nginx-archived-at-1707630884
Reverse proxy
cyberdojo/nginx:86645b7
Compliant
{ "created_at": 1702757562.2527735, "fingerprint": "23ae06aa701ed29cdc041a55a4e18a25bce542d2d330bce3caefd27a0c83cc13", "filename": "cyberdojo/nginx:86645b7", "git_commit": "86645b7fea5ebf9ebd6216269002b02aace70fbf", "build_url": "https://github.com/cyber-dojo/nginx/actions/runs/7234026772", "commit_url": "https://github.com/cyber-dojo/nginx/commit/86645b7fea5ebf9ebd6216269002b02aace70fbf", "evidence": { "snyk-scan": { "evidence_type": "snyk", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/nginx/actions/runs/7234026772", "evidence_archive_fingerprint": "fb53e96bada773a87bef3e304fcd2c3ff2b9d81140b2fe6a50e651e33aed99cf", "user_data": {}, "snyk_results": { "applications": [ { "dependencyCount": 0, "displayTargetFile": "/usr/share/java", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", 
"severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "maven", "path": "cyberdojo/nginx:86645b7/nginx:86645b7:/usr/share/java", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-DEBIAN12-TIFF-5862859:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-10T19:30:13.235Z\n created: 2023-10-11T19:30:13.242Z\n source: cli\n SNYK-DEBIAN12-TIFF-5862863:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-10T19:30:34.260Z\n created: 2023-10-11T19:30:34.270Z\n source: cli\n SNYK-DEBIAN12-TIFF-5934984:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-10T19:30:47.863Z\n created: 2023-10-11T19:30:47.874Z\n source: cli\n SNYK-DEBIAN12-NGHTTP2-5953379:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-10T19:31:20.564Z\n created: 2023-10-11T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-ZLIB-6008963:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-10-21T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-3361563:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6070694:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6105348:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 
2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6105349:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6105361:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-3361567:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6062358:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-GNUTLS28-6062100:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-CURL-6100974:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-CURL-6100975:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\npatch: {}\n", "projectName": "cyberdojo/nginx:86645b7:/usr/share/java", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/share/java", "uniqueCount": 0, "vulnerabilities": [] } ], "dependencyCount": 149, "displayTargetFile": "/home/runner/work/nginx/nginx/Dockerfile", "docker": { "baseImage": "nginx:1.25.3", "baseImageRemediation": { "advice": [ { "bold": true, "message": "According to our scan, you are currently using the most secure version of the selected base image" } ], "code": "NO_REMEDIATION_AVAILABLE" } }, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "cpes": [], "creationTime": "2023-12-06T12:32:54.255158Z", "credit": [ "" ], "cvssDetails": [ { 
"assigner": "SUSE", "cvssV3BaseScore": 4, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "modificationTime": "2023-12-07T11:03:24.706424Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 4.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "modificationTime": "2023-12-15T13:31:32.883021Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "modificationTime": "2023-12-16T01:10:57.736256Z", "severity": "medium" } ], "cvssScore": 5.3, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nWhen saving HSTS data to an excessively long file name, curl could end up\nremoving all contents, making subsequent requests using that file unaware of\nthe HSTS status they should otherwise use.\n\n## Remediation\nThere is no fixed version for `Debian:12` `curl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-46219)\n- [support@hackerone.com](https://curl.se/docs/CVE-2023-46219.html)\n- [support@hackerone.com](https://hackerone.com/reports/2236133)\n- [support@hackerone.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/)\n", "disclosureTime": "2023-12-12T02:15:06.990000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.06911", "probability": "0.00043" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-15T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "curl@7.88.1-10+deb12u4", "curl/libcurl4@7.88.1-10+deb12u4" ], "id": 
"SNYK-DEBIAN12-CURL-6100974", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-46219" ], "CWE": [ "CWE-311" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-12-16T01:10:57.736256Z", "name": "curl/libcurl4", "nvdSeverity": "medium", "packageManager": "debian:12", "packageName": "curl", "patches": [], "publicationTime": "2023-12-06T12:32:54.259470Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-46219", "url": "https://security-tracker.debian.org/tracker/CVE-2023-46219" }, { "title": "https://curl.se/docs/CVE-2023-46219.html", "url": "https://curl.se/docs/CVE-2023-46219.html" }, { "title": "https://hackerone.com/reports/2236133", "url": "https://hackerone.com/reports/2236133" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Missing Encryption of Sensitive Data", "upgradePath": [], "version": "7.88.1-10+deb12u4" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "cpes": [], "creationTime": "2023-12-06T12:32:55.890323Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "modificationTime": "2023-12-06T13:32:04.678347Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 4.2, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "modificationTime": "2023-12-07T11:03:18.055192Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 6.5, "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "modificationTime": "2023-12-13T01:10:56.083630Z", "severity": "medium" } ], "cvssScore": 6.