Update docker-compose.yml

[FinnPL]

No description provided.

[github-actions]

Docker Compose Image Metadata and CVE Scan Report

Docker Compose Image Metadata and CVE Report
=============================================
Processing file: .github/workflows/docker-compose-scan.yml
   Found image: <imagename>)
   Running docker scout cves <imagename>) ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning <imagename>)
   Found image: \s*\K.+'
   Running docker scout cves \s*\K.+' ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning \s*\K.+'
   Found image: $file
   Running docker scout cves $file ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning $file
   Found image: |
   Running docker scout cves | ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning |
   Found image: tr
   Running docker scout cves tr ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning tr
   Found image: -d
   Running docker scout cves -d ...
unknown shorthand flag: 'd' in -d
See 'docker --help'.

Usage:  docker [OPTIONS] COMMAND

A self-sufficient runtime for containers

Common Commands:
  run         Create and run a new container from an image
  exec        Execute a command in a running container
  ps          List containers
  build       Build an image from a Dockerfile
  pull        Download an image from a registry
  push        Upload an image to a registry
  images      List images
  login       Log in to a registry
  logout      Log out from a registry
  search      Search Docker Hub for images
  version     Show the Docker version information
  info        Display system-wide information

Management Commands:
  builder     Manage builds
  buildx*     Docker Buildx
  compose*    Docker Compose
  container   Manage containers
  context     Manage contexts
  image       Manage images
  manifest    Manage Docker image manifests and manifest lists
  network     Manage networks
  plugin      Manage plugins
  system      Manage Docker
  trust       Manage trust on Docker images
  volume      Manage volumes

Swarm Commands:
  swarm       Manage Swarm

Commands:
  attach      Attach local standard input, output, and error streams to a running container
  commit      Create a new image from a container's changes
  cp          Copy files/folders between a container and the local filesystem
  create      Create a new container
  diff        Inspect changes to files or directories on a container's filesystem
  events      Get real time events from the server
  export      Export a container's filesystem as a tar archive
  history     Show the history of an image
  import      Import the contents from a tarball to create a filesystem image
  inspect     Return low-level information on Docker objects
  kill        Kill one or more running containers
  load        Load an image from a tar archive or STDIN
  logs        Fetch the logs of a container
  pause       Pause all processes within one or more containers
  port        List port mappings or a specific mapping for the container
  rename      Rename a container
  restart     Restart one or more containers
  rm          Remove one or more containers
  rmi         Remove one or more images
  save        Save one or more images to a tar archive (streamed to STDOUT by default)
  start       Start one or more stopped containers
  stats       Display a live stream of container(s) resource usage statistics
  stop        Stop one or more running containers
  tag         Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE
  top         Display the running processes of a container
  unpause     Unpause all processes within one or more containers
  update      Update configuration of one or more containers
  wait        Block until one or more containers stop, then print their exit codes

Global Options:
      --config string      Location of client config files (default
                           "/home/runner/.docker")
  -c, --context string     Name of the context to use to connect to the
                           daemon (overrides DOCKER_HOST env var and
                           default context set with "docker context use")
  -D, --debug              Enable debug mode
  -H, --host list          Daemon socket to connect to
  -l, --log-level string   Set the logging level ("debug", "info",
                           "warn", "error", "fatal") (default "info")
      --tls                Use TLS; implied by --tlsverify
      --tlscacert string   Trust certs signed only by this CA (default
                           "/home/runner/.docker/ca.pem")
      --tlscert string     Path to TLS certificate file (default
                           "/home/runner/.docker/cert.pem")
      --tlskey string      Path to TLS key file (default
                           "/home/runner/.docker/key.pem")
      --tlsverify          Use TLS and verify the remote
  -v, --version            Print version information and quit

Run 'docker COMMAND --help' for more information on a command.

For more help on how to use Docker, head to https://docs.docker.com/go/guides/

   Error scanning -d
   Found image: ''
   Running docker scout cves '' ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning ''
   Found image: )
   Running docker scout cves ) ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning )
   Found image: $image
   Running docker scout cves $image ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning $image
   Found image: >>
   Running docker scout cves >> ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning >>
   Found image: report.txt
   Running docker scout cves report.txt ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning report.txt
---------------------------------------------
Processing file: src/Pi4/docker-compose.yml
   Found image: traefik:v2.5.0
   Running docker scout cves traefik:v2.5.0 ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning traefik:v2.5.0
   Found image: #
   Running docker scout cves # ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning #
   Found image: Known
   Running docker scout cves Known ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning Known
   Found image: CVEs:
   Running docker scout cves CVEs: ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning CVEs:
   Found image: CVE-2021-32786,
   Running docker scout cves CVE-2021-32786, ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning CVE-2021-32786,
   Found image: CVE-2021-32787
   Running docker scout cves CVE-2021-32787 ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning CVE-2021-32787
   Found image: portainer/portainer-ce:2.0.0
   Running docker scout cves portainer/portainer-ce:2.0.0 ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning portainer/portainer-ce:2.0.0
   Found image: #
   Running docker scout cves # ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning #
   Found image: Known
   Running docker scout cves Known ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning Known
   Found image: CVEs:
   Running docker scout cves CVEs: ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning CVEs:
   Found image: CVE-2021-21334
   Running docker scout cves CVE-2021-21334 ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning CVE-2021-21334
   Found image: twinproduction/gatus:v2.1.0
   Running docker scout cves twinproduction/gatus:v2.1.0 ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning twinproduction/gatus:v2.1.0
   Found image: #
   Running docker scout cves # ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning #
   Found image: No
   Running docker scout cves No ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning No
   Found image: known
   Running docker scout cves known ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning known
   Found image: CVEs
   Running docker scout cves CVEs ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning CVEs
   Found image: for
   Running docker scout cves for ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning for
   Found image: this
   Running docker scout cves this ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning this
   Found image: specific
   Running docker scout cves specific ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning specific
   Found image: version
   Running docker scout cves version ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning version
   Found image: ghcr.io/gethomepage/homepage:v0.9.0
   Running docker scout cves ghcr.io/gethomepage/homepage:v0.9.0 ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning ghcr.io/gethomepage/homepage:v0.9.0
   Found image: #
   Running docker scout cves # ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning #
   Found image: No
   Running docker scout cves No ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning No
   Found image: known
   Running docker scout cves known ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning known
   Found image: CVEs
   Running docker scout cves CVEs ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning CVEs
   Found image: for
   Running docker scout cves for ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning for
   Found image: this
   Running docker scout cves this ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning this
   Found image: specific
   Running docker scout cves specific ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning specific
   Found image: version
   Running docker scout cves version ...
docker: 'scout' is not a docker command.
See 'docker --help'
   Error scanning version
---------------------------------------------

[github-actions]

🔍 Vulnerabilities of portainer/portainer-ce:2.0.0

📦 Image Reference portainer/portainer-ce:2.0.0

digest	sha256:963be5398ad2500eda03bb937a483407e7aa7e8b2a73d07044ba0078ab1a1cfc
vulnerabilities
platform	linux/amd64
size	57 MB
packages	96

