nginx-archived-at-1707630884
Reverse proxy
cyberdojo/nginx:b8bf72b
Non-compliant
{ "created_at": 1699468044.240746, "fingerprint": "8f2afb7bf12de36f46b424cb27abd92b6db52e52db72f11cc3dee8f9b0aea9aa", "filename": "cyberdojo/nginx:b8bf72b", "git_commit": "b8bf72b392bb4116414442c79520d3a4f7179120", "build_url": "https://github.com/cyber-dojo/nginx/actions/runs/6802462784", "commit_url": "https://github.com/cyber-dojo/nginx/commit/b8bf72b392bb4116414442c79520d3a4f7179120", "evidence": { "snyk-scan": { "evidence_type": "snyk", "is_compliant": false, "build_url": "https://github.com/cyber-dojo/snyk_scans/actions/runs/6833338247", "evidence_archive_fingerprint": "9d26a61e1eee90db1f1f38e9c4355082063f844a15ca358164d999b33d6a800e", "user_data": {}, "snyk_results": { "applications": [ { "dependencyCount": 0, "displayTargetFile": "/usr/share/java", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", 
"severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "maven", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@sha256:8f2afb7bf12de36f46b424cb27abd92b6db52e52db72f11cc3dee8f9b0aea9aa/nginx:b8bf72b@sha256:8f2afb7bf12de36f46b424cb27abd92b6db52e52db72f11cc3dee8f9b0aea9aa:/usr/share/java", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-DEBIAN12-TIFF-5862859:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-10T19:30:13.235Z\n created: 2023-10-11T19:30:13.242Z\n source: cli\n SNYK-DEBIAN12-TIFF-5862863:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-10T19:30:34.260Z\n created: 2023-10-11T19:30:34.270Z\n source: cli\n SNYK-DEBIAN12-TIFF-5934984:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-10T19:30:47.863Z\n created: 2023-10-11T19:30:47.874Z\n source: cli\n SNYK-DEBIAN12-NGHTTP2-5953379:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-10T19:31:20.564Z\n created: 2023-10-11T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-ZLIB-6008963:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-21T19:31:20.564Z\n created: 2023-10-21T19:31:20.581Z\n source: cli\npatch: {}\n", "projectName": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@sha256:8f2afb7bf12de36f46b424cb27abd92b6db52e52db72f11cc3dee8f9b0aea9aa:/usr/share/java", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": 
"/usr/share/java", "uniqueCount": 0, "vulnerabilities": [] } ], "dependencyCount": 149, "docker": { "baseImage": "nginx:1.25.3-bookworm", "baseImageRemediation": { "advice": [ { "bold": true, "message": "According to our scan, you are currently using the most secure version of the selected base image" } ], "code": "NO_REMEDIATION_AVAILABLE" } }, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. 
NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "curl@7.88.1-10+deb12u4", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": 
"https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by 
`Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "nginx@1.25.3-1~bookworm", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], 
"publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", 
"severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "nginx-module-njs@1.25.3+0.8.2-1~bookworm", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, 
"isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 
"modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "util-linux/util-linux@2.38.1-5+b1", 
"zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": 
"2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "apt@2.6.1", "apt/libapt-pkg6.0@2.6.1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet 
assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. 
NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "apt@2.6.1", "gnupg2/gpgv@2.2.40-1.1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": 
"https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by 
`Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "curl@7.88.1-10+deb12u4", "curl/libcurl4@7.88.1-10+deb12u4", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": 
"zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": 
"2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "dash@0.5.12-2", "dpkg@1.21.22", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, 
"isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", 
"nginx-module-njs@1.25.3+0.8.2-1~bookworm", "libxml2@2.9.14+dfsg-1.3~deb12u1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", 
"upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. 
NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "curl@7.88.1-10+deb12u4", "curl/libcurl4@7.88.1-10+deb12u4", "libssh2/libssh2-1@1.10.0-3+b1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": 
"https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the 
upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "curl@7.88.1-10+deb12u4", "curl/libcurl4@7.88.1-10+deb12u4", "rtmpdump/librtmp1@2.4+20151223.gitfa8646d.1-2+b2", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": 
"2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": 
"SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "libheif/libheif1@1.15.1-1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": 
"SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": 
[], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for 
Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "tiff/libtiff6@4.5.0-6", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", 
"semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. 
NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "fontconfig/libfontconfig1@2.14.1-4", "freetype/libfreetype6@2.12.1+dfsg-5", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", 
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only 
to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "fontconfig/libfontconfig1@2.14.1-4", "freetype/libfreetype6@2.12.1+dfsg-5", "libpng1.6/libpng16-16@1.6.39-2", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, 
"isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": 
"AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": false, "org": "jonjagger", "packageManager": "deb", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@sha256:8f2afb7bf12de36f46b424cb27abd92b6db52e52db72f11cc3dee8f9b0aea9aa/nginx:b8bf72b", "platform": "linux/amd64", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-DEBIAN12-TIFF-5862859:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-10T19:30:13.235Z\n created: 2023-10-11T19:30:13.242Z\n source: cli\n SNYK-DEBIAN12-TIFF-5862863:\n - '*':\n reason: Waiting for 
Debian upgrade\n expires: 2023-11-10T19:30:34.260Z\n created: 2023-10-11T19:30:34.270Z\n source: cli\n SNYK-DEBIAN12-TIFF-5934984:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-10T19:30:47.863Z\n created: 2023-10-11T19:30:47.874Z\n source: cli\n SNYK-DEBIAN12-NGHTTP2-5953379:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-10T19:31:20.564Z\n created: 2023-10-11T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-ZLIB-6008963:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-21T19:31:20.564Z\n created: 2023-10-21T19:31:20.581Z\n source: cli\npatch: {}\n", "projectName": "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b", "severityThreshold": "medium", "summary": "19 medium or high or critical severity vulnerable dependency paths", "uniqueCount": 4, "vulnerabilities": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "cpes": [], "creationTime": "2023-10-11T02:06:26.471182Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:54.280816Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `nghttp2` package and not the `nghttp2` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in 
the wild in August through October 2023.\n## Remediation\nThere is no fixed version for `Debian:12` `nghttp2`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-44487)\n- [cve@mitre.org](https://aws.amazon.com/security/security-bulletins/AWS-2023-011/)\n- [cve@mitre.org](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [cve@mitre.org](https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37831062)\n- [cve@mitre.org](https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/)\n- [cve@mitre.org](https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack)\n- [cve@mitre.org](https://chaos.social/@icing/111210915918780532)\n- [cve@mitre.org](https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764)\n- [cve@mitre.org](https://github.com/alibaba/tengine/issues/1872)\n- [cve@mitre.org](https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2)\n- [cve@mitre.org](https://github.com/bcdannyboy/CVE-2023-44487)\n- [cve@mitre.org](https://github.com/caddyserver/caddy/issues/5877)\n- [cve@mitre.org](https://github.com/eclipse/jetty.project/issues/10679)\n- [cve@mitre.org](https://github.com/envoyproxy/envoy/pull/30055)\n- [cve@mitre.org](https://github.com/haproxy/haproxy/issues/2312)\n- [cve@mitre.org](https://github.com/hyperium/hyper/issues/3337)\n- [cve@mitre.org](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/pull/1961)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830987)\n- 
