Description
1. Introduction
This report summarizes the vulnerabilities identified through the Prisma scan conducted.
The identified vulnerabilities have been categorized based on their severity levels, potential impacts, and recommended actions for remediation.
2. Vulnerabilities
2.1 Critical Vulnerabilities
Vulnerability: CVE-2024-45337
Description: Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.
The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.
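To make the mechanism above concrete, here is a small Go model of the SSH public-key auth loop, added here as an illustration; it is not code from this report or from x/crypto/ssh, and the server loop, key names A/B and session ID are constructed. It shows why recording the last key handed to the callback is wrong, and why the safe pattern is to return permissions from the callback and use the permissions bound to the connection after the handshake (in x/crypto/ssh: return *ssh.Permissions and read ServerConn.Permissions).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
)

// Teaching model of SSH "publickey" auth (RFC 4252 section 7), not x/crypto/ssh code:
// a client may offer a key WITHOUT a signature to ask whether it is acceptable.
type authRequest struct {
	key ed25519.PublicKey
	sig []byte // nil = query only, no proof of possession
}

// permissions stands in for *ssh.Permissions returned by the callback.
type permissions struct{ Fingerprint string }

func fp(k ed25519.PublicKey) string { return hex.EncodeToString(k[:8]) }

// runAuth plays the server's auth loop. Like x/crypto/ssh it caches the callback
// result per key, so re-offering a key does not invoke the callback again. It
// returns the permissions bound to the key that proved possession, or nil.
func runAuth(sessionID []byte, reqs []authRequest,
	cb func(ed25519.PublicKey) (*permissions, error)) *permissions {
	cache := map[string]*permissions{}
	for _, r := range reqs {
		perms, seen := cache[fp(r.key)]
		if !seen {
			perms, _ = cb(r.key) // a rejected key is cached as nil
			cache[fp(r.key)] = perms
		}
		if perms == nil || r.sig == nil {
			continue // rejected key, or a query: nothing authenticated yet
		}
		if ed25519.Verify(r.key, sessionID, r.sig) {
			return perms
		}
	}
	return nil
}

// Demo: the client queries A, queries B, then authenticates with A. It returns what
// an app that remembers the last callback key records, versus the key that signed.
func Demo() (recorded, actual string) {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, _, _ := ed25519.GenerateKey(rand.Reader)
	session := []byte("constructed-session-id") // stand-in for the SSH session ID
	var lastSeen string // vulnerable pattern: state captured inside the callback
	cb := func(k ed25519.PublicKey) (*permissions, error) {
		lastSeen = fp(k)
		return &permissions{Fingerprint: fp(k)}, nil
	}
	reqs := []authRequest{{key: pubA}, {key: pubB}, {key: pubA, sig: ed25519.Sign(privA, session)}}
	return lastSeen, runAuth(session, reqs, cb).Fingerprint // safe: use the bound perms
}
```

Running Demo shows the recorded fingerprint is B's while the key that actually authenticated is A, which is exactly the incorrect assumption the advisory warns about.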
Vulnerability: CVE-2023-23914
Description: A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly be ignored by subsequent transfers when done on the same command line because the state would not be properly carried on.
Vulnerability: CVE-2025-21613
Description: An argument injection vulnerability was discovered in go-git versions prior to v5.13.
Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries.
Vulnerability: CVE-2023-45853
Description: MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.
Vulnerability: CVE-2019-8457
Description: SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.
3. How to reproduce it (as minimally and precisely as possible):
Scan your image via Prisma and you will see the issues.
Affected versions: v0.11.4
4. Conclusion
The Prisma scan identified several vulnerabilities in the environment.
Immediate attention should be given to critical and high-severity vulnerabilities to mitigate potential risks.
Medium and low-severity vulnerabilities should also be addressed in a timely manner to strengthen the security posture.
Continuous monitoring and regular vulnerability assessments are recommended to ensure ongoing security.
See the screenshot for more details.
Please review this report and prioritize the remediation efforts accordingly.