jenkins.json

{"target_id": "sha256:62694ee7707eeed83cfdddcb892e4d48315a42ddb608679a2f2d012a405cd39e", "findings": {"vulnerabilities": {"matches": [{"vulnerability": {"id": "CVE-2004-0971", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2004-0971", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2004-0971"], "description": "The krb5-send-pr script in the kerberos5 (krb5) package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2004-0971", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2004-0971", "namespace": "nvd:cpe", "severity": "Low", "urls": ["http://www.securityfocus.com/bid/11289", "http://www.gentoo.org/security/en/glsa/glsa-200410-24.xml", "http://www.redhat.com/support/errata/RHSA-2005-012.html", "http://www.trustix.org/errata/2004/0050", "http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136304", "https://exchange.xforce.ibmcloud.com/vulnerabilities/17583", "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10497", "https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c@%3Cissues.guacamole.apache.org%3E"], "description": "The krb5-send-pr script in the kerberos5 (krb5) package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.", "cvss": [{"version": "2.0", "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "metrics": {"baseScore": 2.1, "exploitabilityScore": 3.9, "impactScore": 2.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "krb5", "version": "1.18.3-6+deb11u2"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libgssapi-krb5-2", "version": "1.18.3-6+deb11u2", "type": "deb", "locations": [{"path": "/usr/share/doc/libgssapi-krb5-2/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libgssapi-krb5-2:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2"], "cpes": ["cpe:2.3:a:libgssapi-krb5-2:libgssapi-krb5-2:1.18.3-6+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:libgssapi-krb5-2:libgssapi_krb5_2:1.18.3-6+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:libgssapi_krb5_2:libgssapi-krb5-2:1.18.3-6+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:libgssapi_krb5_2:libgssapi_krb5_2:1.18.3-6+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:libgssapi-krb5:libgssapi-krb5-2:1.18.3-6+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:libgssapi-krb5:libgssapi_krb5_2:1.18.3-6+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:libgssapi_krb5:libgssapi-krb5-2:1.18.3-6+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:libgssapi_krb5:libgssapi_krb5_2:1.18.3-6+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:libgssapi:libgssapi-krb5-2:1.18.3-6+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:libgssapi:libgssapi_krb5_2:1.18.3-6+deb11u2:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libgssapi-krb5-2@1.18.3-6+deb11u2?arch=arm64&upstream=krb5&distro=debian-11", "upstreams": [{"name": "krb5"}]}}, {"vulnerability": {"id": "CVE-2004-0971", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2004-0971", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2004-0971"], "description": "The krb5-send-pr script in the kerberos5 (krb5) package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2004-0971", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2004-0971", "namespace": "nvd:cpe", "severity": "Low", "urls": ["http://www.securityfocus.com/bid/11289", "http://www.gentoo.org/security/en/glsa/glsa-200410-24.xml", "http://www.redhat.com/support/errata/RHSA-2005-012.html", "http://www.trustix.org/errata/2004/0050", "http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136304", "https://exchange.xforce.ibmcloud.com/vulnerabilities/17583", "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10497", "https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c@%3Cissues.guacamole.apache.org%3E"], "description": "The krb5-send-pr script in the kerberos5 (krb5) package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.", "cvss": [{"version": "2.0", "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "metrics": {"baseScore": 2.1, "exploitabilityScore": 3.9, "impactScore": 2.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "krb5", "version": "1.18.3-6+deb11u2"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libk5crypto3", "version": "1.18.3-6+deb11u2", "type": "deb", "locations": [{"path": "/usr/share/doc/libk5crypto3/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libk5crypto3:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2"], "cpes": ["cpe:2.3:a:libk5crypto3:libk5crypto3:1.18.3-6+deb11u2:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libk5crypto3@1.18.3-6+deb11u2?arch=arm64&upstream=krb5&distro=debian-11", "upstreams": [{"name": "krb5"}]}}, {"vulnerability": {"id": "CVE-2004-0971", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2004-0971", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2004-0971"], "description": "The krb5-send-pr script in the kerberos5 (krb5) package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2004-0971", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2004-0971", "namespace": "nvd:cpe", "severity": "Low", "urls": ["http://www.securityfocus.com/bid/11289", "http://www.gentoo.org/security/en/glsa/glsa-200410-24.xml", "http://www.redhat.com/support/errata/RHSA-2005-012.html", "http://www.trustix.org/errata/2004/0050", "http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136304", "https://exchange.xforce.ibmcloud.com/vulnerabilities/17583", "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10497", "https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c@%3Cissues.guacamole.apache.org%3E"], "description": "The krb5-send-pr script in the kerberos5 (krb5) package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.", "cvss": [{"version": "2.0", "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "metrics": {"baseScore": 2.1, "exploitabilityScore": 3.9, "impactScore": 2.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "krb5", "version": "1.18.3-6+deb11u2"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libkrb5-3", "version": "1.18.3-6+deb11u2", "type": "deb", "locations": [{"path": "/usr/share/doc/libkrb5-3/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libkrb5-3:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2"], "cpes": ["cpe:2.3:a:libkrb5-3:libkrb5-3:1.18.3-6+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:libkrb5-3:libkrb5_3:1.18.3-6+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:libkrb5_3:libkrb5-3:1.18.3-6+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:libkrb5_3:libkrb5_3:1.18.3-6+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:libkrb5:libkrb5-3:1.18.3-6+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:libkrb5:libkrb5_3:1.18.3-6+deb11u2:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libkrb5-3@1.18.3-6+deb11u2?arch=arm64&upstream=krb5&distro=debian-11", "upstreams": [{"name": "krb5"}]}}, {"vulnerability": {"id": "CVE-2004-0971", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2004-0971", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2004-0971"], "description": "The krb5-send-pr script in the kerberos5 (krb5) package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2004-0971", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2004-0971", "namespace": "nvd:cpe", "severity": "Low", "urls": ["http://www.securityfocus.com/bid/11289", "http://www.gentoo.org/security/en/glsa/glsa-200410-24.xml", "http://www.redhat.com/support/errata/RHSA-2005-012.html", "http://www.trustix.org/errata/2004/0050", "http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136304", "https://exchange.xforce.ibmcloud.com/vulnerabilities/17583", "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10497", "https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c@%3Cissues.guacamole.apache.org%3E"], "description": "The krb5-send-pr script in the kerberos5 (krb5) package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.", "cvss": [{"version": "2.0", "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "metrics": {"baseScore": 2.1, "exploitabilityScore": 3.9, "impactScore": 2.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "krb5", "version": "1.18.3-6+deb11u2"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libkrb5support0", "version": "1.18.3-6+deb11u2", "type": "deb", "locations": [{"path": "/usr/share/doc/libkrb5support0/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libkrb5support0:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2"], "cpes": ["cpe:2.3:a:libkrb5support0:libkrb5support0:1.18.3-6+deb11u2:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libkrb5support0@1.18.3-6+deb11u2?arch=arm64&upstream=krb5&distro=debian-11", "upstreams": [{"name": "krb5"}]}}, {"vulnerability": {"id": "CVE-2005-2541", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2005-2541", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2005-2541"], "description": "Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2005-2541", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2005-2541", "namespace": "nvd:cpe", "severity": "High", "urls": ["http://marc.info/?l=bugtraq&m=112327628230258&w=2", "https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c@%3Cissues.guacamole.apache.org%3E"], "description": "Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "metrics": {"baseScore": 10, "exploitabilityScore": 10, "impactScore": 10}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "tar", "version": "1.34+dfsg-1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "tar", "version": "1.34+dfsg-1", "type": "deb", "locations": [{"path": "/usr/share/doc/tar/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/tar.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2", "GPL-3"], "cpes": ["cpe:2.3:a:tar:tar:1.34+dfsg-1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/tar@1.34+dfsg-1?arch=arm64&distro=debian-11", "upstreams": []}}, {"vulnerability": {"id": "CVE-2007-2243", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2007-2243", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2007-2243"], "description": "OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2007-2243", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2007-2243", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053906.html", "http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053951.html", "http://www.securityfocus.com/bid/23601", "http://www.osvdb.org/34600", "http://securityreason.com/securityalert/2631", "https://exchange.xforce.ibmcloud.com/vulnerabilities/33794", "https://security.netapp.com/advisory/ntap-20191107-0003/"], "description": "OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "metrics": {"baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "openssh", "version": "1:8.4p1-5+deb11u1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "openssh-client", "version": "1:8.4p1-5+deb11u1", "type": "deb", "locations": [{"path": "/usr/share/doc/openssh-client/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/openssh-client.conffiles", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/openssh-client.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["BSD-2-clause", "BSD-3-clause", "Beer-ware", "Expat-with-advertising-restriction", "Mazieres-BSD-style", "OpenSSH", "Powell-BSD-style", "public-domain"], "cpes": ["cpe:2.3:a:openssh-client:openssh-client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh-client:openssh_client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh_client:openssh-client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh_client:openssh_client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh:openssh-client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh:openssh_client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/openssh-client@1:8.4p1-5+deb11u1?arch=arm64&upstream=openssh&distro=debian-11", "upstreams": [{"name": "openssh"}]}}, {"vulnerability": {"id": "CVE-2007-2768", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2007-2768", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2007-2768"], "description": "OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2007-2768", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2007-2768", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["http://archives.neohapsis.com/archives/fulldisclosure/2007-04/0635.html", "http://www.osvdb.org/34601", "https://security.netapp.com/advisory/ntap-20191107-0002/"], "description": "OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "metrics": {"baseScore": 4.3, "exploitabilityScore": 8.6, "impactScore": 2.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "openssh", "version": "1:8.4p1-5+deb11u1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "openssh-client", "version": "1:8.4p1-5+deb11u1", "type": "deb", "locations": [{"path": "/usr/share/doc/openssh-client/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/openssh-client.conffiles", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/openssh-client.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["BSD-2-clause", "BSD-3-clause", "Beer-ware", "Expat-with-advertising-restriction", "Mazieres-BSD-style", "OpenSSH", "Powell-BSD-style", "public-domain"], "cpes": ["cpe:2.3:a:openssh-client:openssh-client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh-client:openssh_client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh_client:openssh-client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh_client:openssh_client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh:openssh-client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh:openssh_client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/openssh-client@1:8.4p1-5+deb11u1?arch=arm64&upstream=openssh&distro=debian-11", "upstreams": [{"name": "openssh"}]}}, {"vulnerability": {"id": "CVE-2007-5686", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2007-5686", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2007-5686"], "description": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts.  NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2007-5686", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2007-5686", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://issues.rpath.com/browse/RPL-1825", "http://www.securityfocus.com/bid/26048", "http://secunia.com/advisories/27215", "http://www.vupen.com/english/advisories/2007/3474", "http://www.securityfocus.com/archive/1/482857/100/0/threaded", "http://www.securityfocus.com/archive/1/482129/100/100/threaded"], "description": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts.  NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.", "cvss": [{"version": "2.0", "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "metrics": {"baseScore": 4.9, "exploitabilityScore": 3.9, "impactScore": 6.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "shadow", "version": "1:4.8.1-1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "login", "version": "1:4.8.1-1", "type": "deb", "locations": [{"path": "/usr/share/doc/login/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/login.conffiles", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/login.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2"], "cpes": ["cpe:2.3:a:login:login:1:4.8.1-1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/login@1:4.8.1-1?arch=arm64&upstream=shadow&distro=debian-11", "upstreams": [{"name": "shadow"}]}}, {"vulnerability": {"id": "CVE-2007-5686", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2007-5686", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2007-5686"], "description": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts.  NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2007-5686", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2007-5686", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://issues.rpath.com/browse/RPL-1825", "http://www.securityfocus.com/bid/26048", "http://secunia.com/advisories/27215", "http://www.vupen.com/english/advisories/2007/3474", "http://www.securityfocus.com/archive/1/482857/100/0/threaded", "http://www.securityfocus.com/archive/1/482129/100/100/threaded"], "description": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts.  NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.", "cvss": [{"version": "2.0", "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "metrics": {"baseScore": 4.9, "exploitabilityScore": 3.9, "impactScore": 6.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "shadow", "version": "1:4.8.1-1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "passwd", "version": "1:4.8.1-1", "type": "deb", "locations": [{"path": "/usr/share/doc/passwd/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/passwd.conffiles", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/passwd.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2"], "cpes": ["cpe:2.3:a:passwd:passwd:1:4.8.1-1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/passwd@1:4.8.1-1?arch=arm64&upstream=shadow&distro=debian-11", "upstreams": [{"name": "shadow"}]}}, {"vulnerability": {"id": "CVE-2007-6755", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2007-6755", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2007-6755"], "description": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain \"skeleton key\" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values.  NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2007-6755", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2007-6755", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html", "https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html", "http://rump2007.cr.yp.to/15-shumow.pdf", "http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html", "http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect", "http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/", "http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/", "http://www.securityfocus.com/bid/63657"], "description": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain \"skeleton key\" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values.  NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "metrics": {"baseScore": 5.8, "exploitabilityScore": 8.6, "impactScore": 4.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "openssl", "version": "1.1.1n-0+deb11u3"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libssl1.1", "version": "1.1.1n-0+deb11u3", "type": "deb", "locations": [{"path": "/usr/share/doc/libssl1.1/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libssl1.1:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": [], "cpes": ["cpe:2.3:a:libssl1.1:libssl1.1:1.1.1n-0+deb11u3:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libssl1.1@1.1.1n-0+deb11u3?arch=arm64&upstream=openssl&distro=debian-11", "upstreams": [{"name": "openssl"}]}}, {"vulnerability": {"id": "CVE-2007-6755", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2007-6755", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2007-6755"], "description": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain \"skeleton key\" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values.  NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2007-6755", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2007-6755", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html", "https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html", "http://rump2007.cr.yp.to/15-shumow.pdf", "http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html", "http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect", "http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/", "http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/", "http://www.securityfocus.com/bid/63657"], "description": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain \"skeleton key\" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values.  NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "metrics": {"baseScore": 5.8, "exploitabilityScore": 8.6, "impactScore": 4.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "openssl", "version": "1.1.1n-0+deb11u3"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "openssl", "version": "1.1.1n-0+deb11u3", "type": "deb", "locations": [{"path": "/usr/share/doc/openssl/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/openssl.conffiles", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/openssl.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": [], "cpes": ["cpe:2.3:a:openssl:openssl:1.1.1n-0+deb11u3:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/openssl@1.1.1n-0+deb11u3?arch=arm64&distro=debian-11", "upstreams": []}}, {"vulnerability": {"id": "CVE-2008-3234", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2008-3234", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2008-3234"], "description": "sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH snapshot, allows remote authenticated users to obtain access to arbitrary SELinux roles by appending a :/ (colon slash) sequence, followed by the role name, to the username.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2008-3234", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2008-3234", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["http://www.securityfocus.com/bid/30276", "https://exchange.xforce.ibmcloud.com/vulnerabilities/44037", "https://www.exploit-db.com/exploits/6094"], "description": "sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH snapshot, allows remote authenticated users to obtain access to arbitrary SELinux roles by appending a :/ (colon slash) sequence, followed by the role name, to the username.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "metrics": {"baseScore": 6.5, "exploitabilityScore": 8, "impactScore": 6.4}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "openssh", "version": "1:8.4p1-5+deb11u1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "openssh-client", "version": "1:8.4p1-5+deb11u1", "type": "deb", "locations": [{"path": "/usr/share/doc/openssh-client/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/openssh-client.conffiles", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/openssh-client.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["BSD-2-clause", "BSD-3-clause", "Beer-ware", "Expat-with-advertising-restriction", "Mazieres-BSD-style", "OpenSSH", "Powell-BSD-style", "public-domain"], "cpes": ["cpe:2.3:a:openssh-client:openssh-client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh-client:openssh_client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh_client:openssh-client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh_client:openssh_client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh:openssh-client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh:openssh_client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/openssh-client@1:8.4p1-5+deb11u1?arch=arm64&upstream=openssh&distro=debian-11", "upstreams": [{"name": "openssh"}]}}, {"vulnerability": {"id": "CVE-2010-0928", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2010-0928", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2010-0928"], "description": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2010-0928", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2010-0928", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf", "http://www.networkworld.com/news/2010/030410-rsa-security-attack.html", "http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/", "http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/", "http://www.osvdb.org/62808", "https://exchange.xforce.ibmcloud.com/vulnerabilities/56750"], "description": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"", "cvss": [{"version": "2.0", "vector": "AV:L/AC:H/Au:N/C:C/I:N/A:N", "metrics": {"baseScore": 4, "exploitabilityScore": 1.9, "impactScore": 6.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "openssl", "version": "1.1.1n-0+deb11u3"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libssl1.1", "version": "1.1.1n-0+deb11u3", "type": "deb", "locations": [{"path": "/usr/share/doc/libssl1.1/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libssl1.1:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": [], "cpes": ["cpe:2.3:a:libssl1.1:libssl1.1:1.1.1n-0+deb11u3:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libssl1.1@1.1.1n-0+deb11u3?arch=arm64&upstream=openssl&distro=debian-11", "upstreams": [{"name": "openssl"}]}}, {"vulnerability": {"id": "CVE-2010-0928", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2010-0928", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2010-0928"], "description": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2010-0928", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2010-0928", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf", "http://www.networkworld.com/news/2010/030410-rsa-security-attack.html", "http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/", "http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/", "http://www.osvdb.org/62808", "https://exchange.xforce.ibmcloud.com/vulnerabilities/56750"], "description": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"", "cvss": [{"version": "2.0", "vector": "AV:L/AC:H/Au:N/C:C/I:N/A:N", "metrics": {"baseScore": 4, "exploitabilityScore": 1.9, "impactScore": 6.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "openssl", "version": "1.1.1n-0+deb11u3"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "openssl", "version": "1.1.1n-0+deb11u3", "type": "deb", "locations": [{"path": "/usr/share/doc/openssl/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/openssl.conffiles", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/openssl.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": [], "cpes": ["cpe:2.3:a:openssl:openssl:1.1.1n-0+deb11u3:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/openssl@1.1.1n-0+deb11u3?arch=arm64&distro=debian-11", "upstreams": []}}, {"vulnerability": {"id": "CVE-2010-4756", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2010-4756", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2010-4756"], "description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2010-4756", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2010-4756", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["http://securityreason.com/exploitalert/9223", "http://cxib.net/stuff/glob-0day.c", "http://securityreason.com/achievement_securityalert/89", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756", "https://bugzilla.redhat.com/show_bug.cgi?id=681681"], "description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "metrics": {"baseScore": 4, "exploitabilityScore": 8, "impactScore": 2.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "glibc", "version": "2.31-13+deb11u4"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libc-bin", "version": "2.31-13+deb11u4", "type": "deb", "locations": [{"path": "/usr/share/doc/libc-bin/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libc-bin.conffiles", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libc-bin.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2", "LGPL-2.1"], "cpes": ["cpe:2.3:a:libc-bin:libc-bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc-bin:libc_bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc_bin:libc-bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc_bin:libc_bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc:libc-bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc:libc_bin:2.31-13+deb11u4:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libc-bin@2.31-13+deb11u4?arch=arm64&upstream=glibc&distro=debian-11", "upstreams": [{"name": "glibc"}]}}, {"vulnerability": {"id": "CVE-2010-4756", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2010-4756", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2010-4756"], "description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2010-4756", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2010-4756", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["http://securityreason.com/exploitalert/9223", "http://cxib.net/stuff/glob-0day.c", "http://securityreason.com/achievement_securityalert/89", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4756", "https://bugzilla.redhat.com/show_bug.cgi?id=681681"], "description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "metrics": {"baseScore": 4, "exploitabilityScore": 8, "impactScore": 2.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "glibc", "version": "2.31-13+deb11u4"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libc6", "version": "2.31-13+deb11u4", "type": "deb", "locations": [{"path": "/usr/share/doc/libc6/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libc6:arm64.conffiles", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libc6:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2", "LGPL-2.1"], "cpes": ["cpe:2.3:a:libc6:libc6:2.31-13+deb11u4:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libc6@2.31-13+deb11u4?arch=arm64&upstream=glibc&distro=debian-11", "upstreams": [{"name": "glibc"}]}}, {"vulnerability": {"id": "CVE-2011-3374", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2011-3374", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2011-3374"], "description": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2011-3374", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2011-3374", "namespace": "nvd:cpe", "severity": "Low", "urls": ["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480", "https://snyk.io/vuln/SNYK-LINUX-APT-116518", "https://access.redhat.com/security/cve/cve-2011-3374", "https://security-tracker.debian.org/tracker/CVE-2011-3374", "https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html", "https://seclists.org/fulldisclosure/2011/Sep/221", "https://ubuntu.com/security/CVE-2011-3374"], "description": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "metrics": {"baseScore": 4.3, "exploitabilityScore": 8.6, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "metrics": {"baseScore": 3.7, "exploitabilityScore": 2.2, "impactScore": 1.4}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "apt", "version": "2.2.4"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "apt", "version": "2.2.4", "type": "deb", "locations": [{"path": "/usr/share/doc/apt/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/apt.conffiles", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/apt.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2", "GPLv2+"], "cpes": ["cpe:2.3:a:apt:apt:2.2.4:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/apt@2.2.4?arch=arm64&distro=debian-11", "upstreams": []}}, {"vulnerability": {"id": "CVE-2011-3374", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2011-3374", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2011-3374"], "description": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2011-3374", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2011-3374", "namespace": "nvd:cpe", "severity": "Low", "urls": ["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480", "https://snyk.io/vuln/SNYK-LINUX-APT-116518", "https://access.redhat.com/security/cve/cve-2011-3374", "https://security-tracker.debian.org/tracker/CVE-2011-3374", "https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html", "https://seclists.org/fulldisclosure/2011/Sep/221", "https://ubuntu.com/security/CVE-2011-3374"], "description": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "metrics": {"baseScore": 4.3, "exploitabilityScore": 8.6, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "metrics": {"baseScore": 3.7, "exploitabilityScore": 2.2, "impactScore": 1.4}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "apt", "version": "2.2.4"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "apt-transport-https", "version": "2.2.4", "type": "deb", "locations": [{"path": "/usr/share/doc/apt-transport-https/copyright", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}, {"path": "/var/lib/dpkg/info/apt-transport-https.md5sums", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2", "GPLv2+"], "cpes": ["cpe:2.3:a:apt-transport-https:apt-transport-https:2.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:apt-transport-https:apt_transport_https:2.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:apt_transport_https:apt-transport-https:2.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:apt_transport_https:apt_transport_https:2.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:apt-transport:apt-transport-https:2.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:apt-transport:apt_transport_https:2.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:apt_transport:apt-transport-https:2.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:apt_transport:apt_transport_https:2.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:apt:apt-transport-https:2.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:apt:apt_transport_https:2.2.4:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/apt-transport-https@2.2.4?arch=all&upstream=apt&distro=debian-11", "upstreams": [{"name": "apt"}]}}, {"vulnerability": {"id": "CVE-2011-3374", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2011-3374", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2011-3374"], "description": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2011-3374", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2011-3374", "namespace": "nvd:cpe", "severity": "Low", "urls": ["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480", "https://snyk.io/vuln/SNYK-LINUX-APT-116518", "https://access.redhat.com/security/cve/cve-2011-3374", "https://security-tracker.debian.org/tracker/CVE-2011-3374", "https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html", "https://seclists.org/fulldisclosure/2011/Sep/221", "https://ubuntu.com/security/CVE-2011-3374"], "description": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "metrics": {"baseScore": 4.3, "exploitabilityScore": 8.6, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "metrics": {"baseScore": 3.7, "exploitabilityScore": 2.2, "impactScore": 1.4}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "apt", "version": "2.2.4"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libapt-pkg6.0", "version": "2.2.4", "type": "deb", "locations": [{"path": "/usr/share/doc/libapt-pkg6.0/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libapt-pkg6.0:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2", "GPLv2+"], "cpes": ["cpe:2.3:a:libapt-pkg6.0:libapt-pkg6.0:2.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:libapt-pkg6.0:libapt_pkg6.0:2.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:libapt_pkg6.0:libapt-pkg6.0:2.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:libapt_pkg6.0:libapt_pkg6.0:2.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:libapt:libapt-pkg6.0:2.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:libapt:libapt_pkg6.0:2.2.4:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libapt-pkg6.0@2.2.4?arch=arm64&upstream=apt&distro=debian-11", "upstreams": [{"name": "apt"}]}}, {"vulnerability": {"id": "CVE-2011-3389", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2011-3389", "namespace": "debian:distro:debian:11", "severity": "Medium", "urls": ["https://security-tracker.debian.org/tracker/CVE-2011-3389"], "description": "The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a \"BEAST\" attack.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2011-3389", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2011-3389", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["http://www.opera.com/docs/changelogs/unix/1151/", "http://www.securityfocus.com/bid/49388", "http://www.opera.com/docs/changelogs/windows/1151/", "http://www.opera.com/docs/changelogs/mac/1151/", "http://osvdb.org/74829", "http://secunia.com/advisories/45791", "http://www.securitytracker.com/id?1025997", "http://eprint.iacr.org/2004/111", "https://bugzilla.redhat.com/show_bug.cgi?id=737506", "http://ekoparty.org/2011/juliano-rizzo.php", "http://www.imperialviolet.org/2011/09/23/chromeandbeast.html", "https://bugzilla.novell.com/show_bug.cgi?id=719047", "http://www.insecure.cl/Beast-SSL.rar", "http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html", "http://eprint.iacr.org/2006/136", "http://isc.sans.edu/diary/SSL+TLS+part+3+/11635", "http://my.opera.com/securitygroup/blog/2011/09/28/the-beast-ssl-tls-issue", "http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/", "http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspx", "http://technet.microsoft.com/security/advisory/2588513", "http://support.apple.com/kb/HT4999", "http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html", "http://support.apple.com/kb/HT5001", "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html", "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00002.html", "http://www.securitytracker.com/id?1026103", "http://www.securityfocus.com/bid/49778", "http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx", "http://www.redhat.com/support/errata/RHSA-2011-1384.html", "http://vnhacker.blogspot.com/2011/09/beast.html", "http://www.kb.cert.org/vuls/id/864643", "http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html", "http://www.ibm.com/developerworks/java/jdk/alerts/", "http://www.opera.com/docs/changelogs/windows/1160/", "http://www.opera.com/docs/changelogs/mac/1160/", "http://www.opera.com/support/kb/view/1004/", "http://www.opera.com/docs/changelogs/unix/1160/", "http://www.redhat.com/support/errata/RHSA-2012-0006.html", "http://support.apple.com/kb/HT5130", "http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html", "http://marc.info/?l=bugtraq&m=132872385320240&w=2", "http://support.apple.com/kb/HT5281", "http://lists.apple.com/archives/security-announce/2012/May/msg00001.html", "http://lists.apple.com/archives/security-announce/2012/Jul/msg00001.html", "http://support.apple.com/kb/HT5501", "http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html", "http://secunia.com/advisories/49198", "http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00051.html", "https://hermes.opensuse.org/messages/13155432", "https://hermes.opensuse.org/messages/13154861", "http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00049.html", "http://marc.info/?l=bugtraq&m=132750579901589&w=2", "http://secunia.com/advisories/48692", "https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_fetchmail", "http://secunia.com/advisories/48948", "http://secunia.com/advisories/48915", "http://www.us-cert.gov/cas/techalerts/TA12-010A.html", "https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862", "http://secunia.com/advisories/55351", "http://secunia.com/advisories/55322", "http://secunia.com/advisories/55350", "http://www.securitytracker.com/id/1029190", "http://rhn.redhat.com/errata/RHSA-2013-1455.html", "http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html", "http://www.ubuntu.com/usn/USN-1263-1", "http://support.apple.com/kb/HT6150", "http://security.gentoo.org/glsa/glsa-201406-32.xml", "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html", "http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html", "http://downloads.asterisk.org/pub/security/AST-2016-001.html", "http://marc.info/?l=bugtraq&m=134254957702612&w=2", "http://marc.info/?l=bugtraq&m=133365109612558&w=2", "http://marc.info/?l=bugtraq&m=133728004526190&w=2", "http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf", "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14752", "http://marc.info/?l=bugtraq&m=134254866602253&w=2", "http://www.mandriva.com/security/advisories?name=MDVSA-2012:058", "http://rhn.redhat.com/errata/RHSA-2012-0508.html", "http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00009.html", "http://security.gentoo.org/glsa/glsa-201203-02.xml", "http://secunia.com/advisories/48256", "http://www.securitytracker.com/id?1026704", "http://secunia.com/advisories/47998", "http://www.debian.org/security/2012/dsa-2398", "http://curl.haxx.se/docs/adv_20120124B.html", "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02", "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-006", "https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf", "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html"], "description": "The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a \"BEAST\" attack.