[cve@mitre.org](https://news.ycombinator.com/item?id=37830998)\n- [cve@mitre.org](https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/)\n- [cve@mitre.org](https://github.com/grpc/grpc-go/pull/6703)\n- [cve@mitre.org](https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0)\n- [cve@mitre.org](https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html)\n- [cve@mitre.org](https://my.f5.com/manage/s/article/K000137106)\n- [cve@mitre.org](https://bugzilla.proxmox.com/show_bug.cgi?id=4988)\n- [cve@mitre.org](https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9)\n- [cve@mitre.org](https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/)\n- [cve@mitre.org](https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve)\n- [cve@mitre.org](https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088)\n- [cve@mitre.org](https://github.com/advisories/GHSA-vx74-f528-fxqg)\n- [cve@mitre.org](https://github.com/apache/trafficserver/pull/10564)\n- [cve@mitre.org](https://github.com/dotnet/announcements/issues/277)\n- [cve@mitre.org](https://github.com/facebook/proxygen/pull/466)\n- [cve@mitre.org](https://github.com/golang/go/issues/63417)\n- [cve@mitre.org](https://github.com/h2o/h2o/pull/3291)\n- [cve@mitre.org](https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf)\n- [cve@mitre.org](https://github.com/micrictor/http2-rst-stream)\n- [cve@mitre.org](https://github.com/microsoft/CBL-Mariner/pull/6381)\n- [cve@mitre.org](https://github.com/nodejs/node/pull/50121)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo)\n- [cve@mitre.org](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487)\n- 
[cve@mitre.org](https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/)\n- [cve@mitre.org](https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q)\n- [cve@mitre.org](https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected)\n- [cve@mitre.org](https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/10/10/6)\n- [cve@mitre.org](https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73)\n- [cve@mitre.org](https://github.com/advisories/GHSA-xpw8-rcwv-8f8p)\n- [cve@mitre.org](https://github.com/kubernetes/kubernetes/pull/121120)\n- [cve@mitre.org](https://github.com/opensearch-project/data-prepper/issues/3474)\n- [cve@mitre.org](https://github.com/oqtane/oqtane.framework/discussions/3367)\n- [cve@mitre.org](https://netty.io/news/2023/10/10/4-1-100-Final.html)\n- [cve@mitre.org](https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487)\n- [cve@mitre.org](https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack)\n- [cve@mitre.org](https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/issues/93)\n- [cve@mitre.org](https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37837043)\n- [cve@mitre.org](https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5521)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5522)\n- 
[cve@mitre.org](https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/)\n- [cve@mitre.org](https://access.redhat.com/security/cve/cve-2023-44487)\n- [cve@mitre.org](https://blog.vespa.ai/cve-2023-44487/)\n- [cve@mitre.org](https://bugzilla.redhat.com/show_bug.cgi?id=2242803)\n- [cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1216123)\n- [cve@mitre.org](https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125)\n- [cve@mitre.org](https://github.com/advisories/GHSA-qppj-fm5r-hxr3)\n- [cve@mitre.org](https://github.com/etcd-io/etcd/issues/16740)\n- [cve@mitre.org](https://github.com/junkurihara/rust-rpxy/issues/97)\n- [cve@mitre.org](https://github.com/ninenines/cowboy/issues/1615)\n- [cve@mitre.org](https://github.com/tempesta-tech/tempesta/issues/1986)\n- [cve@mitre.org](https://github.com/varnishcache/varnish-cache/issues/3996)\n- [cve@mitre.org](https://istio.io/latest/news/security/istio-security-2023-004/)\n- [cve@mitre.org](https://ubuntu.com/security/CVE-2023-44487)\n- [cve@mitre.org](https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event)\n- [cve@mitre.org](https://github.com/apache/httpd-site/pull/10)\n- [cve@mitre.org](https://github.com/line/armeria/pull/5232)\n- [cve@mitre.org](https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632)\n- [cve@mitre.org](https://github.com/projectcontour/contour/pull/5826)\n- [cve@mitre.org](https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/)\n- [cve@mitre.org](https://github.com/Azure/AKS/issues/3947)\n- [cve@mitre.org](https://github.com/Kong/kong/discussions/11741)\n- [cve@mitre.org](https://github.com/akka/akka-http/issues/4323)\n- [cve@mitre.org](https://github.com/apache/apisix/issues/10320)\n- [cve@mitre.org](https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487)\n- [cve@mitre.org](https://github.com/openresty/openresty/issues/930)\n- 
[cve@mitre.org](https://security.paloaltonetworks.com/CVE-2023-44487)\n- [cve@mitre.org](https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/)\n- [cve@mitre.org](https://github.com/caddyserver/caddy/releases/tag/v2.7.5)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/13/4)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/13/9)\n- [cve@mitre.org](https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/)\n- [cve@mitre.org](https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/)\n- [cve@mitre.org](https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231016-0001/)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/18/4)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/18/8)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/19/6)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/8)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/)\n- 
[cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5540)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html)\n- [cve@mitre.org](https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/)\n- 
[cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5549)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/)\n- 
[cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/)\n- 
[cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:15:10.883000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97205", "probability": "0.52748" }, "exploit": "High", "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "curl@7.88.1-10+deb12u4", "curl/libcurl4@7.88.1-10+deb12u4", "nghttp2/libnghttp2-14@1.52.0-1" ], "id": "SNYK-DEBIAN12-NGHTTP2-5953379", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-09T15:25:02.573156Z", "name": "nghttp2/libnghttp2-14", "nvdSeverity": "high", "packageManager": "debian:12", "packageName": "nghttp2", "patches": [], "publicationTime": "2023-10-11T01:07:39.545468Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-44487", "url": "https://security-tracker.debian.org/tracker/CVE-2023-44487" }, { "title": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/", "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/" }, { "title": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/", "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/" }, { "title": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/", "url": 
"https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/" }, { "title": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "https://news.ycombinator.com/item?id=37831062", "url": "https://news.ycombinator.com/item?id=37831062" }, { "title": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/", "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/" }, { "title": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack", "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack" }, { "title": "https://chaos.social/@icing/111210915918780532", "url": "https://chaos.social/@icing/111210915918780532" }, { "title": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764", "url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764" }, { "title": "https://github.com/alibaba/tengine/issues/1872", "url": "https://github.com/alibaba/tengine/issues/1872" }, { "title": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2", "url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2" }, { "title": "https://github.com/bcdannyboy/CVE-2023-44487", "url": "https://github.com/bcdannyboy/CVE-2023-44487" }, { "title": "https://github.com/caddyserver/caddy/issues/5877", "url": "https://github.com/caddyserver/caddy/issues/5877" }, { "title": "https://github.com/eclipse/jetty.project/issues/10679", "url": "https://github.com/eclipse/jetty.project/issues/10679" }, { "title": "https://github.com/envoyproxy/envoy/pull/30055", "url": "https://github.com/envoyproxy/envoy/pull/30055" }, { "title": "https://github.com/haproxy/haproxy/issues/2312", 
