differ-archived-at-1707630536
Diff files from two traffic-lights
cyberdojo/differ:c65141d
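Non-compliant — of the attestations listed below, only 'snyk-scan' reports "is_compliant": false: the image scan found 4 vulnerable dependency paths (2 unique issues, CVE-2023-52425 and CVE-2023-52426) in Alpine 3.19 expat 2.5.0-r2, at or above the "medium" severity threshold; both are fixed in expat 2.6.0-r0. Two of the four paths reach expat through git 2.43.0-r0 and are marked as not upgradable.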
JSON
{ "created_at": 1707464669.4628341, "fingerprint": "4d85255e11641ab0c8fa758d0f1252d4e8fb8cacf0664df2d4400afd62c00ee4", "filename": "cyberdojo/differ:c65141d", "git_commit": "c65141db87307ecf3cc253849b4045aa5ff39b59", "build_url": "https://github.com/cyber-dojo/differ/actions/runs/7841031330", "commit_url": "https://github.com/cyber-dojo/differ/commit/c65141db87307ecf3cc253849b4045aa5ff39b59", "evidence": { "unit-test": { "evidence_type": "junit", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/differ/actions/runs/7841031330", "evidence_archive_fingerprint": "e7f5f329d92e8dd7c7fd39ac0108083d402e2961a281e4991e2873d08ad052ea", "user_data": {}, "junit_results": [ { "name": "DiffSummaryTest", "failures": 0, "errors": 0, "skipped": 0, "total": 9, "duration": 0.318735, "timestamp": 1707464694 }, { "name": "DifferTest", "failures": 0, "errors": 0, "skipped": 0, "total": 16, "duration": 1.276119, "timestamp": 1707464694 }, { "name": "ExternalDiskWriterTest", "failures": 0, "errors": 0, "skipped": 0, "total": 1, "duration": 0.000209, "timestamp": 1707464694 }, { "name": "ExternalGitterTest", "failures": 0, "errors": 0, "skipped": 0, "total": 4, "duration": 0.000158, "timestamp": 1707464694 }, { "name": "ExternalShellerTest", "failures": 0, "errors": 0, "skipped": 0, "total": 5, "duration": 0.005033, "timestamp": 1707464694 }, { "name": "ExternalsTest", "failures": 0, "errors": 0, "skipped": 0, "total": 3, "duration": 8.3e-05, "timestamp": 1707464694 }, { "name": "GitDiffParseFilenamesTest", "failures": 0, "errors": 0, "skipped": 0, "total": 12, "duration": 0.001107, "timestamp": 1707464694 }, { "name": "GitDiffParserTest", "failures": 0, "errors": 0, "skipped": 0, "total": 13, "duration": 0.00158, "timestamp": 1707464694 }, { "name": "HttpProxyResponseTest", "failures": 0, "errors": 0, "skipped": 0, "total": 5, "duration": 0.000756, "timestamp": 1707464694 }, { "name": "ProberTest", "failures": 0, "errors": 0, "skipped": 0, "total": 4, "duration": 0.002492, 
"timestamp": 1707464694 }, { "name": "Utf8CleanTest", "failures": 0, "errors": 0, "skipped": 0, "total": 1, "duration": 0.000157, "timestamp": 1707464694 } ], "created_at": 1707464702.9399173, "has_audit_package": true }, "branch-coverage": { "evidence_type": "generic", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/differ/actions/runs/7841031330", "description": "server & client branch-coverage reports", "user_data": { "client": { "command_name": "Minitest", "groups": { "app": { "branches": { "covered": 8, "missed": 0, "total": 8 }, "lines": { "covered": 101, "missed": 0, "total": 101 } }, "test": { "branches": { "covered": 0, "missed": 0, "total": 0 }, "lines": { "covered": 230, "missed": 0, "total": 230 } } }, "timestamp": 1707464700 }, "server": { "command_name": "Minitest", "groups": { "app": { "branches": { "covered": 59, "missed": 1, "total": 60 }, "lines": { "covered": 352, "missed": 0, "total": 352 } }, "test": { "branches": { "covered": 0, "missed": 0, "total": 0 }, "lines": { "covered": 516, "missed": 0, "total": 516 } } }, "timestamp": 1707464694 } }, "created_at": 1707464703.5623379, "has_audit_package": false }, "snyk-scan": { "evidence_type": "snyk", "is_compliant": false, "build_url": "https://github.com/cyber-dojo/snyk_scans/actions/runs/7853942406", "evidence_archive_fingerprint": "35d556566abd38fe945d64cb4aa4a0e55870a899dbcfed23b4de17ef56460045", "user_data": {}, "snyk_results": { "applications": [ { "dependencyCount": 0, "displayTargetFile": "/usr/local/bundle/gems/concurrent-ruby-1.2.3/lib/concurrent-ruby/concurrent", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": 
{ "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "maven", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/differ:c65141d@sha256:4d85255e11641ab0c8fa758d0f1252d4e8fb8cacf0664df2d4400afd62c00ee4/differ:c65141d@sha256:4d85255e11641ab0c8fa758d0f1252d4e8fb8cacf0664df2d4400afd62c00ee4:/usr/local/bundle/gems/concurrent-ruby-1.2.3/lib/concurrent-ruby/concurrent", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", "projectName": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/differ:c65141d@sha256:4d85255e11641ab0c8fa758d0f1252d4e8fb8cacf0664df2d4400afd62c00ee4:/usr/local/bundle/gems/concurrent-ruby-1.2.3/lib/concurrent-ruby/concurrent", "severityThreshold": "medium", "summary": "No medium or high or critical 
severity vulnerabilities", "targetFile": "/usr/local/bundle/gems/concurrent-ruby-1.2.3/lib/concurrent-ruby/concurrent", "uniqueCount": 0, "vulnerabilities": [] } ], "dependencyCount": 88, "docker": { "binariesVulns": { "affectedPkgs": {}, "issuesData": {} } }, "filesystemPolicy": true, "filtered": { "ignore": [], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": false, "org": "jonjagger", "packageManager": "apk", "path": 
"274425519734.dkr.ecr.eu-central-1.amazonaws.com/differ:c65141d@sha256:4d85255e11641ab0c8fa758d0f1252d4e8fb8cacf0664df2d4400afd62c00ee4/differ:c65141d", "platform": "linux/amd64", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", "projectName": "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/differ:c65141d", "severityThreshold": "medium", "summary": "4 medium or high or critical severity vulnerable dependency paths", "uniqueCount": 2, "vulnerabilities": [ { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-02-10T02:30:12.499698Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2024-02-06T13:57:34.460600Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-09T13:11:37.934083Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `expat` package and not the `expat` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.19` relevant fixed versions and status._\n\nlibexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.\n## Remediation\nUpgrade `Alpine:3.19` `expat` to version 2.6.0-r0 or higher.\n## References\n- [cve@mitre.org](https://cwe.mitre.org/data/definitions/776.html)\n- [cve@mitre.org](https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404)\n- [cve@mitre.org](https://github.com/libexpat/libexpat/pull/777)\n", "disclosureTime": "2024-02-04T20:15:46.120000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.16953", "probability": "0.00051" }, "exploit": "Not Defined", "fixedIn": [ 
"2.6.0-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/differ:c65141d@*", "expat/libexpat@2.5.0-r2" ], "id": "SNYK-ALPINE319-EXPAT-6241037", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-52426" ], "CWE": [ "CWE-776" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2024-02-10T02:30:12.503964Z", "name": "expat/libexpat", "nearestFixedInVersion": "2.6.0-r0", "nvdSeverity": "medium", "packageManager": "alpine:3.19", "packageName": "expat", "patches": [], "publicationTime": "2024-02-10T02:30:12.503844Z", "references": [ { "title": "https://cwe.mitre.org/data/definitions/776.html", "url": "https://cwe.mitre.org/data/definitions/776.html" }, { "title": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404", "url": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404" }, { "title": "https://github.com/libexpat/libexpat/pull/777", "url": "https://github.com/libexpat/libexpat/pull/777" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<2.6.0-r0" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", "upgradePath": [ false, "expat/libexpat@2.6.0-r0" ], "version": "2.5.0-r2" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-02-10T02:30:17.064169Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2024-02-06T13:57:33.167998Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-09T13:11:36.880020Z", "severity": "high" } ], "cvssScore": 7.5, 
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `expat` package and not the `expat` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.19` relevant fixed versions and status._\n\nlibexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.\n## Remediation\nUpgrade `Alpine:3.19` `expat` to version 2.6.0-r0 or higher.\n## References\n- [cve@mitre.org](https://github.com/libexpat/libexpat/pull/789)\n", "disclosureTime": "2024-02-04T20:15:46.063000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.10104", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "2.6.0-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/differ:c65141d@*", "expat/libexpat@2.5.0-r2" ], "id": "SNYK-ALPINE319-EXPAT-6241038", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-52425" ], "CWE": [ "CWE-400" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2024-02-10T02:30:17.068136Z", "name": "expat/libexpat", "nearestFixedInVersion": "2.6.0-r0", "nvdSeverity": "high", "packageManager": "alpine:3.19", "packageName": "expat", "patches": [], "publicationTime": "2024-02-10T02:30:17.068015Z", "references": [ { "title": "https://github.com/libexpat/libexpat/pull/789", "url": "https://github.com/libexpat/libexpat/pull/789" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<2.6.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Resource Exhaustion", "upgradePath": [ false, "expat/libexpat@2.6.0-r0" ], "version": "2.5.0-r2" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-02-10T02:30:12.499698Z", "credit": [ 
"" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2024-02-06T13:57:34.460600Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-09T13:11:37.934083Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `expat` package and not the `expat` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.19` relevant fixed versions and status._\n\nlibexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.\n## Remediation\nUpgrade `Alpine:3.19` `expat` to version 2.6.0-r0 or higher.\n## References\n- [cve@mitre.org](https://cwe.mitre.org/data/definitions/776.html)\n- [cve@mitre.org](https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404)\n- [cve@mitre.org](https://github.com/libexpat/libexpat/pull/777)\n", "disclosureTime": "2024-02-04T20:15:46.120000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.16953", "probability": "0.00051" }, "exploit": "Not Defined", "fixedIn": [ "2.6.0-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/differ:c65141d@*", "git/git@2.43.0-r0", "expat/libexpat@2.5.0-r2" ], "id": "SNYK-ALPINE319-EXPAT-6241037", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-52426" ], "CWE": [ "CWE-776" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2024-02-10T02:30:12.503964Z", "name": "expat/libexpat", "nearestFixedInVersion": "2.6.0-r0", "nvdSeverity": "medium", "packageManager": "alpine:3.19", "packageName": "expat", "patches": [], "publicationTime": "2024-02-10T02:30:12.503844Z", 
"references": [ { "title": "https://cwe.mitre.org/data/definitions/776.html", "url": "https://cwe.mitre.org/data/definitions/776.html" }, { "title": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404", "url": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404" }, { "title": "https://github.com/libexpat/libexpat/pull/777", "url": "https://github.com/libexpat/libexpat/pull/777" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<2.6.0-r0" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", "upgradePath": [], "version": "2.5.0-r2" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-02-10T02:30:17.064169Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2024-02-06T13:57:33.167998Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-09T13:11:36.880020Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `expat` package and not the `expat` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.19` relevant fixed versions and status._\n\nlibexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.\n## Remediation\nUpgrade `Alpine:3.19` `expat` to version 2.6.0-r0 or higher.\n## References\n- [cve@mitre.org](https://github.com/libexpat/libexpat/pull/789)\n", "disclosureTime": "2024-02-04T20:15:46.063000Z", "epssDetails": { "modelVersion": 
"v2023.03.01", "percentile": "0.10104", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "2.6.0-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/differ:c65141d@*", "git/git@2.43.0-r0", "expat/libexpat@2.5.0-r2" ], "id": "SNYK-ALPINE319-EXPAT-6241038", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-52425" ], "CWE": [ "CWE-400" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2024-02-10T02:30:17.068136Z", "name": "expat/libexpat", "nearestFixedInVersion": "2.6.0-r0", "nvdSeverity": "high", "packageManager": "alpine:3.19", "packageName": "expat", "patches": [], "publicationTime": "2024-02-10T02:30:17.068015Z", "references": [ { "title": "https://github.com/libexpat/libexpat/pull/789", "url": "https://github.com/libexpat/libexpat/pull/789" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<2.6.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Resource Exhaustion", "upgradePath": [], "version": "2.5.0-r2" } ] }, "created_at": 1707556503.0625648, "has_audit_package": true }, "pull-request": { "evidence_type": "pull_request", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/differ/actions/runs/7841031330", "commit_sha": "c65141db87307ecf3cc253849b4045aa5ff39b59", "evidence_url": "https://github.com/cyber-dojo/differ/pull/86", "user_data": {}, "git_provider": "github", "pull_requests": [ { "merge_commit": "c65141db87307ecf3cc253849b4045aa5ff39b59", "url": "https://github.com/cyber-dojo/differ/pull/86", "state": "closed", "approvers": [] } ], "created_at": 1707464648.8770516, "has_audit_package": false }, "lint": { "evidence_type": "generic", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/differ/actions/runs/7841031330", "commit_sha": "c65141db87307ecf3cc253849b4045aa5ff39b59", 
"evidence_archive_fingerprint": "54117a86864fc0e97a48c5936a196bb88a3326984fa0d919ca7a9ca18f8ca281", "user_data": {}, "created_at": 1707464649.0062163, "has_audit_package": true } }, "reported_by": "ci-pipelines", "git_commit_info": { "sha1": "c65141db87307ecf3cc253849b4045aa5ff39b59", "message": "Add GitHub environments (#86)\n\n* Remove dead expect deployment\r\n\r\n* Add github environments to ci workflow", "author": "Jon Jagger <jon@kosli.com>", "timestamp": 1707464618, "branch": "main" }, "repo_url": "https://github.com/cyber-dojo/differ", "template": [ "artifact", "lint", "pull-request", "unit-test", "branch-coverage", "snyk-scan" ], "last_modified_at": 1707556503.0625648, "releases": [ 124, 123 ], "deployments": [ 427, 426 ], "state": "NON-COMPLIANT", "html_url": "https://app.kosli.com/cyber-dojo/flows/differ-archived-at-1707630536/artifacts/4d85255e11641ab0c8fa758d0f1252d4e8fb8cacf0664df2d4400afd62c00ee4", "api_url": "https://app.kosli.com/api/v2/artifacts/cyber-dojo/differ-archived-at-1707630536/fingerprint/4d85255e11641ab0c8fa758d0f1252d4e8fb8cacf0664df2d4400afd62c00ee4" }
Artifact Information |
|
Name | cyberdojo/differ:c65141d |
Fingerprint | 4d85255e11641ab0c8fa758d0f1252d4e8fb8cacf0664df2d4400afd62c00ee4 |
Git commit |
c65141d
Jon Jagger <jon@kosli.com> (main)
1707464618.0 • 2 months ago
Add GitHub environments (#86)
* Remove dead expect deployment * Add github environments to ci workflow |
CI Build | https://github.com/cyber-dojo/differ/actions/runs/7841031330 |
Running | - |
Exited | aws-beta#2986 aws-prod#2116 |
Last modified | 1707556503.0625648 • 2 months ago |
Evidence
Evidence for 'lint'
{ "evidence_type": "generic", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/differ/actions/runs/7841031330", "commit_sha": "c65141db87307ecf3cc253849b4045aa5ff39b59", "evidence_archive_fingerprint": "54117a86864fc0e97a48c5936a196bb88a3326984fa0d919ca7a9ca18f8ca281", "user_data": {}, "created_at": 1707464649.0062163, "has_audit_package": true }
Evidence for 'pull-request'
{ "evidence_type": "pull_request", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/differ/actions/runs/7841031330", "commit_sha": "c65141db87307ecf3cc253849b4045aa5ff39b59", "evidence_url": "https://github.com/cyber-dojo/differ/pull/86", "user_data": {}, "git_provider": "github", "pull_requests": [ { "merge_commit": "c65141db87307ecf3cc253849b4045aa5ff39b59", "url": "https://github.com/cyber-dojo/differ/pull/86", "state": "closed", "approvers": [] } ], "created_at": 1707464648.8770516, "has_audit_package": false }
Evidence for 'unit-test'
{ "evidence_type": "junit", "name": "unit-test", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/differ/actions/runs/7841031330", "evidence_archive_fingerprint": "e7f5f329d92e8dd7c7fd39ac0108083d402e2961a281e4991e2873d08ad052ea", "user_data": {}, "junit_results": [ { "name": "DiffSummaryTest", "failures": 0, "errors": 0, "skipped": 0, "total": 9, "duration": 0.318735, "timestamp": 1707464694 }, { "name": "DifferTest", "failures": 0, "errors": 0, "skipped": 0, "total": 16, "duration": 1.276119, "timestamp": 1707464694 }, { "name": "ExternalDiskWriterTest", "failures": 0, "errors": 0, "skipped": 0, "total": 1, "duration": 0.000209, "timestamp": 1707464694 }, { "name": "ExternalGitterTest", "failures": 0, "errors": 0, "skipped": 0, "total": 4, "duration": 0.000158, "timestamp": 1707464694 }, { "name": "ExternalShellerTest", "failures": 0, "errors": 0, "skipped": 0, "total": 5, "duration": 0.005033, "timestamp": 1707464694 }, { "name": "ExternalsTest", "failures": 0, "errors": 0, "skipped": 0, "total": 3, "duration": 8.3e-05, "timestamp": 1707464694 }, { "name": "GitDiffParseFilenamesTest", "failures": 0, "errors": 0, "skipped": 0, "total": 12, "duration": 0.001107, "timestamp": 1707464694 }, { "name": "GitDiffParserTest", "failures": 0, "errors": 0, "skipped": 0, "total": 13, "duration": 0.00158, "timestamp": 1707464694 }, { "name": "HttpProxyResponseTest", "failures": 0, "errors": 0, "skipped": 0, "total": 5, "duration": 0.000756, "timestamp": 1707464694 }, { "name": "ProberTest", "failures": 0, "errors": 0, "skipped": 0, "total": 4, "duration": 0.002492, "timestamp": 1707464694 }, { "name": "Utf8CleanTest", "failures": 0, "errors": 0, "skipped": 0, "total": 1, "duration": 0.000157, "timestamp": 1707464694 } ], "created_at": 1707464702.9399173, "has_audit_package": true }
Evidence for 'branch-coverage'
{ "evidence_type": "generic", "name": "branch-coverage", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/differ/actions/runs/7841031330", "description": "server & client branch-coverage reports", "user_data": { "client": { "command_name": "Minitest", "groups": { "app": { "branches": { "covered": 8, "missed": 0, "total": 8 }, "lines": { "covered": 101, "missed": 0, "total": 101 } }, "test": { "branches": { "covered": 0, "missed": 0, "total": 0 }, "lines": { "covered": 230, "missed": 0, "total": 230 } } }, "timestamp": 1707464700 }, "server": { "command_name": "Minitest", "groups": { "app": { "branches": { "covered": 59, "missed": 1, "total": 60 }, "lines": { "covered": 352, "missed": 0, "total": 352 } }, "test": { "branches": { "covered": 0, "missed": 0, "total": 0 }, "lines": { "covered": 516, "missed": 0, "total": 516 } } }, "timestamp": 1707464694 } }, "created_at": 1707464703.5623379, "has_audit_package": false }
Evidence for 'snyk-scan'
{ "evidence_type": "snyk", "name": "snyk-scan", "is_compliant": false, "build_url": "https://github.com/cyber-dojo/snyk_scans/actions/runs/7853942406", "evidence_archive_fingerprint": "35d556566abd38fe945d64cb4aa4a0e55870a899dbcfed23b4de17ef56460045", "user_data": {}, "snyk_results": { "applications": [ { "dependencyCount": 0, "displayTargetFile": "/usr/local/bundle/gems/concurrent-ruby-1.2.3/lib/concurrent-ruby/concurrent", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", 
"severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "maven", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/differ:c65141d@sha256:4d85255e11641ab0c8fa758d0f1252d4e8fb8cacf0664df2d4400afd62c00ee4/differ:c65141d@sha256:4d85255e11641ab0c8fa758d0f1252d4e8fb8cacf0664df2d4400afd62c00ee4:/usr/local/bundle/gems/concurrent-ruby-1.2.3/lib/concurrent-ruby/concurrent", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", "projectName": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/differ:c65141d@sha256:4d85255e11641ab0c8fa758d0f1252d4e8fb8cacf0664df2d4400afd62c00ee4:/usr/local/bundle/gems/concurrent-ruby-1.2.3/lib/concurrent-ruby/concurrent", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/local/bundle/gems/concurrent-ruby-1.2.3/lib/concurrent-ruby/concurrent", "uniqueCount": 0, "vulnerabilities": [] } ], "dependencyCount": 88, "docker": { "binariesVulns": { "affectedPkgs": {}, "issuesData": {} } }, "filesystemPolicy": true, "filtered": { "ignore": [], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { 
"instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": false, "org": "jonjagger", "packageManager": "apk", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/differ:c65141d@sha256:4d85255e11641ab0c8fa758d0f1252d4e8fb8cacf0664df2d4400afd62c00ee4/differ:c65141d", "platform": "linux/amd64", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", "projectName": "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/differ:c65141d", "severityThreshold": "medium", "summary": "4 medium or high or critical severity vulnerable dependency paths", "uniqueCount": 2, "vulnerabilities": [ { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-02-10T02:30:12.499698Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2024-02-06T13:57:34.460600Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-09T13:11:37.934083Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in 
the description apply only to the upstream `expat` package and not the `expat` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.19` relevant fixed versions and status._\n\nlibexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.\n## Remediation\nUpgrade `Alpine:3.19` `expat` to version 2.6.0-r0 or higher.\n## References\n- [cve@mitre.org](https://cwe.mitre.org/data/definitions/776.html)\n- [cve@mitre.org](https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404)\n- [cve@mitre.org](https://github.com/libexpat/libexpat/pull/777)\n", "disclosureTime": "2024-02-04T20:15:46.120000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.16953", "probability": "0.00051" }, "exploit": "Not Defined", "fixedIn": [ "2.6.0-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/differ:c65141d@*", "expat/libexpat@2.5.0-r2" ], "id": "SNYK-ALPINE319-EXPAT-6241037", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-52426" ], "CWE": [ "CWE-776" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": "linux", "malicious": false, "modificationTime": "2024-02-10T02:30:12.503964Z", "name": "expat/libexpat", "nearestFixedInVersion": "2.6.0-r0", "nvdSeverity": "medium", "packageManager": "alpine:3.19", "packageName": "expat", "patches": [], "publicationTime": "2024-02-10T02:30:12.503844Z", "references": [ { "title": "https://cwe.mitre.org/data/definitions/776.html", "url": "https://cwe.mitre.org/data/definitions/776.html" }, { "title": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404", "url": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404" }, { "title": "https://github.com/libexpat/libexpat/pull/777", "url": "https://github.com/libexpat/libexpat/pull/777" } ], "relativeImportance": null, "semver": { "vulnerable": [ 
"<2.6.0-r0" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", "upgradePath": [ false, "expat/libexpat@2.6.0-r0" ], "version": "2.5.0-r2" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-02-10T02:30:17.064169Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2024-02-06T13:57:33.167998Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-09T13:11:36.880020Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `expat` package and not the `expat` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.19` relevant fixed versions and status._\n\nlibexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.\n## Remediation\nUpgrade `Alpine:3.19` `expat` to version 2.6.0-r0 or higher.\n## References\n- [cve@mitre.org](https://github.com/libexpat/libexpat/pull/789)\n", "disclosureTime": "2024-02-04T20:15:46.063000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.10104", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "2.6.0-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/differ:c65141d@*", "expat/libexpat@2.5.0-r2" ], "id": "SNYK-ALPINE319-EXPAT-6241038", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-52425" ], "CWE": [ "CWE-400" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": true, "language": 
"linux", "malicious": false, "modificationTime": "2024-02-10T02:30:17.068136Z", "name": "expat/libexpat", "nearestFixedInVersion": "2.6.0-r0", "nvdSeverity": "high", "packageManager": "alpine:3.19", "packageName": "expat", "patches": [], "publicationTime": "2024-02-10T02:30:17.068015Z", "references": [ { "title": "https://github.com/libexpat/libexpat/pull/789", "url": "https://github.com/libexpat/libexpat/pull/789" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<2.6.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Resource Exhaustion", "upgradePath": [ false, "expat/libexpat@2.6.0-r0" ], "version": "2.5.0-r2" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-02-10T02:30:12.499698Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2024-02-06T13:57:34.460600Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-09T13:11:37.934083Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `expat` package and not the `expat` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.19` relevant fixed versions and status._\n\nlibexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.\n## Remediation\nUpgrade `Alpine:3.19` `expat` to version 2.6.0-r0 or higher.\n## References\n- [cve@mitre.org](https://cwe.mitre.org/data/definitions/776.html)\n- [cve@mitre.org](https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404)\n- [cve@mitre.org](https://github.com/libexpat/libexpat/pull/777)\n", "disclosureTime": "2024-02-04T20:15:46.120000Z", "epssDetails": 
{ "modelVersion": "v2023.03.01", "percentile": "0.16953", "probability": "0.00051" }, "exploit": "Not Defined", "fixedIn": [ "2.6.0-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/differ:c65141d@*", "git/git@2.43.0-r0", "expat/libexpat@2.5.0-r2" ], "id": "SNYK-ALPINE319-EXPAT-6241037", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-52426" ], "CWE": [ "CWE-776" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2024-02-10T02:30:12.503964Z", "name": "expat/libexpat", "nearestFixedInVersion": "2.6.0-r0", "nvdSeverity": "medium", "packageManager": "alpine:3.19", "packageName": "expat", "patches": [], "publicationTime": "2024-02-10T02:30:12.503844Z", "references": [ { "title": "https://cwe.mitre.org/data/definitions/776.html", "url": "https://cwe.mitre.org/data/definitions/776.html" }, { "title": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404", "url": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404" }, { "title": "https://github.com/libexpat/libexpat/pull/777", "url": "https://github.com/libexpat/libexpat/pull/777" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<2.6.0-r0" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", "upgradePath": [], "version": "2.5.0-r2" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2024-02-10T02:30:17.064169Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "modificationTime": "2024-02-06T13:57:33.167998Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2024-02-09T13:11:36.880020Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `expat` package and not the `expat` package as distributed by `Alpine`._\n_See `How to fix?` for `Alpine:3.19` relevant fixed versions and status._\n\nlibexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.\n## Remediation\nUpgrade `Alpine:3.19` `expat` to version 2.6.0-r0 or higher.\n## References\n- [cve@mitre.org](https://github.com/libexpat/libexpat/pull/789)\n", "disclosureTime": "2024-02-04T20:15:46.063000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.10104", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [ "2.6.0-r0" ], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/differ:c65141d@*", "git/git@2.43.0-r0", "expat/libexpat@2.5.0-r2" ], "id": "SNYK-ALPINE319-EXPAT-6241038", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-52425" ], "CWE": [ "CWE-400" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2024-02-10T02:30:17.068136Z", "name": "expat/libexpat", "nearestFixedInVersion": "2.6.0-r0", "nvdSeverity": "high", "packageManager": "alpine:3.19", "packageName": "expat", "patches": [], "publicationTime": "2024-02-10T02:30:17.068015Z", "references": [ { "title": "https://github.com/libexpat/libexpat/pull/789", "url": "https://github.com/libexpat/libexpat/pull/789" } ], "relativeImportance": null, "semver": { "vulnerable": [ "<2.6.0-r0" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Resource Exhaustion", "upgradePath": [], "version": "2.5.0-r2" } ] }, 
"created_at": 1707556503.0625648, "has_audit_package": true }