stdlib 1.13.1 (golang) pkg:golang/[email protected] Affected range <1.21.11 Fixed version 1.21.11 EPSS Score 0.063% EPSS Percentile 30th percentile Description The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. Affected range <1.19.9 Fixed version 1.19.9 EPSS Score 0.241% EPSS Percentile 64th percentile Description Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution. Affected range <1.19.8 Fixed version 1.19.8 EPSS Score 0.683% EPSS Percentile 80th percentile Description Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution. Affected range <1.16.14 Fixed version 1.16.14 EPSS Score 1.466% EPSS Percentile 87th percentile Description Some big.Int values that are not valid field elements (negative or overflowing) might cause Curve.IsOnCurve to incorrectly return true. Operating on those values may cause a panic or an invalid curve operation. Note that Unmarshal will never return such values. Affected range >=1.13.0-0 <1.13.7 Fixed version 1.13.7 EPSS Score 97.027% EPSS Percentile 100th percentile Description A Windows vulnerability allows attackers to spoof valid certificate chains when the system root store is in use. A workaround is present in Go 1.12.6+ and Go 1.13.7+, but affected users should additionally install the Windows security update to protect their system. See https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0601 for details on the Windows vulnerability. Affected range <1.19.10 Fixed version 1.19.10 EPSS Score 0.111% EPSS Percentile 46th percentile Description On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers. Affected range <1.17.11 Fixed version 1.17.11 EPSS Score 0.045% EPSS Percentile 17th percentile Description On Windows, executing Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset will unintentionally trigger execution of any binaries in the working directory named either "..com" or "..exe". Affected range <1.22.7 Fixed version 1.22.7 EPSS Score 0.045% EPSS Percentile 18th percentile Description Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. Affected range <1.22.7 Fixed version 1.22.7 EPSS Score 0.045% EPSS Percentile 18th percentile Description Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. Affected range <1.21.12 Fixed version 1.21.12 EPSS Score 0.045% EPSS Percentile 18th percentile Description The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail. Affected range <1.21.8 Fixed version 1.21.8 EPSS Score 0.044% EPSS Percentile 13th percentile Description The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers. Affected range <1.21.9 Fixed version 1.21.9 EPSS Score 0.044% EPSS Percentile 16th percentile Description An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection. Affected range <1.20.0 Fixed version 1.20.0 EPSS Score 0.119% EPSS Percentile 47th percentile Description Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels. Affected range <1.20.11 Fixed version 1.20.11 EPSS Score 0.272% EPSS Percentile 68th percentile Description The filepath package does not recognize paths with a ??\ prefix as special. On Windows, a path beginning with ??\ is a Root Local Device path equivalent to a path beginning with \?. Paths with a ??\ prefix may be used to access arbitrary locations on the system. For example, the path ??\c:\x is equivalent to the more common path c:\x. Before fix, Clean could convert a rooted path such as \a..??\b into the root local device path ??\b. Clean will now convert this to .??\b. Similarly, Join(, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path ??\b. Join will now convert this to .??\b. In addition, with fix, IsAbs now correctly reports paths beginning with ??\ as absolute, and VolumeName correctly reports the ??\ prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with ?, resulting in filepath.Clean(?\c:) returning ?\c: rather than ?\c:\ (among other effects). The previous behavior has been restored. Affected range <1.20.10 Fixed version 1.20.10 EPSS Score 80.090% EPSS Percentile 99th percentile Description A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. Affected range <1.20.10 Fixed version 1.20.10 EPSS Score 0.590% EPSS Percentile 78th percentile Description A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. Affected range <1.19.8 Fixed version 1.19.8 EPSS Score 0.197% EPSS Percentile 58th percentile Description Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow. Affected range <1.19.8 Fixed version 1.19.8 EPSS Score 0.749% EPSS Percentile 81st percentile Description Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix, ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms: Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=. Affected range <1.19.8 Fixed version 1.19.8 EPSS Score 0.339% EPSS Percentile 71st percentile Description HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers. Affected range <1.19.6 Fixed version 1.19.6 EPSS Score 0.246% EPSS Percentile 64th percentile Description A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing "up to maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files. With fix, ReadForm now properly accounts for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware that this limit is high and may still be hazardous. In addition, ReadForm now creates at most one on-disk temporary file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type's documentation states, "If stored on disk, the File's underlying concrete type will be an *os.File.". This is no longer the case when a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct. Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader. Affected range <1.19.6 Fixed version 1.19.6 EPSS Score 0.240% EPSS Percentile 62nd percentile Description Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert). Affected range <1.19.6 Fixed version 1.19.6 EPSS Score 1.734% EPSS Percentile 88th percentile Description A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. Affected range <1.19.6 Fixed version 1.19.6 EPSS Score 0.119% EPSS Percentile 47th percentile Description A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path ".\c:\b". Affected range <1.18.9 Fixed version 1.18.9 EPSS Score 0.130% EPSS Percentile 49th percentile Description On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. With fix applied, the behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error. Affected range <1.18.8 Fixed version 1.18.8 EPSS Score 0.095% EPSS Percentile 42nd percentile Description Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D". Affected range <1.18.7 Fixed version 1.18.7 EPSS Score 0.228% EPSS Percentile 61st percentile Description Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected. Affected range <1.17.13 Fixed version 1.17.13 EPSS Score 0.183% EPSS Percentile 56th percentile Description Decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service. Affected range <1.17.12 Fixed version 1.17.12 EPSS Score 0.215% EPSS Percentile 60th percentile Description Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. Affected range <1.17.11 Fixed version 1.17.11 EPSS Score 0.175% EPSS Percentile 55th percentile Description On Windows, rand.Read will hang indefinitely if passed a buffer larger than 1 << 32 - 1 bytes. Affected range <1.17.12 Fixed version 1.17.12 EPSS Score 0.215% EPSS Percentile 60th percentile Description Unmarshaling an XML document into a Go struct which has a nested field that uses the 'any' field tag can panic due to stack exhaustion. Affected range <1.17.12 Fixed version 1.17.12 EPSS Score 0.215% EPSS Percentile 60th percentile Description Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion. Affected range <1.17.12 Fixed version 1.17.12 EPSS Score 0.215% EPSS Percentile 60th percentile Description Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion. Affected range <1.17.12 Fixed version 1.17.12 EPSS Score 0.215% EPSS Percentile 60th percentile Description Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion. Affected range <1.17.11 Fixed version 1.17.11 EPSS Score 0.180% EPSS Percentile 56th percentile Description On Windows, the filepath.Clean function can convert certain invalid paths to valid, absolute paths, potentially allowing a directory traversal attack. For example, Clean(".\c:") returns "c:". Affected range <1.18.7 Fixed version 1.18.7 EPSS Score 0.163% EPSS Percentile 54th percentile Description Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged. Affected range <1.18.7 Fixed version 1.18.7 EPSS Score 0.215% EPSS Percentile 60th percentile Description Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB. Affected range <1.17.9 Fixed version 1.17.9 EPSS Score 0.632% EPSS Percentile 79th percentile Description A crafted scalar input longer than 32 bytes can cause P256().ScalarMult or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected. Affected range <1.17.12 Fixed version 1.17.12 EPSS Score 0.218% EPSS Percentile 60th percentile Description Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion. Affected range <1.18.6 Fixed version 1.18.6 EPSS Score 0.271% EPSS Percentile 68th percentile Description HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service. Affected range <1.16.15 Fixed version 1.16.15 EPSS Score 1.408% EPSS Percentile 86th percentile Description On 64-bit platforms, an extremely deeply nested expression can cause regexp.Compile to cause goroutine stack exhaustion, forcing the program to exit. Note this applies to very large expressions, on the order of 2MB. Affected range <1.17.9 Fixed version 1.17.9 EPSS Score 1.568% EPSS Percentile 87th percentile Description encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data. Affected range <1.16.14 Fixed version 1.16.14 EPSS Score 0.925% EPSS Percentile 83rd percentile Description Rat.SetString had an overflow issue that can lead to uncontrolled memory consumption. Affected range <1.16.12 Fixed version 1.16.12 EPSS Score 3.640% EPSS Percentile 92nd percentile Description An attacker can cause unbounded memory growth in servers accepting HTTP/2 requests. Affected range <1.16.10 Fixed version 1.16.10 EPSS Score 0.447% EPSS Percentile 75th percentile Description Previously, opening a zip with (*Reader).Open could result in a panic if the zip contained a file whose name was exclusively made up of slash characters or ".." path elements. Open could also panic if passed the empty string directly as an argument. Now, any files in the zip whose name could not be made valid for fs.FS.Open will be skipped, and no longer added to the fs.FS file list, although they are still accessible through (*Reader).File. Note that it was already the case that a file could be accessible from (*Reader).Open with a name different from the one in (*Reader).File, as the former is the cleaned name, while the latter is the original one. Finally, the actual panic site was made robust as a defense-in-depth measure. Affected range <1.16.10 Fixed version 1.16.10 EPSS Score 1.556% EPSS Percentile 87th percentile Description Calling File.ImportedSymbols on a loaded file which contains an invalid dynamic symbol table command can cause a panic, in particular if the encoded number of undefined symbols is larger than the number of symbols in the symbol table. Affected range <1.16.8 Fixed version 1.16.8 EPSS Score 0.255% EPSS Percentile 65th percentile Description The NewReader and OpenReader functions in archive/zip can cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size. This is caused by an incomplete fix for CVE-2021-33196. Affected range <1.15.13 Fixed version 1.15.13 EPSS Score 0.211% EPSS Percentile 59th percentile Description Rat.SetString and Rat.UnmarshalText may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents. Affected range <1.15.13 Fixed version 1.15.13 EPSS Score 0.517% EPSS Percentile 77th percentile Description NewReader and OpenReader can cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size. Affected range <1.15.9 Fixed version 1.15.9 EPSS Score 0.094% EPSS Percentile 42nd percentile Description The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by xml.NewTokenDecoder may enter an infinite loop when operating on a custom xml.TokenReader which returns an EOF in the middle of an open XML element. Affected range >=1.13.0-0 <1.13.7 Fixed version 1.13.7 EPSS Score 1.100% EPSS Percentile 85th percentile Description On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic. The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Affected range <1.13.15 Fixed version 1.13.15 EPSS Score 0.645% EPSS Percentile 79th percentile Description ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs. Certain invalid inputs to ReadUvarint or ReadVarint can cause these functions to read an unlimited number of bytes from the ByteReader parameter before returning an error. This can lead to processing more input than expected when the caller is reading directly from a network and depends on ReadUvarint or ReadVarint only consuming a small, bounded number of bytes, even from invalid inputs. Affected range >=1.13.0-0 <1.13.2 Fixed version 1.13.2 EPSS Score 0.325% EPSS Percentile 71st percentile Description Invalid DSA public keys can cause a panic in dsa.Verify. In particular, using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic, even if the certificates don't chain to a trusted root. The chain can be delivered via a crypto/tls connection to a client, or to a server that accepts and verifies client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Moreover, an application might crash invoking crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate request, parsing a golang.org/x/crypto/openpgp Entity, or during a golang.org/x/crypto/otr conversation. Finally, a golang.org/x/crypto/ssh client can panic due to a malformed host key, while a server could panic if either PublicKeyCallback accepts a malformed public key, or if IsUserAuthority accepts a certificate with a malformed public key. Affected range <1.19.9 Fixed version 1.19.9 EPSS Score 0.101% EPSS Percentile 43rd percentile Description Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags. Affected range <1.19.9 Fixed version 1.19.9 EPSS Score 0.101% EPSS Percentile 43rd percentile Description Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input. Affected range <1.15.13 Fixed version 1.15.13 EPSS Score 0.734% EPSS Percentile 81st percentile Description The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions and their respective methods on the Resolver type may return arbitrary values retrieved from DNS which do not follow the established RFC 1035 rules for domain names. If these names are used without further sanitization, for instance unsafely included in HTML, they may allow for injection of unexpected content. Note that LookupTXT may still return arbitrary values that could require sanitization before further use. Affected range <1.21.8 Fixed version 1.21.8 EPSS Score 0.044% EPSS Percentile 13th percentile Description When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines. Affected range <1.19.11 Fixed version 1.19.11 EPSS Score 0.120% EPSS Percentile 48th percentile Description The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value. Affected range <1.17.12 Fixed version 1.17.12 EPSS Score 0.161% EPSS Percentile 54th percentile Description Client IP adresses may be unintentionally exposed via X-Forwarded-For headers. When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy sets the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more usual case where a Director function sets the X-Forwarded-For header value to nil, ReverseProxy leaves the header unmodified as expected. Affected range <1.17.12 Fixed version 1.17.12 EPSS Score 0.159% EPSS Percentile 53rd percentile Description The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid. Affected range <1.15.14 Fixed version 1.15.14 EPSS Score 0.341% EPSS Percentile 72nd percentile Description crypto/tls clients can panic when provided a certificate of the wrong type for the negotiated parameters. net/http clients performing HTTPS requests are also affected. Affected range <1.14.14 Fixed version 1.14.14 EPSS Score 0.461% EPSS Percentile 76th percentile Description The P224() Curve implementation can in rare circumstances generate incorrect outputs, including returning invalid points from ScalarMult. Affected range <1.22.11 Fixed version 1.22.11 EPSS Score 0.045% EPSS Percentile 18th percentile Description A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs. Affected range <1.22.11 Fixed version 1.22.11 EPSS Score 0.045% EPSS Percentile 18th percentile Description The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2. Affected range <1.20.8 Fixed version 1.20.8 EPSS Score 0.154% EPSS Percentile 53rd percentile Description The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack. Affected range <1.20.8 Fixed version 1.20.8 EPSS Score 0.211% EPSS Percentile 59th percentile Description The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack. Affected range <1.14.8 Fixed version 1.14.8 EPSS Score 0.721% EPSS Percentile 81st percentile Description When a Handler does not explicitly set the Content-Type header, the the package would default to “text/html”, which could cause a Cross-Site Scripting vulnerability if an attacker can control any part of the contents of a response. The Content-Type header is now set based on the contents of the first Write using http.DetectContentType, which is consistent with the behavior of the net/http package. Although this protects some applications that validate the contents of uploaded files, not setting the Content-Type header explicitly on any attacker-controlled file is unsafe and should be avoided. Affected range <1.21.8 Fixed version 1.21.8 EPSS Score 0.044% EPSS Percentile 13th percentile Description Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates. Affected range <1.15.15 Fixed version 1.15.15 EPSS Score 0.641% EPSS Percentile 79th percentile Description ReverseProxy can panic after encountering a problem copying a proxied response body. Affected range <1.15.12 Fixed version 1.15.12 EPSS Score 0.579% EPSS Percentile 78th percentile Description A malicious HTTP server or client can cause the net/http client or server to panic. ReadRequest and ReadResponse can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones). Transport and Client are vulnerable and the program can be made to crash by a malicious server. Server is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value, in which case the program can be made to crash by a malicious client. This also affects golang.org/x/net/http2/h2c and HeaderValuesContainsToken in golang.org/x/net/http/httpguts. Affected range <1.13.13 Fixed version 1.13.13 EPSS Score 0.536% EPSS Percentile 77th percentile Description HTTP servers where the Handler concurrently reads the request body and writes a response can encounter a data race and crash. The httputil.ReverseProxy Handler is affected. Affected range <1.21.11 Fixed version 1.21.11 EPSS Score 0.043% EPSS Percentile 12th percentile Description The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors. Affected range <1.17.12 Fixed version 1.17.12 EPSS Score 0.076% EPSS Percentile 36th percentile Description Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion. Affected range <1.20.11 Fixed version 1.20.11 EPSS Score 0.111% EPSS Percentile 46th percentile Description On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now correctly reports these names as non-local. Affected range <1.20.12 Fixed version 1.20.12 EPSS Score 0.111% EPSS Percentile 46th percentile Description A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small. Affected range <1.19.12 Fixed version 1.19.12 EPSS Score 0.150% EPSS Percentile 52nd percentile Description Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable. Affected range <1.19.7 Fixed version 1.19.7 EPSS Score 0.086% EPSS Percentile 39th percentile Description The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh. Affected range <1.18.9 Fixed version 1.18.9 EPSS Score 0.361% EPSS Percentile 72nd percentile Description An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection. Affected range <1.17.10 Fixed version 1.17.10 EPSS Score 0.261% EPSS Percentile 65th percentile Description When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible. Affected range <1.15.13 Fixed version 1.15.13 EPSS Score 0.138% EPSS Percentile 50th percentile Description ReverseProxy can be made to forward certain hop-by-hop headers, including Connection. If the target of the ReverseProxy is itself a reverse proxy, this lets an attacker drop arbitrary headers, including those set by the ReverseProxy.Director. Affected range <1.13.13 Fixed version 1.13.13 EPSS Score 0.200% EPSS Percentile 58th percentile Description On Windows, if VerifyOptions.Roots is nil, Certificate.Verify does not check the EKU requirements specified in VerifyOptions.KeyUsages. This may allow a certificate to be used for an unintended purpose. Affected range <1.16.12 Fixed version 1.16.12 EPSS Score 0.517% EPSS Percentile 77th percentile Description When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit. Affected range <1.22.7 Fixed version 1.22.7 EPSS Score 0.045% EPSS Percentile 18th percentile Description Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion. Affected range <1.21.8 Fixed version 1.21.8 EPSS Score 0.044% EPSS Percentile 13th percentile Description When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded. Affected range <1.22.12 Fixed version 1.22.12 EPSS Score 0.045% EPSS Percentile 18th percentile Description Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols. Affected range <1.17.11 Fixed version 1.17.11 EPSS Score 0.140% EPSS Percentile 51st percentile Description An attacker can correlate a resumed TLS session with a previous connection. Session tickets generated by crypto/tls do not contain a randomly generated ticket_age_add, which allows an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption. Affected range <1.21.8 Fixed version 1.21.8 EPSS Score 0.044% EPSS Percentile 13th percentile Description If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.

