cyber-dojo
flows
nginx-archived-at-1707630884
artifacts
8f2afb7bf12de36f46b424cb27abd92b6db52e52db72f11cc3dee8f9b0aea9aa
By signing up, you agree to the
Terms of Service.
For more information about Kosli’s privacy practices, see the Kosli’s
Privacy Policy.
We’ll occasionally send you account-related emails.
We’ll occasionally send you account-related emails.
nginx-archived-at-1707630884
Reverse proxy
cyberdojo/nginx:b8bf72b
Non-compliant
Download Evidence Package
JSON
{
"created_at": 1699468044.240746,
"fingerprint": "8f2afb7bf12de36f46b424cb27abd92b6db52e52db72f11cc3dee8f9b0aea9aa",
"filename": "cyberdojo/nginx:b8bf72b",
"git_commit": "b8bf72b392bb4116414442c79520d3a4f7179120",
"build_url": "https://github.com/cyber-dojo/nginx/actions/runs/6802462784",
"commit_url": "https://github.com/cyber-dojo/nginx/commit/b8bf72b392bb4116414442c79520d3a4f7179120",
"evidence": {
"snyk-scan": {
"evidence_type": "snyk",
"is_compliant": false,
"build_url": "https://github.com/cyber-dojo/snyk_scans/actions/runs/6833338247",
"evidence_archive_fingerprint": "9d26a61e1eee90db1f1f38e9c4355082063f844a15ca358164d999b33d6a800e",
"user_data": {},
"snyk_results": {
"applications": [
{
"dependencyCount": 0,
"displayTargetFile": "/usr/share/java",
"docker": {},
"filesystemPolicy": true,
"hasUnknownVersions": false,
"ignoreSettings": {
"adminOnly": false,
"disregardFilesystemIgnores": false,
"reasonRequired": false
},
"isPrivate": true,
"licensesPolicy": {
"orgLicenseRules": {
"AGPL-1.0": {
"instructions": "",
"licenseType": "AGPL-1.0",
"severity": "high"
},
"AGPL-3.0": {
"instructions": "",
"licenseType": "AGPL-3.0",
"severity": "high"
},
"Artistic-1.0": {
"instructions": "",
"licenseType": "Artistic-1.0",
"severity": "medium"
},
"Artistic-2.0": {
"instructions": "",
"licenseType": "Artistic-2.0",
"severity": "medium"
},
"CDDL-1.0": {
"instructions": "",
"licenseType": "CDDL-1.0",
"severity": "medium"
},
"CPOL-1.02": {
"instructions": "",
"licenseType": "CPOL-1.02",
"severity": "high"
},
"EPL-1.0": {
"instructions": "",
"licenseType": "EPL-1.0",
"severity": "medium"
},
"GPL-2.0": {
"instructions": "",
"licenseType": "GPL-2.0",
"severity": "high"
},
"GPL-3.0": {
"instructions": "",
"licenseType": "GPL-3.0",
"severity": "high"
},
"LGPL-2.0": {
"instructions": "",
"licenseType": "LGPL-2.0",
"severity": "medium"
},
"LGPL-2.1": {
"instructions": "",
"licenseType": "LGPL-2.1",
"severity": "medium"
},
"LGPL-3.0": {
"instructions": "",
"licenseType": "LGPL-3.0",
"severity": "medium"
},
"MPL-1.1": {
"instructions": "",
"licenseType": "MPL-1.1",
"severity": "medium"
},
"MPL-2.0": {
"instructions": "",
"licenseType": "MPL-2.0",
"severity": "medium"
},
"MS-RL": {
"instructions": "",
"licenseType": "MS-RL",
"severity": "medium"
},
"SimPL-2.0": {
"instructions": "",
"licenseType": "SimPL-2.0",
"severity": "high"
}
},
"severities": {}
},
"ok": true,
"org": "jonjagger",
"packageManager": "maven",
"path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@sha256:8f2afb7bf12de36f46b424cb27abd92b6db52e52db72f11cc3dee8f9b0aea9aa/nginx:b8bf72b@sha256:8f2afb7bf12de36f46b424cb27abd92b6db52e52db72f11cc3dee8f9b0aea9aa:/usr/share/java",
"policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-DEBIAN12-TIFF-5862859:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-10T19:30:13.235Z\n created: 2023-10-11T19:30:13.242Z\n source: cli\n SNYK-DEBIAN12-TIFF-5862863:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-10T19:30:34.260Z\n created: 2023-10-11T19:30:34.270Z\n source: cli\n SNYK-DEBIAN12-TIFF-5934984:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-10T19:30:47.863Z\n created: 2023-10-11T19:30:47.874Z\n source: cli\n SNYK-DEBIAN12-NGHTTP2-5953379:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-10T19:31:20.564Z\n created: 2023-10-11T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-ZLIB-6008963:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-21T19:31:20.564Z\n created: 2023-10-21T19:31:20.581Z\n source: cli\npatch: {}\n",
"projectName": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@sha256:8f2afb7bf12de36f46b424cb27abd92b6db52e52db72f11cc3dee8f9b0aea9aa:/usr/share/java",
"severityThreshold": "medium",
"summary": "No medium or high or critical severity vulnerabilities",
"targetFile": "/usr/share/java",
"uniqueCount": 0,
"vulnerabilities": []
}
],
"dependencyCount": 149,
"docker": {
"baseImage": "nginx:1.25.3-bookworm",
"baseImageRemediation": {
"advice": [
{
"bold": true,
"message": "According to our scan, you are currently using the most secure version of the selected base image"
}
],
"code": "NO_REMEDIATION_AVAILABLE"
}
},
"filesystemPolicy": true,
"filtered": {
"ignore": [
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-10-19T04:21:07.782934Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 9.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"modificationTime": "2023-10-19T13:10:57.430822Z",
"severity": "critical"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-10-27T11:02:39.566188Z",
"severity": "medium"
}
],
"cvssScore": 9.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n",
"disclosureTime": "2023-10-14T02:15:09.323000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.40323",
"probability": "0.00098"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-10-21T19:31:20.581Z",
"expires": "2023-11-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*",
"curl@7.88.1-10+deb12u4",
"zlib/zlib1g@1:1.2.13.dfsg-1"
],
"id": "SNYK-DEBIAN12-ZLIB-6008963",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-45853"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-10-27T11:02:39.566188Z",
"name": "zlib/zlib1g",
"nvdSeverity": "critical",
"packageManager": "debian:12",
"packageName": "zlib",
"patches": [],
"publicationTime": "2023-10-19T04:21:02.193720Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-45853",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356",
"url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61",
"url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61"
},
{
"title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4",
"url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4"
},
{
"title": "https://github.com/madler/zlib/pull/843",
"url": "https://github.com/madler/zlib/pull/843"
},
{
"title": "https://www.winimage.com/zLibDll/minizip.html",
"url": "https://www.winimage.com/zLibDll/minizip.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/20/9",
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "critical",
"severityWithCritical": "critical",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "1:1.2.13.dfsg-1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-10-19T04:21:07.782934Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 9.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"modificationTime": "2023-10-19T13:10:57.430822Z",
"severity": "critical"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-10-27T11:02:39.566188Z",
"severity": "medium"
}
],
"cvssScore": 9.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n",
"disclosureTime": "2023-10-14T02:15:09.323000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.40323",
"probability": "0.00098"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-10-21T19:31:20.581Z",
"expires": "2023-11-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*",
"nginx@1.25.3-1~bookworm",
"zlib/zlib1g@1:1.2.13.dfsg-1"
],
"id": "SNYK-DEBIAN12-ZLIB-6008963",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-45853"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-10-27T11:02:39.566188Z",
"name": "zlib/zlib1g",
"nvdSeverity": "critical",
"packageManager": "debian:12",
"packageName": "zlib",
"patches": [],
"publicationTime": "2023-10-19T04:21:02.193720Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-45853",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356",
"url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61",
"url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61"
},
{
"title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4",
"url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4"
},
{
"title": "https://github.com/madler/zlib/pull/843",
"url": "https://github.com/madler/zlib/pull/843"
},
{
"title": "https://www.winimage.com/zLibDll/minizip.html",
"url": "https://www.winimage.com/zLibDll/minizip.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/20/9",
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "critical",
"severityWithCritical": "critical",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "1:1.2.13.dfsg-1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-10-19T04:21:07.782934Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 9.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"modificationTime": "2023-10-19T13:10:57.430822Z",
"severity": "critical"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-10-27T11:02:39.566188Z",
"severity": "medium"
}
],
"cvssScore": 9.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n",
"disclosureTime": "2023-10-14T02:15:09.323000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.40323",
"probability": "0.00098"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-10-21T19:31:20.581Z",
"expires": "2023-11-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*",
"nginx-module-njs@1.25.3+0.8.2-1~bookworm",
"zlib/zlib1g@1:1.2.13.dfsg-1"
],
"id": "SNYK-DEBIAN12-ZLIB-6008963",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-45853"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-10-27T11:02:39.566188Z",
"name": "zlib/zlib1g",
"nvdSeverity": "critical",
"packageManager": "debian:12",
"packageName": "zlib",
"patches": [],
"publicationTime": "2023-10-19T04:21:02.193720Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-45853",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356",
"url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61",
"url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61"
},
{
"title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4",
"url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4"
},
{
"title": "https://github.com/madler/zlib/pull/843",
"url": "https://github.com/madler/zlib/pull/843"
},
{
"title": "https://www.winimage.com/zLibDll/minizip.html",
"url": "https://www.winimage.com/zLibDll/minizip.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/20/9",
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "critical",
"severityWithCritical": "critical",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "1:1.2.13.dfsg-1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-10-19T04:21:07.782934Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 9.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"modificationTime": "2023-10-19T13:10:57.430822Z",
"severity": "critical"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-10-27T11:02:39.566188Z",
"severity": "medium"
}
],
"cvssScore": 9.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n",
"disclosureTime": "2023-10-14T02:15:09.323000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.40323",
"probability": "0.00098"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-10-21T19:31:20.581Z",
"expires": "2023-11-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*",
"util-linux/util-linux@2.38.1-5+b1",