"url": "https://github.com/haproxy/haproxy/issues/2312" }, { "title": "https://github.com/hyperium/hyper/issues/3337", "url": "https://github.com/hyperium/hyper/issues/3337" }, { "title": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "https://github.com/nghttp2/nghttp2/pull/1961", "url": "https://github.com/nghttp2/nghttp2/pull/1961" }, { "title": "https://news.ycombinator.com/item?id=37830987", "url": "https://news.ycombinator.com/item?id=37830987" }, { "title": "https://news.ycombinator.com/item?id=37830998", "url": "https://news.ycombinator.com/item?id=37830998" }, { "title": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/", "url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/" }, { "title": "https://github.com/grpc/grpc-go/pull/6703", "url": "https://github.com/grpc/grpc-go/pull/6703" }, { "title": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244", "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244" }, { "title": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0", "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0" }, { "title": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html", "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html" }, { "title": "https://my.f5.com/manage/s/article/K000137106", "url": "https://my.f5.com/manage/s/article/K000137106" }, { "title": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988", "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988" }, { "title": 
"https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9", "url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9" }, { "title": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/", "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/" }, { "title": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve", "url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve" }, { "title": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088", "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088" }, { "title": "https://github.com/advisories/GHSA-vx74-f528-fxqg", "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg" }, { "title": "https://github.com/apache/trafficserver/pull/10564", "url": "https://github.com/apache/trafficserver/pull/10564" }, { "title": "https://github.com/dotnet/announcements/issues/277", "url": "https://github.com/dotnet/announcements/issues/277" }, { "title": "https://github.com/facebook/proxygen/pull/466", "url": "https://github.com/facebook/proxygen/pull/466" }, { "title": "https://github.com/golang/go/issues/63417", "url": "https://github.com/golang/go/issues/63417" }, { "title": "https://github.com/h2o/h2o/pull/3291", "url": "https://github.com/h2o/h2o/pull/3291" }, { "title": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf", "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf" }, { "title": "https://github.com/micrictor/http2-rst-stream", "url": "https://github.com/micrictor/http2-rst-stream" }, { "title": "https://github.com/microsoft/CBL-Mariner/pull/6381", "url": "https://github.com/microsoft/CBL-Mariner/pull/6381" }, { "title": "https://github.com/nodejs/node/pull/50121", "url": "https://github.com/nodejs/node/pull/50121" }, { 
"title": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo", "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo" }, { "title": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487" }, { "title": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/", "url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/" }, { "title": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q", "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q" }, { "title": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected", "url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected" }, { "title": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14", "url": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14" }, { "title": "https://www.openwall.com/lists/oss-security/2023/10/10/6", "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6" }, { "title": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73", "url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73" }, { "title": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p", "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p" }, { "title": "https://github.com/kubernetes/kubernetes/pull/121120", "url": "https://github.com/kubernetes/kubernetes/pull/121120" }, { "title": "https://github.com/opensearch-project/data-prepper/issues/3474", "url": "https://github.com/opensearch-project/data-prepper/issues/3474" }, { "title": "https://github.com/oqtane/oqtane.framework/discussions/3367", "url": 
"https://github.com/oqtane/oqtane.framework/discussions/3367" }, { "title": "https://netty.io/news/2023/10/10/4-1-100-Final.html", "url": "https://netty.io/news/2023/10/10/4-1-100-Final.html" }, { "title": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487", "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487" }, { "title": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack", "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack" }, { "title": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113", "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113" }, { "title": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1", "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1" }, { "title": "https://github.com/kazu-yamamoto/http2/issues/93", "url": "https://github.com/kazu-yamamoto/http2/issues/93" }, { "title": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html", "url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html" }, { "title": "https://news.ycombinator.com/item?id=37837043", "url": "https://news.ycombinator.com/item?id=37837043" }, { "title": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487" }, { "title": "https://www.debian.org/security/2023/dsa-5521", "url": "https://www.debian.org/security/2023/dsa-5521" }, { "title": "https://www.debian.org/security/2023/dsa-5522", "url": 
"https://www.debian.org/security/2023/dsa-5522" }, { "title": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/", "url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/" }, { "title": "https://access.redhat.com/security/cve/cve-2023-44487", "url": "https://access.redhat.com/security/cve/cve-2023-44487" }, { "title": "https://blog.vespa.ai/cve-2023-44487/", "url": "https://blog.vespa.ai/cve-2023-44487/" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803" }, { "title": "https://bugzilla.suse.com/show_bug.cgi?id=1216123", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123" }, { "title": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125", "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125" }, { "title": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", "url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3" }, { "title": "https://github.com/etcd-io/etcd/issues/16740", "url": "https://github.com/etcd-io/etcd/issues/16740" }, { "title": "https://github.com/junkurihara/rust-rpxy/issues/97", "url": "https://github.com/junkurihara/rust-rpxy/issues/97" }, { "title": "https://github.com/ninenines/cowboy/issues/1615", "url": "https://github.com/ninenines/cowboy/issues/1615" }, { "title": "https://github.com/tempesta-tech/tempesta/issues/1986", "url": "https://github.com/tempesta-tech/tempesta/issues/1986" }, { "title": "https://github.com/varnishcache/varnish-cache/issues/3996", "url": "https://github.com/varnishcache/varnish-cache/issues/3996" }, { "title": "https://istio.io/latest/news/security/istio-security-2023-004/", "url": "https://istio.io/latest/news/security/istio-security-2023-004/" }, { "title": "https://ubuntu.com/security/CVE-2023-44487", "url": "https://ubuntu.com/security/CVE-2023-44487" }, { "title": 