gopkg.in/src-d/go-git.v4 4.13.1 (golang) pkg:golang/gopkg.in/src-d/[email protected] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Affected range >=4.0.0 <=4.13.1 Fixed version Not Fixed CVSS Score 9.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.367% EPSS Percentile 73rd percentile Description Impact A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worse case scenario, remote code execution could be achieved. Applications are only affected if they are using the ChrootOS, which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS or in-memory filesystems are not affected by this issue. This is a go-git implementation issue and does not affect the upstream git cli. Patches Users running versions of go-git from v4 and above are recommended to upgrade to v5.11 in order to mitigate this vulnerability. Workarounds In cases where a bump to the latest version of go-git is not possible in a timely manner, we recommend limiting its use to only trust-worthy Git servers. Credit Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us. Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') Affected range >=4.0.0 <=4.13.1 Fixed version Not Fixed CVSS Score 9.2 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear EPSS Score 0.043% EPSS Percentile 12th percentile Description Impact An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. Affected versions Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability. Workarounds In cases where a bump to the latest version of go-git is not possible, we recommend users to enforce restrict validation rules for values passed in the URL field. Credit Thanks to @vin01 for responsibly disclosing this vulnerability to us. Improper Input Validation Affected range >=4.0.0 <=4.13.1 Fixed version Not Fixed CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.043% EPSS Percentile 12th percentile Description Impact A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. This is a go-git implementation issue and does not affect the upstream git cli. Patches Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability. Workarounds In cases where a bump to the latest version of go-git is not possible, we recommend limiting its use to only trust-worthy Git servers. Credit Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us. Improper Input Validation Affected range >=4.7.1 <=4.13.1 Fixed version Not Fixed CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.078% EPSS Percentile 36th percentile Description Impact A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability. This is a go-git implementation issue and does not affect the upstream git cli. Patches Users running versions of go-git from v4 and above are recommended to upgrade to v5.11 in order to mitigate this vulnerability. Workarounds In cases where a bump to the latest version of go-git is not possible, we recommend limiting its use to only trust-worthy Git servers. Credit Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us. References GHSA-mw99-9chc-xw7r