"zlib/zlib1g@1:1.2.13.dfsg-1"
],
"id": "SNYK-DEBIAN12-ZLIB-6008963",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-45853"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-10-27T11:02:39.566188Z",
"name": "zlib/zlib1g",
"nvdSeverity": "critical",
"packageManager": "debian:12",
"packageName": "zlib",
"patches": [],
"publicationTime": "2023-10-19T04:21:02.193720Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-45853",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356",
"url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61",
"url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61"
},
{
"title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4",
"url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4"
},
{
"title": "https://github.com/madler/zlib/pull/843",
"url": "https://github.com/madler/zlib/pull/843"
},
{
"title": "https://www.winimage.com/zLibDll/minizip.html",
"url": "https://www.winimage.com/zLibDll/minizip.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/20/9",
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "critical",
"severityWithCritical": "critical",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "1:1.2.13.dfsg-1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-10-19T04:21:07.782934Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 9.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"modificationTime": "2023-10-19T13:10:57.430822Z",
"severity": "critical"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-10-27T11:02:39.566188Z",
"severity": "medium"
}
],
"cvssScore": 9.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n",
"disclosureTime": "2023-10-14T02:15:09.323000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.40323",
"probability": "0.00098"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-10-21T19:31:20.581Z",
"expires": "2023-11-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*",
"apt@2.6.1",
"apt/libapt-pkg6.0@2.6.1",
"zlib/zlib1g@1:1.2.13.dfsg-1"
],
"id": "SNYK-DEBIAN12-ZLIB-6008963",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-45853"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-10-27T11:02:39.566188Z",
"name": "zlib/zlib1g",
"nvdSeverity": "critical",
"packageManager": "debian:12",
"packageName": "zlib",
"patches": [],
"publicationTime": "2023-10-19T04:21:02.193720Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-45853",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356",
"url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61",
"url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61"
},
{
"title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4",
"url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4"
},
{
"title": "https://github.com/madler/zlib/pull/843",
"url": "https://github.com/madler/zlib/pull/843"
},
{
"title": "https://www.winimage.com/zLibDll/minizip.html",
"url": "https://www.winimage.com/zLibDll/minizip.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/20/9",
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "critical",
"severityWithCritical": "critical",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "1:1.2.13.dfsg-1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-10-19T04:21:07.782934Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 9.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"modificationTime": "2023-10-19T13:10:57.430822Z",
"severity": "critical"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-10-27T11:02:39.566188Z",
"severity": "medium"
}
],
"cvssScore": 9.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n",
"disclosureTime": "2023-10-14T02:15:09.323000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.40323",
"probability": "0.00098"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-10-21T19:31:20.581Z",
"expires": "2023-11-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*",
"apt@2.6.1",
"gnupg2/gpgv@2.2.40-1.1",
"zlib/zlib1g@1:1.2.13.dfsg-1"
],
"id": "SNYK-DEBIAN12-ZLIB-6008963",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-45853"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-10-27T11:02:39.566188Z",
"name": "zlib/zlib1g",
"nvdSeverity": "critical",
"packageManager": "debian:12",
"packageName": "zlib",
"patches": [],
"publicationTime": "2023-10-19T04:21:02.193720Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-45853",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356",
"url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61",
"url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61"
},
{
"title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4",
"url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4"
},
{
"title": "https://github.com/madler/zlib/pull/843",
"url": "https://github.com/madler/zlib/pull/843"
},
{
"title": "https://www.winimage.com/zLibDll/minizip.html",
"url": "https://www.winimage.com/zLibDll/minizip.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/20/9",
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "critical",
"severityWithCritical": "critical",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "1:1.2.13.dfsg-1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-10-19T04:21:07.782934Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 9.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"modificationTime": "2023-10-19T13:10:57.430822Z",
"severity": "critical"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-10-27T11:02:39.566188Z",
"severity": "medium"
}
],
"cvssScore": 9.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n",
"disclosureTime": "2023-10-14T02:15:09.323000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.40323",
"probability": "0.00098"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-10-21T19:31:20.581Z",
"expires": "2023-11-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*",
"curl@7.88.1-10+deb12u4",
"curl/libcurl4@7.88.1-10+deb12u4",
"zlib/zlib1g@1:1.2.13.dfsg-1"
],
"id": "SNYK-DEBIAN12-ZLIB-6008963",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-45853"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-10-27T11:02:39.566188Z",
"name": "zlib/zlib1g",
"nvdSeverity": "critical",
"packageManager": "debian:12",
"packageName": "zlib",
"patches": [],
"publicationTime": "2023-10-19T04:21:02.193720Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-45853",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356",
"url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61",
"url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61"
},
{
"title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4",
"url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4"
},
{
"title": "https://github.com/madler/zlib/pull/843",
"url": "https://github.com/madler/zlib/pull/843"
},
{
"title": "https://www.winimage.com/zLibDll/minizip.html",
"url": "https://www.winimage.com/zLibDll/minizip.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/20/9",
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "critical",
"severityWithCritical": "critical",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "1:1.2.13.dfsg-1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-10-19T04:21:07.782934Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 9.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"modificationTime": "2023-10-19T13:10:57.430822Z",
"severity": "critical"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-10-27T11:02:39.566188Z",
"severity": "medium"
}
],
"cvssScore": 9.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n",
"disclosureTime": "2023-10-14T02:15:09.323000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.40323",
"probability": "0.00098"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-10-21T19:31:20.581Z",
"expires": "2023-11-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*",
"dash@0.5.12-2",
"dpkg@1.21.22",
"zlib/zlib1g@1:1.2.13.dfsg-1"
],
"id": "SNYK-DEBIAN12-ZLIB-6008963",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-45853"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-10-27T11:02:39.566188Z",
"name": "zlib/zlib1g",
"nvdSeverity": "critical",
"packageManager": "debian:12",
"packageName": "zlib",
"patches": [],
"publicationTime": "2023-10-19T04:21:02.193720Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-45853",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356",
"url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61",
"url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61"
},
{
"title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4",
"url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4"
},
{
"title": "https://github.com/madler/zlib/pull/843",
"url": "https://github.com/madler/zlib/pull/843"
},
{
"title": "https://www.winimage.com/zLibDll/minizip.html",
"url": "https://www.winimage.com/zLibDll/minizip.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/20/9",
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "critical",
"severityWithCritical": "critical",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "1:1.2.13.dfsg-1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-10-19T04:21:07.782934Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 9.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"modificationTime": "2023-10-19T13:10:57.430822Z",
"severity": "critical"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-10-27T11:02:39.566188Z",
"severity": "medium"
}
],
"cvssScore": 9.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n",
"disclosureTime": "2023-10-14T02:15:09.323000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.40323",
"probability": "0.00098"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-10-21T19:31:20.581Z",
"expires": "2023-11-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*",
"nginx-module-njs@1.25.3+0.8.2-1~bookworm",
"libxml2@2.9.14+dfsg-1.3~deb12u1",
"zlib/zlib1g@1:1.2.13.dfsg-1"
],
"id": "SNYK-DEBIAN12-ZLIB-6008963",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-45853"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-10-27T11:02:39.566188Z",
"name": "zlib/zlib1g",
"nvdSeverity": "critical",
"packageManager": "debian:12",
"packageName": "zlib",
"patches": [],
"publicationTime": "2023-10-19T04:21:02.193720Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-45853",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356",
"url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61",
"url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61"
},
{
"title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4",
"url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4"
},
{
"title": "https://github.com/madler/zlib/pull/843",
"url": "https://github.com/madler/zlib/pull/843"
},
{
"title": "https://www.winimage.com/zLibDll/minizip.html",
"url": "https://www.winimage.com/zLibDll/minizip.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/20/9",
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "critical",
"severityWithCritical": "critical",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "1:1.2.13.dfsg-1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-10-19T04:21:07.782934Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 9.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"modificationTime": "2023-10-19T13:10:57.430822Z",
