cyber-dojo
flows
nginx-archived-at-1707630884
artifacts
23ae06aa701ed29cdc041a55a4e18a25bce542d2d330bce3caefd27a0c83cc13
By signing up, you agree to the
Terms of Service.
For more information about Kosli’s privacy practices, see the Kosli’s
Privacy Policy.
We’ll occasionally send you account-related emails.
We’ll occasionally send you account-related emails.
nginx-archived-at-1707630884
Reverse proxy
cyberdojo/nginx:86645b7
Compliant
Download Evidence Package
JSON
{
"created_at": 1702757562.2527735,
"fingerprint": "23ae06aa701ed29cdc041a55a4e18a25bce542d2d330bce3caefd27a0c83cc13",
"filename": "cyberdojo/nginx:86645b7",
"git_commit": "86645b7fea5ebf9ebd6216269002b02aace70fbf",
"build_url": "https://github.com/cyber-dojo/nginx/actions/runs/7234026772",
"commit_url": "https://github.com/cyber-dojo/nginx/commit/86645b7fea5ebf9ebd6216269002b02aace70fbf",
"evidence": {
"snyk-scan": {
"evidence_type": "snyk",
"is_compliant": true,
"build_url": "https://github.com/cyber-dojo/nginx/actions/runs/7234026772",
"evidence_archive_fingerprint": "fb53e96bada773a87bef3e304fcd2c3ff2b9d81140b2fe6a50e651e33aed99cf",
"user_data": {},
"snyk_results": {
"applications": [
{
"dependencyCount": 0,
"displayTargetFile": "/usr/share/java",
"docker": {},
"filesystemPolicy": true,
"hasUnknownVersions": false,
"ignoreSettings": {
"adminOnly": false,
"disregardFilesystemIgnores": false,
"reasonRequired": false
},
"isPrivate": true,
"licensesPolicy": {
"orgLicenseRules": {
"AGPL-1.0": {
"instructions": "",
"licenseType": "AGPL-1.0",
"severity": "high"
},
"AGPL-3.0": {
"instructions": "",
"licenseType": "AGPL-3.0",
"severity": "high"
},
"Artistic-1.0": {
"instructions": "",
"licenseType": "Artistic-1.0",
"severity": "medium"
},
"Artistic-2.0": {
"instructions": "",
"licenseType": "Artistic-2.0",
"severity": "medium"
},
"CDDL-1.0": {
"instructions": "",
"licenseType": "CDDL-1.0",
"severity": "medium"
},
"CPOL-1.02": {
"instructions": "",
"licenseType": "CPOL-1.02",
"severity": "high"
},
"EPL-1.0": {
"instructions": "",
"licenseType": "EPL-1.0",
"severity": "medium"
},
"GPL-2.0": {
"instructions": "",
"licenseType": "GPL-2.0",
"severity": "high"
},
"GPL-3.0": {
"instructions": "",
"licenseType": "GPL-3.0",
"severity": "high"
},
"LGPL-2.0": {
"instructions": "",
"licenseType": "LGPL-2.0",
"severity": "medium"
},
"LGPL-2.1": {
"instructions": "",
"licenseType": "LGPL-2.1",
"severity": "medium"
},
"LGPL-3.0": {
"instructions": "",
"licenseType": "LGPL-3.0",
"severity": "medium"
},
"MPL-1.1": {
"instructions": "",
"licenseType": "MPL-1.1",
"severity": "medium"
},
"MPL-2.0": {
"instructions": "",
"licenseType": "MPL-2.0",
"severity": "medium"
},
"MS-RL": {
"instructions": "",
"licenseType": "MS-RL",
"severity": "medium"
},
"SimPL-2.0": {
"instructions": "",
"licenseType": "SimPL-2.0",
"severity": "high"
}
},
"severities": {}
},
"ok": true,
"org": "jonjagger",
"packageManager": "maven",
"path": "cyberdojo/nginx:86645b7/nginx:86645b7:/usr/share/java",
"policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-DEBIAN12-TIFF-5862859:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-10T19:30:13.235Z\n created: 2023-10-11T19:30:13.242Z\n source: cli\n SNYK-DEBIAN12-TIFF-5862863:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-10T19:30:34.260Z\n created: 2023-10-11T19:30:34.270Z\n source: cli\n SNYK-DEBIAN12-TIFF-5934984:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-10T19:30:47.863Z\n created: 2023-10-11T19:30:47.874Z\n source: cli\n SNYK-DEBIAN12-NGHTTP2-5953379:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-10T19:31:20.564Z\n created: 2023-10-11T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-ZLIB-6008963:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-10-21T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-3361563:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6070694:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6105348:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6105349:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6105361:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-3361567:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6062358:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-GNUTLS28-6062100:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-CURL-6100974:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-CURL-6100975:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\npatch: {}\n",
"projectName": "cyberdojo/nginx:86645b7:/usr/share/java",
"severityThreshold": "medium",
"summary": "No medium or high or critical severity vulnerabilities",
"targetFile": "/usr/share/java",
"uniqueCount": 0,
"vulnerabilities": []
}
],
"dependencyCount": 149,
"displayTargetFile": "/home/runner/work/nginx/nginx/Dockerfile",
"docker": {
"baseImage": "nginx:1.25.3",
"baseImageRemediation": {
"advice": [
{
"bold": true,
"message": "According to our scan, you are currently using the most secure version of the selected base image"
}
],
"code": "NO_REMEDIATION_AVAILABLE"
}
},
"filesystemPolicy": true,
"filtered": {
"ignore": [
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"cpes": [],
"creationTime": "2023-12-06T12:32:54.255158Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "SUSE",
"cvssV3BaseScore": 4,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"modificationTime": "2023-12-07T11:03:24.706424Z",
"severity": "medium"
},
{
"assigner": "Red Hat",
"cvssV3BaseScore": 4.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"modificationTime": "2023-12-15T13:31:32.883021Z",
"severity": "medium"
},
{
"assigner": "NVD",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"modificationTime": "2023-12-16T01:10:57.736256Z",
"severity": "medium"
}
],
"cvssScore": 5.3,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nWhen saving HSTS data to an excessively long file name, curl could end up\nremoving all contents, making subsequent requests using that file unaware of\nthe HSTS status they should otherwise use.\n\n## Remediation\nThere is no fixed version for `Debian:12` `curl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-46219)\n- [support@hackerone.com](https://curl.se/docs/CVE-2023-46219.html)\n- [support@hackerone.com](https://hackerone.com/reports/2236133)\n- [support@hackerone.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/)\n",
"disclosureTime": "2023-12-12T02:15:06.990000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.06911",
"probability": "0.00043"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-12-15T19:31:20.581Z",
"expires": "2024-01-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|cyberdojo/nginx@86645b7",
"curl@7.88.1-10+deb12u4",
"curl/libcurl4@7.88.1-10+deb12u4"
],
"id": "SNYK-DEBIAN12-CURL-6100974",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-46219"
],
"CWE": [
"CWE-311"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-12-16T01:10:57.736256Z",
"name": "curl/libcurl4",
"nvdSeverity": "medium",
"packageManager": "debian:12",
"packageName": "curl",
"patches": [],
"publicationTime": "2023-12-06T12:32:54.259470Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-46219",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-46219"
},
{
"title": "https://curl.se/docs/CVE-2023-46219.html",
"url": "https://curl.se/docs/CVE-2023-46219.html"
},
{
"title": "https://hackerone.com/reports/2236133",
"url": "https://hackerone.com/reports/2236133"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "medium",
"severityWithCritical": "medium",
"socialTrendAlert": false,
"title": "Missing Encryption of Sensitive Data",
"upgradePath": [],
"version": "7.88.1-10+deb12u4"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"cpes": [],
"creationTime": "2023-12-06T12:32:55.890323Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "Red Hat",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"modificationTime": "2023-12-06T13:32:04.678347Z",
"severity": "medium"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 4.2,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"modificationTime": "2023-12-07T11:03:18.055192Z",
"severity": "medium"
},
{
"assigner": "NVD",
"cvssV3BaseScore": 6.5,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"modificationTime": "2023-12-13T01:10:56.083630Z",
"severity": "medium"
}
],
"cvssScore": 6.5,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nThis flaw allows a malicious HTTP server to set "super cookies" in curl that\nare then passed back to more origins than what is otherwise allowed or\npossible. This allows a site to set cookies that then would get sent to\ndifferent and unrelated sites and domains.\n\nIt could do this by exploiting a mixed case flaw in curl's function that\nverifies a given cookie domain against the Public Suffix List (PSL). For\nexample a cookie could be set with `domain=co.UK` when the URL used a lower\ncase hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.\n\n## Remediation\nThere is no fixed version for `Debian:12` `curl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-46218)\n- [support@hackerone.com](https://curl.se/docs/CVE-2023-46218.html)\n- [support@hackerone.com](https://hackerone.com/reports/2212193)\n- [support@hackerone.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/)\n",
"disclosureTime": "2023-12-07T01:15:07.160000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.12314",
"probability": "0.00045"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-12-15T19:31:20.581Z",
"expires": "2024-01-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|cyberdojo/nginx@86645b7",
"curl@7.88.1-10+deb12u4",
"curl/libcurl4@7.88.1-10+deb12u4"
],
"id": "SNYK-DEBIAN12-CURL-6100975",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-46218"
],
"CWE": []
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-12-13T01:10:56.083630Z",
"name": "curl/libcurl4",
"nvdSeverity": "medium",
"packageManager": "debian:12",
"packageName": "curl",
"patches": [],
"publicationTime": "2023-12-06T12:32:55.895688Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-46218",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-46218"
},
{
"title": "https://curl.se/docs/CVE-2023-46218.html",
"url": "https://curl.se/docs/CVE-2023-46218.html"
},
{
"title": "https://hackerone.com/reports/2212193",
"url": "https://hackerone.com/reports/2212193"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "medium",
"severityWithCritical": "medium",
"socialTrendAlert": false,
"title": "CVE-2023-46218",
"upgradePath": [],
"version": "7.88.1-10+deb12u4"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"cpes": [],
"creationTime": "2023-12-06T12:32:54.255158Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "SUSE",