golang.org/x/crypto 0.0.0-20191128160524-b544559bb6d1 (golang) pkg:golang/golang.org/x/[email protected] Affected range <0.0.0-20220525230936-793ad666bf5e Fixed version 0.0.0-20220525230936-793ad666bf5e EPSS Score 0.045% EPSS Percentile 18th percentile Description httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/....\asd becomes ....\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix. Use of a Broken or Risky Cryptographic Algorithm Affected range <0.0.0-20220314234659-1baeb1ce4c0b Fixed version 0.0.0-20220314234659-1baeb1ce4c0b CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.379% EPSS Percentile 73rd percentile Description The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey. Affected range <0.0.0-20211202192323-5770296d904e Fixed version 0.0.0-20211202192323-5770296d904e CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.081% EPSS Percentile 37th percentile Description The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an unauthenticated attacker to panic an SSH server. When using AES-GCM or ChaCha20Poly1305, consuming a malformed packet which contains an empty plaintext causes a panic. Improper Verification of Cryptographic Signature Affected range <0.0.0-20200220183623-bac4c82f6975 Fixed version 0.0.0-20200220183623-bac4c82f6975 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 13.960% EPSS Percentile 96th percentile Description golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client. Improper Certificate Validation Affected range <0.0.0-20200124225646-8b5121be2f68 Fixed version 0.0.0-20200124225646-8b5121be2f68 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 1.100% EPSS Percentile 85th percentile Description The Helm core maintainers have identified a high severity security vulnerability in Go's crypto package affecting all versions prior to Helm 2.16.8 and Helm 3.1.0. Thanks to @ravin9249 for identifying the vulnerability. Impact Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients resulting in a panic via a malformed X.509 certificate. This may allow a remote attacker to cause a denial of service. Patches A patch to compile Helm against Go 1.14.4 has been provided for Helm 2 and is available in Helm 2.16.8. Helm 3.1.0 and newer are compiled against Go 1.13.7+. Workarounds No workaround is available. Users are urged to upgrade. References https://nvd.nist.gov/vuln/detail/CVE-2020-7919 fix(ci): use go 1.14 helm/helm#8288 For more information If you have any questions or comments about this advisory: Open an issue in the Helm repository For security-specific issues, email us at [email protected] NULL Pointer Dereference Affected range <0.0.0-20201216223049-8b5274cf687f Fixed version 0.0.0-20201216223049-8b5274cf687f CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.907% EPSS Percentile 83rd percentile Description A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers. An attacker can craft an authentication request message for the gssapi-with-mic method which will cause NewServerConn to panic via a nil pointer dereference if ServerConfig.GSSAPIWithMICConfig is nil.