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nThis flaw allows a malicious HTTP server to set \"super cookies\" in curl that\nare then passed back to more origins than what is otherwise allowed or\npossible. This allows a site to set cookies that then would get sent to\ndifferent and unrelated sites and domains.\n\nIt could do this by exploiting a mixed case flaw in curl's function that\nverifies a given cookie domain against the Public Suffix List (PSL). For\nexample a cookie could be set with `domain=co.UK` when the URL used a lower\ncase hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.\n\n## Remediation\nThere is no fixed version for `Debian:12` `curl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-46218)\n- [support@hackerone.com](https://curl.se/docs/CVE-2023-46218.html)\n- [support@hackerone.com](https://hackerone.com/reports/2212193)\n- [support@hackerone.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/)\n", "disclosureTime": "2023-12-07T01:15:07.160000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.12314", "probability": "0.00045" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-15T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "curl@7.88.1-10+deb12u4", "curl/libcurl4@7.88.1-10+deb12u4" ], "id": "SNYK-DEBIAN12-CURL-6100975", "identifiers": { "ALTERNATIVE": [], "CVE": [ 
"CVE-2023-46218" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-12-13T01:10:56.083630Z", "name": "curl/libcurl4", "nvdSeverity": "medium", "packageManager": "debian:12", "packageName": "curl", "patches": [], "publicationTime": "2023-12-06T12:32:55.895688Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-46218", "url": "https://security-tracker.debian.org/tracker/CVE-2023-46218" }, { "title": "https://curl.se/docs/CVE-2023-46218.html", "url": "https://curl.se/docs/CVE-2023-46218.html" }, { "title": "https://hackerone.com/reports/2212193", "url": "https://hackerone.com/reports/2212193" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2023-46218", "upgradePath": [], "version": "7.88.1-10+deb12u4" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "cpes": [], "creationTime": "2023-12-06T12:32:54.255158Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "SUSE", "cvssV3BaseScore": 4, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "modificationTime": "2023-12-07T11:03:24.706424Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 4.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "modificationTime": "2023-12-15T13:31:32.883021Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "modificationTime": "2023-12-16T01:10:57.736256Z", "severity": 
"medium" } ], "cvssScore": 5.3, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nWhen saving HSTS data to an excessively long file name, curl could end up\nremoving all contents, making subsequent requests using that file unaware of\nthe HSTS status they should otherwise use.\n\n## Remediation\nThere is no fixed version for `Debian:12` `curl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-46219)\n- [support@hackerone.com](https://curl.se/docs/CVE-2023-46219.html)\n- [support@hackerone.com](https://hackerone.com/reports/2236133)\n- [support@hackerone.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/)\n", "disclosureTime": "2023-12-12T02:15:06.990000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.06911", "probability": "0.00043" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-15T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "curl@7.88.1-10+deb12u4" ], "id": "SNYK-DEBIAN12-CURL-6100974", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-46219" ], "CWE": [ "CWE-311" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-12-16T01:10:57.736256Z", "name": "curl", "nvdSeverity": "medium", "packageManager": "debian:12", "packageName": "curl", "patches": [], "publicationTime": "2023-12-06T12:32:54.259470Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-46219", "url": 
"https://security-tracker.debian.org/tracker/CVE-2023-46219" }, { "title": "https://curl.se/docs/CVE-2023-46219.html", "url": "https://curl.se/docs/CVE-2023-46219.html" }, { "title": "https://hackerone.com/reports/2236133", "url": "https://hackerone.com/reports/2236133" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Missing Encryption of Sensitive Data", "upgradePath": [], "version": "7.88.1-10+deb12u4" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "cpes": [], "creationTime": "2023-12-06T12:32:55.890323Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "modificationTime": "2023-12-06T13:32:04.678347Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 4.2, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "modificationTime": "2023-12-07T11:03:18.055192Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 6.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "modificationTime": "2023-12-13T01:10:56.083630Z", "severity": "medium" } ], "cvssScore": 6.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nThis flaw allows a malicious HTTP server to set \"super cookies\" in curl that\nare then passed back to more origins than what is otherwise allowed or\npossible. 