"cvssV3BaseScore": 4,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"modificationTime": "2023-12-07T11:03:24.706424Z",
"severity": "medium"
},
{
"assigner": "Red Hat",
"cvssV3BaseScore": 4.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"modificationTime": "2023-12-15T13:31:32.883021Z",
"severity": "medium"
},
{
"assigner": "NVD",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"modificationTime": "2023-12-16T01:10:57.736256Z",
"severity": "medium"
}
],
"cvssScore": 5.3,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nWhen saving HSTS data to an excessively long file name, curl could end up\nremoving all contents, making subsequent requests using that file unaware of\nthe HSTS status they should otherwise use.\n\n## Remediation\nThere is no fixed version for `Debian:12` `curl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-46219)\n- [support@hackerone.com](https://curl.se/docs/CVE-2023-46219.html)\n- [support@hackerone.com](https://hackerone.com/reports/2236133)\n- [support@hackerone.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/)\n",
"disclosureTime": "2023-12-12T02:15:06.990000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.06911",
"probability": "0.00043"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-12-15T19:31:20.581Z",
"expires": "2024-01-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|cyberdojo/nginx@86645b7",
"curl@7.88.1-10+deb12u4"
],
"id": "SNYK-DEBIAN12-CURL-6100974",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-46219"
],
"CWE": [
"CWE-311"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-12-16T01:10:57.736256Z",
"name": "curl",
"nvdSeverity": "medium",
"packageManager": "debian:12",
"packageName": "curl",
"patches": [],
"publicationTime": "2023-12-06T12:32:54.259470Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-46219",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-46219"
},
{
"title": "https://curl.se/docs/CVE-2023-46219.html",
"url": "https://curl.se/docs/CVE-2023-46219.html"
},
{
"title": "https://hackerone.com/reports/2236133",
"url": "https://hackerone.com/reports/2236133"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "medium",
"severityWithCritical": "medium",
"socialTrendAlert": false,
"title": "Missing Encryption of Sensitive Data",
"upgradePath": [],
"version": "7.88.1-10+deb12u4"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"cpes": [],
"creationTime": "2023-12-06T12:32:55.890323Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "Red Hat",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"modificationTime": "2023-12-06T13:32:04.678347Z",
"severity": "medium"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 4.2,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"modificationTime": "2023-12-07T11:03:18.055192Z",
"severity": "medium"
},
{
"assigner": "NVD",
"cvssV3BaseScore": 6.5,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"modificationTime": "2023-12-13T01:10:56.083630Z",
"severity": "medium"
}
],
"cvssScore": 6.5,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nThis flaw allows a malicious HTTP server to set "super cookies" in curl that\nare then passed back to more origins than what is otherwise allowed or\npossible. This allows a site to set cookies that then would get sent to\ndifferent and unrelated sites and domains.\n\nIt could do this by exploiting a mixed case flaw in curl's function that\nverifies a given cookie domain against the Public Suffix List (PSL). For\nexample a cookie could be set with `domain=co.UK` when the URL used a lower\ncase hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.\n\n## Remediation\nThere is no fixed version for `Debian:12` `curl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-46218)\n- [support@hackerone.com](https://curl.se/docs/CVE-2023-46218.html)\n- [support@hackerone.com](https://hackerone.com/reports/2212193)\n- [support@hackerone.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/)\n",
"disclosureTime": "2023-12-07T01:15:07.160000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.12314",
"probability": "0.00045"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-12-15T19:31:20.581Z",
"expires": "2024-01-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|cyberdojo/nginx@86645b7",
"curl@7.88.1-10+deb12u4"
],
"id": "SNYK-DEBIAN12-CURL-6100975",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-46218"
],
"CWE": []
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-12-13T01:10:56.083630Z",
"name": "curl",
"nvdSeverity": "medium",
"packageManager": "debian:12",
"packageName": "curl",
"patches": [],
"publicationTime": "2023-12-06T12:32:55.895688Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-46218",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-46218"
},
{
"title": "https://curl.se/docs/CVE-2023-46218.html",
"url": "https://curl.se/docs/CVE-2023-46218.html"
},
{
"title": "https://hackerone.com/reports/2212193",
"url": "https://hackerone.com/reports/2212193"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "medium",
"severityWithCritical": "medium",
"socialTrendAlert": false,
"title": "CVE-2023-46218",
"upgradePath": [],
"version": "7.88.1-10+deb12u4"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-12-08T01:32:33.590406Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 8.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"modificationTime": "2023-12-12T01:11:00.705298Z",
"severity": "high"
}
],
"cvssScore": 8.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `libde265` package and not the `libde265` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nLibde265 v1.0.14 was discovered to contain a global buffer overflow vulnerability in the read_coding_unit function at slice.cc.\n## Remediation\nThere is no fixed version for `Debian:12` `libde265`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-49468)\n- [cve@mitre.org](https://github.com/strukturag/libde265/issues/432)\n",
"disclosureTime": "2023-12-07T20:15:38.477000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.23888",
"probability": "0.00061"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-12-15T19:31:20.581Z",
"expires": "2024-01-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|cyberdojo/nginx@86645b7",
"nginx-module-image-filter@1.25.3-1~bookworm",
"libgd2/libgd3@2.3.3-9",
"libheif/libheif1@1.15.1-1",
"libde265/libde265-0@1.0.11-1+deb12u1"
],
"id": "SNYK-DEBIAN12-LIBDE265-6105348",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-49468"
],
"CWE": [
"CWE-787"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-12-12T01:11:00.705298Z",
"name": "libde265/libde265-0",
"nvdSeverity": "high",
"packageManager": "debian:12",
"packageName": "libde265",
"patches": [],
"publicationTime": "2023-12-08T01:32:33.595136Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-49468",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-49468"
},
{
"title": "https://github.com/strukturag/libde265/issues/432",
"url": "https://github.com/strukturag/libde265/issues/432"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "high",
"severityWithCritical": "high",
"socialTrendAlert": false,
"title": "Out-of-bounds Write",
"upgradePath": [],
"version": "1.0.11-1+deb12u1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-12-08T01:32:36.243015Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 8.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"modificationTime": "2023-12-12T01:10:59.988820Z",
"severity": "high"
}
],
"cvssScore": 8.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `libde265` package and not the `libde265` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nLibde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_combined_bipredictive_merging_candidates function at motion.cc.\n## Remediation\nThere is no fixed version for `Debian:12` `libde265`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-49467)\n- [cve@mitre.org](https://github.com/strukturag/libde265/issues/434)\n",
"disclosureTime": "2023-12-07T20:15:38.427000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.06929",
"probability": "0.00043"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-12-15T19:31:20.581Z",
"expires": "2024-01-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|cyberdojo/nginx@86645b7",
"nginx-module-image-filter@1.25.3-1~bookworm",
"libgd2/libgd3@2.3.3-9",
"libheif/libheif1@1.15.1-1",
"libde265/libde265-0@1.0.11-1+deb12u1"
],
"id": "SNYK-DEBIAN12-LIBDE265-6105349",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-49467"
],
"CWE": [
"CWE-787"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-12-12T01:10:59.988820Z",
"name": "libde265/libde265-0",
"nvdSeverity": "high",
"packageManager": "debian:12",
"packageName": "libde265",
"patches": [],
"publicationTime": "2023-12-08T01:32:36.248879Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-49467",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-49467"
},
{
"title": "https://github.com/strukturag/libde265/issues/434",
"url": "https://github.com/strukturag/libde265/issues/434"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "high",
"severityWithCritical": "high",
"socialTrendAlert": false,
"title": "Out-of-bounds Write",
"upgradePath": [],
"version": "1.0.11-1+deb12u1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-12-08T01:34:09.513577Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 8.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"modificationTime": "2023-12-12T01:10:59.727911Z",
"severity": "high"
}
],
"cvssScore": 8.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `libde265` package and not the `libde265` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nLibde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_prediction function at motion.cc.\n## Remediation\nThere is no fixed version for `Debian:12` `libde265`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-49465)\n- [cve@mitre.org](https://github.com/strukturag/libde265/issues/435)\n",
"disclosureTime": "2023-12-07T20:15:38.370000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.06929",
"probability": "0.00043"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-12-15T19:31:20.581Z",
"expires": "2024-01-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|cyberdojo/nginx@86645b7",
"nginx-module-image-filter@1.25.3-1~bookworm",
"libgd2/libgd3@2.3.3-9",
"libheif/libheif1@1.15.1-1",
"libde265/libde265-0@1.0.11-1+deb12u1"
],
"id": "SNYK-DEBIAN12-LIBDE265-6105361",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-49465"
],
"CWE": [
"CWE-787"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-12-12T01:10:59.727911Z",
"name": "libde265/libde265-0",
"nvdSeverity": "high",
"packageManager": "debian:12",
"packageName": "libde265",
"patches": [],