github.com/containerd/containerd 1.3.1 (golang) pkg:golang/github.com/containerd/[email protected] Exposure of Sensitive Information to an Unauthorized Actor Affected range <1.4.13 Fixed version 1.4.13 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.866% EPSS Percentile 82nd percentile Description Impact A bug was found in containerd where containers launched through containerd’s CRI implementation with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation. Patches This bug has been fixed in containerd 1.6.1, 1.5.10 and 1.4.13. Users should update to these versions to resolve the issue. Workarounds Ensure that only trusted images are used. Credits The containerd project would like to thank Felix Wilhelm of Google Project Zero for responsibly disclosing this issue in accordance with the containerd security policy. For more information If you have any questions or comments about this advisory: Open an issue in containerd Email us at [email protected] Affected range <1.5.18 Fixed version 1.5.18 EPSS Score 0.042% EPSS Percentile 5th percentile Description Supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases and potentially escalate privileges in the container. Uses of the containerd client library may also have improperly setup supplementary groups. Affected range <1.5.18 Fixed version 1.5.18 EPSS Score 0.046% EPSS Percentile 20th percentile Description Supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases and potentially escalate privileges in the container. Uses of the containerd client library may also have improperly setup supplementary groups. Affected range <1.5.18 Fixed version 1.5.18 EPSS Score 0.046% EPSS Percentile 20th percentile Description Supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases and potentially escalate privileges in the container. Uses of the containerd client library may also have improperly setup supplementary groups. Exposure of Sensitive Information to an Unauthorized Actor Affected range <1.3.10 Fixed version 1.3.10 CVSS Score 6.3 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N EPSS Score 0.119% EPSS Percentile 47th percentile Description Impact Containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. If you are not using containerd’s CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue Patches This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these versions as soon as they are released. Workarounds There are no known workarounds. For more information If you have any questions or comments about this advisory: Open an issue Email us at [email protected] if you think you’ve found a security bug. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Affected range <1.4.11 Fixed version 1.4.11 CVSS Score 5.9 CVSS Vector CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L EPSS Score 0.045% EPSS Percentile 17th percentile Description Impact A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. Patches This vulnerability has been fixed in containerd 1.4.11 and containerd 1.5.7. Users should update to these version when they are released and may restart containers or update directory permissions to mitigate the vulnerability. Workarounds Limit access to the host to trusted users. Update directory permission on container bundles directories. For more information If you have any questions or comments about this advisory: Open an issue in github.com/containerd/containerd Email us at [email protected] Uncontrolled Resource Consumption Affected range <1.5.16 Fixed version 1.5.16 CVSS Score 5.7 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H EPSS Score 0.097% EPSS Percentile 42nd percentile Description Impact A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. Patches This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. Workarounds Ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers. For more information If you have any questions or comments about this advisory: Open an issue in containerd Email us at [email protected] To report a security issue in containerd: Report a new vulnerability Email us at [email protected] Uncontrolled Resource Consumption Affected range <1.5.18 Fixed version 1.5.18 CVSS Score 5.5 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H EPSS Score 0.067% EPSS Percentile 32nd percentile Description Impact When importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. Patches This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. Workarounds Ensure that only trusted images are used and that only trusted users have permissions to import images. Credits The containerd project would like to thank David Korczynski and Adam Korczynski of ADA Logics for responsibly disclosing this issue in accordance with the containerd security policy during a security fuzzing audit sponsored by CNCF. For more information If you have any questions or comments about this advisory: Open an issue in containerd Email us at [email protected] To report a security issue in containerd: Report a new vulnerability Email us at [email protected] Uncontrolled Resource Consumption Affected range <1.5.13 Fixed version 1.5.13 CVSS Score 5.5 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.045% EPSS Percentile 17th percentile Description Impact A bug was found in containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the ExecSync API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; ExecSync may be used when running probes or when executing processes via an "exec" facility. Patches This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Workarounds Ensure that only trusted images and commands are used. References Similar fix in cri-o's CRI implementation GHSA-fcm2-6c3h-pg6j Credits The containerd project would like to thank David Korczynski and Adam Korczynski of ADA Logics for responsibly disclosing this issue in accordance with the containerd security policy during a security audit sponsored by CNCF and facilitated by OSTIF. For more information If you have any questions or comments about this advisory: Open an issue in containerd Email us at [email protected] Improper Privilege Management Affected range <1.5.18 Fixed version 1.5.18 CVSS Score 5.3 CVSS Vector CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L EPSS Score 0.165% EPSS Percentile 54th percentile Description Impact A bug was found in containerd where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. Patches This bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. Workarounds Ensure that the "USER $USERNAME" Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to ENTRYPOINT ["su", "-", "user"] to allow su to properly set up supplementary groups. References https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/ Docker/Moby: CVE-2022-36109, fixed in Docker 20.10.18 CRI-O: CVE-2022-2995, fixed in CRI-O 1.25.0 Podman: CVE-2022-2989, fixed in Podman 3.0.1 and 4.2.0 Buildah: CVE-2022-2990, fixed in Buildah 1.27.1 Note that CVE IDs apply to a particular implementation, even if an issue is common. For more information If you have any questions or comments about this advisory: Open an issue in containerd Email us at [email protected] To report a security issue in containerd: Report a new vulnerability Email us at [email protected] Affected range <1.5.18 Fixed version 1.5.18 EPSS Score 0.217% EPSS Percentile 60th percentile Description Supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases and potentially escalate privileges in the container. Uses of the containerd client library may also have improperly setup supplementary groups. Incorrect Resource Transfer Between Spheres Affected range <1.3.9 Fixed version 1.3.9 CVSS Score 5.2 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Impact Access controls for the shim’s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. Specific Go Packages Affected github.com/containerd/containerd/cmd Patches This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade. Workarounds If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the "host" network namespace, for example with docker run --net=host or hostNetwork: true in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to deny unix addr=@**, to your policy. It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container's privilege, regardless of what container runtime is used for running that container. Credits The containerd maintainers would like to thank Jeff Dileo of NCC Group for responsibly disclosing this issue in accordance with the containerd security policy and for reviewing the patch. For more information If you have any questions or comments about this advisory: Open an issue Email us at [email protected] if you think you’ve found a security bug. Exposure of Resource to Wrong Sphere Affected range <1.4.8 Fixed version 1.4.8 CVSS Score 5 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L EPSS Score 0.202% EPSS Percentile 58th percentile Description Impact A bug was found in containerd where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. Patches This bug has been fixed in containerd 1.5.4 and 1.4.8. Users should update to these versions as soon as they are released. Running containers do not need to be restarted. Workarounds Ensure you only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with unexpected files. For more information If you have any questions or comments about this advisory: Open an issue Email us at [email protected] if you think you’ve found a security bug. Affected range <=1.6.25 Fixed version 1.6.26 Description /sys/devices/virtual/powercap accessible by default to containers Intel's RAPL (Running Average Power Limit) feature, introduced by the Sandy Bridge microarchitecture, provides software insights into hardware energy consumption. To facilitate this, Intel introduced the powercap framework in Linux kernel 3.13, which reads values via relevant MSRs (model specific registers) and provides unprivileged userspace access via sysfs. As RAPL is an interface to access a hardware feature, it is only available when running on bare metal with the module compiled into the kernel. By 2019, it was realized that in some cases unprivileged access to RAPL readings could be exploited as a power-based side-channel against security features including AES-NI (potentially inside a SGX enclave) and KASLR (kernel address space layout randomization). Also known as the PLATYPUS attack, Intel assigned CVE-2020-8694 and CVE-2020-8695, and AMD assigned CVE-2020-12912. Several mitigations were applied; Intel reduced the sampling resolution via a microcode update, and the Linux kernel prevents access by non-root users since 5.10. However, this kernel-based mitigation does not apply to many container-based scenarios: Unless using user namespaces, root inside a container has the same level of privilege as root outside the container, but with a slightly more narrow view of the system sysfs is mounted inside containers read-only; however only read access is needed to carry out this attack on an unpatched CPU While this is not a direct vulnerability in container runtimes, defense in depth and safe defaults are valuable and preferred, especially as this poses a risk to multi-tenant container environments. This is provided by masking /sys/devices/virtual/powercap in the default mount configuration, and adding an additional set of rules to deny it in the default AppArmor profile. While sysfs is not the only way to read from the RAPL subsystem, other ways of accessing it require additional capabilities such as CAP_SYS_RAWIO which is not available to containers by default, or perf paranoia level less than 1, which is a non-default kernel tunable. References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8694 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8695 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12912 https://platypusattack.com/ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=949dd0104c496fa7c14991a23c03c62e44637e71 https://web.eece.maine.edu/~vweaver/projects/rapl/ Access of Resource Using Incompatible Type ('Type Confusion') Affected range <1.4.12 Fixed version 1.4.12 CVSS Score 3 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N Description Impact In the OCI Distribution Specification version 1.0.0 and prior and in the OCI Image Specification version 1.0.1 and prior, manifest and index documents are ambiguous without an accompanying Content-Type HTTP header. Versions of containerd prior to 1.4.12 and 1.5.8 treat the Content-Type header as trusted and deserialize the document according to that header. If the Content-Type header changed between pulls of the same ambiguous document (with the same digest), the document may be interpreted differently, meaning that the digest alone is insufficient to unambiguously identify the content of the image. Patches This issue has been fixed in containerd 1.4.12 and 1.5.8. Image pulls for manifests that contain a “manifests” field or indices which contain a “layers” field are rejected. Workarounds Ensure you only pull images from trusted sources. References GHSA-mc8v-mgrf-8f4m GHSA-77vh-xpmg-72qh For more information If you have any questions or comments about this advisory: Open an issue in containerd Email us at [email protected] Affected range <1.5.11 Fixed version 1.5.11 Description Impact A bug was found in containerd where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. Patches This bug has been fixed in containerd 1.5.11 and 1.6.2. Users should update to these versions as soon as possible. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes containerd behavior such that containers are started with a more typical Linux environment. Refer to capabilities(7) for a description of how capabilities work. Note that permitted file capabilities continue to allow for privileges to be raised up to the container's bounding set and that processes may add capabilities to their own inheritable set up to the container's bounding set per the rules described in the manual page. In all cases the container's bounding set provides an upper bound on the capabilities that can be assumed and provides for the container security sandbox. Workarounds The entrypoint of a container can be modified to use a utility like capsh(1) to drop inheritable capabilities prior to the primary process starting. For more information If you have any questions or comments about this advisory: Open an issue Email us at [email protected] if you think you’ve found a security bug

golang.org/x/net 0.0.0-20191126235420-ef20fe5d7933 (golang) pkg:golang/golang.org/x/[email protected] Affected range <0.0.0-20220906165146-f3363e06e74c Fixed version 0.0.0-20220906165146-f3363e06e74c CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.271% EPSS Percentile 68th percentile Description In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. Affected range <0.0.0-20211209124913-491a49abca63 Fixed version 0.0.0-20211209124913-491a49abca63 EPSS Score 3.640% EPSS Percentile 92nd percentile Description An attacker can cause unbounded memory growth in servers accepting HTTP/2 requests. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range <0.0.0-20210520170846-37e1c6afe023 Fixed version 0.0.0-20210520170846-37e1c6afe023 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.147% EPSS Percentile 52nd percentile Description Go through 1.15.12 and 1.16.x through 1.16.4 has a golang.org/x/net/html infinite loop via crafted ParseFragment input. Uncontrolled Recursion Affected range <0.0.0-20210428140749-89ef3d95e781 Fixed version 0.0.0-20210428140749-89ef3d95e781 CVSS Score 5.9 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.579% EPSS Percentile 78th percentile Description golang.org/x/net/http/httpguts in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.

github.com/prometheus/client_golang 1.1.0 (golang) pkg:golang/github.com/prometheus/[email protected] Affected range <1.11.1 Fixed version 1.11.1 EPSS Score 0.334% EPSS Percentile 71st percentile Description The Prometheus client_golang HTTP server is vulnerable to a denial of service attack when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of the promhttp.InstrumentHandler* middleware except RequestsInFlight; not filter any specific methods (e.g GET) before middleware; pass a metric with a "method" label name to a middleware; and not have any firewall/LB/proxy that filters away requests with unknown "method". Affected range <1.11.1 Fixed version 1.11.1 EPSS Score 0.097% EPSS Percentile 42nd percentile Description The Prometheus client_golang HTTP server is vulnerable to a denial of service attack when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of the promhttp.InstrumentHandler* middleware except RequestsInFlight; not filter any specific methods (e.g GET) before middleware; pass a metric with a "method" label name to a middleware; and not have any firewall/LB/proxy that filters away requests with unknown "method". Uncontrolled Resource Consumption Affected range <1.11.1 Fixed version 1.11.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.754% EPSS Percentile 81st percentile Description This is the Go client library for Prometheus. It has two separate parts, one for instrumenting application code, and one for creating clients that talk to the Prometheus HTTP API. client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. Impact HTTP server susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. Affected Configuration In order to be affected, an instrumented software must Use any of promhttp.InstrumentHandler* middleware except RequestsInFlight. Do not filter any specific methods (e.g GET) before middleware. Pass metric with method label name to our middleware. Not have any firewall/LB/proxy that filters away requests with unknown method. Patches promhttp: Check validity of method and code label values prometheus/client_golang#962 promhttp: Check validity of method and code label values (#962) prometheus/client_golang#987 Workarounds If you cannot upgrade to v1.11.1 or above, in order to stop being affected you can: Remove method label name from counter/gauge you use in the InstrumentHandler. Turn off affected promhttp handlers. Add custom middleware before promhttp handler that will sanitize the request method given by Go http.Request. Use a reverse proxy or web application firewall, configured to only allow a limited set of methods. For more information If you have any questions or comments about this advisory: Open an issue in https://github.com/prometheus/client_golang Email us at [email protected]