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "metrics": {"baseScore": 4.3, "exploitabilityScore": 8.6, "impactScore": 2.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "gnutls28", "version": "3.7.1-5+deb11u2"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libgnutls30", "version": "3.7.1-5+deb11u2", "type": "deb", "locations": [{"path": "/usr/share/doc/libgnutls30/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libgnutls30:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["Apache-2.0", "BSD-3-Clause", "CC0", "Expat", "GFDL-1.3", "GPL", "GPL-3", "GPLv3+", "LGPL", "LGPL-3", "LGPLv2.1+", "LGPLv3+_or_GPLv2+", "The"], "cpes": ["cpe:2.3:a:libgnutls30:libgnutls30:3.7.1-5+deb11u2:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libgnutls30@3.7.1-5+deb11u2?arch=arm64&upstream=gnutls28&distro=debian-11", "upstreams": [{"name": "gnutls28"}]}}, {"vulnerability": {"id": "CVE-2011-4116", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2011-4116", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2011-4116"], "description": "_is_safe in the File::Temp module for Perl does not properly handle symlinks.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2011-4116", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2011-4116", "namespace": "nvd:cpe", "severity": "High", "urls": ["http://www.openwall.com/lists/oss-security/2011/11/04/2", "https://rt.cpan.org/Public/Bug/Display.html?id=69106", "https://github.com/Perl-Toolchain-Gang/File-Temp/issues/14", "http://www.openwall.com/lists/oss-security/2011/11/04/4", "https://seclists.org/oss-sec/2011/q4/238"], "description": "_is_safe in the File::Temp module for Perl does not properly handle symlinks.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "metrics": {"baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "perl", "version": "5.32.1-4+deb11u2"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libperl5.32", "version": "5.32.1-4+deb11u2", "type": "deb", "locations": [{"path": "/usr/share/doc/libperl5.32/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/libperl5.32:arm64.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["Artistic", "Artistic-2", "Artistic-dist", "BSD-3-clause", "BSD-3-clause-GENERIC", "BSD-3-clause-with-weird-numbering", "BSD-4-clause-POWERDOG", "BZIP", "DONT-CHANGE-THE-GPL", "Expat", "GPL-1", "GPL-1+", "GPL-2", "GPL-2+", "GPL-3+-WITH-BISON-EXCEPTION", "HSIEH-BSD", "HSIEH-DERIVATIVE", "LGPL-2.1", "REGCOMP", "REGCOMP,", "RRA-KEEP-THIS-NOTICE", "SDBM-PUBLIC-DOMAIN", "TEXT-TABS", "Unicode", "ZLIB"], "cpes": ["cpe:2.3:a:libperl5.32:libperl5.32:5.32.1-4+deb11u2:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libperl5.32@5.32.1-4+deb11u2?arch=arm64&upstream=perl&distro=debian-11", "upstreams": [{"name": "perl"}]}}, {"vulnerability": {"id": "CVE-2011-4116", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2011-4116", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2011-4116"], "description": "_is_safe in the File::Temp module for Perl does not properly handle symlinks.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2011-4116", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2011-4116", "namespace": "nvd:cpe", "severity": "High", "urls": ["http://www.openwall.com/lists/oss-security/2011/11/04/2", "https://rt.cpan.org/Public/Bug/Display.html?id=69106", "https://github.com/Perl-Toolchain-Gang/File-Temp/issues/14", "http://www.openwall.com/lists/oss-security/2011/11/04/4", "https://seclists.org/oss-sec/2011/q4/238"], "description": "_is_safe in the File::Temp module for Perl does not properly handle symlinks.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "metrics": {"baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "perl", "version": "5.32.1-4+deb11u2"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "perl", "version": "5.32.1-4+deb11u2", "type": "deb", "locations": [{"path": "/usr/share/doc/perl/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/perl.conffiles", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/perl.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["Artistic", "Artistic-2", "Artistic-dist", "BSD-3-clause", "BSD-3-clause-GENERIC", "BSD-3-clause-with-weird-numbering", "BSD-4-clause-POWERDOG", "BZIP", "DONT-CHANGE-THE-GPL", "Expat", "GPL-1", "GPL-1+", "GPL-2", "GPL-2+", "GPL-3+-WITH-BISON-EXCEPTION", "HSIEH-BSD", "HSIEH-DERIVATIVE", "LGPL-2.1", "REGCOMP", "REGCOMP,", "RRA-KEEP-THIS-NOTICE", "SDBM-PUBLIC-DOMAIN", "TEXT-TABS", "Unicode", "ZLIB"], "cpes": ["cpe:2.3:a:perl:perl:5.32.1-4+deb11u2:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/perl@5.32.1-4+deb11u2?arch=arm64&distro=debian-11", "upstreams": []}}, {"vulnerability": {"id": "CVE-2011-4116", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2011-4116", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2011-4116"], "description": "_is_safe in the File::Temp module for Perl does not properly handle symlinks.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2011-4116", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2011-4116", "namespace": "nvd:cpe", "severity": "High", "urls": ["http://www.openwall.com/lists/oss-security/2011/11/04/2", "https://rt.cpan.org/Public/Bug/Display.html?id=69106", "https://github.com/Perl-Toolchain-Gang/File-Temp/issues/14", "http://www.openwall.com/lists/oss-security/2011/11/04/4", "https://seclists.org/oss-sec/2011/q4/238"], "description": "_is_safe in the File::Temp module for Perl does not properly handle symlinks.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "metrics": {"baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "perl", "version": "5.32.1-4+deb11u2"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "perl-base", "version": "5.32.1-4+deb11u2", "type": "deb", "locations": [{"path": "/usr/share/doc/perl-base/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/perl-base.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["Artistic", "Artistic-2", "Artistic-dist", "BSD-3-clause", "BSD-3-clause-GENERIC", "BSD-3-clause-with-weird-numbering", "BSD-4-clause-POWERDOG", "BZIP", "DONT-CHANGE-THE-GPL", "Expat", "GPL-1", "GPL-1+", "GPL-2", "GPL-2+", "GPL-3+-WITH-BISON-EXCEPTION", "HSIEH-BSD", "HSIEH-DERIVATIVE", "LGPL-2.1", "REGCOMP", "REGCOMP,", "RRA-KEEP-THIS-NOTICE", "SDBM-PUBLIC-DOMAIN", "TEXT-TABS", "Unicode", "ZLIB"], "cpes": ["cpe:2.3:a:perl-base:perl-base:5.32.1-4+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:perl-base:perl_base:5.32.1-4+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:perl_base:perl-base:5.32.1-4+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:perl_base:perl_base:5.32.1-4+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl-base:5.32.1-4+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl_base:5.32.1-4+deb11u2:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/perl-base@5.32.1-4+deb11u2?arch=arm64&upstream=perl&distro=debian-11", "upstreams": [{"name": "perl"}]}}, {"vulnerability": {"id": "CVE-2011-4116", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2011-4116", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2011-4116"], "description": "_is_safe in the File::Temp module for Perl does not properly handle symlinks.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2011-4116", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2011-4116", "namespace": "nvd:cpe", "severity": "High", "urls": ["http://www.openwall.com/lists/oss-security/2011/11/04/2", "https://rt.cpan.org/Public/Bug/Display.html?id=69106", "https://github.com/Perl-Toolchain-Gang/File-Temp/issues/14", "http://www.openwall.com/lists/oss-security/2011/11/04/4", "https://seclists.org/oss-sec/2011/q4/238"], "description": "_is_safe in the File::Temp module for Perl does not properly handle symlinks.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "metrics": {"baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "perl", "version": "5.32.1-4+deb11u2"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "perl-modules-5.32", "version": "5.32.1-4+deb11u2", "type": "deb", "locations": [{"path": "/usr/share/doc/perl-modules-5.32/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/perl-modules-5.32.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["Artistic", "Artistic-2", "Artistic-dist", "BSD-3-clause", "BSD-3-clause-GENERIC", "BSD-3-clause-with-weird-numbering", "BSD-4-clause-POWERDOG", "BZIP", "DONT-CHANGE-THE-GPL", "Expat", "GPL-1", "GPL-1+", "GPL-2", "GPL-2+", "GPL-3+-WITH-BISON-EXCEPTION", "HSIEH-BSD", "HSIEH-DERIVATIVE", "LGPL-2.1", "REGCOMP", "REGCOMP,", "RRA-KEEP-THIS-NOTICE", "SDBM-PUBLIC-DOMAIN", "TEXT-TABS", "Unicode", "ZLIB"], "cpes": ["cpe:2.3:a:perl-modules-5.32:perl-modules-5.32:5.32.1-4+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:perl-modules-5.32:perl_modules_5.32:5.32.1-4+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:perl_modules_5.32:perl-modules-5.32:5.32.1-4+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:perl_modules_5.32:perl_modules_5.32:5.32.1-4+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:perl-modules:perl-modules-5.32:5.32.1-4+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:perl-modules:perl_modules_5.32:5.32.1-4+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:perl_modules:perl-modules-5.32:5.32.1-4+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:perl_modules:perl_modules_5.32:5.32.1-4+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl-modules-5.32:5.32.1-4+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl_modules_5.32:5.32.1-4+deb11u2:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/perl-modules-5.32@5.32.1-4+deb11u2?arch=all&upstream=perl&distro=debian-11", "upstreams": [{"name": "perl"}]}}, {"vulnerability": {"id": "CVE-2013-0340", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2013-0340", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2013-0340"], "description": "expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue.  NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2013-0340", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2013-0340", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["http://openwall.com/lists/oss-security/2013/02/22/3", "http://www.openwall.com/lists/oss-security/2013/04/12/6", "http://www.osvdb.org/90634", "http://securitytracker.com/id?1028213", "http://www.securityfocus.com/bid/58233", "https://security.gentoo.org/glsa/201701-21", "https://support.apple.com/kb/HT212814", "https://support.apple.com/kb/HT212815", "https://support.apple.com/kb/HT212819", "https://support.apple.com/kb/HT212807", "https://support.apple.com/kb/HT212804", "https://support.apple.com/kb/HT212805", "http://seclists.org/fulldisclosure/2021/Sep/39", "http://seclists.org/fulldisclosure/2021/Sep/38", "http://seclists.org/fulldisclosure/2021/Sep/35", "http://seclists.org/fulldisclosure/2021/Sep/34", "http://seclists.org/fulldisclosure/2021/Sep/33", "http://seclists.org/fulldisclosure/2021/Sep/40", "https://lists.apache.org/thread.html/r41eca5f4f09e74436cbb05dec450fc2bef37b5d3e966aa7cc5fada6d@%3Cannounce.apache.org%3E", "https://lists.apache.org/thread.html/rfb2c193360436e230b85547e85a41bea0916916f96c501f5b6fc4702@%3Cusers.openoffice.apache.org%3E", "http://www.openwall.com/lists/oss-security/2021/10/07/4", "http://seclists.org/fulldisclosure/2021/Oct/61", "http://seclists.org/fulldisclosure/2021/Oct/63", "http://seclists.org/fulldisclosure/2021/Oct/62"], "description": "expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue.  NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "metrics": {"baseScore": 6.8, "exploitabilityScore": 8.6, "impactScore": 6.4}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "expat", "version": "2.2.10-2+deb11u4"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libexpat1", "version": "2.2.10-2+deb11u4", "type": "deb", "locations": [{"path": "/usr/share/doc/libexpat1/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/libexpat1:arm64.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["MIT"], "cpes": ["cpe:2.3:a:libexpat1:libexpat1:2.2.10-2+deb11u4:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libexpat1@2.2.10-2+deb11u4?arch=arm64&upstream=expat&distro=debian-11", "upstreams": [{"name": "expat"}]}}, {"vulnerability": {"id": "CVE-2013-4235", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2013-4235", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2013-4235"], "description": "shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2013-4235", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2013-4235", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://security-tracker.debian.org/tracker/CVE-2013-4235", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235", "https://access.redhat.com/security/cve/cve-2013-4235", "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E"], "description": "shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees", "cvss": [{"version": "2.0", "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:P", "metrics": {"baseScore": 3.3, "exploitabilityScore": 3.4, "impactScore": 4.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "metrics": {"baseScore": 4.7, "exploitabilityScore": 1, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "shadow", "version": "1:4.8.1-1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "login", "version": "1:4.8.1-1", "type": "deb", "locations": [{"path": "/usr/share/doc/login/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/login.conffiles", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/login.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2"], "cpes": ["cpe:2.3:a:login:login:1:4.8.1-1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/login@1:4.8.1-1?arch=arm64&upstream=shadow&distro=debian-11", "upstreams": [{"name": "shadow"}]}}, {"vulnerability": {"id": "CVE-2013-4235", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2013-4235", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2013-4235"], "description": "shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2013-4235", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2013-4235", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://security-tracker.debian.org/tracker/CVE-2013-4235", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235", "https://access.redhat.com/security/cve/cve-2013-4235", "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E"], "description": "shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees", "cvss": [{"version": "2.0", "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:P", "metrics": {"baseScore": 3.3, "exploitabilityScore": 3.4, "impactScore": 4.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "metrics": {"baseScore": 4.7, "exploitabilityScore": 1, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "shadow", "version": "1:4.8.1-1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "passwd", "version": "1:4.8.1-1", "type": "deb", "locations": [{"path": "/usr/share/doc/passwd/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/passwd.conffiles", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/passwd.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2"], "cpes": ["cpe:2.3:a:passwd:passwd:1:4.8.1-1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/passwd@1:4.8.1-1?arch=arm64&upstream=shadow&distro=debian-11", "upstreams": [{"name": "shadow"}]}}, {"vulnerability": {"id": "CVE-2013-4392", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2013-4392", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2013-4392"], "description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2013-4392", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2013-4392", "namespace": "nvd:cpe", "severity": "Low", "urls": ["http://www.openwall.com/lists/oss-security/2013/10/01/9", "https://bugzilla.redhat.com/show_bug.cgi?id=859060", "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357"], "description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", "cvss": [{"version": "2.0", "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:N", "metrics": {"baseScore": 3.3, "exploitabilityScore": 3.4, "impactScore": 4.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "systemd", "version": "247.3-7+deb11u1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libsystemd0", "version": "247.3-7+deb11u1", "type": "deb", "locations": [{"path": "/usr/share/doc/libsystemd0/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libsystemd0:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["CC0-1.0", "Expat", "GPL-2", "GPL-2+", "LGPL-2.1", "LGPL-2.1+", "public-domain"], "cpes": ["cpe:2.3:a:libsystemd0:libsystemd0:247.3-7+deb11u1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libsystemd0@247.3-7+deb11u1?arch=arm64&upstream=systemd&distro=debian-11", "upstreams": [{"name": "systemd"}]}}, {"vulnerability": {"id": "CVE-2013-4392", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2013-4392", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2013-4392"], "description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2013-4392", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2013-4392", "namespace": "nvd:cpe", "severity": "Low", "urls": ["http://www.openwall.com/lists/oss-security/2013/10/01/9", "https://bugzilla.redhat.com/show_bug.cgi?id=859060", "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357"], "description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", "cvss": [{"version": "2.0", "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:N", "metrics": {"baseScore": 3.3, "exploitabilityScore": 3.4, "impactScore": 4.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "systemd", "version": "247.3-7+deb11u1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libudev1", "version": "247.3-7+deb11u1", "type": "deb", "locations": [{"path": "/usr/share/doc/libudev1/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libudev1:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["CC0-1.0", "Expat", "GPL-2", "GPL-2+", "LGPL-2.1", "LGPL-2.1+", "public-domain"], "cpes": ["cpe:2.3:a:libudev1:libudev1:247.3-7+deb11u1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libudev1@247.3-7+deb11u1?arch=arm64&upstream=systemd&distro=debian-11", "upstreams": [{"name": "systemd"}]}}, {"vulnerability": {"id": "CVE-2015-3276", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2015-3276", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2015-3276"], "description": "The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2015-3276", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2015-3276", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["http://www.securitytracker.com/id/1034221", "http://rhn.redhat.com/errata/RHSA-2015-2131.html", "https://bugzilla.redhat.com/show_bug.cgi?id=1238322", "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"], "description": "The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "metrics": {"baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "openldap", "version": "2.4.57+dfsg-3+deb11u1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libldap-2.4-2", "version": "2.4.57+dfsg-3+deb11u1", "type": "deb", "locations": [{"path": "/usr/share/doc/libldap-2.4-2/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/libldap-2.4-2:arm64.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": [], "cpes": ["cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap:libldap-2.4-2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap:libldap_2.4_2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libldap-2.4-2@2.4.57+dfsg-3+deb11u1?arch=arm64&upstream=openldap&distro=debian-11", "upstreams": [{"name": "openldap"}]}}, {"vulnerability": {"id": "CVE-2016-1000027", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000027", "namespace": "nvd:cpe", "severity": "Critical", "urls": ["https://security-tracker.debian.org/tracker/CVE-2016-1000027", "https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000027.json", "https://www.tenable.com/security/research/tra-2016-20", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000027", "https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-582313417", "https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-579669626", "https://spring.io/blog/2022/05/11/spring-framework-5-3-20-and-5-2-22-available-now", "https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-744519525"], "description": "Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "metrics": {"baseScore": 7.5, "exploitabilityScore": 10, "impactScore": 6.4}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 9.8, "exploitabilityScore": 3.9, "impactScore": 5.9}, "vendorMetadata": {}}], "fix": {"versions": [], "state": "unknown"}, "advisories": []}, "relatedVulnerabilities": [], "matchDetails": [{"type": "cpe-match", "matcher": "java-matcher", "searchedBy": {"namespace": "nvd:cpe", "cpes": ["cpe:2.3:a:vmware:spring_framework:5.3.23:*:*:*:*:*:*:*"]}, "found": {"versionConstraint": "< 6.0.0 (unknown)", "cpes": ["cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*"]}}], "artifact": {"name": "spring-core", "version": "5.3.23", "type": "java-archive", "locations": [{"path": "/usr/share/jenkins/jenkins.war", "layerID": "sha256:54f341385349f69f2ce6184ecec3ddcdb997d1d46f2aae35f0a94d5b92a0d3b4"}], "language": "java", "licenses": [], "cpes": ["cpe:2.3:a:springsource-spring-framework:springsource_spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource_spring_framework:springsource_spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource-spring:springsource_spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource_spring:springsource_spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:pivotal_software:springsource_spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring-framework:springsource_spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring_framework:springsource_spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource-spring-framework:spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource_spring_framework:spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource:springsource_spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring-core:springsource_spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring_core:springsource_spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource-spring-framework:spring-core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource-spring-framework:spring_core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource_spring_framework:spring-core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource_spring_framework:spring_core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring:springsource_spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource-spring:spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource_spring:spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:springsource_spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:pivotal_software:spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring-framework:spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring_framework:spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource-spring:spring-core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource-spring:spring_core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource_spring:spring-core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource_spring:spring_core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource:spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:pivotal_software:spring-core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:pivotal_software:spring_core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring-core:spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring-framework:spring-core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring-framework:spring_core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring_core:spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring_framework:spring-core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring_framework:spring_core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource:spring-core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:springsource:spring_core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring-core:spring-core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring-core:spring_core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring:spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring_core:spring-core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring_core:spring_core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:spring_framework:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring:spring-core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:spring:spring_core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:spring-core:5.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:spring_core:5.3.23:*:*:*:*:*:*:*"], "purl": "pkg:maven/spring-core/spring-core@5.3.23", "upstreams": [], "metadataType": "JavaMetadata", "metadata": {"virtualPath": "/usr/share/jenkins/jenkins.war:WEB-INF/lib/spring-core-5.3.23.jar", "pomArtifactID": "", "pomGroupID": "", "manifestName": "", "archiveDigests": [{"algorithm": "sha1", "value": "91407dc1106ea423c44150f3da1a0b4f8e25e5ca"}]}}}, {"vulnerability": {"id": "CVE-2016-20012", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2016-20012", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2016-20012"], "description": "** DISPUTED ** OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. NOTE: the vendor does not recognize user enumeration as a vulnerability for this product.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2016-20012", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-20012", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://github.com/openssh/openssh-portable/blob/d0fffc88c8fe90c1815c6f4097bc8cbcabc0f3dd/auth2-pubkey.c#L261-L265", "https://github.com/openssh/openssh-portable/pull/270", "https://rushter.com/blog/public-ssh-keys/", "https://utcc.utoronto.ca/~cks/space/blog/tech/SSHKeysAreInfoLeak", "https://security.netapp.com/advisory/ntap-20211014-0005/", "https://github.com/openssh/openssh-portable/pull/270#issuecomment-943909185", "https://github.com/openssh/openssh-portable/pull/270#issuecomment-920577097", "https://www.openwall.com/lists/oss-security/2018/08/24/1"], "description": "** DISPUTED ** OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. NOTE: the vendor does not recognize user enumeration as a vulnerability for this product.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "metrics": {"baseScore": 4.3, "exploitabilityScore": 8.6, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "metrics": {"baseScore": 5.3, "exploitabilityScore": 3.9, "impactScore": 1.4}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "openssh", "version": "1:8.4p1-5+deb11u1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "openssh-client", "version": "1:8.4p1-5+deb11u1", "type": "deb", "locations": [{"path": "/usr/share/doc/openssh-client/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/openssh-client.conffiles", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/openssh-client.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["BSD-2-clause", "BSD-3-clause", "Beer-ware", "Expat-with-advertising-restriction", "Mazieres-BSD-style", "OpenSSH", "Powell-BSD-style", "public-domain"], "cpes": ["cpe:2.3:a:openssh-client:openssh-client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh-client:openssh_client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh_client:openssh-client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh_client:openssh_client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh:openssh-client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh:openssh_client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/openssh-client@1:8.4p1-5+deb11u1?arch=arm64&upstream=openssh&distro=debian-11", "upstreams": [{"name": "openssh"}]}}, {"vulnerability": {"id": "CVE-2016-2781", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2016-2781", "namespace": "debian:distro:debian:11", "severity": "Low", "urls": ["https://security-tracker.debian.org/tracker/CVE-2016-2781"], "description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", "cvss": [], "fix": {"versions": [], "state": "wont-fix"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2016-2781", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-2781", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["http://www.openwall.com/lists/oss-security/2016/02/28/3", "http://www.openwall.com/lists/oss-security/2016/02/28/2", "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E"], "description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.", "cvss": [{"version": "2.0", "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "metrics": {"baseScore": 2.1, "exploitabilityScore": 3.9, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.0", "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "metrics": {"baseScore": 6.5, "exploitabilityScore": 2, "impactScore": 4}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "coreutils", "version": "8.32-4"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "coreutils", "version": "8.32-4", "type": "deb", "locations": [{"path": "/usr/share/doc/coreutils/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/coreutils.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-3"], "cpes": ["cpe:2.3:a:coreutils:coreutils:8.32-4:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/coreutils@8.32-4?arch=arm64&distro=debian-11", "upstreams": []}}, {"vulnerability": {"id": "CVE-2017-11164", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2017-11164", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2017-11164"], "description": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2017-11164", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2017-11164", "namespace": "nvd:cpe", "severity": "High", "urls": ["http://openwall.com/lists/oss-security/2017/07/11/3", "http://www.securityfocus.com/bid/99575", "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E"], "description": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "metrics": {"baseScore": 7.8, "exploitabilityScore": 10, "impactScore": 6.9}, "vendorMetadata": {}}, {"version": "3.0", "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "pcre3", "version": "2:8.39-13"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libpcre3", "version": "2:8.39-13", "type": "deb", "locations": [{"path": "/usr/share/doc/libpcre3/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libpcre3:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": [], "cpes": ["cpe:2.3:a:libpcre3:libpcre3:2:8.39-13:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libpcre3@2:8.39-13?arch=arm64&upstream=pcre3&distro=debian-11", "upstreams": [{"name": "pcre3"}]}}, {"vulnerability": {"id": "CVE-2017-14159", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2017-14159", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2017-14159"], "description": "slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a \"kill `cat /pathname`\" command, as demonstrated by openldap-initscript.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2017-14159", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2017-14159", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["http://www.openldap.org/its/index.cgi?findid=8703", "https://www.oracle.com/security-alerts/cpuapr2022.html"], "description": "slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a \"kill `cat /pathname`\" command, as demonstrated by openldap-initscript.", "cvss": [{"version": "2.0", "vector": "AV:L/AC:M/Au:N/C:N/I:N/A:P", "metrics": {"baseScore": 1.9, "exploitabilityScore": 3.4, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "metrics": {"baseScore": 4.7, "exploitabilityScore": 1, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "openldap", "version": "2.4.57+dfsg-3+deb11u1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libldap-2.4-2", "version": "2.4.57+dfsg-3+deb11u1", "type": "deb", "locations": [{"path": "/usr/share/doc/libldap-2.4-2/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/libldap-2.4-2:arm64.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": [], "cpes": ["cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap:libldap-2.4-2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap:libldap_2.4_2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libldap-2.4-2@2.4.57+dfsg-3+deb11u1?arch=arm64&upstream=openldap&distro=debian-11", "upstreams": [{"name": "openldap"}]}}, {"vulnerability": {"id": "CVE-2017-16231", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2017-16231", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2017-16231"], "description": "** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2017-16231", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2017-16231", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://bugs.exim.org/show_bug.cgi?id=2047", "http://www.securityfocus.com/bid/101688", "http://www.openwall.com/lists/oss-security/2017/11/01/8", "http://www.openwall.com/lists/oss-security/2017/11/01/7", "http://www.openwall.com/lists/oss-security/2017/11/01/3", "http://www.openwall.com/lists/oss-security/2017/11/01/11", "http://seclists.org/fulldisclosure/2018/Dec/33", "http://packetstormsecurity.com/files/150897/PCRE-8.41-Buffer-Overflow.html"], "description": "** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used.", "cvss": [{"version": "2.0", "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "metrics": {"baseScore": 2.1, "exploitabilityScore": 3.9, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.0", "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "metrics": {"baseScore": 5.5, "exploitabilityScore": 1.8, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "pcre3", "version": "2:8.39-13"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libpcre3", "version": "2:8.39-13", "type": "deb", "locations": [{"path": "/usr/share/doc/libpcre3/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libpcre3:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": [], "cpes": ["cpe:2.3:a:libpcre3:libpcre3:2:8.39-13:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libpcre3@2:8.39-13?arch=arm64&upstream=pcre3&distro=debian-11", "upstreams": [{"name": "pcre3"}]}}, {"vulnerability": {"id": "CVE-2017-17740", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2017-17740", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2017-17740"], "description": "contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2017-17740", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2017-17740", "namespace": "nvd:cpe", "severity": "High", "urls": ["http://www.openldap.org/its/index.cgi/Incoming?id=8759", "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00053.html", "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00058.html", "https://kc.mcafee.com/corporate/index?page=content&id=SB10365", "https://www.oracle.com/security-alerts/cpuapr2022.html"], "description": "contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "metrics": {"baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "openldap", "version": "2.4.57+dfsg-3+deb11u1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libldap-2.4-2", "version": "2.4.57+dfsg-3+deb11u1", "type": "deb", "locations": [{"path": "/usr/share/doc/libldap-2.4-2/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/libldap-2.4-2:arm64.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": [], "cpes": ["cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap:libldap-2.4-2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap:libldap_2.4_2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libldap-2.4-2@2.4.57+dfsg-3+deb11u1?arch=arm64&upstream=openldap&distro=debian-11", "upstreams": [{"name": "openldap"}]}}, {"vulnerability": {"id": "CVE-2017-18018", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2017-18018", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2017-18018"], "description": "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2017-18018", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2017-18018", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html"], "description": "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.", "cvss": [{"version": "2.0", "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:N", "metrics": {"baseScore": 1.9, "exploitabilityScore": 3.4, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.0", "vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "metrics": {"baseScore": 4.7, "exploitabilityScore": 1, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "coreutils", "version": "8.32-4"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "coreutils", "version": "8.32-4", "type": "deb", "locations": [{"path": "/usr/share/doc/coreutils/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/coreutils.