"publicationTime": "2023-12-08T01:34:09.516791Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-49465",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-49465"
},
{
"title": "https://github.com/strukturag/libde265/issues/435",
"url": "https://github.com/strukturag/libde265/issues/435"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "high",
"severityWithCritical": "high",
"socialTrendAlert": false,
"title": "Out-of-bounds Write",
"upgradePath": [],
"version": "1.0.11-1+deb12u1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-10-19T04:21:07.782934Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 9.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"modificationTime": "2023-10-19T13:10:57.430822Z",
"severity": "critical"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-10-27T11:02:39.566188Z",
"severity": "medium"
},
{
"assigner": "Red Hat",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-11-08T09:44:04.286134Z",
"severity": "medium"
}
],
"cvssScore": 9.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n",
"disclosureTime": "2023-10-14T02:15:09.323000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.46318",
"probability": "0.00122"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-10-21T19:31:20.581Z",
"expires": "2024-01-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|cyberdojo/nginx@86645b7",
"curl@7.88.1-10+deb12u4",
"zlib/zlib1g@1:1.2.13.dfsg-1"
],
"id": "SNYK-DEBIAN12-ZLIB-6008963",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-45853"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-11-20T03:20:48.421195Z",
"name": "zlib/zlib1g",
"nvdSeverity": "critical",
"packageManager": "debian:12",
"packageName": "zlib",
"patches": [],
"publicationTime": "2023-10-19T04:21:02.193720Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-45853",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356",
"url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61",
"url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61"
},
{
"title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4",
"url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4"
},
{
"title": "https://github.com/madler/zlib/pull/843",
"url": "https://github.com/madler/zlib/pull/843"
},
{
"title": "https://www.winimage.com/zLibDll/minizip.html",
"url": "https://www.winimage.com/zLibDll/minizip.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/20/9",
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9"
},
{
"title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html",
"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html"
},
{
"title": "https://security.netapp.com/advisory/ntap-20231130-0009/",
"url": "https://security.netapp.com/advisory/ntap-20231130-0009/"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "critical",
"severityWithCritical": "critical",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "1:1.2.13.dfsg-1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-10-19T04:21:07.782934Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 9.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"modificationTime": "2023-10-19T13:10:57.430822Z",
"severity": "critical"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-10-27T11:02:39.566188Z",
"severity": "medium"
},
{
"assigner": "Red Hat",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-11-08T09:44:04.286134Z",
"severity": "medium"
}
],
"cvssScore": 9.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n",
"disclosureTime": "2023-10-14T02:15:09.323000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.46318",
"probability": "0.00122"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-10-21T19:31:20.581Z",
"expires": "2024-01-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|cyberdojo/nginx@86645b7",
"nginx@1.25.3-1~bookworm",
"zlib/zlib1g@1:1.2.13.dfsg-1"
],
"id": "SNYK-DEBIAN12-ZLIB-6008963",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-45853"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-11-20T03:20:48.421195Z",
"name": "zlib/zlib1g",
"nvdSeverity": "critical",
"packageManager": "debian:12",
"packageName": "zlib",
"patches": [],
"publicationTime": "2023-10-19T04:21:02.193720Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-45853",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356",
"url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61",
"url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61"
},
{
"title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4",
"url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4"
},
{
"title": "https://github.com/madler/zlib/pull/843",
"url": "https://github.com/madler/zlib/pull/843"
},
{
"title": "https://www.winimage.com/zLibDll/minizip.html",
"url": "https://www.winimage.com/zLibDll/minizip.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/20/9",
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9"
},
{
"title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html",
"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html"
},
{
"title": "https://security.netapp.com/advisory/ntap-20231130-0009/",
"url": "https://security.netapp.com/advisory/ntap-20231130-0009/"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "critical",
"severityWithCritical": "critical",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "1:1.2.13.dfsg-1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-10-19T04:21:07.782934Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 9.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"modificationTime": "2023-10-19T13:10:57.430822Z",
"severity": "critical"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-10-27T11:02:39.566188Z",
"severity": "medium"
},
{
"assigner": "Red Hat",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-11-08T09:44:04.286134Z",
"severity": "medium"
}
],
"cvssScore": 9.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n",
"disclosureTime": "2023-10-14T02:15:09.323000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.46318",
"probability": "0.00122"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-10-21T19:31:20.581Z",
"expires": "2024-01-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|cyberdojo/nginx@86645b7",
"nginx-module-njs@1.25.3+0.8.2-1~bookworm",
"zlib/zlib1g@1:1.2.13.dfsg-1"
],
"id": "SNYK-DEBIAN12-ZLIB-6008963",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-45853"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-11-20T03:20:48.421195Z",
"name": "zlib/zlib1g",
"nvdSeverity": "critical",
"packageManager": "debian:12",
"packageName": "zlib",
"patches": [],
"publicationTime": "2023-10-19T04:21:02.193720Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-45853",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356",
"url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61",
"url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61"
},
{
"title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4",
"url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4"
},
{
"title": "https://github.com/madler/zlib/pull/843",
"url": "https://github.com/madler/zlib/pull/843"
},
{
"title": "https://www.winimage.com/zLibDll/minizip.html",
"url": "https://www.winimage.com/zLibDll/minizip.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/20/9",
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9"
},
{
"title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html",
"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html"
},
{
"title": "https://security.netapp.com/advisory/ntap-20231130-0009/",
"url": "https://security.netapp.com/advisory/ntap-20231130-0009/"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "critical",
"severityWithCritical": "critical",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "1:1.2.13.dfsg-1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-10-19T04:21:07.782934Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 9.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"modificationTime": "2023-10-19T13:10:57.430822Z",
"severity": "critical"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-10-27T11:02:39.566188Z",
"severity": "medium"
},
{
"assigner": "Red Hat",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-11-08T09:44:04.286134Z",
"severity": "medium"
}
],
"cvssScore": 9.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n",
"disclosureTime": "2023-10-14T02:15:09.323000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.46318",
"probability": "0.00122"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-10-21T19:31:20.581Z",
"expires": "2024-01-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|cyberdojo/nginx@86645b7",
"util-linux/util-linux@2.38.1-5+b1",
"zlib/zlib1g@1:1.2.13.dfsg-1"
],
"id": "SNYK-DEBIAN12-ZLIB-6008963",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-45853"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-11-20T03:20:48.421195Z",
"name": "zlib/zlib1g",
"nvdSeverity": "critical",
"packageManager": "debian:12",
"packageName": "zlib",
"patches": [],
"publicationTime": "2023-10-19T04:21:02.193720Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-45853",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356",
"url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61",
"url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61"
},
{
"title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4",
"url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4"
},
{
"title": "https://github.com/madler/zlib/pull/843",
"url": "https://github.com/madler/zlib/pull/843"
},
{
"title": "https://www.winimage.com/zLibDll/minizip.html",
"url": "https://www.winimage.com/zLibDll/minizip.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/20/9",
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9"
},
{
"title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html",
"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html"
},
{
"title": "https://security.netapp.com/advisory/ntap-20231130-0009/",
"url": "https://security.netapp.com/advisory/ntap-20231130-0009/"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "critical",
"severityWithCritical": "critical",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "1:1.2.13.dfsg-1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-10-19T04:21:07.782934Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 9.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"modificationTime": "2023-10-19T13:10:57.430822Z",
"severity": "critical"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-10-27T11:02:39.566188Z",
"severity": "medium"
},
{
"assigner": "Red Hat",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-11-08T09:44:04.286134Z",
"severity": "medium"
}
],
"cvssScore": 9.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n",
