gl-container-scanning-report.json
{"vulnerabilities":[{"id":"bd1772d9770ba7c19e1ea708931848e8d8e42794","severity":"Low","location":{"dependency":{"package":{"name":"bash"},"version":"5.1-6ubuntu1"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2022-3715","value":"CVE-2022-3715","url":"https://access.redhat.com/errata/RHSA-2023:0340"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2023:0340"},{"url":"https://access.redhat.com/security/cve/CVE-2022-3715"},{"url":"https://bugzilla.redhat.com/2126720"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2126720"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3715"},{"url":"https://errata.almalinux.org/9/ALSA-2023-0340.html"},{"url":"https://errata.rockylinux.org/RLSA-2023:0340"},{"url":"https://linux.oracle.com/cve/CVE-2022-3715.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-0340.html"},{"url":"https://lists.gnu.org/archive/html/bug-bash/2022-08/msg00147.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-3715"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-3715"}],"description":"A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. 
This issue may lead to memory problems.","solution":"No solution provided"},{"id":"62968d2ba1d4cfeecc21c123bb7980d77ee3ed27","severity":"Low","location":{"dependency":{"package":{"name":"coreutils"},"version":"8.32-4.1ubuntu1"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2016-2781","value":"CVE-2016-2781","url":"http://seclists.org/oss-sec/2016/q1/452"}],"links":[{"url":"http://seclists.org/oss-sec/2016/q1/452"},{"url":"http://www.openwall.com/lists/oss-security/2016/02/28/2"},{"url":"http://www.openwall.com/lists/oss-security/2016/02/28/3"},{"url":"https://access.redhat.com/security/cve/CVE-2016-2781"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2781"},{"url":"https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E"},{"url":"https://lore.kernel.org/patchwork/patch/793178/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-2781"},{"url":"https://www.cve.org/CVERecord?id=CVE-2016-2781"}],"description":"chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.","solution":"No solution provided"},{"id":"ac322cb0bb1f2860db3f2264443c709ae6b61934","severity":"High","location":{"dependency":{"package":{"name":"curl"},"version":"7.81.0-1ubuntu1.8"},"operating_system":"ubuntu 
22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-38545","value":"CVE-2023-38545","url":"https://access.redhat.com/security/cve/CVE-2023-38545"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2023-38545"},{"url":"https://curl.se/docs/CVE-2023-38545.html"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38545"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-38545"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-38545"}],"description":"A heap-based buffer overflow flaw was found in the SOCKS5 proxy handshake in the Curl package. If Curl is unable to resolve the address itself, it passes the hostname to the SOCKS5 proxy. However, the maximum length of the hostname that can be passed is 255 bytes. If the hostname is longer, then Curl switches to the local name resolving and passes the resolved address only to the proxy. The local variable that instructs Curl to \"let the host resolve the name\" could obtain the wrong value during a slow SOCKS5 handshake, resulting in the too-long hostname being copied to the target buffer instead of the resolved address, which was not the intended behavior.","solution":"No solution provided"},{"id":"8803fb8b72c1cc5c6fd3c60b3797fc8ad6b70d78","severity":"Medium","location":{"dependency":{"package":{"name":"curl"},"version":"7.81.0-1ubuntu1.8"},"operating_system":"ubuntu 
22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-27535","value":"CVE-2023-27535","url":"https://access.redhat.com/errata/RHSA-2023:3106"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2023:3106"},{"url":"https://access.redhat.com/security/cve/CVE-2023-27535"},{"url":"https://bugzilla.redhat.com/2179073"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2179073"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2188029"},{"url":"https://curl.se/docs/CVE-2023-27535.html"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27535"},{"url":"https://errata.almalinux.org/8/ALSA-2023-3106.html"},{"url":"https://errata.rockylinux.org/RLSA-2023:3106"},{"url":"https://hackerone.com/reports/1892780"},{"url":"https://linux.oracle.com/cve/CVE-2023-27535.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-3106.html"},{"url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27535"},{"url":"https://security.netapp.com/advisory/ntap-20230420-0010/"},{"url":"https://ubuntu.com/security/notices/USN-5964-1"},{"url":"https://ubuntu.com/security/notices/USN-5964-2"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-27535"}],"description":"An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. 
This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.","solution":"Upgrade curl to 7.81.0-1ubuntu1.10"},{"id":"a20e2d3fbc67f742402d473dac72634a2e366544","severity":"Low","location":{"dependency":{"package":{"name":"curl"},"version":"7.81.0-1ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-27533","value":"CVE-2023-27533","url":"https://access.redhat.com/security/cve/CVE-2023-27533"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2023-27533"},{"url":"https://curl.se/docs/CVE-2023-27533.html"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27533"},{"url":"https://hackerone.com/reports/1891474"},{"url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27533"},{"url":"https://security.netapp.com/advisory/ntap-20230420-0011/"},{"url":"https://ubuntu.com/security/notices/USN-5964-1"},{"url":"https://ubuntu.com/security/notices/USN-5964-2"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-27533"}],"description":"A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and \"telnet options\" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application's intent. 
This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system.","solution":"Upgrade curl to 7.81.0-1ubuntu1.10"},{"id":"a1c5c8b43bbdb90c7b8e17de92a33d8cb908403c","severity":"Low","location":{"dependency":{"package":{"name":"curl"},"version":"7.81.0-1ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-27534","value":"CVE-2023-27534","url":"https://access.redhat.com/security/cve/CVE-2023-27534"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2023-27534"},{"url":"https://curl.se/docs/CVE-2023-27534.html"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27534"},{"url":"https://hackerone.com/reports/1892351"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27534"},{"url":"https://security.netapp.com/advisory/ntap-20230420-0012/"},{"url":"https://ubuntu.com/security/notices/USN-5964-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-27534"}],"description":"A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. 
Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user.","solution":"Upgrade curl to 7.81.0-1ubuntu1.10"},{"id":"855fb79020772adc253ef203251d04d036b42d71","severity":"Low","location":{"dependency":{"package":{"name":"curl"},"version":"7.81.0-1ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-27536","value":"CVE-2023-27536","url":"https://access.redhat.com/errata/RHSA-2023:4523"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2023:4523"},{"url":"https://access.redhat.com/security/cve/CVE-2023-27536"},{"url":"https://bugzilla.redhat.com/2179092"},{"url":"https://bugzilla.redhat.com/2196786"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2179092"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2196786"},{"url":"https://curl.se/docs/CVE-2023-27536.html"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27536"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28321"},{"url":"https://errata.almalinux.org/8/ALSA-2023-4523.html"},{"url":"https://errata.rockylinux.org/RLSA-2023:4523"},{"url":"https://hackerone.com/reports/1895135"},{"url":"https://linux.oracle.com/cve/CVE-2023-27536.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-4523.html"},{"url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27536"},{"url":"https://security.netapp.com/advisory/ntap-20230420-0010/"},{"url":"https://ubuntu.com/security/notices/USN-5964-1"},{"url":"https://ubuntu.com/security/notices/USN-5964-2"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-27536"}],"description":"An authentication 
bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.","solution":"Upgrade curl to 7.81.0-1ubuntu1.10"},{"id":"95b035697e5bda94706351b48042441354d86943","severity":"Low","location":{"dependency":{"package":{"name":"curl"},"version":"7.81.0-1ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-27538","value":"CVE-2023-27538","url":"https://access.redhat.com/security/cve/CVE-2023-27538"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2023-27538"},{"url":"https://curl.se/docs/CVE-2023-27538.html"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27538"},{"url":"https://hackerone.com/reports/1898475"},{"url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27538"},{"url":"https://security.netapp.com/advisory/ntap-20230420-0010/"},{"url":"https://ubuntu.com/security/notices/USN-5964-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-27538"}],"description":"An authentication bypass vulnerability exists in libcurl prior to v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. 
libcurl maintains a pool of previously used connections to reuse them for subsequent transfers if the configurations match. However, two SSH settings were omitted from the configuration check, allowing them to match easily, potentially leading to the reuse of an inappropriate connection.","solution":"Upgrade curl to 7.81.0-1ubuntu1.10"},{"id":"39384ed39f6cd1b03cb54ae6914c2e55ee2fb472","severity":"Low","location":{"dependency":{"package":{"name":"curl"},"version":"7.81.0-1ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-28321","value":"CVE-2023-28321","url":"http://seclists.org/fulldisclosure/2023/Jul/47"}],"links":[{"url":"http://seclists.org/fulldisclosure/2023/Jul/47"},{"url":"http://seclists.org/fulldisclosure/2023/Jul/48"},{"url":"http://seclists.org/fulldisclosure/2023/Jul/52"},{"url":"https://access.redhat.com/errata/RHSA-2023:4523"},{"url":"https://access.redhat.com/security/cve/CVE-2023-28321"},{"url":"https://bugzilla.redhat.com/2179092"},{"url":"https://bugzilla.redhat.com/2196786"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2179092"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2196786"},{"url":"https://curl.se/docs/CVE-2023-28321.html"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27536"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28321"},{"url":"https://errata.almalinux.org/8/ALSA-2023-4523.html"},{"url":"https://errata.rockylinux.org/RLSA-2023:4523"},{"url":"https://hackerone.com/reports/1950627"},{"url":"https://linux.oracle.com/cve/CVE-2023-28321.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-4523.html"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/F4I75RDGX5ULSSCBE5BF3P5I5SFO7ULQ/"},{"url":"https://lists.fedoraproject.org/archives/list/[email 
protected]/message/Z2LIWHWKOVH24COGGBCVOWDXXIUPKOMK/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28321"},{"url":"https://security.netapp.com/advisory/ntap-20230609-0009/"},{"url":"https://support.apple.com/kb/HT213843"},{"url":"https://support.apple.com/kb/HT213844"},{"url":"https://support.apple.com/kb/HT213845"},{"url":"https://ubuntu.com/security/notices/USN-6237-1"},{"url":"https://ubuntu.com/security/notices/USN-6237-3"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-28321"}],"description":"An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as \"Subject Alternative Name\" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before used for certificate checks. 
Puny coded names always start with `xn--` and should not be allowed to pattern match, but the wildcard check in curl could still check for `x*`, which would match even though the IDN name most likely contained nothing even resembling an `x`.","solution":"Upgrade curl to 7.81.0-1ubuntu1.11"},{"id":"29b7a7165d1193962ca1dadd13bbe729b7347fd0","severity":"Low","location":{"dependency":{"package":{"name":"curl"},"version":"7.81.0-1ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-28322","value":"CVE-2023-28322","url":"http://seclists.org/fulldisclosure/2023/Jul/47"}],"links":[{"url":"http://seclists.org/fulldisclosure/2023/Jul/47"},{"url":"http://seclists.org/fulldisclosure/2023/Jul/48"},{"url":"http://seclists.org/fulldisclosure/2023/Jul/52"},{"url":"https://access.redhat.com/errata/RHSA-2023:4354"},{"url":"https://access.redhat.com/security/cve/CVE-2023-28322"},{"url":"https://bugzilla.redhat.com/2196786"},{"url":"https://bugzilla.redhat.com/2196793"},{"url":"https://curl.se/docs/CVE-2023-28322.html"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28322"},{"url":"https://errata.almalinux.org/9/ALSA-2023-4354.html"},{"url":"https://hackerone.com/reports/1954658"},{"url":"https://linux.oracle.com/cve/CVE-2023-28322.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-4354.html"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/F4I75RDGX5ULSSCBE5BF3P5I5SFO7ULQ/"},{"url":"https://lists.fedoraproject.org/archives/list/[email 
protected]/message/Z2LIWHWKOVH24COGGBCVOWDXXIUPKOMK/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28322"},{"url":"https://security.netapp.com/advisory/ntap-20230609-0009/"},{"url":"https://support.apple.com/kb/HT213843"},{"url":"https://support.apple.com/kb/HT213844"},{"url":"https://support.apple.com/kb/HT213845"},{"url":"https://ubuntu.com/security/notices/USN-6237-1"},{"url":"https://ubuntu.com/security/notices/USN-6237-3"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-28322"}],"description":"An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. 
The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.","solution":"Upgrade curl to 7.81.0-1ubuntu1.11"},{"id":"aa0ccda41f1f84d0e2fde0e6f6d1ad4bc8401831","severity":"Low","location":{"dependency":{"package":{"name":"curl"},"version":"7.81.0-1ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-38546","value":"CVE-2023-38546","url":"https://curl.se/docs/CVE-2023-38546.html"}],"links":[{"url":"https://curl.se/docs/CVE-2023-38546.html"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38546"}],"description":"cookie injection with none file","solution":"No solution provided"},{"id":"e1e6411007676fd08030685f6220bc04640bce93","severity":"Low","location":{"dependency":{"package":{"name":"gcc-12-base"},"version":"12.1.0-2ubuntu1~22.04"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2022-27943","value":"CVE-2022-27943","url":"https://access.redhat.com/security/cve/CVE-2022-27943"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2022-27943"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27943"},{"url":"https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039"},{"url":"https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=9234cdca6ee88badfc00297e72f13dac4e540c79"},{"url":"https://gcc.gnu.org/pipermail/gcc-patches/2022-March/592244.html"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-27943"},{"url":"https://sourceware.org/bugzilla/show_bug.cgi?id=28995"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-27943"}],"description":"libiberty/rust-demangle.c in GNU GCC 
11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.","solution":"No solution provided"},{"id":"6ad3562ab2b32ec1e4d487c907a37f6b5828823c","severity":"Medium","location":{"dependency":{"package":{"name":"git"},"version":"1:2.34.1-1ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-25652","value":"CVE-2023-25652","url":"http://www.openwall.com/lists/oss-security/2023/04/25/2"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2023/04/25/2"},{"url":"https://access.redhat.com/errata/RHSA-2023:3246"},{"url":"https://access.redhat.com/security/cve/CVE-2023-25652"},{"url":"https://bugzilla.redhat.com/2168160"},{"url":"https://bugzilla.redhat.com/2168161"},{"url":"https://bugzilla.redhat.com/2188333"},{"url":"https://bugzilla.redhat.com/2188337"},{"url":"https://bugzilla.redhat.com/2188338"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2168160"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2168161"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2188333"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2188337"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2188338"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22490"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23946"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25652"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25815"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29007"},{"url":"https://errata.almalinux.org/8/ALSA-2023-3246.html"},{"url":"https://errata.rockylinux.org/RLSA-2023:3246"},{"url":"https://github.com/git/git/commit/18e2b1cfc80990719275d7b08e6e50f3e8cbc902"},{"url":"https://github.com/git/git/commit/668f2d53613ac8fd373926ebe219f2c29112d93e"},{"url":"https://github.com/git/git/security/advisori
es/GHSA-2hvf-7c8p-28fx"},{"url":"https://linux.oracle.com/cve/CVE-2023-25652.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-3263.html"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/PI7FZ4NNR5S5J5K6AMVQBH2JFP6NE4L7/"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/RKOXOAZ42HLXHXTW6JZI4L5DAIYDTYCU/"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/YFZWGQKB6MM5MNF2DLFTD7KS2KWPICKL/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25652"},{"url":"https://ubuntu.com/security/notices/USN-6050-1"},{"url":"https://ubuntu.com/security/notices/USN-6050-2"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-25652"}],"description":"Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. 