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-3"], "cpes": ["cpe:2.3:a:coreutils:coreutils:8.32-4:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/coreutils@8.32-4?arch=arm64&distro=debian-11", "upstreams": []}}, {"vulnerability": {"id": "CVE-2017-7245", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2017-7245", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2017-7245"], "description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2017-7245", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2017-7245", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/", "http://www.securityfocus.com/bid/97067", "https://security.gentoo.org/glsa/201710-25", "https://access.redhat.com/errata/RHSA-2018:2486"], "description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "metrics": {"baseScore": 6.8, "exploitabilityScore": 8.6, "impactScore": 6.4}, "vendorMetadata": {}}, {"version": "3.0", "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 7.8, "exploitabilityScore": 1.8, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "pcre3", "version": "2:8.39-13"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libpcre3", "version": "2:8.39-13", "type": "deb", "locations": [{"path": "/usr/share/doc/libpcre3/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libpcre3:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": [], "cpes": ["cpe:2.3:a:libpcre3:libpcre3:2:8.39-13:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libpcre3@2:8.39-13?arch=arm64&upstream=pcre3&distro=debian-11", "upstreams": [{"name": "pcre3"}]}}, {"vulnerability": {"id": "CVE-2017-7246", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2017-7246", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2017-7246"], "description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2017-7246", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2017-7246", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/", "http://www.securityfocus.com/bid/97067", "https://security.gentoo.org/glsa/201710-25", "https://access.redhat.com/errata/RHSA-2018:2486"], "description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "metrics": {"baseScore": 6.8, "exploitabilityScore": 8.6, "impactScore": 6.4}, "vendorMetadata": {}}, {"version": "3.0", "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 7.8, "exploitabilityScore": 1.8, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "pcre3", "version": "2:8.39-13"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libpcre3", "version": "2:8.39-13", "type": "deb", "locations": [{"path": "/usr/share/doc/libpcre3/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libpcre3:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": [], "cpes": ["cpe:2.3:a:libpcre3:libpcre3:2:8.39-13:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libpcre3@2:8.39-13?arch=arm64&upstream=pcre3&distro=debian-11", "upstreams": [{"name": "pcre3"}]}}, {"vulnerability": {"id": "CVE-2018-1000021", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-1000021", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2018-1000021"], "description": "GIT version 2.15.1 and earlier contains a Input Validation Error vulnerability in Client that can result in problems including messing up terminal configuration to RCE. This attack appear to be exploitable via The user must interact with a malicious git server, (or have their traffic modified in a MITM attack).", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2018-1000021", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000021", "namespace": "nvd:cpe", "severity": "High", "urls": ["http://www.batterystapl.es/2018/01/security-implications-of-ansi-escape.html"], "description": "GIT version 2.15.1 and earlier contains a Input Validation Error vulnerability in Client that can result in problems including messing up terminal configuration to RCE. This attack appear to be exploitable via The user must interact with a malicious git server, (or have their traffic modified in a MITM attack).", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "metrics": {"baseScore": 6.8, "exploitabilityScore": 8.6, "impactScore": 6.4}, "vendorMetadata": {}}, {"version": "3.0", "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 8.8, "exploitabilityScore": 2.8, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "git", "version": "1:2.30.2-1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "git", "version": "1:2.30.2-1", "type": "deb", "locations": [{"path": "/usr/share/doc/git/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/git.conffiles", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/git.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["Apache-2.0", "Artistic", "Boost", "EDL-1.0", "Expat", "GPL", "GPL-1+", "GPL-2", "GPL-2+", "ISC", "LGPL-2", "LGPL-2+", "LGPL-2.1", "LGPL-2.1+", "dlmalloc", "mingw-runtime"], "cpes": ["cpe:2.3:a:git:git:1:2.30.2-1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/git@1:2.30.2-1?arch=arm64&distro=debian-11", "upstreams": []}}, {"vulnerability": {"id": "CVE-2018-1000021", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-1000021", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2018-1000021"], "description": "GIT version 2.15.1 and earlier contains a Input Validation Error vulnerability in Client that can result in problems including messing up terminal configuration to RCE. This attack appear to be exploitable via The user must interact with a malicious git server, (or have their traffic modified in a MITM attack).", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2018-1000021", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000021", "namespace": "nvd:cpe", "severity": "High", "urls": ["http://www.batterystapl.es/2018/01/security-implications-of-ansi-escape.html"], "description": "GIT version 2.15.1 and earlier contains a Input Validation Error vulnerability in Client that can result in problems including messing up terminal configuration to RCE. This attack appear to be exploitable via The user must interact with a malicious git server, (or have their traffic modified in a MITM attack).", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "metrics": {"baseScore": 6.8, "exploitabilityScore": 8.6, "impactScore": 6.4}, "vendorMetadata": {}}, {"version": "3.0", "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 8.8, "exploitabilityScore": 2.8, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "git", "version": "1:2.30.2-1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "git-man", "version": "1:2.30.2-1", "type": "deb", "locations": [{"path": "/usr/share/doc/git-man/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/git-man.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["Apache-2.0", "Artistic", "Boost", "EDL-1.0", "Expat", "GPL", "GPL-1+", "GPL-2", "GPL-2+", "ISC", "LGPL-2", "LGPL-2+", "LGPL-2.1", "LGPL-2.1+", "dlmalloc", "mingw-runtime"], "cpes": ["cpe:2.3:a:git-man:git-man:1:2.30.2-1:*:*:*:*:*:*:*", "cpe:2.3:a:git-man:git_man:1:2.30.2-1:*:*:*:*:*:*:*", "cpe:2.3:a:git_man:git-man:1:2.30.2-1:*:*:*:*:*:*:*", "cpe:2.3:a:git_man:git_man:1:2.30.2-1:*:*:*:*:*:*:*", "cpe:2.3:a:git:git-man:1:2.30.2-1:*:*:*:*:*:*:*", "cpe:2.3:a:git:git_man:1:2.30.2-1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/git-man@1:2.30.2-1?arch=all&upstream=git&distro=debian-11", "upstreams": [{"name": "git"}]}}, {"vulnerability": {"id": "CVE-2018-1000052", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000052", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://github.com/fmtlib/fmt/issues/642", "https://github.com/fmtlib/fmt/commit/8cf30aa2be256eba07bb1cefb998c52326e846e7"], "description": "fmtlib version prior to version 4.1.0 (before commit 0555cea5fc0bf890afe0071a558e44625a34ba85) contains a Memory corruption (SIGSEGV), CWE-134 vulnerability in fmt::print() library function that can result in Denial of Service. This attack appear to be exploitable via Specifying an invalid format specifier in the fmt::print() function results in a SIGSEGV (memory corruption, invalid write). This vulnerability appears to have been fixed in after commit 8cf30aa2be256eba07bb1cefb998c52326e846e7.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "metrics": {"baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}, "vendorMetadata": {}}], "fix": {"versions": [], "state": "unknown"}, "advisories": []}, "relatedVulnerabilities": [], "matchDetails": [{"type": "cpe-match", "matcher": "java-matcher", "searchedBy": {"namespace": "nvd:cpe", "cpes": ["cpe:2.3:a:fmt:fmt:1.0:*:*:*:*:*:*:*"]}, "found": {"versionConstraint": "< 4.1.0 (unknown)", "cpes": ["cpe:2.3:a:fmt:fmt:*:*:*:*:*:*:*:*"]}}], "artifact": {"name": "commons-jelly-tags-fmt", "version": "1.0", "type": "java-archive", "locations": [{"path": "/usr/share/jenkins/jenkins.war", "layerID": "sha256:54f341385349f69f2ce6184ecec3ddcdb997d1d46f2aae35f0a94d5b92a0d3b4"}], "language": "java", "licenses": [], "cpes": ["cpe:2.3:a:apache-software-foundation:commons-jelly-tags-fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache-software-foundation:commons_jelly_tags_fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache_software_foundation:commons-jelly-tags-fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache_software_foundation:commons_jelly_tags_fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons-jelly-tags-fmt:commons-jelly-tags-fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons-jelly-tags-fmt:commons_jelly_tags_fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons_jelly_tags_fmt:commons-jelly-tags-fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons_jelly_tags_fmt:commons_jelly_tags_fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons-jelly-tags:commons-jelly-tags-fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons-jelly-tags:commons_jelly_tags_fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons_jelly_tags:commons-jelly-tags-fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons_jelly_tags:commons_jelly_tags_fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons-jelly:commons-jelly-tags-fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons-jelly:commons_jelly_tags_fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons_jelly:commons-jelly-tags-fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons_jelly:commons_jelly_tags_fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache-software-foundation:commons:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache_software_foundation:commons:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache-software-foundation:jelly:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache_software_foundation:jelly:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache-software-foundation:tags:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache_software_foundation:tags:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache-software-foundation:fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache_software_foundation:fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons-jelly-tags-fmt:commons:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons:commons-jelly-tags-fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons:commons_jelly_tags_fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons_jelly_tags_fmt:commons:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:commons-jelly-tags-fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:commons_jelly_tags_fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons-jelly-tags-fmt:jelly:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons_jelly_tags_fmt:jelly:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:jelly:commons-jelly-tags-fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:jelly:commons_jelly_tags_fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons-jelly-tags-fmt:tags:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons_jelly_tags_fmt:tags:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:tags:commons-jelly-tags-fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:tags:commons_jelly_tags_fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons-jelly-tags-fmt:fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons-jelly-tags:commons:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons_jelly_tags:commons:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons_jelly_tags_fmt:fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:fmt:commons-jelly-tags-fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:fmt:commons_jelly_tags_fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons-jelly-tags:jelly:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons_jelly_tags:jelly:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons-jelly-tags:tags:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons_jelly_tags:tags:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons-jelly-tags:fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons_jelly_tags:fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons-jelly:commons:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons_jelly:commons:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons-jelly:jelly:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons_jelly:jelly:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons-jelly:tags:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons_jelly:tags:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons-jelly:fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons_jelly:fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons:commons:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:commons:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons:jelly:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:jelly:commons:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:jelly:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons:tags:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:tags:commons:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tags:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:commons:fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:fmt:commons:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:jelly:jelly:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:jelly:tags:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:tags:jelly:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:fmt:jelly:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:jelly:fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:tags:tags:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:fmt:tags:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:tags:fmt:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:fmt:fmt:1.0:*:*:*:*:*:*:*"], "purl": "pkg:maven/commons-jelly-tags-fmt/commons-jelly-tags-fmt@1.0", "upstreams": [], "metadataType": "JavaMetadata", "metadata": {"virtualPath": "/usr/share/jenkins/jenkins.war:WEB-INF/lib/commons-jelly-tags-fmt-1.0.jar", "pomArtifactID": "", "pomGroupID": "", "manifestName": "", "archiveDigests": [{"algorithm": "sha1", "value": "2107da38fdd287ab78a4fa65c1300b5ad9999274"}]}}}, {"vulnerability": {"id": "CVE-2018-15919", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-15919", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2018-15919"], "description": "Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2018-15919", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-15919", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["http://seclists.org/oss-sec/2018/q3/180", "http://www.securityfocus.com/bid/105163", "https://security.netapp.com/advisory/ntap-20181221-0001/"], "description": "Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "metrics": {"baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.0", "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "metrics": {"baseScore": 5.3, "exploitabilityScore": 3.9, "impactScore": 1.4}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "openssh", "version": "1:8.4p1-5+deb11u1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "openssh-client", "version": "1:8.4p1-5+deb11u1", "type": "deb", "locations": [{"path": "/usr/share/doc/openssh-client/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/openssh-client.conffiles", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/openssh-client.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["BSD-2-clause", "BSD-3-clause", "Beer-ware", "Expat-with-advertising-restriction", "Mazieres-BSD-style", "OpenSSH", "Powell-BSD-style", "public-domain"], "cpes": ["cpe:2.3:a:openssh-client:openssh-client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh-client:openssh_client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh_client:openssh-client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh_client:openssh_client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh:openssh-client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh:openssh_client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/openssh-client@1:8.4p1-5+deb11u1?arch=arm64&upstream=openssh&distro=debian-11", "upstreams": [{"name": "openssh"}]}}, {"vulnerability": {"id": "CVE-2018-20796", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-20796", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2018-20796"], "description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2018-20796", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-20796", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html", "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141", "http://www.securityfocus.com/bid/107160", "https://security.netapp.com/advisory/ntap-20190315-0002/", "https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp;utm_medium=RSS"], "description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "metrics": {"baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.0", "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "glibc", "version": "2.31-13+deb11u4"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libc-bin", "version": "2.31-13+deb11u4", "type": "deb", "locations": [{"path": "/usr/share/doc/libc-bin/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libc-bin.conffiles", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libc-bin.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2", "LGPL-2.1"], "cpes": ["cpe:2.3:a:libc-bin:libc-bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc-bin:libc_bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc_bin:libc-bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc_bin:libc_bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc:libc-bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc:libc_bin:2.31-13+deb11u4:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libc-bin@2.31-13+deb11u4?arch=arm64&upstream=glibc&distro=debian-11", "upstreams": [{"name": "glibc"}]}}, {"vulnerability": {"id": "CVE-2018-20796", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-20796", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2018-20796"], "description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2018-20796", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-20796", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html", "https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141", "http://www.securityfocus.com/bid/107160", "https://security.netapp.com/advisory/ntap-20190315-0002/", "https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp;utm_medium=RSS"], "description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+' in grep.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "metrics": {"baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.0", "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "glibc", "version": "2.31-13+deb11u4"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libc6", "version": "2.31-13+deb11u4", "type": "deb", "locations": [{"path": "/usr/share/doc/libc6/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libc6:arm64.conffiles", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libc6:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2", "LGPL-2.1"], "cpes": ["cpe:2.3:a:libc6:libc6:2.31-13+deb11u4:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libc6@2.31-13+deb11u4?arch=arm64&upstream=glibc&distro=debian-11", "upstreams": [{"name": "glibc"}]}}, {"vulnerability": {"id": "CVE-2018-5709", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-5709", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2018-5709"], "description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry->n_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2018-5709", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-5709", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow", "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E"], "description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry->n_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "metrics": {"baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.0", "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "krb5", "version": "1.18.3-6+deb11u2"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libgssapi-krb5-2", "version": "1.18.3-6+deb11u2", "type": "deb", "locations": [{"path": "/usr/share/doc/libgssapi-krb5-2/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libgssapi-krb5-2:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2"], "cpes": ["cpe:2.3:a:libgssapi-krb5-2:libgssapi-krb5-2:1.18.3-6+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:libgssapi-krb5-2:libgssapi_krb5_2:1.18.3-6+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:libgssapi_krb5_2:libgssapi-krb5-2:1.18.3-6+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:libgssapi_krb5_2:libgssapi_krb5_2:1.18.3-6+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:libgssapi-krb5:libgssapi-krb5-2:1.18.3-6+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:libgssapi-krb5:libgssapi_krb5_2:1.18.3-6+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:libgssapi_krb5:libgssapi-krb5-2:1.18.3-6+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:libgssapi_krb5:libgssapi_krb5_2:1.18.3-6+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:libgssapi:libgssapi-krb5-2:1.18.3-6+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:libgssapi:libgssapi_krb5_2:1.18.3-6+deb11u2:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libgssapi-krb5-2@1.18.3-6+deb11u2?arch=arm64&upstream=krb5&distro=debian-11", "upstreams": [{"name": "krb5"}]}}, {"vulnerability": {"id": "CVE-2018-5709", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-5709", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2018-5709"], "description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry->n_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2018-5709", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-5709", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow", "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E"], "description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry->n_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "metrics": {"baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.0", "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "krb5", "version": "1.18.3-6+deb11u2"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libk5crypto3", "version": "1.18.3-6+deb11u2", "type": "deb", "locations": [{"path": "/usr/share/doc/libk5crypto3/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libk5crypto3:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2"], "cpes": ["cpe:2.3:a:libk5crypto3:libk5crypto3:1.18.3-6+deb11u2:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libk5crypto3@1.18.3-6+deb11u2?arch=arm64&upstream=krb5&distro=debian-11", "upstreams": [{"name": "krb5"}]}}, {"vulnerability": {"id": "CVE-2018-5709", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-5709", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2018-5709"], "description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry->n_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2018-5709", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-5709", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow", "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E"], "description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry->n_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "metrics": {"baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.0", "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "krb5", "version": "1.18.3-6+deb11u2"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libkrb5-3", "version": "1.18.3-6+deb11u2", "type": "deb", "locations": [{"path": "/usr/share/doc/libkrb5-3/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libkrb5-3:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2"], "cpes": ["cpe:2.3:a:libkrb5-3:libkrb5-3:1.18.3-6+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:libkrb5-3:libkrb5_3:1.18.3-6+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:libkrb5_3:libkrb5-3:1.18.3-6+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:libkrb5_3:libkrb5_3:1.18.3-6+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:libkrb5:libkrb5-3:1.18.3-6+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:libkrb5:libkrb5_3:1.18.3-6+deb11u2:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libkrb5-3@1.18.3-6+deb11u2?arch=arm64&upstream=krb5&distro=debian-11", "upstreams": [{"name": "krb5"}]}}, {"vulnerability": {"id": "CVE-2018-5709", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-5709", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2018-5709"], "description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry->n_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2018-5709", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-5709", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow", "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E"], "description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry->n_key_data\" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "metrics": {"baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.0", "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "krb5", "version": "1.18.3-6+deb11u2"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libkrb5support0", "version": "1.18.3-6+deb11u2", "type": "deb", "locations": [{"path": "/usr/share/doc/libkrb5support0/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libkrb5support0:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2"], "cpes": ["cpe:2.3:a:libkrb5support0:libkrb5support0:1.18.3-6+deb11u2:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libkrb5support0@1.18.3-6+deb11u2?arch=arm64&upstream=krb5&distro=debian-11", "upstreams": [{"name": "krb5"}]}}, {"vulnerability": {"id": "CVE-2018-6829", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-6829", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2018-6829"], "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2018-6829", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-6829", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html", "https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki", "https://github.com/weikengchen/attack-on-libgcrypt-elgamal", "https://www.oracle.com/security-alerts/cpujan2020.html"], "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "metrics": {"baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.0", "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "libgcrypt20", "version": "1.8.7-6"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libgcrypt20", "version": "1.8.7-6", "type": "deb", "locations": [{"path": "/usr/share/doc/libgcrypt20/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libgcrypt20:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2", "LGPL"], "cpes": ["cpe:2.3:a:libgcrypt20:libgcrypt20:1.8.7-6:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libgcrypt20@1.8.7-6?arch=arm64&distro=debian-11", "upstreams": []}}, {"vulnerability": {"id": "CVE-2019-1010022", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2019-1010022", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2019-1010022"], "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\"", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2019-1010022", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010022", "namespace": "nvd:cpe", "severity": "Critical", "urls": ["https://sourceware.org/bugzilla/show_bug.cgi?id=22850", "https://security-tracker.debian.org/tracker/CVE-2019-1010022", "https://ubuntu.com/security/CVE-2019-1010022", "https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3"], "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\"", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "metrics": {"baseScore": 7.5, "exploitabilityScore": 10, "impactScore": 6.4}, "vendorMetadata": {}}, {"version": "3.0", "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 9.8, "exploitabilityScore": 3.9, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "glibc", "version": "2.31-13+deb11u4"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libc-bin", "version": "2.31-13+deb11u4", "type": "deb", "locations": [{"path": "/usr/share/doc/libc-bin/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libc-bin.conffiles", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libc-bin.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2", "LGPL-2.1"], "cpes": ["cpe:2.3:a:libc-bin:libc-bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc-bin:libc_bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc_bin:libc-bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc_bin:libc_bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc:libc-bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc:libc_bin:2.31-13+deb11u4:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libc-bin@2.31-13+deb11u4?arch=arm64&upstream=glibc&distro=debian-11", "upstreams": [{"name": "glibc"}]}}, {"vulnerability": {"id": "CVE-2019-1010022", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2019-1010022", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2019-1010022"], "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\"", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2019-1010022", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010022", "namespace": "nvd:cpe", "severity": "Critical", "urls": ["https://sourceware.org/bugzilla/show_bug.cgi?id=22850", "https://security-tracker.debian.org/tracker/CVE-2019-1010022", "https://ubuntu.com/security/CVE-2019-1010022", "https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c3"], "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\"", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "metrics": {"baseScore": 7.5, "exploitabilityScore": 10, "impactScore": 6.4}, "vendorMetadata": {}}, {"version": "3.0", "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 9.8, "exploitabilityScore": 3.9, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "glibc", "version": "2.31-13+deb11u4"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libc6", "version": "2.31-13+deb11u4", "type": "deb", "locations": [{"path": "/usr/share/doc/libc6/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libc6:arm64.conffiles", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libc6:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2", "LGPL-2.1"], "cpes": ["cpe:2.3:a:libc6:libc6:2.31-13+deb11u4:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libc6@2.31-13+deb11u4?arch=arm64&upstream=glibc&distro=debian-11", "upstreams": [{"name": "glibc"}]}}, {"vulnerability": {"id": "CVE-2019-1010023", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2019-1010023", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2019-1010023"], "description": "** DISPUTED ** GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\"", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2019-1010023", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010023", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://sourceware.org/bugzilla/show_bug.cgi?id=22851", "http://www.securityfocus.com/bid/109167", "https://support.f5.com/csp/article/K11932200?utm_source=f5support&amp;utm_medium=RSS", "https://security-tracker.debian.org/tracker/CVE-2019-1010023", "https://ubuntu.com/security/CVE-2019-1010023"], "description": "** DISPUTED ** GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\"", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "metrics": {"baseScore": 6.8, "exploitabilityScore": 8.6, "impactScore": 6.4}, "vendorMetadata": {}}, {"version": "3.0", "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 8.8, "exploitabilityScore": 2.8, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "glibc", "version": "2.31-13+deb11u4"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libc-bin", "version": "2.31-13+deb11u4", "type": "deb", "locations": [{"path": "/usr/share/doc/libc-bin/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libc-bin.conffiles", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libc-bin.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2", "LGPL-2.1"], "cpes": ["cpe:2.3:a:libc-bin:libc-bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc-bin:libc_bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc_bin:libc-bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc_bin:libc_bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc:libc-bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc:libc_bin:2.31-13+deb11u4:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libc-bin@2.31-13+deb11u4?arch=arm64&upstream=glibc&distro=debian-11", "upstreams": [{"name": "glibc"}]}}, {"vulnerability": {"id": "CVE-2019-1010023", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2019-1010023", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2019-1010023"], "description": "** DISPUTED ** GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\"", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2019-1010023", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010023", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://sourceware.org/bugzilla/show_bug.cgi?id=22851", "http://www.securityfocus.com/bid/109167", "https://support.f5.com/csp/article/K11932200?utm_source=f5support&amp;utm_medium=RSS", "https://security-tracker.debian.org/tracker/CVE-2019-1010023", "https://ubuntu.com/security/CVE-2019-1010023"], "description": "** DISPUTED ** GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\"", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "metrics": {"baseScore": 6.8, "exploitabilityScore": 8.6, "impactScore": 6.4}, "vendorMetadata": {}}, {"version": "3.0", "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 8.8, "exploitabilityScore": 2.8, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "glibc", "version": "2.31-13+deb11u4"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libc6", "version": "2.31-13+deb11u4", "type": "deb", "locations": [{"path": "/usr/share/doc/libc6/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libc6:arm64.conffiles", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libc6:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2", "LGPL-2.1"], "cpes": ["cpe:2.3:a:libc6:libc6:2.31-13+deb11u4:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libc6@2.31-13+deb11u4?arch=arm64&upstream=glibc&distro=debian-11", "upstreams": [{"name": "glibc"}]}}, {"vulnerability": {"id": "CVE-2019-1010024", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2019-1010024", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2019-1010024"], "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\"", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2019-1010024", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010024", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://sourceware.org/bugzilla/show_bug.cgi?id=22852", "http://www.securityfocus.com/bid/109162", "https://support.f5.com/csp/article/K06046097", "https://support.f5.com/csp/article/K06046097?utm_source=f5support&amp;utm_medium=RSS", "https://security-tracker.debian.org/tracker/CVE-2019-1010024", "https://ubuntu.com/security/CVE-2019-1010024"], "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\"", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "metrics": {"baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.0", "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "metrics": {"baseScore": 5.3, "exploitabilityScore": 3.9, "impactScore": 1.4}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "glibc", "version": "2.31-13+deb11u4"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libc-bin", "version": "2.31-13+deb11u4", "type": "deb", "locations": [{"path": "/usr/share/doc/libc-bin/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libc-bin.conffiles", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libc-bin.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2", "LGPL-2.1"], "cpes": ["cpe:2.3:a:libc-bin:libc-bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc-bin:libc_bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc_bin:libc-bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc_bin:libc_bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc:libc-bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc:libc_bin:2.31-13+deb11u4:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libc-bin@2.31-13+deb11u4?arch=arm64&upstream=glibc&distro=debian-11", "upstreams": [{"name": "glibc"}]}}, {"vulnerability": {"id": "CVE-2019-1010024", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2019-1010024", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2019-1010024"], "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\"", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2019-1010024", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010024", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://sourceware.org/bugzilla/show_bug.cgi?id=22852", "http://www.securityfocus.com/bid/109162", "https://support.f5.com/csp/article/K06046097", "https://support.f5.com/csp/article/K06046097?utm_source=f5support&amp;utm_medium=RSS", "https://security-tracker.debian.org/tracker/CVE-2019-1010024", "https://ubuntu.com/security/CVE-2019-1010024"], "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\"", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "metrics": {"baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.0", "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "metrics": {"baseScore": 5.3, "exploitabilityScore": 3.9, "impactScore": 1.4}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "glibc", "version": "2.31-13+deb11u4"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libc6", "version": "2.31-13+deb11u4", "type": "deb", "locations": [{"path": "/usr/share/doc/libc6/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libc6:arm64.conffiles", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libc6:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2", "LGPL-2.1"], "cpes": ["cpe:2.3:a:libc6:libc6:2.31-13+deb11u4:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libc6@2.31-13+deb11u4?arch=arm64&upstream=glibc&distro=debian-11", "upstreams": [{"name": "glibc"}]}}, {"vulnerability": {"id": "CVE-2019-1010025", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2019-1010025", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2019-1010025"], "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.\"", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2019-1010025", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010025", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://sourceware.org/bugzilla/show_bug.cgi?id=22853", "https://support.f5.com/csp/article/K06046097", "https://support.f5.com/csp/article/K06046097?utm_source=f5support&amp;utm_medium=RSS", "https://security-tracker.debian.org/tracker/CVE-2019-1010025", "https://ubuntu.com/security/CVE-2019-1010025"], "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.\"", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "metrics": {"baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.0", "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "metrics": {"baseScore": 5.3, "exploitabilityScore": 3.9, "impactScore": 1.4}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "glibc", "version": "2.31-13+deb11u4"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libc-bin", "version": "2.31-13+deb11u4", "type": "deb", "locations": [{"path": "/usr/share/doc/libc-bin/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libc-bin.conffiles", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libc-bin.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2", "LGPL-2.1"], "cpes": ["cpe:2.3:a:libc-bin:libc-bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc-bin:libc_bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc_bin:libc-bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc_bin:libc_bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc:libc-bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc:libc_bin:2.31-13+deb11u4:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libc-bin@2.31-13+deb11u4?arch=arm64&upstream=glibc&distro=debian-11", "upstreams": [{"name": "glibc"}]}}, {"vulnerability": {"id": "CVE-2019-1010025", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2019-1010025", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2019-1010025"], "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.