"https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event", "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event" }, { "title": "https://github.com/apache/httpd-site/pull/10", "url": "https://github.com/apache/httpd-site/pull/10" }, { "title": "https://github.com/line/armeria/pull/5232", "url": "https://github.com/line/armeria/pull/5232" }, { "title": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632", "url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632" }, { "title": "https://github.com/projectcontour/contour/pull/5826", "url": "https://github.com/projectcontour/contour/pull/5826" }, { "title": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/", "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/" }, { "title": "https://github.com/Azure/AKS/issues/3947", "url": "https://github.com/Azure/AKS/issues/3947" }, { "title": "https://github.com/Kong/kong/discussions/11741", "url": "https://github.com/Kong/kong/discussions/11741" }, { "title": "https://github.com/akka/akka-http/issues/4323", "url": "https://github.com/akka/akka-http/issues/4323" }, { "title": "https://github.com/apache/apisix/issues/10320", "url": "https://github.com/apache/apisix/issues/10320" }, { "title": "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487", "url": "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487" }, { "title": "https://github.com/openresty/openresty/issues/930", "url": "https://github.com/openresty/openresty/issues/930" }, { "title": "https://security.paloaltonetworks.com/CVE-2023-44487", "url": "https://security.paloaltonetworks.com/CVE-2023-44487" }, { "title": "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/", "url": "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/" }, { "title": 
"https://github.com/caddyserver/caddy/releases/tag/v2.7.5", "url": "https://github.com/caddyserver/caddy/releases/tag/v2.7.5" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/13/4", "url": "http://www.openwall.com/lists/oss-security/2023/10/13/4" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/13/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/13/9" }, { "title": "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/", "url": "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/" }, { "title": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html", "url": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/" }, { "title": "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/", "url": "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231016-0001/", "url": "https://security.netapp.com/advisory/ntap-20231016-0001/" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/18/4", "url": 
"http://www.openwall.com/lists/oss-security/2023/10/18/4" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/18/8", "url": "http://www.openwall.com/lists/oss-security/2023/10/18/8" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/19/6", "url": "http://www.openwall.com/lists/oss-security/2023/10/19/6" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/8", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/8" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/" }, { "title": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/" }, { "title": 
"https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html" }, { "title": "https://www.debian.org/security/2023/dsa-5540", "url": "https://www.debian.org/security/2023/dsa-5540" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html" }, { "title": "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715", "url": "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/" }, { "title": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html" }, { "title": "https://www.debian.org/security/2023/dsa-5549", "url": "https://www.debian.org/security/2023/dsa-5549" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/" }, { "title": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/" }, { "title": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/" }, { "title": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": true, "title": "Resource Exhaustion", "upgradePath": [], "version": "1.52.0-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-08-29T02:14:12.065902Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 6.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-11T01:10:52.532167Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 6.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": 
"2023-11-08T09:43:50.658705Z", "severity": "medium" } ], "cvssScore": 6.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tiff` package and not the `tiff` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nLibTIFF is vulnerable to an integer overflow. This flaw allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TIFF image, which triggers a heap-based buffer overflow.\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-40745)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2023-40745)\n- [secalert@redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=2235265)\n- [secalert@redhat.com](https://security.netapp.com/advisory/ntap-20231110-0005/)\n", "disclosureTime": "2023-10-05T19:15:11.260000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.22486", "probability": "0.00058" }, "exploit": "Not Defined", "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "tiff/libtiff6@4.5.0-6" ], "id": "SNYK-DEBIAN12-TIFF-5862859", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-40745" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-11T01:10:45.525339Z", "name": "tiff/libtiff6", "nvdSeverity": "medium", "packageManager": "debian:12", "packageName": "tiff", "patches": [], "publicationTime": "2023-08-29T02:14:12.010192Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-40745", "url": 
"https://security-tracker.debian.org/tracker/CVE-2023-40745" }, { "title": "https://access.redhat.com/security/cve/CVE-2023-40745", "url": "https://access.redhat.com/security/cve/CVE-2023-40745" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2235265", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2235265" }, { "title": "https://security.netapp.com/advisory/ntap-20231110-0005/", "url": "https://security.netapp.com/advisory/ntap-20231110-0005/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "4.5.0-6" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-08-29T02:15:15.690236Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 6.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-11T01:10:52.697590Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 6.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:50.652540Z", "severity": "medium" } ], "cvssScore": 6.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tiff` package and not the `tiff` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nA vulnerability was found in libtiff due to multiple potential integer overflows in raw2tiff.c. 
This flaw allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted TIFF image, which triggers a heap-based buffer overflow.\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-41175)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2023-41175)\n- [secalert@redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=2235264)\n", "disclosureTime": "2023-10-05T19:15:11.340000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.22501", "probability": "0.00058" }, "exploit": "Not Defined", "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "tiff/libtiff6@4.5.0-6" ], "id": "SNYK-DEBIAN12-TIFF-5862863", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-41175" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-08T09:43:50.652540Z", "name": "tiff/libtiff6", "nvdSeverity": "medium", "packageManager": "debian:12", "packageName": "tiff", "patches": [], "publicationTime": "2023-08-29T02:14:21.842855Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-41175", "url": "https://security-tracker.debian.org/tracker/CVE-2023-41175" }, { "title": "https://access.redhat.com/security/cve/CVE-2023-41175", "url": "https://access.redhat.com/security/cve/CVE-2023-41175" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2235264", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2235264" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", 
"upgradePath": [], "version": "4.5.0-6" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-10-05T14:53:13.833743Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-11T01:10:46.904290Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 3.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "modificationTime": "2023-11-07T11:03:32.405665Z", "severity": "low" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:41:20.191000Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tiff` package and not the `tiff` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nA memory leak flaw was found in Libtiff's tiffcrop utility. 