"disclosureTime": "2023-10-14T02:15:09.323000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.46318",
"probability": "0.00122"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-10-21T19:31:20.581Z",
"expires": "2024-01-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|cyberdojo/nginx@86645b7",
"apt@2.6.1",
"apt/libapt-pkg6.0@2.6.1",
"zlib/zlib1g@1:1.2.13.dfsg-1"
],
"id": "SNYK-DEBIAN12-ZLIB-6008963",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-45853"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-11-20T03:20:48.421195Z",
"name": "zlib/zlib1g",
"nvdSeverity": "critical",
"packageManager": "debian:12",
"packageName": "zlib",
"patches": [],
"publicationTime": "2023-10-19T04:21:02.193720Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-45853",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356",
"url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61",
"url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61"
},
{
"title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4",
"url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4"
},
{
"title": "https://github.com/madler/zlib/pull/843",
"url": "https://github.com/madler/zlib/pull/843"
},
{
"title": "https://www.winimage.com/zLibDll/minizip.html",
"url": "https://www.winimage.com/zLibDll/minizip.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/20/9",
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9"
},
{
"title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html",
"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html"
},
{
"title": "https://security.netapp.com/advisory/ntap-20231130-0009/",
"url": "https://security.netapp.com/advisory/ntap-20231130-0009/"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "critical",
"severityWithCritical": "critical",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "1:1.2.13.dfsg-1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-10-19T04:21:07.782934Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 9.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"modificationTime": "2023-10-19T13:10:57.430822Z",
"severity": "critical"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-10-27T11:02:39.566188Z",
"severity": "medium"
},
{
"assigner": "Red Hat",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-11-08T09:44:04.286134Z",
"severity": "medium"
}
],
"cvssScore": 9.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n",
"disclosureTime": "2023-10-14T02:15:09.323000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.46318",
"probability": "0.00122"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-10-21T19:31:20.581Z",
"expires": "2024-01-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|cyberdojo/nginx@86645b7",
"apt@2.6.1",
"gnupg2/gpgv@2.2.40-1.1",
"zlib/zlib1g@1:1.2.13.dfsg-1"
],
"id": "SNYK-DEBIAN12-ZLIB-6008963",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-45853"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-11-20T03:20:48.421195Z",
"name": "zlib/zlib1g",
"nvdSeverity": "critical",
"packageManager": "debian:12",
"packageName": "zlib",
"patches": [],
"publicationTime": "2023-10-19T04:21:02.193720Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-45853",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356",
"url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61",
"url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61"
},
{
"title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4",
"url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4"
},
{
"title": "https://github.com/madler/zlib/pull/843",
"url": "https://github.com/madler/zlib/pull/843"
},
{
"title": "https://www.winimage.com/zLibDll/minizip.html",
"url": "https://www.winimage.com/zLibDll/minizip.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/20/9",
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9"
},
{
"title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html",
"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html"
},
{
"title": "https://security.netapp.com/advisory/ntap-20231130-0009/",
"url": "https://security.netapp.com/advisory/ntap-20231130-0009/"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "critical",
"severityWithCritical": "critical",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "1:1.2.13.dfsg-1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-10-19T04:21:07.782934Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 9.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"modificationTime": "2023-10-19T13:10:57.430822Z",
"severity": "critical"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-10-27T11:02:39.566188Z",
"severity": "medium"
},
{
"assigner": "Red Hat",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-11-08T09:44:04.286134Z",
"severity": "medium"
}
],
"cvssScore": 9.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n",
"disclosureTime": "2023-10-14T02:15:09.323000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.46318",
"probability": "0.00122"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-10-21T19:31:20.581Z",
"expires": "2024-01-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|cyberdojo/nginx@86645b7",
"curl@7.88.1-10+deb12u4",
"curl/libcurl4@7.88.1-10+deb12u4",
"zlib/zlib1g@1:1.2.13.dfsg-1"
],
"id": "SNYK-DEBIAN12-ZLIB-6008963",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-45853"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-11-20T03:20:48.421195Z",
"name": "zlib/zlib1g",
"nvdSeverity": "critical",
"packageManager": "debian:12",
"packageName": "zlib",
"patches": [],
"publicationTime": "2023-10-19T04:21:02.193720Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-45853",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356",
"url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61",
"url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61"
},
{
"title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4",
"url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4"
},
{
"title": "https://github.com/madler/zlib/pull/843",
"url": "https://github.com/madler/zlib/pull/843"
},
{
"title": "https://www.winimage.com/zLibDll/minizip.html",
"url": "https://www.winimage.com/zLibDll/minizip.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/20/9",
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9"
},
{
"title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html",
"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html"
},
{
"title": "https://security.netapp.com/advisory/ntap-20231130-0009/",
"url": "https://security.netapp.com/advisory/ntap-20231130-0009/"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "critical",
"severityWithCritical": "critical",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "1:1.2.13.dfsg-1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-10-19T04:21:07.782934Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 9.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"modificationTime": "2023-10-19T13:10:57.430822Z",
"severity": "critical"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-10-27T11:02:39.566188Z",
"severity": "medium"
},
{
"assigner": "Red Hat",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-11-08T09:44:04.286134Z",
"severity": "medium"
}
],
"cvssScore": 9.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n",
"disclosureTime": "2023-10-14T02:15:09.323000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.46318",
"probability": "0.00122"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-10-21T19:31:20.581Z",
"expires": "2024-01-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|cyberdojo/nginx@86645b7",
"dash@0.5.12-2",
"dpkg@1.21.22",
"zlib/zlib1g@1:1.2.13.dfsg-1"
],
"id": "SNYK-DEBIAN12-ZLIB-6008963",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-45853"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-11-20T03:20:48.421195Z",
"name": "zlib/zlib1g",
"nvdSeverity": "critical",
"packageManager": "debian:12",
"packageName": "zlib",
"patches": [],
"publicationTime": "2023-10-19T04:21:02.193720Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-45853",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356",
"url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61",
"url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61"
},
{
"title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4",
"url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4"
},
{
"title": "https://github.com/madler/zlib/pull/843",
"url": "https://github.com/madler/zlib/pull/843"
},
{
"title": "https://www.winimage.com/zLibDll/minizip.html",
"url": "https://www.winimage.com/zLibDll/minizip.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/20/9",
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9"
},
{
"title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html",
"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html"
},
{
"title": "https://security.netapp.com/advisory/ntap-20231130-0009/",
"url": "https://security.netapp.com/advisory/ntap-20231130-0009/"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "critical",
"severityWithCritical": "critical",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "1:1.2.13.dfsg-1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-10-19T04:21:07.782934Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 9.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"modificationTime": "2023-10-19T13:10:57.430822Z",
"severity": "critical"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-10-27T11:02:39.566188Z",
"severity": "medium"
},
{
"assigner": "Red Hat",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-11-08T09:44:04.286134Z",
"severity": "medium"
}
],
"cvssScore": 9.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n",
"disclosureTime": "2023-10-14T02:15:09.323000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.46318",
"probability": "0.00122"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-10-21T19:31:20.581Z",
"expires": "2024-01-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|cyberdojo/nginx@86645b7",
"nginx-module-njs@1.25.3+0.8.2-1~bookworm",
"libxml2@2.9.14+dfsg-1.3~deb12u1",
"zlib/zlib1g@1:1.2.13.dfsg-1"
],
"id": "SNYK-DEBIAN12-ZLIB-6008963",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-45853"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-11-20T03:20:48.421195Z",
"name": "zlib/zlib1g",
"nvdSeverity": "critical",
"packageManager": "debian:12",
"packageName": "zlib",
"patches": [],
"publicationTime": "2023-10-19T04:21:02.193720Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-45853",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356",
"url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61",