"severity": "critical"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-10-27T11:02:39.566188Z",
"severity": "medium"
}
],
"cvssScore": 9.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n",
"disclosureTime": "2023-10-14T02:15:09.323000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.40323",
"probability": "0.00098"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-10-21T19:31:20.581Z",
"expires": "2023-11-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*",
"curl@7.88.1-10+deb12u4",
"curl/libcurl4@7.88.1-10+deb12u4",
"libssh2/libssh2-1@1.10.0-3+b1",
"zlib/zlib1g@1:1.2.13.dfsg-1"
],
"id": "SNYK-DEBIAN12-ZLIB-6008963",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-45853"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-10-27T11:02:39.566188Z",
"name": "zlib/zlib1g",
"nvdSeverity": "critical",
"packageManager": "debian:12",
"packageName": "zlib",
"patches": [],
"publicationTime": "2023-10-19T04:21:02.193720Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-45853",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356",
"url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61",
"url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61"
},
{
"title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4",
"url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4"
},
{
"title": "https://github.com/madler/zlib/pull/843",
"url": "https://github.com/madler/zlib/pull/843"
},
{
"title": "https://www.winimage.com/zLibDll/minizip.html",
"url": "https://www.winimage.com/zLibDll/minizip.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/20/9",
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "critical",
"severityWithCritical": "critical",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "1:1.2.13.dfsg-1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-10-19T04:21:07.782934Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 9.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"modificationTime": "2023-10-19T13:10:57.430822Z",
"severity": "critical"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-10-27T11:02:39.566188Z",
"severity": "medium"
}
],
"cvssScore": 9.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n",
"disclosureTime": "2023-10-14T02:15:09.323000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.40323",
"probability": "0.00098"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-10-21T19:31:20.581Z",
"expires": "2023-11-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*",
"curl@7.88.1-10+deb12u4",
"curl/libcurl4@7.88.1-10+deb12u4",
"rtmpdump/librtmp1@2.4+20151223.gitfa8646d.1-2+b2",
"zlib/zlib1g@1:1.2.13.dfsg-1"
],
"id": "SNYK-DEBIAN12-ZLIB-6008963",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-45853"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-10-27T11:02:39.566188Z",
"name": "zlib/zlib1g",
"nvdSeverity": "critical",
"packageManager": "debian:12",
"packageName": "zlib",
"patches": [],
"publicationTime": "2023-10-19T04:21:02.193720Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-45853",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356",
"url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61",
"url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61"
},
{
"title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4",
"url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4"
},
{
"title": "https://github.com/madler/zlib/pull/843",
"url": "https://github.com/madler/zlib/pull/843"
},
{
"title": "https://www.winimage.com/zLibDll/minizip.html",
"url": "https://www.winimage.com/zLibDll/minizip.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/20/9",
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "critical",
"severityWithCritical": "critical",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "1:1.2.13.dfsg-1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-10-19T04:21:07.782934Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 9.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"modificationTime": "2023-10-19T13:10:57.430822Z",
"severity": "critical"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-10-27T11:02:39.566188Z",
"severity": "medium"
}
],
"cvssScore": 9.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n",
"disclosureTime": "2023-10-14T02:15:09.323000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.40323",
"probability": "0.00098"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-10-21T19:31:20.581Z",
"expires": "2023-11-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*",
"nginx-module-image-filter@1.25.3-1~bookworm",
"libgd2/libgd3@2.3.3-9",
"libheif/libheif1@1.15.1-1",
"zlib/zlib1g@1:1.2.13.dfsg-1"
],
"id": "SNYK-DEBIAN12-ZLIB-6008963",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-45853"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-10-27T11:02:39.566188Z",
"name": "zlib/zlib1g",
"nvdSeverity": "critical",
"packageManager": "debian:12",
"packageName": "zlib",
"patches": [],
"publicationTime": "2023-10-19T04:21:02.193720Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-45853",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356",
"url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61",
"url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61"
},
{
"title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4",
"url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4"
},
{
"title": "https://github.com/madler/zlib/pull/843",
"url": "https://github.com/madler/zlib/pull/843"
},
{
"title": "https://www.winimage.com/zLibDll/minizip.html",
"url": "https://www.winimage.com/zLibDll/minizip.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/20/9",
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "critical",
"severityWithCritical": "critical",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "1:1.2.13.dfsg-1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-10-19T04:21:07.782934Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 9.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"modificationTime": "2023-10-19T13:10:57.430822Z",
"severity": "critical"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-10-27T11:02:39.566188Z",
"severity": "medium"
}
],
"cvssScore": 9.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n",
"disclosureTime": "2023-10-14T02:15:09.323000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.40323",
"probability": "0.00098"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-10-21T19:31:20.581Z",
"expires": "2023-11-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*",
"nginx-module-image-filter@1.25.3-1~bookworm",
"libgd2/libgd3@2.3.3-9",
"tiff/libtiff6@4.5.0-6",
"zlib/zlib1g@1:1.2.13.dfsg-1"
],
"id": "SNYK-DEBIAN12-ZLIB-6008963",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-45853"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-10-27T11:02:39.566188Z",
"name": "zlib/zlib1g",
"nvdSeverity": "critical",
"packageManager": "debian:12",
"packageName": "zlib",
"patches": [],
"publicationTime": "2023-10-19T04:21:02.193720Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-45853",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356",
"url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61",
"url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61"
},
{
"title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4",
"url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4"
},
{
"title": "https://github.com/madler/zlib/pull/843",
"url": "https://github.com/madler/zlib/pull/843"
},
{
"title": "https://www.winimage.com/zLibDll/minizip.html",
"url": "https://www.winimage.com/zLibDll/minizip.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/20/9",
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "critical",
"severityWithCritical": "critical",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "1:1.2.13.dfsg-1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-10-19T04:21:07.782934Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 9.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"modificationTime": "2023-10-19T13:10:57.430822Z",
"severity": "critical"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-10-27T11:02:39.566188Z",
"severity": "medium"
}
],
"cvssScore": 9.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n",
"disclosureTime": "2023-10-14T02:15:09.323000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.40323",
"probability": "0.00098"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-10-21T19:31:20.581Z",
"expires": "2023-11-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*",
"nginx-module-image-filter@1.25.3-1~bookworm",
"libgd2/libgd3@2.3.3-9",
"fontconfig/libfontconfig1@2.14.1-4",
"freetype/libfreetype6@2.12.1+dfsg-5",
"zlib/zlib1g@1:1.2.13.dfsg-1"
],
"id": "SNYK-DEBIAN12-ZLIB-6008963",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-45853"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-10-27T11:02:39.566188Z",
"name": "zlib/zlib1g",
"nvdSeverity": "critical",
"packageManager": "debian:12",
"packageName": "zlib",
"patches": [],
"publicationTime": "2023-10-19T04:21:02.193720Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-45853",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356",
"url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61",
"url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61"
},
{
"title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4",
"url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4"
},
{
"title": "https://github.com/madler/zlib/pull/843",
"url": "https://github.com/madler/zlib/pull/843"
},
{
"title": "https://www.winimage.com/zLibDll/minizip.html",
"url": "https://www.winimage.com/zLibDll/minizip.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/20/9",
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "critical",
"severityWithCritical": "critical",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "1:1.2.13.dfsg-1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cpes": [],
"creationTime": "2023-10-19T04:21:07.782934Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 9.8,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"modificationTime": "2023-10-19T13:10:57.430822Z",
"severity": "critical"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 5.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"modificationTime": "2023-10-27T11:02:39.566188Z",
"severity": "medium"
}
],
"cvssScore": 9.8,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n",
"disclosureTime": "2023-10-14T02:15:09.323000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.40323",
"probability": "0.00098"
},
"exploit": "Not Defined",
"filtered": {
"ignored": [
{
"created": "2023-10-21T19:31:20.581Z",
"expires": "2023-11-21T19:31:20.564Z",
"path": [
"*"
],
"reason": "Waiting for Debian upgrade",
"source": "cli"
}
]
},
"fixedIn": [],
"from": [
"docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*",
"nginx-module-image-filter@1.25.3-1~bookworm",
"libgd2/libgd3@2.3.3-9",
"fontconfig/libfontconfig1@2.14.1-4",
"freetype/libfreetype6@2.12.1+dfsg-5",
"libpng1.6/libpng16-16@1.6.39-2",
"zlib/zlib1g@1:1.2.13.dfsg-1"
],
"id": "SNYK-DEBIAN12-ZLIB-6008963",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-45853"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-10-27T11:02:39.566188Z",
"name": "zlib/zlib1g",