This issue occurs when tiffcrop operates on a TIFF image file, allowing an attacker to pass a crafted TIFF image file to the tiffcrop utility, which causes this memory leak issue, resulting in an application crash and eventually leading to a denial of service.\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-3576)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2023-3576)\n- [secalert@redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=2219340)\n- [secalert@redhat.com](https://access.redhat.com/errata/RHSA-2023:6575)\n", "disclosureTime": "2023-10-04T19:15:10.340000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.10928", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "tiff/libtiff6@4.5.0-6" ], "id": "SNYK-DEBIAN12-TIFF-5934984", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-3576" ], "CWE": [ "CWE-401" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-08T09:41:20.191000Z", "name": "tiff/libtiff6", "nvdSeverity": "medium", "packageManager": "debian:12", "packageName": "tiff", "patches": [], "publicationTime": "2023-10-05T14:51:44.129440Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-3576", "url": "https://security-tracker.debian.org/tracker/CVE-2023-3576" }, { "title": "https://access.redhat.com/security/cve/CVE-2023-3576", "url": "https://access.redhat.com/security/cve/CVE-2023-3576" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2219340", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2219340" }, { "title": "https://access.redhat.com/errata/RHSA-2023:6575", "url": 
"https://access.redhat.com/errata/RHSA-2023:6575" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Memory Leak", "upgradePath": [], "version": "4.5.0-6" } ] }, "created_at": 1699693918.2555888, "has_audit_package": true } }, "git_commit_info": { "sha1": "b8bf72b392bb4116414442c79520d3a4f7179120", "message": "Remove dead entries for shas service which is now called version-reporter", "author": "JonJagger <jon@kosli.com>", "timestamp": 1699467962, "branch": "main" }, "repo_url": "https://github.com/cyber-dojo/nginx", "template": [ "artifact", "snyk-scan" ], "last_modified_at": 1699693918.2555888, "deployments": [ 85, 84 ], "state": "NON-COMPLIANT", "html_url": "https://app.kosli.com/cyber-dojo/flows/nginx-archived-at-1707630884/artifacts/8f2afb7bf12de36f46b424cb27abd92b6db52e52db72f11cc3dee8f9b0aea9aa", "api_url": "https://app.kosli.com/api/v2/artifacts/cyber-dojo/nginx-archived-at-1707630884/fingerprint/8f2afb7bf12de36f46b424cb27abd92b6db52e52db72f11cc3dee8f9b0aea9aa" }
Artifact Information |
|
Name | cyberdojo/nginx:b8bf72b |
Fingerprint | 8f2afb7bf12de36f46b424cb27abd92b6db52e52db72f11cc3dee8f9b0aea9aa |
Git commit |
b8bf72b
JonJagger <jon@kosli.com> (main)
1699467962.0 • 6 months ago
Remove dead entries for shas service which is now called version-reporter
|
CI Build | https://github.com/cyber-dojo/nginx/actions/runs/6802462784 |
Running | - |
Exited | aws-beta#2130 aws-prod#1357 |
Last modified | 1699693918.2555888 • 6 months ago |
Approvals
None |
Evidence
Evidence for 'snyk-scan'
{ "evidence_type": "snyk", "name": "snyk-scan", "is_compliant": false, "build_url": "https://github.com/cyber-dojo/snyk_scans/actions/runs/6833338247", "evidence_archive_fingerprint": "9d26a61e1eee90db1f1f38e9c4355082063f844a15ca358164d999b33d6a800e", "user_data": {}, "snyk_results": { "applications": [ { "dependencyCount": 0, "displayTargetFile": "/usr/share/java", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": 
"jonjagger", "packageManager": "maven", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@sha256:8f2afb7bf12de36f46b424cb27abd92b6db52e52db72f11cc3dee8f9b0aea9aa/nginx:b8bf72b@sha256:8f2afb7bf12de36f46b424cb27abd92b6db52e52db72f11cc3dee8f9b0aea9aa:/usr/share/java", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-DEBIAN12-TIFF-5862859:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-10T19:30:13.235Z\n created: 2023-10-11T19:30:13.242Z\n source: cli\n SNYK-DEBIAN12-TIFF-5862863:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-10T19:30:34.260Z\n created: 2023-10-11T19:30:34.270Z\n source: cli\n SNYK-DEBIAN12-TIFF-5934984:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-10T19:30:47.863Z\n created: 2023-10-11T19:30:47.874Z\n source: cli\n SNYK-DEBIAN12-NGHTTP2-5953379:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-10T19:31:20.564Z\n created: 2023-10-11T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-ZLIB-6008963:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-21T19:31:20.564Z\n created: 2023-10-21T19:31:20.581Z\n source: cli\npatch: {}\n", "projectName": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@sha256:8f2afb7bf12de36f46b424cb27abd92b6db52e52db72f11cc3dee8f9b0aea9aa:/usr/share/java", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/share/java", "uniqueCount": 0, "vulnerabilities": [] } ], "dependencyCount": 149, "docker": { "baseImage": "nginx:1.25.3-bookworm", "baseImageRemediation": { "advice": [ { "bold": true, "message": "According to our scan, you are currently using the most secure version of the selected base image" } ], "code": "NO_REMEDIATION_AVAILABLE" } }, "filesystemPolicy": true, "filtered": { "ignore": 
[ { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": 
"2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "curl@7.88.1-10+deb12u4", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": 
{ "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. 
NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "nginx@1.25.3-1~bookworm", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": 
"https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by 
`Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "nginx-module-njs@1.25.3+0.8.2-1~bookworm", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", 
"patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": 
"2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "util-linux/util-linux@2.38.1-5+b1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, 
"isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", 
"apt@2.6.1", "apt/libapt-pkg6.0@2.6.1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": 
"1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": 
"2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "apt@2.6.1", "gnupg2/gpgv@2.2.40-1.1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], 
"relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. 
NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "curl@7.88.1-10+deb12u4", "curl/libcurl4@7.88.1-10+deb12u4", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": 
"https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by 
`Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "dash@0.5.12-2", "dpkg@1.21.22", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], 
"publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", 
"severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "nginx-module-njs@1.25.3+0.8.2-1~bookworm", "libxml2@2.9.14+dfsg-1.3~deb12u1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": 
false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", 
"curl@7.88.1-10+deb12u4", "curl/libcurl4@7.88.1-10+deb12u4", "libssh2/libssh2-1@1.10.0-3+b1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or 
Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. 
NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "curl@7.88.1-10+deb12u4", "curl/libcurl4@7.88.1-10+deb12u4", "rtmpdump/librtmp1@2.4+20151223.gitfa8646d.1-2+b2", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": 
"https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the 
upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "libheif/libheif1@1.15.1-1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": 
"2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": 
"SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "tiff/libtiff6@4.5.0-6", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": 
"SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": 
[], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for 
Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "fontconfig/libfontconfig1@2.14.1-4", "freetype/libfreetype6@2.12.1+dfsg-5", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } 
], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. 
NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "fontconfig/libfontconfig1@2.14.1-4", "freetype/libfreetype6@2.12.1+dfsg-5", "libpng1.6/libpng16-16@1.6.39-2", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": 
"https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { 
"instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": false, "org": "jonjagger", "packageManager": "deb", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@sha256:8f2afb7bf12de36f46b424cb27abd92b6db52e52db72f11cc3dee8f9b0aea9aa/nginx:b8bf72b", "platform": "linux/amd64", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-DEBIAN12-TIFF-5862859:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-10T19:30:13.235Z\n created: 2023-10-11T19:30:13.242Z\n source: cli\n SNYK-DEBIAN12-TIFF-5862863:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-10T19:30:34.260Z\n created: 2023-10-11T19:30:34.270Z\n source: cli\n SNYK-DEBIAN12-TIFF-5934984:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-10T19:30:47.863Z\n created: 2023-10-11T19:30:47.874Z\n source: cli\n SNYK-DEBIAN12-NGHTTP2-5953379:\n - '*':\n reason: 
Waiting for Debian upgrade\n expires: 2023-11-10T19:31:20.564Z\n created: 2023-10-11T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-ZLIB-6008963:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-21T19:31:20.564Z\n created: 2023-10-21T19:31:20.581Z\n source: cli\npatch: {}\n", "projectName": "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b", "severityThreshold": "medium", "summary": "19 medium or high or critical severity vulnerable dependency paths", "uniqueCount": 4, "vulnerabilities": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "cpes": [], "creationTime": "2023-10-11T02:06:26.471182Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:54.280816Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `nghttp2` package and not the `nghttp2` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.\n## Remediation\nThere is no fixed version for `Debian:12` `nghttp2`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-44487)\n- [cve@mitre.org](https://aws.amazon.com/security/security-bulletins/AWS-2023-011/)\n- 
[cve@mitre.org](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [cve@mitre.org](https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37831062)\n- [cve@mitre.org](https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/)\n- [cve@mitre.org](https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack)\n- [cve@mitre.org](https://chaos.social/@icing/111210915918780532)\n- [cve@mitre.org](https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764)\n- [cve@mitre.org](https://github.com/alibaba/tengine/issues/1872)\n- [cve@mitre.org](https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2)\n- [cve@mitre.org](https://github.com/bcdannyboy/CVE-2023-44487)\n- [cve@mitre.org](https://github.com/caddyserver/caddy/issues/5877)\n- [cve@mitre.org](https://github.com/eclipse/jetty.project/issues/10679)\n- [cve@mitre.org](https://github.com/envoyproxy/envoy/pull/30055)\n- [cve@mitre.org](https://github.com/haproxy/haproxy/issues/2312)\n- [cve@mitre.org](https://github.com/hyperium/hyper/issues/3337)\n- [cve@mitre.org](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/pull/1961)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830987)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830998)\n- [cve@mitre.org](https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/)\n- [cve@mitre.org](https://github.com/grpc/grpc-go/pull/6703)\n- 
[cve@mitre.org](https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0)\n- [cve@mitre.org](https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html)\n- [cve@mitre.org](https://my.f5.com/manage/s/article/K000137106)\n- [cve@mitre.org](https://bugzilla.proxmox.com/show_bug.cgi?id=4988)\n- [cve@mitre.org](https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9)\n- [cve@mitre.org](https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/)\n- [cve@mitre.org](https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve)\n- [cve@mitre.org](https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088)\n- [cve@mitre.org](https://github.com/advisories/GHSA-vx74-f528-fxqg)\n- [cve@mitre.org](https://github.com/apache/trafficserver/pull/10564)\n- [cve@mitre.org](https://github.com/dotnet/announcements/issues/277)\n- [cve@mitre.org](https://github.com/facebook/proxygen/pull/466)\n- [cve@mitre.org](https://github.com/golang/go/issues/63417)\n- [cve@mitre.org](https://github.com/h2o/h2o/pull/3291)\n- [cve@mitre.org](https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf)\n- [cve@mitre.org](https://github.com/micrictor/http2-rst-stream)\n- [cve@mitre.org](https://github.com/microsoft/CBL-Mariner/pull/6381)\n- [cve@mitre.org](https://github.com/nodejs/node/pull/50121)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo)\n- [cve@mitre.org](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487)\n- [cve@mitre.org](https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/)\n- [cve@mitre.org](https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q)\n- 
[cve@mitre.org](https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected)\n- [cve@mitre.org](https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/10/10/6)\n- [cve@mitre.org](https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73)\n- [cve@mitre.org](https://github.com/advisories/GHSA-xpw8-rcwv-8f8p)\n- [cve@mitre.org](https://github.com/kubernetes/kubernetes/pull/121120)\n- [cve@mitre.org](https://github.com/opensearch-project/data-prepper/issues/3474)\n- [cve@mitre.org](https://github.com/oqtane/oqtane.framework/discussions/3367)\n- [cve@mitre.org](https://netty.io/news/2023/10/10/4-1-100-Final.html)\n- [cve@mitre.org](https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487)\n- [cve@mitre.org](https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack)\n- [cve@mitre.org](https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/issues/93)\n- [cve@mitre.org](https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37837043)\n- [cve@mitre.org](https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5521)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5522)\n- [cve@mitre.org](https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/)\n- [cve@mitre.org](https://access.redhat.com/security/cve/cve-2023-44487)\n- 
[cve@mitre.org](https://blog.vespa.ai/cve-2023-44487/)\n- [cve@mitre.org](https://bugzilla.redhat.com/show_bug.cgi?id=2242803)\n- [cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1216123)\n- [cve@mitre.org](https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125)\n- [cve@mitre.org](https://github.com/advisories/GHSA-qppj-fm5r-hxr3)\n- [cve@mitre.org](https://github.com/etcd-io/etcd/issues/16740)\n- [cve@mitre.org](https://github.com/junkurihara/rust-rpxy/issues/97)\n- [cve@mitre.org](https://github.com/ninenines/cowboy/issues/1615)\n- [cve@mitre.org](https://github.com/tempesta-tech/tempesta/issues/1986)\n- [cve@mitre.org](https://github.com/varnishcache/varnish-cache/issues/3996)\n- [cve@mitre.org](https://istio.io/latest/news/security/istio-security-2023-004/)\n- [cve@mitre.org](https://ubuntu.com/security/CVE-2023-44487)\n- [cve@mitre.org](https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event)\n- [cve@mitre.org](https://github.com/apache/httpd-site/pull/10)\n- [cve@mitre.org](https://github.com/line/armeria/pull/5232)\n- [cve@mitre.org](https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632)\n- [cve@mitre.org](https://github.com/projectcontour/contour/pull/5826)\n- [cve@mitre.org](https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/)\n- [cve@mitre.org](https://github.com/Azure/AKS/issues/3947)\n- [cve@mitre.org](https://github.com/Kong/kong/discussions/11741)\n- [cve@mitre.org](https://github.com/akka/akka-http/issues/4323)\n- [cve@mitre.org](https://github.com/apache/apisix/issues/10320)\n- [cve@mitre.org](https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487)\n- [cve@mitre.org](https://github.com/openresty/openresty/issues/930)\n- [cve@mitre.org](https://security.paloaltonetworks.com/CVE-2023-44487)\n- [cve@mitre.org](https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/)\n- 
[cve@mitre.org](https://github.com/caddyserver/caddy/releases/tag/v2.7.5)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/13/4)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/13/9)\n- [cve@mitre.org](https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/)\n- [cve@mitre.org](https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/)\n- [cve@mitre.org](https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231016-0001/)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/18/4)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/18/8)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/19/6)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/8)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/)\n- 
[cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5540)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html)\n- [cve@mitre.org](https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/)\n- 
[cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5549)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/)\n- 
[cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/)\n- [CISA - Known Exploited 
Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:15:10.883000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97205", "probability": "0.52748" }, "exploit": "High", "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "curl@7.88.1-10+deb12u4", "curl/libcurl4@7.88.1-10+deb12u4", "nghttp2/libnghttp2-14@1.52.0-1" ], "id": "SNYK-DEBIAN12-NGHTTP2-5953379", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-09T15:25:02.573156Z", "name": "nghttp2/libnghttp2-14", "nvdSeverity": "high", "packageManager": "debian:12", "packageName": "nghttp2", "patches": [], "publicationTime": "2023-10-11T01:07:39.545468Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-44487", "url": "https://security-tracker.debian.org/tracker/CVE-2023-44487" }, { "title": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/", "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/" }, { "title": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/", "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/" }, { "title": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/", "url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/" }, { "title": 