"url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61"
},
{
"title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4",
"url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4"
},
{
"title": "https://github.com/madler/zlib/pull/843",
"url": "https://github.com/madler/zlib/pull/843"
},
{
"title": "https://www.winimage.com/zLibDll/minizip.html",
"url": "https://www.winimage.com/zLibDll/minizip.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/20/9",
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9"
},
{
"title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html",
"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html"
},
{
"title": "https://security.netapp.com/advisory/ntap-20231130-0009/",
"url": "https://security.netapp.com/advisory/ntap-20231130-0009/"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "critical",
"severityWithCritical": "critical",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "1:1.2.13.dfsg-1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-10-19T04:21:07.782934Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 9.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"modificationTime": "2023-10-19T13:10:57.430822Z",
"severity": "critical"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-10-27T11:02:39.566188Z",
"severity": "medium"
},
{
"assigner": "Red Hat",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-11-08T09:44:04.286134Z",
"severity": "medium"
}
],
"cvssScore": 9.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n",
"disclosureTime": "2023-10-14T02:15:09.323000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.46318",
"probability": "0.00122"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-10-21T19:31:20.581Z",
"expires": "2024-01-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|cyberdojo/nginx@86645b7",
"curl@7.88.1-10+deb12u4",
"curl/libcurl4@7.88.1-10+deb12u4",
"libssh2/libssh2-1@1.10.0-3+b1",
"zlib/zlib1g@1:1.2.13.dfsg-1"
],
"id": "SNYK-DEBIAN12-ZLIB-6008963",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-45853"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-11-20T03:20:48.421195Z",
"name": "zlib/zlib1g",
"nvdSeverity": "critical",
"packageManager": "debian:12",
"packageName": "zlib",
"patches": [],
"publicationTime": "2023-10-19T04:21:02.193720Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-45853",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356",
"url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61",
"url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61"
},
{
"title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4",
"url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4"
},
{
"title": "https://github.com/madler/zlib/pull/843",
"url": "https://github.com/madler/zlib/pull/843"
},
{
"title": "https://www.winimage.com/zLibDll/minizip.html",
"url": "https://www.winimage.com/zLibDll/minizip.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/20/9",
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9"
},
{
"title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html",
"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html"
},
{
"title": "https://security.netapp.com/advisory/ntap-20231130-0009/",
"url": "https://security.netapp.com/advisory/ntap-20231130-0009/"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "critical",
"severityWithCritical": "critical",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "1:1.2.13.dfsg-1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-10-19T04:21:07.782934Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 9.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"modificationTime": "2023-10-19T13:10:57.430822Z",
"severity": "critical"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-10-27T11:02:39.566188Z",
"severity": "medium"
},
{
"assigner": "Red Hat",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-11-08T09:44:04.286134Z",
"severity": "medium"
}
],
"cvssScore": 9.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n",
"disclosureTime": "2023-10-14T02:15:09.323000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.46318",
"probability": "0.00122"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-10-21T19:31:20.581Z",
"expires": "2024-01-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|cyberdojo/nginx@86645b7",
"curl@7.88.1-10+deb12u4",
"curl/libcurl4@7.88.1-10+deb12u4",
"rtmpdump/librtmp1@2.4+20151223.gitfa8646d.1-2+b2",
"zlib/zlib1g@1:1.2.13.dfsg-1"
],
"id": "SNYK-DEBIAN12-ZLIB-6008963",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-45853"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-11-20T03:20:48.421195Z",
"name": "zlib/zlib1g",
"nvdSeverity": "critical",
"packageManager": "debian:12",
"packageName": "zlib",
"patches": [],
"publicationTime": "2023-10-19T04:21:02.193720Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-45853",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356",
"url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61",
"url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61"
},
{
"title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4",
"url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4"
},
{
"title": "https://github.com/madler/zlib/pull/843",
"url": "https://github.com/madler/zlib/pull/843"
},
{
"title": "https://www.winimage.com/zLibDll/minizip.html",
"url": "https://www.winimage.com/zLibDll/minizip.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/20/9",
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9"
},
{
"title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html",
"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html"
},
{
"title": "https://security.netapp.com/advisory/ntap-20231130-0009/",
"url": "https://security.netapp.com/advisory/ntap-20231130-0009/"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "critical",
"severityWithCritical": "critical",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "1:1.2.13.dfsg-1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-10-19T04:21:07.782934Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 9.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"modificationTime": "2023-10-19T13:10:57.430822Z",
"severity": "critical"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-10-27T11:02:39.566188Z",
"severity": "medium"
},
{
"assigner": "Red Hat",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-11-08T09:44:04.286134Z",
"severity": "medium"
}
],
"cvssScore": 9.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n",
"disclosureTime": "2023-10-14T02:15:09.323000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.46318",
"probability": "0.00122"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-10-21T19:31:20.581Z",
"expires": "2024-01-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|cyberdojo/nginx@86645b7",
"nginx-module-image-filter@1.25.3-1~bookworm",
"libgd2/libgd3@2.3.3-9",
"libheif/libheif1@1.15.1-1",
"zlib/zlib1g@1:1.2.13.dfsg-1"
],
"id": "SNYK-DEBIAN12-ZLIB-6008963",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-45853"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-11-20T03:20:48.421195Z",
"name": "zlib/zlib1g",
"nvdSeverity": "critical",
"packageManager": "debian:12",
"packageName": "zlib",
"patches": [],
"publicationTime": "2023-10-19T04:21:02.193720Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-45853",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356",
"url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61",
"url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61"
},
{
"title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4",
"url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4"
},
{
"title": "https://github.com/madler/zlib/pull/843",
"url": "https://github.com/madler/zlib/pull/843"
},
{
"title": "https://www.winimage.com/zLibDll/minizip.html",
"url": "https://www.winimage.com/zLibDll/minizip.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/20/9",
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9"
},
{
"title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html",
"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html"
},
{
"title": "https://security.netapp.com/advisory/ntap-20231130-0009/",
"url": "https://security.netapp.com/advisory/ntap-20231130-0009/"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "critical",
"severityWithCritical": "critical",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "1:1.2.13.dfsg-1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-10-19T04:21:07.782934Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 9.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"modificationTime": "2023-10-19T13:10:57.430822Z",
"severity": "critical"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-10-27T11:02:39.566188Z",
"severity": "medium"
},
{
"assigner": "Red Hat",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-11-08T09:44:04.286134Z",
"severity": "medium"
}
],
"cvssScore": 9.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n",
"disclosureTime": "2023-10-14T02:15:09.323000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.46318",
"probability": "0.00122"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-10-21T19:31:20.581Z",
"expires": "2024-01-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|cyberdojo/nginx@86645b7",
"nginx-module-image-filter@1.25.3-1~bookworm",
"libgd2/libgd3@2.3.3-9",
"tiff/libtiff6@4.5.0-6+deb12u1",
"zlib/zlib1g@1:1.2.13.dfsg-1"
],
"id": "SNYK-DEBIAN12-ZLIB-6008963",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-45853"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-11-20T03:20:48.421195Z",
"name": "zlib/zlib1g",
"nvdSeverity": "critical",
"packageManager": "debian:12",
"packageName": "zlib",
"patches": [],
"publicationTime": "2023-10-19T04:21:02.193720Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-45853",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356",
"url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61",
"url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61"
},
{
"title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4",
"url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4"
},
{
"title": "https://github.com/madler/zlib/pull/843",
"url": "https://github.com/madler/zlib/pull/843"
},
{
"title": "https://www.winimage.com/zLibDll/minizip.html",
"url": "https://www.winimage.com/zLibDll/minizip.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/20/9",
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9"
},
{
"title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html",
"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html"
},
{
"title": "https://security.netapp.com/advisory/ntap-20231130-0009/",