Use `git apply --stat` to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the `*.rej` file exists.","solution":"Upgrade git to 1:2.34.1-1ubuntu1.9"},{"id":"5ab391eeed7c9aae9d446fa379a8521ec6c41e9b","severity":"Medium","location":{"dependency":{"package":{"name":"git"},"version":"1:2.34.1-1ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-25815","value":"CVE-2023-25815","url":"http://www.openwall.com/lists/oss-security/2023/04/25/2"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2023/04/25/2"},{"url":"https://access.redhat.com/errata/RHSA-2023:3246"},{"url":"https://access.redhat.com/security/cve/CVE-2023-25815"},{"url":"https://axcheron.github.io/exploit-101-format-strings/#writing-to-the-stack"},{"url":"https://bugzilla.redhat.com/2168160"},{"url":"https://bugzilla.redhat.com/2168161"},{"url":"https://bugzilla.redhat.com/2188333"},{"url":"https://bugzilla.redhat.com/2188337"},{"url":"https://bugzilla.redhat.com/2188338"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2168160"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2168161"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2188333"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2188337"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2188338"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22490"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23946"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25652"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25815"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29007"},{"url":"https://errata.almalinux.org/8/ALSA-2023-3246.html"},{"url":"https://errata.rockylinux.org/RLSA-2023:3246"},{"url":"https://github.com/git-for-windows
/git/releases/tag/v2.40.1.windows.1"},{"url":"https://github.com/git-for-windows/git/security/advisories/GHSA-9w66-8mq8-5vm8"},{"url":"https://github.com/msys2/MINGW-packages/pull/10461"},{"url":"https://linux.oracle.com/cve/CVE-2023-25815.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-3246.html"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/PI7FZ4NNR5S5J5K6AMVQBH2JFP6NE4L7/"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/RKOXOAZ42HLXHXTW6JZI4L5DAIYDTYCU/"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/YFZWGQKB6MM5MNF2DLFTD7KS2KWPICKL/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25815"},{"url":"https://pubs.opengroup.org/onlinepubs/9699919799/functions/printf.html"},{"url":"https://ubuntu.com/security/notices/USN-6050-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-25815"}],"description":"In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer. As a consequence, Git is expected not to localize messages at all, and skips the gettext initialization. However, due to a change in MINGW-packages, the `gettext()` function's implicit initialization no longer uses the runtime prefix but uses the hard-coded path `C:\\mingw64\\share\\locale` to look for localized messages. And since any authenticated user has the permission to create folders in `C:\\` (and since `C:\\mingw64` does not typically exist), it is possible for low-privilege users to place fake messages in that location where `git.exe` will pick them up in version 2.40.1.\n\nThis vulnerability is relatively hard to exploit and requires social engineering. For example, a legitimate message at the end of a clone could be maliciously modified to ask the user to direct their web browser to a malicious website, and the user might think that the message comes from Git and is legitimate. 
It does require local write access by the attacker, though, which makes this attack vector less likely. Version 2.40.1 contains a patch for this issue. Some workarounds are available. Do not work on a Windows machine with shared accounts, or alternatively create a `C:\\mingw64` folder and leave it empty. Users who have administrative rights may remove the permission to create folders in `C:\\`.","solution":"Upgrade git to 1:2.34.1-1ubuntu1.9"},{"id":"748afe802790ce86253da260ca1007d9a7a4ea53","severity":"Medium","location":{"dependency":{"package":{"name":"git"},"version":"1:2.34.1-1ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-29007","value":"CVE-2023-29007","url":"https://access.redhat.com/errata/RHSA-2023:3246"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2023:3246"},{"url":"https://access.redhat.com/security/cve/CVE-2023-29007"},{"url":"https://bugzilla.redhat.com/2168160"},{"url":"https://bugzilla.redhat.com/2168161"},{"url":"https://bugzilla.redhat.com/2188333"},{"url":"https://bugzilla.redhat.com/2188337"},{"url":"https://bugzilla.redhat.com/2188338"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2168160"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2168161"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2188333"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2188337"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2188338"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22490"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23946"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25652"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25815"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29007"},{"url":"https://errata.almalinux.org/8/ALSA-2023-3246.html"},{"url":"https:/
/errata.rockylinux.org/RLSA-2023:3246"},{"url":"https://github.com/git/git/blob/9ce9dea4e1c2419cca126d29fa7730baa078a11b/Documentation/RelNotes/2.30.9.txt"},{"url":"https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4"},{"url":"https://github.com/git/git/security/advisories/GHSA-v48j-4xgg-4844"},{"url":"https://linux.oracle.com/cve/CVE-2023-29007.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-3263.html"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/PI7FZ4NNR5S5J5K6AMVQBH2JFP6NE4L7/"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/RKOXOAZ42HLXHXTW6JZI4L5DAIYDTYCU/"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/YFZWGQKB6MM5MNF2DLFTD7KS2KWPICKL/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-29007"},{"url":"https://ubuntu.com/security/notices/USN-6050-1"},{"url":"https://ubuntu.com/security/notices/USN-6050-2"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-29007"}],"description":"Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. 
As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`.","solution":"Upgrade git to 1:2.34.1-1ubuntu1.9"},{"id":"6e85bdeb4e8d2fccb7194bbc6904b3cfd960ca7d","severity":"Low","location":{"dependency":{"package":{"name":"git"},"version":"1:2.34.1-1ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2018-1000021","value":"CVE-2018-1000021","url":"http://www.batterystapl.es/2018/01/security-implications-of-ansi-escape.html"}],"links":[{"url":"http://www.batterystapl.es/2018/01/security-implications-of-ansi-escape.html"},{"url":"https://access.redhat.com/security/cve/CVE-2018-1000021"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000021"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000021"},{"url":"https://public-inbox.org/git/[email protected]/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-1000021"}],"description":"GIT version 2.15.1 and earlier contains a Input Validation Error vulnerability in Client that can result in problems including messing up terminal configuration to RCE. 
This attack appear to be exploitable via The user must interact with a malicious git server, (or have their traffic modified in a MITM attack).","solution":"No solution provided"},{"id":"c0181031a0aaad728a90efa7dcd3a2f6ead1347c","severity":"Medium","location":{"dependency":{"package":{"name":"git-man"},"version":"1:2.34.1-1ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-25652","value":"CVE-2023-25652","url":"http://www.openwall.com/lists/oss-security/2023/04/25/2"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2023/04/25/2"},{"url":"https://access.redhat.com/errata/RHSA-2023:3246"},{"url":"https://access.redhat.com/security/cve/CVE-2023-25652"},{"url":"https://bugzilla.redhat.com/2168160"},{"url":"https://bugzilla.redhat.com/2168161"},{"url":"https://bugzilla.redhat.com/2188333"},{"url":"https://bugzilla.redhat.com/2188337"},{"url":"https://bugzilla.redhat.com/2188338"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2168160"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2168161"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2188333"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2188337"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2188338"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22490"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23946"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25652"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25815"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29007"},{"url":"https://errata.almalinux.org/8/ALSA-2023-3246.html"},{"url":"https://errata.rockylinux.org/RLSA-2023:3246"},{"url":"https://github.com/git/git/commit/18e2b1cfc80990719275d7b08e6e50f3e8cbc902"},{"url":"https://github.com/git/git/commit/668f2d53613ac8fd373926e
be219f2c29112d93e"},{"url":"https://github.com/git/git/security/advisories/GHSA-2hvf-7c8p-28fx"},{"url":"https://linux.oracle.com/cve/CVE-2023-25652.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-3263.html"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/PI7FZ4NNR5S5J5K6AMVQBH2JFP6NE4L7/"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/RKOXOAZ42HLXHXTW6JZI4L5DAIYDTYCU/"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/YFZWGQKB6MM5MNF2DLFTD7KS2KWPICKL/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25652"},{"url":"https://ubuntu.com/security/notices/USN-6050-1"},{"url":"https://ubuntu.com/security/notices/USN-6050-2"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-25652"}],"description":"Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. 
Use `git apply --stat` to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the `*.rej` file exists.","solution":"Upgrade git-man to 1:2.34.1-1ubuntu1.9"},{"id":"78ed8a1b3389f8bc018b888f726005a6172d0b5c","severity":"Medium","location":{"dependency":{"package":{"name":"git-man"},"version":"1:2.34.1-1ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-25815","value":"CVE-2023-25815","url":"http://www.openwall.com/lists/oss-security/2023/04/25/2"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2023/04/25/2"},{"url":"https://access.redhat.com/errata/RHSA-2023:3246"},{"url":"https://access.redhat.com/security/cve/CVE-2023-25815"},{"url":"https://axcheron.github.io/exploit-101-format-strings/#writing-to-the-stack"},{"url":"https://bugzilla.redhat.com/2168160"},{"url":"https://bugzilla.redhat.com/2168161"},{"url":"https://bugzilla.redhat.com/2188333"},{"url":"https://bugzilla.redhat.com/2188337"},{"url":"https://bugzilla.redhat.com/2188338"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2168160"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2168161"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2188333"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2188337"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2188338"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22490"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23946"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25652"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25815"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29007"},{"url":"https://errata.almalinux.org/8/ALSA-2023-3246.html"},{"url":"https://errata.rockylinux.org/RLSA-2023:3246"},{"url":"https://github.com/git-for
-windows/git/releases/tag/v2.40.1.windows.1"},{"url":"https://github.com/git-for-windows/git/security/advisories/GHSA-9w66-8mq8-5vm8"},{"url":"https://github.com/msys2/MINGW-packages/pull/10461"},{"url":"https://linux.oracle.com/cve/CVE-2023-25815.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-3246.html"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/PI7FZ4NNR5S5J5K6AMVQBH2JFP6NE4L7/"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/RKOXOAZ42HLXHXTW6JZI4L5DAIYDTYCU/"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/YFZWGQKB6MM5MNF2DLFTD7KS2KWPICKL/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25815"},{"url":"https://pubs.opengroup.org/onlinepubs/9699919799/functions/printf.html"},{"url":"https://ubuntu.com/security/notices/USN-6050-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-25815"}],"description":"In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer. As a consequence, Git is expected not to localize messages at all, and skips the gettext initialization. However, due to a change in MINGW-packages, the `gettext()` function's implicit initialization no longer uses the runtime prefix but uses the hard-coded path `C:\\mingw64\\share\\locale` to look for localized messages. And since any authenticated user has the permission to create folders in `C:\\` (and since `C:\\mingw64` does not typically exist), it is possible for low-privilege users to place fake messages in that location where `git.exe` will pick them up in version 2.40.1.\n\nThis vulnerability is relatively hard to exploit and requires social engineering. For example, a legitimate message at the end of a clone could be maliciously modified to ask the user to direct their web browser to a malicious website, and the user might think that the message comes from Git and is legitimate. 
It does require local write access by the attacker, though, which makes this attack vector less likely. Version 2.40.1 contains a patch for this issue. Some workarounds are available. Do not work on a Windows machine with shared accounts, or alternatively create a `C:\\mingw64` folder and leave it empty. Users who have administrative rights may remove the permission to create folders in `C:\\`.","solution":"Upgrade git-man to 1:2.34.1-1ubuntu1.9"},{"id":"84f1b62ea6e65707467d1347766c327a81dd6e6b","severity":"Medium","location":{"dependency":{"package":{"name":"git-man"},"version":"1:2.34.1-1ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-29007","value":"CVE-2023-29007","url":"https://access.redhat.com/errata/RHSA-2023:3246"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2023:3246"},{"url":"https://access.redhat.com/security/cve/CVE-2023-29007"},{"url":"https://bugzilla.redhat.com/2168160"},{"url":"https://bugzilla.redhat.com/2168161"},{"url":"https://bugzilla.redhat.com/2188333"},{"url":"https://bugzilla.redhat.com/2188337"},{"url":"https://bugzilla.redhat.com/2188338"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2168160"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2168161"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2188333"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2188337"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2188338"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22490"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23946"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25652"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25815"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29007"},{"url":"https://errata.almalinux.org/8/ALSA-2023-3246.html"},{"url":
"https://errata.rockylinux.org/RLSA-2023:3246"},{"url":"https://github.com/git/git/blob/9ce9dea4e1c2419cca126d29fa7730baa078a11b/Documentation/RelNotes/2.30.9.txt"},{"url":"https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4"},{"url":"https://github.com/git/git/security/advisories/GHSA-v48j-4xgg-4844"},{"url":"https://linux.oracle.com/cve/CVE-2023-29007.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-3263.html"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/PI7FZ4NNR5S5J5K6AMVQBH2JFP6NE4L7/"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/RKOXOAZ42HLXHXTW6JZI4L5DAIYDTYCU/"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/YFZWGQKB6MM5MNF2DLFTD7KS2KWPICKL/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-29007"},{"url":"https://ubuntu.com/security/notices/USN-6050-1"},{"url":"https://ubuntu.com/security/notices/USN-6050-2"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-29007"}],"description":"Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. 
As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`.","solution":"Upgrade git-man to 1:2.34.1-1ubuntu1.9"},{"id":"faa84222f6adeac3bbb16fa625bae545d925ec29","severity":"Low","location":{"dependency":{"package":{"name":"git-man"},"version":"1:2.34.1-1ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2018-1000021","value":"CVE-2018-1000021","url":"http://www.batterystapl.es/2018/01/security-implications-of-ansi-escape.html"}],"links":[{"url":"http://www.batterystapl.es/2018/01/security-implications-of-ansi-escape.html"},{"url":"https://access.redhat.com/security/cve/CVE-2018-1000021"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000021"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000021"},{"url":"https://public-inbox.org/git/[email protected]/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-1000021"}],"description":"GIT version 2.15.1 and earlier contains a Input Validation Error vulnerability in Client that can result in problems including messing up terminal configuration to RCE. 
This attack appear to be exploitable via The user must interact with a malicious git server, (or have their traffic modified in a MITM attack).","solution":"No solution provided"},{"id":"f2820cbeaf8ab9a3270e4b4c812bdea54fae27d6","severity":"Low","location":{"dependency":{"package":{"name":"gpgv"},"version":"2.2.27-3ubuntu2.1"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2022-3219","value":"CVE-2022-3219","url":"https://access.redhat.com/security/cve/CVE-2022-3219"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2022-3219"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2127010"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3219"},{"url":"https://dev.gnupg.org/D556"},{"url":"https://dev.gnupg.org/T5993"},{"url":"https://marc.info/?l=oss-security&m=165696590211434&w=4"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-3219"},{"url":"https://security.netapp.com/advisory/ntap-20230324-0001/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-3219"}],"description":"GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.","solution":"No solution provided"},{"id":"7fd812b86174e5ffadd5940e393fa939a0930c7a","severity":"High","location":{"dependency":{"package":{"name":"libc-bin"},"version":"2.35-0ubuntu3.1"},"operating_system":"ubuntu 
22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-4911","value":"CVE-2023-4911","url":"http://packetstormsecurity.com/files/174986/glibc-ld.so-Local-Privilege-Escalation.html"}],"links":[{"url":"http://packetstormsecurity.com/files/174986/glibc-ld.so-Local-Privilege-Escalation.html"},{"url":"http://seclists.org/fulldisclosure/2023/Oct/11"},{"url":"http://www.openwall.com/lists/oss-security/2023/10/03/2"},{"url":"http://www.openwall.com/lists/oss-security/2023/10/03/3"},{"url":"http://www.openwall.com/lists/oss-security/2023/10/05/1"},{"url":"https://access.redhat.com/errata/RHSA-2023:5453"},{"url":"https://access.redhat.com/errata/RHSA-2023:5454"},{"url":"https://access.redhat.com/errata/RHSA-2023:5455"},{"url":"https://access.redhat.com/errata/RHSA-2023:5476"},{"url":"https://access.redhat.com/security/cve/CVE-2023-4911"},{"url":"https://bugzilla.redhat.com/2234712"},{"url":"https://bugzilla.redhat.com/2237782"},{"url":"https://bugzilla.redhat.com/2237798"},{"url":"https://bugzilla.redhat.com/2238352"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2234712"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2237782"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2237798"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2238352"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4527"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4806"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4813"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4911"},{"url":"https://errata.almalinux.org/8/ALSA-2023-5455.html"},{"url":"https://errata.rockylinux.org/RLSA-2023:5455"},{"url":"https://linux.oracle.com/cve/CVE-2023-4911.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-5455.html"},{"url":"https://lists.fedoraproject.org/archives/list/[email 
protected]/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-4911"},{"url":"https://security.gentoo.org/glsa/202310-03"},{"url":"https://ubuntu.com/security/notices/USN-6409-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-4911"},{"url":"https://www.debian.org/security/2023/dsa-5514"},{"url":"https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt"},{"url":"https://www.qualys.com/cve-2023-4911/"}],"description":"A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.","solution":"Upgrade libc-bin to 2.35-0ubuntu3.4"},{"id":"9466604f476cc44fe4a2d46d31cc91a5f933d700","severity":"Low","location":{"dependency":{"package":{"name":"libc-bin"},"version":"2.35-0ubuntu3.1"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2016-20013","value":"CVE-2016-20013","url":"https://akkadia.org/drepper/SHA-crypt.txt"}],"links":[{"url":"https://akkadia.org/drepper/SHA-crypt.txt"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-20013"},{"url":"https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/"},{"url":"https://twitter.com/solardiz/status/795601240151457793"}],"description":"sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's 
runtime is proportional to the square of the length of the password.","solution":"No solution provided"},{"id":"71d22fbd43692c70bc75cbda2d0cf540cd14737d","severity":"High","location":{"dependency":{"package":{"name":"libc6"},"version":"2.35-0ubuntu3.1"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-4911","value":"CVE-2023-4911","url":"http://packetstormsecurity.com/files/174986/glibc-ld.so-Local-Privilege-Escalation.html"}],"links":[{"url":"http://packetstormsecurity.com/files/174986/glibc-ld.so-Local-Privilege-Escalation.html"},{"url":"http://seclists.org/fulldisclosure/2023/Oct/11"},{"url":"http://www.openwall.com/lists/oss-security/2023/10/03/2"},{"url":"http://www.openwall.com/lists/oss-security/2023/10/03/3"},{"url":"http://www.openwall.com/lists/oss-security/2023/10/05/1"},{"url":"https://access.redhat.com/errata/RHSA-2023:5453"},{"url":"https://access.redhat.com/errata/RHSA-2023:5454"},{"url":"https://access.redhat.com/errata/RHSA-2023:5455"},{"url":"https://access.redhat.com/errata/RHSA-2023:5476"},{"url":"https://access.redhat.com/security/cve/CVE-2023-4911"},{"url":"https://bugzilla.redhat.com/2234712"},{"url":"https://bugzilla.redhat.com/2237782"},{"url":"https://bugzilla.redhat.com/2237798"},{"url":"https://bugzilla.redhat.com/2238352"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2234712"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2237782"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2237798"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2238352"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4527"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4806"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4813"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4911"},{"url":"https://errata.almalinux.org/8/ALSA
-2023-5455.html"},{"url":"https://errata.rockylinux.org/RLSA-2023:5455"},{"url":"https://linux.oracle.com/cve/CVE-2023-4911.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-5455.html"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-4911"},{"url":"https://security.gentoo.org/glsa/202310-03"},{"url":"https://ubuntu.com/security/notices/USN-6409-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-4911"},{"url":"https://www.debian.org/security/2023/dsa-5514"},{"url":"https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt"},{"url":"https://www.qualys.com/cve-2023-4911/"}],"description":"A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. 
