, may terminate abruptly as a\nresult of reading or writing outside of array bounds. Remote code execution\ncannot easily be ruled out.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.", + "recommendation": "Upgrade libcrypto3 to version 3.0.15-r1; Upgrade libssl3 to version 3.0.15-r1", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2024-9143" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/10/16/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/10/23/1" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2024/10/24/1" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2024-9143" + }, + { + "url": "https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712" + }, + { + "url": "https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700" + }, + { + "url": "https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4" + }, + { + "url": "https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154" + }, + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/8efc0cbaa8ebba8e116f7b81a876a4123594d86a" + }, + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/9d576994cec2b7aa37a91740ea7e680810957e41" + }, + { + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9143" + }, + { + "url": "https://openssl-library.org/news/secadv/20241016.txt" + }, + { + "url": "https://security.netapp.com/advisory/ntap-20241101-0001/" + }, + { + "url": 
"https://ubuntu.com/security/notices/USN-7264-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-7278-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-9143" + } + ], + "published": "2024-10-16T17:15:18+00:00", + "updated": "2024-11-21T09:54:04+00:00", + "affects": [ + { + "ref": "pkg:apk/alpine/libcrypto3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/libssl3@3.0.7-r0?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "3.0.7-r0", + "status": "affected" + } + ] + } + ] + }, + { + "id": "CVE-2025-26519", + "source": { + "name": "alpine", + "url": "https://secdb.alpinelinux.org/" + }, + "ratings": [], + "cwes": [ + 787 + ], + "description": "musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds write vulnerability when an attacker can trigger iconv conversion of untrusted EUC-KR text to UTF-8.", + "recommendation": "Upgrade musl to version 1.2.3-r6; Upgrade musl-utils to version 1.2.3-r6", + "advisories": [ + { + "url": "https://avd.aquasec.com/nvd/cve-2025-26519" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2025/02/13/2" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2025/02/13/3" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2025/02/13/4" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2025/02/13/5" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2025/02/14/5" + }, + { + "url": "http://www.openwall.com/lists/oss-security/2025/02/14/6" + }, + { + "url": "https://git.musl-libc.org/cgit/musl/commit/?id=c47ad25ea3b484e10326f933e927c0bc8cded3da" + }, + { + "url": "https://git.musl-libc.org/cgit/musl/commit/?id=e5adcd97b5196e29991b524237381a0202a60659" + }, + { + "url": "https://www.openwall.com/lists/oss-security/2025/02/13/2" + } + ], + "published": "2025-02-14T04:15:09+00:00", + "updated": "2025-02-14T17:15:23+00:00", + "affects": [ + { + "ref": 
"pkg:apk/alpine/musl-utils@1.2.3-r4?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "1.2.3-r4", + "status": "affected" + } + ] + }, + { + "ref": "pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64&distro=3.17.0", + "versions": [ + { + "version": "1.2.3-r4", + "status": "affected" + } + ] + } + ] + } + ] +} diff --git a/scanpipe/tests/test_scan_integrations.py b/scanpipe/tests/test_scan_integrations.py new file mode 100644 index 0000000000..6095b975fa --- /dev/null +++ b/scanpipe/tests/test_scan_integrations.py 
@@ -0,0 +1,52 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# http://nexb.com and https://github.com/nexB/scancode.io
+# The ScanCode.io software is licensed under the Apache License version 2.0.
+# Data generated with ScanCode.io is provided as-is without warranties.
+# ScanCode is a trademark of nexB Inc.
+#
+# You may not use this software except in compliance with the License.
+# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+# Data Generated with ScanCode.io is provided on an "AS IS" BASIS, WITHOUT WARRANTIES
+# OR CONDITIONS OF ANY KIND, either express or implied. No content created from
+# ScanCode.io should be considered or used as legal advice. Consult an Attorney
+# for any legal advice.
+#
+# ScanCode.io is a free software code scanning tool from nexB Inc. and others.
+# Visit https://github.com/nexB/scancode.io for support and download.
+
+from pathlib import Path
+
+from django.test import TestCase
+
+from scanpipe.tests import make_project
+
+
+class ScanPipeSCAIntegrationsTest(TestCase):
+ data = Path(__file__).parent / "data"
+
+ def test_scanpipe_scan_integrations_load_sbom_trivy(self):
+ # Input file generated with:
+ # $ trivy image --scanners vuln,license --format cyclonedx \
+ # --output trivy-alpine-3.17-sbom.json alpine:3.17.0
+ input_location = self.data / "sca-integrations" / "trivy-alpine-3.17-sbom.json"
+
+ pipeline_name = "load_sbom"
+ project1 = make_project()
+ project1.copy_input_from(input_location)
+
+ run = project1.add_pipeline(pipeline_name)
+ pipeline = run.make_pipeline_instance()
+
+ exitcode, out = pipeline.execute()
+ self.assertEqual(0, exitcode, msg=out)
+
+ self.assertEqual(1, project1.codebaseresources.count())
+ self.assertEqual(16, project1.discoveredpackages.count())
+ self.assertEqual(7, project1.discoveredpackages.vulnerable().count())
+ self.assertEqual(25, project1.discovereddependencies.count())
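Review bot: The regeneration comment above `input_location` records the Trivy command but not the Trivy version or the vulnerability-database date it was run with, so the fixture and the pinned counts (16 packages, 7 vulnerable, 25 dependencies) cannot be reproduced once the DB moves on; extend it with `# Trivy <VERSION>, vulnerability DB as of <DATE>` (placeholders to fill in from the actual run). The count assertions also say nothing about which data was loaded, so a loader that keeps the rows but drops the vulnerability linkage would still pass as long as the totals happen to match. One content-level check tied to the fixture, e.g. `self.assertTrue(project1.discoveredpackages.vulnerable().filter(name="libcrypto3").exists())` — the fixture lists `pkg:apk/alpine/libcrypto3@3.0.7-r0` as affected by several of the included CVEs — would pin the behaviour the counts are meant to cover.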