"url": "https://security.netapp.com/advisory/ntap-20231130-0009/"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "critical",
"severityWithCritical": "critical",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "1:1.2.13.dfsg-1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-10-19T04:21:07.782934Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 9.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"modificationTime": "2023-10-19T13:10:57.430822Z",
"severity": "critical"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-10-27T11:02:39.566188Z",
"severity": "medium"
},
{
"assigner": "Red Hat",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-11-08T09:44:04.286134Z",
"severity": "medium"
}
],
"cvssScore": 9.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n",
"disclosureTime": "2023-10-14T02:15:09.323000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.46318",
"probability": "0.00122"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-10-21T19:31:20.581Z",
"expires": "2024-01-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|cyberdojo/nginx@86645b7",
"nginx-module-image-filter@1.25.3-1~bookworm",
"libgd2/libgd3@2.3.3-9",
"fontconfig/libfontconfig1@2.14.1-4",
"freetype/libfreetype6@2.12.1+dfsg-5",
"zlib/zlib1g@1:1.2.13.dfsg-1"
],
"id": "SNYK-DEBIAN12-ZLIB-6008963",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-45853"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-11-20T03:20:48.421195Z",
"name": "zlib/zlib1g",
"nvdSeverity": "critical",
"packageManager": "debian:12",
"packageName": "zlib",
"patches": [],
"publicationTime": "2023-10-19T04:21:02.193720Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-45853",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356",
"url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61",
"url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61"
},
{
"title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4",
"url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4"
},
{
"title": "https://github.com/madler/zlib/pull/843",
"url": "https://github.com/madler/zlib/pull/843"
},
{
"title": "https://www.winimage.com/zLibDll/minizip.html",
"url": "https://www.winimage.com/zLibDll/minizip.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/20/9",
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9"
},
{
"title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html",
"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html"
},
{
"title": "https://security.netapp.com/advisory/ntap-20231130-0009/",
"url": "https://security.netapp.com/advisory/ntap-20231130-0009/"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "critical",
"severityWithCritical": "critical",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "1:1.2.13.dfsg-1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-10-19T04:21:07.782934Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 9.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"modificationTime": "2023-10-19T13:10:57.430822Z",
"severity": "critical"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-10-27T11:02:39.566188Z",
"severity": "medium"
},
{
"assigner": "Red Hat",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-11-08T09:44:04.286134Z",
"severity": "medium"
}
],
"cvssScore": 9.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n",
"disclosureTime": "2023-10-14T02:15:09.323000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.46318",
"probability": "0.00122"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-10-21T19:31:20.581Z",
"expires": "2024-01-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|cyberdojo/nginx@86645b7",
"nginx-module-image-filter@1.25.3-1~bookworm",
"libgd2/libgd3@2.3.3-9",
"fontconfig/libfontconfig1@2.14.1-4",
"freetype/libfreetype6@2.12.1+dfsg-5",
"libpng1.6/libpng16-16@1.6.39-2",
"zlib/zlib1g@1:1.2.13.dfsg-1"
],
"id": "SNYK-DEBIAN12-ZLIB-6008963",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-45853"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-11-20T03:20:48.421195Z",
"name": "zlib/zlib1g",
"nvdSeverity": "critical",
"packageManager": "debian:12",
"packageName": "zlib",
"patches": [],
"publicationTime": "2023-10-19T04:21:02.193720Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-45853",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356",
"url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61",
"url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61"
},
{
"title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4",
"url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4"
},
{
"title": "https://github.com/madler/zlib/pull/843",
"url": "https://github.com/madler/zlib/pull/843"
},
{
"title": "https://www.winimage.com/zLibDll/minizip.html",
"url": "https://www.winimage.com/zLibDll/minizip.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/20/9",
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9"
},
{
"title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html",
"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html"
},
{
"title": "https://security.netapp.com/advisory/ntap-20231130-0009/",
"url": "https://security.netapp.com/advisory/ntap-20231130-0009/"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "critical",
"severityWithCritical": "critical",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "1:1.2.13.dfsg-1"
}
],
"patch": []
},
"hasUnknownVersions": false,
"ignoreSettings": {
"adminOnly": false,
"disregardFilesystemIgnores": false,
"reasonRequired": false
},
"isPrivate": true,
"licensesPolicy": {
"orgLicenseRules": {
"AGPL-1.0": {
"instructions": "",
"licenseType": "AGPL-1.0",
"severity": "high"
},
"AGPL-3.0": {
"instructions": "",
"licenseType": "AGPL-3.0",
"severity": "high"
},
"Artistic-1.0": {
"instructions": "",
"licenseType": "Artistic-1.0",
"severity": "medium"
},
"Artistic-2.0": {
"instructions": "",
"licenseType": "Artistic-2.0",
"severity": "medium"
},
"CDDL-1.0": {
"instructions": "",
"licenseType": "CDDL-1.0",
"severity": "medium"
},
"CPOL-1.02": {
"instructions": "",
"licenseType": "CPOL-1.02",
"severity": "high"
},
"EPL-1.0": {
"instructions": "",
"licenseType": "EPL-1.0",
"severity": "medium"
},
"GPL-2.0": {
"instructions": "",
"licenseType": "GPL-2.0",
"severity": "high"
},
"GPL-3.0": {
"instructions": "",
"licenseType": "GPL-3.0",
"severity": "high"
},
"LGPL-2.0": {
"instructions": "",
"licenseType": "LGPL-2.0",
"severity": "medium"
},
"LGPL-2.1": {
"instructions": "",
"licenseType": "LGPL-2.1",
"severity": "medium"
},
"LGPL-3.0": {
"instructions": "",
"licenseType": "LGPL-3.0",
"severity": "medium"
},
"MPL-1.1": {
"instructions": "",
"licenseType": "MPL-1.1",
"severity": "medium"
},
"MPL-2.0": {
"instructions": "",
"licenseType": "MPL-2.0",
"severity": "medium"
},
"MS-RL": {
"instructions": "",
"licenseType": "MS-RL",
"severity": "medium"
},
"SimPL-2.0": {
"instructions": "",
"licenseType": "SimPL-2.0",
"severity": "high"
}
},
"severities": {}
},
"ok": true,
"org": "jonjagger",
"packageManager": "deb",
"path": "cyberdojo/nginx:86645b7/nginx",
"platform": "linux/amd64",
"policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-DEBIAN12-TIFF-5862859:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-10T19:30:13.235Z\n created: 2023-10-11T19:30:13.242Z\n source: cli\n SNYK-DEBIAN12-TIFF-5862863:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-10T19:30:34.260Z\n created: 2023-10-11T19:30:34.270Z\n source: cli\n SNYK-DEBIAN12-TIFF-5934984:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-10T19:30:47.863Z\n created: 2023-10-11T19:30:47.874Z\n source: cli\n SNYK-DEBIAN12-NGHTTP2-5953379:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-10T19:31:20.564Z\n created: 2023-10-11T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-ZLIB-6008963:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-10-21T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-3361563:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6070694:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6105348:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6105349:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6105361:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-3361567:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6062358:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-GNUTLS28-6062100:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-CURL-6100974:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-CURL-6100975:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\npatch: {}\n",
"projectName": "docker-image|cyberdojo/nginx",
"severityThreshold": "medium",
"summary": "No known operating system vulnerabilities",
"targetFile": "/home/runner/work/nginx/nginx/Dockerfile",
"uniqueCount": 0,
"vulnerabilities": []
},
"created_at": 1702757570.9539273,
"has_audit_package": true
}
},
"git_commit_info": {
"sha1": "86645b7fea5ebf9ebd6216269002b02aace70fbf",
"message": "Add entries to .snyk file while waiting for fix in base image",
"author": "JonJagger <jon@kosli.com>",
"timestamp": 1702757503,
"branch": "main"
},
"repo_url": "https://github.com/cyber-dojo/nginx",
"template": [
"artifact",
"snyk-scan"
],
"last_modified_at": 1702757570.9539273,
"deployments": [
91,
90
],
"state": "COMPLIANT",
"html_url": "https://app.kosli.com/cyber-dojo/flows/nginx-archived-at-1707630884/artifacts/23ae06aa701ed29cdc041a55a4e18a25bce542d2d330bce3caefd27a0c83cc13",
"api_url": "https://app.kosli.com/api/v2/artifacts/cyber-dojo/nginx-archived-at-1707630884/fingerprint/23ae06aa701ed29cdc041a55a4e18a25bce542d2d330bce3caefd27a0c83cc13"
}
Artifact Information |
|
| Name | cyberdojo/nginx:86645b7 |
| Fingerprint | 23ae06aa701ed29cdc041a55a4e18a25bce542d2d330bce3caefd27a0c83cc13 |
| Git commit |
86645b7
JonJagger <jon@kosli.com> (main)
1702757503.0 • 4 months ago
Add entries to .snyk file while waiting for fix in base image
|
| CI Build | https://github.com/cyber-dojo/nginx/actions/runs/7234026772 |
| Running | - |
| Exited | aws-beta#2448 aws-prod#1627 |
| Last modified | 1702757570.9539273 • 4 months ago |
Approvals
| None |
Evidence
Evidence for 'snyk-scan'