This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.","solution":"Upgrade libc6 to 2.35-0ubuntu3.4"},{"id":"f45743cba04ee8a5ade440133da916ea6f35e450","severity":"Low","location":{"dependency":{"package":{"name":"libc6"},"version":"2.35-0ubuntu3.1"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2016-20013","value":"CVE-2016-20013","url":"https://akkadia.org/drepper/SHA-crypt.txt"}],"links":[{"url":"https://akkadia.org/drepper/SHA-crypt.txt"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-20013"},{"url":"https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/"},{"url":"https://twitter.com/solardiz/status/795601240151457793"}],"description":"sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.","solution":"No solution provided"},{"id":"4fcc5bb5ab0c50133553a91b1dd82c6d22703a96","severity":"Medium","location":{"dependency":{"package":{"name":"libcap2"},"version":"1:2.44-1build3"},"operating_system":"ubuntu 
22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-2603","value":"CVE-2023-2603","url":"https://access.redhat.com/errata/RHSA-2023:4524"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2023:4524"},{"url":"https://access.redhat.com/security/cve/CVE-2023-2603"},{"url":"https://bugzilla.redhat.com/2209113"},{"url":"https://bugzilla.redhat.com/2209114"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2209113"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2209114"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2602"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2603"},{"url":"https://errata.almalinux.org/8/ALSA-2023-4524.html"},{"url":"https://errata.rockylinux.org/RLSA-2023:4524"},{"url":"https://linux.oracle.com/cve/CVE-2023-2603.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-5071.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2603"},{"url":"https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.iuvg7sbjg8pe"},{"url":"https://ubuntu.com/security/notices/USN-6166-1"},{"url":"https://ubuntu.com/security/notices/USN-6166-2"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-2603"},{"url":"https://www.openwall.com/lists/oss-security/2023/05/15/4"},{"url":"https://www.x41-dsec.de/static/reports/X41-libcap-Code-Review-2023-OSTIF-Final-Report.pdf"}],"description":"A vulnerability was found in libcap. 
This issue occurs in the _libcap_strdup() function and can lead to an integer overflow if the input string is close to 4GiB.","solution":"Upgrade libcap2 to 1:2.44-1ubuntu0.22.04.1"},{"id":"ac6ec3d7812de71ca4247ab55220c0664ac3c634","severity":"Low","location":{"dependency":{"package":{"name":"libcap2"},"version":"1:2.44-1build3"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-2602","value":"CVE-2023-2602","url":"https://access.redhat.com/errata/RHSA-2023:4524"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2023:4524"},{"url":"https://access.redhat.com/security/cve/CVE-2023-2602"},{"url":"https://bugzilla.redhat.com/2209113"},{"url":"https://bugzilla.redhat.com/2209114"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2209113"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2209114"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2602"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2603"},{"url":"https://errata.almalinux.org/8/ALSA-2023-4524.html"},{"url":"https://errata.rockylinux.org/RLSA-2023:4524"},{"url":"https://linux.oracle.com/cve/CVE-2023-2602.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-5071.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2602"},{"url":"https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.iuvg7sbjg8pe"},{"url":"https://ubuntu.com/security/notices/USN-6166-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-2602"},{"url":"https://www.openwall.com/lists/oss-security/2023/05/15/4"},{"url":"https://www.x41-dsec.de/static/reports/X41-libcap-Code-Review-2023-OSTIF-Final-Report.pdf"}],"description":"A vulnerability was found in the pthread_create() function in libcap. 
This issue may allow a malicious actor to use cause __real_pthread_create() to return an error, which can exhaust the process memory.","solution":"Upgrade libcap2 to 1:2.44-1ubuntu0.22.04.1"},{"id":"da42a3e8b0f08c11f24e665e022696eb339601dd","severity":"High","location":{"dependency":{"package":{"name":"libcurl3-gnutls"},"version":"7.81.0-1ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-38545","value":"CVE-2023-38545","url":"https://access.redhat.com/security/cve/CVE-2023-38545"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2023-38545"},{"url":"https://curl.se/docs/CVE-2023-38545.html"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38545"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-38545"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-38545"}],"description":"A heap-based buffer overflow flaw was found in the SOCKS5 proxy handshake in the Curl package. If Curl is unable to resolve the address itself, it passes the hostname to the SOCKS5 proxy. However, the maximum length of the hostname that can be passed is 255 bytes. If the hostname is longer, then Curl switches to the local name resolving and passes the resolved address only to the proxy. 
The local variable that instructs Curl to \"let the host resolve the name\" could obtain the wrong value during a slow SOCKS5 handshake, resulting in the too-long hostname being copied to the target buffer instead of the resolved address, which was not the intended behavior.","solution":"No solution provided"},{"id":"bb4c3a01397d91e62157fb7f6c99a6488c0dd5d2","severity":"Medium","location":{"dependency":{"package":{"name":"libcurl3-gnutls"},"version":"7.81.0-1ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-27535","value":"CVE-2023-27535","url":"https://access.redhat.com/errata/RHSA-2023:3106"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2023:3106"},{"url":"https://access.redhat.com/security/cve/CVE-2023-27535"},{"url":"https://bugzilla.redhat.com/2179073"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2179073"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2188029"},{"url":"https://curl.se/docs/CVE-2023-27535.html"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27535"},{"url":"https://errata.almalinux.org/8/ALSA-2023-3106.html"},{"url":"https://errata.rockylinux.org/RLSA-2023:3106"},{"url":"https://hackerone.com/reports/1892780"},{"url":"https://linux.oracle.com/cve/CVE-2023-27535.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-3106.html"},{"url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27535"},{"url":"https://security.netapp.com/advisory/ntap-20230420-0010/"},{"url":"https://ubuntu.com/security/notices/USN-5964-1"},{"url":"https://ubuntu.com/security/notices/USN-5964-2"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-27535"}],"description":"An authentication 
bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.","solution":"Upgrade libcurl3-gnutls to 7.81.0-1ubuntu1.10"},{"id":"67dee8d012e1d77de5d020e359968016ffe9da22","severity":"Low","location":{"dependency":{"package":{"name":"libcurl3-gnutls"},"version":"7.81.0-1ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-27533","value":"CVE-2023-27533","url":"https://access.redhat.com/security/cve/CVE-2023-27533"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2023-27533"},{"url":"https://curl.se/docs/CVE-2023-27533.html"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27533"},{"url":"https://hackerone.com/reports/1891474"},{"url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27533"},{"url":"https://security.netapp.com/advisory/ntap-20230420-0011/"},{"url":"https://ubuntu.com/security/notices/USN-5964-1"},{"url":"https://ubuntu.com/security/notices/USN-5964-2"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-27533"}],"description":"A vulnerability in input validation exists in curl <8.0 during communication using the TELNET 
protocol may allow an attacker to pass on maliciously crafted user name and \"telnet options\" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application's intent. This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system.","solution":"Upgrade libcurl3-gnutls to 7.81.0-1ubuntu1.10"},{"id":"26e65d8699d52950a984a46435662cc45d0e883c","severity":"Low","location":{"dependency":{"package":{"name":"libcurl3-gnutls"},"version":"7.81.0-1ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-27534","value":"CVE-2023-27534","url":"https://access.redhat.com/security/cve/CVE-2023-27534"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2023-27534"},{"url":"https://curl.se/docs/CVE-2023-27534.html"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27534"},{"url":"https://hackerone.com/reports/1892351"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27534"},{"url":"https://security.netapp.com/advisory/ntap-20230420-0012/"},{"url":"https://ubuntu.com/security/notices/USN-5964-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-27534"}],"description":"A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. 
Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user.","solution":"Upgrade libcurl3-gnutls to 7.81.0-1ubuntu1.10"},{"id":"b55f17ccd3fc24fe08b4ae07510b32f8084ff3d4","severity":"Low","location":{"dependency":{"package":{"name":"libcurl3-gnutls"},"version":"7.81.0-1ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-27536","value":"CVE-2023-27536","url":"https://access.redhat.com/errata/RHSA-2023:4523"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2023:4523"},{"url":"https://access.redhat.com/security/cve/CVE-2023-27536"},{"url":"https://bugzilla.redhat.com/2179092"},{"url":"https://bugzilla.redhat.com/2196786"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2179092"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2196786"},{"url":"https://curl.se/docs/CVE-2023-27536.html"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27536"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28321"},{"url":"https://errata.almalinux.org/8/ALSA-2023-4523.html"},{"url":"https://errata.rockylinux.org/RLSA-2023:4523"},{"url":"https://hackerone.com/reports/1895135"},{"url":"https://linux.oracle.com/cve/CVE-2023-27536.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-4523.html"},{"url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html"},{"url":"https://lists.fedoraproject.org/archives/list/[email 
protected]/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27536"},{"url":"https://security.netapp.com/advisory/ntap-20230420-0010/"},{"url":"https://ubuntu.com/security/notices/USN-5964-1"},{"url":"https://ubuntu.com/security/notices/USN-5964-2"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-27536"}],"description":"An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.","solution":"Upgrade libcurl3-gnutls to 7.81.0-1ubuntu1.10"},{"id":"4c0f3769fa86c0c978a9bb92b824dea0703dfef6","severity":"Low","location":{"dependency":{"package":{"name":"libcurl3-gnutls"},"version":"7.81.0-1ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-27538","value":"CVE-2023-27538","url":"https://access.redhat.com/security/cve/CVE-2023-27538"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2023-27538"},{"url":"https://curl.se/docs/CVE-2023-27538.html"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27538"},{"url":"https://hackerone.com/reports/1898475"},{"url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html"},{"url":"https://lists.fedoraproject.org/archives/list/[email 
protected]/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27538"},{"url":"https://security.netapp.com/advisory/ntap-20230420-0010/"},{"url":"https://ubuntu.com/security/notices/USN-5964-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-27538"}],"description":"An authentication bypass vulnerability exists in libcurl prior to v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse them for subsequent transfers if the configurations match. However, two SSH settings were omitted from the configuration check, allowing them to match easily, potentially leading to the reuse of an inappropriate connection.","solution":"Upgrade libcurl3-gnutls to 7.81.0-1ubuntu1.10"},{"id":"1aca82b488ebb1eb21349e316e47c75d343cee57","severity":"Low","location":{"dependency":{"package":{"name":"libcurl3-gnutls"},"version":"7.81.0-1ubuntu1.8"},"operating_system":"ubuntu 
22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-28321","value":"CVE-2023-28321","url":"http://seclists.org/fulldisclosure/2023/Jul/47"}],"links":[{"url":"http://seclists.org/fulldisclosure/2023/Jul/47"},{"url":"http://seclists.org/fulldisclosure/2023/Jul/48"},{"url":"http://seclists.org/fulldisclosure/2023/Jul/52"},{"url":"https://access.redhat.com/errata/RHSA-2023:4523"},{"url":"https://access.redhat.com/security/cve/CVE-2023-28321"},{"url":"https://bugzilla.redhat.com/2179092"},{"url":"https://bugzilla.redhat.com/2196786"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2179092"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2196786"},{"url":"https://curl.se/docs/CVE-2023-28321.html"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27536"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28321"},{"url":"https://errata.almalinux.org/8/ALSA-2023-4523.html"},{"url":"https://errata.rockylinux.org/RLSA-2023:4523"},{"url":"https://hackerone.com/reports/1950627"},{"url":"https://linux.oracle.com/cve/CVE-2023-28321.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-4523.html"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/F4I75RDGX5ULSSCBE5BF3P5I5SFO7ULQ/"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/Z2LIWHWKOVH24COGGBCVOWDXXIUPKOMK/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28321"},{"url":"https://security.netapp.com/advisory/ntap-20230609-0009/"},{"url":"https://support.apple.com/kb/HT213843"},{"url":"https://support.apple.com/kb/HT213844"},{"url":"https://support.apple.com/kb/HT213845"},{"url":"https://ubuntu.com/security/notices/USN-6237-1"},{"url":"https://ubuntu.com/security/notices/USN-6237-3"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-28321"}],"description":"An improper certificate validation vulnerability 
exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as \"Subject Alternative Name\" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before used for certificate checks. Puny coded names always start with `xn--` and should not be allowed to pattern match, but the wildcard check in curl could still check for `x*`, which would match even though the IDN name most likely contained nothing even resembling an `x`.","solution":"Upgrade libcurl3-gnutls to 7.81.0-1ubuntu1.11"},{"id":"c05fc4b29de117188b26e56bdd4abd4480a74795","severity":"Low","location":{"dependency":{"package":{"name":"libcurl3-gnutls"},"version":"7.81.0-1ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-28322","value":"CVE-2023-28322","url":"http://seclists.org/fulldisclosure/2023/Jul/47"}],"links":[{"url":"http://seclists.org/fulldisclosure/2023/Jul/47"},{"url":"http://seclists.org/fulldisclosure/2023/Jul/48"},{"url":"http://seclists.org/fulldisclosure/2023/Jul/52"},{"url":"https://access.redhat.com/errata/RHSA-2023:4354"},{"url":"https://access.redhat.com/security/cve/CVE-2023-28322"},{"url":"https://bugzilla.redhat.com/2196786"},{"url":"https://bugzilla.redhat.com/2196793"},{"url":"https://curl.se/docs/CVE-2023-28322.html"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28322"},{"url":"https://errata.almalinux.org/9/ALSA-2023-4354.html"},{"url":"https://hackerone.com/reports/1954658"},{"url":"https://linux.oracle.com/cve/CVE-2023-28322.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-4354.ht
ml"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/F4I75RDGX5ULSSCBE5BF3P5I5SFO7ULQ/"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/Z2LIWHWKOVH24COGGBCVOWDXXIUPKOMK/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28322"},{"url":"https://security.netapp.com/advisory/ntap-20230609-0009/"},{"url":"https://support.apple.com/kb/HT213843"},{"url":"https://support.apple.com/kb/HT213844"},{"url":"https://support.apple.com/kb/HT213845"},{"url":"https://ubuntu.com/security/notices/USN-6237-1"},{"url":"https://ubuntu.com/security/notices/USN-6237-3"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-28322"}],"description":"An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. 