\"", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2019-1010025", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010025", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://sourceware.org/bugzilla/show_bug.cgi?id=22853", "https://support.f5.com/csp/article/K06046097", "https://support.f5.com/csp/article/K06046097?utm_source=f5support&amp;utm_medium=RSS", "https://security-tracker.debian.org/tracker/CVE-2019-1010025", "https://ubuntu.com/security/CVE-2019-1010025"], "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.\"", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "metrics": {"baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.0", "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "metrics": {"baseScore": 5.3, "exploitabilityScore": 3.9, "impactScore": 1.4}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "glibc", "version": "2.31-13+deb11u4"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libc6", "version": "2.31-13+deb11u4", "type": "deb", "locations": [{"path": "/usr/share/doc/libc6/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libc6:arm64.conffiles", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libc6:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2", "LGPL-2.1"], "cpes": ["cpe:2.3:a:libc6:libc6:2.31-13+deb11u4:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libc6@2.31-13+deb11u4?arch=arm64&upstream=glibc&distro=debian-11", "upstreams": [{"name": "glibc"}]}}, {"vulnerability": {"id": "CVE-2019-19882", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2019-19882", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2019-19882"], "description": "shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2019-19882", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-19882", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://bugs.archlinux.org/task/64836", "https://github.com/shadow-maint/shadow/pull/199", "https://github.com/void-linux/void-packages/pull/17580", "https://bugs.gentoo.org/702252", "https://github.com/shadow-maint/shadow/commit/edf7547ad5aa650be868cf2dac58944773c12d75", "https://security.gentoo.org/glsa/202008-09"], "description": "shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).", "cvss": [{"version": "2.0", "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "metrics": {"baseScore": 6.9, "exploitabilityScore": 3.4, "impactScore": 10}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 7.8, "exploitabilityScore": 1.8, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "shadow", "version": "1:4.8.1-1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "login", "version": "1:4.8.1-1", "type": "deb", "locations": [{"path": "/usr/share/doc/login/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/login.conffiles", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/login.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2"], "cpes": ["cpe:2.3:a:login:login:1:4.8.1-1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/login@1:4.8.1-1?arch=arm64&upstream=shadow&distro=debian-11", "upstreams": [{"name": "shadow"}]}}, {"vulnerability": {"id": "CVE-2019-19882", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2019-19882", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2019-19882"], "description": "shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2019-19882", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-19882", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://bugs.archlinux.org/task/64836", "https://github.com/shadow-maint/shadow/pull/199", "https://github.com/void-linux/void-packages/pull/17580", "https://bugs.gentoo.org/702252", "https://github.com/shadow-maint/shadow/commit/edf7547ad5aa650be868cf2dac58944773c12d75", "https://security.gentoo.org/glsa/202008-09"], "description": "shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).", "cvss": [{"version": "2.0", "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "metrics": {"baseScore": 6.9, "exploitabilityScore": 3.4, "impactScore": 10}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 7.8, "exploitabilityScore": 1.8, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "shadow", "version": "1:4.8.1-1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "passwd", "version": "1:4.8.1-1", "type": "deb", "locations": [{"path": "/usr/share/doc/passwd/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/passwd.conffiles", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/passwd.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2"], "cpes": ["cpe:2.3:a:passwd:passwd:1:4.8.1-1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/passwd@1:4.8.1-1?arch=arm64&upstream=shadow&distro=debian-11", "upstreams": [{"name": "shadow"}]}}, {"vulnerability": {"id": "CVE-2019-20838", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2019-20838", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2019-20838"], "description": "libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \\X or \\R has more than one fixed quantifier, a related issue to CVE-2019-20454.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2019-20838", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-20838", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://bugs.gentoo.org/717920", "https://www.pcre.org/original/changelog.txt", "https://support.apple.com/kb/HT211931", "http://seclists.org/fulldisclosure/2020/Dec/32", "https://support.apple.com/kb/HT212147", "http://seclists.org/fulldisclosure/2021/Feb/14", "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E"], "description": "libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \\X or \\R has more than one fixed quantifier, a related issue to CVE-2019-20454.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "metrics": {"baseScore": 4.3, "exploitabilityScore": 8.6, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "pcre3", "version": "2:8.39-13"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libpcre3", "version": "2:8.39-13", "type": "deb", "locations": [{"path": "/usr/share/doc/libpcre3/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libpcre3:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": [], "cpes": ["cpe:2.3:a:libpcre3:libpcre3:2:8.39-13:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libpcre3@2:8.39-13?arch=arm64&upstream=pcre3&distro=debian-11", "upstreams": [{"name": "pcre3"}]}}, {"vulnerability": {"id": "CVE-2019-6110", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2019-6110", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2019-6110"], "description": "In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2019-6110", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-6110", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt", "https://cvsweb.openbsd.org/src/usr.bin/ssh/scp.c", "https://cvsweb.openbsd.org/src/usr.bin/ssh/progressmeter.c", "https://www.exploit-db.com/exploits/46193/", "https://security.netapp.com/advisory/ntap-20190213-0001/", "https://security.gentoo.org/glsa/201903-16"], "description": "In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "metrics": {"baseScore": 4, "exploitabilityScore": 4.9, "impactScore": 4.9}, "vendorMetadata": {}}, {"version": "3.0", "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "metrics": {"baseScore": 6.8, "exploitabilityScore": 1.6, "impactScore": 5.2}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "openssh", "version": "1:8.4p1-5+deb11u1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "openssh-client", "version": "1:8.4p1-5+deb11u1", "type": "deb", "locations": [{"path": "/usr/share/doc/openssh-client/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/openssh-client.conffiles", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/openssh-client.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["BSD-2-clause", "BSD-3-clause", "Beer-ware", "Expat-with-advertising-restriction", "Mazieres-BSD-style", "OpenSSH", "Powell-BSD-style", "public-domain"], "cpes": ["cpe:2.3:a:openssh-client:openssh-client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh-client:openssh_client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh_client:openssh-client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh_client:openssh_client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh:openssh-client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh:openssh_client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/openssh-client@1:8.4p1-5+deb11u1?arch=arm64&upstream=openssh&distro=debian-11", "upstreams": [{"name": "openssh"}]}}, {"vulnerability": {"id": "CVE-2019-6129", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2019-6129", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2019-6129"], "description": "** DISPUTED ** png_create_info_struct in png.c in libpng 1.6.36 has a memory leak, as demonstrated by pngcp. NOTE: a third party has stated \"I don't think it is libpng's job to free this buffer.\"", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2019-6129", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-6129", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://github.com/glennrp/libpng/issues/269", "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"], "description": "** DISPUTED ** png_create_info_struct in png.c in libpng 1.6.36 has a memory leak, as demonstrated by pngcp. NOTE: a third party has stated \"I don't think it is libpng's job to free this buffer.\"", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "metrics": {"baseScore": 4.3, "exploitabilityScore": 8.6, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.0", "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "metrics": {"baseScore": 6.5, "exploitabilityScore": 2.8, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "libpng1.6", "version": "1.6.37-3"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libpng16-16", "version": "1.6.37-3", "type": "deb", "locations": [{"path": "/usr/share/doc/libpng16-16/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/libpng16-16:arm64.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["Apache-2.0", "BSD-3-clause", "BSD-like-with-advertising-clause", "GPL-2", "GPL-2+", "expat", "libpng"], "cpes": ["cpe:2.3:a:libpng16-16:libpng16-16:1.6.37-3:*:*:*:*:*:*:*", "cpe:2.3:a:libpng16-16:libpng16_16:1.6.37-3:*:*:*:*:*:*:*", "cpe:2.3:a:libpng16_16:libpng16-16:1.6.37-3:*:*:*:*:*:*:*", "cpe:2.3:a:libpng16_16:libpng16_16:1.6.37-3:*:*:*:*:*:*:*", "cpe:2.3:a:libpng16:libpng16-16:1.6.37-3:*:*:*:*:*:*:*", "cpe:2.3:a:libpng16:libpng16_16:1.6.37-3:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libpng16-16@1.6.37-3?arch=arm64&upstream=libpng1.6&distro=debian-11", "upstreams": [{"name": "libpng1.6"}]}}, {"vulnerability": {"id": "CVE-2019-8457", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2019-8457", "namespace": "debian:distro:debian:11", "severity": "Critical", "urls": ["https://security-tracker.debian.org/tracker/CVE-2019-8457"], "description": "SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.", "cvss": [], "fix": {"versions": [], "state": "wont-fix"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2019-8457", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-8457", "namespace": "nvd:cpe", "severity": "Critical", "urls": ["https://www.sqlite.org/src/info/90acdbfce9c08858", "https://www.sqlite.org/releaselog/3_28_0.html", "https://usn.ubuntu.com/4004-1/", "https://usn.ubuntu.com/4004-2/", "https://security.netapp.com/advisory/ntap-20190606-0002/", "https://usn.ubuntu.com/4019-1/", "https://usn.ubuntu.com/4019-2/", "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00074.html", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SJPFGA45DI4F5MCF2OAACGH3HQOF4G3M/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPKYSWCOM3CL66RI76TYVIG6TJ263RXH/", "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", "https://www.oracle.com/security-alerts/cpujan2020.html", "https://www.oracle.com/security-alerts/cpuapr2020.html", "https://www.oracle.com/security-alerts/cpujul2020.html", "https://kc.mcafee.com/corporate/index?page=content&id=SB10365"], "description": "SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "metrics": {"baseScore": 7.5, "exploitabilityScore": 10, "impactScore": 6.4}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 9.8, "exploitabilityScore": 3.9, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "db5.3", "version": "5.3.28+dfsg1-0.8"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libdb5.3", "version": "5.3.28+dfsg1-0.8", "type": "deb", "locations": [{"path": "/usr/share/doc/libdb5.3/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libdb5.3:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": [], "cpes": ["cpe:2.3:a:libdb5.3:libdb5.3:5.3.28+dfsg1-0.8:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libdb5.3@5.3.28+dfsg1-0.8?arch=arm64&upstream=db5.3&distro=debian-11", "upstreams": [{"name": "db5.3"}]}}, {"vulnerability": {"id": "CVE-2019-9192", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2019-9192", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2019-9192"], "description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2019-9192", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-9192", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://sourceware.org/bugzilla/show_bug.cgi?id=24269", "https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp;utm_medium=RSS"], "description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "metrics": {"baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.0", "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "glibc", "version": "2.31-13+deb11u4"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libc-bin", "version": "2.31-13+deb11u4", "type": "deb", "locations": [{"path": "/usr/share/doc/libc-bin/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libc-bin.conffiles", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libc-bin.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2", "LGPL-2.1"], "cpes": ["cpe:2.3:a:libc-bin:libc-bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc-bin:libc_bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc_bin:libc-bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc_bin:libc_bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc:libc-bin:2.31-13+deb11u4:*:*:*:*:*:*:*", "cpe:2.3:a:libc:libc_bin:2.31-13+deb11u4:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libc-bin@2.31-13+deb11u4?arch=arm64&upstream=glibc&distro=debian-11", "upstreams": [{"name": "glibc"}]}}, {"vulnerability": {"id": "CVE-2019-9192", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2019-9192", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2019-9192"], "description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2019-9192", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-9192", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://sourceware.org/bugzilla/show_bug.cgi?id=24269", "https://support.f5.com/csp/article/K26346590?utm_source=f5support&amp;utm_medium=RSS"], "description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\\\1\\\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "metrics": {"baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.0", "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "glibc", "version": "2.31-13+deb11u4"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libc6", "version": "2.31-13+deb11u4", "type": "deb", "locations": [{"path": "/usr/share/doc/libc6/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libc6:arm64.conffiles", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libc6:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2", "LGPL-2.1"], "cpes": ["cpe:2.3:a:libc6:libc6:2.31-13+deb11u4:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libc6@2.31-13+deb11u4?arch=arm64&upstream=glibc&distro=debian-11", "upstreams": [{"name": "glibc"}]}}, {"vulnerability": {"id": "CVE-2020-13529", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2020-13529", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2020-13529"], "description": "An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2020-13529", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-13529", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://talosintelligence.com/vulnerability_reports/TALOS-2020-1142", "https://security.netapp.com/advisory/ntap-20210625-0005/", "https://security.gentoo.org/glsa/202107-48", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/42TMJVNYRY65B4QCJICBYOEIVZV3KUYI/", "http://www.openwall.com/lists/oss-security/2021/08/04/2", "http://www.openwall.com/lists/oss-security/2021/08/17/3", "http://www.openwall.com/lists/oss-security/2021/09/07/3"], "description": "An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.", "cvss": [{"version": "2.0", "vector": "AV:A/AC:M/Au:N/C:N/I:N/A:P", "metrics": {"baseScore": 2.9, "exploitabilityScore": 5.5, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H", "metrics": {"baseScore": 6.1, "exploitabilityScore": 1.6, "impactScore": 4}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "systemd", "version": "247.3-7+deb11u1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libsystemd0", "version": "247.3-7+deb11u1", "type": "deb", "locations": [{"path": "/usr/share/doc/libsystemd0/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libsystemd0:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["CC0-1.0", "Expat", "GPL-2", "GPL-2+", "LGPL-2.1", "LGPL-2.1+", "public-domain"], "cpes": ["cpe:2.3:a:libsystemd0:libsystemd0:247.3-7+deb11u1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libsystemd0@247.3-7+deb11u1?arch=arm64&upstream=systemd&distro=debian-11", "upstreams": [{"name": "systemd"}]}}, {"vulnerability": {"id": "CVE-2020-13529", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2020-13529", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2020-13529"], "description": "An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2020-13529", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-13529", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://talosintelligence.com/vulnerability_reports/TALOS-2020-1142", "https://security.netapp.com/advisory/ntap-20210625-0005/", "https://security.gentoo.org/glsa/202107-48", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/42TMJVNYRY65B4QCJICBYOEIVZV3KUYI/", "http://www.openwall.com/lists/oss-security/2021/08/04/2", "http://www.openwall.com/lists/oss-security/2021/08/17/3", "http://www.openwall.com/lists/oss-security/2021/09/07/3"], "description": "An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.", "cvss": [{"version": "2.0", "vector": "AV:A/AC:M/Au:N/C:N/I:N/A:P", "metrics": {"baseScore": 2.9, "exploitabilityScore": 5.5, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H", "metrics": {"baseScore": 6.1, "exploitabilityScore": 1.6, "impactScore": 4}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "systemd", "version": "247.3-7+deb11u1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libudev1", "version": "247.3-7+deb11u1", "type": "deb", "locations": [{"path": "/usr/share/doc/libudev1/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libudev1:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["CC0-1.0", "Expat", "GPL-2", "GPL-2+", "LGPL-2.1", "LGPL-2.1+", "public-domain"], "cpes": ["cpe:2.3:a:libudev1:libudev1:247.3-7+deb11u1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libudev1@247.3-7+deb11u1?arch=arm64&upstream=systemd&distro=debian-11", "upstreams": [{"name": "systemd"}]}}, {"vulnerability": {"id": "CVE-2020-14145", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2020-14145", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2020-14145"], "description": "The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2020-14145", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-14145", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://github.com/openssh/openssh-portable/compare/V_8_3_P1...V_8_4_P1", "https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-2-ausnutzung-eines-informationslecks-fuer-gezielte-mitm-angriffe-auf-ssh-clients/", "https://security.netapp.com/advisory/ntap-20200709-0004/", "http://www.openwall.com/lists/oss-security/2020/12/02/1", "https://anongit.mindrot.org/openssh.git/commit/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d", "https://github.com/ssh-mitm/ssh-mitm/blob/master/ssh_proxy_server/plugins/session/cve202014145.py", "https://docs.ssh-mitm.at/CVE-2020-14145.html", "https://security.gentoo.org/glsa/202105-35"], "description": "The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "metrics": {"baseScore": 4.3, "exploitabilityScore": 8.6, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": {"baseScore": 5.9, "exploitabilityScore": 2.2, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "openssh", "version": "1:8.4p1-5+deb11u1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "openssh-client", "version": "1:8.4p1-5+deb11u1", "type": "deb", "locations": [{"path": "/usr/share/doc/openssh-client/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/openssh-client.conffiles", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/openssh-client.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["BSD-2-clause", "BSD-3-clause", "Beer-ware", "Expat-with-advertising-restriction", "Mazieres-BSD-style", "OpenSSH", "Powell-BSD-style", "public-domain"], "cpes": ["cpe:2.3:a:openssh-client:openssh-client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh-client:openssh_client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh_client:openssh-client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh_client:openssh_client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh:openssh-client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh:openssh_client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/openssh-client@1:8.4p1-5+deb11u1?arch=arm64&upstream=openssh&distro=debian-11", "upstreams": [{"name": "openssh"}]}}, {"vulnerability": {"id": "CVE-2020-15719", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2020-15719", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2020-15719"], "description": "libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2020-15719", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-15719", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://access.redhat.com/errata/RHBA-2019:3674", "https://bugzilla.redhat.com/show_bug.cgi?id=1740070", "https://bugs.openldap.org/show_bug.cgi?id=9266", "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00033.html", "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00059.html", "https://kc.mcafee.com/corporate/index?page=content&id=SB10365", "https://www.oracle.com/security-alerts/cpuapr2022.html"], "description": "libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "metrics": {"baseScore": 4, "exploitabilityScore": 4.9, "impactScore": 4.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "metrics": {"baseScore": 4.2, "exploitabilityScore": 1.6, "impactScore": 2.5}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "openldap", "version": "2.4.57+dfsg-3+deb11u1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libldap-2.4-2", "version": "2.4.57+dfsg-3+deb11u1", "type": "deb", "locations": [{"path": "/usr/share/doc/libldap-2.4-2/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/libldap-2.4-2:arm64.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": [], "cpes": ["cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap:libldap-2.4-2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:libldap:libldap_2.4_2:2.4.57+dfsg-3+deb11u1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libldap-2.4-2@2.4.57+dfsg-3+deb11u1?arch=arm64&upstream=openldap&distro=debian-11", "upstreams": [{"name": "openldap"}]}}, {"vulnerability": {"id": "CVE-2020-15778", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2020-15778", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2020-15778"], "description": "** DISPUTED ** scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of \"anomalous argument transfers\" because that could \"stand a great chance of breaking existing workflows.\"", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2020-15778", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-15778", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://github.com/cpandya2909/CVE-2020-15778/", "https://www.openssh.com/security.html", "https://security.netapp.com/advisory/ntap-20200731-0007/", "https://news.ycombinator.com/item?id=25005567"], "description": "** DISPUTED ** scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of \"anomalous argument transfers\" because that could \"stand a great chance of breaking existing workflows.\"", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "metrics": {"baseScore": 6.8, "exploitabilityScore": 8.6, "impactScore": 6.4}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 7.8, "exploitabilityScore": 1.8, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "openssh", "version": "1:8.4p1-5+deb11u1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "openssh-client", "version": "1:8.4p1-5+deb11u1", "type": "deb", "locations": [{"path": "/usr/share/doc/openssh-client/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/openssh-client.conffiles", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/openssh-client.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["BSD-2-clause", "BSD-3-clause", "Beer-ware", "Expat-with-advertising-restriction", "Mazieres-BSD-style", "OpenSSH", "Powell-BSD-style", "public-domain"], "cpes": ["cpe:2.3:a:openssh-client:openssh-client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh-client:openssh_client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh_client:openssh-client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh_client:openssh_client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh:openssh-client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh:openssh_client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/openssh-client@1:8.4p1-5+deb11u1?arch=arm64&upstream=openssh&distro=debian-11", "upstreams": [{"name": "openssh"}]}}, {"vulnerability": {"id": "CVE-2020-16156", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2020-16156", "namespace": "debian:distro:debian:11", "severity": "High", "urls": ["https://security-tracker.debian.org/tracker/CVE-2020-16156"], "description": "CPAN 2.28 allows Signature Verification Bypass.", "cvss": [], "fix": {"versions": [], "state": "wont-fix"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2020-16156", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-16156", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://metacpan.org/pod/distribution/CPAN/scripts/cpan", "https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/", "http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SZ32AJIV4RHJMLWLU5QULGKMMIHYOMDC/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SD6RYOJII7HRJ6WVORFNVTYNOFY5JDXN/"], "description": "CPAN 2.28 allows Signature Verification Bypass.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "metrics": {"baseScore": 6.8, "exploitabilityScore": 8.6, "impactScore": 6.4}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 7.8, "exploitabilityScore": 1.8, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "perl", "version": "5.32.1-4+deb11u2"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libperl5.32", "version": "5.32.1-4+deb11u2", "type": "deb", "locations": [{"path": "/usr/share/doc/libperl5.32/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/libperl5.32:arm64.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["Artistic", "Artistic-2", "Artistic-dist", "BSD-3-clause", "BSD-3-clause-GENERIC", "BSD-3-clause-with-weird-numbering", "BSD-4-clause-POWERDOG", "BZIP", "DONT-CHANGE-THE-GPL", "Expat", "GPL-1", "GPL-1+", "GPL-2", "GPL-2+", "GPL-3+-WITH-BISON-EXCEPTION", "HSIEH-BSD", "HSIEH-DERIVATIVE", "LGPL-2.1", "REGCOMP", "REGCOMP,", "RRA-KEEP-THIS-NOTICE", "SDBM-PUBLIC-DOMAIN", "TEXT-TABS", "Unicode", "ZLIB"], "cpes": ["cpe:2.3:a:libperl5.32:libperl5.32:5.32.1-4+deb11u2:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libperl5.32@5.32.1-4+deb11u2?arch=arm64&upstream=perl&distro=debian-11", "upstreams": [{"name": "perl"}]}}, {"vulnerability": {"id": "CVE-2020-16156", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2020-16156", "namespace": "debian:distro:debian:11", "severity": "High", "urls": ["https://security-tracker.debian.org/tracker/CVE-2020-16156"], "description": "CPAN 2.28 allows Signature Verification Bypass.", "cvss": [], "fix": {"versions": [], "state": "wont-fix"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2020-16156", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-16156", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://metacpan.org/pod/distribution/CPAN/scripts/cpan", "https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/", "http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SZ32AJIV4RHJMLWLU5QULGKMMIHYOMDC/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SD6RYOJII7HRJ6WVORFNVTYNOFY5JDXN/"], "description": "CPAN 2.28 allows Signature Verification Bypass.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "metrics": {"baseScore": 6.8, "exploitabilityScore": 8.6, "impactScore": 6.4}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 7.8, "exploitabilityScore": 1.8, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "perl", "version": "5.32.1-4+deb11u2"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "perl", "version": "5.32.1-4+deb11u2", "type": "deb", "locations": [{"path": "/usr/share/doc/perl/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/perl.conffiles", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/perl.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["Artistic", "Artistic-2", "Artistic-dist", "BSD-3-clause", "BSD-3-clause-GENERIC", "BSD-3-clause-with-weird-numbering", "BSD-4-clause-POWERDOG", "BZIP", "DONT-CHANGE-THE-GPL", "Expat", "GPL-1", "GPL-1+", "GPL-2", "GPL-2+", "GPL-3+-WITH-BISON-EXCEPTION", "HSIEH-BSD", "HSIEH-DERIVATIVE", "LGPL-2.1", "REGCOMP", "REGCOMP,", "RRA-KEEP-THIS-NOTICE", "SDBM-PUBLIC-DOMAIN", "TEXT-TABS", "Unicode", "ZLIB"], "cpes": ["cpe:2.3:a:perl:perl:5.32.1-4+deb11u2:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/perl@5.32.1-4+deb11u2?arch=arm64&distro=debian-11", "upstreams": []}}, {"vulnerability": {"id": "CVE-2020-16156", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2020-16156", "namespace": "debian:distro:debian:11", "severity": "High", "urls": ["https://security-tracker.debian.org/tracker/CVE-2020-16156"], "description": "CPAN 2.28 allows Signature Verification Bypass.", "cvss": [], "fix": {"versions": [], "state": "wont-fix"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2020-16156", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-16156", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://metacpan.org/pod/distribution/CPAN/scripts/cpan", "https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/", "http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SZ32AJIV4RHJMLWLU5QULGKMMIHYOMDC/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SD6RYOJII7HRJ6WVORFNVTYNOFY5JDXN/"], "description": "CPAN 2.28 allows Signature Verification Bypass.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "metrics": {"baseScore": 6.8, "exploitabilityScore": 8.6, "impactScore": 6.4}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 7.8, "exploitabilityScore": 1.8, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "perl", "version": "5.32.1-4+deb11u2"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "perl-base", "version": "5.32.1-4+deb11u2", "type": "deb", "locations": [{"path": "/usr/share/doc/perl-base/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/perl-base.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["Artistic", "Artistic-2", "Artistic-dist", "BSD-3-clause", "BSD-3-clause-GENERIC", "BSD-3-clause-with-weird-numbering", "BSD-4-clause-POWERDOG", "BZIP", "DONT-CHANGE-THE-GPL", "Expat", "GPL-1", "GPL-1+", "GPL-2", "GPL-2+", "GPL-3+-WITH-BISON-EXCEPTION", "HSIEH-BSD", "HSIEH-DERIVATIVE", "LGPL-2.1", "REGCOMP", "REGCOMP,", "RRA-KEEP-THIS-NOTICE", "SDBM-PUBLIC-DOMAIN", "TEXT-TABS", "Unicode", "ZLIB"], "cpes": ["cpe:2.3:a:perl-base:perl-base:5.32.1-4+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:perl-base:perl_base:5.32.1-4+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:perl_base:perl-base:5.32.1-4+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:perl_base:perl_base:5.32.1-4+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl-base:5.32.1-4+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl_base:5.32.1-4+deb11u2:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/perl-base@5.32.1-4+deb11u2?arch=arm64&upstream=perl&distro=debian-11", "upstreams": [{"name": "perl"}]}}, {"vulnerability": {"id": "CVE-2020-16156", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2020-16156", "namespace": "debian:distro:debian:11", "severity": "High", "urls": ["https://security-tracker.debian.org/tracker/CVE-2020-16156"], "description": "CPAN 2.28 allows Signature Verification Bypass.", "cvss": [], "fix": {"versions": [], "state": "wont-fix"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2020-16156", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2020-16156", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://metacpan.org/pod/distribution/CPAN/scripts/cpan", "https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/", "http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SZ32AJIV4RHJMLWLU5QULGKMMIHYOMDC/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SD6RYOJII7HRJ6WVORFNVTYNOFY5JDXN/"], "description": "CPAN 2.28 allows Signature Verification Bypass.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "metrics": {"baseScore": 6.8, "exploitabilityScore": 8.6, "impactScore": 6.4}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 7.8, "exploitabilityScore": 1.8, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "perl", "version": "5.32.1-4+deb11u2"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "perl-modules-5.32", "version": "5.32.1-4+deb11u2", "type": "deb", "locations": [{"path": "/usr/share/doc/perl-modules-5.32/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/perl-modules-5.32.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["Artistic", "Artistic-2", "Artistic-dist", "BSD-3-clause", "BSD-3-clause-GENERIC", "BSD-3-clause-with-weird-numbering", "BSD-4-clause-POWERDOG", "BZIP", "DONT-CHANGE-THE-GPL", "Expat", "GPL-1", "GPL-1+", "GPL-2", "GPL-2+", "GPL-3+-WITH-BISON-EXCEPTION", "HSIEH-BSD", "HSIEH-DERIVATIVE", "LGPL-2.1", "REGCOMP", "REGCOMP,", "RRA-KEEP-THIS-NOTICE", "SDBM-PUBLIC-DOMAIN", "TEXT-TABS", "Unicode", "ZLIB"], "cpes": ["cpe:2.3:a:perl-modules-5.32:perl-modules-5.32:5.32.1-4+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:perl-modules-5.32:perl_modules_5.32:5.32.1-4+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:perl_modules_5.32:perl-modules-5.32:5.32.1-4+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:perl_modules_5.32:perl_modules_5.32:5.32.1-4+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:perl-modules:perl-modules-5.32:5.32.1-4+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:perl-modules:perl_modules_5.32:5.32.1-4+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:perl_modules:perl-modules-5.32:5.32.1-4+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:perl_modules:perl_modules_5.32:5.32.1-4+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl-modules-5.32:5.32.1-4+deb11u2:*:*:*:*:*:*:*", "cpe:2.3:a:perl:perl_modules_5.32:5.32.1-4+deb11u2:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/perl-modules-5.32@5.32.1-4+deb11u2?arch=all&upstream=perl&distro=debian-11", "upstreams": [{"name": "perl"}]}}, {"vulnerability": {"id": "CVE-2021-22922", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2021-22922", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2021-22922"], "description": "When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2021-22922", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-22922", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://hackerone.com/reports/1213175", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/", "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E", "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E", "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E", "https://security.netapp.com/advisory/ntap-20210902-0003/", "https://www.oracle.com/security-alerts/cpuoct2021.html", "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"], "description": "When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "metrics": {"baseScore": 4.3, "exploitabilityScore": 8.6, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "metrics": {"baseScore": 6.5, "exploitabilityScore": 2.8, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "curl", "version": "7.74.0-1.3+deb11u3"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "curl", "version": "7.74.0-1.3+deb11u3", "type": "deb", "locations": [{"path": "/usr/share/doc/curl/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/curl.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["BSD-3-Clause", "BSD-4-Clause", "ISC", "curl", "other", "public-domain"], "cpes": ["cpe:2.3:a:curl:curl:7.74.0-1.3+deb11u3:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/curl@7.74.0-1.3+deb11u3?arch=arm64&distro=debian-11", "upstreams": []}}, {"vulnerability": {"id": "CVE-2021-22922", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2021-22922", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2021-22922"], "description": "When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2021-22922", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-22922", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://hackerone.com/reports/1213175", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/", "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E", "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E", "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E", "https://security.netapp.com/advisory/ntap-20210902-0003/", "https://www.oracle.com/security-alerts/cpuoct2021.html", "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"], "description": "When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "metrics": {"baseScore": 4.3, "exploitabilityScore": 8.6, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "metrics": {"baseScore": 6.5, "exploitabilityScore": 2.8, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "curl", "version": "7.74.0-1.3+deb11u3"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libcurl3-gnutls", "version": "7.74.0-1.3+deb11u3", "type": "deb", "locations": [{"path": "/usr/share/doc/libcurl3-gnutls/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/libcurl3-gnutls:arm64.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["BSD-3-Clause", "BSD-4-Clause", "ISC", "curl", "other", "public-domain"], "cpes": ["cpe:2.3:a:libcurl3-gnutls:libcurl3-gnutls:7.74.0-1.3+deb11u3:*:*:*:*:*:*:*", "cpe:2.3:a:libcurl3-gnutls:libcurl3_gnutls:7.74.0-1.3+deb11u3:*:*:*:*:*:*:*", "cpe:2.3:a:libcurl3_gnutls:libcurl3-gnutls:7.74.0-1.3+deb11u3:*:*:*:*:*:*:*", "cpe:2.3:a:libcurl3_gnutls:libcurl3_gnutls:7.74.0-1.3+deb11u3:*:*:*:*:*:*:*", "cpe:2.3:a:libcurl3:libcurl3-gnutls:7.74.0-1.3+deb11u3:*:*:*:*:*:*:*", "cpe:2.3:a:libcurl3:libcurl3_gnutls:7.74.0-1.3+deb11u3:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libcurl3-gnutls@7.74.0-1.3+deb11u3?arch=arm64&upstream=curl&distro=debian-11", "upstreams": [{"name": "curl"}]}}, {"vulnerability": {"id": "CVE-2021-22922", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2021-22922", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2021-22922"], "description": "When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2021-22922", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-22922", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://hackerone.com/reports/1213175", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/", "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E", "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E", "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E", "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E", "https://security.netapp.com/advisory/ntap-20210902-0003/", "https://www.oracle.com/security-alerts/cpuoct2021.html", "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"], "description": "When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "metrics": {"baseScore": 4.3, "exploitabilityScore": 8.6, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "metrics": {"baseScore": 6.5, "exploitabilityScore": 2.8, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "curl", "version": "7.74.0-1.3+deb11u3"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libcurl4", "version": "7.74.0-1.3+deb11u3", "type": "deb", "locations": [{"path": "/usr/share/doc/libcurl4/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/libcurl4:arm64.