{ "evidence_type": "snyk", "name": "snyk-scan", "is_compliant": true, "build_url": "https://github.com/cyber-dojo/nginx/actions/runs/7234026772", "evidence_archive_fingerprint": "fb53e96bada773a87bef3e304fcd2c3ff2b9d81140b2fe6a50e651e33aed99cf", "user_data": {}, "snyk_results": { "applications": [ { "dependencyCount": 0, "displayTargetFile": "/usr/share/java", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "maven", "path": "cyberdojo/nginx:86645b7/nginx:86645b7:/usr/share/java", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-DEBIAN12-TIFF-5862859:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-10T19:30:13.235Z\n created: 2023-10-11T19:30:13.242Z\n source: cli\n SNYK-DEBIAN12-TIFF-5862863:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-10T19:30:34.260Z\n created: 2023-10-11T19:30:34.270Z\n source: cli\n SNYK-DEBIAN12-TIFF-5934984:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-10T19:30:47.863Z\n created: 2023-10-11T19:30:47.874Z\n source: cli\n SNYK-DEBIAN12-NGHTTP2-5953379:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-10T19:31:20.564Z\n created: 2023-10-11T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-ZLIB-6008963:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-10-21T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-3361563:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6070694:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6105348:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6105349:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6105361:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-3361567:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6062358:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-GNUTLS28-6062100:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-CURL-6100974:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-CURL-6100975:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\npatch: {}\n", "projectName": "cyberdojo/nginx:86645b7:/usr/share/java", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/share/java", "uniqueCount": 0, "vulnerabilities": [] } ], "dependencyCount": 149, "displayTargetFile": "/home/runner/work/nginx/nginx/Dockerfile", "docker": { "baseImage": "nginx:1.25.3", "baseImageRemediation": { "advice": [ { "bold": true, "message": "According to our scan, you are currently using the most secure version of the selected base image" } ], "code": "NO_REMEDIATION_AVAILABLE" } }, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "cpes": [], "creationTime": "2023-12-06T12:32:54.255158Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "SUSE", "cvssV3BaseScore": 4, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "modificationTime": "2023-12-07T11:03:24.706424Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 4.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "modificationTime": "2023-12-15T13:31:32.883021Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "modificationTime": "2023-12-16T01:10:57.736256Z", "severity": "medium" } ], "cvssScore": 5.3, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nWhen saving HSTS data to an excessively long file name, curl could end up\nremoving all contents, making subsequent requests using that file unaware of\nthe HSTS status they should otherwise use.\n\n## Remediation\nThere is no fixed version for `Debian:12` `curl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-46219)\n- [support@hackerone.com](https://curl.se/docs/CVE-2023-46219.html)\n- [support@hackerone.com](https://hackerone.com/reports/2236133)\n- [support@hackerone.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/)\n", "disclosureTime": "2023-12-12T02:15:06.990000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.06911", "probability": "0.00043" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-15T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "curl@7.88.1-10+deb12u4", "curl/libcurl4@7.88.1-10+deb12u4" ], "id": "SNYK-DEBIAN12-CURL-6100974", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-46219" ], "CWE": [ "CWE-311" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-12-16T01:10:57.736256Z", "name": "curl/libcurl4", "nvdSeverity": "medium", "packageManager": "debian:12", "packageName": "curl", "patches": [], "publicationTime": "2023-12-06T12:32:54.259470Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-46219", "url": "https://security-tracker.debian.org/tracker/CVE-2023-46219" }, { "title": "https://curl.se/docs/CVE-2023-46219.html", "url": "https://curl.se/docs/CVE-2023-46219.html" }, { "title": "https://hackerone.com/reports/2236133", "url": "https://hackerone.com/reports/2236133" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Missing Encryption of Sensitive Data", "upgradePath": [], "version": "7.88.1-10+deb12u4" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "cpes": [], "creationTime": "2023-12-06T12:32:55.890323Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "modificationTime": "2023-12-06T13:32:04.678347Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 4.2, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "modificationTime": "2023-12-07T11:03:18.055192Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 6.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "modificationTime": "2023-12-13T01:10:56.083630Z", "severity": "medium" } ], "cvssScore": 6.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nThis flaw allows a malicious HTTP server to set "super cookies" in curl that\nare then passed back to more origins than what is otherwise allowed or\npossible. This allows a site to set cookies that then would get sent to\ndifferent and unrelated sites and domains.\n\nIt could do this by exploiting a mixed case flaw in curl's function that\nverifies a given cookie domain against the Public Suffix List (PSL). For\nexample a cookie could be set with `domain=co.UK` when the URL used a lower\ncase hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.\n\n## Remediation\nThere is no fixed version for `Debian:12` `curl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-46218)\n- [support@hackerone.com](https://curl.se/docs/CVE-2023-46218.html)\n- [support@hackerone.com](https://hackerone.com/reports/2212193)\n- [support@hackerone.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/)\n", "disclosureTime": "2023-12-07T01:15:07.160000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.12314", "probability": "0.00045" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-15T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "curl@7.88.1-10+deb12u4", "curl/libcurl4@7.88.1-10+deb12u4" ], "id": "SNYK-DEBIAN12-CURL-6100975", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-46218" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-12-13T01:10:56.083630Z", "name": "curl/libcurl4", "nvdSeverity": "medium", "packageManager": "debian:12", "packageName": "curl", "patches": [], "publicationTime": "2023-12-06T12:32:55.895688Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-46218", "url": "https://security-tracker.debian.org/tracker/CVE-2023-46218" }, { "title": "https://curl.se/docs/CVE-2023-46218.html", "url": "https://curl.se/docs/CVE-2023-46218.html" }, { "title": "https://hackerone.com/reports/2212193", "url": "https://hackerone.com/reports/2212193" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2023-46218", "upgradePath": [], "version": "7.88.1-10+deb12u4" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "cpes": [], "creationTime": "2023-12-06T12:32:54.255158Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "SUSE", "cvssV3BaseScore": 4, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "modificationTime": "2023-12-07T11:03:24.706424Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 4.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "modificationTime": "2023-12-15T13:31:32.883021Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "modificationTime": "2023-12-16T01:10:57.736256Z", "severity": "medium" } ], "cvssScore": 5.3, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nWhen saving HSTS data to an excessively long file name, curl could end up\nremoving all contents, making subsequent requests using that file unaware of\nthe HSTS status they should otherwise use.\n\n## Remediation\nThere is no fixed version for `Debian:12` `curl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-46219)\n- [support@hackerone.com](https://curl.se/docs/CVE-2023-46219.html)\n- [support@hackerone.com](https://hackerone.com/reports/2236133)\n- [support@hackerone.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/)\n", "disclosureTime": "2023-12-12T02:15:06.990000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.06911", "probability": "0.00043" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-15T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "curl@7.88.1-10+deb12u4" ], "id": "SNYK-DEBIAN12-CURL-6100974", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-46219" ], "CWE": [ "CWE-311" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-12-16T01:10:57.736256Z", "name": "curl", "nvdSeverity": "medium", "packageManager": "debian:12", "packageName": "curl", "patches": [], "publicationTime": "2023-12-06T12:32:54.259470Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-46219", "url": "https://security-tracker.debian.org/tracker/CVE-2023-46219" }, { "title": "https://curl.se/docs/CVE-2023-46219.html", "url": "https://curl.se/docs/CVE-2023-46219.html" }, { "title": "https://hackerone.com/reports/2236133", "url": "https://hackerone.com/reports/2236133" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Missing Encryption of Sensitive Data", "upgradePath": [], "version": "7.88.1-10+deb12u4" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "cpes": [], "creationTime": "2023-12-06T12:32:55.890323Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "modificationTime": "2023-12-06T13:32:04.678347Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 4.2, "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "modificationTime": "2023-12-07T11:03:18.055192Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 6.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "modificationTime": "2023-12-13T01:10:56.083630Z", "severity": "medium" } ], "cvssScore": 6.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `curl` package and not the `curl` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nThis flaw allows a malicious HTTP server to set "super cookies" in curl that\nare then passed back to more origins than what is otherwise allowed or\npossible. This allows a site to set cookies that then would get sent to\ndifferent and unrelated sites and domains.\n\nIt could do this by exploiting a mixed case flaw in curl's function that\nverifies a given cookie domain against the Public Suffix List (PSL). For\nexample a cookie could be set with `domain=co.UK` when the URL used a lower\ncase hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.