"https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "https://news.ycombinator.com/item?id=37831062", "url": "https://news.ycombinator.com/item?id=37831062" }, { "title": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/", "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/" }, { "title": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack", "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack" }, { "title": "https://chaos.social/@icing/111210915918780532", "url": "https://chaos.social/@icing/111210915918780532" }, { "title": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764", "url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764" }, { "title": "https://github.com/alibaba/tengine/issues/1872", "url": "https://github.com/alibaba/tengine/issues/1872" }, { "title": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2", "url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2" }, { "title": "https://github.com/bcdannyboy/CVE-2023-44487", "url": "https://github.com/bcdannyboy/CVE-2023-44487" }, { "title": "https://github.com/caddyserver/caddy/issues/5877", "url": "https://github.com/caddyserver/caddy/issues/5877" }, { "title": "https://github.com/eclipse/jetty.project/issues/10679", "url": "https://github.com/eclipse/jetty.project/issues/10679" }, { "title": "https://github.com/envoyproxy/envoy/pull/30055", "url": "https://github.com/envoyproxy/envoy/pull/30055" }, { "title": "https://github.com/haproxy/haproxy/issues/2312", "url": "https://github.com/haproxy/haproxy/issues/2312" }, { "title": "https://github.com/hyperium/hyper/issues/3337", "url": 
"https://github.com/hyperium/hyper/issues/3337" }, { "title": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "https://github.com/nghttp2/nghttp2/pull/1961", "url": "https://github.com/nghttp2/nghttp2/pull/1961" }, { "title": "https://news.ycombinator.com/item?id=37830987", "url": "https://news.ycombinator.com/item?id=37830987" }, { "title": "https://news.ycombinator.com/item?id=37830998", "url": "https://news.ycombinator.com/item?id=37830998" }, { "title": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/", "url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/" }, { "title": "https://github.com/grpc/grpc-go/pull/6703", "url": "https://github.com/grpc/grpc-go/pull/6703" }, { "title": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244", "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244" }, { "title": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0", "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0" }, { "title": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html", "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html" }, { "title": "https://my.f5.com/manage/s/article/K000137106", "url": "https://my.f5.com/manage/s/article/K000137106" }, { "title": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988", "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988" }, { "title": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9", "url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9" }, { 
"title": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/", "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/" }, { "title": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve", "url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve" }, { "title": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088", "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088" }, { "title": "https://github.com/advisories/GHSA-vx74-f528-fxqg", "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg" }, { "title": "https://github.com/apache/trafficserver/pull/10564", "url": "https://github.com/apache/trafficserver/pull/10564" }, { "title": "https://github.com/dotnet/announcements/issues/277", "url": "https://github.com/dotnet/announcements/issues/277" }, { "title": "https://github.com/facebook/proxygen/pull/466", "url": "https://github.com/facebook/proxygen/pull/466" }, { "title": "https://github.com/golang/go/issues/63417", "url": "https://github.com/golang/go/issues/63417" }, { "title": "https://github.com/h2o/h2o/pull/3291", "url": "https://github.com/h2o/h2o/pull/3291" }, { "title": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf", "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf" }, { "title": "https://github.com/micrictor/http2-rst-stream", "url": "https://github.com/micrictor/http2-rst-stream" }, { "title": "https://github.com/microsoft/CBL-Mariner/pull/6381", "url": "https://github.com/microsoft/CBL-Mariner/pull/6381" }, { "title": "https://github.com/nodejs/node/pull/50121", "url": "https://github.com/nodejs/node/pull/50121" }, { "title": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo", "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo" }, { "title": 
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487" }, { "title": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/", "url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/" }, { "title": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q", "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q" }, { "title": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected", "url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected" }, { "title": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14", "url": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14" }, { "title": "https://www.openwall.com/lists/oss-security/2023/10/10/6", "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6" }, { "title": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73", "url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73" }, { "title": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p", "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p" }, { "title": "https://github.com/kubernetes/kubernetes/pull/121120", "url": "https://github.com/kubernetes/kubernetes/pull/121120" }, { "title": "https://github.com/opensearch-project/data-prepper/issues/3474", "url": "https://github.com/opensearch-project/data-prepper/issues/3474" }, { "title": "https://github.com/oqtane/oqtane.framework/discussions/3367", "url": "https://github.com/oqtane/oqtane.framework/discussions/3367" }, { "title": "https://netty.io/news/2023/10/10/4-1-100-Final.html", "url": 
"https://netty.io/news/2023/10/10/4-1-100-Final.html" }, { "title": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487", "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487" }, { "title": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack", "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack" }, { "title": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113", "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113" }, { "title": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1", "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1" }, { "title": "https://github.com/kazu-yamamoto/http2/issues/93", "url": "https://github.com/kazu-yamamoto/http2/issues/93" }, { "title": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html", "url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html" }, { "title": "https://news.ycombinator.com/item?id=37837043", "url": "https://news.ycombinator.com/item?id=37837043" }, { "title": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487" }, { "title": "https://www.debian.org/security/2023/dsa-5521", "url": "https://www.debian.org/security/2023/dsa-5521" }, { "title": "https://www.debian.org/security/2023/dsa-5522", "url": "https://www.debian.org/security/2023/dsa-5522" }, { "title": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/", "url": 
"https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/" }, { "title": "https://access.redhat.com/security/cve/cve-2023-44487", "url": "https://access.redhat.com/security/cve/cve-2023-44487" }, { "title": "https://blog.vespa.ai/cve-2023-44487/", "url": "https://blog.vespa.ai/cve-2023-44487/" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803" }, { "title": "https://bugzilla.suse.com/show_bug.cgi?id=1216123", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123" }, { "title": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125", "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125" }, { "title": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", "url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3" }, { "title": "https://github.com/etcd-io/etcd/issues/16740", "url": "https://github.com/etcd-io/etcd/issues/16740" }, { "title": "https://github.com/junkurihara/rust-rpxy/issues/97", "url": "https://github.com/junkurihara/rust-rpxy/issues/97" }, { "title": "https://github.com/ninenines/cowboy/issues/1615", "url": "https://github.com/ninenines/cowboy/issues/1615" }, { "title": "https://github.com/tempesta-tech/tempesta/issues/1986", "url": "https://github.com/tempesta-tech/tempesta/issues/1986" }, { "title": "https://github.com/varnishcache/varnish-cache/issues/3996", "url": "https://github.com/varnishcache/varnish-cache/issues/3996" }, { "title": "https://istio.io/latest/news/security/istio-security-2023-004/", "url": "https://istio.io/latest/news/security/istio-security-2023-004/" }, { "title": "https://ubuntu.com/security/CVE-2023-44487", "url": "https://ubuntu.com/security/CVE-2023-44487" }, { "title": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event", "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event" }, { "title": 