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["BSD-3-Clause", "BSD-4-Clause", "ISC", "curl", "other", "public-domain"], "cpes": ["cpe:2.3:a:libcurl4:libcurl4:7.74.0-1.3+deb11u3:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libcurl4@7.74.0-1.3+deb11u3?arch=arm64&upstream=curl&distro=debian-11", "upstreams": [{"name": "curl"}]}}, {"vulnerability": {"id": "CVE-2021-22923", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2021-22923", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2021-22923"], "description": "When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2021-22923", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-22923", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://hackerone.com/reports/1213181", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/", "https://security.netapp.com/advisory/ntap-20210902-0003/", "https://www.oracle.com/security-alerts/cpuoct2021.html", "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"], "description": "When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "metrics": {"baseScore": 2.6, "exploitabilityScore": 4.9, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "metrics": {"baseScore": 5.3, "exploitabilityScore": 1.6, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "curl", "version": "7.74.0-1.3+deb11u3"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "curl", "version": "7.74.0-1.3+deb11u3", "type": "deb", "locations": [{"path": "/usr/share/doc/curl/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/curl.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["BSD-3-Clause", "BSD-4-Clause", "ISC", "curl", "other", "public-domain"], "cpes": ["cpe:2.3:a:curl:curl:7.74.0-1.3+deb11u3:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/curl@7.74.0-1.3+deb11u3?arch=arm64&distro=debian-11", "upstreams": []}}, {"vulnerability": {"id": "CVE-2021-22923", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2021-22923", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2021-22923"], "description": "When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2021-22923", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-22923", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://hackerone.com/reports/1213181", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/", "https://security.netapp.com/advisory/ntap-20210902-0003/", "https://www.oracle.com/security-alerts/cpuoct2021.html", "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"], "description": "When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "metrics": {"baseScore": 2.6, "exploitabilityScore": 4.9, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "metrics": {"baseScore": 5.3, "exploitabilityScore": 1.6, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "curl", "version": "7.74.0-1.3+deb11u3"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libcurl3-gnutls", "version": "7.74.0-1.3+deb11u3", "type": "deb", "locations": [{"path": "/usr/share/doc/libcurl3-gnutls/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/libcurl3-gnutls:arm64.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["BSD-3-Clause", "BSD-4-Clause", "ISC", "curl", "other", "public-domain"], "cpes": ["cpe:2.3:a:libcurl3-gnutls:libcurl3-gnutls:7.74.0-1.3+deb11u3:*:*:*:*:*:*:*", "cpe:2.3:a:libcurl3-gnutls:libcurl3_gnutls:7.74.0-1.3+deb11u3:*:*:*:*:*:*:*", "cpe:2.3:a:libcurl3_gnutls:libcurl3-gnutls:7.74.0-1.3+deb11u3:*:*:*:*:*:*:*", "cpe:2.3:a:libcurl3_gnutls:libcurl3_gnutls:7.74.0-1.3+deb11u3:*:*:*:*:*:*:*", "cpe:2.3:a:libcurl3:libcurl3-gnutls:7.74.0-1.3+deb11u3:*:*:*:*:*:*:*", "cpe:2.3:a:libcurl3:libcurl3_gnutls:7.74.0-1.3+deb11u3:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libcurl3-gnutls@7.74.0-1.3+deb11u3?arch=arm64&upstream=curl&distro=debian-11", "upstreams": [{"name": "curl"}]}}, {"vulnerability": {"id": "CVE-2021-22923", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2021-22923", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2021-22923"], "description": "When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2021-22923", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-22923", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://hackerone.com/reports/1213181", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/", "https://security.netapp.com/advisory/ntap-20210902-0003/", "https://www.oracle.com/security-alerts/cpuoct2021.html", "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"], "description": "When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "metrics": {"baseScore": 2.6, "exploitabilityScore": 4.9, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "metrics": {"baseScore": 5.3, "exploitabilityScore": 1.6, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "curl", "version": "7.74.0-1.3+deb11u3"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libcurl4", "version": "7.74.0-1.3+deb11u3", "type": "deb", "locations": [{"path": "/usr/share/doc/libcurl4/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/libcurl4:arm64.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["BSD-3-Clause", "BSD-4-Clause", "ISC", "curl", "other", "public-domain"], "cpes": ["cpe:2.3:a:libcurl4:libcurl4:7.74.0-1.3+deb11u3:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libcurl4@7.74.0-1.3+deb11u3?arch=arm64&upstream=curl&distro=debian-11", "upstreams": [{"name": "curl"}]}}, {"vulnerability": {"id": "CVE-2021-33560", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2021-33560", "namespace": "debian:distro:debian:11", "severity": "High", "urls": ["https://security-tracker.debian.org/tracker/CVE-2021-33560"], "description": "Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.", "cvss": [], "fix": {"versions": [], "state": "wont-fix"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2021-33560", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-33560", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://dev.gnupg.org/T5466", "https://dev.gnupg.org/rCe8b7f10be275bcedb5fc05ed4837a89bfd605c61", "https://dev.gnupg.org/T5305", "https://dev.gnupg.org/T5328", "https://lists.debian.org/debian-lts-announce/2021/06/msg00021.html", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R7OAPCUGPF3VLA7QAJUQSL255D4ITVTL/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BKKTOIGFW2SGN3DO2UHHVZ7MJSYN4AAB/", "https://www.oracle.com/security-alerts/cpuoct2021.html", "https://www.oracle.com/security-alerts/cpujan2022.html", "https://www.oracle.com/security-alerts/cpuapr2022.html", "https://www.oracle.com/security-alerts/cpujul2022.html"], "description": "Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "metrics": {"baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "libgcrypt20", "version": "1.8.7-6"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libgcrypt20", "version": "1.8.7-6", "type": "deb", "locations": [{"path": "/usr/share/doc/libgcrypt20/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libgcrypt20:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2", "LGPL"], "cpes": ["cpe:2.3:a:libgcrypt20:libgcrypt20:1.8.7-6:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libgcrypt20@1.8.7-6?arch=arm64&distro=debian-11", "upstreams": []}}, {"vulnerability": {"id": "CVE-2021-36084", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2021-36084", "namespace": "debian:distro:debian:11", "severity": "Low", "urls": ["https://security-tracker.debian.org/tracker/CVE-2021-36084"], "description": "The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __cil_verify_classpermission and __cil_pre_verify_helper).", "cvss": [], "fix": {"versions": [], "state": "wont-fix"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2021-36084", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-36084", "namespace": "nvd:cpe", "severity": "Low", "urls": ["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31065", "https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-417.yaml", "https://github.com/SELinuxProject/selinux/commit/f34d3d30c8325e4847a6b696fe7a3936a8a361f3", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U7ZYR3PIJ75N6U2IONJWCKZ5L2NKJTGR/"], "description": "The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __cil_verify_classpermission and __cil_pre_verify_helper).", "cvss": [{"version": "2.0", "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "metrics": {"baseScore": 2.1, "exploitabilityScore": 3.9, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "metrics": {"baseScore": 3.3, "exploitabilityScore": 1.8, "impactScore": 1.4}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "libsepol", "version": "3.1-1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libsepol1", "version": "3.1-1", "type": "deb", "locations": [{"path": "/usr/share/doc/libsepol1/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libsepol1:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL", "LGPL"], "cpes": ["cpe:2.3:a:libsepol1:libsepol1:3.1-1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libsepol1@3.1-1?arch=arm64&upstream=libsepol&distro=debian-11", "upstreams": [{"name": "libsepol"}]}}, {"vulnerability": {"id": "CVE-2021-36085", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2021-36085", "namespace": "debian:distro:debian:11", "severity": "Low", "urls": ["https://security-tracker.debian.org/tracker/CVE-2021-36085"], "description": "The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __verify_map_perm_classperms and hashtab_map).", "cvss": [], "fix": {"versions": [], "state": "wont-fix"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2021-36085", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-36085", "namespace": "nvd:cpe", "severity": "Low", "urls": ["https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-421.yaml", "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31124", "https://github.com/SELinuxProject/selinux/commit/2d35fcc7e9e976a2346b1de20e54f8663e8a6cba", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U7ZYR3PIJ75N6U2IONJWCKZ5L2NKJTGR/"], "description": "The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __verify_map_perm_classperms and hashtab_map).", "cvss": [{"version": "2.0", "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "metrics": {"baseScore": 2.1, "exploitabilityScore": 3.9, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": {"baseScore": 3.3, "exploitabilityScore": 1.8, "impactScore": 1.4}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "libsepol", "version": "3.1-1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libsepol1", "version": "3.1-1", "type": "deb", "locations": [{"path": "/usr/share/doc/libsepol1/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libsepol1:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL", "LGPL"], "cpes": ["cpe:2.3:a:libsepol1:libsepol1:3.1-1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libsepol1@3.1-1?arch=arm64&upstream=libsepol&distro=debian-11", "upstreams": [{"name": "libsepol"}]}}, {"vulnerability": {"id": "CVE-2021-36086", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2021-36086", "namespace": "debian:distro:debian:11", "severity": "Low", "urls": ["https://security-tracker.debian.org/tracker/CVE-2021-36086"], "description": "The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list).", "cvss": [], "fix": {"versions": [], "state": "wont-fix"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2021-36086", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-36086", "namespace": "nvd:cpe", "severity": "Low", "urls": ["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32177", "https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-536.yaml", "https://github.com/SELinuxProject/selinux/commit/c49a8ea09501ad66e799ea41b8154b6770fec2c8", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U7ZYR3PIJ75N6U2IONJWCKZ5L2NKJTGR/"], "description": "The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list).", "cvss": [{"version": "2.0", "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "metrics": {"baseScore": 2.1, "exploitabilityScore": 3.9, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": {"baseScore": 3.3, "exploitabilityScore": 1.8, "impactScore": 1.4}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "libsepol", "version": "3.1-1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libsepol1", "version": "3.1-1", "type": "deb", "locations": [{"path": "/usr/share/doc/libsepol1/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libsepol1:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL", "LGPL"], "cpes": ["cpe:2.3:a:libsepol1:libsepol1:3.1-1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libsepol1@3.1-1?arch=arm64&upstream=libsepol&distro=debian-11", "upstreams": [{"name": "libsepol"}]}}, {"vulnerability": {"id": "CVE-2021-36087", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2021-36087", "namespace": "debian:distro:debian:11", "severity": "Low", "urls": ["https://security-tracker.debian.org/tracker/CVE-2021-36087"], "description": "The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called indirectly from cil_check_neverallow). This occurs because there is sometimes a lack of checks for invalid statements in an optional block.", "cvss": [], "fix": {"versions": [], "state": "wont-fix"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2021-36087", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-36087", "namespace": "nvd:cpe", "severity": "Low", "urls": ["https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-585.yaml", "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32675", "https://lore.kernel.org/selinux/CAEN2sdqJKHvDzPnxS-J8grU8fSf32DDtx=kyh84OsCq_Vm+yaQ@mail.gmail.com/T/", "https://github.com/SELinuxProject/selinux/commit/340f0eb7f3673e8aacaf0a96cbfcd4d12a405521", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U7ZYR3PIJ75N6U2IONJWCKZ5L2NKJTGR/"], "description": "The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called indirectly from cil_check_neverallow). This occurs because there is sometimes a lack of checks for invalid statements in an optional block.", "cvss": [{"version": "2.0", "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "metrics": {"baseScore": 2.1, "exploitabilityScore": 3.9, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": {"baseScore": 3.3, "exploitabilityScore": 1.8, "impactScore": 1.4}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "libsepol", "version": "3.1-1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libsepol1", "version": "3.1-1", "type": "deb", "locations": [{"path": "/usr/share/doc/libsepol1/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libsepol1:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL", "LGPL"], "cpes": ["cpe:2.3:a:libsepol1:libsepol1:3.1-1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libsepol1@3.1-1?arch=arm64&upstream=libsepol&distro=debian-11", "upstreams": [{"name": "libsepol"}]}}, {"vulnerability": {"id": "CVE-2021-36368", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2021-36368", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2021-36368"], "description": "** DISPUTED ** An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose, and an attacker has silently modified the server to support the None authentication option, then the user cannot determine whether FIDO authentication is going to confirm that the user wishes to connect to that server, or that the user wishes to allow that server to connect to a different server on the user's behalf. NOTE: the vendor's position is \"this is not an authentication bypass, since nothing is being bypassed.\"", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2021-36368", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-36368", "namespace": "nvd:cpe", "severity": "Low", "urls": ["https://github.com/openssh/openssh-portable/pull/258", "https://docs.ssh-mitm.at/trivialauth.html", "https://bugzilla.mindrot.org/show_bug.cgi?id=3316", "https://www.openssh.com/security.html", "https://security-tracker.debian.org/tracker/CVE-2021-36368"], "description": "** DISPUTED ** An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose, and an attacker has silently modified the server to support the None authentication option, then the user cannot determine whether FIDO authentication is going to confirm that the user wishes to connect to that server, or that the user wishes to allow that server to connect to a different server on the user's behalf. NOTE: the vendor's position is \"this is not an authentication bypass, since nothing is being bypassed.\"", "cvss": [{"version": "2.0", "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "metrics": {"baseScore": 2.6, "exploitabilityScore": 4.9, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "metrics": {"baseScore": 3.7, "exploitabilityScore": 2.2, "impactScore": 1.4}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "openssh", "version": "1:8.4p1-5+deb11u1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "openssh-client", "version": "1:8.4p1-5+deb11u1", "type": "deb", "locations": [{"path": "/usr/share/doc/openssh-client/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/openssh-client.conffiles", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/openssh-client.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["BSD-2-clause", "BSD-3-clause", "Beer-ware", "Expat-with-advertising-restriction", "Mazieres-BSD-style", "OpenSSH", "Powell-BSD-style", "public-domain"], "cpes": ["cpe:2.3:a:openssh-client:openssh-client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh-client:openssh_client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh_client:openssh-client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh_client:openssh_client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh:openssh-client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh:openssh_client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/openssh-client@1:8.4p1-5+deb11u1?arch=arm64&upstream=openssh&distro=debian-11", "upstreams": [{"name": "openssh"}]}}, {"vulnerability": {"id": "CVE-2021-36690", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2021-36690", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2021-36690"], "description": "** DISPUTED ** A segmentation fault can occur in the sqlite3.exe command-line component of SQLite 3.36.0 via the idxGetTableInfo function when there is a crafted SQL query. NOTE: the vendor disputes the relevance of this report because a sqlite3.exe user already has full privileges (e.g., is intentionally allowed to execute commands). This report does NOT imply any problem in the SQLite library.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2021-36690", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-36690", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://www.sqlite.org/forum/forumpost/718c0a8d17", "https://www.oracle.com/security-alerts/cpujan2022.html"], "description": "** DISPUTED ** A segmentation fault can occur in the sqlite3.exe command-line component of SQLite 3.36.0 via the idxGetTableInfo function when there is a crafted SQL query. NOTE: the vendor disputes the relevance of this report because a sqlite3.exe user already has full privileges (e.g., is intentionally allowed to execute commands). This report does NOT imply any problem in the SQLite library.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "metrics": {"baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "sqlite3", "version": "3.34.1-3"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libsqlite3-0", "version": "3.34.1-3", "type": "deb", "locations": [{"path": "/usr/share/doc/libsqlite3-0/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/libsqlite3-0:arm64.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2", "GPL-2+", "public-domain"], "cpes": ["cpe:2.3:a:libsqlite3-0:libsqlite3-0:3.34.1-3:*:*:*:*:*:*:*", "cpe:2.3:a:libsqlite3-0:libsqlite3_0:3.34.1-3:*:*:*:*:*:*:*", "cpe:2.3:a:libsqlite3_0:libsqlite3-0:3.34.1-3:*:*:*:*:*:*:*", "cpe:2.3:a:libsqlite3_0:libsqlite3_0:3.34.1-3:*:*:*:*:*:*:*", "cpe:2.3:a:libsqlite3:libsqlite3-0:3.34.1-3:*:*:*:*:*:*:*", "cpe:2.3:a:libsqlite3:libsqlite3_0:3.34.1-3:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libsqlite3-0@3.34.1-3?arch=arm64&upstream=sqlite3&distro=debian-11", "upstreams": [{"name": "sqlite3"}]}}, {"vulnerability": {"id": "CVE-2021-39537", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2021-39537", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2021-39537"], "description": "An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2021-39537", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-39537", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://lists.gnu.org/archive/html/bug-ncurses/2020-08/msg00006.html", "https://lists.gnu.org/archive/html/bug-ncurses/2021-10/msg00023.html", "http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/devel/ncurses/patches/patch-ncurses_tinfo_captoinfo.c?rev=1.1&content-type=text/x-cvsweb-markup"], "description": "An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "metrics": {"baseScore": 6.8, "exploitabilityScore": 8.6, "impactScore": 6.4}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 8.8, "exploitabilityScore": 2.8, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "ncurses", "version": "6.2+20201114-2"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libncursesw6", "version": "6.2+20201114-2", "type": "deb", "locations": [{"path": "/usr/share/doc/libtinfo6/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libncursesw6:arm64.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["BSD-3-clause", "MIT/X11", "X11"], "cpes": ["cpe:2.3:a:libncursesw6:libncursesw6:6.2+20201114-2:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libncursesw6@6.2+20201114-2?arch=arm64&upstream=ncurses&distro=debian-11", "upstreams": [{"name": "ncurses"}]}}, {"vulnerability": {"id": "CVE-2021-39537", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2021-39537", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2021-39537"], "description": "An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2021-39537", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-39537", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://lists.gnu.org/archive/html/bug-ncurses/2020-08/msg00006.html", "https://lists.gnu.org/archive/html/bug-ncurses/2021-10/msg00023.html", "http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/devel/ncurses/patches/patch-ncurses_tinfo_captoinfo.c?rev=1.1&content-type=text/x-cvsweb-markup"], "description": "An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "metrics": {"baseScore": 6.8, "exploitabilityScore": 8.6, "impactScore": 6.4}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 8.8, "exploitabilityScore": 2.8, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "ncurses", "version": "6.2+20201114-2"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libtinfo6", "version": "6.2+20201114-2", "type": "deb", "locations": [{"path": "/usr/share/doc/libtinfo6/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libtinfo6:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["BSD-3-clause", "MIT/X11", "X11"], "cpes": ["cpe:2.3:a:libtinfo6:libtinfo6:6.2+20201114-2:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libtinfo6@6.2+20201114-2?arch=arm64&upstream=ncurses&distro=debian-11", "upstreams": [{"name": "ncurses"}]}}, {"vulnerability": {"id": "CVE-2021-39537", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2021-39537", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2021-39537"], "description": "An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2021-39537", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-39537", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://lists.gnu.org/archive/html/bug-ncurses/2020-08/msg00006.html", "https://lists.gnu.org/archive/html/bug-ncurses/2021-10/msg00023.html", "http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/devel/ncurses/patches/patch-ncurses_tinfo_captoinfo.c?rev=1.1&content-type=text/x-cvsweb-markup"], "description": "An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "metrics": {"baseScore": 6.8, "exploitabilityScore": 8.6, "impactScore": 6.4}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 8.8, "exploitabilityScore": 2.8, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "ncurses", "version": "6.2+20201114-2"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "ncurses-base", "version": "6.2+20201114-2", "type": "deb", "locations": [{"path": "/usr/share/doc/ncurses-base/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/ncurses-base.conffiles", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/ncurses-base.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["BSD-3-clause", "MIT/X11", "X11"], "cpes": ["cpe:2.3:a:ncurses-base:ncurses-base:6.2+20201114-2:*:*:*:*:*:*:*", "cpe:2.3:a:ncurses-base:ncurses_base:6.2+20201114-2:*:*:*:*:*:*:*", "cpe:2.3:a:ncurses_base:ncurses-base:6.2+20201114-2:*:*:*:*:*:*:*", "cpe:2.3:a:ncurses_base:ncurses_base:6.2+20201114-2:*:*:*:*:*:*:*", "cpe:2.3:a:ncurses:ncurses-base:6.2+20201114-2:*:*:*:*:*:*:*", "cpe:2.3:a:ncurses:ncurses_base:6.2+20201114-2:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/ncurses-base@6.2+20201114-2?arch=all&upstream=ncurses&distro=debian-11", "upstreams": [{"name": "ncurses"}]}}, {"vulnerability": {"id": "CVE-2021-39537", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2021-39537", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2021-39537"], "description": "An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2021-39537", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-39537", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://lists.gnu.org/archive/html/bug-ncurses/2020-08/msg00006.html", "https://lists.gnu.org/archive/html/bug-ncurses/2021-10/msg00023.html", "http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/devel/ncurses/patches/patch-ncurses_tinfo_captoinfo.c?rev=1.1&content-type=text/x-cvsweb-markup"], "description": "An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "metrics": {"baseScore": 6.8, "exploitabilityScore": 8.6, "impactScore": 6.4}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 8.8, "exploitabilityScore": 2.8, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "ncurses", "version": "6.2+20201114-2"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "ncurses-bin", "version": "6.2+20201114-2", "type": "deb", "locations": [{"path": "/usr/share/doc/ncurses-bin/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/ncurses-bin.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["BSD-3-clause", "MIT/X11", "X11"], "cpes": ["cpe:2.3:a:ncurses-bin:ncurses-bin:6.2+20201114-2:*:*:*:*:*:*:*", "cpe:2.3:a:ncurses-bin:ncurses_bin:6.2+20201114-2:*:*:*:*:*:*:*", "cpe:2.3:a:ncurses_bin:ncurses-bin:6.2+20201114-2:*:*:*:*:*:*:*", "cpe:2.3:a:ncurses_bin:ncurses_bin:6.2+20201114-2:*:*:*:*:*:*:*", "cpe:2.3:a:ncurses:ncurses-bin:6.2+20201114-2:*:*:*:*:*:*:*", "cpe:2.3:a:ncurses:ncurses_bin:6.2+20201114-2:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/ncurses-bin@6.2+20201114-2?arch=arm64&upstream=ncurses&distro=debian-11", "upstreams": [{"name": "ncurses"}]}}, {"vulnerability": {"id": "CVE-2021-41617", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2021-41617", "namespace": "debian:distro:debian:11", "severity": "High", "urls": ["https://security-tracker.debian.org/tracker/CVE-2021-41617"], "description": "sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user.", "cvss": [], "fix": {"versions": [], "state": "wont-fix"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2021-41617", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-41617", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://www.openwall.com/lists/oss-security/2021/09/26/1", "https://www.openssh.com/txt/release-8.8", "https://www.openssh.com/security.html", "https://bugzilla.suse.com/show_bug.cgi?id=1190975", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6XJIONMHMKZDTMH6BQR5TNLF2WDCGWED/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W44V2PFQH5YLRN6ZJTVRKAD7CU6CYYET/", "https://security.netapp.com/advisory/ntap-20211014-0004/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KVI7RWM2JLNMWTOFK6BDUSGNOIPZYPUT/", "https://www.oracle.com/security-alerts/cpuapr2022.html", "https://www.oracle.com/security-alerts/cpujul2022.html"], "description": "sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user.", "cvss": [{"version": "2.0", "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "metrics": {"baseScore": 4.4, "exploitabilityScore": 3.4, "impactScore": 6.4}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 7, "exploitabilityScore": 1, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "openssh", "version": "1:8.4p1-5+deb11u1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "openssh-client", "version": "1:8.4p1-5+deb11u1", "type": "deb", "locations": [{"path": "/usr/share/doc/openssh-client/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/openssh-client.conffiles", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/openssh-client.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["BSD-2-clause", "BSD-3-clause", "Beer-ware", "Expat-with-advertising-restriction", "Mazieres-BSD-style", "OpenSSH", "Powell-BSD-style", "public-domain"], "cpes": ["cpe:2.3:a:openssh-client:openssh-client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh-client:openssh_client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh_client:openssh-client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh_client:openssh_client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh:openssh-client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:openssh:openssh_client:1:8.4p1-5+deb11u1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/openssh-client@1:8.4p1-5+deb11u1?arch=arm64&upstream=openssh&distro=debian-11", "upstreams": [{"name": "openssh"}]}}, {"vulnerability": {"id": "CVE-2021-4214", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2021-4214", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2021-4214"], "description": "A heap overflow flaw was found in libpngs' pngimage.c program. This flaw allows an attacker with local network access to pass a specially crafted PNG file to the pngimage utility, causing an application to crash, leading to a denial of service.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2021-4214", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-4214", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://bugzilla.redhat.com/show_bug.cgi?id=2043393", "https://access.redhat.com/security/cve/CVE-2021-4214", "https://security-tracker.debian.org/tracker/CVE-2021-4214", "https://github.com/glennrp/libpng/issues/302"], "description": "A heap overflow flaw was found in libpngs' pngimage.c program. This flaw allows an attacker with local network access to pass a specially crafted PNG file to the pngimage utility, causing an application to crash, leading to a denial of service.", "cvss": [{"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "metrics": {"baseScore": 5.5, "exploitabilityScore": 1.8, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "libpng1.6", "version": "1.6.37-3"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libpng16-16", "version": "1.6.37-3", "type": "deb", "locations": [{"path": "/usr/share/doc/libpng16-16/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/libpng16-16:arm64.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["Apache-2.0", "BSD-3-clause", "BSD-like-with-advertising-clause", "GPL-2", "GPL-2+", "expat", "libpng"], "cpes": ["cpe:2.3:a:libpng16-16:libpng16-16:1.6.37-3:*:*:*:*:*:*:*", "cpe:2.3:a:libpng16-16:libpng16_16:1.6.37-3:*:*:*:*:*:*:*", "cpe:2.3:a:libpng16_16:libpng16-16:1.6.37-3:*:*:*:*:*:*:*", "cpe:2.3:a:libpng16_16:libpng16_16:1.6.37-3:*:*:*:*:*:*:*", "cpe:2.3:a:libpng16:libpng16-16:1.6.37-3:*:*:*:*:*:*:*", "cpe:2.3:a:libpng16:libpng16_16:1.6.37-3:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libpng16-16@1.6.37-3?arch=arm64&upstream=libpng1.6&distro=debian-11", "upstreams": [{"name": "libpng1.6"}]}}, {"vulnerability": {"id": "CVE-2021-4217", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2021-4217", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2021-4217"], "description": "A flaw was found in unzip. The vulnerability occurs due to improper handling of Unicode strings, which can lead to a null pointer dereference. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2021-4217", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-4217", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077", "https://bugzilla.redhat.com/show_bug.cgi?id=2044583", "https://access.redhat.com/security/cve/CVE-2021-4217"], "description": "A flaw was found in unzip. The vulnerability occurs due to improper handling of Unicode strings, which can lead to a null pointer dereference. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.", "cvss": [{"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 7.8, "exploitabilityScore": 1.8, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "unzip", "version": "6.0-26+deb11u1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "unzip", "version": "6.0-26+deb11u1", "type": "deb", "locations": [{"path": "/usr/share/doc/unzip/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/unzip.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": [], "cpes": ["cpe:2.3:a:unzip:unzip:6.0-26+deb11u1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/unzip@6.0-26+deb11u1?arch=arm64&distro=debian-11", "upstreams": []}}, {"vulnerability": {"id": "CVE-2021-45346", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2021-45346", "namespace": "debian:distro:debian:11", "severity": "Medium", "urls": ["https://security-tracker.debian.org/tracker/CVE-2021-45346"], "description": "A Memory Leak vulnerabilty exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicous user obtain sensitive information..", "cvss": [], "fix": {"versions": [], "state": "wont-fix"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2021-45346", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-45346", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://github.com/guyinatuxedo/sqlite3_record_leaking", "https://security.netapp.com/advisory/ntap-20220303-0001/", "https://sqlite.org/forum/forumpost/53de8864ba114bf6"], "description": "A Memory Leak vulnerabilty exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicous user obtain sensitive information..", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "metrics": {"baseScore": 4, "exploitabilityScore": 8, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "metrics": {"baseScore": 6.5, "exploitabilityScore": 2.8, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "sqlite3", "version": "3.34.1-3"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libsqlite3-0", "version": "3.34.1-3", "type": "deb", "locations": [{"path": "/usr/share/doc/libsqlite3-0/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/libsqlite3-0:arm64.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2", "GPL-2+", "public-domain"], "cpes": ["cpe:2.3:a:libsqlite3-0:libsqlite3-0:3.34.1-3:*:*:*:*:*:*:*", "cpe:2.3:a:libsqlite3-0:libsqlite3_0:3.34.1-3:*:*:*:*:*:*:*", "cpe:2.3:a:libsqlite3_0:libsqlite3-0:3.34.1-3:*:*:*:*:*:*:*", "cpe:2.3:a:libsqlite3_0:libsqlite3_0:3.34.1-3:*:*:*:*:*:*:*", "cpe:2.3:a:libsqlite3:libsqlite3-0:3.34.1-3:*:*:*:*:*:*:*", "cpe:2.3:a:libsqlite3:libsqlite3_0:3.34.1-3:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libsqlite3-0@3.34.1-3?arch=arm64&upstream=sqlite3&distro=debian-11", "upstreams": [{"name": "sqlite3"}]}}, {"vulnerability": {"id": "CVE-2022-0563", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2022-0563", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2022-0563"], "description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-0563", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-0563", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u", "https://security.netapp.com/advisory/ntap-20220331-0002/"], "description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", "cvss": [{"version": "2.0", "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "metrics": {"baseScore": 1.9, "exploitabilityScore": 3.4, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "metrics": {"baseScore": 5.5, "exploitabilityScore": 1.8, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "util-linux", "version": "2.36.1-8+deb11u1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "bsdutils", "version": "1:2.36.1-8+deb11u1", "type": "deb", "locations": [{"path": "/usr/share/doc/bsdutils/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/bsdutils.