\n\n## Remediation\nThere is no fixed version for `Debian:12` `curl`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-46218)\n- [support@hackerone.com](https://curl.se/docs/CVE-2023-46218.html)\n- [support@hackerone.com](https://hackerone.com/reports/2212193)\n- [support@hackerone.com](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/)\n", "disclosureTime": "2023-12-07T01:15:07.160000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.12314", "probability": "0.00045" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-15T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "curl@7.88.1-10+deb12u4" ], "id": "SNYK-DEBIAN12-CURL-6100975", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-46218" ], "CWE": [] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-12-13T01:10:56.083630Z", "name": "curl", "nvdSeverity": "medium", "packageManager": "debian:12", "packageName": "curl", "patches": [], "publicationTime": "2023-12-06T12:32:55.895688Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-46218", "url": "https://security-tracker.debian.org/tracker/CVE-2023-46218" }, { "title": "https://curl.se/docs/CVE-2023-46218.html", "url": "https://curl.se/docs/CVE-2023-46218.html" }, { "title": "https://hackerone.com/reports/2212193", "url": "https://hackerone.com/reports/2212193" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "CVE-2023-46218", "upgradePath": [], "version": "7.88.1-10+deb12u4" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-12-08T01:32:33.590406Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 8.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "modificationTime": "2023-12-12T01:11:00.705298Z", "severity": "high" } ], "cvssScore": 8.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `libde265` package and not the `libde265` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nLibde265 v1.0.14 was discovered to contain a global buffer overflow vulnerability in the read_coding_unit function at slice.cc.\n## Remediation\nThere is no fixed version for `Debian:12` `libde265`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-49468)\n- [cve@mitre.org](https://github.com/strukturag/libde265/issues/432)\n", "disclosureTime": "2023-12-07T20:15:38.477000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.23888", "probability": "0.00061" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-15T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "libheif/libheif1@1.15.1-1", "libde265/libde265-0@1.0.11-1+deb12u1" ], "id": "SNYK-DEBIAN12-LIBDE265-6105348", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-49468" ], "CWE": [ "CWE-787" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-12-12T01:11:00.705298Z", "name": "libde265/libde265-0", "nvdSeverity": "high", "packageManager": "debian:12", "packageName": "libde265", "patches": [], "publicationTime": "2023-12-08T01:32:33.595136Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-49468", "url": "https://security-tracker.debian.org/tracker/CVE-2023-49468" }, { "title": "https://github.com/strukturag/libde265/issues/432", "url": "https://github.com/strukturag/libde265/issues/432" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Out-of-bounds Write", "upgradePath": [], "version": "1.0.11-1+deb12u1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-12-08T01:32:36.243015Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 8.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "modificationTime": "2023-12-12T01:10:59.988820Z", "severity": "high" } ], "cvssScore": 8.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `libde265` package and not the `libde265` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nLibde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_combined_bipredictive_merging_candidates function at motion.cc.\n## Remediation\nThere is no fixed version for `Debian:12` `libde265`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-49467)\n- [cve@mitre.org](https://github.com/strukturag/libde265/issues/434)\n", "disclosureTime": "2023-12-07T20:15:38.427000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.06929", "probability": "0.00043" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-15T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "libheif/libheif1@1.15.1-1", "libde265/libde265-0@1.0.11-1+deb12u1" ], "id": "SNYK-DEBIAN12-LIBDE265-6105349", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-49467" ], "CWE": [ "CWE-787" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-12-12T01:10:59.988820Z", "name": "libde265/libde265-0", "nvdSeverity": "high", "packageManager": "debian:12", "packageName": "libde265", "patches": [], "publicationTime": "2023-12-08T01:32:36.248879Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-49467", "url": "https://security-tracker.debian.org/tracker/CVE-2023-49467" }, { "title": "https://github.com/strukturag/libde265/issues/434", "url": "https://github.com/strukturag/libde265/issues/434" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Out-of-bounds Write", "upgradePath": [], "version": "1.0.11-1+deb12u1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-12-08T01:34:09.513577Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 8.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "modificationTime": "2023-12-12T01:10:59.727911Z", "severity": "high" } ], "cvssScore": 8.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `libde265` package and not the `libde265` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nLibde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_prediction function at motion.cc.\n## Remediation\nThere is no fixed version for `Debian:12` `libde265`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-49465)\n- [cve@mitre.org](https://github.com/strukturag/libde265/issues/435)\n", "disclosureTime": "2023-12-07T20:15:38.370000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.06929", "probability": "0.00043" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-12-15T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "libheif/libheif1@1.15.1-1", "libde265/libde265-0@1.0.11-1+deb12u1" ], "id": "SNYK-DEBIAN12-LIBDE265-6105361", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-49465" ], "CWE": [ "CWE-787" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-12-12T01:10:59.727911Z", "name": "libde265/libde265-0", "nvdSeverity": "high", "packageManager": "debian:12", "packageName": "libde265", "patches": [], "publicationTime": "2023-12-08T01:34:09.516791Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-49465", "url": "https://security-tracker.debian.org/tracker/CVE-2023-49465" }, { "title": "https://github.com/strukturag/libde265/issues/435", "url": "https://github.com/strukturag/libde265/issues/435" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": false, "title": "Out-of-bounds Write", "upgradePath": [], "version": "1.0.11-1+deb12u1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "curl@7.88.1-10+deb12u4", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "nginx@1.25.3-1~bookworm", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "nginx-module-njs@1.25.3+0.8.2-1~bookworm", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "util-linux/util-linux@2.38.1-5+b1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "apt@2.6.1", "apt/libapt-pkg6.0@2.6.1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "apt@2.6.1", "gnupg2/gpgv@2.2.40-1.1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "curl@7.88.1-10+deb12u4", "curl/libcurl4@7.88.1-10+deb12u4", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "dash@0.5.12-2", "dpkg@1.21.22", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "nginx-module-njs@1.25.3+0.8.2-1~bookworm", "libxml2@2.9.14+dfsg-1.3~deb12u1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "curl@7.88.1-10+deb12u4", "curl/libcurl4@7.88.1-10+deb12u4", "libssh2/libssh2-1@1.10.0-3+b1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "curl@7.88.1-10+deb12u4", "curl/libcurl4@7.88.1-10+deb12u4", "rtmpdump/librtmp1@2.4+20151223.gitfa8646d.1-2+b2", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "libheif/libheif1@1.15.1-1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "tiff/libtiff6@4.5.0-6+deb12u1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "fontconfig/libfontconfig1@2.14.1-4", "freetype/libfreetype6@2.12.1+dfsg-5", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-11-08T09:44:04.286134Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231130-0009/)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.46318", "probability": "0.00122" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2024-01-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@86645b7", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "fontconfig/libfontconfig1@2.14.1-4", "freetype/libfreetype6@2.12.1+dfsg-5", "libpng1.6/libpng16-16@1.6.39-2", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-20T03:20:48.421195Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231130-0009/", "url": "https://security.netapp.com/advisory/ntap-20231130-0009/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "deb", "path": "cyberdojo/nginx:86645b7/nginx", "platform": "linux/amd64", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-DEBIAN12-TIFF-5862859:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-10T19:30:13.235Z\n created: 2023-10-11T19:30:13.242Z\n source: cli\n SNYK-DEBIAN12-TIFF-5862863:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-10T19:30:34.260Z\n created: 2023-10-11T19:30:34.270Z\n source: cli\n SNYK-DEBIAN12-TIFF-5934984:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-10T19:30:47.863Z\n created: 2023-10-11T19:30:47.874Z\n source: cli\n SNYK-DEBIAN12-NGHTTP2-5953379:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-10T19:31:20.564Z\n created: 2023-10-11T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-ZLIB-6008963:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-10-21T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-3361563:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6070694:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6105348:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6105349:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6105361:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-3361567:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-LIBDE265-6062358:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-GNUTLS28-6062100:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-CURL-6100974:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-CURL-6100975:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2024-01-21T19:31:20.564Z\n created: 2023-12-15T19:31:20.581Z\n source: cli\npatch: {}\n", "projectName": "docker-image|cyberdojo/nginx", "severityThreshold": "medium", "summary": "No known operating system vulnerabilities", "targetFile": "/home/runner/work/nginx/nginx/Dockerfile", "uniqueCount": 0, "vulnerabilities": [] }, "created_at": 1702757570.9539273, "has_audit_package": true }