This allows a site to set cookies that then would get sent to\ndifferent and unrelated sites and domains.\n\nIt could do this by exploiting a mixed case flaw in curl's function that\nverifies a given cookie domain against the Public Suffix List (PSL). For\nexample a cookie could be set with `domain=co.UK` when the URL used a lower\ncase hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.\n\n## Remediation\nThere is no fixed version for `Debian:12` `curl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-46218)\n- [support@hackerone.com](https://curl.se/docs/CVE-2023-46218.html)\n- [support@hackerone.com](https://hackerone.com/reports/2212193)\n- [support@hackerone.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/)\n", "disclosureTime": "2023-12-07T01:15:07.160000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.12314", "probability": "0.00045" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-15T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "curl@7.88.1-10+deb12u4" ], "id": "SNYK-DEBIAN12-CURL-6100975", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-46218" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-12-13T01:10:56.083630Z", "name": "curl", "nvdSeverity": "medium", "packageManager": "debian:12", "packageName": "curl", "patches": [], "publicationTime": "2023-12-06T12:32:55.895688Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-46218", "url": "https://security-tracker.debian.org/tracker/CVE-2023-46218" }, { "title": 
"https://curl.se/docs/CVE-2023-46218.html", "url": "https://curl.se/docs/CVE-2023-46218.html" }, { "title": "https://hackerone.com/reports/2212193", "url": "https://hackerone.com/reports/2212193" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2023-46218", "upgradePath": [], "version": "7.88.1-10+deb12u4" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-12-08T01:32:33.590406Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 8.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "modificationTime": "2023-12-12T01:11:00.705298Z", "severity": "high" } ], "cvssScore": 8.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `libde265` package and not the `libde265` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nLibde265 v1.0.14 was discovered to contain a global buffer overflow vulnerability in the read_coding_unit function at slice.cc.\n## Remediation\nThere is no fixed version for `Debian:12` `libde265`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-49468)\n- [cve@mitre.org](https://github.com/strukturag/libde265/issues/432)\n", "disclosureTime": "2023-12-07T20:15:38.477000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.23888", "probability": "0.00061" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-15T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", 
"path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "libheif/libheif1@1.15.1-1", "libde265/libde265-0@1.0.11-1+deb12u1" ], "id": "SNYK-DEBIAN12-LIBDE265-6105348", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-49468" ], "CWE": [ "CWE-787" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-12-12T01:11:00.705298Z", "name": "libde265/libde265-0", "nvdSeverity": "high", "packageManager": "debian:12", "packageName": "libde265", "patches": [], "publicationTime": "2023-12-08T01:32:33.595136Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-49468", "url": "https://security-tracker.debian.org/tracker/CVE-2023-49468" }, { "title": "https://github.com/strukturag/libde265/issues/432", "url": "https://github.com/strukturag/libde265/issues/432" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Out-of-bounds Write", "upgradePath": [], "version": "1.0.11-1+deb12u1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-12-08T01:32:36.243015Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 8.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "modificationTime": "2023-12-12T01:10:59.988820Z", "severity": "high" } ], "cvssScore": 8.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `libde265` package and not the `libde265` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nLibde265 v1.0.14 was discovered to contain a 
heap-buffer-overflow vulnerability in the derive_combined_bipredictive_merging_candidates function at motion.cc.\n## Remediation\nThere is no fixed version for `Debian:12` `libde265`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-49467)\n- [cve@mitre.org](https://github.com/strukturag/libde265/issues/434)\n", "disclosureTime": "2023-12-07T20:15:38.427000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.06929", "probability": "0.00043" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-15T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "libheif/libheif1@1.15.1-1", "libde265/libde265-0@1.0.11-1+deb12u1" ], "id": "SNYK-DEBIAN12-LIBDE265-6105349", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-49467" ], "CWE": [ "CWE-787" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-12-12T01:10:59.988820Z", "name": "libde265/libde265-0", "nvdSeverity": "high", "packageManager": "debian:12", "packageName": "libde265", "patches": [], "publicationTime": "2023-12-08T01:32:36.248879Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-49467", "url": "https://security-tracker.debian.org/tracker/CVE-2023-49467" }, { "title": "https://github.com/strukturag/libde265/issues/434", "url": "https://github.com/strukturag/libde265/issues/434" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Out-of-bounds Write", "upgradePath": [], "version": "1.0.11-1+deb12u1" }, { "CVSSv3": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-12-08T01:34:09.513577Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 8.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "modificationTime": "2023-12-12T01:10:59.727911Z", "severity": "high" } ], "cvssScore": 8.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `libde265` package and not the `libde265` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nLibde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_prediction function at motion.cc.\n## Remediation\nThere is no fixed version for `Debian:12` `libde265`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-49465)\n- [cve@mitre.org](https://github.com/strukturag/libde265/issues/435)\n", "disclosureTime": "2023-12-07T20:15:38.370000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.06929", "probability": "0.00043" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-15T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "libheif/libheif1@1.15.1-1", "libde265/libde265-0@1.0.11-1+deb12u1" ], "id": "SNYK-DEBIAN12-LIBDE265-6105361", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-49465" ], "CWE": [ "CWE-787" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-12-12T01:10:59.727911Z", "name": "libde265/libde265-0", "nvdSeverity": "high", "packageManager": "debian:12", "packageName": 
"libde265", "patches": [], "publicationTime": "2023-12-08T01:34:09.516791Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-49465", "url": "https://security-tracker.debian.org/tracker/CVE-2023-49465" }, { "title": "https://github.com/strukturag/libde265/issues/435", "url": "https://github.com/strukturag/libde265/issues/435" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Out-of-bounds Write", "upgradePath": [], "version": "1.0.11-1+deb12u1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. 
NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "curl@7.88.1-10+deb12u4", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", 
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { 
"assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", 
"expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "nginx@1.25.3-1~bookworm", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", 
"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. 
NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "nginx-module-njs@1.25.3+0.8.2-1~bookworm", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": 
"https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 
"modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not 
Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "util-linux/util-linux@2.38.1-5+b1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": 
"http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. 
NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "apt@2.6.1", "apt/libapt-pkg6.0@2.6.1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": 
"https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 
"modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not 
Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "apt@2.6.1", "gnupg2/gpgv@2.2.40-1.1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": 
"http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. 
NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "curl@7.88.1-10+deb12u4", "curl/libcurl4@7.88.1-10+deb12u4", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": 
"https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 
"modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not 
Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "dash@0.5.12-2", "dpkg@1.21.22", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" 
}, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. 
NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "nginx-module-njs@1.25.3+0.8.2-1~bookworm", "libxml2@2.9.14+dfsg-1.3~deb12u1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": 
"https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 
"modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not 
Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "curl@7.88.1-10+deb12u4", "curl/libcurl4@7.88.1-10+deb12u4", "libssh2/libssh2-1@1.10.0-3+b1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", 
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. 
NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "curl@7.88.1-10+deb12u4", "curl/libcurl4@7.88.1-10+deb12u4", "rtmpdump/librtmp1@2.4+20151223.gitfa8646d.1-2+b2", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", 
"references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", 
"probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "libheif/libheif1@1.15.1-1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": 
"http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. 
NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "tiff/libtiff6@4.5.0-6+deb12u1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", 
"references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", 
"probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "fontconfig/libfontconfig1@2.14.1-4", "freetype/libfreetype6@2.12.1+dfsg-5", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": 
"https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. 
NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "fontconfig/libfontconfig1@2.14.1-4", "freetype/libfreetype6@2.12.1+dfsg-5", "libpng1.6/libpng16-16@1.6.39-2", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", 
"patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { 
"orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "deb", "path": "cyberdojo/nginx:86645b7/nginx", "platform": "linux/amd64", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-DEBIAN12-TIFF-5862859:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-10T19:30:13.235Z\n created: 2023-10-11T19:30:13.242Z\n source: cli\n SNYK-DEBIAN12-TIFF-5862863:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 
2024-01-10T19:30:34.260Z\n created: 2023-10-11T19:30:34.270Z\n source: cli\n SNYK-DEBIAN12-TIFF-5934984:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-10T19:30:47.863Z\n created: 2023-10-11T19:30:47.874Z\n source: cli\n SNYK-DEBIAN12-NGHTTP2-5953379:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-10T19:31:20.564Z\n created: 2023-10-11T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-ZLIB-6008963:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-10-21T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-3361563:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6070694:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6105348:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6105349:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6105361:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-3361567:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6062358:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-GNUTLS28-6062100:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-CURL-6100974:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 
2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-CURL-6100975:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\npatch: {}\n", "projectName": "docker-image|cyberdojo/nginx", "severityThreshold": "medium", "summary": "No known operating system vulnerabilities", "targetFile": "/home/runner/work/nginx/nginx/Dockerfile", "uniqueCount": 0, "vulnerabilities": [] }, "created_at": 1702757570.9539273, "has_audit_package": true } }, "git_commit_info": { "sha1": "86645b7fea5ebf9ebd6216269002b02aace70fbf", "message": "Add entries to .snyk file while waiting for fix in base image", "author": "JonJagger <jon@kosli.com>", "timestamp": 1702757503, "branch": "main" }, "repo_url": "https://github.com/cyber-dojo/nginx", "template": [ "artifact", "snyk-scan" ], "last_modified_at": 1702757570.9539273, "deployments": [ 91, 90 ], "state": "COMPLIANT", "html_url": "https://app.kosli.com/cyber-dojo/flows/nginx-archived-at-1707630884/artifacts/23ae06aa701ed29cdc041a55a4e18a25bce542d2d330bce3caefd27a0c83cc13", "api_url": "https://app.kosli.com/api/v2/artifacts/cyber-dojo/nginx-archived-at-1707630884/fingerprint/23ae06aa701ed29cdc041a55a4e18a25bce542d2d330bce3caefd27a0c83cc13" }
Artifact Information |
|
Name | cyberdojo/nginx:86645b7 |
Fingerprint | 23ae06aa701ed29cdc041a55a4e18a25bce542d2d330bce3caefd27a0c83cc13 |