"nvdSeverity": "critical",
"packageManager": "debian:12",
"packageName": "zlib",
"patches": [],
"publicationTime": "2023-10-19T04:21:02.193720Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-45853",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-45853"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356",
"url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356"
},
{
"title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61",
"url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61"
},
{
"title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4",
"url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4"
},
{
"title": "https://github.com/madler/zlib/pull/843",
"url": "https://github.com/madler/zlib/pull/843"
},
{
"title": "https://www.winimage.com/zLibDll/minizip.html",
"url": "https://www.winimage.com/zLibDll/minizip.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/20/9",
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/9"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "critical",
"severityWithCritical": "critical",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "1:1.2.13.dfsg-1"
}
],
"patch": []
},
"hasUnknownVersions": false,
"ignoreSettings": {
"adminOnly": false,
"disregardFilesystemIgnores": false,
"reasonRequired": false
},
"isPrivate": true,
"licensesPolicy": {
"orgLicenseRules": {
"AGPL-1.0": {
"instructions": "",
"licenseType": "AGPL-1.0",
"severity": "high"
},
"AGPL-3.0": {
"instructions": "",
"licenseType": "AGPL-3.0",
"severity": "high"
},
"Artistic-1.0": {
"instructions": "",
"licenseType": "Artistic-1.0",
"severity": "medium"
},
"Artistic-2.0": {
"instructions": "",
"licenseType": "Artistic-2.0",
"severity": "medium"
},
"CDDL-1.0": {
"instructions": "",
"licenseType": "CDDL-1.0",
"severity": "medium"
},
"CPOL-1.02": {
"instructions": "",
"licenseType": "CPOL-1.02",
"severity": "high"
},
"EPL-1.0": {
"instructions": "",
"licenseType": "EPL-1.0",
"severity": "medium"
},
"GPL-2.0": {
"instructions": "",
"licenseType": "GPL-2.0",
"severity": "high"
},
"GPL-3.0": {
"instructions": "",
"licenseType": "GPL-3.0",
"severity": "high"
},
"LGPL-2.0": {
"instructions": "",
"licenseType": "LGPL-2.0",
"severity": "medium"
},
"LGPL-2.1": {
"instructions": "",
"licenseType": "LGPL-2.1",
"severity": "medium"
},
"LGPL-3.0": {
"instructions": "",
"licenseType": "LGPL-3.0",
"severity": "medium"
},
"MPL-1.1": {
"instructions": "",
"licenseType": "MPL-1.1",
"severity": "medium"
},
"MPL-2.0": {
"instructions": "",
"licenseType": "MPL-2.0",
"severity": "medium"
},
"MS-RL": {
"instructions": "",
"licenseType": "MS-RL",
"severity": "medium"
},
"SimPL-2.0": {
"instructions": "",
"licenseType": "SimPL-2.0",
"severity": "high"
}
},
"severities": {}
},
"ok": false,
"org": "jonjagger",
"packageManager": "deb",
"path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@sha256:8f2afb7bf12de36f46b424cb27abd92b6db52e52db72f11cc3dee8f9b0aea9aa/nginx:b8bf72b",
"platform": "linux/amd64",
"policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-DEBIAN12-TIFF-5862859:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-10T19:30:13.235Z\n created: 2023-10-11T19:30:13.242Z\n source: cli\n SNYK-DEBIAN12-TIFF-5862863:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-10T19:30:34.260Z\n created: 2023-10-11T19:30:34.270Z\n source: cli\n SNYK-DEBIAN12-TIFF-5934984:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-10T19:30:47.863Z\n created: 2023-10-11T19:30:47.874Z\n source: cli\n SNYK-DEBIAN12-NGHTTP2-5953379:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-10T19:31:20.564Z\n created: 2023-10-11T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-ZLIB-6008963:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-21T19:31:20.564Z\n created: 2023-10-21T19:31:20.581Z\n source: cli\npatch: {}\n",
"projectName": "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b",
"severityThreshold": "medium",
"summary": "19 medium or high or critical severity vulnerable dependency paths",
"uniqueCount": 4,
"vulnerabilities": [
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H",
"cpes": [],
"creationTime": "2023-10-11T02:06:26.471182Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 7.5,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"modificationTime": "2023-10-14T01:11:01.801031Z",
"severity": "high"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 7.5,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"modificationTime": "2023-10-14T11:03:27.396232Z",
"severity": "high"
},
{
"assigner": "Red Hat",
"cvssV3BaseScore": 7.5,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"modificationTime": "2023-11-08T09:43:54.280816Z",
"severity": "high"
}
],
"cvssScore": 7.5,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `nghttp2` package and not the `nghttp2` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.\n## Remediation\nThere is no fixed version for `Debian:12` `nghttp2`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-44487)\n- [cve@mitre.org](https://aws.amazon.com/security/security-bulletins/AWS-2023-011/)\n- [cve@mitre.org](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [cve@mitre.org](https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37831062)\n- [cve@mitre.org](https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/)\n- [cve@mitre.org](https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack)\n- [cve@mitre.org](https://chaos.social/@icing/111210915918780532)\n- [cve@mitre.org](https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764)\n- [cve@mitre.org](https://github.com/alibaba/tengine/issues/1872)\n- [cve@mitre.org](https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2)\n- [cve@mitre.org](https://github.com/bcdannyboy/CVE-2023-44487)\n- [cve@mitre.org](https://github.com/caddyserver/caddy/issues/5877)\n- [cve@mitre.org](https://github.com/eclipse/jetty.project/issues/10679)\n- [cve@mitre.org](https://github.com/envoyproxy/envoy/pull/30055)\n- [cve@mitre.org](https://github.com/haproxy/haproxy/issues/2312)\n- [cve@mitre.org](https://github.com/hyperium/hyper/issues/3337)\n- [cve@mitre.org](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/pull/1961)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830987)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830998)\n- [cve@mitre.org](https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/)\n- [cve@mitre.org](https://github.com/grpc/grpc-go/pull/6703)\n- [cve@mitre.org](https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0)\n- [cve@mitre.org](https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html)\n- [cve@mitre.org](https://my.f5.com/manage/s/article/K000137106)\n- [cve@mitre.org](https://bugzilla.proxmox.com/show_bug.cgi?id=4988)\n- [cve@mitre.org](https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9)\n- [cve@mitre.org](https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/)\n- [cve@mitre.org](https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve)\n- [cve@mitre.org](https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088)\n- [cve@mitre.org](https://github.com/advisories/GHSA-vx74-f528-fxqg)\n- [cve@mitre.org](https://github.com/apache/trafficserver/pull/10564)\n- [cve@mitre.org](https://github.com/dotnet/announcements/issues/277)\n- [cve@mitre.org](https://github.com/facebook/proxygen/pull/466)\n- [cve@mitre.org](https://github.com/golang/go/issues/63417)\n- [cve@mitre.org](https://github.com/h2o/h2o/pull/3291)\n- [cve@mitre.org](https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf)\n- [cve@mitre.org](https://github.com/micrictor/http2-rst-stream)\n- [cve@mitre.org](https://github.com/microsoft/CBL-Mariner/pull/6381)\n- [cve@mitre.org](https://github.com/nodejs/node/pull/50121)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo)\n- [cve@mitre.org](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487)\n- [cve@mitre.org](https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/)\n- [cve@mitre.org](https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q)\n- [cve@mitre.org](https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected)\n- [cve@mitre.org](https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/10/10/6)\n- [cve@mitre.org](https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73)\n- [cve@mitre.org](https://github.com/advisories/GHSA-xpw8-rcwv-8f8p)\n- [cve@mitre.org](https://github.com/kubernetes/kubernetes/pull/121120)\n- [cve@mitre.org](https://github.com/opensearch-project/data-prepper/issues/3474)\n- [cve@mitre.org](https://github.com/oqtane/oqtane.framework/discussions/3367)\n- [cve@mitre.org](https://netty.io/news/2023/10/10/4-1-100-Final.html)\n- [cve@mitre.org](https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487)\n- [cve@mitre.org](https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack)\n- [cve@mitre.org](https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/issues/93)\n- [cve@mitre.org](https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37837043)\n- [cve@mitre.org](https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5521)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5522)\n- [cve@mitre.org](https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/)\n- [cve@mitre.org](https://access.redhat.com/security/cve/cve-2023-44487)\n- [cve@mitre.org](https://blog.vespa.ai/cve-2023-44487/)\n- [cve@mitre.org](https://bugzilla.redhat.com/show_bug.cgi?id=2242803)\n- [cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1216123)\n- [cve@mitre.org](https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125)\n- [cve@mitre.org](https://github.com/advisories/GHSA-qppj-fm5r-hxr3)\n- [cve@mitre.org](https://github.com/etcd-io/etcd/issues/16740)\n- [cve@mitre.org](https://github.com/junkurihara/rust-rpxy/issues/97)\n- [cve@mitre.org](https://github.com/ninenines/cowboy/issues/1615)\n- [cve@mitre.org](https://github.com/tempesta-tech/tempesta/issues/1986)\n- [cve@mitre.org](https://github.com/varnishcache/varnish-cache/issues/3996)\n- [cve@mitre.org](https://istio.io/latest/news/security/istio-security-2023-004/)\n- [cve@mitre.org](https://ubuntu.com/security/CVE-2023-44487)\n- [cve@mitre.org](https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event)\n- [cve@mitre.org](https://github.com/apache/httpd-site/pull/10)\n- [cve@mitre.org](https://github.com/line/armeria/pull/5232)\n- [cve@mitre.org](https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632)\n- [cve@mitre.org](https://github.com/projectcontour/contour/pull/5826)\n- [cve@mitre.org](https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/)\n- [cve@mitre.org](https://github.com/Azure/AKS/issues/3947)\n- [cve@mitre.org](https://github.com/Kong/kong/discussions/11741)\n- [cve@mitre.org](https://github.com/akka/akka-http/issues/4323)\n- [cve@mitre.org](https://github.com/apache/apisix/issues/10320)\n- [cve@mitre.org](https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487)\n- [cve@mitre.org](https://github.com/openresty/openresty/issues/930)\n- [cve@mitre.org](https://security.paloaltonetworks.com/CVE-2023-44487)\n- [cve@mitre.org](https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/)\n- [cve@mitre.org](https://github.com/caddyserver/caddy/releases/tag/v2.7.5)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/13/4)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/13/9)\n- [cve@mitre.org](https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/)\n- [cve@mitre.org](https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/)\n- [cve@mitre.org](https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231016-0001/)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/18/4)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/18/8)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/19/6)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/8)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5540)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html)\n- [cve@mitre.org](https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5549)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n",