The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.","solution":"Upgrade libcurl3-gnutls to 7.81.0-1ubuntu1.11"},{"id":"735efec65df93fccb6b6d395981136840399ad87","severity":"Low","location":{"dependency":{"package":{"name":"libcurl3-gnutls"},"version":"7.81.0-1ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-38546","value":"CVE-2023-38546","url":"https://curl.se/docs/CVE-2023-38546.html"}],"links":[{"url":"https://curl.se/docs/CVE-2023-38546.html"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38546"}],"description":"cookie injection with none file","solution":"No solution provided"},{"id":"3c9d564d81ad84e1e6f6756af4755477fca40367","severity":"High","location":{"dependency":{"package":{"name":"libcurl4"},"version":"7.81.0-1ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-38545","value":"CVE-2023-38545","url":"https://access.redhat.com/security/cve/CVE-2023-38545"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2023-38545"},{"url":"https://curl.se/docs/CVE-2023-38545.html"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38545"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-38545"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-38545"}],"description":"A heap-based buffer overflow flaw was found in the SOCKS5 proxy handshake in the Curl package. If Curl is unable to resolve the address itself, it passes the hostname to the SOCKS5 proxy. However, the maximum length of the hostname that can be passed is 255 bytes. 
If the hostname is longer, then Curl switches to the local name resolving and passes the resolved address only to the proxy. The local variable that instructs Curl to \"let the host resolve the name\" could obtain the wrong value during a slow SOCKS5 handshake, resulting in the too-long hostname being copied to the target buffer instead of the resolved address, which was not the intended behavior.","solution":"No solution provided"},{"id":"d023ff3050c63e72578c3ae79faad34720dae141","severity":"Medium","location":{"dependency":{"package":{"name":"libcurl4"},"version":"7.81.0-1ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-27535","value":"CVE-2023-27535","url":"https://access.redhat.com/errata/RHSA-2023:3106"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2023:3106"},{"url":"https://access.redhat.com/security/cve/CVE-2023-27535"},{"url":"https://bugzilla.redhat.com/2179073"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2179073"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2188029"},{"url":"https://curl.se/docs/CVE-2023-27535.html"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27535"},{"url":"https://errata.almalinux.org/8/ALSA-2023-3106.html"},{"url":"https://errata.rockylinux.org/RLSA-2023:3106"},{"url":"https://hackerone.com/reports/1892780"},{"url":"https://linux.oracle.com/cve/CVE-2023-27535.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-3106.html"},{"url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html"},{"url":"https://lists.fedoraproject.org/archives/list/[email 
protected]/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27535"},{"url":"https://security.netapp.com/advisory/ntap-20230420-0010/"},{"url":"https://ubuntu.com/security/notices/USN-5964-1"},{"url":"https://ubuntu.com/security/notices/USN-5964-2"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-27535"}],"description":"An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.","solution":"Upgrade libcurl4 to 7.81.0-1ubuntu1.10"},{"id":"39ec8b513b8135d893abb2598c44faf6ae79ff22","severity":"Low","location":{"dependency":{"package":{"name":"libcurl4"},"version":"7.81.0-1ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-27533","value":"CVE-2023-27533","url":"https://access.redhat.com/security/cve/CVE-2023-27533"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2023-27533"},{"url":"https://curl.se/docs/CVE-2023-27533.html"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27533"},{"url":"https://hackerone.com/reports/1891474"},{"url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html"},{"url":"https://lists.fedoraproject.org/archives/list/[email 
protected]/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27533"},{"url":"https://security.netapp.com/advisory/ntap-20230420-0011/"},{"url":"https://ubuntu.com/security/notices/USN-5964-1"},{"url":"https://ubuntu.com/security/notices/USN-5964-2"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-27533"}],"description":"A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and \"telnet options\" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application's intent. This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system.","solution":"Upgrade libcurl4 to 7.81.0-1ubuntu1.10"},{"id":"de741da748abbb14d49e84663a1b29d40808fe0c","severity":"Low","location":{"dependency":{"package":{"name":"libcurl4"},"version":"7.81.0-1ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-27534","value":"CVE-2023-27534","url":"https://access.redhat.com/security/cve/CVE-2023-27534"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2023-27534"},{"url":"https://curl.se/docs/CVE-2023-27534.html"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27534"},{"url":"https://hackerone.com/reports/1892351"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27534"},{"url":"https://security.netapp.com/advisory/ntap-20230420-0012/"},{"url":"https://ubuntu.com/security/notices/USN-5964-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-27534"}],"description":"A path traversal 
vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user.","solution":"Upgrade libcurl4 to 7.81.0-1ubuntu1.10"},{"id":"e02ad41666971676390f70148dda68bee33fc6a6","severity":"Low","location":{"dependency":{"package":{"name":"libcurl4"},"version":"7.81.0-1ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-27536","value":"CVE-2023-27536","url":"https://access.redhat.com/errata/RHSA-2023:4523"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2023:4523"},{"url":"https://access.redhat.com/security/cve/CVE-2023-27536"},{"url":"https://bugzilla.redhat.com/2179092"},{"url":"https://bugzilla.redhat.com/2196786"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2179092"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2196786"},{"url":"https://curl.se/docs/CVE-2023-27536.html"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27536"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28321"},{"url":"https://errata.almalinux.org/8/ALSA-2023-4523.html"},{"url":"https://errata.rockylinux.org/RLSA-2023:4523"},{"url":"https://hackerone.com/reports/1895135"},{"url":"https://linux.oracle.com/cve/CVE-2023-27536.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-4523.html"},{"url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html"},{"url":"https://lists.fedoraproject.org/archives/list/[email 
protected]/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27536"},{"url":"https://security.netapp.com/advisory/ntap-20230420-0010/"},{"url":"https://ubuntu.com/security/notices/USN-5964-1"},{"url":"https://ubuntu.com/security/notices/USN-5964-2"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-27536"}],"description":"An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.","solution":"Upgrade libcurl4 to 7.81.0-1ubuntu1.10"},{"id":"1a22b256b09ab52214897e3fb9f02119aa477c5b","severity":"Low","location":{"dependency":{"package":{"name":"libcurl4"},"version":"7.81.0-1ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-27538","value":"CVE-2023-27538","url":"https://access.redhat.com/security/cve/CVE-2023-27538"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2023-27538"},{"url":"https://curl.se/docs/CVE-2023-27538.html"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27538"},{"url":"https://hackerone.com/reports/1898475"},{"url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html"},{"url":"https://lists.fedoraproject.org/archives/list/[email 
protected]/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27538"},{"url":"https://security.netapp.com/advisory/ntap-20230420-0010/"},{"url":"https://ubuntu.com/security/notices/USN-5964-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-27538"}],"description":"An authentication bypass vulnerability exists in libcurl prior to v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse them for subsequent transfers if the configurations match. However, two SSH settings were omitted from the configuration check, allowing them to match easily, potentially leading to the reuse of an inappropriate connection.","solution":"Upgrade libcurl4 to 7.81.0-1ubuntu1.10"},{"id":"118d902d47599f7576ec9d00cade4d9785740997","severity":"Low","location":{"dependency":{"package":{"name":"libcurl4"},"version":"7.81.0-1ubuntu1.8"},"operating_system":"ubuntu 
22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-28321","value":"CVE-2023-28321","url":"http://seclists.org/fulldisclosure/2023/Jul/47"}],"links":[{"url":"http://seclists.org/fulldisclosure/2023/Jul/47"},{"url":"http://seclists.org/fulldisclosure/2023/Jul/48"},{"url":"http://seclists.org/fulldisclosure/2023/Jul/52"},{"url":"https://access.redhat.com/errata/RHSA-2023:4523"},{"url":"https://access.redhat.com/security/cve/CVE-2023-28321"},{"url":"https://bugzilla.redhat.com/2179092"},{"url":"https://bugzilla.redhat.com/2196786"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2179092"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2196786"},{"url":"https://curl.se/docs/CVE-2023-28321.html"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27536"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28321"},{"url":"https://errata.almalinux.org/8/ALSA-2023-4523.html"},{"url":"https://errata.rockylinux.org/RLSA-2023:4523"},{"url":"https://hackerone.com/reports/1950627"},{"url":"https://linux.oracle.com/cve/CVE-2023-28321.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-4523.html"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/F4I75RDGX5ULSSCBE5BF3P5I5SFO7ULQ/"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/Z2LIWHWKOVH24COGGBCVOWDXXIUPKOMK/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28321"},{"url":"https://security.netapp.com/advisory/ntap-20230609-0009/"},{"url":"https://support.apple.com/kb/HT213843"},{"url":"https://support.apple.com/kb/HT213844"},{"url":"https://support.apple.com/kb/HT213845"},{"url":"https://ubuntu.com/security/notices/USN-6237-1"},{"url":"https://ubuntu.com/security/notices/USN-6237-3"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-28321"}],"description":"An improper certificate validation vulnerability 
exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as \"Subject Alternative Name\" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before used for certificate checks. Puny coded names always start with `xn--` and should not be allowed to pattern match, but the wildcard check in curl could still check for `x*`, which would match even though the IDN name most likely contained nothing even resembling an `x`.","solution":"Upgrade libcurl4 to 7.81.0-1ubuntu1.11"},{"id":"9b30cb70b48b66ecf00fefe4abe9a713e025df94","severity":"Low","location":{"dependency":{"package":{"name":"libcurl4"},"version":"7.81.0-1ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-28322","value":"CVE-2023-28322","url":"http://seclists.org/fulldisclosure/2023/Jul/47"}],"links":[{"url":"http://seclists.org/fulldisclosure/2023/Jul/47"},{"url":"http://seclists.org/fulldisclosure/2023/Jul/48"},{"url":"http://seclists.org/fulldisclosure/2023/Jul/52"},{"url":"https://access.redhat.com/errata/RHSA-2023:4354"},{"url":"https://access.redhat.com/security/cve/CVE-2023-28322"},{"url":"https://bugzilla.redhat.com/2196786"},{"url":"https://bugzilla.redhat.com/2196793"},{"url":"https://curl.se/docs/CVE-2023-28322.html"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28322"},{"url":"https://errata.almalinux.org/9/ALSA-2023-4354.html"},{"url":"https://hackerone.com/reports/1954658"},{"url":"https://linux.oracle.com/cve/CVE-2023-28322.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-4354.html"},{"url":"h
ttps://lists.fedoraproject.org/archives/list/[email protected]/message/F4I75RDGX5ULSSCBE5BF3P5I5SFO7ULQ/"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/Z2LIWHWKOVH24COGGBCVOWDXXIUPKOMK/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28322"},{"url":"https://security.netapp.com/advisory/ntap-20230609-0009/"},{"url":"https://support.apple.com/kb/HT213843"},{"url":"https://support.apple.com/kb/HT213844"},{"url":"https://support.apple.com/kb/HT213845"},{"url":"https://ubuntu.com/security/notices/USN-6237-1"},{"url":"https://ubuntu.com/security/notices/USN-6237-3"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-28322"}],"description":"An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. 
The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.","solution":"Upgrade libcurl4 to 7.81.0-1ubuntu1.11"},{"id":"35f8fda891974945b4b3d8c01ffe3da23b0d5a39","severity":"Low","location":{"dependency":{"package":{"name":"libcurl4"},"version":"7.81.0-1ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-38546","value":"CVE-2023-38546","url":"https://curl.se/docs/CVE-2023-38546.html"}],"links":[{"url":"https://curl.se/docs/CVE-2023-38546.html"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38546"}],"description":"cookie injection with none file","solution":"No solution provided"},{"id":"62153e3b3b97755106b72a514544b19bcdee86da","severity":"Low","location":{"dependency":{"package":{"name":"libgcc-s1"},"version":"12.1.0-2ubuntu1~22.04"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2022-27943","value":"CVE-2022-27943","url":"https://access.redhat.com/security/cve/CVE-2022-27943"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2022-27943"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27943"},{"url":"https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039"},{"url":"https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=9234cdca6ee88badfc00297e72f13dac4e540c79"},{"url":"https://gcc.gnu.org/pipermail/gcc-patches/2022-March/592244.html"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-27943"},{"url":"https://sourceware.org/bugzilla/show_bug.cgi?id=28995"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-27943"}],"description":"libiberty/rust-demangle.c in GNU 
GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.","solution":"No solution provided"},{"id":"de438f1992e5d25066b24e5450c59b596a2797b3","severity":"Medium","location":{"dependency":{"package":{"name":"libgssapi-krb5-2"},"version":"1.19.2-2ubuntu0.1"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-36054","value":"CVE-2023-36054","url":"https://access.redhat.com/security/cve/CVE-2023-36054"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2023-36054"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36054"},{"url":"https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd"},{"url":"https://github.com/krb5/krb5/compare/krb5-1.20.1-final...krb5-1.20.2-final"},{"url":"https://github.com/krb5/krb5/compare/krb5-1.21-final...krb5-1.21.1-final"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36054"},{"url":"https://security.netapp.com/advisory/ntap-20230908-0004/"},{"url":"https://web.mit.edu/kerberos/www/advisories/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-36054"}],"description":"lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. 
This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.","solution":"No solution provided"},{"id":"dbf240acae318f0d678fe714b788b9fde75614cf","severity":"Medium","location":{"dependency":{"package":{"name":"libk5crypto3"},"version":"1.19.2-2ubuntu0.1"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-36054","value":"CVE-2023-36054","url":"https://access.redhat.com/security/cve/CVE-2023-36054"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2023-36054"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36054"},{"url":"https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd"},{"url":"https://github.com/krb5/krb5/compare/krb5-1.20.1-final...krb5-1.20.2-final"},{"url":"https://github.com/krb5/krb5/compare/krb5-1.21-final...krb5-1.21.1-final"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36054"},{"url":"https://security.netapp.com/advisory/ntap-20230908-0004/"},{"url":"https://web.mit.edu/kerberos/www/advisories/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-36054"}],"description":"lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. 
This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.","solution":"No solution provided"},{"id":"49ccb87bc9f96a1be16765a0f9b71c791e968d5e","severity":"Medium","location":{"dependency":{"package":{"name":"libkrb5-3"},"version":"1.19.2-2ubuntu0.1"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-36054","value":"CVE-2023-36054","url":"https://access.redhat.com/security/cve/CVE-2023-36054"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2023-36054"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36054"},{"url":"https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd"},{"url":"https://github.com/krb5/krb5/compare/krb5-1.20.1-final...krb5-1.20.2-final"},{"url":"https://github.com/krb5/krb5/compare/krb5-1.21-final...krb5-1.21.1-final"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36054"},{"url":"https://security.netapp.com/advisory/ntap-20230908-0004/"},{"url":"https://web.mit.edu/kerberos/www/advisories/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-36054"}],"description":"lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. 
This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.","solution":"No solution provided"},{"id":"9a76d047d922d5cb30d342696725911a706c4bba","severity":"Medium","location":{"dependency":{"package":{"name":"libkrb5support0"},"version":"1.19.2-2ubuntu0.1"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-36054","value":"CVE-2023-36054","url":"https://access.redhat.com/security/cve/CVE-2023-36054"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2023-36054"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36054"},{"url":"https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd"},{"url":"https://github.com/krb5/krb5/compare/krb5-1.20.1-final...krb5-1.20.2-final"},{"url":"https://github.com/krb5/krb5/compare/krb5-1.21-final...krb5-1.21.1-final"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36054"},{"url":"https://security.netapp.com/advisory/ntap-20230908-0004/"},{"url":"https://web.mit.edu/kerberos/www/advisories/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-36054"}],"description":"lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. 
This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.","solution":"No solution provided"},{"id":"67ac5e1e3990b775fe70faaffeec16189e0cbb5a","severity":"Low","location":{"dependency":{"package":{"name":"libldap-2.5-0"},"version":"2.5.13+dfsg-0ubuntu0.22.04.1"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-2953","value":"CVE-2023-2953","url":"http://seclists.org/fulldisclosure/2023/Jul/47"}],"links":[{"url":"http://seclists.org/fulldisclosure/2023/Jul/47"},{"url":"http://seclists.org/fulldisclosure/2023/Jul/48"},{"url":"http://seclists.org/fulldisclosure/2023/Jul/52"},{"url":"https://access.redhat.com/security/cve/CVE-2023-2953"},{"url":"https://bugs.openldap.org/show_bug.cgi?id=9904"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2953"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2953"},{"url":"https://security.netapp.com/advisory/ntap-20230703-0005/"},{"url":"https://support.apple.com/kb/HT213843"},{"url":"https://support.apple.com/kb/HT213844"},{"url":"https://support.apple.com/kb/HT213845"},{"url":"https://ubuntu.com/security/notices/USN-6197-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-2953"}],"description":"A vulnerability was found in openldap. 