Git commit |
86645b7
JonJagger <jon@kosli.com> (main)
1702757503.0 (Unix epoch seconds, i.e. 2023-12-16T20:11:43Z) • 4 months ago
Add entries to .snyk file while waiting for fix in base image
|
CI Build | https://github.com/cyber-dojo/nginx/actions/runs/7234026772 |
Running | - |
Exited | aws-beta#2448 aws-prod#1627 |
Last modified | 1702757570.9539273 (Unix epoch seconds, i.e. 2023-12-16T20:12:50Z) • 4 months ago |
Approvals
None |
Evidence
Evidence for 'snyk-scan' — note that the "is_compliant": true, "uniqueCount": 0 and "No known operating system vulnerabilities" values below are post-policy results: the scan's "filtered.ignore" array and the embedded .snyk policy show every finding suppressed on the wildcard path '*' with the reason "Waiting for Debian upgrade", including SNYK-DEBIAN12-ZLIB-6008963 (CVE-2023-45853 in zlib1g, rated critical/9.8 by NVD but medium/5.3 by SUSE and Red Hat; the NVD text itself says the flaw is in the MiniZip contrib code, which "is not a supported part of the zlib product", so whether the Debian zlib1g binary ships the affected code is worth recording in the ignore reason) and the libde265-0 out-of-bounds writes visible here (CVE-2023-49465/-49467/-49468, high/8.8), all reached through nginx-module-image-filter → libgd3 → libheif1 → libde265-0. Read the "Compliant" state as "no unaccepted findings", not "no findings": every ignore expires at 2024-01-21T19:31:20.564Z, after which the identical image would fail this control, and the org's ignoreSettings have "reasonRequired": false and "adminOnly": false, so these risk acceptances passed through no approval gate (the Approvals section above is also empty). The entries created on 2023-10-21 and 2023-12-15 carry the same millisecond timestamps as the 2023-10-11 nghttp2 entry, which suggests the .snyk lines were copied by hand rather than generated by `snyk ignore` despite "source: cli" — confirm against the repository history. If this reverse proxy does not actually use the image-filter module, dropping it would remove most of the ignored dependency paths rather than waiting on Debian.
{ "evidence_type": "snyk", "name": "snyk-scan", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/nginx/actions/runs/7234026772", "evidence_archive_fingerprint": "fb53e96bada773a87bef3e304fcd2c3ff2b9d81140b2fe6a50e651e33aed99cf", "user_data": {}, "snyk_results": { "applications": [ { "dependencyCount": 0, "displayTargetFile": "/usr/share/java", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": 
"jonjagger", "packageManager": "maven", "path": "cyberdojo/nginx:86645b7/nginx:86645b7:/usr/share/java", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-DEBIAN12-TIFF-5862859:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-10T19:30:13.235Z\n created: 2023-10-11T19:30:13.242Z\n source: cli\n SNYK-DEBIAN12-TIFF-5862863:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-10T19:30:34.260Z\n created: 2023-10-11T19:30:34.270Z\n source: cli\n SNYK-DEBIAN12-TIFF-5934984:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-10T19:30:47.863Z\n created: 2023-10-11T19:30:47.874Z\n source: cli\n SNYK-DEBIAN12-NGHTTP2-5953379:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-10T19:31:20.564Z\n created: 2023-10-11T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-ZLIB-6008963:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-10-21T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-3361563:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6070694:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6105348:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6105349:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6105361:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-3361567:\n - '*':\n 
reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6062358:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-GNUTLS28-6062100:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-CURL-6100974:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-CURL-6100975:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\npatch: {}\n", "projectName": "cyberdojo/nginx:86645b7:/usr/share/java", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/share/java", "uniqueCount": 0, "vulnerabilities": [] } ], "dependencyCount": 149, "displayTargetFile": "/home/runner/work/nginx/nginx/Dockerfile", "docker": { "baseImage": "nginx:1.25.3", "baseImageRemediation": { "advice": [ { "bold": true, "message": "According to our scan, you are currently using the most secure version of the selected base image" } ], "code": "NO_REMEDIATION_AVAILABLE" } }, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "cpes": [], "creationTime": "2023-12-06T12:32:54.255158Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "SUSE", "cvssV3BaseScore": 4, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "modificationTime": "2023-12-07T11:03:24.706424Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 4.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "modificationTime": "2023-12-15T13:31:32.883021Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 5.3, 
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "modificationTime": "2023-12-16T01:10:57.736256Z", "severity": "medium" } ], "cvssScore": 5.3, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nWhen saving HSTS data to an excessively long file name, curl could end up\nremoving all contents, making subsequent requests using that file unaware of\nthe HSTS status they should otherwise use.\n\n## Remediation\nThere is no fixed version for `Debian:12` `curl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-46219)\n- [support@hackerone.com](https://curl.se/docs/CVE-2023-46219.html)\n- [support@hackerone.com](https://hackerone.com/reports/2236133)\n- [support@hackerone.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/)\n", "disclosureTime": "2023-12-12T02:15:06.990000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.06911", "probability": "0.00043" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-15T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "curl@7.88.1-10+deb12u4", "curl/libcurl4@7.88.1-10+deb12u4" ], "id": "SNYK-DEBIAN12-CURL-6100974", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-46219" ], "CWE": [ "CWE-311" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-12-16T01:10:57.736256Z", "name": "curl/libcurl4", "nvdSeverity": "medium", "packageManager": "debian:12", "packageName": "curl", "patches": 