"disclosureTime": "2023-10-10T14:15:10.883000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.97205",
"probability": "0.52748"
},
"exploit": "High",
"fixedIn": [],
"from": [
"docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*",
"curl@7.88.1-10+deb12u4",
"curl/libcurl4@7.88.1-10+deb12u4",
"nghttp2/libnghttp2-14@1.52.0-1"
],
"id": "SNYK-DEBIAN12-NGHTTP2-5953379",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-44487"
],
"CWE": [
"CWE-400"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-11-09T15:25:02.573156Z",
"name": "nghttp2/libnghttp2-14",
"nvdSeverity": "high",
"packageManager": "debian:12",
"packageName": "nghttp2",
"patches": [],
"publicationTime": "2023-10-11T01:07:39.545468Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-44487",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-44487"
},
{
"title": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/",
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/"
},
{
"title": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/",
"url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/"
},
{
"title": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/",
"url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/"
},
{
"title": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/",
"url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/"
},
{
"title": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack",
"url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack"
},
{
"title": "https://news.ycombinator.com/item?id=37831062",
"url": "https://news.ycombinator.com/item?id=37831062"
},
{
"title": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/",
"url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/"
},
{
"title": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack",
"url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack"
},
{
"title": "https://chaos.social/@icing/111210915918780532",
"url": "https://chaos.social/@icing/111210915918780532"
},
{
"title": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764",
"url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764"
},
{
"title": "https://github.com/alibaba/tengine/issues/1872",
"url": "https://github.com/alibaba/tengine/issues/1872"
},
{
"title": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2",
"url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2"
},
{
"title": "https://github.com/bcdannyboy/CVE-2023-44487",
"url": "https://github.com/bcdannyboy/CVE-2023-44487"
},
{
"title": "https://github.com/caddyserver/caddy/issues/5877",
"url": "https://github.com/caddyserver/caddy/issues/5877"
},
{
"title": "https://github.com/eclipse/jetty.project/issues/10679",
"url": "https://github.com/eclipse/jetty.project/issues/10679"
},
{
"title": "https://github.com/envoyproxy/envoy/pull/30055",
"url": "https://github.com/envoyproxy/envoy/pull/30055"
},
{
"title": "https://github.com/haproxy/haproxy/issues/2312",
"url": "https://github.com/haproxy/haproxy/issues/2312"
},
{
"title": "https://github.com/hyperium/hyper/issues/3337",
"url": "https://github.com/hyperium/hyper/issues/3337"
},
{
"title": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61",
"url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61"
},
{
"title": "https://github.com/nghttp2/nghttp2/pull/1961",
"url": "https://github.com/nghttp2/nghttp2/pull/1961"
},
{
"title": "https://news.ycombinator.com/item?id=37830987",
"url": "https://news.ycombinator.com/item?id=37830987"
},
{
"title": "https://news.ycombinator.com/item?id=37830998",
"url": "https://news.ycombinator.com/item?id=37830998"
},
{
"title": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/",
"url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/"
},
{
"title": "https://github.com/grpc/grpc-go/pull/6703",
"url": "https://github.com/grpc/grpc-go/pull/6703"
},
{
"title": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244",
"url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244"
},
{
"title": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0",
"url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0"
},
{
"title": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html",
"url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html"
},
{
"title": "https://my.f5.com/manage/s/article/K000137106",
"url": "https://my.f5.com/manage/s/article/K000137106"
},
{
"title": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988",
"url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988"
},
{
"title": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9",
"url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9"
},
{
"title": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/",
"url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/"
},
{
"title": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve",
"url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve"
},
{
"title": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088",
"url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088"
},
{
"title": "https://github.com/advisories/GHSA-vx74-f528-fxqg",
"url": "https://github.com/advisories/GHSA-vx74-f528-fxqg"
},
{
"title": "https://github.com/apache/trafficserver/pull/10564",
"url": "https://github.com/apache/trafficserver/pull/10564"
},
{
"title": "https://github.com/dotnet/announcements/issues/277",
"url": "https://github.com/dotnet/announcements/issues/277"
},
{
"title": "https://github.com/facebook/proxygen/pull/466",
"url": "https://github.com/facebook/proxygen/pull/466"
},
{
"title": "https://github.com/golang/go/issues/63417",
"url": "https://github.com/golang/go/issues/63417"
},
{
"title": "https://github.com/h2o/h2o/pull/3291",
"url": "https://github.com/h2o/h2o/pull/3291"
},
{
"title": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf",
"url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf"
},
{
"title": "https://github.com/micrictor/http2-rst-stream",
"url": "https://github.com/micrictor/http2-rst-stream"
},
{
"title": "https://github.com/microsoft/CBL-Mariner/pull/6381",
"url": "https://github.com/microsoft/CBL-Mariner/pull/6381"
},
{
"title": "https://github.com/nodejs/node/pull/50121",
"url": "https://github.com/nodejs/node/pull/50121"
},
{
"title": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo",
"url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo"
},
{
"title": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487"
},
{
"title": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/",
"url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/"
},
{
"title": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q",
"url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q"
},
{
"title": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected",
"url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected"
},
{
"title": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14",
"url": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14"
},
{
"title": "https://www.openwall.com/lists/oss-security/2023/10/10/6",
"url": "https://www.openwall.com/lists/oss-security/2023/10/10/6"
},
{
"title": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73",
"url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73"
},
{
"title": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p",
"url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p"
},
{
"title": "https://github.com/kubernetes/kubernetes/pull/121120",
"url": "https://github.com/kubernetes/kubernetes/pull/121120"
},
{
"title": "https://github.com/opensearch-project/data-prepper/issues/3474",
"url": "https://github.com/opensearch-project/data-prepper/issues/3474"
},
{
"title": "https://github.com/oqtane/oqtane.framework/discussions/3367",
"url": "https://github.com/oqtane/oqtane.framework/discussions/3367"
},
{
"title": "https://netty.io/news/2023/10/10/4-1-100-Final.html",
"url": "https://netty.io/news/2023/10/10/4-1-100-Final.html"
},
{
"title": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487",
"url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487"
},
{
"title": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack",
"url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack"
},
{
"title": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113",
"url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113"
},
{
"title": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1",
"url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1"
},
{
"title": "https://github.com/kazu-yamamoto/http2/issues/93",
"url": "https://github.com/kazu-yamamoto/http2/issues/93"
},
{
"title": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html",
"url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html"
},
{
"title": "https://news.ycombinator.com/item?id=37837043",
"url": "https://news.ycombinator.com/item?id=37837043"
},
{
"title": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487",
"url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487"
},
{
"title": "https://www.debian.org/security/2023/dsa-5521",
"url": "https://www.debian.org/security/2023/dsa-5521"
},
{
"title": "https://www.debian.org/security/2023/dsa-5522",
"url": "https://www.debian.org/security/2023/dsa-5522"
},
{
"title": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/",
"url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/"
},
{
"title": "https://access.redhat.com/security/cve/cve-2023-44487",
"url": "https://access.redhat.com/security/cve/cve-2023-44487"
},
{
"title": "https://blog.vespa.ai/cve-2023-44487/",
"url": "https://blog.vespa.ai/cve-2023-44487/"
},
{
"title": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803"
},
{
"title": "https://bugzilla.suse.com/show_bug.cgi?id=1216123",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123"
},
{
"title": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125",
"url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125"
},
{
"title": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3",
"url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3"
},
{
"title": "https://github.com/etcd-io/etcd/issues/16740",
"url": "https://github.com/etcd-io/etcd/issues/16740"
},
{
"title": "https://github.com/junkurihara/rust-rpxy/issues/97",
"url": "https://github.com/junkurihara/rust-rpxy/issues/97"
},
{
"title": "https://github.com/ninenines/cowboy/issues/1615",
"url": "https://github.com/ninenines/cowboy/issues/1615"
},
{