This security flaw causes a null pointer dereference in ber_memalloc_x() function.","solution":"No solution provided"},{"id":"f2556b54235a80184b1e01b5b70fb7fd947b9217","severity":"Medium","location":{"dependency":{"package":{"name":"liblzma5"},"version":"5.2.5-2ubuntu1"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2020-22916","value":"CVE-2020-22916","url":"http://web.archive.org/web/20230918084612/https://github.com/snappyJack/CVE-request-XZ-5.2.5-has-denial-of-service-vulnerability"}],"links":[{"url":"http://web.archive.org/web/20230918084612/https://github.com/snappyJack/CVE-request-XZ-5.2.5-has-denial-of-service-vulnerability"},{"url":"https://access.redhat.com/security/cve/CVE-2020-22916"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2234987"},{"url":"https://bugzilla.suse.com/show_bug.cgi?id=1214590"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22916"},{"url":"https://github.com/snappyJack/CVE-request-XZ-5.2.5-has-denial-of-service-vulnerability"},{"url":"https://github.com/tukaani-project/xz/issues/61"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-22916"},{"url":"https://security-tracker.debian.org/tracker/CVE-2020-22916"},{"url":"https://tukaani.org/xz/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-22916"}],"description":"** DISPUTED ** An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of a crafted file. 
NOTE: the vendor disputes the claims of \"endless output\" and \"denial of service\" because decompression of the 17,486 bytes always results in 114,881,179 bytes, which is often a reasonable size increase.","solution":"No solution provided"},{"id":"35abf6a296f03f4c49f9ae9dc5fa53db29760c5e","severity":"Medium","location":{"dependency":{"package":{"name":"libncurses6"},"version":"6.3-2"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-29491","value":"CVE-2023-29491","url":"http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commit;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56"}],"links":[{"url":"http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commit;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56"},{"url":"http://www.openwall.com/lists/oss-security/2023/04/19/10"},{"url":"http://www.openwall.com/lists/oss-security/2023/04/19/11"},{"url":"https://access.redhat.com/errata/RHSA-2023:5249"},{"url":"https://access.redhat.com/security/cve/CVE-2023-29491"},{"url":"https://bugzilla.redhat.com/2191704"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29491"},{"url":"https://errata.almalinux.org/8/ALSA-2023-5249.html"},{"url":"https://invisible-island.net/ncurses/NEWS.html#index-t20230408"},{"url":"https://linux.oracle.com/cve/CVE-2023-29491.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-5249.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-29491"},{"url":"https://security.netapp.com/advisory/ntap-20230517-0009/"},{"url":"https://support.apple.com/kb/HT213843"},{"url":"https://support.apple.com/kb/HT213844"},{"url":"https://support.apple.com/kb/HT213845"},{"url":"https://ubuntu.com/security/notices/USN-6099-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-29491"},{"url":"https://www.openwall.com/lists/oss-security/2023/04/12/5"},{"url":"https://www.openwall.com/lists/oss-security/2023/04/13/4"}],"de
scription":"ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.","solution":"Upgrade libncurses6 to 6.3-2ubuntu0.1"},{"id":"42142cdc962f6fde4154598cd40d741d29d2348e","severity":"Low","location":{"dependency":{"package":{"name":"libncurses6"},"version":"6.3-2"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2022-29458","value":"CVE-2022-29458","url":"http://seclists.org/fulldisclosure/2022/Oct/41"}],"links":[{"url":"http://seclists.org/fulldisclosure/2022/Oct/41"},{"url":"https://access.redhat.com/security/cve/CVE-2022-29458"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29458"},{"url":"https://invisible-island.net/ncurses/NEWS.html#t20220416"},{"url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00037.html"},{"url":"https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00014.html"},{"url":"https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00016.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29458"},{"url":"https://support.apple.com/kb/HT213488"},{"url":"https://ubuntu.com/security/notices/USN-5477-1"},{"url":"https://ubuntu.com/security/notices/USN-6099-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-29458"}],"description":"ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.","solution":"Upgrade libncurses6 to 6.3-2ubuntu0.1"},{"id":"52ad8f9e9123df0122852800c0076db846e5cac9","severity":"Medium","location":{"dependency":{"package":{"name":"libncursesw6"},"version":"6.3-2"},"operating_system":"ubuntu 
22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-29491","value":"CVE-2023-29491","url":"http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commit;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56"}],"links":[{"url":"http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commit;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56"},{"url":"http://www.openwall.com/lists/oss-security/2023/04/19/10"},{"url":"http://www.openwall.com/lists/oss-security/2023/04/19/11"},{"url":"https://access.redhat.com/errata/RHSA-2023:5249"},{"url":"https://access.redhat.com/security/cve/CVE-2023-29491"},{"url":"https://bugzilla.redhat.com/2191704"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29491"},{"url":"https://errata.almalinux.org/8/ALSA-2023-5249.html"},{"url":"https://invisible-island.net/ncurses/NEWS.html#index-t20230408"},{"url":"https://linux.oracle.com/cve/CVE-2023-29491.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-5249.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-29491"},{"url":"https://security.netapp.com/advisory/ntap-20230517-0009/"},{"url":"https://support.apple.com/kb/HT213843"},{"url":"https://support.apple.com/kb/HT213844"},{"url":"https://support.apple.com/kb/HT213845"},{"url":"https://ubuntu.com/security/notices/USN-6099-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-29491"},{"url":"https://www.openwall.com/lists/oss-security/2023/04/12/5"},{"url":"https://www.openwall.com/lists/oss-security/2023/04/13/4"}],"description":"ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.","solution":"Upgrade libncursesw6 to 
6.3-2ubuntu0.1"},{"id":"09c8cda11bbb5cc05150d119d686530a56835802","severity":"Low","location":{"dependency":{"package":{"name":"libncursesw6"},"version":"6.3-2"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2022-29458","value":"CVE-2022-29458","url":"http://seclists.org/fulldisclosure/2022/Oct/41"}],"links":[{"url":"http://seclists.org/fulldisclosure/2022/Oct/41"},{"url":"https://access.redhat.com/security/cve/CVE-2022-29458"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29458"},{"url":"https://invisible-island.net/ncurses/NEWS.html#t20220416"},{"url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00037.html"},{"url":"https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00014.html"},{"url":"https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00016.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29458"},{"url":"https://support.apple.com/kb/HT213488"},{"url":"https://ubuntu.com/security/notices/USN-5477-1"},{"url":"https://ubuntu.com/security/notices/USN-6099-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-29458"}],"description":"ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.","solution":"Upgrade libncursesw6 to 6.3-2ubuntu0.1"},{"id":"93c907a20bc919808817d0a256bedb035d3c301c","severity":"Low","location":{"dependency":{"package":{"name":"libpcre3"},"version":"2:8.39-13ubuntu0.22.04.1"},"operating_system":"ubuntu 
22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2017-11164","value":"CVE-2017-11164","url":"http://openwall.com/lists/oss-security/2017/07/11/3"}],"links":[{"url":"http://openwall.com/lists/oss-security/2017/07/11/3"},{"url":"http://www.openwall.com/lists/oss-security/2023/04/11/1"},{"url":"http://www.openwall.com/lists/oss-security/2023/04/12/1"},{"url":"http://www.securityfocus.com/bid/99575"},{"url":"https://access.redhat.com/security/cve/CVE-2017-11164"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11164"},{"url":"https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-11164"},{"url":"https://www.cve.org/CVERecord?id=CVE-2017-11164"}],"description":"In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.","solution":"No solution provided"},{"id":"6eefffaabd356e202e47b306ddb8b5985cf6a1c6","severity":"Medium","location":{"dependency":{"package":{"name":"libperl5.34"},"version":"5.34.0-3ubuntu1.1"},"operating_system":"ubuntu 
22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2022-48522","value":"CVE-2022-48522","url":"https://access.redhat.com/security/cve/CVE-2022-48522"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2022-48522"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48522"},{"url":"https://github.com/Perl/perl5/blob/79a7b254d85a10b65126ad99bf10e70480569d68/sv.c#L16336-L16345"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48522"},{"url":"https://security.netapp.com/advisory/ntap-20230915-0008/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-48522"}],"description":"In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation.","solution":"No solution provided"},{"id":"0c8d744c471c557ec7c8809bf4c113c06bbf660b","severity":"Medium","location":{"dependency":{"package":{"name":"libperl5.34"},"version":"5.34.0-3ubuntu1.1"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-31484","value":"CVE-2023-31484","url":"http://www.openwall.com/lists/oss-security/2023/04/29/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2023/04/29/1"},{"url":"http://www.openwall.com/lists/oss-security/2023/05/03/3"},{"url":"http://www.openwall.com/lists/oss-security/2023/05/03/5"},{"url":"http://www.openwall.com/lists/oss-security/2023/05/07/2"},{"url":"https://access.redhat.com/security/cve/CVE-2023-31484"},{"url":"https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31484"},{"url":"https://github.com/andk/cpanpm/pull/175"},{"url":"https://lists.fedoraproject.org/archives/list/[email 
protected]/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/"},{"url":"https://metacpan.org/dist/CPAN/changes"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-31484"},{"url":"https://ubuntu.com/security/notices/USN-6112-1"},{"url":"https://ubuntu.com/security/notices/USN-6112-2"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-31484"},{"url":"https://www.openwall.com/lists/oss-security/2023/04/18/14"}],"description":"CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.","solution":"Upgrade libperl5.34 to 5.34.0-3ubuntu1.2"},{"id":"fe7cdbe1cab0ffaf1d294ec87e9e01b9d5810174","severity":"Low","location":{"dependency":{"package":{"name":"libpng16-16"},"version":"1.6.37-3build5"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2022-3857","value":"CVE-2022-3857","url":"https://access.redhat.com/security/cve/CVE-2022-3857"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2022-3857"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3857"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-3857"},{"url":"https://security.netapp.com/advisory/ntap-20230406-0004/"},{"url":"https://sourceforge.net/p/libpng/bugs/300/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-3857"}],"description":"A flaw was found in libpng 1.6.38. 
A crafted PNG image can lead to a segmentation fault and denial of service in png_setup_paeth_row() function.","solution":"No solution provided"},{"id":"b6e9fdc613671909206808806bfe270983d3c2a2","severity":"Low","location":{"dependency":{"package":{"name":"libprocps8"},"version":"2:3.3.17-6ubuntu2"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-4016","value":"CVE-2023-4016","url":"https://access.redhat.com/security/cve/CVE-2023-4016"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2023-4016"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4016"},{"url":"https://gitlab.com/procps-ng/procps"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/SUETRRT24OFGPYK6ACPM5VUGHNKH5CQ5/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-4016"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-4016"}],"description":"Under some circumstances, this weakness allows a user who has access to run the “ps” utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.","solution":"No solution provided"},{"id":"7bcdd6034851140d3eaaea4a08fcbba6866c78e5","severity":"Medium","location":{"dependency":{"package":{"name":"libssh-4"},"version":"0.9.6-2build1"},"operating_system":"ubuntu 
22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-1667","value":"CVE-2023-1667","url":"http://www.libssh.org/security/advisories/CVE-2023-1667.txt"}],"links":[{"url":"http://www.libssh.org/security/advisories/CVE-2023-1667.txt"},{"url":"https://access.redhat.com/errata/RHSA-2023:3839"},{"url":"https://access.redhat.com/security/cve/CVE-2023-1667"},{"url":"https://bugzilla.redhat.com/2182199"},{"url":"https://bugzilla.redhat.com/2189736"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2182199"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2189736"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1667"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2283"},{"url":"https://errata.almalinux.org/8/ALSA-2023-3839.html"},{"url":"https://errata.rockylinux.org/RLSA-2023:3839"},{"url":"https://linux.oracle.com/cve/CVE-2023-1667.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-3839.html"},{"url":"https://lists.debian.org/debian-lts-announce/2023/05/msg00029.html"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/27PD44ALQTZXX7K6JAM3BXBUHYA6DFFN/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-1667"},{"url":"https://ubuntu.com/security/notices/USN-6138-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-1667"},{"url":"https://www.libssh.org/security/advisories/CVE-2023-1667.txt"}],"description":"A NULL pointer dereference was found In libssh during re-keying with algorithm guessing. 
This issue may allow an authenticated client to cause a denial of service.","solution":"Upgrade libssh-4 to 0.9.6-2ubuntu0.22.04.1"},{"id":"031bfe2a57f3a990021ec1d4019dca3d16f64874","severity":"Medium","location":{"dependency":{"package":{"name":"libssh-4"},"version":"0.9.6-2build1"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-2283","value":"CVE-2023-2283","url":"http://packetstormsecurity.com/files/172861/libssh-0.9.6-0.10.4-pki_verify_data_signature-Authorization-Bypass.html"}],"links":[{"url":"http://packetstormsecurity.com/files/172861/libssh-0.9.6-0.10.4-pki_verify_data_signature-Authorization-Bypass.html"},{"url":"https://access.redhat.com/errata/RHSA-2023:3839"},{"url":"https://access.redhat.com/security/cve/CVE-2023-2283"},{"url":"https://bugzilla.redhat.com/2182199"},{"url":"https://bugzilla.redhat.com/2189736"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2182199"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2189736"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1667"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2283"},{"url":"https://errata.almalinux.org/8/ALSA-2023-3839.html"},{"url":"https://errata.rockylinux.org/RLSA-2023:3839"},{"url":"https://linux.oracle.com/cve/CVE-2023-2283.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-3839.html"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/27PD44ALQTZXX7K6JAM3BXBUHYA6DFFN/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2283"},{"url":"https://ubuntu.com/security/notices/USN-6138-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-2283"},{"url":"https://www.libssh.org/security/advisories/CVE-2023-2283.txt"}],"description":"A vulnerability was found in libssh, where the authentication check of the connecting client can be bypassed in 
the`pki_verify_data_signature` function in memory allocation problems. This issue may happen if there is insufficient memory or the memory usage is limited. The problem is caused by the return value `rc,` which is initialized to SSH_ERROR and later rewritten to save the return value of the function call `pki_key_check_hash_compatible.` The value of the variable is not changed between this point and the cryptographic verification. Therefore any error between them calls `goto error` returning SSH_OK.","solution":"Upgrade libssh-4 to 0.9.6-2ubuntu0.22.04.1"},{"id":"aba05f0a6235dd6d025f4256c74669ac6538bb98","severity":"Medium","location":{"dependency":{"package":{"name":"libssl3"},"version":"3.0.2-0ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-2650","value":"CVE-2023-2650","url":"http://www.openwall.com/lists/oss-security/2023/05/30/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2023/05/30/1"},{"url":"https://access.redhat.com/errata/RHSA-2023:3722"},{"url":"https://access.redhat.com/security/cve/CVE-2023-2650"},{"url":"https://bugzilla.redhat.com/2181082"},{"url":"https://bugzilla.redhat.com/2182561"},{"url":"https://bugzilla.redhat.com/2182565"},{"url":"https://bugzilla.redhat.com/2188461"},{"url":"https://bugzilla.redhat.com/2207947"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2650"},{"url":"https://errata.almalinux.org/9/ALSA-2023-3722.html"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=423a2bc737a908ad0c77bda470b2b59dc879936b"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=853c5e56ee0b8650c73140816bb8b91d6163422c"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9e209944b35cf82368071f160a744b6178f9b098"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db779b0e10b047f2585615e
0b8f2acdf21f8544a"},{"url":"https://linux.oracle.com/cve/CVE-2023-2650.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-3722.html"},{"url":"https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2650"},{"url":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0009"},{"url":"https://security.netapp.com/advisory/ntap-20230703-0001/"},{"url":"https://ubuntu.com/security/notices/USN-6119-1"},{"url":"https://ubuntu.com/security/notices/USN-6188-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-2650"},{"url":"https://www.debian.org/security/2023/dsa-5417"},{"url":"https://www.openssl.org/news/secadv/20230530.txt"}],"description":"Issue summary: Processing some specially crafted ASN.1 object identifiers or\ndata containing them may be very slow.\n\nImpact summary: Applications that use OBJ_obj2txt() directly, or use any of\nthe OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message\nsize limit may experience notable to very long delays when processing those\nmessages, which may lead to a Denial of Service.\n\nAn OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -\nmost of which have no size limit. OBJ_obj2txt() may be used to translate\nan ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL\ntype ASN1_OBJECT) to its canonical numeric text form, which are the\nsub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by\nperiods.\n\nWhen one of the sub-identifiers in the OBJECT IDENTIFIER is very large\n(these are sizes that are seen as absurdly large, taking up tens or hundreds\nof KiBs), the translation to a decimal number in text may take a very long\ntime. The time complexity is O(n^2) with 'n' being the size of the\nsub-identifiers in bytes (*).\n\nWith OpenSSL 3.0, support to fetch cryptographic algorithms using names /\nidentifiers in string form was introduced. 