golang.org/x/text 0.3.2 (golang) pkg:golang/golang.org/x/[email protected] Missing Release of Resource after Effective Lifetime Affected range <0.3.8 Fixed version 0.3.8 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.168% EPSS Percentile 55th percentile Description The BCP 47 tag parser has quadratic time complexity due to inherent aspects of its design. Since the parser is, by design, exposed to untrusted user input, this can be leveraged to force a program to consume significant time parsing Accept-Language headers. The parser cannot be easily rewritten to fix this behavior for various reasons. Instead the solution implemented in this CL is to limit the total complexity of tags passed into ParseAcceptLanguage by limiting the number of dashes in the string to 1000. This should be more than enough for the majority of real world use cases, where the number of tags being sent is likely to be in the single digits. Specific Go Packages Affected golang.org/x/text/language Out-of-bounds Read Affected range <0.3.7 Fixed version 0.3.7 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.115% EPSS Percentile 47th percentile Description golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack. Uncontrolled Resource Consumption Affected range <0.3.3 Fixed version 0.3.3 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C EPSS Score 0.116% EPSS Percentile 47th percentile Description Go version v0.3.3 of the x/text package fixes a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String. Specific Go Packages Affected golang.org/x/text/encoding/unicode golang.org/x/text/transform

github.com/opencontainers/runc 0.0.0-20161109192122-51371867a01c (golang) pkg:golang/github.com/opencontainers/[email protected] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Affected range <0.0.0-20210519065900-b9ee9c631459 Fixed version 0.0.0-20210519065900-b9ee9c631459 CVSS Score 7.6 CVSS Vector CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N EPSS Score 0.217% EPSS Percentile 60th percentile Description Summary runc 1.0.0-rc94 and earlier are vulnerable to a symlink exchange attack whereby an attacker can request a seemingly-innocuous container configuration that actually results in the host filesystem being bind-mounted into the container (allowing for a container escape). CVE-2021-30465 has been assigned for this issue. An attacker must have the ability to start containers using some kind of custom volume configuration, and while recommended container hardening mechanisms such as LSMs (AppArmor/SELinux) and user namespaces will restrict the amount of damage an attacker could do, they do not block this attack outright. We have a reproducer using Kubernetes (and the below description mentions Kubernetes-specific paths), but this is not a Kubernetes-specific issue. The now-released runc v1.0.0-rc95 contains a fix for this issue, we recommend users update as soon as possible. Details In circumstances where a container is being started, and runc is mounting inside a volume shared with another container (which is conducting a symlink-exchange attack), runc can be tricked into mounting outside of the container rootfs by swapping the target of a mount with a symlink due to a time-of-check-to-time-of-use (TOCTTOU) flaw. This is fairly similar in style to previous TOCTTOU attacks (and is a problem we are working on solving with libpathrs). However, this alone is not useful because this happens inside a mount namespace with MS_SLAVE propagation applied to / (meaning that the mount doesn't appear on the host -- it's only a "host-side mount" inside the container's namespace). To exploit this, you must have additional mount entries in the configuration that use some subpath of the mounted-over host path as a source for a subsequent mount. However, it turns out with some container orchestrators (such as Kubernetes -- though it is very likely that other downstream users of runc could have similar behaviour be accessible to untrusted users), the existence of additional volume management infrastructure allows this attack to be applied to gain access to the host filesystem without requiring the attacker to have completely arbitrary control over container configuration. In the case of Kubernetes, this is exploitable by creating a symlink in a volume to the top-level (well-known) directory where volumes are sourced from (for instance, /var/lib/kubelet/pods/$MY_POD_UID/volumes/kubernetes.io~empty-dir), and then using that symlink as the target of a mount. The source of the mount is an attacker controlled directory, and thus the source directory from which subsequent mounts will occur is an attacker-controlled directory. Thus the attacker can first place a symlink to / in their malicious source directory with the name of a volume, and a subsequent mount in the container will bind-mount / into the container. Applying this attack requires the attacker to start containers with a slightly peculiar volume configuration (though not explicitly malicious-looking such as bind-mounting / into the container explicitly), and be able to run malicious code in a container that shares volumes with said volume configuration. It helps the attacker if the host paths used for volume management are well known, though this is not a hard requirement. Patches This has been patched in runc 1.0.0-rc95, and users should upgrade as soon as possible. The patch itself can be found here. Workarounds There are no known workarounds for this issue. However, users who enforce running containers with more confined security profiles (such as reduced capabilities, not running code as root in the container, user namespaces, AppArmor/SELinux, and seccomp) will restrict what an attacker can do in the case of a container breakout -- we recommend users make use of strict security profiles if possible (most notably user namespaces -- which can massively restrict the impact a container breakout can have on the host system). References commit seclists public disclosure Credit Thanks to Etienne Champetier for discovering and disclosing this vulnerability, to Noah Meyerhans for writing the first draft of this patch, and to Samuel Karp for testing it. For more information If you have any questions or comments about this advisory: Open an issue in our issue tracker. Email us at [email protected]. Exposure of Sensitive Information to an Unauthorized Actor Affected range <0.0.0-20170321022603-75f8da7c889a Fixed version 0.0.0-20170321022603-75f8da7c889a CVSS Score 6.4 CVSS Vector CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.065% EPSS Percentile 31st percentile Description RunC allowed additional container processes via 'runc exec' to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container. Improper Preservation of Permissions Affected range <0.0.0-20230329064553-f19387a6bec4 Fixed version 0.0.0-20230329064553-f19387a6bec4 CVSS Score 6.1 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L EPSS Score 0.044% EPSS Percentile 15th percentile Description Impact It was found that AppArmor, and potentially SELinux, can be bypassed when /proc inside the container is symlinked with a specific mount configuration. Patches Fixed in runc v1.1.5, by prohibiting symlinked /proc: opencontainers/runc#3785 This PR fixes CVE-2023-27561 as well. Workarounds Avoid using an untrusted container image. Integer Overflow or Wraparound Affected range <0.0.0-20211203081737-f46b6ba2c931 Fixed version 0.0.0-20211203081737-f46b6ba2c931 CVSS Score 6 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L EPSS Score 0.398% EPSS Percentile 74th percentile Description Impact In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the C portion of our code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. Prior to 9c444070ec7bb83995dbc0185da68284da71c554, in practice it was fairly difficult to specify an arbitrary-length netlink message with most container runtimes. The only user-controlled byte array was the namespace paths attributes which can be specified in runc's config.json, but as far as we can tell no container runtime gives raw access to that configuration setting -- and having raw access to that setting would allow the attacker to disable namespace protections entirely anyway (setting them to /proc/1/ns/... for instance). In addition, each namespace path is limited to 4096 bytes (with only 7 namespaces supported by runc at the moment) meaning that even with custom namespace paths it appears an attacker still cannot shove enough bytes into the netlink bytemsg in order to overflow the uint16 counter. However, out of an abundance of caution (given how old this bug is) we decided to treat it as a potentially exploitable vulnerability with a low severity. After 9c444070ec7bb83995dbc0185da68284da71c554 (which was not present in any release of runc prior to the discovery of this bug), all mount paths are included as a giant netlink message which means that this bug becomes significantly more exploitable in more reasonable threat scenarios. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure), though as mentioned above it appears this bug was not practically exploitable on any released version of runc to date. Patches The patch for this is d72d057ba794164c3cce9451a00b72a78b25e1ae and runc 1.0.3 was released with this bug fixed. Workarounds To the extent this is exploitable, disallowing untrusted namespace paths in container configuration should eliminate all practical ways of exploiting this bug. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug. References commit d72d057ba794 ("runc init: avoid netlink message length overflows") https://bugs.chromium.org/p/project-zero/issues/detail?id=2241 Credits Thanks to Felix Wilhelm from Google Project Zero for discovering and reporting this vulnerability. In particular, the fact they found this vulnerability so quickly, before we made a 1.1 release of runc (which would've been vulnerable) was quite impressive. For more information If you have any questions or comments about this advisory: Open an issue in our repo Incorrect Default Permissions Affected range <0.0.0-20220505194949-a916309fff0f Fixed version 0.0.0-20220505194949-a916309fff0f CVSS Score 5.9 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L EPSS Score 0.045% EPSS Percentile 17th percentile Description Impact A bug was found in runc where runc exec --cap executed processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. Patches This bug has been fixed in runc 1.1.2. Users should update to this version as soon as possible. This fix changes runc exec --cap behavior such that the additional capabilities granted to the process being executed (as specified via --cap arguments) do not include inheritable capabilities. In addition, runc spec is changed to not set any inheritable capabilities in the created example OCI spec (config.json) file. Credits The opencontainers project would like to thank Andrew G. Morgan for responsibly disclosing this issue in accordance with the opencontainers org security policy. For more information If you have any questions or comments about this advisory: Open an issue Email us at [email protected] if you think you’ve found a security bug Race Condition Enabling Link Following Affected range <0.0.0-20240903011541-2c9f5602f0ba Fixed version 0.0.0-20240903011541-2c9f5602f0ba CVSS Score 4.8 CVSS Vector CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/U:Green EPSS Score 0.045% EPSS Percentile 18th percentile Description Impact runc 1.1.13 and earlier as well as 1.2.0-rc2 and earlier can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with os.MkdirAll. While this can be used to create empty files, existing files will not be truncated. An attacker must have the ability to start containers using some kind of custom volume configuration. Containers using user namespaces are still affected, but the scope of places an attacker can create inodes can be significantly reduced. Sufficiently strict LSM policies (SELinux/Apparmor) can also in principle block this attack -- we suspect the industry standard SELinux policy may restrict this attack's scope but the exact scope of protection hasn't been analysed. This is exploitable using runc directly as well as through Docker and Kubernetes. The CVSS score for this vulnerability is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N (Low severity, 3.6). Workarounds Using user namespaces restricts this attack fairly significantly such that the attacker can only create inodes in directories that the remapped root user/group has write access to. Unless the root user is remapped to an actual user on the host (such as with rootless containers that don't use /etc/sub[ug]id), this in practice means that an attacker would only be able to create inodes in world-writable directories. A strict enough SELinux or AppArmor policy could in principle also restrict the scope if a specific label is applied to the runc runtime, though we haven't thoroughly tested to what extent the standard existing policies block this attack nor what exact policies are needed to sufficiently restrict this attack. Patches Fixed in runc v1.1.14 and v1.2.0-rc3. main patches: rootfs: consolidate mountpoint creation logic opencontainers/runc#4359 opencontainers/runc@63c2908 release-1.1 patches: opencontainers/runc@8781993 opencontainers/runc@f0b652e Credits Thanks to Rodrigo Campos Catelin (@rata) and Alban Crequy (@alban) from Microsoft for discovering and reporting this vulnerability. Improper Preservation of Permissions Affected range <0.0.0-20230329064553-f19387a6bec4 Fixed version 0.0.0-20230329064553-f19387a6bec4 CVSS Score 2.5 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L EPSS Score 0.044% EPSS Percentile 15th percentile Description Impact It was found that rootless runc makes /sys/fs/cgroup writable in following conditons: when runc is executed inside the user namespace, and the config.json does not specify the cgroup namespace to be unshared (e.g.., (docker|podman|nerdctl) run --cgroupns=host, with Rootless Docker/Podman/nerdctl) or, when runc is executed outside the user namespace, and /sys is mounted with rbind, ro (e.g., runc spec --rootless; this condition is very rare) A container may gain the write access to user-owned cgroup hierarchy /sys/fs/cgroup/user.slice/... on the host . Other users's cgroup hierarchies are not affected. Patches v1.1.5 (planned) Workarounds Condition 1: Unshare the cgroup namespace ((docker|podman|nerdctl) run --cgroupns=private). This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. Condition 2 (very rare): add /sys/fs/cgroup to maskedPaths Affected range <0.0.0-20200630152430-24a3cf88a7ae Fixed version 0.0.0-20200630152430-24a3cf88a7ae Description Impact Contrary to the OCI runtime specification, runc's implementation of the linux.resources.devices list was a black-list by default. This means that users who created their own config.json objects and didn't prefix a deny-all rule ({"allow": false, "permissions": "rwm"} or equivalent) were not provided protection by the devices cgroup. This would allow malicious containers (with sufficient privileges) to create arbitrary device inodes (assuming they have CAP_MKNOD) and operate on any device inodes they may have access to (assuming they have regular Unix DAC permissions). However, most (if not all) programs that make use of runc include this deny-all rule. This was most likely added before the specification mandated a white-list of devices, and the fact that all programs wrote their own deny-all rule obscured the existence of this bug for several years. In fact, even the specification's examples include a default deny-all rule! We therefore believe that while this is a security bug (and has been fixed as such), it was almost certainly not exploitable in the wild due to the inclusion of default deny-all rules by all known users of runc -- hence why this advisory has low severity. Patches This issue has been fixed in a patch that was part of a larger rework of the devices cgroup code in runc -- which lead to the discovery of this security bug. Users should upgrade to 1.0.0-rc91 as soon as it is released, or wait for your distribution to backport the relevant fixes. Workarounds If you are using runc directly, ensure that there is a deny-all entry at the beginning of linux.resources.devices -- such an entry would look like {"allow": false, "permissions": "rwm"} (all other fields are ignored, though type must be set to "a" or null if it is present). Users which consume runc through another program should check whether their containers are operating under a white-list -- this can be done by reading /sys/fs/cgroup/devices/devices.list inside the container. If the file contains only the entry a *:* rwm (meaning the cgroup is in black-list mode, which likely means "allow all device access") then your containers are vulnerable to this issue. As always, we recommend in the strongest possible terms that all of our users enable user namespaces on all of their workloads (or pressure their vendors to do so). User namespaces are one of the most significant defense-in-depth protections you can enable for containers, and have prevented many container-related vulnerabilities (both kernel 0days as well as bugs in container runtimes, such as this one). References https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v1/devices.html opencontainers/runtime-spec/config-linux.md#device-whitelist cgroup: devices: major cleanups and minimal transition rules opencontainers/runc#2391 For more information If you have any questions or comments about this advisory: Open an issue in this repo. Email us at [email protected].