"title": "https://github.com/tempesta-tech/tempesta/issues/1986",
"url": "https://github.com/tempesta-tech/tempesta/issues/1986"
},
{
"title": "https://github.com/varnishcache/varnish-cache/issues/3996",
"url": "https://github.com/varnishcache/varnish-cache/issues/3996"
},
{
"title": "https://istio.io/latest/news/security/istio-security-2023-004/",
"url": "https://istio.io/latest/news/security/istio-security-2023-004/"
},
{
"title": "https://ubuntu.com/security/CVE-2023-44487",
"url": "https://ubuntu.com/security/CVE-2023-44487"
},
{
"title": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event",
"url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event"
},
{
"title": "https://github.com/apache/httpd-site/pull/10",
"url": "https://github.com/apache/httpd-site/pull/10"
},
{
"title": "https://github.com/line/armeria/pull/5232",
"url": "https://github.com/line/armeria/pull/5232"
},
{
"title": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632",
"url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632"
},
{
"title": "https://github.com/projectcontour/contour/pull/5826",
"url": "https://github.com/projectcontour/contour/pull/5826"
},
{
"title": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/",
"url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/"
},
{
"title": "https://github.com/Azure/AKS/issues/3947",
"url": "https://github.com/Azure/AKS/issues/3947"
},
{
"title": "https://github.com/Kong/kong/discussions/11741",
"url": "https://github.com/Kong/kong/discussions/11741"
},
{
"title": "https://github.com/akka/akka-http/issues/4323",
"url": "https://github.com/akka/akka-http/issues/4323"
},
{
"title": "https://github.com/apache/apisix/issues/10320",
"url": "https://github.com/apache/apisix/issues/10320"
},
{
"title": "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487",
"url": "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487"
},
{
"title": "https://github.com/openresty/openresty/issues/930",
"url": "https://github.com/openresty/openresty/issues/930"
},
{
"title": "https://security.paloaltonetworks.com/CVE-2023-44487",
"url": "https://security.paloaltonetworks.com/CVE-2023-44487"
},
{
"title": "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/",
"url": "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/"
},
{
"title": "https://github.com/caddyserver/caddy/releases/tag/v2.7.5",
"url": "https://github.com/caddyserver/caddy/releases/tag/v2.7.5"
},
{
"title": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html",
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/13/4",
"url": "http://www.openwall.com/lists/oss-security/2023/10/13/4"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/13/9",
"url": "http://www.openwall.com/lists/oss-security/2023/10/13/9"
},
{
"title": "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/",
"url": "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/"
},
{
"title": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html",
"url": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/"
},
{
"title": "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/",
"url": "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/"
},
{
"title": "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html",
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html"
},
{
"title": "https://security.netapp.com/advisory/ntap-20231016-0001/",
"url": "https://security.netapp.com/advisory/ntap-20231016-0001/"
},
{
"title": "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html",
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/18/4",
"url": "http://www.openwall.com/lists/oss-security/2023/10/18/4"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/18/8",
"url": "http://www.openwall.com/lists/oss-security/2023/10/18/8"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/19/6",
"url": "http://www.openwall.com/lists/oss-security/2023/10/19/6"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/"
},
{
"title": "http://www.openwall.com/lists/oss-security/2023/10/20/8",
"url": "http://www.openwall.com/lists/oss-security/2023/10/20/8"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"
},
{
"title": "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html",
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html"
},
{
"title": "https://www.debian.org/security/2023/dsa-5540",
"url": "https://www.debian.org/security/2023/dsa-5540"
},
{
"title": "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html",
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html"
},
{
"title": "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715",
"url": "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/"
},
{
"title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html",
"url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html"
},
{
"title": "https://www.debian.org/security/2023/dsa-5549",
"url": "https://www.debian.org/security/2023/dsa-5549"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/"
},
{
"title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/"
},
{
"title": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "high",
"severityWithCritical": "high",
"socialTrendAlert": true,
"title": "Resource Exhaustion",
"upgradePath": [],
"version": "1.52.0-1"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"cpes": [],
"creationTime": "2023-08-29T02:14:12.065902Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 6.5,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"modificationTime": "2023-10-11T01:10:52.532167Z",
"severity": "medium"
},
{
"assigner": "Red Hat",
"cvssV3BaseScore": 6.5,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"modificationTime": "2023-11-08T09:43:50.658705Z",
"severity": "medium"
}
],
"cvssScore": 6.5,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tiff` package and not the `tiff` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nLibTIFF is vulnerable to an integer overflow. This flaw allows remote attackers to cause a denial of service (application crash) or possibly execute an arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-40745)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2023-40745)\n- [secalert@redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=2235265)\n- [secalert@redhat.com](https://security.netapp.com/advisory/ntap-20231110-0005/)\n",
"disclosureTime": "2023-10-05T19:15:11.260000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.22486",
"probability": "0.00058"
},
"exploit": "Not Defined",
"fixedIn": [],
"from": [
"docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*",
"nginx-module-image-filter@1.25.3-1~bookworm",
"libgd2/libgd3@2.3.3-9",
"tiff/libtiff6@4.5.0-6"
],
"id": "SNYK-DEBIAN12-TIFF-5862859",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-40745"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-11-11T01:10:45.525339Z",
"name": "tiff/libtiff6",
"nvdSeverity": "medium",
"packageManager": "debian:12",
"packageName": "tiff",
"patches": [],
"publicationTime": "2023-08-29T02:14:12.010192Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-40745",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-40745"
},
{
"title": "https://access.redhat.com/security/cve/CVE-2023-40745",
"url": "https://access.redhat.com/security/cve/CVE-2023-40745"
},
{
"title": "https://bugzilla.redhat.com/show_bug.cgi?id=2235265",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2235265"
},
{
"title": "https://security.netapp.com/advisory/ntap-20231110-0005/",
"url": "https://security.netapp.com/advisory/ntap-20231110-0005/"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "medium",
"severityWithCritical": "medium",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "4.5.0-6"
},
{
"CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"cpes": [],
"creationTime": "2023-08-29T02:15:15.690236Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 6.5,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"modificationTime": "2023-10-11T01:10:52.697590Z",
"severity": "medium"
},
{
"assigner": "Red Hat",
"cvssV3BaseScore": 6.5,
"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"modificationTime": "2023-11-08T09:43:50.652540Z",
"severity": "medium"
}
],
"cvssScore": 6.5,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tiff` package and not the `tiff` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nA vulnerability was found in libtiff due to multiple potential integer overflows in raw2tiff.c. This flaw allows remote attackers to cause a denial of service or possibly execute an arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-41175)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2023-41175)\n- [secalert@redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=2235264)\n",
"disclosureTime": "2023-10-05T19:15:11.340000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.22501",
"probability": "0.00058"
},
"exploit": "Not Defined",
"fixedIn": [],
"from": [
"docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*",
"nginx-module-image-filter@1.25.3-1~bookworm",
"libgd2/libgd3@2.3.3-9",
"tiff/libtiff6@4.5.0-6"
],
"id": "SNYK-DEBIAN12-TIFF-5862863",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-41175"
],
"CWE": [
"CWE-190"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-11-08T09:43:50.652540Z",
"name": "tiff/libtiff6",
"nvdSeverity": "medium",
"packageManager": "debian:12",
"packageName": "tiff",
"patches": [],
"publicationTime": "2023-08-29T02:14:21.842855Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-41175",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-41175"
},
{
"title": "https://access.redhat.com/security/cve/CVE-2023-41175",
"url": "https://access.redhat.com/security/cve/CVE-2023-41175"
},
{
"title": "https://bugzilla.redhat.com/show_bug.cgi?id=2235264",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2235264"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "medium",
"severityWithCritical": "medium",
"socialTrendAlert": false,
"title": "Integer Overflow or Wraparound",
"upgradePath": [],
"version": "4.5.0-6"
},
{
"CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"cpes": [],
"creationTime": "2023-10-05T14:53:13.833743Z",
"credit": [
""
],
"cvssDetails": [
{
"assigner": "NVD",
"cvssV3BaseScore": 5.5,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"modificationTime": "2023-10-11T01:10:46.904290Z",
"severity": "medium"
},
{
"assigner": "SUSE",
"cvssV3BaseScore": 3.3,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"modificationTime": "2023-11-07T11:03:32.405665Z",
"severity": "low"
},
{
"assigner": "Red Hat",
"cvssV3BaseScore": 5.5,
"cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"modificationTime": "2023-11-08T09:41:20.191000Z",
"severity": "medium"
}
],
"cvssScore": 5.5,
"description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tiff` package and not the `tiff` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nA memory leak flaw was found in Libtiff's tiffcrop utility. This issue occurs when tiffcrop operates on a TIFF image file, allowing an attacker to pass a crafted TIFF image file to tiffcrop utility, which causes this memory leak issue, resulting an application crash, eventually leading to a denial of service.\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-3576)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2023-3576)\n- [secalert@redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=2219340)\n- [secalert@redhat.com](https://access.redhat.com/errata/RHSA-2023:6575)\n",