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["BSD-2-clause", "BSD-3-clause", "BSD-4-clause", "GPL-2", "GPL-2+", "GPL-3", "GPL-3+", "LGPL", "LGPL-2", "LGPL-2+", "LGPL-2.1", "LGPL-2.1+", "LGPL-3", "LGPL-3+", "MIT", "public-domain"], "cpes": ["cpe:2.3:a:bsdutils:bsdutils:1:2.36.1-8+deb11u1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/bsdutils@1:2.36.1-8+deb11u1?arch=arm64&upstream=util-linux%402.36.1-8+deb11u1&distro=debian-11", "upstreams": [{"name": "util-linux", "version": "2.36.1-8+deb11u1"}]}}, {"vulnerability": {"id": "CVE-2022-0563", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2022-0563", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2022-0563"], "description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-0563", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-0563", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u", "https://security.netapp.com/advisory/ntap-20220331-0002/"], "description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", "cvss": [{"version": "2.0", "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "metrics": {"baseScore": 1.9, "exploitabilityScore": 3.4, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "metrics": {"baseScore": 5.5, "exploitabilityScore": 1.8, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "util-linux", "version": "2.36.1-8+deb11u1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libblkid1", "version": "2.36.1-8+deb11u1", "type": "deb", "locations": [{"path": "/usr/share/doc/libblkid1/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libblkid1:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["BSD-2-clause", "BSD-3-clause", "BSD-4-clause", "GPL-2", "GPL-2+", "GPL-3", "GPL-3+", "LGPL", "LGPL-2", "LGPL-2+", "LGPL-2.1", "LGPL-2.1+", "LGPL-3", "LGPL-3+", "MIT", "public-domain"], "cpes": ["cpe:2.3:a:libblkid1:libblkid1:2.36.1-8+deb11u1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libblkid1@2.36.1-8+deb11u1?arch=arm64&upstream=util-linux&distro=debian-11", "upstreams": [{"name": "util-linux"}]}}, {"vulnerability": {"id": "CVE-2022-0563", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2022-0563", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2022-0563"], "description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-0563", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-0563", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u", "https://security.netapp.com/advisory/ntap-20220331-0002/"], "description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", "cvss": [{"version": "2.0", "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "metrics": {"baseScore": 1.9, "exploitabilityScore": 3.4, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "metrics": {"baseScore": 5.5, "exploitabilityScore": 1.8, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "util-linux", "version": "2.36.1-8+deb11u1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libmount1", "version": "2.36.1-8+deb11u1", "type": "deb", "locations": [{"path": "/usr/share/doc/libmount1/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libmount1:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["BSD-2-clause", "BSD-3-clause", "BSD-4-clause", "GPL-2", "GPL-2+", "GPL-3", "GPL-3+", "LGPL", "LGPL-2", "LGPL-2+", "LGPL-2.1", "LGPL-2.1+", "LGPL-3", "LGPL-3+", "MIT", "public-domain"], "cpes": ["cpe:2.3:a:libmount1:libmount1:2.36.1-8+deb11u1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libmount1@2.36.1-8+deb11u1?arch=arm64&upstream=util-linux&distro=debian-11", "upstreams": [{"name": "util-linux"}]}}, {"vulnerability": {"id": "CVE-2022-0563", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2022-0563", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2022-0563"], "description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-0563", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-0563", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u", "https://security.netapp.com/advisory/ntap-20220331-0002/"], "description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", "cvss": [{"version": "2.0", "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "metrics": {"baseScore": 1.9, "exploitabilityScore": 3.4, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "metrics": {"baseScore": 5.5, "exploitabilityScore": 1.8, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "util-linux", "version": "2.36.1-8+deb11u1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libsmartcols1", "version": "2.36.1-8+deb11u1", "type": "deb", "locations": [{"path": "/usr/share/doc/libsmartcols1/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libsmartcols1:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["BSD-2-clause", "BSD-3-clause", "BSD-4-clause", "GPL-2", "GPL-2+", "GPL-3", "GPL-3+", "LGPL", "LGPL-2", "LGPL-2+", "LGPL-2.1", "LGPL-2.1+", "LGPL-3", "LGPL-3+", "MIT", "public-domain"], "cpes": ["cpe:2.3:a:libsmartcols1:libsmartcols1:2.36.1-8+deb11u1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libsmartcols1@2.36.1-8+deb11u1?arch=arm64&upstream=util-linux&distro=debian-11", "upstreams": [{"name": "util-linux"}]}}, {"vulnerability": {"id": "CVE-2022-0563", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2022-0563", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2022-0563"], "description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-0563", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-0563", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u", "https://security.netapp.com/advisory/ntap-20220331-0002/"], "description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", "cvss": [{"version": "2.0", "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "metrics": {"baseScore": 1.9, "exploitabilityScore": 3.4, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "metrics": {"baseScore": 5.5, "exploitabilityScore": 1.8, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "util-linux", "version": "2.36.1-8+deb11u1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libuuid1", "version": "2.36.1-8+deb11u1", "type": "deb", "locations": [{"path": "/usr/share/doc/libuuid1/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libuuid1:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["BSD-2-clause", "BSD-3-clause", "BSD-4-clause", "GPL-2", "GPL-2+", "GPL-3", "GPL-3+", "LGPL", "LGPL-2", "LGPL-2+", "LGPL-2.1", "LGPL-2.1+", "LGPL-3", "LGPL-3+", "MIT", "public-domain"], "cpes": ["cpe:2.3:a:libuuid1:libuuid1:2.36.1-8+deb11u1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libuuid1@2.36.1-8+deb11u1?arch=arm64&upstream=util-linux&distro=debian-11", "upstreams": [{"name": "util-linux"}]}}, {"vulnerability": {"id": "CVE-2022-0563", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2022-0563", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2022-0563"], "description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-0563", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-0563", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u", "https://security.netapp.com/advisory/ntap-20220331-0002/"], "description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", "cvss": [{"version": "2.0", "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "metrics": {"baseScore": 1.9, "exploitabilityScore": 3.4, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "metrics": {"baseScore": 5.5, "exploitabilityScore": 1.8, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "util-linux", "version": "2.36.1-8+deb11u1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "mount", "version": "2.36.1-8+deb11u1", "type": "deb", "locations": [{"path": "/usr/share/doc/mount/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/mount.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["BSD-2-clause", "BSD-3-clause", "BSD-4-clause", "GPL-2", "GPL-2+", "GPL-3", "GPL-3+", "LGPL", "LGPL-2", "LGPL-2+", "LGPL-2.1", "LGPL-2.1+", "LGPL-3", "LGPL-3+", "MIT", "public-domain"], "cpes": ["cpe:2.3:a:mount:mount:2.36.1-8+deb11u1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/mount@2.36.1-8+deb11u1?arch=arm64&upstream=util-linux&distro=debian-11", "upstreams": [{"name": "util-linux"}]}}, {"vulnerability": {"id": "CVE-2022-0563", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2022-0563", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2022-0563"], "description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-0563", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-0563", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u", "https://security.netapp.com/advisory/ntap-20220331-0002/"], "description": "A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an \"INPUTRC\" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.", "cvss": [{"version": "2.0", "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "metrics": {"baseScore": 1.9, "exploitabilityScore": 3.4, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "metrics": {"baseScore": 5.5, "exploitabilityScore": 1.8, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "util-linux", "version": "2.36.1-8+deb11u1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "util-linux", "version": "2.36.1-8+deb11u1", "type": "deb", "locations": [{"path": "/usr/share/doc/util-linux/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/util-linux.conffiles", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/util-linux.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["BSD-2-clause", "BSD-3-clause", "BSD-4-clause", "GPL-2", "GPL-2+", "GPL-3", "GPL-3+", "LGPL", "LGPL-2", "LGPL-2+", "LGPL-2.1", "LGPL-2.1+", "LGPL-3", "LGPL-3+", "MIT", "public-domain"], "cpes": ["cpe:2.3:a:util-linux:util-linux:2.36.1-8+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:util-linux:util_linux:2.36.1-8+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:util_linux:util-linux:2.36.1-8+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:util_linux:util_linux:2.36.1-8+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:util:util-linux:2.36.1-8+deb11u1:*:*:*:*:*:*:*", "cpe:2.3:a:util:util_linux:2.36.1-8+deb11u1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/util-linux@2.36.1-8+deb11u1?arch=arm64&distro=debian-11", "upstreams": []}}, {"vulnerability": {"id": "CVE-2022-1304", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2022-1304", "namespace": "debian:distro:debian:11", "severity": "High", "urls": ["https://security-tracker.debian.org/tracker/CVE-2022-1304"], "description": "An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.", "cvss": [], "fix": {"versions": [], "state": "wont-fix"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-1304", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-1304", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://bugzilla.redhat.com/show_bug.cgi?id=2069726"], "description": "An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "metrics": {"baseScore": 6.8, "exploitabilityScore": 8.6, "impactScore": 6.4}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 7.8, "exploitabilityScore": 1.8, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "e2fsprogs", "version": "1.46.2-2"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "e2fsprogs", "version": "1.46.2-2", "type": "deb", "locations": [{"path": "/usr/share/doc/e2fsprogs/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/e2fsprogs.conffiles", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/e2fsprogs.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2", "LGPL-2"], "cpes": ["cpe:2.3:a:e2fsprogs:e2fsprogs:1.46.2-2:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/e2fsprogs@1.46.2-2?arch=arm64&distro=debian-11", "upstreams": []}}, {"vulnerability": {"id": "CVE-2022-1304", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2022-1304", "namespace": "debian:distro:debian:11", "severity": "High", "urls": ["https://security-tracker.debian.org/tracker/CVE-2022-1304"], "description": "An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.", "cvss": [], "fix": {"versions": [], "state": "wont-fix"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-1304", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-1304", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://bugzilla.redhat.com/show_bug.cgi?id=2069726"], "description": "An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "metrics": {"baseScore": 6.8, "exploitabilityScore": 8.6, "impactScore": 6.4}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 7.8, "exploitabilityScore": 1.8, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "e2fsprogs", "version": "1.46.2-2"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libcom-err2", "version": "1.46.2-2", "type": "deb", "locations": [{"path": "/usr/share/doc/libcom-err2/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libcom-err2:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": [], "cpes": ["cpe:2.3:a:libcom-err2:libcom-err2:1.46.2-2:*:*:*:*:*:*:*", "cpe:2.3:a:libcom-err2:libcom_err2:1.46.2-2:*:*:*:*:*:*:*", "cpe:2.3:a:libcom_err2:libcom-err2:1.46.2-2:*:*:*:*:*:*:*", "cpe:2.3:a:libcom_err2:libcom_err2:1.46.2-2:*:*:*:*:*:*:*", "cpe:2.3:a:libcom:libcom-err2:1.46.2-2:*:*:*:*:*:*:*", "cpe:2.3:a:libcom:libcom_err2:1.46.2-2:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libcom-err2@1.46.2-2?arch=arm64&upstream=e2fsprogs&distro=debian-11", "upstreams": [{"name": "e2fsprogs"}]}}, {"vulnerability": {"id": "CVE-2022-1304", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2022-1304", "namespace": "debian:distro:debian:11", "severity": "High", "urls": ["https://security-tracker.debian.org/tracker/CVE-2022-1304"], "description": "An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.", "cvss": [], "fix": {"versions": [], "state": "wont-fix"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-1304", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-1304", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://bugzilla.redhat.com/show_bug.cgi?id=2069726"], "description": "An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "metrics": {"baseScore": 6.8, "exploitabilityScore": 8.6, "impactScore": 6.4}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 7.8, "exploitabilityScore": 1.8, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "e2fsprogs", "version": "1.46.2-2"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libext2fs2", "version": "1.46.2-2", "type": "deb", "locations": [{"path": "/usr/share/doc/libext2fs2/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libext2fs2:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2", "LGPL-2"], "cpes": ["cpe:2.3:a:libext2fs2:libext2fs2:1.46.2-2:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libext2fs2@1.46.2-2?arch=arm64&upstream=e2fsprogs&distro=debian-11", "upstreams": [{"name": "e2fsprogs"}]}}, {"vulnerability": {"id": "CVE-2022-1304", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2022-1304", "namespace": "debian:distro:debian:11", "severity": "High", "urls": ["https://security-tracker.debian.org/tracker/CVE-2022-1304"], "description": "An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.", "cvss": [], "fix": {"versions": [], "state": "wont-fix"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-1304", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-1304", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://bugzilla.redhat.com/show_bug.cgi?id=2069726"], "description": "An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "metrics": {"baseScore": 6.8, "exploitabilityScore": 8.6, "impactScore": 6.4}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 7.8, "exploitabilityScore": 1.8, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "e2fsprogs", "version": "1.46.2-2"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libss2", "version": "1.46.2-2", "type": "deb", "locations": [{"path": "/usr/share/doc/libss2/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libss2:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": [], "cpes": ["cpe:2.3:a:libss2:libss2:1.46.2-2:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libss2@1.46.2-2?arch=arm64&upstream=e2fsprogs&distro=debian-11", "upstreams": [{"name": "e2fsprogs"}]}}, {"vulnerability": {"id": "CVE-2022-1304", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2022-1304", "namespace": "debian:distro:debian:11", "severity": "High", "urls": ["https://security-tracker.debian.org/tracker/CVE-2022-1304"], "description": "An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.", "cvss": [], "fix": {"versions": [], "state": "wont-fix"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-1304", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-1304", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://bugzilla.redhat.com/show_bug.cgi?id=2069726"], "description": "An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "metrics": {"baseScore": 6.8, "exploitabilityScore": 8.6, "impactScore": 6.4}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 7.8, "exploitabilityScore": 1.8, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "e2fsprogs", "version": "1.46.2-2"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "logsave", "version": "1.46.2-2", "type": "deb", "locations": [{"path": "/usr/share/doc/logsave/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/logsave.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2", "LGPL-2"], "cpes": ["cpe:2.3:a:logsave:logsave:1.46.2-2:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/logsave@1.46.2-2?arch=arm64&upstream=e2fsprogs&distro=debian-11", "upstreams": [{"name": "e2fsprogs"}]}}, {"vulnerability": {"id": "CVE-2022-2097", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2022-2097", "namespace": "debian:distro:debian:11", "severity": "Medium", "urls": ["https://security-tracker.debian.org/tracker/CVE-2022-2097"], "description": "AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of \"in place\" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).", "cvss": [], "fix": {"versions": [], "state": "wont-fix"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-2097", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-2097", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://www.openssl.org/news/secadv/20220705.txt", "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a98f339ddd7e8f487d6e0088d4a9a42324885a93", "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=919925673d6c9cfed3c1085497f5dfbbed5fc431", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V6567JERRHHJW2GNGJGKDRNHR7SNPZK7/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6CK57NBQFTPUMXAPJURCGXUYT76NQAK/", "https://security.netapp.com/advisory/ntap-20220715-0011/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/"], "description": "AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of \"in place\" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "metrics": {"baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "metrics": {"baseScore": 5.3, "exploitabilityScore": 3.9, "impactScore": 1.4}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "openssl", "version": "1.1.1n-0+deb11u3"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libssl1.1", "version": "1.1.1n-0+deb11u3", "type": "deb", "locations": [{"path": "/usr/share/doc/libssl1.1/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libssl1.1:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": [], "cpes": ["cpe:2.3:a:libssl1.1:libssl1.1:1.1.1n-0+deb11u3:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libssl1.1@1.1.1n-0+deb11u3?arch=arm64&upstream=openssl&distro=debian-11", "upstreams": [{"name": "openssl"}]}}, {"vulnerability": {"id": "CVE-2022-2097", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2022-2097", "namespace": "debian:distro:debian:11", "severity": "Medium", "urls": ["https://security-tracker.debian.org/tracker/CVE-2022-2097"], "description": "AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of \"in place\" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).", "cvss": [], "fix": {"versions": [], "state": "wont-fix"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-2097", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-2097", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://www.openssl.org/news/secadv/20220705.txt", "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a98f339ddd7e8f487d6e0088d4a9a42324885a93", "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=919925673d6c9cfed3c1085497f5dfbbed5fc431", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V6567JERRHHJW2GNGJGKDRNHR7SNPZK7/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6CK57NBQFTPUMXAPJURCGXUYT76NQAK/", "https://security.netapp.com/advisory/ntap-20220715-0011/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/"], "description": "AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of \"in place\" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).", "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "metrics": {"baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "metrics": {"baseScore": 5.3, "exploitabilityScore": 3.9, "impactScore": 1.4}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "openssl", "version": "1.1.1n-0+deb11u3"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "openssl", "version": "1.1.1n-0+deb11u3", "type": "deb", "locations": [{"path": "/usr/share/doc/openssl/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/openssl.conffiles", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/openssl.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": [], "cpes": ["cpe:2.3:a:openssl:openssl:1.1.1n-0+deb11u3:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/openssl@1.1.1n-0+deb11u3?arch=arm64&distro=debian-11", "upstreams": []}}, {"vulnerability": {"id": "CVE-2022-24765", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2022-24765", "namespace": "debian:distro:debian:11", "severity": "High", "urls": ["https://security-tracker.debian.org/tracker/CVE-2022-24765"], "description": "Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder `C:\\.git`, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory. Git Bash users who set `GIT_PS1_SHOWDIRTYSTATE` are vulnerable as well. Users who installed posh-gitare vulnerable simply by starting a PowerShell. Users of IDEs such as Visual Studio are vulnerable: simply creating a new project would already read and respect the config specified in `C:\\.git\\config`. Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash. The problem has been patched in Git for Windows v2.35.2. Users unable to upgrade may create the folder `.git` on all drives where Git commands are run, and remove read/write access from those folders as a workaround. Alternatively, define or extend `GIT_CEILING_DIRECTORIES` to cover the _parent_ directory of the user profile, e.g. `C:\\Users` if the user profile is located in `C:\\Users\\my-user-name`.", "cvss": [], "fix": {"versions": [], "state": "wont-fix"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-24765", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-24765", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://github.com/git-for-windows/git/security/advisories/GHSA-vw2c-22j4-2fh2", "https://git-scm.com/book/en/v2/Appendix-A%3A-Git-in-Other-Environments-Git-in-Bash", "https://git-scm.com/docs/git#Documentation/git.txt-codeGITCEILINGDIRECTORIEScode", "http://www.openwall.com/lists/oss-security/2022/04/12/7", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5PTN5NYEHYN2OQSHSAMCNICZNK2U4QH6/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BENQYTDGUL6TF3UALY6GSIEXIHUIYNWM/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SLP42KIZ6HACTVZMZLJLFJQ4W2XYT27M/", "https://support.apple.com/kb/HT213261", "http://seclists.org/fulldisclosure/2022/May/31", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TRZG5CDUQ27OWTPC5MQOR4UASNXHWEZS/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDI325LOO2XBDDKLINOAQJEG6MHAURZE/"], "description": "Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder `C:\\.git`, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory. Git Bash users who set `GIT_PS1_SHOWDIRTYSTATE` are vulnerable as well. Users who installed posh-gitare vulnerable simply by starting a PowerShell. Users of IDEs such as Visual Studio are vulnerable: simply creating a new project would already read and respect the config specified in `C:\\.git\\config`. Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash. The problem has been patched in Git for Windows v2.35.2. Users unable to upgrade may create the folder `.git` on all drives where Git commands are run, and remove read/write access from those folders as a workaround. Alternatively, define or extend `GIT_CEILING_DIRECTORIES` to cover the _parent_ directory of the user profile, e.g. `C:\\Users` if the user profile is located in `C:\\Users\\my-user-name`.", "cvss": [{"version": "2.0", "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "metrics": {"baseScore": 6.9, "exploitabilityScore": 3.4, "impactScore": 10}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 7.8, "exploitabilityScore": 1.8, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "git", "version": "1:2.30.2-1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "git", "version": "1:2.30.2-1", "type": "deb", "locations": [{"path": "/usr/share/doc/git/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/git.conffiles", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/git.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["Apache-2.0", "Artistic", "Boost", "EDL-1.0", "Expat", "GPL", "GPL-1+", "GPL-2", "GPL-2+", "ISC", "LGPL-2", "LGPL-2+", "LGPL-2.1", "LGPL-2.1+", "dlmalloc", "mingw-runtime"], "cpes": ["cpe:2.3:a:git:git:1:2.30.2-1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/git@1:2.30.2-1?arch=arm64&distro=debian-11", "upstreams": []}}, {"vulnerability": {"id": "CVE-2022-24765", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2022-24765", "namespace": "debian:distro:debian:11", "severity": "High", "urls": ["https://security-tracker.debian.org/tracker/CVE-2022-24765"], "description": "Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder `C:\\.git`, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory. Git Bash users who set `GIT_PS1_SHOWDIRTYSTATE` are vulnerable as well. Users who installed posh-gitare vulnerable simply by starting a PowerShell. Users of IDEs such as Visual Studio are vulnerable: simply creating a new project would already read and respect the config specified in `C:\\.git\\config`. Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash. The problem has been patched in Git for Windows v2.35.2. Users unable to upgrade may create the folder `.git` on all drives where Git commands are run, and remove read/write access from those folders as a workaround. Alternatively, define or extend `GIT_CEILING_DIRECTORIES` to cover the _parent_ directory of the user profile, e.g. `C:\\Users` if the user profile is located in `C:\\Users\\my-user-name`.", "cvss": [], "fix": {"versions": [], "state": "wont-fix"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-24765", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-24765", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://github.com/git-for-windows/git/security/advisories/GHSA-vw2c-22j4-2fh2", "https://git-scm.com/book/en/v2/Appendix-A%3A-Git-in-Other-Environments-Git-in-Bash", "https://git-scm.com/docs/git#Documentation/git.txt-codeGITCEILINGDIRECTORIEScode", "http://www.openwall.com/lists/oss-security/2022/04/12/7", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5PTN5NYEHYN2OQSHSAMCNICZNK2U4QH6/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BENQYTDGUL6TF3UALY6GSIEXIHUIYNWM/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SLP42KIZ6HACTVZMZLJLFJQ4W2XYT27M/", "https://support.apple.com/kb/HT213261", "http://seclists.org/fulldisclosure/2022/May/31", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TRZG5CDUQ27OWTPC5MQOR4UASNXHWEZS/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDI325LOO2XBDDKLINOAQJEG6MHAURZE/"], "description": "Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder `C:\\.git`, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory. Git Bash users who set `GIT_PS1_SHOWDIRTYSTATE` are vulnerable as well. Users who installed posh-gitare vulnerable simply by starting a PowerShell. Users of IDEs such as Visual Studio are vulnerable: simply creating a new project would already read and respect the config specified in `C:\\.git\\config`. Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash. The problem has been patched in Git for Windows v2.35.2. Users unable to upgrade may create the folder `.git` on all drives where Git commands are run, and remove read/write access from those folders as a workaround. Alternatively, define or extend `GIT_CEILING_DIRECTORIES` to cover the _parent_ directory of the user profile, e.g. `C:\\Users` if the user profile is located in `C:\\Users\\my-user-name`.", "cvss": [{"version": "2.0", "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "metrics": {"baseScore": 6.9, "exploitabilityScore": 3.4, "impactScore": 10}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 7.8, "exploitabilityScore": 1.8, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "git", "version": "1:2.30.2-1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "git-man", "version": "1:2.30.2-1", "type": "deb", "locations": [{"path": "/usr/share/doc/git-man/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/git-man.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["Apache-2.0", "Artistic", "Boost", "EDL-1.0", "Expat", "GPL", "GPL-1+", "GPL-2", "GPL-2+", "ISC", "LGPL-2", "LGPL-2+", "LGPL-2.1", "LGPL-2.1+", "dlmalloc", "mingw-runtime"], "cpes": ["cpe:2.3:a:git-man:git-man:1:2.30.2-1:*:*:*:*:*:*:*", "cpe:2.3:a:git-man:git_man:1:2.30.2-1:*:*:*:*:*:*:*", "cpe:2.3:a:git_man:git-man:1:2.30.2-1:*:*:*:*:*:*:*", "cpe:2.3:a:git_man:git_man:1:2.30.2-1:*:*:*:*:*:*:*", "cpe:2.3:a:git:git-man:1:2.30.2-1:*:*:*:*:*:*:*", "cpe:2.3:a:git:git_man:1:2.30.2-1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/git-man@1:2.30.2-1?arch=all&upstream=git&distro=debian-11", "upstreams": [{"name": "git"}]}}, {"vulnerability": {"id": "CVE-2022-24975", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2022-24975", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2022-24975"], "description": "The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the \"GitBleed\" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-24975", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-24975", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/", "https://github.com/git/git/blob/2dc94da3744bfbbf145eca587a0f5ff480cc5867/Documentation/git-clone.txt#L185-L191"], "description": "The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the \"GitBleed\" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "metrics": {"baseScore": 4.3, "exploitabilityScore": 8.6, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "git", "version": "1:2.30.2-1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "git", "version": "1:2.30.2-1", "type": "deb", "locations": [{"path": "/usr/share/doc/git/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/git.conffiles", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/git.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["Apache-2.0", "Artistic", "Boost", "EDL-1.0", "Expat", "GPL", "GPL-1+", "GPL-2", "GPL-2+", "ISC", "LGPL-2", "LGPL-2+", "LGPL-2.1", "LGPL-2.1+", "dlmalloc", "mingw-runtime"], "cpes": ["cpe:2.3:a:git:git:1:2.30.2-1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/git@1:2.30.2-1?arch=arm64&distro=debian-11", "upstreams": []}}, {"vulnerability": {"id": "CVE-2022-24975", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2022-24975", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2022-24975"], "description": "The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the \"GitBleed\" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-24975", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-24975", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/", "https://github.com/git/git/blob/2dc94da3744bfbbf145eca587a0f5ff480cc5867/Documentation/git-clone.txt#L185-L191"], "description": "The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the \"GitBleed\" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "metrics": {"baseScore": 4.3, "exploitabilityScore": 8.6, "impactScore": 2.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "git", "version": "1:2.30.2-1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "git-man", "version": "1:2.30.2-1", "type": "deb", "locations": [{"path": "/usr/share/doc/git-man/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/git-man.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["Apache-2.0", "Artistic", "Boost", "EDL-1.0", "Expat", "GPL", "GPL-1+", "GPL-2", "GPL-2+", "ISC", "LGPL-2", "LGPL-2+", "LGPL-2.1", "LGPL-2.1+", "dlmalloc", "mingw-runtime"], "cpes": ["cpe:2.3:a:git-man:git-man:1:2.30.2-1:*:*:*:*:*:*:*", "cpe:2.3:a:git-man:git_man:1:2.30.2-1:*:*:*:*:*:*:*", "cpe:2.3:a:git_man:git-man:1:2.30.2-1:*:*:*:*:*:*:*", "cpe:2.3:a:git_man:git_man:1:2.30.2-1:*:*:*:*:*:*:*", "cpe:2.3:a:git:git-man:1:2.30.2-1:*:*:*:*:*:*:*", "cpe:2.3:a:git:git_man:1:2.30.2-1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/git-man@1:2.30.2-1?arch=all&upstream=git&distro=debian-11", "upstreams": [{"name": "git"}]}}, {"vulnerability": {"id": "CVE-2022-29187", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2022-29187", "namespace": "debian:distro:debian:11", "severity": "High", "urls": ["https://security-tracker.debian.org/tracker/CVE-2022-29187"], "description": "Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened from the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks.", "cvss": [], "fix": {"versions": [], "state": "wont-fix"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-29187", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-29187", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://github.blog/2022-04-12-git-security-vulnerability-announced", "https://lore.kernel.org/git/xmqqv8s2fefi.fsf@gitster.g/T/#u", "https://github.com/git/git/security/advisories/GHSA-j342-m5hw-rr3v", "http://www.openwall.com/lists/oss-security/2022/07/14/1", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TRZG5CDUQ27OWTPC5MQOR4UASNXHWEZS/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDI325LOO2XBDDKLINOAQJEG6MHAURZE/"], "description": "Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened from the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks.", "cvss": [{"version": "2.0", "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "metrics": {"baseScore": 6.9, "exploitabilityScore": 3.4, "impactScore": 10}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 7.8, "exploitabilityScore": 1.8, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "git", "version": "1:2.30.2-1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "git", "version": "1:2.30.2-1", "type": "deb", "locations": [{"path": "/usr/share/doc/git/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/git.conffiles", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/git.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["Apache-2.0", "Artistic", "Boost", "EDL-1.0", "Expat", "GPL", "GPL-1+", "GPL-2", "GPL-2+", "ISC", "LGPL-2", "LGPL-2+", "LGPL-2.1", "LGPL-2.1+", "dlmalloc", "mingw-runtime"], "cpes": ["cpe:2.3:a:git:git:1:2.30.2-1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/git@1:2.30.2-1?arch=arm64&distro=debian-11", "upstreams": []}}, {"vulnerability": {"id": "CVE-2022-29187", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2022-29187", "namespace": "debian:distro:debian:11", "severity": "High", "urls": ["https://security-tracker.debian.org/tracker/CVE-2022-29187"], "description": "Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened from the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks.", "cvss": [], "fix": {"versions": [], "state": "wont-fix"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-29187", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-29187", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://github.blog/2022-04-12-git-security-vulnerability-announced", "https://lore.kernel.org/git/xmqqv8s2fefi.fsf@gitster.g/T/#u", "https://github.com/git/git/security/advisories/GHSA-j342-m5hw-rr3v", "http://www.openwall.com/lists/oss-security/2022/07/14/1", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TRZG5CDUQ27OWTPC5MQOR4UASNXHWEZS/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDI325LOO2XBDDKLINOAQJEG6MHAURZE/"], "description": "Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened from the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks.", "cvss": [{"version": "2.0", "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "metrics": {"baseScore": 6.9, "exploitabilityScore": 3.4, "impactScore": 10}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 7.8, "exploitabilityScore": 1.8, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "git", "version": "1:2.30.2-1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "git-man", "version": "1:2.30.2-1", "type": "deb", "locations": [{"path": "/usr/share/doc/git-man/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/git-man.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["Apache-2.0", "Artistic", "Boost", "EDL-1.0", "Expat", "GPL", "GPL-1+", "GPL-2", "GPL-2+", "ISC", "LGPL-2", "LGPL-2+", "LGPL-2.1", "LGPL-2.1+", "dlmalloc", "mingw-runtime"], "cpes": ["cpe:2.3:a:git-man:git-man:1:2.30.2-1:*:*:*:*:*:*:*", "cpe:2.3:a:git-man:git_man:1:2.30.2-1:*:*:*:*:*:*:*", "cpe:2.3:a:git_man:git-man:1:2.30.2-1:*:*:*:*:*:*:*", "cpe:2.3:a:git_man:git_man:1:2.30.2-1:*:*:*:*:*:*:*", "cpe:2.3:a:git:git-man:1:2.30.2-1:*:*:*:*:*:*:*", "cpe:2.3:a:git:git_man:1:2.30.2-1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/git-man@1:2.30.2-1?arch=all&upstream=git&distro=debian-11", "upstreams": [{"name": "git"}]}}, {"vulnerability": {"id": "CVE-2022-29458", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2022-29458", "namespace": "debian:distro:debian:11", "severity": "High", "urls": ["https://security-tracker.debian.org/tracker/CVE-2022-29458"], "description": "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", "cvss": [], "fix": {"versions": [], "state": "wont-fix"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-29458", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-29458", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00016.html", "https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00014.html"], "description": "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P", "metrics": {"baseScore": 5.8, "exploitabilityScore": 8.6, "impactScore": 4.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "metrics": {"baseScore": 7.1, "exploitabilityScore": 1.8, "impactScore": 5.2}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "ncurses", "version": "6.2+20201114-2"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libncursesw6", "version": "6.2+20201114-2", "type": "deb", "locations": [{"path": "/usr/share/doc/libtinfo6/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libncursesw6:arm64.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["BSD-3-clause", "MIT/X11", "X11"], "cpes": ["cpe:2.3:a:libncursesw6:libncursesw6:6.2+20201114-2:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libncursesw6@6.2+20201114-2?arch=arm64&upstream=ncurses&distro=debian-11", "upstreams": [{"name": "ncurses"}]}}, {"vulnerability": {"id": "CVE-2022-29458", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2022-29458", "namespace": "debian:distro:debian:11", "severity": "High", "urls": ["https://security-tracker.debian.org/tracker/CVE-2022-29458"], "description": "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", "cvss": [], "fix": {"versions": [], "state": "wont-fix"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-29458", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-29458", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00016.html", "https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00014.html"], "description": "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P", "metrics": {"baseScore": 5.8, "exploitabilityScore": 8.6, "impactScore": 4.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "metrics": {"baseScore": 7.1, "exploitabilityScore": 1.8, "impactScore": 5.2}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "ncurses", "version": "6.2+20201114-2"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libtinfo6", "version": "6.2+20201114-2", "type": "deb", "locations": [{"path": "/usr/share/doc/libtinfo6/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/libtinfo6:arm64.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["BSD-3-clause", "MIT/X11", "X11"], "cpes": ["cpe:2.3:a:libtinfo6:libtinfo6:6.2+20201114-2:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libtinfo6@6.2+20201114-2?arch=arm64&upstream=ncurses&distro=debian-11", "upstreams": [{"name": "ncurses"}]}}, {"vulnerability": {"id": "CVE-2022-29458", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2022-29458", "namespace": "debian:distro:debian:11", "severity": "High", "urls": ["https://security-tracker.debian.org/tracker/CVE-2022-29458"], "description": "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", "cvss": [], "fix": {"versions": [], "state": "wont-fix"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-29458", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-29458", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00016.html", "https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00014.html"], "description": "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P", "metrics": {"baseScore": 5.8, "exploitabilityScore": 8.6, "impactScore": 4.