google.golang.org/grpc 1.22.1 (golang) pkg:golang/google.golang.org/[email protected] Affected range <1.56.3 Fixed version 1.56.3 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description Impact In affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit. Patches This vulnerability was addressed by #6703 and has been included in patch releases: 1.56.3, 1.57.1, 1.58.3. It is also included in the latest release, 1.59.0. Along with applying the patch, users should also ensure they are using the grpc.MaxConcurrentStreams server option to apply a limit to the server's resources used for any single connection. Workarounds None. References #6703 Uncontrolled Resource Consumption Affected range <1.56.3 Fixed version 1.56.3 CVSS Score 6.9 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N EPSS Score 80.090% EPSS Percentile 99th percentile Description HTTP/2 Rapid reset attack The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RST_STREAM frame. The protocol does not require the client and server to coordinate the cancellation in any way, the client may do it unilaterally. The client may also assume that the cancellation will take effect immediately when the server receives the RST_STREAM frame, before any other data from that TCP connection is processed. Abuse of this feature is called a Rapid Reset attack because it relies on the ability for an endpoint to send a RST_STREAM frame immediately after sending a request frame, which makes the other endpoint start working and then rapidly resets the request. The request is canceled, but leaves the HTTP/2 connection open. The HTTP/2 Rapid Reset attack built on this capability is simple: The client opens a large number of streams at once as in the standard HTTP/2 attack, but rather than waiting for a response to each request stream from the server or proxy, the client cancels each request immediately. The ability to reset streams immediately allows each connection to have an indefinite number of requests in flight. By explicitly canceling the requests, the attacker never exceeds the limit on the number of concurrent open streams. The number of in-flight requests is no longer dependent on the round-trip time (RTT), but only on the available network bandwidth. In a typical HTTP/2 server implementation, the server will still have to do significant amounts of work for canceled requests, such as allocating new stream data structures, parsing the query and doing header decompression, and mapping the URL to a resource. For reverse proxy implementations, the request may be proxied to the backend server before the RST_STREAM frame is processed. The client on the other hand paid almost no costs for sending the requests. This creates an exploitable cost asymmetry between the server and the client. Multiple software artifacts implementing HTTP/2 are affected. This advisory was originally ingested from the swift-nio-http2 repo advisory and their original conent follows. swift-nio-http2 specific advisory swift-nio-http2 is vulnerable to a denial-of-service vulnerability in which a malicious client can create and then reset a large number of HTTP/2 streams in a short period of time. This causes swift-nio-http2 to commit to a large amount of expensive work which it then throws away, including creating entirely new Channels to serve the traffic. This can easily overwhelm an EventLoop and prevent it from making forward progress. swift-nio-http2 1.28 contains a remediation for this issue that applies reset counter using a sliding window. This constrains the number of stream resets that may occur in a given window of time. Clients violating this limit will have their connections torn down. This allows clients to continue to cancel streams for legitimate reasons, while constraining malicious actors.