This includes using OBJECT\nIDENTIFIERs in canonical numeric text form as identifiers for fetching\nalgorithms.\n\nSuch OBJECT IDENTIFIERs may be received through the ASN.1 structure\nAlgorithmIdentifier, which is commonly used in multiple protocols to specify\nwhat cryptographic algorithm should be used to sign or verify, encrypt or\ndecrypt, or digest passed data.\n\nApplications that call OBJ_obj2txt() directly with untrusted data are\naffected, with any version of OpenSSL. If the use is for the mere purpose\nof display, the severity is considered low.\n\nIn OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,\nCMS, CMP/CRMF or TS. It also impacts anything that processes X.509\ncertificates, including simple things like verifying its signature.\n\nThe impact on TLS is relatively low, because all versions of OpenSSL have a\n100KiB limit on the peer's certificate chain. Additionally, this only\nimpacts clients, or servers that have explicitly enabled client\nauthentication.\n\nIn OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,\nsuch as X.509 certificates. 
This is assumed to not happen in such a way\nthat it would cause a Denial of Service, so these versions are considered\nnot affected by this issue in such a way that it would be cause for concern,\nand the severity is therefore considered low.","solution":"Upgrade libssl3 to 3.0.2-0ubuntu1.10"},{"id":"d6ded9f72f43ff8b9543c6aa96ef557bd9fd1c58","severity":"Low","location":{"dependency":{"package":{"name":"libssl3"},"version":"3.0.2-0ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2022-3996","value":"CVE-2022-3996","url":"https://access.redhat.com/security/cve/CVE-2022-3996"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2022-3996"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3996"},{"url":"https://github.com/openssl/openssl/commit/7725e7bfe6f2ce8146b6552b44e0d226be7638e7"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-3996"},{"url":"https://ubuntu.com/security/notices/USN-6039-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-3996"},{"url":"https://www.openssl.org/news/secadv/20221213.txt"}],"description":"If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup. Policy processing is enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. 
Update (31 March 2023): The description of the policy processing enablement was corrected based on CVE-2023-0466.","solution":"Upgrade libssl3 to 3.0.2-0ubuntu1.9"},{"id":"ab72008eb305156751fc868457cd2d5b596b19e1","severity":"Low","location":{"dependency":{"package":{"name":"libssl3"},"version":"3.0.2-0ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-0464","value":"CVE-2023-0464","url":"https://access.redhat.com/errata/RHSA-2023:3722"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2023:3722"},{"url":"https://access.redhat.com/security/cve/CVE-2023-0464"},{"url":"https://bugzilla.redhat.com/2181082"},{"url":"https://bugzilla.redhat.com/2182561"},{"url":"https://bugzilla.redhat.com/2182565"},{"url":"https://bugzilla.redhat.com/2188461"},{"url":"https://bugzilla.redhat.com/2207947"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0464"},{"url":"https://errata.almalinux.org/9/ALSA-2023-3722.html"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2dcd4f1e3115f38cefa43e3efbe9b801c27e642e"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1"},{"url":"https://linux.oracle.com/cve/CVE-2023-0464.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-3722.html"},{"url":"https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-0464"},{"url":"https://ubuntu.com/security/notices/USN-6039-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-0464"},{"url":"https://www.debian.org/security/2023/dsa-5417"},{"url":"https://www.openssl.or
g/news/secadv/20230322.txt"}],"description":"A security vulnerability has been identified in all supported versions\n\nof OpenSSL related to the verification of X.509 certificate chains\nthat include policy constraints. Attackers may be able to exploit this\nvulnerability by creating a malicious certificate chain that triggers\nexponential use of computational resources, leading to a denial-of-service\n(DoS) attack on affected systems.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.","solution":"Upgrade libssl3 to 3.0.2-0ubuntu1.9"},{"id":"8d71eb1f82bcd397358ae7cf478dd9c411701e93","severity":"Low","location":{"dependency":{"package":{"name":"libssl3"},"version":"3.0.2-0ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-0465","value":"CVE-2023-0465","url":"https://access.redhat.com/errata/RHSA-2023:3722"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2023:3722"},{"url":"https://access.redhat.com/security/cve/CVE-2023-0465"},{"url":"https://bugzilla.redhat.com/2181082"},{"url":"https://bugzilla.redhat.com/2182561"},{"url":"https://bugzilla.redhat.com/2182565"},{"url":"https://bugzilla.redhat.com/2188461"},{"url":"https://bugzilla.redhat.com/2207947"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0465"},{"url":"https://errata.almalinux.org/9/ALSA-2023-3722.html"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=10325176f3d3e98c6e2b3bf5ab1e3b334de6947a"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1dd43e0709fece299b15208f36cc7c76209ba0bb"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b013765abfa80036dc779dd0e50602c57bb3bf95"},{"url":"https://git.openssl.org/gitweb/?p=opens
sl.git;a=commitdiff;h=facfb1ab745646e97a1920977ae4a9965ea61d5c"},{"url":"https://linux.oracle.com/cve/CVE-2023-0465.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-3722.html"},{"url":"https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-0465"},{"url":"https://security.netapp.com/advisory/ntap-20230414-0001/"},{"url":"https://ubuntu.com/security/notices/USN-6039-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-0465"},{"url":"https://www.debian.org/security/2023/dsa-5417"},{"url":"https://www.openssl.org/news/secadv/20230328.txt"}],"description":"Applications that use a non-default option when verifying certificates may be\nvulnerable to an attack from a malicious CA to circumvent certain checks.\n\nInvalid certificate policies in leaf certificates are silently ignored by\nOpenSSL and other certificate policy checks are skipped for that certificate.\nA malicious CA could use this to deliberately assert invalid certificate policies\nin order to circumvent policy checking on the certificate altogether.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.","solution":"Upgrade libssl3 to 3.0.2-0ubuntu1.9"},{"id":"e43d67df6cea5327df7d81af1e2dc7950306afdf","severity":"Low","location":{"dependency":{"package":{"name":"libssl3"},"version":"3.0.2-0ubuntu1.8"},"operating_system":"ubuntu 
22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-0466","value":"CVE-2023-0466","url":"http://www.openwall.com/lists/oss-security/2023/09/28/4"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2023/09/28/4"},{"url":"https://access.redhat.com/errata/RHSA-2023:3722"},{"url":"https://access.redhat.com/security/cve/CVE-2023-0466"},{"url":"https://bugzilla.redhat.com/2181082"},{"url":"https://bugzilla.redhat.com/2182561"},{"url":"https://bugzilla.redhat.com/2182565"},{"url":"https://bugzilla.redhat.com/2188461"},{"url":"https://bugzilla.redhat.com/2207947"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0466"},{"url":"https://errata.almalinux.org/9/ALSA-2023-3722.html"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=51e8a84ce742db0f6c70510d0159dad8f7825908"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=73398dea26de9899fb4baa94098ad0a61f435c72"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc814a30fc4f0bc54fcea7d9a7462f5457aab061"},{"url":"https://linux.oracle.com/cve/CVE-2023-0466.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-3722.html"},{"url":"https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-0466"},{"url":"https://security.netapp.com/advisory/ntap-20230414-0001/"},{"url":"https://ubuntu.com/security/notices/USN-6039-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-0466"},{"url":"https://www.debian.org/security/2023/dsa-5417"},{"url":"https://www.openssl.org/news/secadv/20230328.txt"}],"description":"The function X509_VERIFY_PARAM_add0_policy() is documented to\nimplicitly enable the certificate policy check when doing certificate\nverification. 
However the implementation of the function does not\nenable the check which allows certificates with invalid or incorrect\npolicies to pass the certificate verification.\n\nAs suddenly enabling the policy check could break existing deployments it was\ndecided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()\nfunction.\n\nInstead the applications that require OpenSSL to perform certificate\npolicy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly\nenable the policy check by calling X509_VERIFY_PARAM_set_flags() with\nthe X509_V_FLAG_POLICY_CHECK flag argument.\n\nCertificate policy checks are disabled by default in OpenSSL and are not\ncommonly used by applications.","solution":"Upgrade libssl3 to 3.0.2-0ubuntu1.9"},{"id":"62a0eb7f06bc88b003c9cfae8fc3c6c625e0b97c","severity":"Low","location":{"dependency":{"package":{"name":"libssl3"},"version":"3.0.2-0ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-1255","value":"CVE-2023-1255","url":"https://access.redhat.com/errata/RHSA-2023:3722"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2023:3722"},{"url":"https://access.redhat.com/security/cve/CVE-2023-1255"},{"url":"https://bugzilla.redhat.com/2181082"},{"url":"https://bugzilla.redhat.com/2182561"},{"url":"https://bugzilla.redhat.com/2182565"},{"url":"https://bugzilla.redhat.com/2188461"},{"url":"https://bugzilla.redhat.com/2207947"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1255"},{"url":"https://errata.almalinux.org/9/ALSA-2023-3722.html"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=02ac9c9420275868472f33b01def01218742b8bb"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bc2f61ad70971869b242fc1cb445b98bad50074a"},{"url":"https://linux.oracle.com/cve/CVE-2023-1255.html"},{"url":"https://linux.or
acle.com/errata/ELSA-2023-3722.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-1255"},{"url":"https://security.netapp.com/advisory/ntap-20230908-0006/"},{"url":"https://ubuntu.com/security/notices/USN-6119-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-1255"},{"url":"https://www.openssl.org/news/secadv/20230419.txt"},{"url":"https://www.openssl.org/news/secadv/20230420.txt"}],"description":"Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM\nplatform contains a bug that could cause it to read past the input buffer,\nleading to a crash.\n\nImpact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM\nplatform can crash in rare circumstances. The AES-XTS algorithm is usually\nused for disk encryption.\n\nThe AES-XTS cipher decryption implementation for 64 bit ARM platform will read\npast the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16\nbyte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext\nbuffer is unmapped, this will trigger a crash which results in a denial of\nservice.\n\nIf an attacker can control the size and location of the ciphertext buffer\nbeing decrypted by an application using AES-XTS on 64 bit ARM, the\napplication is affected. 
This is fairly unlikely making this issue\na Low severity one.","solution":"Upgrade libssl3 to 3.0.2-0ubuntu1.10"},{"id":"4ecd741775b93ef2151bf2c678a1d8d8de98eb6a","severity":"Low","location":{"dependency":{"package":{"name":"libssl3"},"version":"3.0.2-0ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-2975","value":"CVE-2023-2975","url":"http://www.openwall.com/lists/oss-security/2023/07/15/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2023/07/15/1"},{"url":"http://www.openwall.com/lists/oss-security/2023/07/19/5"},{"url":"https://access.redhat.com/security/cve/CVE-2023-2975"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2975"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=00e2f5eea29994d19293ec4e8c8775ba73678598"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2975"},{"url":"https://security.netapp.com/advisory/ntap-20230725-0004/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-2975"},{"url":"https://www.openssl.org/news/secadv/20230714.txt"}],"description":"Issue summary: The AES-SIV cipher implementation contains a bug that causes\nit to ignore empty associated data entries which are unauthenticated as\na consequence.\n\nImpact summary: Applications that use the AES-SIV algorithm and want to\nauthenticate empty data entries as associated data can be mislead by removing\nadding or reordering such empty entries as these are ignored by the OpenSSL\nimplementation. We are currently unaware of any such applications.\n\nThe AES-SIV algorithm allows for authentication of multiple associated\ndata entries along with the encryption. 