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "metrics": {"baseScore": 7.1, "exploitabilityScore": 1.8, "impactScore": 5.2}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "ncurses", "version": "6.2+20201114-2"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "ncurses-base", "version": "6.2+20201114-2", "type": "deb", "locations": [{"path": "/usr/share/doc/ncurses-base/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/ncurses-base.conffiles", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/ncurses-base.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["BSD-3-clause", "MIT/X11", "X11"], "cpes": ["cpe:2.3:a:ncurses-base:ncurses-base:6.2+20201114-2:*:*:*:*:*:*:*", "cpe:2.3:a:ncurses-base:ncurses_base:6.2+20201114-2:*:*:*:*:*:*:*", "cpe:2.3:a:ncurses_base:ncurses-base:6.2+20201114-2:*:*:*:*:*:*:*", "cpe:2.3:a:ncurses_base:ncurses_base:6.2+20201114-2:*:*:*:*:*:*:*", "cpe:2.3:a:ncurses:ncurses-base:6.2+20201114-2:*:*:*:*:*:*:*", "cpe:2.3:a:ncurses:ncurses_base:6.2+20201114-2:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/ncurses-base@6.2+20201114-2?arch=all&upstream=ncurses&distro=debian-11", "upstreams": [{"name": "ncurses"}]}}, {"vulnerability": {"id": "CVE-2022-29458", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2022-29458", "namespace": "debian:distro:debian:11", "severity": "High", "urls": ["https://security-tracker.debian.org/tracker/CVE-2022-29458"], "description": "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", "cvss": [], "fix": {"versions": [], "state": "wont-fix"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-29458", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-29458", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00016.html", "https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00014.html"], "description": "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P", "metrics": {"baseScore": 5.8, "exploitabilityScore": 8.6, "impactScore": 4.9}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "metrics": {"baseScore": 7.1, "exploitabilityScore": 1.8, "impactScore": 5.2}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "ncurses", "version": "6.2+20201114-2"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "ncurses-bin", "version": "6.2+20201114-2", "type": "deb", "locations": [{"path": "/usr/share/doc/ncurses-bin/copyright", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/info/ncurses-bin.md5sums", "layerID": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["BSD-3-clause", "MIT/X11", "X11"], "cpes": ["cpe:2.3:a:ncurses-bin:ncurses-bin:6.2+20201114-2:*:*:*:*:*:*:*", "cpe:2.3:a:ncurses-bin:ncurses_bin:6.2+20201114-2:*:*:*:*:*:*:*", "cpe:2.3:a:ncurses_bin:ncurses-bin:6.2+20201114-2:*:*:*:*:*:*:*", "cpe:2.3:a:ncurses_bin:ncurses_bin:6.2+20201114-2:*:*:*:*:*:*:*", "cpe:2.3:a:ncurses:ncurses-bin:6.2+20201114-2:*:*:*:*:*:*:*", "cpe:2.3:a:ncurses:ncurses_bin:6.2+20201114-2:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/ncurses-bin@6.2+20201114-2?arch=arm64&upstream=ncurses&distro=debian-11", "upstreams": [{"name": "ncurses"}]}}, {"vulnerability": {"id": "CVE-2022-31782", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2022-31782", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2022-31782"], "description": "ftbench.c in FreeType Demo Programs through 2.12.1 has a heap-based buffer overflow.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-31782", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-31782", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://gitlab.freedesktop.org/freetype/freetype-demos/-/issues/8"], "description": "ftbench.c in FreeType Demo Programs through 2.12.1 has a heap-based buffer overflow.", "cvss": [{"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "metrics": {"baseScore": 6.8, "exploitabilityScore": 8.6, "impactScore": 6.4}, "vendorMetadata": {}}, {"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 7.8, "exploitabilityScore": 1.8, "impactScore": 5.9}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "freetype", "version": "2.10.4+dfsg-1+deb11u1"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libfreetype6", "version": "2.10.4+dfsg-1+deb11u1", "type": "deb", "locations": [{"path": "/usr/share/doc/libfreetype6/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/libfreetype6:arm64.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["Apache-2.0", "BSD-3-Clause", "FSFAP", "FSFUL", "FSFULLR", "FTL", "GPL-2", "GPL-2+", "GPL-3", "GPL-3+", "MIT", "OFL-1.1", "OpenGroup-BSD-like", "Permissive", "Public-Domain", "Zlib"], "cpes": ["cpe:2.3:a:libfreetype6:libfreetype6:2.10.4+dfsg-1+deb11u1:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libfreetype6@2.10.4+dfsg-1+deb11u1?arch=arm64&upstream=freetype&distro=debian-11", "upstreams": [{"name": "freetype"}]}}, {"vulnerability": {"id": "CVE-2022-35737", "dataSource": "https://security-tracker.debian.org/tracker/CVE-2022-35737", "namespace": "debian:distro:debian:11", "severity": "Negligible", "urls": ["https://security-tracker.debian.org/tracker/CVE-2022-35737"], "description": "SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-35737", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-35737", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://kb.cert.org/vuls/id/720344", "https://www.sqlite.org/cves.html", "https://sqlite.org/releaselog/3_39_2.html", "https://security.netapp.com/advisory/ntap-20220915-0009/"], "description": "SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.", "cvss": [{"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": {"distro": {"type": "debian", "version": "11"}, "namespace": "debian:distro:debian:11", "package": {"name": "sqlite3", "version": "3.34.1-3"}}, "found": {"versionConstraint": "none (deb)"}}], "artifact": {"name": "libsqlite3-0", "version": "3.34.1-3", "type": "deb", "locations": [{"path": "/usr/share/doc/libsqlite3-0/copyright", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/info/libsqlite3-0:arm64.md5sums", "layerID": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194"}, {"path": "/var/lib/dpkg/status", "layerID": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673"}], "language": "", "licenses": ["GPL-2", "GPL-2+", "public-domain"], "cpes": ["cpe:2.3:a:libsqlite3-0:libsqlite3-0:3.34.1-3:*:*:*:*:*:*:*", "cpe:2.3:a:libsqlite3-0:libsqlite3_0:3.34.1-3:*:*:*:*:*:*:*", "cpe:2.3:a:libsqlite3_0:libsqlite3-0:3.34.1-3:*:*:*:*:*:*:*", "cpe:2.3:a:libsqlite3_0:libsqlite3_0:3.34.1-3:*:*:*:*:*:*:*", "cpe:2.3:a:libsqlite3:libsqlite3-0:3.34.1-3:*:*:*:*:*:*:*", "cpe:2.3:a:libsqlite3:libsqlite3_0:3.34.1-3:*:*:*:*:*:*:*"], "purl": "pkg:deb/debian/libsqlite3-0@3.34.1-3?arch=arm64&upstream=sqlite3&distro=debian-11", "upstreams": [{"name": "sqlite3"}]}}, {"vulnerability": {"id": "GHSA-3f7h-mf4q-vrm4", "dataSource": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4", "namespace": "github:language:java", "severity": "Low", "urls": ["https://github.com/advisories/GHSA-3f7h-mf4q-vrm4"], "description": "XStream Denial of Service due to parser crash", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-40152", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47434", "https://github.com/x-stream/xstream/issues/304"], "description": "Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.", "cvss": [{"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "java-matcher", "searchedBy": {"language": "java", "namespace": "github:language:java"}, "found": {"versionConstraint": "<=1.5.0 (unknown)"}}], "artifact": {"name": "xstream", "version": "1.4.19", "type": "java-archive", "locations": [{"path": "/usr/share/jenkins/jenkins.war", "layerID": "sha256:54f341385349f69f2ce6184ecec3ddcdb997d1d46f2aae35f0a94d5b92a0d3b4"}], "language": "java", "licenses": [], "cpes": ["cpe:2.3:a:thoughtworks:xstream:1.4.19:*:*:*:*:*:*:*", "cpe:2.3:a:xstream:xstream:1.4.19:*:*:*:*:*:*:*"], "purl": "pkg:maven/com.thoughtworks.xstream/xstream@1.4.19", "upstreams": [], "metadataType": "JavaMetadata", "metadata": {"virtualPath": "/usr/share/jenkins/jenkins.war:WEB-INF/lib/xstream-1.4.19.jar", "pomArtifactID": "xstream", "pomGroupID": "com.thoughtworks.xstream", "manifestName": "", "archiveDigests": [{"algorithm": "sha1", "value": "e0e581d812aa92ae12f07234f3398e06af74b112"}]}}}, {"vulnerability": {"id": "GHSA-3mc7-4q67-w48m", "dataSource": "https://github.com/advisories/GHSA-3mc7-4q67-w48m", "namespace": "github:language:java", "severity": "High", "urls": ["https://github.com/advisories/GHSA-3mc7-4q67-w48m"], "description": "Uncontrolled Resource Consumption in snakeyaml", "cvss": [], "fix": {"versions": ["1.31"], "state": "fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-25857", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://bitbucket.org/snakeyaml/snakeyaml/commits/fc300780da21f4bb92c148bc90257201220cf174", "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174", "https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-2806360", "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", "https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html"], "description": "The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.", "cvss": [{"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "java-matcher", "searchedBy": {"language": "java", "namespace": "github:language:java"}, "found": {"versionConstraint": "<1.31 (unknown)"}}], "artifact": {"name": "snakeyaml", "version": "1.29", "type": "java-archive", "locations": [{"path": "/usr/share/jenkins/jenkins.war", "layerID": "sha256:54f341385349f69f2ce6184ecec3ddcdb997d1d46f2aae35f0a94d5b92a0d3b4"}], "language": "java", "licenses": [], "cpes": ["cpe:2.3:a:snakeyaml:snakeyaml:1.29:*:*:*:*:*:*:*", "cpe:2.3:a:yaml:snakeyaml:1.29:*:*:*:*:*:*:*"], "purl": "pkg:maven/org.yaml/snakeyaml@1.29", "upstreams": [], "metadataType": "JavaMetadata", "metadata": {"virtualPath": "/usr/share/jenkins/jenkins.war:WEB-INF/detached-plugins/snakeyaml-api.hpi:WEB-INF/lib/snakeyaml-1.29.jar", "pomArtifactID": "snakeyaml", "pomGroupID": "org.yaml", "manifestName": "", "archiveDigests": [{"algorithm": "sha1", "value": "6d0cdafb2010f1297e574656551d7145240f6e25"}]}}}, {"vulnerability": {"id": "GHSA-3mq5-fq9h-gj7j", "dataSource": "https://github.com/advisories/GHSA-3mq5-fq9h-gj7j", "namespace": "github:language:java", "severity": "Low", "urls": ["https://github.com/advisories/GHSA-3mq5-fq9h-gj7j"], "description": "XStream Denial of Service due to parser crash", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-40151", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-40151", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://github.com/x-stream/xstream/issues/304", "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47367"], "description": "Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.", "cvss": [{"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "java-matcher", "searchedBy": {"language": "java", "namespace": "github:language:java"}, "found": {"versionConstraint": "<=1.5.0 (unknown)"}}], "artifact": {"name": "xstream", "version": "1.4.19", "type": "java-archive", "locations": [{"path": "/usr/share/jenkins/jenkins.war", "layerID": "sha256:54f341385349f69f2ce6184ecec3ddcdb997d1d46f2aae35f0a94d5b92a0d3b4"}], "language": "java", "licenses": [], "cpes": ["cpe:2.3:a:thoughtworks:xstream:1.4.19:*:*:*:*:*:*:*", "cpe:2.3:a:xstream:xstream:1.4.19:*:*:*:*:*:*:*"], "purl": "pkg:maven/com.thoughtworks.xstream/xstream@1.4.19", "upstreams": [], "metadataType": "JavaMetadata", "metadata": {"virtualPath": "/usr/share/jenkins/jenkins.war:WEB-INF/lib/xstream-1.4.19.jar", "pomArtifactID": "xstream", "pomGroupID": "com.thoughtworks.xstream", "manifestName": "", "archiveDigests": [{"algorithm": "sha1", "value": "e0e581d812aa92ae12f07234f3398e06af74b112"}]}}}, {"vulnerability": {"id": "GHSA-4rv7-wj6m-6c6r", "dataSource": "https://github.com/advisories/GHSA-4rv7-wj6m-6c6r", "namespace": "github:language:java", "severity": "Low", "urls": ["https://github.com/advisories/GHSA-4rv7-wj6m-6c6r"], "description": "XStream Denial of Service due to parser crash", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-40156", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-40156", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50841", "https://github.com/x-stream/xstream/issues/304"], "description": "Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.", "cvss": [{"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "java-matcher", "searchedBy": {"language": "java", "namespace": "github:language:java"}, "found": {"versionConstraint": "<=1.5.0 (unknown)"}}], "artifact": {"name": "xstream", "version": "1.4.19", "type": "java-archive", "locations": [{"path": "/usr/share/jenkins/jenkins.war", "layerID": "sha256:54f341385349f69f2ce6184ecec3ddcdb997d1d46f2aae35f0a94d5b92a0d3b4"}], "language": "java", "licenses": [], "cpes": ["cpe:2.3:a:thoughtworks:xstream:1.4.19:*:*:*:*:*:*:*", "cpe:2.3:a:xstream:xstream:1.4.19:*:*:*:*:*:*:*"], "purl": "pkg:maven/com.thoughtworks.xstream/xstream@1.4.19", "upstreams": [], "metadataType": "JavaMetadata", "metadata": {"virtualPath": "/usr/share/jenkins/jenkins.war:WEB-INF/lib/xstream-1.4.19.jar", "pomArtifactID": "xstream", "pomGroupID": "com.thoughtworks.xstream", "manifestName": "", "archiveDigests": [{"algorithm": "sha1", "value": "e0e581d812aa92ae12f07234f3398e06af74b112"}]}}}, {"vulnerability": {"id": "GHSA-5hc5-c3m9-8vcj", "dataSource": "https://github.com/advisories/GHSA-5hc5-c3m9-8vcj", "namespace": "github:language:java", "severity": "Low", "urls": ["https://github.com/advisories/GHSA-5hc5-c3m9-8vcj"], "description": "XStream Denial of Service via stack overflow", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-40155", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-40155", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50428", "https://github.com/x-stream/xstream/issues/304"], "description": "Those using Xstream to serialise XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.", "cvss": [{"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "java-matcher", "searchedBy": {"language": "java", "namespace": "github:language:java"}, "found": {"versionConstraint": "<=1.4.19 (unknown)"}}], "artifact": {"name": "xstream", "version": "1.4.19", "type": "java-archive", "locations": [{"path": "/usr/share/jenkins/jenkins.war", "layerID": "sha256:54f341385349f69f2ce6184ecec3ddcdb997d1d46f2aae35f0a94d5b92a0d3b4"}], "language": "java", "licenses": [], "cpes": ["cpe:2.3:a:thoughtworks:xstream:1.4.19:*:*:*:*:*:*:*", "cpe:2.3:a:xstream:xstream:1.4.19:*:*:*:*:*:*:*"], "purl": "pkg:maven/com.thoughtworks.xstream/xstream@1.4.19", "upstreams": [], "metadataType": "JavaMetadata", "metadata": {"virtualPath": "/usr/share/jenkins/jenkins.war:WEB-INF/lib/xstream-1.4.19.jar", "pomArtifactID": "xstream", "pomGroupID": "com.thoughtworks.xstream", "manifestName": "", "archiveDigests": [{"algorithm": "sha1", "value": "e0e581d812aa92ae12f07234f3398e06af74b112"}]}}}, {"vulnerability": {"id": "GHSA-98wm-3w3q-mw94", "dataSource": "https://github.com/advisories/GHSA-98wm-3w3q-mw94", "namespace": "github:language:java", "severity": "Medium", "urls": ["https://github.com/advisories/GHSA-98wm-3w3q-mw94"], "description": "snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write", "cvss": [], "fix": {"versions": ["1.31"], "state": "fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-38751", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://bitbucket.org/snakeyaml/snakeyaml/issues/530/stackoverflow-oss-fuzz-47039", "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039", "https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html"], "description": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.", "cvss": [{"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "metrics": {"baseScore": 6.5, "exploitabilityScore": 2.8, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "java-matcher", "searchedBy": {"language": "java", "namespace": "github:language:java"}, "found": {"versionConstraint": "<1.31 (unknown)"}}], "artifact": {"name": "snakeyaml", "version": "1.29", "type": "java-archive", "locations": [{"path": "/usr/share/jenkins/jenkins.war", "layerID": "sha256:54f341385349f69f2ce6184ecec3ddcdb997d1d46f2aae35f0a94d5b92a0d3b4"}], "language": "java", "licenses": [], "cpes": ["cpe:2.3:a:snakeyaml:snakeyaml:1.29:*:*:*:*:*:*:*", "cpe:2.3:a:yaml:snakeyaml:1.29:*:*:*:*:*:*:*"], "purl": "pkg:maven/org.yaml/snakeyaml@1.29", "upstreams": [], "metadataType": "JavaMetadata", "metadata": {"virtualPath": "/usr/share/jenkins/jenkins.war:WEB-INF/detached-plugins/snakeyaml-api.hpi:WEB-INF/lib/snakeyaml-1.29.jar", "pomArtifactID": "snakeyaml", "pomGroupID": "org.yaml", "manifestName": "", "archiveDigests": [{"algorithm": "sha1", "value": "6d0cdafb2010f1297e574656551d7145240f6e25"}]}}}, {"vulnerability": {"id": "GHSA-9fwf-46g9-45rx", "dataSource": "https://github.com/advisories/GHSA-9fwf-46g9-45rx", "namespace": "github:language:java", "severity": "Low", "urls": ["https://github.com/advisories/GHSA-9fwf-46g9-45rx"], "description": "XStream Denial of Service via stack overflow", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-40154", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-40154", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50393", "https://github.com/x-stream/xstream/issues/304"], "description": "Those using Xstream to serialise XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.", "cvss": [{"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "java-matcher", "searchedBy": {"language": "java", "namespace": "github:language:java"}, "found": {"versionConstraint": "<=1.4.19 (unknown)"}}], "artifact": {"name": "xstream", "version": "1.4.19", "type": "java-archive", "locations": [{"path": "/usr/share/jenkins/jenkins.war", "layerID": "sha256:54f341385349f69f2ce6184ecec3ddcdb997d1d46f2aae35f0a94d5b92a0d3b4"}], "language": "java", "licenses": [], "cpes": ["cpe:2.3:a:thoughtworks:xstream:1.4.19:*:*:*:*:*:*:*", "cpe:2.3:a:xstream:xstream:1.4.19:*:*:*:*:*:*:*"], "purl": "pkg:maven/com.thoughtworks.xstream/xstream@1.4.19", "upstreams": [], "metadataType": "JavaMetadata", "metadata": {"virtualPath": "/usr/share/jenkins/jenkins.war:WEB-INF/lib/xstream-1.4.19.jar", "pomArtifactID": "xstream", "pomGroupID": "com.thoughtworks.xstream", "manifestName": "", "archiveDigests": [{"algorithm": "sha1", "value": "e0e581d812aa92ae12f07234f3398e06af74b112"}]}}}, {"vulnerability": {"id": "GHSA-9w3m-gqgf-c4p9", "dataSource": "https://github.com/advisories/GHSA-9w3m-gqgf-c4p9", "namespace": "github:language:java", "severity": "Medium", "urls": ["https://github.com/advisories/GHSA-9w3m-gqgf-c4p9"], "description": "snakeYAML before 1.32 vulnerable to Denial of Service due to Out-of-bounds Write", "cvss": [], "fix": {"versions": ["1.32"], "state": "fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-38752", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-38752", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47081", "https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081"], "description": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.", "cvss": [{"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "metrics": {"baseScore": 6.5, "exploitabilityScore": 2.8, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "java-matcher", "searchedBy": {"language": "java", "namespace": "github:language:java"}, "found": {"versionConstraint": "<1.32 (unknown)"}}], "artifact": {"name": "snakeyaml", "version": "1.29", "type": "java-archive", "locations": [{"path": "/usr/share/jenkins/jenkins.war", "layerID": "sha256:54f341385349f69f2ce6184ecec3ddcdb997d1d46f2aae35f0a94d5b92a0d3b4"}], "language": "java", "licenses": [], "cpes": ["cpe:2.3:a:snakeyaml:snakeyaml:1.29:*:*:*:*:*:*:*", "cpe:2.3:a:yaml:snakeyaml:1.29:*:*:*:*:*:*:*"], "purl": "pkg:maven/org.yaml/snakeyaml@1.29", "upstreams": [], "metadataType": "JavaMetadata", "metadata": {"virtualPath": "/usr/share/jenkins/jenkins.war:WEB-INF/detached-plugins/snakeyaml-api.hpi:WEB-INF/lib/snakeyaml-1.29.jar", "pomArtifactID": "snakeyaml", "pomGroupID": "org.yaml", "manifestName": "", "archiveDigests": [{"algorithm": "sha1", "value": "6d0cdafb2010f1297e574656551d7145240f6e25"}]}}}, {"vulnerability": {"id": "GHSA-9w3m-gqgf-c4p9", "dataSource": "https://github.com/advisories/GHSA-9w3m-gqgf-c4p9", "namespace": "github:language:java", "severity": "Medium", "urls": ["https://github.com/advisories/GHSA-9w3m-gqgf-c4p9"], "description": "snakeYAML before 1.32 vulnerable to Denial of Service due to Out-of-bounds Write", "cvss": [], "fix": {"versions": ["1.32"], "state": "fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-38752", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-38752", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47081", "https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081"], "description": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.", "cvss": [{"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "metrics": {"baseScore": 6.5, "exploitabilityScore": 2.8, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "java-matcher", "searchedBy": {"language": "java", "namespace": "github:language:java"}, "found": {"versionConstraint": "<1.32 (unknown)"}}], "artifact": {"name": "snakeyaml", "version": "1.31", "type": "java-archive", "locations": [{"path": "/opt/jenkins-plugin-manager.jar", "layerID": "sha256:687bd0550bb4eaa821990042f226fbf403559fe87ba8842fedf3a895f34082d5"}], "language": "java", "licenses": [], "cpes": ["cpe:2.3:a:snakeyaml:snakeyaml:1.31:*:*:*:*:*:*:*", "cpe:2.3:a:yaml:snakeyaml:1.31:*:*:*:*:*:*:*"], "purl": "pkg:maven/org.yaml/snakeyaml@1.31", "upstreams": [], "metadataType": "JavaMetadata", "metadata": {"virtualPath": "/opt/jenkins-plugin-manager.jar:snakeyaml", "pomArtifactID": "snakeyaml", "pomGroupID": "org.yaml", "manifestName": "", "archiveDigests": null}}}, {"vulnerability": {"id": "GHSA-c4r9-r8fh-9vj2", "dataSource": "https://github.com/advisories/GHSA-c4r9-r8fh-9vj2", "namespace": "github:language:java", "severity": "Medium", "urls": ["https://github.com/advisories/GHSA-c4r9-r8fh-9vj2"], "description": "snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write", "cvss": [], "fix": {"versions": ["1.31"], "state": "fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-38749", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://bitbucket.org/snakeyaml/snakeyaml/issues/525/got-stackoverflowerror-for-many-open", "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47024", "https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html"], "description": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.", "cvss": [{"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "metrics": {"baseScore": 6.5, "exploitabilityScore": 2.8, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "java-matcher", "searchedBy": {"language": "java", "namespace": "github:language:java"}, "found": {"versionConstraint": "<1.31 (unknown)"}}], "artifact": {"name": "snakeyaml", "version": "1.29", "type": "java-archive", "locations": [{"path": "/usr/share/jenkins/jenkins.war", "layerID": "sha256:54f341385349f69f2ce6184ecec3ddcdb997d1d46f2aae35f0a94d5b92a0d3b4"}], "language": "java", "licenses": [], "cpes": ["cpe:2.3:a:snakeyaml:snakeyaml:1.29:*:*:*:*:*:*:*", "cpe:2.3:a:yaml:snakeyaml:1.29:*:*:*:*:*:*:*"], "purl": "pkg:maven/org.yaml/snakeyaml@1.29", "upstreams": [], "metadataType": "JavaMetadata", "metadata": {"virtualPath": "/usr/share/jenkins/jenkins.war:WEB-INF/detached-plugins/snakeyaml-api.hpi:WEB-INF/lib/snakeyaml-1.29.jar", "pomArtifactID": "snakeyaml", "pomGroupID": "org.yaml", "manifestName": "", "archiveDigests": [{"algorithm": "sha1", "value": "6d0cdafb2010f1297e574656551d7145240f6e25"}]}}}, {"vulnerability": {"id": "GHSA-fv22-xp26-mm9w", "dataSource": "https://github.com/advisories/GHSA-fv22-xp26-mm9w", "namespace": "github:language:java", "severity": "High", "urls": ["https://github.com/advisories/GHSA-fv22-xp26-mm9w"], "description": "XStream Denial of Service due to parser crash", "cvss": [], "fix": {"versions": [], "state": "not-fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-40153", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-40153", "namespace": "nvd:cpe", "severity": "High", "urls": ["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=49858", "https://github.com/x-stream/xstream/issues/304"], "description": "Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.", "cvss": [{"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "java-matcher", "searchedBy": {"language": "java", "namespace": "github:language:java"}, "found": {"versionConstraint": "<=1.5.0 (unknown)"}}], "artifact": {"name": "xstream", "version": "1.4.19", "type": "java-archive", "locations": [{"path": "/usr/share/jenkins/jenkins.war", "layerID": "sha256:54f341385349f69f2ce6184ecec3ddcdb997d1d46f2aae35f0a94d5b92a0d3b4"}], "language": "java", "licenses": [], "cpes": ["cpe:2.3:a:thoughtworks:xstream:1.4.19:*:*:*:*:*:*:*", "cpe:2.3:a:xstream:xstream:1.4.19:*:*:*:*:*:*:*"], "purl": "pkg:maven/com.thoughtworks.xstream/xstream@1.4.19", "upstreams": [], "metadataType": "JavaMetadata", "metadata": {"virtualPath": "/usr/share/jenkins/jenkins.war:WEB-INF/lib/xstream-1.4.19.jar", "pomArtifactID": "xstream", "pomGroupID": "com.thoughtworks.xstream", "manifestName": "", "archiveDigests": [{"algorithm": "sha1", "value": "e0e581d812aa92ae12f07234f3398e06af74b112"}]}}}, {"vulnerability": {"id": "GHSA-hhhw-99gj-p3c3", "dataSource": "https://github.com/advisories/GHSA-hhhw-99gj-p3c3", "namespace": "github:language:java", "severity": "Medium", "urls": ["https://github.com/advisories/GHSA-hhhw-99gj-p3c3"], "description": "snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write", "cvss": [], "fix": {"versions": ["1.31"], "state": "fixed"}, "advisories": []}, "relatedVulnerabilities": [{"id": "CVE-2022-38750", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750", "namespace": "nvd:cpe", "severity": "Medium", "urls": ["https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027", "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027", "https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html"], "description": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.", "cvss": [{"version": "3.1", "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "metrics": {"baseScore": 5.5, "exploitabilityScore": 1.8, "impactScore": 3.6}, "vendorMetadata": {}}]}], "matchDetails": [{"type": "exact-direct-match", "matcher": "java-matcher", "searchedBy": {"language": "java", "namespace": "github:language:java"}, "found": {"versionConstraint": "<1.31 (unknown)"}}], "artifact": {"name": "snakeyaml", "version": "1.29", "type": "java-archive", "locations": [{"path": "/usr/share/jenkins/jenkins.war", "layerID": "sha256:54f341385349f69f2ce6184ecec3ddcdb997d1d46f2aae35f0a94d5b92a0d3b4"}], "language": "java", "licenses": [], "cpes": ["cpe:2.3:a:snakeyaml:snakeyaml:1.29:*:*:*:*:*:*:*", "cpe:2.3:a:yaml:snakeyaml:1.29:*:*:*:*:*:*:*"], "purl": "pkg:maven/org.yaml/snakeyaml@1.29", "upstreams": [], "metadataType": "JavaMetadata", "metadata": {"virtualPath": "/usr/share/jenkins/jenkins.war:WEB-INF/detached-plugins/snakeyaml-api.hpi:WEB-INF/lib/snakeyaml-1.29.jar", "pomArtifactID": "snakeyaml", "pomGroupID": "org.yaml", "manifestName": "", "archiveDigests": [{"algorithm": "sha1", "value": "6d0cdafb2010f1297e574656551d7145240f6e25"}]}}}], "source": {"type": "image", "target": {"userInput": "jenkins/jenkins:latest", "imageID": "sha256:62694ee7707eeed83cfdddcb892e4d48315a42ddb608679a2f2d012a405cd39e", "manifestDigest": "sha256:032cf07c238ba6e4e27bda7499f28bfbdd3b2031d311528739f9baeead953690", "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "tags": ["jenkins/jenkins:latest"], "imageSize": 452987414, "layers": [{"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "digest": "sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18", "size": 117910998}, {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "digest": "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194", "size": 120347616}, {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "digest": "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673", "size": 15542275}, {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "digest": "sha256:fc9a51638b16c36853c2ef1a45a5e819ad3e1790152a7cd754a45f39b824775b", "size": 3249}, {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "digest": "sha256:92db140da1f5c90784831e2e6433e03133d5af7d4f3171816c514c29fd83bd49", "size": 0}, {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "digest": "sha256:54f341385349f69f2ce6184ecec3ddcdb997d1d46f2aae35f0a94d5b92a0d3b4", "size": 93548489}, {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "digest": "sha256:c9b68da33ca33ee833513a9fc97d065f3d42d85ae7e776aee1fa0abfd271630b", "size": 0}, {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "digest": "sha256:687bd0550bb4eaa821990042f226fbf403559fe87ba8842fedf3a895f34082d5", "size": 6255224}, {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "digest": "sha256:68d47521aa341cb528302dc5701c8f184a4af12022e080c5abdee86db0a6631b", "size": 99369972}, {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "digest": "sha256:e03780dcb30d650d125184140b0650fbce7b9a5ff185e1146e6bd74ca062283f", "size": 6503}, {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "digest": "sha256:43305190bf7a3b09f5be70a6718a24714e723bfcce60617ad326f18c104611db", "size": 2149}, {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "digest": "sha256:bd4179aca5c898ff6c654e83ac9df2668dd85205cf8bea47b5fdef790211b69a", "size": 506}, {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "digest": "sha256:6692f5b1d367af8ae5ed8050d1beabc30359db521272a3fccafe43437c47dab6", "size": 323}, {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "digest": "sha256:f59ba7c3f335e803163a38c198f37cc5d1203129c4e8f1e4e0d7eb0706e6c600", "size": 110}], "manifest": "eyJzY2hlbWFWZXJzaW9uIjoyLCJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmRpc3RyaWJ1dGlvbi5tYW5pZmVzdC52Mitqc29uIiwiY29uZmlnIjp7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuY29udGFpbmVyLmltYWdlLnYxK2pzb24iLCJzaXplIjoxMzI4NiwiZGlnZXN0Ijoic2hhMjU2OjYyNjk0ZWU3NzA3ZWVlZDgzY2ZkZGRjYjg5MmU0ZDQ4MzE1YTQyZGRiNjA4Njc5YTJmMmQwMTJhNDA1Y2QzOWUifSwibGF5ZXJzIjpbeyJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmltYWdlLnJvb3Rmcy5kaWZmLnRhci5nemlwIiwic2l6ZSI6MTIzMTUzOTIwLCJkaWdlc3QiOiJzaGEyNTY6MDQ1MGQzM2MyZjViM2NmZWZkYmE5MzgxYzEzZDA1OTAyNWY2ZWZkYmQ3NzNmNTZjYmY4NmViMWMxOGUxMmYxOCJ9LHsibWVkaWFUeXBlIjoiYXBwbGljYXRpb24vdm5kLmRvY2tlci5pbWFnZS5yb290ZnMuZGlmZi50YXIuZ3ppcCIsInNpemUiOjEyMzY4NDg2NCwiZGlnZXN0Ijoic2hhMjU2OmVjMDk1MzI3OWNlNmQzMzRkNjU1ZjRjODc0MzE2YjFlY2ZlOTE4OGRhZWY4ZDlhMDgyNzU1YjAxMmM3M2YxOTQifSx7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuaW1hZ2Uucm9vdGZzLmRpZmYudGFyLmd6aXAiLCJzaXplIjoxNTYwMTY2NCwiZGlnZXN0Ijoic2hhMjU2OjE5Yzg5NDM1NjA1MGJkZTUyN2MxMjA3Y2NjN2U4OGNlMmQ5ZDNmODBkMTFmZWZiMjNjMjI1MmI5NDg1ZjU2NzMifSx7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuaW1hZ2Uucm9vdGZzLmRpZmYudGFyLmd6aXAiLCJzaXplIjoxMjgwMCwiZGlnZXN0Ijoic2hhMjU2OmZjOWE1MTYzOGIxNmMzNjg1M2MyZWYxYTQ1YTVlODE5YWQzZTE3OTAxNTJhN2NkNzU0YTQ1ZjM5YjgyNDc3NWIifSx7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuaW1hZ2Uucm9vdGZzLmRpZmYudGFyLmd6aXAiLCJzaXplIjozNTg0LCJkaWdlc3QiOiJzaGEyNTY6OTJkYjE0MGRhMWY1YzkwNzg0ODMxZTJlNjQzM2UwMzEzM2Q1YWY3ZDRmMzE3MTgxNmM1MTRjMjlmZDgzYmQ0OSJ9LHsibWVkaWFUeXBlIjoiYXBwbGljYXRpb24vdm5kLmRvY2tlci5pbWFnZS5yb290ZnMuZGlmZi50YXIuZ3ppcCIsInNpemUiOjkzNTUxNjE2LCJkaWdlc3QiOiJzaGEyNTY6NTRmMzQxMzg1MzQ5ZjY5ZjJjZTYxODRlY2VjM2RkY2RiOTk3ZDFkNDZmMmFhZTM1ZjBhOTRkNWI5MmEwZDNiNCJ9LHsibWVkaWFUeXBlIjoiYXBwbGljYXRpb24vdm5kLmRvY2tlci5pbWFnZS5yb290ZnMuZGlmZi50YXIuZ3ppcCIsInNpemUiOjM1ODQsImRpZ2VzdCI6InNoYTI1NjpjOWI2OGRhMzNjYTMzZWU4MzM1MTNhOWZjOTdkMDY1ZjNkNDJkODVhZTdlNzc2YWVlMWZhMGFiZmQyNzE2MzBiIn0seyJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmltYWdlLnJvb3Rmcy5kaWZmLnRhci5nemlwIiwic2l6ZSI6NjI1NzY2NCwiZGlnZXN0Ijoic2hhMjU2OjY4N2JkMDU1MGJiNGVhYTgyMTk5MDA0MmYyMjZmYmY0MDM1NTlmZTg3YmE4ODQyZmVkZjNhODk1ZjM0MDgyZDUifSx7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuaW1hZ2Uucm9vdGZzLmRpZmYudGFyLmd6aXAiLCJzaXplIjo5OTY0NzQ4OCwiZGlnZXN0Ijoic2hhMjU2OjY4ZDQ3NTIxYWEzNDFjYjUyODMwMmRjNTcwMWM4ZjE4NGE0YWYxMjAyMmUwODBjNWFiZGVlODZkYjBhNjYzMWIifSx7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuaW1hZ2Uucm9vdGZzLmRpZmYudGFyLmd6aXAiLCJzaXplIjo5NzI4LCJkaWdlc3QiOiJzaGEyNTY6ZTAzNzgwZGNiMzBkNjUwZDEyNTE4NDE0MGIwNjUwZmJjZTdiOWE1ZmYxODVlMTE0NmU2YmQ3NGNhMDYyMjgzZiJ9LHsibWVkaWFUeXBlIjoiYXBwbGljYXRpb24vdm5kLmRvY2tlci5pbWFnZS5yb290ZnMuZGlmZi50YXIuZ3ppcCIsInNpemUiOjU2MzIsImRpZ2VzdCI6InNoYTI1Njo0MzMwNTE5MGJmN2EzYjA5ZjViZTcwYTY3MThhMjQ3MTRlNzIzYmZjY2U2MDYxN2FkMzI2ZjE4YzEwNDYxMWRiIn0seyJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmltYWdlLnJvb3Rmcy5kaWZmLnRhci5nemlwIiwic2l6ZSI6MjU2MCwiZGlnZXN0Ijoic2hhMjU2OmJkNDE3OWFjYTVjODk4ZmY2YzY1NGU4M2FjOWRmMjY2OGRkODUyMDVjZjhiZWE0N2I1ZmRlZjc5MDIxMWI2OWEifSx7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuaW1hZ2Uucm9vdGZzLmRpZmYudGFyLmd6aXAiLCJzaXplIjoyNTYwLCJkaWdlc3QiOiJzaGEyNTY6NjY5MmY1YjFkMzY3YWY4YWU1ZWQ4MDUwZDFiZWFiYzMwMzU5ZGI1MjEyNzJhM2ZjY2FmZTQzNDM3YzQ3ZGFiNiJ9LHsibWVkaWFUeXBlIjoiYXBwbGljYXRpb24vdm5kLmRvY2tlci5pbWFnZS5yb290ZnMuZGlmZi50YXIuZ3ppcCIsInNpemUiOjM1ODQsImRpZ2VzdCI6InNoYTI1NjpmNTliYTdjM2YzMzVlODAzMTYzYTM4YzE5OGYzN2NjNWQxMjAzMTI5YzRlOGYxZTRlMGQ3ZWIwNzA2ZTZjNjAwIn1dfQ==", "config": "eyJhcmNoaXRlY3R1cmUiOiJhcm02NCIsImNvbmZpZyI6eyJVc2VyIjoiamVua2lucyIsIkV4cG9zZWRQb3J0cyI6eyI1MDAwMC90Y3AiOnt9LCI4MDgwL3RjcCI6e319LCJFbnYiOlsiUEFUSD0vb3B0L2phdmEvb3Blbmpkay9iaW46L3Vzci9sb2NhbC9zYmluOi91c3IvbG9jYWwvYmluOi91c3Ivc2JpbjovdXNyL2Jpbjovc2JpbjovYmluIiwiTEFORz1DLlVURi04IiwiSkVOS0lOU19IT01FPS92YXIvamVua2luc19ob21lIiwiSkVOS0lOU19TTEFWRV9BR0VOVF9QT1JUPTUwMDAwIiwiUkVGPS91c3Ivc2hhcmUvamVua2lucy9yZWYiLCJKRU5LSU5TX1ZFUlNJT049Mi4zNzIiLCJKRU5LSU5TX1VDPWh0dHBzOi8vdXBkYXRlcy5qZW5raW5zLmlvIiwiSkVOS0lOU19VQ19FWFBFUklNRU5UQUw9aHR0cHM6Ly91cGRhdGVzLmplbmtpbnMuaW8vZXhwZXJpbWVudGFsIiwiSkVOS0lOU19JTkNSRU1FTlRBTFNfUkVQT19NSVJST1I9aHR0cHM6Ly9yZXBvLmplbmtpbnMtY2kub3JnL2luY3JlbWVudGFscyIsIkNPUFlfUkVGRVJFTkNFX0ZJTEVfTE9HPS92YXIvamVua2luc19ob21lL2NvcHlfcmVmZXJlbmNlX2ZpbGUubG9nIiwiSkFWQV9IT01FPS9vcHQvamF2YS9vcGVuamRrIl0sIkVudHJ5cG9pbnQiOlsiL3Vzci9iaW4vdGluaSIsIi0tIiwiL3Vzci9sb2NhbC9iaW4vamVua2lucy5zaCJdLCJWb2x1bWVzIjp7Ii92YXIvamVua2luc19ob21lIjp7fX0sIkxhYmVscyI6eyJvcmcub3BlbmNvbnRhaW5lcnMuaW1hZ2UuZGVzY3JpcHRpb24iOiJUaGUgSmVua2lucyBDb250aW51b3VzIEludGVncmF0aW9uIGFuZCBEZWxpdmVyeSBzZXJ2ZXIiLCJvcmcub3BlbmNvbnRhaW5lcnMuaW1hZ2UubGljZW5zZXMiOiJNSVQiLCJvcmcub3BlbmNvbnRhaW5lcnMuaW1hZ2UucmV2aXNpb24iOiJiYjJjNDhjZGZiN2ViMDkxZTY5MDc0OWUxMGQwYzViMzM3NDAyNDUyIiwib3JnLm9wZW5jb250YWluZXJzLmltYWdlLnNvdXJjZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9qZW5raW5zY2kvZG9ja2VyIiwib3JnLm9wZW5jb250YWluZXJzLmltYWdlLnRpdGxlIjoiT2ZmaWNpYWwgSmVua2lucyBEb2NrZXIgaW1hZ2UiLCJvcmcub3BlbmNvbnRhaW5lcnMuaW1hZ2UudXJsIjoiaHR0cHM6Ly93d3cuamVua2lucy5pby8iLCJvcmcub3BlbmNvbnRhaW5lcnMuaW1hZ2UudmVuZG9yIjoiSmVua2lucyBwcm9qZWN0Iiwib3JnLm9wZW5jb250YWluZXJzLmltYWdlLnZlcnNpb24iOiIyLjM3MiJ9LCJPbkJ1aWxkIjpudWxsfSwiY3JlYXRlZCI6IjIwMjItMTAtMDRUMTU6MDA6NDUuNzU0MzczMzEyWiIsImhpc3RvcnkiOlt7ImNyZWF0ZWQiOiIyMDIyLTA5LTEzVDAyOjEwOjQxLjIxNTA2ODIyOVoiLCJjcmVhdGVkX2J5IjoiL2Jpbi9zaCAtYyAjKG5vcCkgQUREIGZpbGU6ODc5ZmIwY2QyMzEwN2FjNmY1MzU4MTQ1NjA3NGM3ZmYxM2MwNTFhYTI2MmRlM2NhMTZmZmE4NDc1Y2YwNGRlYyBpbiAvICJ9LHsiY3JlYXRlZCI6IjIwMjItMDktMTNUMDI6MTA6NDIuMTE5OTkxMTJaIiwiY3JlYXRlZF9ieSI6Ii9iaW4vc2ggLWMgIyhub3ApICBDTUQgW1wiYmFzaFwiXSIsImVtcHR5X2xheWVyIjp0cnVlfSx7ImNyZWF0ZWQiOiIyMDIyLTEwLTA0VDE0OjU5OjM5LjI0MzI3OTAxNloiLCJjcmVhdGVkX2J5IjoiUlVOIC9iaW4vc2ggLWMgYXB0LWdldCB1cGRhdGUgICBcdTAwMjZcdTAwMjYgYXB0LWdldCBpbnN0YWxsIC15IC0tbm8taW5zdGFsbC1yZWNvbW1lbmRzICAgICBjYS1jZXJ0aWZpY2F0ZXMgICAgIGN1cmwgICAgIGdpdCAgICAgZ251cGcgICAgIGdwZyAgICAgbGliZm9udGNvbmZpZzEgICAgIGxpYmZyZWV0eXBlNiAgICAgc3NoLWNsaWVudCAgICAgdGluaSAgICAgdW56aXAgICBcdTAwMjZcdTAwMjYgcm0gLXJmIC92YXIvbGliL2FwdC9saXN0cy8qICMgYnVpbGRraXQiLCJjb21tZW50IjoiYnVpbGRraXQuZG9ja2VyZmlsZS52MCJ9LHsiY3JlYXRlZCI6IjIwMjItMTAtMDRUMTU6MDA6MzIuOTM3MTM5Nzk2WiIsImNyZWF0ZWRfYnkiOiJSVU4gL2Jpbi9zaCAtYyBjdXJsIC1zIGh0dHBzOi8vcGFja2FnZWNsb3VkLmlvL2luc3RhbGwvcmVwb3NpdG9yaWVzL2dpdGh1Yi9naXQtbGZzL3NjcmlwdC5kZWIuc2ggLW8gL3RtcC9zY3JpcHQuZGViLnNoICAgXHUwMDI2XHUwMDI2IGJhc2ggL3RtcC9zY3JpcHQuZGViLnNoICAgXHUwMDI2XHUwMDI2IHJtIC1mIC90bXAvc2NyaXB0LmRlYi5zaCAgIFx1MDAyNlx1MDAyNiBhcHQtZ2V0IGluc3RhbGwgLXkgLS1uby1pbnN0YWxsLXJlY29tbWVuZHMgICAgIGdpdC1sZnMgICBcdTAwMjZcdTAwMjYgcm0gLXJmIC92YXIvbGliL2FwdC9saXN0cy8qICAgXHUwMDI2XHUwMDI2IGdpdCBsZnMgaW5zdGFsbCAjIGJ1aWxka2l0IiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAifSx7ImNyZWF0ZWQiOiIyMDIyLTEwLTA0VDE1OjAwOjMzLjM3MDk4MjE3N1oiLCJjcmVhdGVkX2J5IjoiRU5WIExBTkc9Qy5VVEYtOCIsImNvbW1lbnQiOiJidWlsZGtpdC5kb2NrZXJmaWxlLnYwIiwiZW1wdHlfbGF5ZXIiOnRydWV9LHsiY3JlYXRlZCI6IjIwMjItMTAtMDRUMTU6MDA6MzMuMzcwOTgyMTc3WiIsImNyZWF0ZWRfYnkiOiJBUkcgVEFSR0VUQVJDSCIsImNvbW1lbnQiOiJidWlsZGtpdC5kb2NrZXJmaWxlLnYwIiwiZW1wdHlfbGF5ZXIiOnRydWV9LHsiY3JlYXRlZCI6IjIwMjItMTAtMDRUMTU6MDA6MzMuMzcwOTgyMTc3WiIsImNyZWF0ZWRfYnkiOiJBUkcgQ09NTUlUX1NIQSIsImNvbW1lbnQiOiJidWlsZGtpdC5kb2NrZXJmaWxlLnYwIiwiZW1wdHlfbGF5ZXIiOnRydWV9LHsiY3JlYXRlZCI6IjIwMjItMTAtMDRUMTU6MDA6MzMuMzcwOTgyMTc3WiIsImNyZWF0ZWRfYnkiOiJBUkcgdXNlcj1qZW5raW5zIiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAiLCJlbXB0eV9sYXllciI6dHJ1ZX0seyJjcmVhdGVkIjoiMjAyMi0xMC0wNFQxNTowMDozMy4zNzA5ODIxNzdaIiwiY3JlYXRlZF9ieSI6IkFSRyBncm91cD1qZW5raW5zIiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAiLCJlbXB0eV9sYXllciI6dHJ1ZX0seyJjcmVhdGVkIjoiMjAyMi0xMC0wNFQxNTowMDozMy4zNzA5ODIxNzdaIiwiY3JlYXRlZF9ieSI6IkFSRyB1aWQ9MTAwMCIsImNvbW1lbnQiOiJidWlsZGtpdC5kb2NrZXJmaWxlLnYwIiwiZW1wdHlfbGF5ZXIiOnRydWV9LHsiY3JlYXRlZCI6IjIwMjItMTAtMDRUMTU6MDA6MzMuMzcwOTgyMTc3WiIsImNyZWF0ZWRfYnkiOiJBUkcgZ2lkPTEwMDAiLCJjb21tZW50IjoiYnVpbGRraXQuZG9ja2VyZmlsZS52MCIsImVtcHR5X2xheWVyIjp0cnVlfSx7ImNyZWF0ZWQiOiIyMDIyLTEwLTA0VDE1OjAwOjMzLjM3MDk4MjE3N1oiLCJjcmVhdGVkX2J5IjoiQVJHIGh0dHBfcG9ydD04MDgwIiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAiLCJlbXB0eV9sYXllciI6dHJ1ZX0seyJjcmVhdGVkIjoiMjAyMi0xMC0wNFQxNTowMDozMy4zNzA5ODIxNzdaIiwiY3JlYXRlZF9ieSI6IkFSRyBhZ2VudF9wb3J0PTUwMDAwIiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAiLCJlbXB0eV9sYXllciI6dHJ1ZX0seyJjcmVhdGVkIjoiMjAyMi0xMC0wNFQxNTowMDozMy4zNzA5ODIxNzdaIiwiY3JlYXRlZF9ieSI6IkFSRyBKRU5LSU5TX0hPTUU9L3Zhci9qZW5raW5zX2hvbWUiLCJjb21tZW50IjoiYnVpbGRraXQuZG9ja2VyZmlsZS52MCIsImVtcHR5X2xheWVyIjp0cnVlfSx7ImNyZWF0ZWQiOiIyMDIyLTEwLTA0VDE1OjAwOjMzLjM3MDk4MjE3N1oiLCJjcmVhdGVkX2J5IjoiQVJHIFJFRj0vdXNyL3NoYXJlL2plbmtpbnMvcmVmIiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAiLCJlbXB0eV9sYXllciI6dHJ1ZX0seyJjcmVhdGVkIjoiMjAyMi0xMC0wNFQxNTowMDozMy4zNzA5ODIxNzdaIiwiY3JlYXRlZF9ieSI6IkVOViBKRU5LSU5TX0hPTUU9L3Zhci9qZW5raW5zX2hvbWUiLCJjb21tZW50IjoiYnVpbGRraXQuZG9ja2VyZmlsZS52MCIsImVtcHR5X2xheWVyIjp0cnVlfSx7ImNyZWF0ZWQiOiIyMDIyLTEwLTA0VDE1OjAwOjMzLjM3MDk4MjE3N1oiLCJjcmVhdGVkX2J5IjoiRU5WIEpFTktJTlNfU0xBVkVfQUdFTlRfUE9SVD01MDAwMCIsImNvbW1lbnQiOiJidWlsZGtpdC5kb2NrZXJmaWxlLnYwIiwiZW1wdHlfbGF5ZXIiOnRydWV9LHsiY3JlYXRlZCI6IjIwMjItMTAtMDRUMTU6MDA6MzMuMzcwOTgyMTc3WiIsImNyZWF0ZWRfYnkiOiJFTlYgUkVGPS91c3Ivc2hhcmUvamVua2lucy9yZWYiLCJjb21tZW50IjoiYnVpbGRraXQuZG9ja2VyZmlsZS52MCIsImVtcHR5X2xheWVyIjp0cnVlfSx7ImNyZWF0ZWQiOiIyMDIyLTEwLTA0VDE1OjAwOjMzLjM3MDk4MjE3N1oiLCJjcmVhdGVkX2J5IjoiUlVOIHwxMCBUQVJHRVRBUkNIPWFybTY0IENPTU1JVF9TSEE9YmIyYzQ4Y2RmYjdlYjA5MWU2OTA3NDllMTBkMGM1YjMzNzQwMjQ1MiB1c2VyPWplbmtpbnMgZ3JvdXA9amVua2lucyB1aWQ9MTAwMCBnaWQ9MTAwMCBodHRwX3BvcnQ9ODA4MCBhZ2VudF9wb3J0PTUwMDAwIEpFTktJTlNfSE9NRT0vdmFyL2plbmtpbnNfaG9tZSBSRUY9L3Vzci9zaGFyZS9qZW5raW5zL3JlZiAvYmluL3NoIC1jIG1rZGlyIC1wICRKRU5LSU5TX0hPTUUgICBcdTAwMjZcdTAwMjYgY2hvd24gJHt1aWR9OiR7Z2lkfSAkSkVOS0lOU19IT01FICAgXHUwMDI2XHUwMDI2IGdyb3VwYWRkIC1nICR7Z2lkfSAke2dyb3VwfSAgIFx1MDAyNlx1MDAyNiB1c2VyYWRkIC1kIFwiJEpFTktJTlNfSE9NRVwiIC11ICR7dWlkfSAtZyAke2dpZH0gLWwgLW0gLXMgL2Jpbi9iYXNoICR7dXNlcn0gIyBidWlsZGtpdCIsImNvbW1lbnQiOiJidWlsZGtpdC5kb2NrZXJmaWxlLnYwIn0seyJjcmVhdGVkIjoiMjAyMi0xMC0wNFQxNTowMDozMy4zNzA5ODIxNzdaIiwiY3JlYXRlZF9ieSI6IlZPTFVNRSBbL3Zhci9qZW5raW5zX2hvbWVdIiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAiLCJlbXB0eV9sYXllciI6dHJ1ZX0seyJjcmVhdGVkIjoiMjAyMi0xMC0wNFQxNTowMDozMy41MTgwMTgzNzRaIiwiY3JlYXRlZF9ieSI6IlJVTiB8MTAgVEFSR0VUQVJDSD1hcm02NCBDT01NSVRfU0hBPWJiMmM0OGNkZmI3ZWIwOTFlNjkwNzQ5ZTEwZDBjNWIzMzc0MDI0NTIgdXNlcj1qZW5raW5zIGdyb3VwPWplbmtpbnMgdWlkPTEwMDAgZ2lkPTEwMDAgaHR0cF9wb3J0PTgwODAgYWdlbnRfcG9ydD01MDAwMCBKRU5LSU5TX0hPTUU9L3Zhci9qZW5raW5zX2hvbWUgUkVGPS91c3Ivc2hhcmUvamVua2lucy9yZWYgL2Jpbi9zaCAtYyBta2RpciAtcCAke1JFRn0vaW5pdC5ncm9vdnkuZCAjIGJ1aWxka2l0IiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAifSx7ImNyZWF0ZWQiOiIyMDIyLTEwLTA0VDE1OjAwOjMzLjUxODAxODM3NFoiLCJjcmVhdGVkX2J5IjoiQVJHIEpFTktJTlNfVkVSU0lPTiIsImNvbW1lbnQiOiJidWlsZGtpdC5kb2NrZXJmaWxlLnYwIiwiZW1wdHlfbGF5ZXIiOnRydWV9LHsiY3JlYXRlZCI6IjIwMjItMTAtMDRUMTU6MDA6MzMuNTE4MDE4Mzc0WiIsImNyZWF0ZWRfYnkiOiJFTlYgSkVOS0lOU19WRVJTSU9OPTIuMzcyIiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAiLCJlbXB0eV9sYXllciI6dHJ1ZX0seyJjcmVhdGVkIjoiMjAyMi0xMC0wNFQxNTowMDozMy41MTgwMTgzNzRaIiwiY3JlYXRlZF9ieSI6IkFSRyBKRU5LSU5TX1NIQT0xMTYzYzQ1NTRkYzkzNDM5YzVlZWYwMmIwNmE4ZDc0Zjk4Y2E5MjBiYmMwMTJjMmI4YTA4OWQ0MTRjZmE4MDc1IiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAiLCJlbXB0eV9sYXllciI6dHJ1ZX0seyJjcmVhdGVkIjoiMjAyMi0xMC0wNFQxNTowMDozMy41MTgwMTgzNzRaIiwiY3JlYXRlZF9ieSI6IkFSRyBKRU5LSU5TX1VSTD1odHRwczovL3JlcG8uamVua2lucy1jaS5vcmcvcHVibGljL29yZy9qZW5raW5zLWNpL21haW4vamVua2lucy13YXIvMi4zNzIvamVua2lucy13YXItMi4zNzIud2FyIiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAiLCJlbXB0eV9sYXllciI6dHJ1ZX0seyJjcmVhdGVkIjoiMjAyMi0xMC0wNFQxNTowMDo0NC4xMjM5MjgxNjZaIiwiY3JlYXRlZF9ieSI6IlJVTiB8MTMgVEFSR0VUQVJDSD1hcm02NCBDT01NSVRfU0hBPWJiMmM0OGNkZmI3ZWIwOTFlNjkwNzQ5ZTEwZDBjNWIzMzc0MDI0NTIgdXNlcj1qZW5raW5zIGdyb3VwPWplbmtpbnMgdWlkPTEwMDAgZ2lkPTEwMDAgaHR0cF9wb3J0PTgwODAgYWdlbnRfcG9ydD01MDAwMCBKRU5LSU5TX0hPTUU9L3Zhci9qZW5raW5zX2hvbWUgUkVGPS91c3Ivc2hhcmUvamVua2lucy9yZWYgSkVOS0lOU19WRVJTSU9OPTIuMzcyIEpFTktJTlNfU0hBPWNiMmJhNGM0ZGQyYmZiMWJjZmM1N2QxMjllYTNiMjk5YmFlYzgyMzU4YWE5OWU3N2ZmMTQyYjllNDMyYmJiMjUgSkVOS0lOU19VUkw9aHR0cHM6Ly9yZXBvLmplbmtpbnMtY2kub3JnL3B1YmxpYy9vcmcvamVua2lucy1jaS9tYWluL2plbmtpbnMtd2FyLzIuMzcyL2plbmtpbnMtd2FyLTIuMzcyLndhciAvYmluL3NoIC1jIGN1cmwgLWZzU0wgJHtKRU5LSU5TX1VSTH0gLW8gL3Vzci9zaGFyZS9qZW5raW5zL2plbmtpbnMud2FyICAgXHUwMDI2XHUwMDI2IGVjaG8gXCIke0pFTktJTlNfU0hBfSAgL3Vzci9zaGFyZS9qZW5raW5zL2plbmtpbnMud2FyXCIgXHUwMDNlL3RtcC9qZW5raW5zX3NoYSAgIFx1MDAyNlx1MDAyNiBzaGEyNTZzdW0gLWMgLS1zdHJpY3QgL3RtcC9qZW5raW5zX3NoYSAgIFx1MDAyNlx1MDAyNiBybSAtZiAvdG1wL2plbmtpbnNfc2hhICMgYnVpbGRraXQiLCJjb21tZW50IjoiYnVpbGRraXQuZG9ja2VyZmlsZS52MCJ9LHsiY3JlYXRlZCI6IjIwMjItMTAtMDRUMTU6MDA6NDQuMTIzOTI4MTY2WiIsImNyZWF0ZWRfYnkiOiJFTlYgSkVOS0lOU19VQz1odHRwczovL3VwZGF0ZXMuamVua2lucy5pbyIsImNvbW1lbnQiOiJidWlsZGtpdC5kb2NrZXJmaWxlLnYwIiwiZW1wdHlfbGF5ZXIiOnRydWV9LHsiY3JlYXRlZCI6IjIwMjItMTAtMDRUMTU6MDA6NDQuMTIzOTI4MTY2WiIsImNyZWF0ZWRfYnkiOiJFTlYgSkVOS0lOU19VQ19FWFBFUklNRU5UQUw9aHR0cHM6Ly91cGRhdGVzLmplbmtpbnMuaW8vZXhwZXJpbWVudGFsIiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAiLCJlbXB0eV9sYXllciI6dHJ1ZX0seyJjcmVhdGVkIjoiMjAyMi0xMC0wNFQxNTowMDo0NC4xMjM5MjgxNjZaIiwiY3JlYXRlZF9ieSI6IkVOViBKRU5LSU5TX0lOQ1JFTUVOVEFMU19SRVBPX01JUlJPUj1odHRwczovL3JlcG8uamVua2lucy1jaS5vcmcvaW5jcmVtZW50YWxzIiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAiLCJlbXB0eV9sYXllciI6dHJ1ZX0seyJjcmVhdGVkIjoiMjAyMi0xMC0wNFQxNTowMDo0NC4yOTY0OTg2ODdaIiwiY3JlYXRlZF9ieSI6IlJVTiB8MTMgVEFSR0VUQVJDSD1hcm02NCBDT01NSVRfU0hBPWJiMmM0OGNkZmI3ZWIwOTFlNjkwNzQ5ZTEwZDBjNWIzMzc0MDI0NTIgdXNlcj1qZW5raW5zIGdyb3VwPWplbmtpbnMgdWlkPTEwMDAgZ2lkPTEwMDAgaHR0cF9wb3J0PTgwODAgYWdlbnRfcG9ydD01MDAwMCBKRU5LSU5TX0hPTUU9L3Zhci9qZW5raW5zX2hvbWUgUkVGPS91c3Ivc2hhcmUvamVua2lucy9yZWYgSkVOS0lOU19WRVJTSU9OPTIuMzcyIEpFTktJTlNfU0hBPWNiMmJhNGM0ZGQyYmZiMWJjZmM1N2QxMjllYTNiMjk5YmFlYzgyMzU4YWE5OWU3N2ZmMTQyYjllNDMyYmJiMjUgSkVOS0lOU19VUkw9aHR0cHM6Ly9yZXBvLmplbmtpbnMtY2kub3JnL3B1YmxpYy9vcmcvamVua2lucy1jaS9tYWluL2plbmtpbnMtd2FyLzIuMzcyL2plbmtpbnMtd2FyLTIuMzcyLndhciAvYmluL3NoIC1jIGNob3duIC1SICR7dXNlcn0gXCIkSkVOS0lOU19IT01FXCIgXCIkUkVGXCIgIyBidWlsZGtpdCIsImNvbW1lbnQiOiJidWlsZGtpdC5kb2NrZXJmaWxlLnYwIn0seyJjcmVhdGVkIjoiMjAyMi0xMC0wNFQxNTowMDo0NC4yOTY0OTg2ODdaIiwiY3JlYXRlZF9ieSI6IkFSRyBQTFVHSU5fQ0xJX1ZFUlNJT049Mi4xMi45IiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAiLCJlbXB0eV9sYXllciI6dHJ1ZX0seyJjcmVhdGVkIjoiMjAyMi0xMC0wNFQxNTowMDo0NC4yOTY0OTg2ODdaIiwiY3JlYXRlZF9ieSI6IkFSRyBQTFVHSU5fQ0xJX1VSTD1odHRwczovL2dpdGh1Yi5jb20vamVua2luc2NpL3BsdWdpbi1pbnN0YWxsYXRpb24tbWFuYWdlci10b29sL3JlbGVhc2VzL2Rvd25sb2FkLzIuMTIuOS9qZW5raW5zLXBsdWdpbi1tYW5hZ2VyLTIuMTIuOS5qYXIiLCJjb21tZW50IjoiYnVpbGRraXQuZG9ja2VyZmlsZS52MCIsImVtcHR5X2xheWVyIjp0cnVlfSx7ImNyZWF0ZWQiOiIyMDIyLTEwLTA0VDE1OjAwOjQ1LjQ1OTYzNTU0MloiLCJjcmVhdGVkX2J5IjoiUlVOIHwxNSBUQVJHRVRBUkNIPWFybTY0IENPTU1JVF9TSEE9YmIyYzQ4Y2RmYjdlYjA5MWU2OTA3NDllMTBkMGM1YjMzNzQwMjQ1MiB1c2VyPWplbmtpbnMgZ3JvdXA9amVua2lucyB1aWQ9MTAwMCBnaWQ9MTAwMCBodHRwX3BvcnQ9ODA4MCBhZ2VudF9wb3J0PTUwMDAwIEpFTktJTlNfSE9NRT0vdmFyL2plbmtpbnNfaG9tZSBSRUY9L3Vzci9zaGFyZS9qZW5raW5zL3JlZiBKRU5LSU5TX1ZFUlNJT049Mi4zNzIgSkVOS0lOU19TSEE9Y2IyYmE0YzRkZDJiZmIxYmNmYzU3ZDEyOWVhM2IyOTliYWVjODIzNThhYTk5ZTc3ZmYxNDJiOWU0MzJiYmIyNSBKRU5LSU5TX1VSTD1odHRwczovL3JlcG8uamVua2lucy1jaS5vcmcvcHVibGljL29yZy9qZW5raW5zLWNpL21haW4vamVua2lucy13YXIvMi4zNzIvamVua2lucy13YXItMi4zNzIud2FyIFBMVUdJTl9DTElfVkVSU0lPTj0yLjEyLjkgUExVR0lOX0NMSV9VUkw9aHR0cHM6Ly9naXRodWIuY29tL2plbmtpbnNjaS9wbHVnaW4taW5zdGFsbGF0aW9uLW1hbmFnZXItdG9vbC9yZWxlYXNlcy9kb3dubG9hZC8yLjEyLjkvamVua2lucy1wbHVnaW4tbWFuYWdlci0yLjEyLjkuamFyIC9iaW4vc2ggLWMgY3VybCAtZnNTTCAke1BMVUdJTl9DTElfVVJMfSAtbyAvb3B0L2plbmtpbnMtcGx1Z2luLW1hbmFnZXIuamFyICMgYnVpbGRraXQiLCJjb21tZW50IjoiYnVpbGRraXQuZG9ja2VyZmlsZS52MCJ9LHsiY3JlYXRlZCI6IjIwMjItMTAtMDRUMTU6MDA6NDUuNDU5NjM1NTQyWiIsImNyZWF0ZWRfYnkiOiJFWFBPU0UgbWFwWzgwODAvdGNwOnt9XSIsImNvbW1lbnQiOiJidWlsZGtpdC5kb2NrZXJmaWxlLnYwIiwiZW1wdHlfbGF5ZXIiOnRydWV9LHsiY3JlYXRlZCI6IjIwMjItMTAtMDRUMTU6MDA6NDUuNDU5NjM1NTQyWiIsImNyZWF0ZWRfYnkiOiJFWFBPU0UgbWFwWzUwMDAwL3RjcDp7fV0iLCJjb21tZW50IjoiYnVpbGRraXQuZG9ja2VyZmlsZS52MCIsImVtcHR5X2xheWVyIjp0cnVlfSx7ImNyZWF0ZWQiOiIyMDIyLTEwLTA0VDE1OjAwOjQ1LjQ1OTYzNTU0MloiLCJjcmVhdGVkX2J5IjoiRU5WIENPUFlfUkVGRVJFTkNFX0ZJTEVfTE9HPS92YXIvamVua2luc19ob21lL2NvcHlfcmVmZXJlbmNlX2ZpbGUubG9nIiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAiLCJlbXB0eV9sYXllciI6dHJ1ZX0seyJjcmVhdGVkIjoiMjAyMi0xMC0wNFQxNTowMDo0NS40NTk2MzU1NDJaIiwiY3JlYXRlZF9ieSI6IkVOViBKQVZBX0hPTUU9L29wdC9qYXZhL29wZW5qZGsiLCJjb21tZW50IjoiYnVpbGRraXQuZG9ja2VyZmlsZS52MCIsImVtcHR5X2xheWVyIjp0cnVlfSx7ImNyZWF0ZWQiOiIyMDIyLTEwLTA0VDE1OjAwOjQ1LjQ1OTYzNTU0MloiLCJjcmVhdGVkX2J5IjoiRU5WIFBBVEg9L29wdC9qYXZhL29wZW5qZGsvYmluOi91c3IvbG9jYWwvc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL3NiaW46L3Vzci9iaW46L3NiaW46L2JpbiIsImNvbW1lbnQiOiJidWlsZGtpdC5kb2NrZXJmaWxlLnYwIiwiZW1wdHlfbGF5ZXIiOnRydWV9LHsiY3JlYXRlZCI6IjIwMjItMTAtMDRUMTU6MDA6NDUuNjM3NjI4MDZaIiwiY3JlYXRlZF9ieSI6IkNPUFkgL2phdmFydW50aW1lIC9vcHQvamF2YS9vcGVuamRrICMgYnVpbGRraXQiLCJjb21tZW50IjoiYnVpbGRraXQuZG9ja2VyZmlsZS52MCJ9LHsiY3JlYXRlZCI6IjIwMjItMTAtMDRUMTU6MDA6NDUuNjM3NjI4MDZaIiwiY3JlYXRlZF9ieSI6IlVTRVIgamVua2lucyIsImNvbW1lbnQiOiJidWlsZGtpdC5kb2NrZXJmaWxlLnYwIiwiZW1wdHlfbGF5ZXIiOnRydWV9LHsiY3JlYXRlZCI6IjIwMjItMTAtMDRUMTU6MDA6NDUuNjU1OTc2NDJaIiwiY3JlYXRlZF9ieSI6IkNPUFkgamVua2lucy1zdXBwb3J0IC91c3IvbG9jYWwvYmluL2plbmtpbnMtc3VwcG9ydCAjIGJ1aWxka2l0IiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAifSx7ImNyZWF0ZWQiOiIyMDIyLTEwLTA0VDE1OjAwOjQ1LjY2NzMyMjA4WiIsImNyZWF0ZWRfYnkiOiJDT1BZIGplbmtpbnMuc2ggL3Vzci9sb2NhbC9iaW4vamVua2lucy5zaCAjIGJ1aWxka2l0IiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAifSx7ImNyZWF0ZWQiOiIyMDIyLTEwLTA0VDE1OjAwOjQ1LjY3NzYyNzYyNloiLCJjcmVhdGVkX2J5IjoiQ09QWSB0aW5pLXNoaW0uc2ggL3NiaW4vdGluaSAjIGJ1aWxka2l0IiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAifSx7ImNyZWF0ZWQiOiIyMDIyLTEwLTA0VDE1OjAwOjQ1LjY5MDI4MzcwNVoiLCJjcmVhdGVkX2J5IjoiQ09QWSBqZW5raW5zLXBsdWdpbi1jbGkuc2ggL2Jpbi9qZW5raW5zLXBsdWdpbi1jbGkgIyBidWlsZGtpdCIsImNvbW1lbnQiOiJidWlsZGtpdC5kb2NrZXJmaWxlLnYwIn0seyJjcmVhdGVkIjoiMjAyMi0xMC0wNFQxNTowMDo0NS42OTAyODM3MDVaIiwiY3JlYXRlZF9ieSI6IkVOVFJZUE9JTlQgW1wiL3Vzci9iaW4vdGluaVwiIFwiLS1cIiBcIi91c3IvbG9jYWwvYmluL2plbmtpbnMuc2hcIl0iLCJjb21tZW50IjoiYnVpbGRraXQuZG9ja2VyZmlsZS52MCIsImVtcHR5X2xheWVyIjp0cnVlfSx7ImNyZWF0ZWQiOiIyMDIyLTEwLTA0VDE1OjAwOjQ1Ljc1NDM3MzMxMloiLCJjcmVhdGVkX2J5IjoiQ09QWSBpbnN0YWxsLXBsdWdpbnMuc2ggL3Vzci9sb2NhbC9iaW4vaW5zdGFsbC1wbHVnaW5zLnNoICMgYnVpbGRraXQiLCJjb21tZW50IjoiYnVpbGRraXQuZG9ja2VyZmlsZS52MCJ9LHsiY3JlYXRlZCI6IjIwMjItMTAtMDRUMTU6MDA6NDUuNzU0MzczMzEyWiIsImNyZWF0ZWRfYnkiOiJMQUJFTCBvcmcub3BlbmNvbnRhaW5lcnMuaW1hZ2UudmVuZG9yPUplbmtpbnMgcHJvamVjdCBvcmcub3BlbmNvbnRhaW5lcnMuaW1hZ2UudGl0bGU9T2ZmaWNpYWwgSmVua2lucyBEb2NrZXIgaW1hZ2Ugb3JnLm9wZW5jb250YWluZXJzLmltYWdlLmRlc2NyaXB0aW9uPVRoZSBKZW5raW5zIENvbnRpbnVvdXMgSW50ZWdyYXRpb24gYW5kIERlbGl2ZXJ5IHNlcnZlciBvcmcub3BlbmNvbnRhaW5lcnMuaW1hZ2UudmVyc2lvbj0yLjM3MiBvcmcub3BlbmNvbnRhaW5lcnMuaW1hZ2UudXJsPWh0dHBzOi8vd3d3LmplbmtpbnMuaW8vIG9yZy5vcGVuY29udGFpbmVycy5pbWFnZS5zb3VyY2U9aHR0cHM6Ly9naXRodWIuY29tL2plbmtpbnNjaS9kb2NrZXIgb3JnLm9wZW5jb250YWluZXJzLmltYWdlLnJldmlzaW9uPWJiMmM0OGNkZmI3ZWIwOTFlNjkwNzQ5ZTEwZDBjNWIzMzc0MDI0NTIgb3JnLm9wZW5jb250YWluZXJzLmltYWdlLmxpY2Vuc2VzPU1JVCIsImNvbW1lbnQiOiJidWlsZGtpdC5kb2NrZXJmaWxlLnYwIiwiZW1wdHlfbGF5ZXIiOnRydWV9XSwibW9ieS5idWlsZGtpdC5idWlsZGluZm8udjEiOiJleUptY205dWRHVnVaQ0k2SW1SdlkydGxjbVpwYkdVdWRqQWlMQ0p6YjNWeVkyVnpJanBiZXlKMGVYQmxJam9pWkc5amEyVnlMV2x0WVdkbElpd2ljbVZtSWpvaVpHOWphMlZ5TG1sdkwyeHBZbkpoY25rdlpHVmlhV0Z1T21KMWJHeHpaWGxsTFRJd01qSXdPVEV5SWl3aWNHbHVJam9pYzJoaE1qVTJPak5sT0RKaU1XRm1Nek0yTURkaFpXSmhaV0l6TmpReFlqYzFaRFpsT0RCbVpESTRaRE0yWlRFM09Ua3paV1l4TXpjd09HVTVORGt6WlRNd1pUaG1aamtpZlN4N0luUjVjR1VpT2lKa2IyTnJaWEl0YVcxaFoyVWlMQ0p5WldZaU9pSmtiMk5yWlhJdWFXOHZiR2xpY21GeWVTOWxZMnhwY0hObExYUmxiWFZ5YVc0Nk1URXVNQzR4Tmk0eFh6RXRhbVJyTFdadlkyRnNJaXdpY0dsdUlqb2ljMmhoTWpVMk9qbGxaV0UyTmprNE0yTXpPR1F3WkdVeE5qUXhNMk01Tm1FeU5tWXdaR1kzWmprNFpUaGxZVEZpTW1FMVl6WTFPVGcxTmpVellXSXlORFUyTkRZM00yRWlmVjE5Iiwib3MiOiJsaW51eCIsInJvb3RmcyI6eyJ0eXBlIjoibGF5ZXJzIiwiZGlmZl9pZHMiOlsic2hhMjU2OjA0NTBkMzNjMmY1YjNjZmVmZGJhOTM4MWMxM2QwNTkwMjVmNmVmZGJkNzczZjU2Y2JmODZlYjFjMThlMTJmMTgiLCJzaGEyNTY6ZWMwOTUzMjc5Y2U2ZDMzNGQ2NTVmNGM4NzQzMTZiMWVjZmU5MTg4ZGFlZjhkOWEwODI3NTViMDEyYzczZjE5NCIsInNoYTI1NjoxOWM4OTQzNTYwNTBiZGU1MjdjMTIwN2NjYzdlODhjZTJkOWQzZjgwZDExZmVmYjIzYzIyNTJiOTQ4NWY1NjczIiwic2hhMjU2OmZjOWE1MTYzOGIxNmMzNjg1M2MyZWYxYTQ1YTVlODE5YWQzZTE3OTAxNTJhN2NkNzU0YTQ1ZjM5YjgyNDc3NWIiLCJzaGEyNTY6OTJkYjE0MGRhMWY1YzkwNzg0ODMxZTJlNjQzM2UwMzEzM2Q1YWY3ZDRmMzE3MTgxNmM1MTRjMjlmZDgzYmQ0OSIsInNoYTI1Njo1NGYzNDEzODUzNDlmNjlmMmNlNjE4NGVjZWMzZGRjZGI5OTdkMWQ0NmYyYWFlMzVmMGE5NGQ1YjkyYTBkM2I0Iiwic2hhMjU2OmM5YjY4ZGEzM2NhMzNlZTgzMzUxM2E5ZmM5N2QwNjVmM2Q0MmQ4NWFlN2U3NzZhZWUxZmEwYWJmZDI3MTYzMGIiLCJzaGEyNTY6Njg3YmQwNTUwYmI0ZWFhODIxOTkwMDQyZjIyNmZiZjQwMzU1OWZlODdiYTg4NDJmZWRmM2E4OTVmMzQwODJkNSIsInNoYTI1Njo2OGQ0NzUyMWFhMzQxY2I1MjgzMDJkYzU3MDFjOGYxODRhNGFmMTIwMjJlMDgwYzVhYmRlZTg2ZGIwYTY2MzFiIiwic2hhMjU2OmUwMzc4MGRjYjMwZDY1MGQxMjUxODQxNDBiMDY1MGZiY2U3YjlhNWZmMTg1ZTExNDZlNmJkNzRjYTA2MjI4M2YiLCJzaGEyNTY6NDMzMDUxOTBiZjdhM2IwOWY1YmU3MGE2NzE4YTI0NzE0ZTcyM2JmY2NlNjA2MTdhZDMyNmYxOGMxMDQ2MTFkYiIsInNoYTI1NjpiZDQxNzlhY2E1Yzg5OGZmNmM2NTRlODNhYzlkZjI2NjhkZDg1MjA1Y2Y4YmVhNDdiNWZkZWY3OTAyMTFiNjlhIiwic2hhMjU2OjY2OTJmNWIxZDM2N2FmOGFlNWVkODA1MGQxYmVhYmMzMDM1OWRiNTIxMjcyYTNmY2NhZmU0MzQzN2M0N2RhYjYiLCJzaGEyNTY6ZjU5YmE3YzNmMzM1ZTgwMzE2M2EzOGMxOThmMzdjYzVkMTIwMzEyOWM0ZThmMWU0ZTBkN2ViMDcwNmU2YzYwMCJdfX0=", "repoDigests": ["jenkins/jenkins@sha256:02097ebc75a0f586228a49acc48bde36087a9d3de7d676e86c2e563c0e99ed12"], "architecture": "arm64", "os": "linux"}}, "distro": {"name": "debian", "version": "11", "idLike": []}, "descriptor": {"name": "grype", "version": "0.50.1", "configuration": {"configPath": "", "output": "json", "file": "", "distro": "", "add-cpes-if-none": false, "output-template-file": "", "quiet": false, "check-for-app-update": true, "only-fixed": false, "only-notfixed": false, "platform": "", "search": {"scope": "Squashed", "unindexed-archives": false, "indexed-archives": true}, "ignore": null, "exclude": [], "db": {"cache-dir": "/root/.cache/grype/db", "update-url": "https://toolbox-data.anchore.io/grype/databases/listing.json", "ca-cert": "", "auto-update": true, "validate-by-hash-on-start": false, "validate-age": true, "max-allowed-built-age": 432000000000000}, "externalSources": {"enable": false, "maven": {"searchUpstreamBySha1": true, "baseUrl": "https://search.maven.org/solrsearch/select"}}, "match": {"java": {"using-cpes": true}, "dotnet": {"using-cpes": true}, "golang": {"using-cpes": true}, "javascript": {"using-cpes": true}, "python": {"using-cpes": true}, "ruby": {"using-cpes": true}, "stock": {"using-cpes": true}}, "dev": {"profile-cpu": false, "profile-mem": false}, "fail-on-severity": "", "registry": {"insecure-skip-tls-verify": false, "insecure-use-http": false, "auth": []}, "log": {"structured": false, "level": "", "file": ""}, "attestation": {"public-key": "", "skip-verification": false}}, "db": {"built": "2022-10-05T08:18:57Z", "schemaVersion": 4, "location": "/root/.cache/grype/db/4", "checksum": "sha256:3a01f985af5174797a7d47459b1015bac155ecb2c9d5e20a5555d513a00661c8", "error": null}}}, "docker": {"image": "jenkins/jenkins:latest", "summary": {"fatal": 0, "warn": 1, "info": 3, "skip": 0, "pass": 12}, "details": [{"code": "DKL-DI-0006", "title": "Avoid latest tag", "level": "WARN", "alerts": ["Avoid 'latest' tag"]}, {"code": "CIS-DI-0005", "title": "Enable Content trust for Docker", "level": "INFO", "alerts": ["export DOCKER_CONTENT_TRUST=1 before docker pull/build"]}, {"code": "CIS-DI-0006", "title": "Add HEALTHCHECK instruction to the container image", "level": "INFO", "alerts": ["not found HEALTHCHECK statement"]}, {"code": "CIS-DI-0008", "title": "Confirm safety of setuid/setgid files", "level": "INFO", "alerts": ["setuid file: urwxr-xr-x usr/bin/chsh", "setuid file: urwxr-xr-x usr/lib/openssh/ssh-keysign", "setuid file: urwxr-xr-x bin/mount", "setgid file: grwxr-xr-x sbin/unix_chkpwd", "setuid file: urwxr-xr-x usr/bin/chfn", "setuid file: urwxr-xr-x usr/bin/gpasswd", "setuid file: urwxr-xr-x usr/bin/newgrp", "setuid file: urwxr-xr-x bin/umount", "setgid file: grwxr-xr-x usr/bin/ssh-agent", "setuid file: urwxr-xr-x usr/bin/passwd", "setgid file: grwxr-xr-x usr/bin/wall", "setgid file: grwxr-xr-x usr/bin/chage", "setgid file: grwxr-xr-x usr/bin/expiry", "setuid file: urwxr-xr-x bin/su"]}]}, "secrets": {"SchemaVersion": 2, "ArtifactName": "jenkins/jenkins:latest", "ArtifactType": "container_image", "Metadata": {"OS": {"Family": "debian", "Name": "11.5"}, "ImageID": "sha256:62694ee7707eeed83cfdddcb892e4d48315a42ddb608679a2f2d012a405cd39e", "DiffIDs": ["sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18", "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194", "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673", "sha256:fc9a51638b16c36853c2ef1a45a5e819ad3e1790152a7cd754a45f39b824775b", "sha256:92db140da1f5c90784831e2e6433e03133d5af7d4f3171816c514c29fd83bd49", "sha256:54f341385349f69f2ce6184ecec3ddcdb997d1d46f2aae35f0a94d5b92a0d3b4", "sha256:c9b68da33ca33ee833513a9fc97d065f3d42d85ae7e776aee1fa0abfd271630b", "sha256:687bd0550bb4eaa821990042f226fbf403559fe87ba8842fedf3a895f34082d5", "sha256:68d47521aa341cb528302dc5701c8f184a4af12022e080c5abdee86db0a6631b", "sha256:e03780dcb30d650d125184140b0650fbce7b9a5ff185e1146e6bd74ca062283f", "sha256:43305190bf7a3b09f5be70a6718a24714e723bfcce60617ad326f18c104611db", "sha256:bd4179aca5c898ff6c654e83ac9df2668dd85205cf8bea47b5fdef790211b69a", "sha256:6692f5b1d367af8ae5ed8050d1beabc30359db521272a3fccafe43437c47dab6", "sha256:f59ba7c3f335e803163a38c198f37cc5d1203129c4e8f1e4e0d7eb0706e6c600"], "RepoTags": ["jenkins/jenkins:latest"], "RepoDigests": ["jenkins/jenkins@sha256:02097ebc75a0f586228a49acc48bde36087a9d3de7d676e86c2e563c0e99ed12"], "ImageConfig": {"architecture": "arm64", "created": "2022-10-04T15:00:45.754373312Z", "history": [{"created": "2022-09-13T02:10:41Z", "created_by": "/bin/sh -c #(nop) ADD file:879fb0cd23107ac6f53581456074c7ff13c051aa262de3ca16ffa8475cf04dec in / "}, {"created": "2022-09-13T02:10:42Z", "created_by": "/bin/sh -c #(nop)  CMD [\"bash\"]", "empty_layer": true}, {"created": "2022-10-04T14:59:39Z", "created_by": "RUN /bin/sh -c apt-get update   && apt-get install -y --no-install-recommends     ca-certificates     curl     git     gnupg     gpg     libfontconfig1     libfreetype6     ssh-client     tini     unzip   && rm -rf /var/lib/apt/lists/* # buildkit", "comment": "buildkit.dockerfile.v0"}, {"created": "2022-10-04T15:00:32Z", "created_by": "RUN /bin/sh -c curl -s https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh -o /tmp/script.deb.sh   && bash /tmp/script.deb.sh   && rm -f /tmp/script.deb.sh   && apt-get install -y --no-install-recommends     git-lfs   && rm -rf /var/lib/apt/lists/*   && git lfs install # buildkit", "comment": "buildkit.dockerfile.v0"}, {"created": "2022-10-04T15:00:33Z", "created_by": "ENV LANG=C.UTF-8", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ARG TARGETARCH", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ARG COMMIT_SHA", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ARG user=jenkins", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ARG group=jenkins", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ARG uid=1000", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ARG gid=1000", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ARG http_port=8080", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ARG agent_port=50000", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ARG JENKINS_HOME=/var/jenkins_home", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ARG REF=/usr/share/jenkins/ref", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ENV JENKINS_HOME=/var/jenkins_home", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ENV JENKINS_SLAVE_AGENT_PORT=50000", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ENV REF=/usr/share/jenkins/ref", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "RUN |10 TARGETARCH=arm64 COMMIT_SHA=bb2c48cdfb7eb091e690749e10d0c5b337402452 user=jenkins group=jenkins uid=1000 gid=1000 http_port=8080 agent_port=50000 JENKINS_HOME=/var/jenkins_home REF=/usr/share/jenkins/ref /bin/sh -c mkdir -p $JENKINS_HOME   && chown ${uid}:${gid} $JENKINS_HOME   && groupadd -g ${gid} ${group}   && useradd -d \"$JENKINS_HOME\" -u ${uid} -g ${gid} -l -m -s /bin/bash ${user} # buildkit", "comment": "buildkit.dockerfile.v0"}, {"created": "2022-10-04T15:00:33Z", "created_by": "VOLUME [/var/jenkins_home]", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "RUN |10 TARGETARCH=arm64 COMMIT_SHA=bb2c48cdfb7eb091e690749e10d0c5b337402452 user=jenkins group=jenkins uid=1000 gid=1000 http_port=8080 agent_port=50000 JENKINS_HOME=/var/jenkins_home REF=/usr/share/jenkins/ref /bin/sh -c mkdir -p ${REF}/init.groovy.d # buildkit", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ARG JENKINS_VERSION", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ENV JENKINS_VERSION=2.372", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ARG JENKINS_SHA=1163c4554dc93439c5eef02b06a8d74f98ca920bbc012c2b8a089d414cfa8075", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ARG JENKINS_URL=https://repo.jenkins-ci.org/public/org/jenkins-ci/main/jenkins-war/2.372/jenkins-war-2.372.war", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:44Z", "created_by": "RUN |13 TARGETARCH=arm64 COMMIT_SHA=bb2c48cdfb7eb091e690749e10d0c5b337402452 user=jenkins group=jenkins uid=1000 gid=1000 http_port=8080 agent_port=50000 JENKINS_HOME=/var/jenkins_home REF=/usr/share/jenkins/ref JENKINS_VERSION=2.372 JENKINS_SHA=cb2ba4c4dd2bfb1bcfc57d129ea3b299baec82358aa99e77ff142b9e432bbb25 JENKINS_URL=https://repo.jenkins-ci.org/public/org/jenkins-ci/main/jenkins-war/2.372/jenkins-war-2.372.war /bin/sh -c curl -fsSL ${JENKINS_URL} -o /usr/share/jenkins/jenkins.war   && echo \"${JENKINS_SHA}  /usr/share/jenkins/jenkins.war\" >/tmp/jenkins_sha   && sha256sum -c --strict /tmp/jenkins_sha   && rm -f /tmp/jenkins_sha # buildkit", "comment": "buildkit.dockerfile.v0"}, {"created": "2022-10-04T15:00:44Z", "created_by": "ENV JENKINS_UC=https://updates.jenkins.io", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:44Z", "created_by": "ENV JENKINS_UC_EXPERIMENTAL=https://updates.jenkins.io/experimental", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:44Z", "created_by": "ENV JENKINS_INCREMENTALS_REPO_MIRROR=https://repo.jenkins-ci.org/incrementals", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:44Z", "created_by": "RUN |13 TARGETARCH=arm64 COMMIT_SHA=bb2c48cdfb7eb091e690749e10d0c5b337402452 user=jenkins group=jenkins uid=1000 gid=1000 http_port=8080 agent_port=50000 JENKINS_HOME=/var/jenkins_home REF=/usr/share/jenkins/ref JENKINS_VERSION=2.372 JENKINS_SHA=cb2ba4c4dd2bfb1bcfc57d129ea3b299baec82358aa99e77ff142b9e432bbb25 JENKINS_URL=https://repo.jenkins-ci.org/public/org/jenkins-ci/main/jenkins-war/2.372/jenkins-war-2.372.war /bin/sh -c chown -R ${user} \"$JENKINS_HOME\" \"$REF\" # buildkit", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:44Z", "created_by": "ARG PLUGIN_CLI_VERSION=2.12.9", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:44Z", "created_by": "ARG PLUGIN_CLI_URL=https://github.com/jenkinsci/plugin-installation-manager-tool/releases/download/2.12.9/jenkins-plugin-manager-2.12.9.jar", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:45Z", "created_by": "RUN |15 TARGETARCH=arm64 COMMIT_SHA=bb2c48cdfb7eb091e690749e10d0c5b337402452 user=jenkins group=jenkins uid=1000 gid=1000 http_port=8080 agent_port=50000 JENKINS_HOME=/var/jenkins_home REF=/usr/share/jenkins/ref JENKINS_VERSION=2.372 JENKINS_SHA=cb2ba4c4dd2bfb1bcfc57d129ea3b299baec82358aa99e77ff142b9e432bbb25 JENKINS_URL=https://repo.jenkins-ci.org/public/org/jenkins-ci/main/jenkins-war/2.372/jenkins-war-2.372.war PLUGIN_CLI_VERSION=2.12.9 PLUGIN_CLI_URL=https://github.com/jenkinsci/plugin-installation-manager-tool/releases/download/2.12.9/jenkins-plugin-manager-2.12.9.jar /bin/sh -c curl -fsSL ${PLUGIN_CLI_URL} -o /opt/jenkins-plugin-manager.jar # buildkit", "comment": "buildkit.dockerfile.v0"}, {"created": "2022-10-04T15:00:45Z", "created_by": "EXPOSE map[8080/tcp:{}]", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:45Z", "created_by": "EXPOSE map[50000/tcp:{}]", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:45Z", "created_by": "ENV COPY_REFERENCE_FILE_LOG=/var/jenkins_home/copy_reference_file.log", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:45Z", "created_by": "ENV JAVA_HOME=/opt/java/openjdk", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:45Z", "created_by": "ENV PATH=/opt/java/openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:45Z", "created_by": "COPY /javaruntime /opt/java/openjdk # buildkit", "comment": "buildkit.dockerfile.v0"}, {"created": "2022-10-04T15:00:45Z", "created_by": "USER jenkins", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:45Z", "created_by": "COPY jenkins-support /usr/local/bin/jenkins-support # buildkit", "comment": "buildkit.dockerfile.v0"}, {"created": "2022-10-04T15:00:45Z", "created_by": "COPY jenkins.sh /usr/local/bin/jenkins.sh # buildkit", "comment": "buildkit.dockerfile.v0"}, {"created": "2022-10-04T15:00:45Z", "created_by": "COPY tini-shim.sh /sbin/tini # buildkit", "comment": "buildkit.dockerfile.v0"}, {"created": "2022-10-04T15:00:45Z", "created_by": "COPY jenkins-plugin-cli.sh /bin/jenkins-plugin-cli # buildkit", "comment": "buildkit.dockerfile.v0"}, {"created": "2022-10-04T15:00:45Z", "created_by": "ENTRYPOINT [\"/usr/bin/tini\" \"--\" \"/usr/local/bin/jenkins.sh\"]", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:45Z", "created_by": "COPY install-plugins.sh /usr/local/bin/install-plugins.sh # buildkit", "comment": "buildkit.dockerfile.v0"}, {"created": "2022-10-04T15:00:45Z", "created_by": "LABEL org.opencontainers.image.vendor=Jenkins project org.opencontainers.image.title=Official Jenkins Docker image org.opencontainers.image.description=The Jenkins Continuous Integration and Delivery server org.opencontainers.image.version=2.372 org.opencontainers.image.url=https://www.jenkins.io/ org.opencontainers.image.source=https://github.com/jenkinsci/docker org.opencontainers.image.revision=bb2c48cdfb7eb091e690749e10d0c5b337402452 org.opencontainers.image.licenses=MIT", "comment": "buildkit.dockerfile.v0", "empty_layer": true}], "os": "linux", "rootfs": {"type": "layers", "diff_ids": ["sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18", "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194", "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673", "sha256:fc9a51638b16c36853c2ef1a45a5e819ad3e1790152a7cd754a45f39b824775b", "sha256:92db140da1f5c90784831e2e6433e03133d5af7d4f3171816c514c29fd83bd49", "sha256:54f341385349f69f2ce6184ecec3ddcdb997d1d46f2aae35f0a94d5b92a0d3b4", "sha256:c9b68da33ca33ee833513a9fc97d065f3d42d85ae7e776aee1fa0abfd271630b", "sha256:687bd0550bb4eaa821990042f226fbf403559fe87ba8842fedf3a895f34082d5", "sha256:68d47521aa341cb528302dc5701c8f184a4af12022e080c5abdee86db0a6631b", "sha256:e03780dcb30d650d125184140b0650fbce7b9a5ff185e1146e6bd74ca062283f", "sha256:43305190bf7a3b09f5be70a6718a24714e723bfcce60617ad326f18c104611db", "sha256:bd4179aca5c898ff6c654e83ac9df2668dd85205cf8bea47b5fdef790211b69a", "sha256:6692f5b1d367af8ae5ed8050d1beabc30359db521272a3fccafe43437c47dab6", "sha256:f59ba7c3f335e803163a38c198f37cc5d1203129c4e8f1e4e0d7eb0706e6c600"]}, "config": {"Entrypoint": ["/usr/bin/tini", "--", "/usr/local/bin/jenkins.sh"], "Env": ["PATH=/opt/java/openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "LANG=C.UTF-8", "JENKINS_HOME=/var/jenkins_home", "JENKINS_SLAVE_AGENT_PORT=50000", "REF=/usr/share/jenkins/ref", "JENKINS_VERSION=2.372", "JENKINS_UC=https://updates.jenkins.io", "JENKINS_UC_EXPERIMENTAL=https://updates.jenkins.io/experimental", "JENKINS_INCREMENTALS_REPO_MIRROR=https://repo.jenkins-ci.org/incrementals", "COPY_REFERENCE_FILE_LOG=/var/jenkins_home/copy_reference_file.log", "JAVA_HOME=/opt/java/openjdk"], "Labels": {"org.opencontainers.image.description": "The Jenkins Continuous Integration and Delivery server", "org.opencontainers.image.licenses": "MIT", "org.opencontainers.image.revision": "bb2c48cdfb7eb091e690749e10d0c5b337402452", "org.opencontainers.image.source": "https://github.com/jenkinsci/docker", "org.opencontainers.image.title": "Official Jenkins Docker image", "org.opencontainers.image.url": "https://www.jenkins.io/", "org.opencontainers.image.vendor": "Jenkins project", "org.opencontainers.image.version": "2.372"}, "User": "jenkins", "Volumes": {"/var/jenkins_home": {}}}}}}, "iac": {"SchemaVersion": 2, "ArtifactName": "jenkins/jenkins:latest", "ArtifactType": "container_image", "Metadata": {"OS": {"Family": "debian", "Name": "11.5"}, "ImageID": "sha256:62694ee7707eeed83cfdddcb892e4d48315a42ddb608679a2f2d012a405cd39e", "DiffIDs": ["sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18", "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194", "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673", "sha256:fc9a51638b16c36853c2ef1a45a5e819ad3e1790152a7cd754a45f39b824775b", "sha256:92db140da1f5c90784831e2e6433e03133d5af7d4f3171816c514c29fd83bd49", "sha256:54f341385349f69f2ce6184ecec3ddcdb997d1d46f2aae35f0a94d5b92a0d3b4", "sha256:c9b68da33ca33ee833513a9fc97d065f3d42d85ae7e776aee1fa0abfd271630b", "sha256:687bd0550bb4eaa821990042f226fbf403559fe87ba8842fedf3a895f34082d5", "sha256:68d47521aa341cb528302dc5701c8f184a4af12022e080c5abdee86db0a6631b", "sha256:e03780dcb30d650d125184140b0650fbce7b9a5ff185e1146e6bd74ca062283f", "sha256:43305190bf7a3b09f5be70a6718a24714e723bfcce60617ad326f18c104611db", "sha256:bd4179aca5c898ff6c654e83ac9df2668dd85205cf8bea47b5fdef790211b69a", "sha256:6692f5b1d367af8ae5ed8050d1beabc30359db521272a3fccafe43437c47dab6", "sha256:f59ba7c3f335e803163a38c198f37cc5d1203129c4e8f1e4e0d7eb0706e6c600"], "RepoTags": ["jenkins/jenkins:latest"], "RepoDigests": ["jenkins/jenkins@sha256:02097ebc75a0f586228a49acc48bde36087a9d3de7d676e86c2e563c0e99ed12"], "ImageConfig": {"architecture": "arm64", "created": "2022-10-04T15:00:45.754373312Z", "history": [{"created": "2022-09-13T02:10:41Z", "created_by": "/bin/sh -c #(nop) ADD file:879fb0cd23107ac6f53581456074c7ff13c051aa262de3ca16ffa8475cf04dec in / "}, {"created": "2022-09-13T02:10:42Z", "created_by": "/bin/sh -c #(nop)  CMD [\"bash\"]", "empty_layer": true}, {"created": "2022-10-04T14:59:39Z", "created_by": "RUN /bin/sh -c apt-get update   && apt-get install -y --no-install-recommends     ca-certificates     curl     git     gnupg     gpg     libfontconfig1     libfreetype6     ssh-client     tini     unzip   && rm -rf /var/lib/apt/lists/* # buildkit", "comment": "buildkit.dockerfile.v0"}, {"created": "2022-10-04T15:00:32Z", "created_by": "RUN /bin/sh -c curl -s https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh -o /tmp/script.deb.sh   && bash /tmp/script.deb.sh   && rm -f /tmp/script.deb.sh   && apt-get install -y --no-install-recommends     git-lfs   && rm -rf /var/lib/apt/lists/*   && git lfs install # buildkit", "comment": "buildkit.dockerfile.v0"}, {"created": "2022-10-04T15:00:33Z", "created_by": "ENV LANG=C.UTF-8", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ARG TARGETARCH", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ARG COMMIT_SHA", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ARG user=jenkins", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ARG group=jenkins", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ARG uid=1000", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ARG gid=1000", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ARG http_port=8080", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ARG agent_port=50000", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ARG JENKINS_HOME=/var/jenkins_home", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ARG REF=/usr/share/jenkins/ref", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ENV JENKINS_HOME=/var/jenkins_home", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ENV JENKINS_SLAVE_AGENT_PORT=50000", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ENV REF=/usr/share/jenkins/ref", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "RUN |10 TARGETARCH=arm64 COMMIT_SHA=bb2c48cdfb7eb091e690749e10d0c5b337402452 user=jenkins group=jenkins uid=1000 gid=1000 http_port=8080 agent_port=50000 JENKINS_HOME=/var/jenkins_home REF=/usr/share/jenkins/ref /bin/sh -c mkdir -p $JENKINS_HOME   && chown ${uid}:${gid} $JENKINS_HOME   && groupadd -g ${gid} ${group}   && useradd -d \"$JENKINS_HOME\" -u ${uid} -g ${gid} -l -m -s /bin/bash ${user} # buildkit", "comment": "buildkit.dockerfile.v0"}, {"created": "2022-10-04T15:00:33Z", "created_by": "VOLUME [/var/jenkins_home]", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "RUN |10 TARGETARCH=arm64 COMMIT_SHA=bb2c48cdfb7eb091e690749e10d0c5b337402452 user=jenkins group=jenkins uid=1000 gid=1000 http_port=8080 agent_port=50000 JENKINS_HOME=/var/jenkins_home REF=/usr/share/jenkins/ref /bin/sh -c mkdir -p ${REF}/init.groovy.d # buildkit", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ARG JENKINS_VERSION", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ENV JENKINS_VERSION=2.372", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ARG JENKINS_SHA=1163c4554dc93439c5eef02b06a8d74f98ca920bbc012c2b8a089d414cfa8075", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:33Z", "created_by": "ARG JENKINS_URL=https://repo.jenkins-ci.org/public/org/jenkins-ci/main/jenkins-war/2.372/jenkins-war-2.372.war", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:44Z", "created_by": "RUN |13 TARGETARCH=arm64 COMMIT_SHA=bb2c48cdfb7eb091e690749e10d0c5b337402452 user=jenkins group=jenkins uid=1000 gid=1000 http_port=8080 agent_port=50000 JENKINS_HOME=/var/jenkins_home REF=/usr/share/jenkins/ref JENKINS_VERSION=2.372 JENKINS_SHA=cb2ba4c4dd2bfb1bcfc57d129ea3b299baec82358aa99e77ff142b9e432bbb25 JENKINS_URL=https://repo.jenkins-ci.org/public/org/jenkins-ci/main/jenkins-war/2.372/jenkins-war-2.372.war /bin/sh -c curl -fsSL ${JENKINS_URL} -o /usr/share/jenkins/jenkins.war   && echo \"${JENKINS_SHA}  /usr/share/jenkins/jenkins.war\" >/tmp/jenkins_sha   && sha256sum -c --strict /tmp/jenkins_sha   && rm -f /tmp/jenkins_sha # buildkit", "comment": "buildkit.dockerfile.v0"}, {"created": "2022-10-04T15:00:44Z", "created_by": "ENV JENKINS_UC=https://updates.jenkins.io", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:44Z", "created_by": "ENV JENKINS_UC_EXPERIMENTAL=https://updates.jenkins.io/experimental", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:44Z", "created_by": "ENV JENKINS_INCREMENTALS_REPO_MIRROR=https://repo.jenkins-ci.org/incrementals", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:44Z", "created_by": "RUN |13 TARGETARCH=arm64 COMMIT_SHA=bb2c48cdfb7eb091e690749e10d0c5b337402452 user=jenkins group=jenkins uid=1000 gid=1000 http_port=8080 agent_port=50000 JENKINS_HOME=/var/jenkins_home REF=/usr/share/jenkins/ref JENKINS_VERSION=2.372 JENKINS_SHA=cb2ba4c4dd2bfb1bcfc57d129ea3b299baec82358aa99e77ff142b9e432bbb25 JENKINS_URL=https://repo.jenkins-ci.org/public/org/jenkins-ci/main/jenkins-war/2.372/jenkins-war-2.372.war /bin/sh -c chown -R ${user} \"$JENKINS_HOME\" \"$REF\" # buildkit", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:44Z", "created_by": "ARG PLUGIN_CLI_VERSION=2.12.9", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:44Z", "created_by": "ARG PLUGIN_CLI_URL=https://github.com/jenkinsci/plugin-installation-manager-tool/releases/download/2.12.9/jenkins-plugin-manager-2.12.9.jar", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:45Z", "created_by": "RUN |15 TARGETARCH=arm64 COMMIT_SHA=bb2c48cdfb7eb091e690749e10d0c5b337402452 user=jenkins group=jenkins uid=1000 gid=1000 http_port=8080 agent_port=50000 JENKINS_HOME=/var/jenkins_home REF=/usr/share/jenkins/ref JENKINS_VERSION=2.372 JENKINS_SHA=cb2ba4c4dd2bfb1bcfc57d129ea3b299baec82358aa99e77ff142b9e432bbb25 JENKINS_URL=https://repo.jenkins-ci.org/public/org/jenkins-ci/main/jenkins-war/2.372/jenkins-war-2.372.war PLUGIN_CLI_VERSION=2.12.9 PLUGIN_CLI_URL=https://github.com/jenkinsci/plugin-installation-manager-tool/releases/download/2.12.9/jenkins-plugin-manager-2.12.9.jar /bin/sh -c curl -fsSL ${PLUGIN_CLI_URL} -o /opt/jenkins-plugin-manager.jar # buildkit", "comment": "buildkit.dockerfile.v0"}, {"created": "2022-10-04T15:00:45Z", "created_by": "EXPOSE map[8080/tcp:{}]", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:45Z", "created_by": "EXPOSE map[50000/tcp:{}]", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:45Z", "created_by": "ENV COPY_REFERENCE_FILE_LOG=/var/jenkins_home/copy_reference_file.log", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:45Z", "created_by": "ENV JAVA_HOME=/opt/java/openjdk", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:45Z", "created_by": "ENV PATH=/opt/java/openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:45Z", "created_by": "COPY /javaruntime /opt/java/openjdk # buildkit", "comment": "buildkit.dockerfile.v0"}, {"created": "2022-10-04T15:00:45Z", "created_by": "USER jenkins", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:45Z", "created_by": "COPY jenkins-support /usr/local/bin/jenkins-support # buildkit", "comment": "buildkit.dockerfile.v0"}, {"created": "2022-10-04T15:00:45Z", "created_by": "COPY jenkins.sh /usr/local/bin/jenkins.sh # buildkit", "comment": "buildkit.dockerfile.v0"}, {"created": "2022-10-04T15:00:45Z", "created_by": "COPY tini-shim.sh /sbin/tini # buildkit", "comment": "buildkit.dockerfile.v0"}, {"created": "2022-10-04T15:00:45Z", "created_by": "COPY jenkins-plugin-cli.sh /bin/jenkins-plugin-cli # buildkit", "comment": "buildkit.dockerfile.v0"}, {"created": "2022-10-04T15:00:45Z", "created_by": "ENTRYPOINT [\"/usr/bin/tini\" \"--\" \"/usr/local/bin/jenkins.sh\"]", "comment": "buildkit.dockerfile.v0", "empty_layer": true}, {"created": "2022-10-04T15:00:45Z", "created_by": "COPY install-plugins.sh /usr/local/bin/install-plugins.sh # buildkit", "comment": "buildkit.dockerfile.v0"}, {"created": "2022-10-04T15:00:45Z", "created_by": "LABEL org.opencontainers.image.vendor=Jenkins project org.opencontainers.image.title=Official Jenkins Docker image org.opencontainers.image.description=The Jenkins Continuous Integration and Delivery server org.opencontainers.image.version=2.372 org.opencontainers.image.url=https://www.jenkins.io/ org.opencontainers.image.source=https://github.com/jenkinsci/docker org.opencontainers.image.revision=bb2c48cdfb7eb091e690749e10d0c5b337402452 org.opencontainers.image.licenses=MIT", "comment": "buildkit.dockerfile.v0", "empty_layer": true}], "os": "linux", "rootfs": {"type": "layers", "diff_ids": ["sha256:0450d33c2f5b3cfefdba9381c13d059025f6efdbd773f56cbf86eb1c18e12f18", "sha256:ec0953279ce6d334d655f4c874316b1ecfe9188daef8d9a082755b012c73f194", "sha256:19c894356050bde527c1207ccc7e88ce2d9d3f80d11fefb23c2252b9485f5673", "sha256:fc9a51638b16c36853c2ef1a45a5e819ad3e1790152a7cd754a45f39b824775b", "sha256:92db140da1f5c90784831e2e6433e03133d5af7d4f3171816c514c29fd83bd49", "sha256:54f341385349f69f2ce6184ecec3ddcdb997d1d46f2aae35f0a94d5b92a0d3b4", "sha256:c9b68da33ca33ee833513a9fc97d065f3d42d85ae7e776aee1fa0abfd271630b", "sha256:687bd0550bb4eaa821990042f226fbf403559fe87ba8842fedf3a895f34082d5", "sha256:68d47521aa341cb528302dc5701c8f184a4af12022e080c5abdee86db0a6631b", "sha256:e03780dcb30d650d125184140b0650fbce7b9a5ff185e1146e6bd74ca062283f", "sha256:43305190bf7a3b09f5be70a6718a24714e723bfcce60617ad326f18c104611db", "sha256:bd4179aca5c898ff6c654e83ac9df2668dd85205cf8bea47b5fdef790211b69a", "sha256:6692f5b1d367af8ae5ed8050d1beabc30359db521272a3fccafe43437c47dab6", "sha256:f59ba7c3f335e803163a38c198f37cc5d1203129c4e8f1e4e0d7eb0706e6c600"]}, "config": {"Entrypoint": ["/usr/bin/tini", "--", "/usr/local/bin/jenkins.sh"], "Env": ["PATH=/opt/java/openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "LANG=C.UTF-8", "JENKINS_HOME=/var/jenkins_home", "JENKINS_SLAVE_AGENT_PORT=50000", "REF=/usr/share/jenkins/ref", "JENKINS_VERSION=2.372", "JENKINS_UC=https://updates.jenkins.io", "JENKINS_UC_EXPERIMENTAL=https://updates.jenkins.io/experimental", "JENKINS_INCREMENTALS_REPO_MIRROR=https://repo.jenkins-ci.org/incrementals", "COPY_REFERENCE_FILE_LOG=/var/jenkins_home/copy_reference_file.log", "JAVA_HOME=/opt/java/openjdk"], "Labels": {"org.opencontainers.image.description": "The Jenkins Continuous Integration and Delivery server", "org.opencontainers.image.licenses": "MIT", "org.opencontainers.image.revision": "bb2c48cdfb7eb091e690749e10d0c5b337402452", "org.opencontainers.image.source": "https://github.com/jenkinsci/docker", "org.opencontainers.image.title": "Official Jenkins Docker image", "org.opencontainers.image.url": "https://www.jenkins.io/", "org.opencontainers.image.vendor": "Jenkins project", "org.opencontainers.image.version": "2.372"}, "User": "jenkins", "Volumes": {"/var/jenkins_home": {}}}}}}, "permissions": [{"filename": "sha256:62694ee7707eeed83cfdddcb892e4d48315a42ddb608679a2f2d012a405cd39e.files.json", "namespace": "main", "successes": 16506}]}, "policy-results": [{"filename": "sha256:62694ee7707eeed83cfdddcb892e4d48315a42ddb608679a2f2d012a405cd39e.results.json", "namespace": "main", "successes": 3}], "policy-passed": true}