"https://github.com/apache/httpd-site/pull/10", "url": "https://github.com/apache/httpd-site/pull/10" }, { "title": "https://github.com/line/armeria/pull/5232", "url": "https://github.com/line/armeria/pull/5232" }, { "title": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632", "url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632" }, { "title": "https://github.com/projectcontour/contour/pull/5826", "url": "https://github.com/projectcontour/contour/pull/5826" }, { "title": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/", "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/" }, { "title": "https://github.com/Azure/AKS/issues/3947", "url": "https://github.com/Azure/AKS/issues/3947" }, { "title": "https://github.com/Kong/kong/discussions/11741", "url": "https://github.com/Kong/kong/discussions/11741" }, { "title": "https://github.com/akka/akka-http/issues/4323", "url": "https://github.com/akka/akka-http/issues/4323" }, { "title": "https://github.com/apache/apisix/issues/10320", "url": "https://github.com/apache/apisix/issues/10320" }, { "title": "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487", "url": "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487" }, { "title": "https://github.com/openresty/openresty/issues/930", "url": "https://github.com/openresty/openresty/issues/930" }, { "title": "https://security.paloaltonetworks.com/CVE-2023-44487", "url": "https://security.paloaltonetworks.com/CVE-2023-44487" }, { "title": "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/", "url": "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/" }, { "title": "https://github.com/caddyserver/caddy/releases/tag/v2.7.5", "url": "https://github.com/caddyserver/caddy/releases/tag/v2.7.5" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html", 
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/13/4", "url": "http://www.openwall.com/lists/oss-security/2023/10/13/4" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/13/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/13/9" }, { "title": "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/", "url": "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/" }, { "title": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html", "url": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/" }, { "title": "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/", "url": "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231016-0001/", "url": "https://security.netapp.com/advisory/ntap-20231016-0001/" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/18/4", "url": "http://www.openwall.com/lists/oss-security/2023/10/18/4" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/18/8", "url": "http://www.openwall.com/lists/oss-security/2023/10/18/8" }, { "title": 
"http://www.openwall.com/lists/oss-security/2023/10/19/6", "url": "http://www.openwall.com/lists/oss-security/2023/10/19/6" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/8", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/8" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/" }, { "title": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html" }, { "title": "https://www.debian.org/security/2023/dsa-5540", "url": "https://www.debian.org/security/2023/dsa-5540" }, { "title": 
"https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html" }, { "title": "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715", "url": "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/" }, { "title": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html" }, { "title": "https://www.debian.org/security/2023/dsa-5549", "url": "https://www.debian.org/security/2023/dsa-5549" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/" }, { 
"title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/" }, { "title": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/" }, { "title": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": true, "title": "Resource Exhaustion", "upgradePath": [], "version": "1.52.0-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-08-29T02:14:12.065902Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 6.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-11T01:10:52.532167Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 6.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:50.658705Z", "severity": "medium" } ], "cvssScore": 6.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tiff` package and not the `tiff` package as distributed by `Debian`._\n_See `How to fix?` for 
`Debian:12` relevant fixed versions and status._\n\nLibTIFF is vulnerable to an integer overflow. This flaw allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TIFF image, which triggers a heap-based buffer overflow.\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-40745)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2023-40745)\n- [secalert@redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=2235265)\n- [secalert@redhat.com](https://security.netapp.com/advisory/ntap-20231110-0005/)\n", "disclosureTime": "2023-10-05T19:15:11.260000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.22486", "probability": "0.00058" }, "exploit": "Not Defined", "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "tiff/libtiff6@4.5.0-6" ], "id": "SNYK-DEBIAN12-TIFF-5862859", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-40745" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-11T01:10:45.525339Z", "name": "tiff/libtiff6", "nvdSeverity": "medium", "packageManager": "debian:12", "packageName": "tiff", "patches": [], "publicationTime": "2023-08-29T02:14:12.010192Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-40745", "url": "https://security-tracker.debian.org/tracker/CVE-2023-40745" }, { "title": "https://access.redhat.com/security/cve/CVE-2023-40745", "url": "https://access.redhat.com/security/cve/CVE-2023-40745" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2235265", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2235265" }, { "title": 
"https://security.netapp.com/advisory/ntap-20231110-0005/", "url": "https://security.netapp.com/advisory/ntap-20231110-0005/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "4.5.0-6" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-08-29T02:15:15.690236Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 6.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-11T01:10:52.697590Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 6.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:50.652540Z", "severity": "medium" } ], "cvssScore": 6.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tiff` package and not the `tiff` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nA vulnerability was found in libtiff due to multiple potential integer overflows in raw2tiff.c. 
This flaw allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted TIFF image, which triggers a heap-based buffer overflow.\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-41175)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2023-41175)\n- [secalert@redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=2235264)\n", "disclosureTime": "2023-10-05T19:15:11.340000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.22501", "probability": "0.00058" }, "exploit": "Not Defined", "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "tiff/libtiff6@4.5.0-6" ], "id": "SNYK-DEBIAN12-TIFF-5862863", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-41175" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-08T09:43:50.652540Z", "name": "tiff/libtiff6", "nvdSeverity": "medium", "packageManager": "debian:12", "packageName": "tiff", "patches": [], "publicationTime": "2023-08-29T02:14:21.842855Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-41175", "url": "https://security-tracker.debian.org/tracker/CVE-2023-41175" }, { "title": "https://access.redhat.com/security/cve/CVE-2023-41175", "url": "https://access.redhat.com/security/cve/CVE-2023-41175" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2235264", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2235264" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", 
"upgradePath": [], "version": "4.5.0-6" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-10-05T14:53:13.833743Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-11T01:10:46.904290Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 3.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "modificationTime": "2023-11-07T11:03:32.405665Z", "severity": "low" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:41:20.191000Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tiff` package and not the `tiff` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nA memory leak flaw was found in Libtiff's tiffcrop utility. 
This issue occurs when tiffcrop operates on a TIFF image file, allowing an attacker to pass a crafted TIFF image file to the tiffcrop utility, which causes this memory leak issue, resulting in an application crash, eventually leading to a denial of service.\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-3576)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2023-3576)\n- [secalert@redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=2219340)\n- [secalert@redhat.com](https://access.redhat.com/errata/RHSA-2023:6575)\n", "disclosureTime": "2023-10-04T19:15:10.340000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.10928", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "tiff/libtiff6@4.5.0-6" ], "id": "SNYK-DEBIAN12-TIFF-5934984", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-3576" ], "CWE": [ "CWE-401" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-08T09:41:20.191000Z", "name": "tiff/libtiff6", "nvdSeverity": "medium", "packageManager": "debian:12", "packageName": "tiff", "patches": [], "publicationTime": "2023-10-05T14:51:44.129440Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-3576", "url": "https://security-tracker.debian.org/tracker/CVE-2023-3576" }, { "title": "https://access.redhat.com/security/cve/CVE-2023-3576", "url": "https://access.redhat.com/security/cve/CVE-2023-3576" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2219340", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2219340" }, { "title": "https://access.redhat.com/errata/RHSA-2023:6575", "url": 
"https://access.redhat.com/errata/RHSA-2023:6575" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Memory Leak", "upgradePath": [], "version": "4.5.0-6" } ] }, "created_at": 1699693918.2555888, "has_audit_package": true }