To authenticate empty data the\napplication has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with\nNULL pointer as the output buffer and 0 as the input buffer length.\nThe AES-SIV implementation in OpenSSL just returns success for such a call\ninstead of performing the associated data authentication operation.\nThe empty data thus will not be authenticated.\n\nAs this issue does not affect non-empty associated data authentication and\nwe expect it to be rare for an application to use empty associated data\nentries this is qualified as Low severity issue.","solution":"No solution provided"},{"id":"6d0804b6775844658bf1e048a1bf03b79d69f6ca","severity":"Low","location":{"dependency":{"package":{"name":"libstdc++6"},"version":"12.1.0-2ubuntu1~22.04"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2022-27943","value":"CVE-2022-27943","url":"https://access.redhat.com/security/cve/CVE-2022-27943"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2022-27943"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27943"},{"url":"https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039"},{"url":"https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=9234cdca6ee88badfc00297e72f13dac4e540c79"},{"url":"https://gcc.gnu.org/pipermail/gcc-patches/2022-March/592244.html"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/H424YXGW7OKXS2NCAP35OP6Y4P4AW6VG/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-27943"},{"url":"https://sourceware.org/bugzilla/show_bug.cgi?id=28995"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-27943"}],"description":"libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.","solution":"No solution 
provided"},{"id":"aff33f6ca22aaefa3246087a99dba62d7f41dcc2","severity":"Medium","location":{"dependency":{"package":{"name":"libtinfo6"},"version":"6.3-2"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-29491","value":"CVE-2023-29491","url":"http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commit;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56"}],"links":[{"url":"http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commit;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56"},{"url":"http://www.openwall.com/lists/oss-security/2023/04/19/10"},{"url":"http://www.openwall.com/lists/oss-security/2023/04/19/11"},{"url":"https://access.redhat.com/errata/RHSA-2023:5249"},{"url":"https://access.redhat.com/security/cve/CVE-2023-29491"},{"url":"https://bugzilla.redhat.com/2191704"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29491"},{"url":"https://errata.almalinux.org/8/ALSA-2023-5249.html"},{"url":"https://invisible-island.net/ncurses/NEWS.html#index-t20230408"},{"url":"https://linux.oracle.com/cve/CVE-2023-29491.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-5249.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-29491"},{"url":"https://security.netapp.com/advisory/ntap-20230517-0009/"},{"url":"https://support.apple.com/kb/HT213843"},{"url":"https://support.apple.com/kb/HT213844"},{"url":"https://support.apple.com/kb/HT213845"},{"url":"https://ubuntu.com/security/notices/USN-6099-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-29491"},{"url":"https://www.openwall.com/lists/oss-security/2023/04/12/5"},{"url":"https://www.openwall.com/lists/oss-security/2023/04/13/4"}],"description":"ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached 
via the TERMINFO or TERM environment variable.","solution":"Upgrade libtinfo6 to 6.3-2ubuntu0.1"},{"id":"3664c62e9e9e0b46c0da0d3d4b0dc7faea6fcc2b","severity":"Low","location":{"dependency":{"package":{"name":"libtinfo6"},"version":"6.3-2"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2022-29458","value":"CVE-2022-29458","url":"http://seclists.org/fulldisclosure/2022/Oct/41"}],"links":[{"url":"http://seclists.org/fulldisclosure/2022/Oct/41"},{"url":"https://access.redhat.com/security/cve/CVE-2022-29458"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29458"},{"url":"https://invisible-island.net/ncurses/NEWS.html#t20220416"},{"url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00037.html"},{"url":"https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00014.html"},{"url":"https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00016.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29458"},{"url":"https://support.apple.com/kb/HT213488"},{"url":"https://ubuntu.com/security/notices/USN-5477-1"},{"url":"https://ubuntu.com/security/notices/USN-6099-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-29458"}],"description":"ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.","solution":"Upgrade libtinfo6 to 6.3-2ubuntu0.1"},{"id":"f78869f64262744b529ce2ed3b40e8d3fbc30c3d","severity":"Low","location":{"dependency":{"package":{"name":"libzstd1"},"version":"1.4.8+dfsg-3build1"},"operating_system":"ubuntu 
22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2022-4899","value":"CVE-2022-4899","url":"https://access.redhat.com/security/cve/CVE-2022-4899"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2022-4899"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4899"},{"url":"https://github.com/facebook/zstd"},{"url":"https://github.com/facebook/zstd/issues/3200"},{"url":"https://github.com/facebook/zstd/pull/3220"},{"url":"https://github.com/pypa/advisory-database/tree/main/vulns/zstd/PYSEC-2023-121.yaml"},{"url":"https://github.com/sergey-dryabzhinsky/python-zstd/commit/c8a619aebdbd6b838fbfef6e19325a70f631a4c6"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/C63HAGVLQA6FJNDCHR7CNZZL6VSLILB2/"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/JEHRBBYYTPA4DETOM5XAKGCP37NUTLOA/"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/QYLDK6ODVC4LJSDULLX6Q2YHTFOWABCN/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-4899"},{"url":"https://security.netapp.com/advisory/ntap-20230725-0005/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-4899"}],"description":"A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.","solution":"No solution provided"},{"id":"6d6ac6e1281bf9b978dd4e5bbe83cccdce5ff616","severity":"High","location":{"dependency":{"package":{"name":"locales"},"version":"2.35-0ubuntu3.1"},"operating_system":"ubuntu 
22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-4911","value":"CVE-2023-4911","url":"http://packetstormsecurity.com/files/174986/glibc-ld.so-Local-Privilege-Escalation.html"}],"links":[{"url":"http://packetstormsecurity.com/files/174986/glibc-ld.so-Local-Privilege-Escalation.html"},{"url":"http://seclists.org/fulldisclosure/2023/Oct/11"},{"url":"http://www.openwall.com/lists/oss-security/2023/10/03/2"},{"url":"http://www.openwall.com/lists/oss-security/2023/10/03/3"},{"url":"http://www.openwall.com/lists/oss-security/2023/10/05/1"},{"url":"https://access.redhat.com/errata/RHSA-2023:5453"},{"url":"https://access.redhat.com/errata/RHSA-2023:5454"},{"url":"https://access.redhat.com/errata/RHSA-2023:5455"},{"url":"https://access.redhat.com/errata/RHSA-2023:5476"},{"url":"https://access.redhat.com/security/cve/CVE-2023-4911"},{"url":"https://bugzilla.redhat.com/2234712"},{"url":"https://bugzilla.redhat.com/2237782"},{"url":"https://bugzilla.redhat.com/2237798"},{"url":"https://bugzilla.redhat.com/2238352"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2234712"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2237782"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2237798"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2238352"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4527"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4806"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4813"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4911"},{"url":"https://errata.almalinux.org/8/ALSA-2023-5455.html"},{"url":"https://errata.rockylinux.org/RLSA-2023:5455"},{"url":"https://linux.oracle.com/cve/CVE-2023-4911.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-5455.html"},{"url":"https://lists.fedoraproject.org/archives/list/[email 
protected]/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-4911"},{"url":"https://security.gentoo.org/glsa/202310-03"},{"url":"https://ubuntu.com/security/notices/USN-6409-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-4911"},{"url":"https://www.debian.org/security/2023/dsa-5514"},{"url":"https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt"},{"url":"https://www.qualys.com/cve-2023-4911/"}],"description":"A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.","solution":"Upgrade locales to 2.35-0ubuntu3.4"},{"id":"4644540da3b71974a406a5f25394e3e436efc7e6","severity":"Low","location":{"dependency":{"package":{"name":"locales"},"version":"2.35-0ubuntu3.1"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2016-20013","value":"CVE-2016-20013","url":"https://akkadia.org/drepper/SHA-crypt.txt"}],"links":[{"url":"https://akkadia.org/drepper/SHA-crypt.txt"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-20013"},{"url":"https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/"},{"url":"https://twitter.com/solardiz/status/795601240151457793"}],"description":"sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's 
runtime is proportional to the square of the length of the password.","solution":"No solution provided"},{"id":"89008f5a9fe4a989a44fb6716ec8d9569ba4c05c","severity":"Low","location":{"dependency":{"package":{"name":"login"},"version":"1:4.8.1-2ubuntu2.1"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-29383","value":"CVE-2023-29383","url":"https://access.redhat.com/security/cve/CVE-2023-29383"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2023-29383"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29383"},{"url":"https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d"},{"url":"https://github.com/shadow-maint/shadow/pull/687"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-29383"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-29383"},{"url":"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/"},{"url":"https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797"}],"description":"In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. 
In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that \"cat /etc/passwd\" shows a rogue user account.","solution":"No solution provided"},{"id":"dfa93b8e081b3eb9a55368e6b835a89a667e215d","severity":"Medium","location":{"dependency":{"package":{"name":"ncurses-base"},"version":"6.3-2"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-29491","value":"CVE-2023-29491","url":"http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commit;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56"}],"links":[{"url":"http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commit;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56"},{"url":"http://www.openwall.com/lists/oss-security/2023/04/19/10"},{"url":"http://www.openwall.com/lists/oss-security/2023/04/19/11"},{"url":"https://access.redhat.com/errata/RHSA-2023:5249"},{"url":"https://access.redhat.com/security/cve/CVE-2023-29491"},{"url":"https://bugzilla.redhat.com/2191704"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29491"},{"url":"https://errata.almalinux.org/8/ALSA-2023-5249.html"},{"url":"https://invisible-island.net/ncurses/NEWS.html#index-t20230408"},{"url":"https://linux.oracle.com/cve/CVE-2023-29491.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-5249.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-29491"},{"url":"https://security.netapp.com/advisory/ntap-20230517-0009/"},{"url":"https://support.apple.com/kb/HT213843"},{"url":"https://support.apple.com/kb/HT213844"},{"url":"https://support.apple.com/kb/HT213845"},{"url":"https://ubuntu.com/security/notices/USN-6099-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-29491"},{"url":"https://www.openwall.com/lists/oss-security/2023/04/12/5"},{"url":"https://www.openwall.com/lists/oss-security/2
023/04/13/4"}],"description":"ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.","solution":"Upgrade ncurses-base to 6.3-2ubuntu0.1"},{"id":"c77e7a0457e60bc765e550e4cb8b7644480ebd34","severity":"Low","location":{"dependency":{"package":{"name":"ncurses-base"},"version":"6.3-2"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2022-29458","value":"CVE-2022-29458","url":"http://seclists.org/fulldisclosure/2022/Oct/41"}],"links":[{"url":"http://seclists.org/fulldisclosure/2022/Oct/41"},{"url":"https://access.redhat.com/security/cve/CVE-2022-29458"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29458"},{"url":"https://invisible-island.net/ncurses/NEWS.html#t20220416"},{"url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00037.html"},{"url":"https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00014.html"},{"url":"https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00016.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29458"},{"url":"https://support.apple.com/kb/HT213488"},{"url":"https://ubuntu.com/security/notices/USN-5477-1"},{"url":"https://ubuntu.com/security/notices/USN-6099-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-29458"}],"description":"ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.","solution":"Upgrade ncurses-base to 6.3-2ubuntu0.1"},{"id":"108376062b4ced88df3c8eec42513c16e8fc0958","severity":"Medium","location":{"dependency":{"package":{"name":"ncurses-bin"},"version":"6.3-2"},"operating_system":"ubuntu 
22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-29491","value":"CVE-2023-29491","url":"http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commit;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56"}],"links":[{"url":"http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commit;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56"},{"url":"http://www.openwall.com/lists/oss-security/2023/04/19/10"},{"url":"http://www.openwall.com/lists/oss-security/2023/04/19/11"},{"url":"https://access.redhat.com/errata/RHSA-2023:5249"},{"url":"https://access.redhat.com/security/cve/CVE-2023-29491"},{"url":"https://bugzilla.redhat.com/2191704"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29491"},{"url":"https://errata.almalinux.org/8/ALSA-2023-5249.html"},{"url":"https://invisible-island.net/ncurses/NEWS.html#index-t20230408"},{"url":"https://linux.oracle.com/cve/CVE-2023-29491.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-5249.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-29491"},{"url":"https://security.netapp.com/advisory/ntap-20230517-0009/"},{"url":"https://support.apple.com/kb/HT213843"},{"url":"https://support.apple.com/kb/HT213844"},{"url":"https://support.apple.com/kb/HT213845"},{"url":"https://ubuntu.com/security/notices/USN-6099-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-29491"},{"url":"https://www.openwall.com/lists/oss-security/2023/04/12/5"},{"url":"https://www.openwall.com/lists/oss-security/2023/04/13/4"}],"description":"ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.","solution":"Upgrade ncurses-bin to 
6.3-2ubuntu0.1"},{"id":"205e6a0304963870f0cd44d244269f50b8887510","severity":"Low","location":{"dependency":{"package":{"name":"ncurses-bin"},"version":"6.3-2"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2022-29458","value":"CVE-2022-29458","url":"http://seclists.org/fulldisclosure/2022/Oct/41"}],"links":[{"url":"http://seclists.org/fulldisclosure/2022/Oct/41"},{"url":"https://access.redhat.com/security/cve/CVE-2022-29458"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29458"},{"url":"https://invisible-island.net/ncurses/NEWS.html#t20220416"},{"url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00037.html"},{"url":"https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00014.html"},{"url":"https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00016.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29458"},{"url":"https://support.apple.com/kb/HT213488"},{"url":"https://ubuntu.com/security/notices/USN-5477-1"},{"url":"https://ubuntu.com/security/notices/USN-6099-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-29458"}],"description":"ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.","solution":"Upgrade ncurses-bin to 6.3-2ubuntu0.1"},{"id":"5334c823f85474fe3e119bf738b6026a1faf5a64","severity":"Medium","location":{"dependency":{"package":{"name":"openssl"},"version":"3.0.2-0ubuntu1.8"},"operating_system":"ubuntu 
22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-2650","value":"CVE-2023-2650","url":"http://www.openwall.com/lists/oss-security/2023/05/30/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2023/05/30/1"},{"url":"https://access.redhat.com/errata/RHSA-2023:3722"},{"url":"https://access.redhat.com/security/cve/CVE-2023-2650"},{"url":"https://bugzilla.redhat.com/2181082"},{"url":"https://bugzilla.redhat.com/2182561"},{"url":"https://bugzilla.redhat.com/2182565"},{"url":"https://bugzilla.redhat.com/2188461"},{"url":"https://bugzilla.redhat.com/2207947"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2650"},{"url":"https://errata.almalinux.org/9/ALSA-2023-3722.html"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=423a2bc737a908ad0c77bda470b2b59dc879936b"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=853c5e56ee0b8650c73140816bb8b91d6163422c"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9e209944b35cf82368071f160a744b6178f9b098"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db779b0e10b047f2585615e0b8f2acdf21f8544a"},{"url":"https://linux.oracle.com/cve/CVE-2023-2650.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-3722.html"},{"url":"https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2650"},{"url":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0009"},{"url":"https://security.netapp.com/advisory/ntap-20230703-0001/"},{"url":"https://ubuntu.com/security/notices/USN-6119-1"},{"url":"https://ubuntu.com/security/notices/USN-6188-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-2650"},{"url":"https://www.debian.org/security/2023/dsa-5417"},{"url":"https://www.openssl.org/news/secadv/20230530.txt"}],"description":"Issue summary: Processing 
some specially crafted ASN.1 object identifiers or\ndata containing them may be very slow.\n\nImpact summary: Applications that use OBJ_obj2txt() directly, or use any of\nthe OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message\nsize limit may experience notable to very long delays when processing those\nmessages, which may lead to a Denial of Service.\n\nAn OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -\nmost of which have no size limit. OBJ_obj2txt() may be used to translate\nan ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL\ntype ASN1_OBJECT) to its canonical numeric text form, which are the\nsub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by\nperiods.\n\nWhen one of the sub-identifiers in the OBJECT IDENTIFIER is very large\n(these are sizes that are seen as absurdly large, taking up tens or hundreds\nof KiBs), the translation to a decimal number in text may take a very long\ntime. The time complexity is O(n^2) with 'n' being the size of the\nsub-identifiers in bytes (*).\n\nWith OpenSSL 3.0, support to fetch cryptographic algorithms using names /\nidentifiers in string form was introduced. This includes using OBJECT\nIDENTIFIERs in canonical numeric text form as identifiers for fetching\nalgorithms.\n\nSuch OBJECT IDENTIFIERs may be received through the ASN.1 structure\nAlgorithmIdentifier, which is commonly used in multiple protocols to specify\nwhat cryptographic algorithm should be used to sign or verify, encrypt or\ndecrypt, or digest passed data.\n\nApplications that call OBJ_obj2txt() directly with untrusted data are\naffected, with any version of OpenSSL. If the use is for the mere purpose\nof display, the severity is considered low.\n\nIn OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,\nCMS, CMP/CRMF or TS. 
It also impacts anything that processes X.509\ncertificates, including simple things like verifying its signature.\n\nThe impact on TLS is relatively low, because all versions of OpenSSL have a\n100KiB limit on the peer's certificate chain. Additionally, this only\nimpacts clients, or servers that have explicitly enabled client\nauthentication.\n\nIn OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,\nsuch as X.509 certificates. This is assumed to not happen in such a way\nthat it would cause a Denial of Service, so these versions are considered\nnot affected by this issue in such a way that it would be cause for concern,\nand the severity is therefore considered low.","solution":"Upgrade openssl to 3.0.2-0ubuntu1.10"},{"id":"0236c7dd32f079c2897d8c42186704a68804593e","severity":"Low","location":{"dependency":{"package":{"name":"openssl"},"version":"3.0.2-0ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2022-3996","value":"CVE-2022-3996","url":"https://access.redhat.com/security/cve/CVE-2022-3996"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2022-3996"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3996"},{"url":"https://github.com/openssl/openssl/commit/7725e7bfe6f2ce8146b6552b44e0d226be7638e7"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-3996"},{"url":"https://ubuntu.com/security/notices/USN-6039-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-3996"},{"url":"https://www.openssl.org/news/secadv/20221213.txt"}],"description":"If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. 