[], "publicationTime": "2023-12-06T12:32:54.259470Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-46219", "url": "https://security-tracker.debian.org/tracker/CVE-2023-46219" }, { "title": "https://curl.se/docs/CVE-2023-46219.html", "url": "https://curl.se/docs/CVE-2023-46219.html" }, { "title": "https://hackerone.com/reports/2236133", "url": "https://hackerone.com/reports/2236133" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Missing Encryption of Sensitive Data", "upgradePath": [], "version": "7.88.1-10+deb12u4" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "cpes": [], "creationTime": "2023-12-06T12:32:55.890323Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "modificationTime": "2023-12-06T13:32:04.678347Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 4.2, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "modificationTime": "2023-12-07T11:03:18.055192Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 6.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "modificationTime": "2023-12-13T01:10:56.083630Z", "severity": "medium" } ], "cvssScore": 6.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nThis flaw allows a malicious HTTP 
server to set "super cookies" in curl that\nare then passed back to more origins than what is otherwise allowed or\npossible. This allows a site to set cookies that then would get sent to\ndifferent and unrelated sites and domains.\n\nIt could do this by exploiting a mixed case flaw in curl's function that\nverifies a given cookie domain against the Public Suffix List (PSL). For\nexample a cookie could be set with `domain=co.UK` when the URL used a lower\ncase hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.\n\n## Remediation\nThere is no fixed version for `Debian:12` `curl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-46218)\n- [support@hackerone.com](https://curl.se/docs/CVE-2023-46218.html)\n- [support@hackerone.com](https://hackerone.com/reports/2212193)\n- [support@hackerone.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/)\n", "disclosureTime": "2023-12-07T01:15:07.160000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.12314", "probability": "0.00045" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-15T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "curl@7.88.1-10+deb12u4", "curl/libcurl4@7.88.1-10+deb12u4" ], "id": "SNYK-DEBIAN12-CURL-6100975", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-46218" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-12-13T01:10:56.083630Z", "name": "curl/libcurl4", "nvdSeverity": "medium", "packageManager": "debian:12", "packageName": "curl", "patches": [], "publicationTime": "2023-12-06T12:32:55.895688Z", "references": [ { "title": 
"https://security-tracker.debian.org/tracker/CVE-2023-46218", "url": "https://security-tracker.debian.org/tracker/CVE-2023-46218" }, { "title": "https://curl.se/docs/CVE-2023-46218.html", "url": "https://curl.se/docs/CVE-2023-46218.html" }, { "title": "https://hackerone.com/reports/2212193", "url": "https://hackerone.com/reports/2212193" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2023-46218", "upgradePath": [], "version": "7.88.1-10+deb12u4" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "cpes": [], "creationTime": "2023-12-06T12:32:54.255158Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "SUSE", "cvssV3BaseScore": 4, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "modificationTime": "2023-12-07T11:03:24.706424Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 4.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "modificationTime": "2023-12-15T13:31:32.883021Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "modificationTime": "2023-12-16T01:10:57.736256Z", "severity": "medium" } ], "cvssScore": 5.3, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nWhen saving HSTS data to an excessively long file name, curl could end up\nremoving all contents, making subsequent requests using that 
file unaware of\nthe HSTS status they should otherwise use.\n\n## Remediation\nThere is no fixed version for `Debian:12` `curl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-46219)\n- [support@hackerone.com](https://curl.se/docs/CVE-2023-46219.html)\n- [support@hackerone.com](https://hackerone.com/reports/2236133)\n- [support@hackerone.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/)\n", "disclosureTime": "2023-12-12T02:15:06.990000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.06911", "probability": "0.00043" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-15T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "curl@7.88.1-10+deb12u4" ], "id": "SNYK-DEBIAN12-CURL-6100974", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-46219" ], "CWE": [ "CWE-311" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-12-16T01:10:57.736256Z", "name": "curl", "nvdSeverity": "medium", "packageManager": "debian:12", "packageName": "curl", "patches": [], "publicationTime": "2023-12-06T12:32:54.259470Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-46219", "url": "https://security-tracker.debian.org/tracker/CVE-2023-46219" }, { "title": "https://curl.se/docs/CVE-2023-46219.html", "url": "https://curl.se/docs/CVE-2023-46219.html" }, { "title": "https://hackerone.com/reports/2236133", "url": "https://hackerone.com/reports/2236133" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Missing Encryption of Sensitive Data", "upgradePath": [], "version": "7.88.1-10+deb12u4" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "cpes": [], "creationTime": "2023-12-06T12:32:55.890323Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "modificationTime": "2023-12-06T13:32:04.678347Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 4.2, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "modificationTime": "2023-12-07T11:03:18.055192Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 6.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "modificationTime": "2023-12-13T01:10:56.083630Z", "severity": "medium" } ], "cvssScore": 6.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nThis flaw allows a malicious HTTP server to set "super cookies" in curl that\nare then passed back to more origins than what is otherwise allowed or\npossible. This allows a site to set cookies that then would get sent to\ndifferent and unrelated sites and domains.\n\nIt could do this by exploiting a mixed case flaw in curl's function that\nverifies a given cookie domain against the Public Suffix List (PSL). 