"disclosureTime": "2023-10-04T19:15:10.340000Z",
"epssDetails": {
"modelVersion": "v2023.03.01",
"percentile": "0.10928",
"probability": "0.00044"
},
"exploit": "Not Defined",
"fixedIn": [],
"from": [
"docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*",
"nginx-module-image-filter@1.25.3-1~bookworm",
"libgd2/libgd3@2.3.3-9",
"tiff/libtiff6@4.5.0-6"
],
"id": "SNYK-DEBIAN12-TIFF-5934984",
"identifiers": {
"ALTERNATIVE": [],
"CVE": [
"CVE-2023-3576"
],
"CWE": [
"CWE-401"
]
},
"insights": {
"triageAdvice": null
},
"isDisputed": false,
"isPatchable": false,
"isUpgradable": false,
"language": "linux",
"malicious": false,
"modificationTime": "2023-11-08T09:41:20.191000Z",
"name": "tiff/libtiff6",
"nvdSeverity": "medium",
"packageManager": "debian:12",
"packageName": "tiff",
"patches": [],
"publicationTime": "2023-10-05T14:51:44.129440Z",
"references": [
{
"title": "https://security-tracker.debian.org/tracker/CVE-2023-3576",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-3576"
},
{
"title": "https://access.redhat.com/security/cve/CVE-2023-3576",
"url": "https://access.redhat.com/security/cve/CVE-2023-3576"
},
{
"title": "https://bugzilla.redhat.com/show_bug.cgi?id=2219340",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2219340"
},
{
"title": "https://access.redhat.com/errata/RHSA-2023:6575",
"url": "https://access.redhat.com/errata/RHSA-2023:6575"
}
],
"relativeImportance": "not yet assigned",
"semver": {
"vulnerable": [
"*"
]
},
"severity": "medium",
"severityWithCritical": "medium",
"socialTrendAlert": false,
"title": "Memory Leak",
"upgradePath": [],
"version": "4.5.0-6"
}
]
},
"created_at": 1699693918.2555888,
"has_audit_package": true
}
},
"git_commit_info": {
"sha1": "b8bf72b392bb4116414442c79520d3a4f7179120",
"message": "Remove dead entries for shas service which is now called version-reporter",
"author": "JonJagger <jon@kosli.com>",
"timestamp": 1699467962,
"branch": "main"
},
"repo_url": "https://github.com/cyber-dojo/nginx",
"template": [
"artifact",
"snyk-scan"
],
"last_modified_at": 1699693918.2555888,
"deployments": [
85,
84
],
"state": "NON-COMPLIANT",
"html_url": "https://app.kosli.com/cyber-dojo/flows/nginx-archived-at-1707630884/artifacts/8f2afb7bf12de36f46b424cb27abd92b6db52e52db72f11cc3dee8f9b0aea9aa",
"api_url": "https://app.kosli.com/api/v2/artifacts/cyber-dojo/nginx-archived-at-1707630884/fingerprint/8f2afb7bf12de36f46b424cb27abd92b6db52e52db72f11cc3dee8f9b0aea9aa"
}
Artifact Information |
|
| Name | cyberdojo/nginx:b8bf72b |
| Fingerprint | 8f2afb7bf12de36f46b424cb27abd92b6db52e52db72f11cc3dee8f9b0aea9aa |
| Git commit |
b8bf72b
JonJagger <jon@kosli.com> (main)
1699467962.0 • 6 months ago
Remove dead entries for shas service which is now called version-reporter
|
| CI Build | https://github.com/cyber-dojo/nginx/actions/runs/6802462784 |
| Running | - |
| Exited | aws-beta#2130 aws-prod#1357 |
| Last modified | 1699693918.2555888 • 6 months ago |
Approvals
| None |
Evidence
Evidence for 'snyk-scan'
{ "evidence_type": "snyk", "name": "snyk-scan", "is_compliant": false, "build_url": "https://github.com/cyber-dojo/snyk_scans/actions/runs/6833338247", "evidence_archive_fingerprint": "9d26a61e1eee90db1f1f38e9c4355082063f844a15ca358164d999b33d6a800e", "user_data": {}, "snyk_results": { "applications": [ { "dependencyCount": 0, "displayTargetFile": "/usr/share/java", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "maven", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@sha256:8f2afb7bf12de36f46b424cb27abd92b6db52e52db72f11cc3dee8f9b0aea9aa/nginx:b8bf72b@sha256:8f2afb7bf12de36f46b424cb27abd92b6db52e52db72f11cc3dee8f9b0aea9aa:/usr/share/java", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-DEBIAN12-TIFF-5862859:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-10T19:30:13.235Z\n created: 2023-10-11T19:30:13.242Z\n source: cli\n SNYK-DEBIAN12-TIFF-5862863:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-10T19:30:34.260Z\n created: 2023-10-11T19:30:34.270Z\n source: cli\n SNYK-DEBIAN12-TIFF-5934984:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-10T19:30:47.863Z\n created: 2023-10-11T19:30:47.874Z\n source: cli\n SNYK-DEBIAN12-NGHTTP2-5953379:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-10T19:31:20.564Z\n created: 2023-10-11T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-ZLIB-6008963:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-21T19:31:20.564Z\n created: 2023-10-21T19:31:20.581Z\n source: cli\npatch: {}\n", "projectName": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@sha256:8f2afb7bf12de36f46b424cb27abd92b6db52e52db72f11cc3dee8f9b0aea9aa:/usr/share/java", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/share/java", "uniqueCount": 0, "vulnerabilities": [] } ], "dependencyCount": 149, "docker": { "baseImage": "nginx:1.25.3-bookworm", "baseImageRemediation": { "advice": [ { "bold": true, "message": "According to our scan, you are currently using the most secure version of the selected base image" } ], "code": "NO_REMEDIATION_AVAILABLE" } }, "filesystemPolicy": true, "filtered": { "ignore": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "curl@7.88.1-10+deb12u4", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "nginx@1.25.3-1~bookworm", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "nginx-module-njs@1.25.3+0.8.2-1~bookworm", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "util-linux/util-linux@2.38.1-5+b1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "apt@2.6.1", "apt/libapt-pkg6.0@2.6.1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "apt@2.6.1", "gnupg2/gpgv@2.2.40-1.1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "curl@7.88.1-10+deb12u4", "curl/libcurl4@7.88.1-10+deb12u4", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "dash@0.5.12-2", "dpkg@1.21.22", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "nginx-module-njs@1.25.3+0.8.2-1~bookworm", "libxml2@2.9.14+dfsg-1.3~deb12u1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "curl@7.88.1-10+deb12u4", "curl/libcurl4@7.88.1-10+deb12u4", "libssh2/libssh2-1@1.10.0-3+b1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "curl@7.88.1-10+deb12u4", "curl/libcurl4@7.88.1-10+deb12u4", "rtmpdump/librtmp1@2.4+20151223.gitfa8646d.1-2+b2", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "libheif/libheif1@1.15.1-1", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "tiff/libtiff6@4.5.0-6", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "fontconfig/libfontconfig1@2.14.1-4", "freetype/libfreetype6@2.12.1+dfsg-5", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cpes": [], "creationTime": "2023-10-19T04:21:07.782934Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 9.8, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "modificationTime": "2023-10-19T13:10:57.430822Z", "severity": "critical" }, { "assigner": "SUSE", "cvssV3BaseScore": 5.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "modificationTime": "2023-10-27T11:02:39.566188Z", "severity": "medium" } ], "cvssScore": 9.8, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `zlib` package and not the `zlib` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.\n## Remediation\nThere is no fixed version for `Debian:12` `zlib`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-45853)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356)\n- [cve@mitre.org](https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61)\n- [cve@mitre.org](https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4)\n- [cve@mitre.org](https://github.com/madler/zlib/pull/843)\n- [cve@mitre.org](https://www.winimage.com/zLibDll/minizip.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/9)\n", "disclosureTime": "2023-10-14T02:15:09.323000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.40323", "probability": "0.00098" }, "exploit": "Not Defined", "filtered": { "ignored": [ { "created": "2023-10-21T19:31:20.581Z", "expires": "2023-11-21T19:31:20.564Z", "path": [ "*" ], "reason": "Waiting for Debian upgrade", "source": "cli" } ] }, "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "fontconfig/libfontconfig1@2.14.1-4", "freetype/libfreetype6@2.12.1+dfsg-5", "libpng1.6/libpng16-16@1.6.39-2", "zlib/zlib1g@1:1.2.13.dfsg-1" ], "id": "SNYK-DEBIAN12-ZLIB-6008963", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-45853" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-27T11:02:39.566188Z", "name": "zlib/zlib1g", "nvdSeverity": "critical", "packageManager": "debian:12", "packageName": "zlib", "patches": [], "publicationTime": "2023-10-19T04:21:02.193720Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-45853", "url": "https://security-tracker.debian.org/tracker/CVE-2023-45853" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356", "url": "https://chromium.googlesource.com/chromium/src/%2B/d709fb23806858847131027da95ef4c548813356" }, { "title": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61", "url": "https://chromium.googlesource.com/chromium/src/%2B/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61" }, { "title": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4", "url": "https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib%23L1-L4" }, { "title": "https://github.com/madler/zlib/pull/843", "url": "https://github.com/madler/zlib/pull/843" }, { "title": "https://www.winimage.com/zLibDll/minizip.html", "url": "https://www.winimage.com/zLibDll/minizip.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/9" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "critical", "severityWithCritical": "critical", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "1:1.2.13.dfsg-1" } ], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": false, "org": "jonjagger", "packageManager": "deb", "path": "274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@sha256:8f2afb7bf12de36f46b424cb27abd92b6db52e52db72f11cc3dee8f9b0aea9aa/nginx:b8bf72b", "platform": "linux/amd64", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\n# ignores vulnerabilities until expiry date; change duration by modifying expiry date\nignore:\n SNYK-DEBIAN12-TIFF-5862859:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-10T19:30:13.235Z\n created: 2023-10-11T19:30:13.242Z\n source: cli\n SNYK-DEBIAN12-TIFF-5862863:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-10T19:30:34.260Z\n created: 2023-10-11T19:30:34.270Z\n source: cli\n SNYK-DEBIAN12-TIFF-5934984:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-10T19:30:47.863Z\n created: 2023-10-11T19:30:47.874Z\n source: cli\n SNYK-DEBIAN12-NGHTTP2-5953379:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-10T19:31:20.564Z\n created: 2023-10-11T19:31:20.581Z\n source: cli\n SNYK-DEBIAN12-ZLIB-6008963:\n - '*':\n reason: Waiting for Debian upgrade\n expires: 2023-11-21T19:31:20.564Z\n created: 2023-10-21T19:31:20.581Z\n source: cli\npatch: {}\n", "projectName": "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b", "severityThreshold": "medium", "summary": "19 medium or high or critical severity vulnerable dependency paths", "uniqueCount": 4, "vulnerabilities": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H", "cpes": [], "creationTime": "2023-10-11T02:06:26.471182Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T01:11:01.801031Z", "severity": "high" }, { "assigner": "SUSE", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-14T11:03:27.396232Z", "severity": "high" }, { "assigner": "Red Hat", "cvssV3BaseScore": 7.