Policy processing being enabled on a publicly facing server is not considered to be a common setup. Policy processing is enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. Update (31 March 2023): The description of the policy processing enablement was corrected based on CVE-2023-0466.","solution":"Upgrade openssl to 3.0.2-0ubuntu1.9"},{"id":"0ad5e355727efc80d748d5ae0d95310e80e667d9","severity":"Low","location":{"dependency":{"package":{"name":"openssl"},"version":"3.0.2-0ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-0464","value":"CVE-2023-0464","url":"https://access.redhat.com/errata/RHSA-2023:3722"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2023:3722"},{"url":"https://access.redhat.com/security/cve/CVE-2023-0464"},{"url":"https://bugzilla.redhat.com/2181082"},{"url":"https://bugzilla.redhat.com/2182561"},{"url":"https://bugzilla.redhat.com/2182565"},{"url":"https://bugzilla.redhat.com/2188461"},{"url":"https://bugzilla.redhat.com/2207947"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0464"},{"url":"https://errata.almalinux.org/9/ALSA-2023-3722.html"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2dcd4f1e3115f38cefa43e3efbe9b801c27e642e"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1"},{"url":"https://linux.oracle.com/cve/CVE-2023-0464.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-3722.html"},{"url":"https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html"},
{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-0464"},{"url":"https://ubuntu.com/security/notices/USN-6039-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-0464"},{"url":"https://www.debian.org/security/2023/dsa-5417"},{"url":"https://www.openssl.org/news/secadv/20230322.txt"}],"description":"A security vulnerability has been identified in all supported versions\n\nof OpenSSL related to the verification of X.509 certificate chains\nthat include policy constraints. Attackers may be able to exploit this\nvulnerability by creating a malicious certificate chain that triggers\nexponential use of computational resources, leading to a denial-of-service\n(DoS) attack on affected systems.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.","solution":"Upgrade openssl to 3.0.2-0ubuntu1.9"},{"id":"5362656f4b07bc98cff93bf72f9e7a45b411667c","severity":"Low","location":{"dependency":{"package":{"name":"openssl"},"version":"3.0.2-0ubuntu1.8"},"operating_system":"ubuntu 
22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-0465","value":"CVE-2023-0465","url":"https://access.redhat.com/errata/RHSA-2023:3722"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2023:3722"},{"url":"https://access.redhat.com/security/cve/CVE-2023-0465"},{"url":"https://bugzilla.redhat.com/2181082"},{"url":"https://bugzilla.redhat.com/2182561"},{"url":"https://bugzilla.redhat.com/2182565"},{"url":"https://bugzilla.redhat.com/2188461"},{"url":"https://bugzilla.redhat.com/2207947"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0465"},{"url":"https://errata.almalinux.org/9/ALSA-2023-3722.html"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=10325176f3d3e98c6e2b3bf5ab1e3b334de6947a"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1dd43e0709fece299b15208f36cc7c76209ba0bb"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b013765abfa80036dc779dd0e50602c57bb3bf95"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=facfb1ab745646e97a1920977ae4a9965ea61d5c"},{"url":"https://linux.oracle.com/cve/CVE-2023-0465.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-3722.html"},{"url":"https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-0465"},{"url":"https://security.netapp.com/advisory/ntap-20230414-0001/"},{"url":"https://ubuntu.com/security/notices/USN-6039-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-0465"},{"url":"https://www.debian.org/security/2023/dsa-5417"},{"url":"https://www.openssl.org/news/secadv/20230328.txt"}],"description":"Applications that use a non-default option when verifying certificates may be\nvulnerable to an attack from a malicious CA to circumvent certain checks.\n\nInvalid certificate policies in leaf certificates are silently ignored 
by\nOpenSSL and other certificate policy checks are skipped for that certificate.\nA malicious CA could use this to deliberately assert invalid certificate policies\nin order to circumvent policy checking on the certificate altogether.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.","solution":"Upgrade openssl to 3.0.2-0ubuntu1.9"},{"id":"61d80b8c0a61d1f4bf445ae078d27a1191b964fd","severity":"Low","location":{"dependency":{"package":{"name":"openssl"},"version":"3.0.2-0ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-0466","value":"CVE-2023-0466","url":"http://www.openwall.com/lists/oss-security/2023/09/28/4"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2023/09/28/4"},{"url":"https://access.redhat.com/errata/RHSA-2023:3722"},{"url":"https://access.redhat.com/security/cve/CVE-2023-0466"},{"url":"https://bugzilla.redhat.com/2181082"},{"url":"https://bugzilla.redhat.com/2182561"},{"url":"https://bugzilla.redhat.com/2182565"},{"url":"https://bugzilla.redhat.com/2188461"},{"url":"https://bugzilla.redhat.com/2207947"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0466"},{"url":"https://errata.almalinux.org/9/ALSA-2023-3722.html"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=51e8a84ce742db0f6c70510d0159dad8f7825908"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=73398dea26de9899fb4baa94098ad0a61f435c72"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc814a30fc4f0bc54fcea7d9a7462f5457aab061"},{"url":"https://linux.oracle.com/cve/CVE-2023-0466.html"},{"url":
"https://linux.oracle.com/errata/ELSA-2023-3722.html"},{"url":"https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-0466"},{"url":"https://security.netapp.com/advisory/ntap-20230414-0001/"},{"url":"https://ubuntu.com/security/notices/USN-6039-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-0466"},{"url":"https://www.debian.org/security/2023/dsa-5417"},{"url":"https://www.openssl.org/news/secadv/20230328.txt"}],"description":"The function X509_VERIFY_PARAM_add0_policy() is documented to\nimplicitly enable the certificate policy check when doing certificate\nverification. However the implementation of the function does not\nenable the check which allows certificates with invalid or incorrect\npolicies to pass the certificate verification.\n\nAs suddenly enabling the policy check could break existing deployments it was\ndecided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()\nfunction.\n\nInstead the applications that require OpenSSL to perform certificate\npolicy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly\nenable the policy check by calling X509_VERIFY_PARAM_set_flags() with\nthe X509_V_FLAG_POLICY_CHECK flag argument.\n\nCertificate policy checks are disabled by default in OpenSSL and are not\ncommonly used by applications.","solution":"Upgrade openssl to 3.0.2-0ubuntu1.9"},{"id":"ce8d68ea8bcc342019002a6d80dcfc76fd8dc25b","severity":"Low","location":{"dependency":{"package":{"name":"openssl"},"version":"3.0.2-0ubuntu1.8"},"operating_system":"ubuntu 
22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-1255","value":"CVE-2023-1255","url":"https://access.redhat.com/errata/RHSA-2023:3722"}],"links":[{"url":"https://access.redhat.com/errata/RHSA-2023:3722"},{"url":"https://access.redhat.com/security/cve/CVE-2023-1255"},{"url":"https://bugzilla.redhat.com/2181082"},{"url":"https://bugzilla.redhat.com/2182561"},{"url":"https://bugzilla.redhat.com/2182565"},{"url":"https://bugzilla.redhat.com/2188461"},{"url":"https://bugzilla.redhat.com/2207947"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1255"},{"url":"https://errata.almalinux.org/9/ALSA-2023-3722.html"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=02ac9c9420275868472f33b01def01218742b8bb"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bc2f61ad70971869b242fc1cb445b98bad50074a"},{"url":"https://linux.oracle.com/cve/CVE-2023-1255.html"},{"url":"https://linux.oracle.com/errata/ELSA-2023-3722.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-1255"},{"url":"https://security.netapp.com/advisory/ntap-20230908-0006/"},{"url":"https://ubuntu.com/security/notices/USN-6119-1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-1255"},{"url":"https://www.openssl.org/news/secadv/20230419.txt"},{"url":"https://www.openssl.org/news/secadv/20230420.txt"}],"description":"Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM\nplatform contains a bug that could cause it to read past the input buffer,\nleading to a crash.\n\nImpact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM\nplatform can crash in rare circumstances. 
The AES-XTS algorithm is usually\nused for disk encryption.\n\nThe AES-XTS cipher decryption implementation for 64 bit ARM platform will read\npast the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16\nbyte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext\nbuffer is unmapped, this will trigger a crash which results in a denial of\nservice.\n\nIf an attacker can control the size and location of the ciphertext buffer\nbeing decrypted by an application using AES-XTS on 64 bit ARM, the\napplication is affected. This is fairly unlikely making this issue\na Low severity one.","solution":"Upgrade openssl to 3.0.2-0ubuntu1.10"},{"id":"d4f9ca3bc8eee8dd3fede46c40d575f7f290f367","severity":"Low","location":{"dependency":{"package":{"name":"openssl"},"version":"3.0.2-0ubuntu1.8"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-2975","value":"CVE-2023-2975","url":"http://www.openwall.com/lists/oss-security/2023/07/15/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2023/07/15/1"},{"url":"http://www.openwall.com/lists/oss-security/2023/07/19/5"},{"url":"https://access.redhat.com/security/cve/CVE-2023-2975"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2975"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=00e2f5eea29994d19293ec4e8c8775ba73678598"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2975"},{"url":"https://security.netapp.com/advisory/ntap-20230725-0004/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-2975"},{"url":"https://www.openssl.org/news/secadv/20230714.txt"}],"description":"Issue summary: The AES-SIV cipher implementation contains a bug that causes\nit to ignore empty associated data entries 
which are unauthenticated as\na consequence.\n\nImpact summary: Applications that use the AES-SIV algorithm and want to\nauthenticate empty data entries as associated data can be mislead by removing\nadding or reordering such empty entries as these are ignored by the OpenSSL\nimplementation. We are currently unaware of any such applications.\n\nThe AES-SIV algorithm allows for authentication of multiple associated\ndata entries along with the encryption. To authenticate empty data the\napplication has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with\nNULL pointer as the output buffer and 0 as the input buffer length.\nThe AES-SIV implementation in OpenSSL just returns success for such a call\ninstead of performing the associated data authentication operation.\nThe empty data thus will not be authenticated.\n\nAs this issue does not affect non-empty associated data authentication and\nwe expect it to be rare for an application to use empty associated data\nentries this is qualified as Low severity issue.","solution":"No solution provided"},{"id":"f8474f43168346f3f247fc47c056b5e962d021cb","severity":"Low","location":{"dependency":{"package":{"name":"passwd"},"version":"1:4.8.1-2ubuntu2.1"},"operating_system":"ubuntu 
22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-29383","value":"CVE-2023-29383","url":"https://access.redhat.com/security/cve/CVE-2023-29383"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2023-29383"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29383"},{"url":"https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d"},{"url":"https://github.com/shadow-maint/shadow/pull/687"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-29383"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-29383"},{"url":"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/"},{"url":"https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797"}],"description":"In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \\n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \\r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. 
In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that \"cat /etc/passwd\" shows a rogue user account.","solution":"No solution provided"},{"id":"1141a224c764f912e0d8fc6afb428e29c48b30ee","severity":"Medium","location":{"dependency":{"package":{"name":"perl"},"version":"5.34.0-3ubuntu1.1"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2022-48522","value":"CVE-2022-48522","url":"https://access.redhat.com/security/cve/CVE-2022-48522"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2022-48522"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48522"},{"url":"https://github.com/Perl/perl5/blob/79a7b254d85a10b65126ad99bf10e70480569d68/sv.c#L16336-L16345"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48522"},{"url":"https://security.netapp.com/advisory/ntap-20230915-0008/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-48522"}],"description":"In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation.","solution":"No solution provided"},{"id":"e8f6ce2cf006c46556fbfafdfa7e37383addff5c","severity":"Medium","location":{"dependency":{"package":{"name":"perl"},"version":"5.34.0-3ubuntu1.1"},"operating_system":"ubuntu 
22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-31484","value":"CVE-2023-31484","url":"http://www.openwall.com/lists/oss-security/2023/04/29/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2023/04/29/1"},{"url":"http://www.openwall.com/lists/oss-security/2023/05/03/3"},{"url":"http://www.openwall.com/lists/oss-security/2023/05/03/5"},{"url":"http://www.openwall.com/lists/oss-security/2023/05/07/2"},{"url":"https://access.redhat.com/security/cve/CVE-2023-31484"},{"url":"https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31484"},{"url":"https://github.com/andk/cpanpm/pull/175"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/"},{"url":"https://metacpan.org/dist/CPAN/changes"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-31484"},{"url":"https://ubuntu.com/security/notices/USN-6112-1"},{"url":"https://ubuntu.com/security/notices/USN-6112-2"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-31484"},{"url":"https://www.openwall.com/lists/oss-security/2023/04/18/14"}],"description":"CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.","solution":"Upgrade perl to 5.34.0-3ubuntu1.2"},{"id":"72baf70b525cc7b0bce448f327b3718ad8de7e40","severity":"Medium","location":{"dependency":{"package":{"name":"perl-base"},"version":"5.34.0-3ubuntu1.1"},"operating_system":"ubuntu 
22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2022-48522","value":"CVE-2022-48522","url":"https://access.redhat.com/security/cve/CVE-2022-48522"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2022-48522"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48522"},{"url":"https://github.com/Perl/perl5/blob/79a7b254d85a10b65126ad99bf10e70480569d68/sv.c#L16336-L16345"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48522"},{"url":"https://security.netapp.com/advisory/ntap-20230915-0008/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-48522"}],"description":"In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation.","solution":"No solution provided"},{"id":"46f2306ce7265c955097123678d2b655169f7113","severity":"Medium","location":{"dependency":{"package":{"name":"perl-base"},"version":"5.34.0-3ubuntu1.1"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-31484","value":"CVE-2023-31484","url":"http://www.openwall.com/lists/oss-security/2023/04/29/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2023/04/29/1"},{"url":"http://www.openwall.com/lists/oss-security/2023/05/03/3"},{"url":"http://www.openwall.com/lists/oss-security/2023/05/03/5"},{"url":"http://www.openwall.com/lists/oss-security/2023/05/07/2"},{"url":"https://access.redhat.com/security/cve/CVE-2023-31484"},{"url":"https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31484"},{"url":"https://github.com/andk/cpanpm/pull/175"},{"url":"https://lists.fedoraproject.org/archives/list/[email 
protected]/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/"},{"url":"https://metacpan.org/dist/CPAN/changes"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-31484"},{"url":"https://ubuntu.com/security/notices/USN-6112-1"},{"url":"https://ubuntu.com/security/notices/USN-6112-2"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-31484"},{"url":"https://www.openwall.com/lists/oss-security/2023/04/18/14"}],"description":"CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.","solution":"Upgrade perl-base to 5.34.0-3ubuntu1.2"},{"id":"0c31a11144d803f8de44cb3ef5d4b18b852495dd","severity":"Medium","location":{"dependency":{"package":{"name":"perl-modules-5.34"},"version":"5.34.0-3ubuntu1.1"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2022-48522","value":"CVE-2022-48522","url":"https://access.redhat.com/security/cve/CVE-2022-48522"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2022-48522"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48522"},{"url":"https://github.com/Perl/perl5/blob/79a7b254d85a10b65126ad99bf10e70480569d68/sv.c#L16336-L16345"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48522"},{"url":"https://security.netapp.com/advisory/ntap-20230915-0008/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-48522"}],"description":"In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or local privilege escalation.","solution":"No solution provided"},{"id":"0fd5ebf0169dcf254566efa1049d08f79a8a6ca8","severity":"Medium","location":{"dependency":{"package":{"name":"perl-modules-5.34"},"version":"5.34.0-3ubuntu1.1"},"operating_system":"ubuntu 
22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-31484","value":"CVE-2023-31484","url":"http://www.openwall.com/lists/oss-security/2023/04/29/1"}],"links":[{"url":"http://www.openwall.com/lists/oss-security/2023/04/29/1"},{"url":"http://www.openwall.com/lists/oss-security/2023/05/03/3"},{"url":"http://www.openwall.com/lists/oss-security/2023/05/03/5"},{"url":"http://www.openwall.com/lists/oss-security/2023/05/07/2"},{"url":"https://access.redhat.com/security/cve/CVE-2023-31484"},{"url":"https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31484"},{"url":"https://github.com/andk/cpanpm/pull/175"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/"},{"url":"https://metacpan.org/dist/CPAN/changes"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-31484"},{"url":"https://ubuntu.com/security/notices/USN-6112-1"},{"url":"https://ubuntu.com/security/notices/USN-6112-2"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-31484"},{"url":"https://www.openwall.com/lists/oss-security/2023/04/18/14"}],"description":"CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.","solution":"Upgrade perl-modules-5.34 to 5.34.0-3ubuntu1.2"},{"id":"a6080046a27afcaeee887796e6aaf6597cda6bf9","severity":"Low","location":{"dependency":{"package":{"name":"procps"},"version":"2:3.3.17-6ubuntu2"},"operating_system":"ubuntu 
22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2023-4016","value":"CVE-2023-4016","url":"https://access.redhat.com/security/cve/CVE-2023-4016"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2023-4016"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4016"},{"url":"https://gitlab.com/procps-ng/procps"},{"url":"https://lists.fedoraproject.org/archives/list/[email protected]/message/SUETRRT24OFGPYK6ACPM5VUGHNKH5CQ5/"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-4016"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-4016"}],"description":"Under some circumstances, this weakness allows a user who has access to run the “ps” utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.","solution":"No solution provided"},{"id":"f127b7b99965af7c35e5e4d8d7ceac7487b75950","severity":"Medium","location":{"dependency":{"package":{"name":"wget"},"version":"1.21.2-2ubuntu1"},"operating_system":"ubuntu 22.04","image":"registry.gitlab.com/agilefactory/witboost.mesh/provisioning/witboost.mesh.provisioning.javaspecificprovisioner"},"identifiers":[{"type":"cve","name":"CVE-2021-31879","value":"CVE-2021-31879","url":"https://access.redhat.com/security/cve/CVE-2021-31879"}],"links":[{"url":"https://access.redhat.com/security/cve/CVE-2021-31879"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31879"},{"url":"https://mail.gnu.org/archive/html/bug-wget/2021-02/msg00002.html"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-31879"},{"url":"https://savannah.gnu.org/bugs/?56909"},{"url":"https://security.netapp.com/advisory/ntap-20210618-0002/"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-31879"}],"description":"GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to 
CVE-2018-1000007.","solution":"No solution provided"}],"remediations":[],"scan":{"scanner":{"id":"trivy","name":"Trivy","url":"https://github.com/aquasecurity/trivy/","vendor":{"name":"GitLab"},"version":"0.36.1"},"analyzer":{"id":"gcs","name":"GitLab Container Scanning","vendor":{"name":"GitLab"},"version":"6.2.0"},"type":"container_scanning","start_time":"2023-10-12T12:23:15","end_time":"2023-10-12T12:23:26","status":"success"},"version":"15.0.6"}