For\nexample a cookie could be set with `domain=co.UK` when the URL used a lower\ncase hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.\n\n## Remediation\nThere is no fixed version for `Debian:12` `curl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-46218)\n- [support@hackerone.com](https://curl.se/docs/CVE-2023-46218.html)\n- [support@hackerone.com](https://hackerone.com/reports/2212193)\n- [support@hackerone.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/)\n", "disclosureTime": "2023-12-07T01:15:07.160000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.12314", "probability": "0.00045" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-15T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "curl@7.88.1-10+deb12u4" ], "id": "SNYK-DEBIAN12-CURL-6100975", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-46218" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-12-13T01:10:56.083630Z", "name": "curl", "nvdSeverity": "medium", "packageManager": "debian:12", "packageName": "curl", "patches": [], "publicationTime": "2023-12-06T12:32:55.895688Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-46218", "url": "https://security-tracker.debian.org/tracker/CVE-2023-46218" }, { "title": "https://curl.se/docs/CVE-2023-46218.html", "url": "https://curl.se/docs/CVE-2023-46218.html" }, { "title": "https://hackerone.com/reports/2212193", "url": "https://hackerone.com/reports/2212193" }, { "title": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2023-46218", "upgradePath": [], "version": "7.88.1-10+deb12u4" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-12-08T01:32:33.590406Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 8.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "modificationTime": "2023-12-12T01:11:00.705298Z", "severity": "high" } ], "cvssScore": 8.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `libde265` package and not the `libde265` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nLibde265 v1.0.14 was discovered to contain a global buffer overflow vulnerability in the read_coding_unit function at slice.cc.\n## Remediation\nThere is no fixed version for `Debian:12` `libde265`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-49468)\n- [cve@mitre.org](https://github.com/strukturag/libde265/issues/432)\n", "disclosureTime": "2023-12-07T20:15:38.477000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.23888", "probability": "0.00061" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-15T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "nginx-module-image-filter@1.25.3-1~bookworm", 
"libgd2/libgd3@2.3.3-9", "libheif/libheif1@1.15.1-1", "libde265/libde265-0@1.0.11-1+deb12u1" ], "id": "SNYK-DEBIAN12-LIBDE265-6105348", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-49468" ], "CWE": [ "CWE-787" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-12-12T01:11:00.705298Z", "name": "libde265/libde265-0", "nvdSeverity": "high", "packageManager": "debian:12", "packageName": "libde265", "patches": [], "publicationTime": "2023-12-08T01:32:33.595136Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-49468", "url": "https://security-tracker.debian.org/tracker/CVE-2023-49468" }, { "title": "https://github.com/strukturag/libde265/issues/432", "url": "https://github.com/strukturag/libde265/issues/432" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Out-of-bounds Write", "upgradePath": [], "version": "1.0.11-1+deb12u1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-12-08T01:32:36.243015Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 8.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "modificationTime": "2023-12-12T01:10:59.988820Z", "severity": "high" } ], "cvssScore": 8.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `libde265` package and not the `libde265` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nLibde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_combined_bipredictive_merging_candidates function at motion.cc.\n## Remediation\nThere is no fixed version for `Debian:12` `libde265`.\n## References\n- 
[ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-49467)\n- [cve@mitre.org](https://github.com/strukturag/libde265/issues/434)\n", "disclosureTime": "2023-12-07T20:15:38.427000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.06929", "probability": "0.00043" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-15T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "libheif/libheif1@1.15.1-1", "libde265/libde265-0@1.0.11-1+deb12u1" ], "id": "SNYK-DEBIAN12-LIBDE265-6105349", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-49467" ], "CWE": [ "CWE-787" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-12-12T01:10:59.988820Z", "name": "libde265/libde265-0", "nvdSeverity": "high", "packageManager": "debian:12", "packageName": "libde265", "patches": [], "publicationTime": "2023-12-08T01:32:36.248879Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-49467", "url": "https://security-tracker.debian.org/tracker/CVE-2023-49467" }, { "title": "https://github.com/strukturag/libde265/issues/434", "url": "https://github.com/strukturag/libde265/issues/434" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Out-of-bounds Write", "upgradePath": [], "version": "1.0.11-1+deb12u1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-12-08T01:34:09.513577Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 8.8, "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "modificationTime": "2023-12-12T01:10:59.727911Z", "severity": "high" } ], "cvssScore": 8.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `libde265` package and not the `libde265` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nLibde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_prediction function at motion.cc.\n## Remediation\nThere is no fixed version for `Debian:12` `libde265`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-49465)\n- [cve@mitre.org](https://github.com/strukturag/libde265/issues/435)\n", "disclosureTime": "2023-12-07T20:15:38.370000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.06929", "probability": "0.00043" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-15T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "libheif/libheif1@1.15.1-1", "libde265/libde265-0@1.0.11-1+deb12u1" ], "id": "SNYK-DEBIAN12-LIBDE265-6105361", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-49465" ], "CWE": [ "CWE-787" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-12-12T01:10:59.727911Z", "name": "libde265/libde265-0", "nvdSeverity": "high", "packageManager": "debian:12", "packageName": "libde265", "patches": [], "publicationTime": "2023-12-08T01:34:09.516791Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-49465", "url": 