github.com/docker/distribution 2.7.1+incompatible (golang) pkg:golang/github.com/docker/[email protected]%2Bincompatible Undefined Behavior for Input to API Affected range <2.8.2-beta.1 Fixed version 2.8.2-beta.1 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.054% EPSS Percentile 25th percentile Description Impact Systems that run distribution built after a specific commit running on memory-restricted environments can suffer from denial of service by a crafted malicious /v2/_catalog API endpoint request. Patches Upgrade to at least 2.8.2-beta.1 if you are running v2.8.x release. If you use the code from the main branch, update at least to the commit after f55a6552b006a381d9167e328808565dd2bf77dc. Workarounds There is no way to work around this issue without patching. Restrict access to the affected API endpoint: see the recommendations section. References /v2/_catalog endpoint accepts a parameter to control the maximum amount of records returned (query string: n). When not given the default n=100 is used. The server trusts that n has an acceptable value, however when using a maliciously large value, it allocates an array/slice of n of strings before filling the slice with data. This behaviour was introduced ~7yrs ago [1]. Recommendation The /v2/_catalog endpoint was designed specifically to do registry syncs with search or other API systems. Such an endpoint would create a lot of load on the backend system, due to overfetch required to serve a request in certain implementations. Because of this, we strongly recommend keeping this API endpoint behind heightened privilege and avoiding leaving it exposed to the internet. For more information If you have any questions or comments about this advisory: Open an issue in distribution repository Email us at [email protected] [1] faulty commit Access of Resource Using Incompatible Type ('Type Confusion') Affected range <2.8.0 Fixed version 2.8.0 CVSS Score 3 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N Description Impact Systems that rely on digest equivalence for image attestations may be vulnerable to type confusion. Patches Upgrade to at least v2.8.0-beta.1 if you are running v2.x release. If you use the code from the main branch, update at least to the commit after b59a6f827947f9e0e67df0cfb571046de4733586. Workarounds There is no way to work around this issue without patching. References Due to an oversight in the OCI Image Specification that removed the embedded mediaType field from manifests, a maliciously crafted OCI Container Image can cause registry clients to parse the same image in two different ways without modifying the image’s digest by modifying the Content-Type header returned by a registry. This can invalidate a common pattern of relying on container image digests for equivalence. For more information If you have any questions or comments about this advisory: Open an issue in distribution Open an issue in distribution-spec Email us at [email protected]

github.com/gogo/protobuf 1.2.2-0.20190723190241-65acae22fc9d (golang) pkg:golang/github.com/gogo/[email protected] Improper Validation of Array Index Affected range <1.3.2 Fixed version 1.3.2 CVSS Score 8.6 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H EPSS Score 1.089% EPSS Percentile 84th percentile Description An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.

github.com/dgrijalva/jwt-go 3.2.0+incompatible (golang) pkg:golang/github.com/dgrijalva/[email protected]%2Bincompatible OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=v3.2.0 Fixed version Not Fixed CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.125% EPSS Percentile 48th percentile Description jwt-go allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.

github.com/jpillora/chisel 0.0.0-20190724232113-f3a8df20e389 (golang) pkg:golang/github.com/jpillora/[email protected] Inconsistency Between Implementation and Documented Design Affected range <0.0.0-20240805055020-59e5362e6bd6 Fixed version 0.0.0-20240805055020-59e5362e6bd6 CVSS Score 7.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N EPSS Score 0.043% EPSS Percentile 12th percentile Description Summary The Chisel server doesn't ever read the documented AUTH environment variable used to set credentials, which allows any unauthenticated user to connect, even if credentials were set. This advisory is a formalization of a report sent to the maintainer via email. Details In the help page for the chisel server subcommand, it mentions an AUTH environment variable that can be set in order to provide credentials that the server should authenticate connections against: https://github.com/jpillora/chisel/blob/3de177432cd23db58e57f376b62ad497cc10840f/main.go#L138. The issue is that the server entrypoint doesn't ever read the AUTH environment variable. The only place that this happens is in the client entrypoint: https://github.com/jpillora/chisel/blob/3de177432cd23db58e57f376b62ad497cc10840f/main.go#L452 This subverts the expectations set by the documentation, allowing unauthenticated users to connect to a Chisel server, even if auth is attempted to be set up in this manner. PoC Run chisel server, first specifying credentials with the AUTH environment variable, then with the --auth argument. In the first case, the server allows connections without authentication, while in the second, the correct behavior is exhibited. Impact Anyone who is running the Chisel server, and that is using the AUTH environment variable to specify credentials to authenticate against. Chisel is often used to provide an entrypoint to a private network, which means services that are gated by Chisel may be affected. Additionally, Chisel is often used for exposing services to the internet. An attacker could MITM requests by connecting to a Chisel server and requesting to forward traffic from a remote port.

gopkg.in/yaml.v2 2.2.4 (golang) pkg:golang/gopkg.in/[email protected] Excessive Platform Resource Consumption within a Loop Affected range <2.2.8 Fixed version 2.2.8 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.104% EPSS Percentile 44th percentile Description The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.

k8s.io/client-go 0.17.2 (golang) pkg:golang/k8s.io/[email protected] Insertion of Sensitive Information into Log File Affected range <0.17.16 Fixed version 0.20.0-alpha.2 CVSS Score 4.7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N EPSS Score 0.044% EPSS Percentile 15th percentile Description In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. This affects <= v1.19.5, <= v1.18.13, <= v1.17.15, < v1.20.0-alpha2.

k8s.io/apimachinery 0.17.2 (golang) pkg:golang/k8s.io/[email protected] URL Redirection to Untrusted Site ('Open Redirect') Affected range >=0.17.0 <0.17.9 Fixed version 0.17.9 CVSS Score 6.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.464% EPSS Percentile 76th percentile Description The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.7 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.

github.com/docker/cli 0.0.0-20191126203649-54d085b857e9 (golang) pkg:golang/github.com/docker/[email protected] Exposure of Sensitive Information to an Unauthorized Actor Affected range <0.0.0-20210923182634-c2ea9bc90bac Fixed version 0.0.0-20210923182634-c2ea9bc90bac CVSS Score 5.4 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N EPSS Score 0.120% EPSS Percentile 47th percentile Description Impact A bug was found in the Docker CLI where running docker login my-private-registry.example.com with a misconfigured configuration file (typically ~/.docker/config.json) listing a credsStore or credHelpers that could not be executed would result in any provided credentials being sent to registry-1.docker.io rather than the intended private registry. Patches This bug has been fixed in Docker CLI 20.10.9. Users should update to this version as soon as possible. Workarounds Ensure that any configured credsStore or credHelpers entries in the configuration file reference an installed credential helper that is executable and on the PATH. For more information If you have any questions or comments about this advisory: Open an issue Email us at [email protected] if you think you’ve found a security bug

golang.org/x/sys 0.0.0-20190826190057-c7b8b68b1456 (golang) pkg:golang/golang.org/x/[email protected] Improper Privilege Management Affected range <0.0.0-20220412211240-33da011f77ad Fixed version 0.0.0-20220412211240-33da011f77ad CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N EPSS Score 0.261% EPSS Percentile 65th percentile Description Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Reporting in syscall. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible. Specific Go Packages Affected golang.org/x/sys/unix

github.com/opencontainers/image-spec 0.0.0-20170515205857-f03dbe35d449 (golang) pkg:golang/github.com/opencontainers/[email protected] Access of Resource Using Incompatible Type ('Type Confusion') Affected range <0.0.0-20211109170610-67d2d5658fe0 Fixed version 0.0.0-20211109170610-67d2d5658fe0 CVSS Score 3 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N Description Impact In the OCI Image Specification version 1.0.1 and prior, manifest and index documents are not self-describing and documents with a single digest could be interpreted as either a manifest or an index. Patches The Image Specification will be updated to recommend that both manifest and index documents contain a mediaType field to identify the type of document. Release v1.0.2 includes these updates. Workarounds Software attempting to deserialize an ambiguous document may reject the document if it contains both “manifests” and “layers” fields or “manifests” and “config” fields. References GHSA-mc8v-mgrf-8f4m For more information If you have any questions or comments about this advisory: Open an issue in https://github.com/opencontainers/image-spec Email us at [email protected] https://github.com/opencontainers/image-spec/commits/v1.0.2