"https://security-tracker.debian.org/tracker/CVE-2023-49465" }, { "title": "https://github.com/strukturag/libde265/issues/435", "url": "https://github.com/strukturag/libde265/issues/435" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Out-of-bounds Write", "upgradePath": [], "version": "1.0.11-1+deb12u1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. 
NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "curl@7.88.1-10+deb12u4", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", 
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { 
"assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", 
"expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "nginx@1.25.3-1~bookworm", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", 
"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. 
NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "nginx-module-njs@1.25.3+0.8.2-1~bookworm", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": 
"https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 
"modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not 
Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "util-linux/util-linux@2.38.1-5+b1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": 
"http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. 
NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "apt@2.6.1", "apt/libapt-pkg6.0@2.6.1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": 
"https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 
"modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not 
Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "apt@2.6.1", "gnupg2/gpgv@2.2.40-1.1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": 
"http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. 
NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "curl@7.88.1-10+deb12u4", "curl/libcurl4@7.88.1-10+deb12u4", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": 
"https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 
"modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not 
Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "dash@0.5.12-2", "dpkg@1.21.22", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" 
}, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. 
NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "nginx-module-njs@1.25.3+0.8.2-1~bookworm", "libxml2@2.9.14+dfsg-1.3~deb12u1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": 
"https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 
"modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not 
Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "curl@7.88.1-10+deb12u4", "curl/libcurl4@7.88.1-10+deb12u4", "libssh2/libssh2-1@1.10.0-3+b1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", 
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. 
NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "curl@7.88.1-10+deb12u4", "curl/libcurl4@7.88.1-10+deb12u4", "rtmpdump/librtmp1@2.4+20151223.gitfa8646d.1-2+b2", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", 
"references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", 
"probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "libheif/libheif1@1.15.1-1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": 
"http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. 
NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "tiff/libtiff6@4.5.0-6+deb12u1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", 
"references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", 
"probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "fontconfig/libfontconfig1@2.14.1-4", "freetype/libfreetype6@2.12.1+dfsg-5", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": 
"https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. 
NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "fontconfig/libfontconfig1@2.14.1-4", "freetype/libfreetype6@2.12.1+dfsg-5", "libpng1.6/libpng16-16@1.6.39-2", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", 
"patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { 
"orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "deb", "path": "cyberdojo/nginx:86645b7/nginx", "platform": "linux/amd64", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-DEBIAN12-TIFF-5862859:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-10T19:30:13.235Z\n created: 2023-10-11T19:30:13.242Z\n source: cli\n SNYK-DEBIAN12-TIFF-5862863:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 
2024-01-10T19:30:34.260Z\n created: 2023-10-11T19:30:34.270Z\n source: cli\n SNYK-DEBIAN12-TIFF-5934984:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-10T19:30:47.863Z\n created: 2023-10-11T19:30:47.874Z\n source: cli\n SNYK-DEBIAN12-NGHTTP2-5953379:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-10T19:31:20.564Z\n created: 2023-10-11T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-ZLIB-6008963:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-10-21T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-3361563:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6070694:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6105348:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6105349:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6105361:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-3361567:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6062358:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-GNUTLS28-6062100:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-CURL-6100974:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 
2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-CURL-6100975:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\npatch: {}\n", "projectName": "docker-image|cyberdojo/nginx", "severityThreshold": "medium", "summary": "No known operating system vulnerabilities", "targetFile": "/home/runner/work/nginx/nginx/Dockerfile", "uniqueCount": 0, "vulnerabilities": [] }, "created_at": 1702757570.9539273, "has_audit_package": true }