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:54.280816Z", "severity": "high" } ], "cvssScore": 7.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `nghttp2` package and not the `nghttp2` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.\n## Remediation\nThere is no fixed version for `Debian:12` `nghttp2`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-44487)\n- [cve@mitre.org](https://aws.amazon.com/security/security-bulletins/AWS-2023-011/)\n- [cve@mitre.org](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)\n- [cve@mitre.org](https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/)\n- [cve@mitre.org](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37831062)\n- [cve@mitre.org](https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/)\n- [cve@mitre.org](https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack)\n- [cve@mitre.org](https://chaos.social/@icing/111210915918780532)\n- [cve@mitre.org](https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764)\n- [cve@mitre.org](https://github.com/alibaba/tengine/issues/1872)\n- [cve@mitre.org](https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2)\n- [cve@mitre.org](https://github.com/bcdannyboy/CVE-2023-44487)\n- [cve@mitre.org](https://github.com/caddyserver/caddy/issues/5877)\n- [cve@mitre.org](https://github.com/eclipse/jetty.project/issues/10679)\n- [cve@mitre.org](https://github.com/envoyproxy/envoy/pull/30055)\n- [cve@mitre.org](https://github.com/haproxy/haproxy/issues/2312)\n- [cve@mitre.org](https://github.com/hyperium/hyper/issues/3337)\n- [cve@mitre.org](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/pull/1961)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830987)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37830998)\n- [cve@mitre.org](https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/)\n- [cve@mitre.org](https://github.com/grpc/grpc-go/pull/6703)\n- [cve@mitre.org](https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244)\n- [cve@mitre.org](https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0)\n- [cve@mitre.org](https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html)\n- [cve@mitre.org](https://my.f5.com/manage/s/article/K000137106)\n- [cve@mitre.org](https://bugzilla.proxmox.com/show_bug.cgi?id=4988)\n- [cve@mitre.org](https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9)\n- [cve@mitre.org](https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/)\n- [cve@mitre.org](https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve)\n- [cve@mitre.org](https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088)\n- [cve@mitre.org](https://github.com/advisories/GHSA-vx74-f528-fxqg)\n- [cve@mitre.org](https://github.com/apache/trafficserver/pull/10564)\n- [cve@mitre.org](https://github.com/dotnet/announcements/issues/277)\n- [cve@mitre.org](https://github.com/facebook/proxygen/pull/466)\n- [cve@mitre.org](https://github.com/golang/go/issues/63417)\n- [cve@mitre.org](https://github.com/h2o/h2o/pull/3291)\n- [cve@mitre.org](https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf)\n- [cve@mitre.org](https://github.com/micrictor/http2-rst-stream)\n- [cve@mitre.org](https://github.com/microsoft/CBL-Mariner/pull/6381)\n- [cve@mitre.org](https://github.com/nodejs/node/pull/50121)\n- [cve@mitre.org](https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo)\n- [cve@mitre.org](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487)\n- [cve@mitre.org](https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/)\n- [cve@mitre.org](https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q)\n- [cve@mitre.org](https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected)\n- [cve@mitre.org](https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14)\n- [cve@mitre.org](https://www.openwall.com/lists/oss-security/2023/10/10/6)\n- [cve@mitre.org](https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73)\n- [cve@mitre.org](https://github.com/advisories/GHSA-xpw8-rcwv-8f8p)\n- [cve@mitre.org](https://github.com/kubernetes/kubernetes/pull/121120)\n- [cve@mitre.org](https://github.com/opensearch-project/data-prepper/issues/3474)\n- [cve@mitre.org](https://github.com/oqtane/oqtane.framework/discussions/3367)\n- [cve@mitre.org](https://netty.io/news/2023/10/10/4-1-100-Final.html)\n- [cve@mitre.org](https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487)\n- [cve@mitre.org](https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack)\n- [cve@mitre.org](https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1)\n- [cve@mitre.org](https://github.com/kazu-yamamoto/http2/issues/93)\n- [cve@mitre.org](https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html)\n- [cve@mitre.org](https://news.ycombinator.com/item?id=37837043)\n- [cve@mitre.org](https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5521)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5522)\n- [cve@mitre.org](https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/)\n- [cve@mitre.org](https://access.redhat.com/security/cve/cve-2023-44487)\n- [cve@mitre.org](https://blog.vespa.ai/cve-2023-44487/)\n- [cve@mitre.org](https://bugzilla.redhat.com/show_bug.cgi?id=2242803)\n- [cve@mitre.org](https://bugzilla.suse.com/show_bug.cgi?id=1216123)\n- [cve@mitre.org](https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125)\n- [cve@mitre.org](https://github.com/advisories/GHSA-qppj-fm5r-hxr3)\n- [cve@mitre.org](https://github.com/etcd-io/etcd/issues/16740)\n- [cve@mitre.org](https://github.com/junkurihara/rust-rpxy/issues/97)\n- [cve@mitre.org](https://github.com/ninenines/cowboy/issues/1615)\n- [cve@mitre.org](https://github.com/tempesta-tech/tempesta/issues/1986)\n- [cve@mitre.org](https://github.com/varnishcache/varnish-cache/issues/3996)\n- [cve@mitre.org](https://istio.io/latest/news/security/istio-security-2023-004/)\n- [cve@mitre.org](https://ubuntu.com/security/CVE-2023-44487)\n- [cve@mitre.org](https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event)\n- [cve@mitre.org](https://github.com/apache/httpd-site/pull/10)\n- [cve@mitre.org](https://github.com/line/armeria/pull/5232)\n- [cve@mitre.org](https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632)\n- [cve@mitre.org](https://github.com/projectcontour/contour/pull/5826)\n- [cve@mitre.org](https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/)\n- [cve@mitre.org](https://github.com/Azure/AKS/issues/3947)\n- [cve@mitre.org](https://github.com/Kong/kong/discussions/11741)\n- [cve@mitre.org](https://github.com/akka/akka-http/issues/4323)\n- [cve@mitre.org](https://github.com/apache/apisix/issues/10320)\n- [cve@mitre.org](https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487)\n- [cve@mitre.org](https://github.com/openresty/openresty/issues/930)\n- [cve@mitre.org](https://security.paloaltonetworks.com/CVE-2023-44487)\n- [cve@mitre.org](https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/)\n- [cve@mitre.org](https://github.com/caddyserver/caddy/releases/tag/v2.7.5)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/13/4)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/13/9)\n- [cve@mitre.org](https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/)\n- [cve@mitre.org](https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/)\n- [cve@mitre.org](https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html)\n- [cve@mitre.org](https://security.netapp.com/advisory/ntap-20231016-0001/)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/18/4)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/18/8)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/19/6)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/)\n- [cve@mitre.org](http://www.openwall.com/lists/oss-security/2023/10/20/8)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5540)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html)\n- [cve@mitre.org](https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/)\n- [cve@mitre.org](https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html)\n- [cve@mitre.org](https://www.debian.org/security/2023/dsa-5549)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/)\n- [cve@mitre.org](https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", "disclosureTime": "2023-10-10T14:15:10.883000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.97205", "probability": "0.52748" }, "exploit": "High", "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "curl@7.88.1-10+deb12u4", "curl/libcurl4@7.88.1-10+deb12u4", "nghttp2/libnghttp2-14@1.52.0-1" ], "id": "SNYK-DEBIAN12-NGHTTP2-5953379", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-44487" ], "CWE": [ "CWE-400" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-09T15:25:02.573156Z", "name": "nghttp2/libnghttp2-14", "nvdSeverity": "high", "packageManager": "debian:12", "packageName": "nghttp2", "patches": [], "publicationTime": "2023-10-11T01:07:39.545468Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-44487", "url": "https://security-tracker.debian.org/tracker/CVE-2023-44487" }, { "title": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/", "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/" }, { "title": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/" }, { "title": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/", "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/" }, { "title": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/", "url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/" }, { "title": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "title": "https://news.ycombinator.com/item?id=37831062", "url": "https://news.ycombinator.com/item?id=37831062" }, { "title": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/", "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/" }, { "title": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack", "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack" }, { "title": "https://chaos.social/@icing/111210915918780532", "url": "https://chaos.social/@icing/111210915918780532" }, { "title": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764", "url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764" }, { "title": "https://github.com/alibaba/tengine/issues/1872", "url": "https://github.com/alibaba/tengine/issues/1872" }, { "title": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2", "url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2" }, { "title": "https://github.com/bcdannyboy/CVE-2023-44487", "url": "https://github.com/bcdannyboy/CVE-2023-44487" }, { "title": "https://github.com/caddyserver/caddy/issues/5877", "url": "https://github.com/caddyserver/caddy/issues/5877" }, { "title": "https://github.com/eclipse/jetty.project/issues/10679", "url": "https://github.com/eclipse/jetty.project/issues/10679" }, { "title": "https://github.com/envoyproxy/envoy/pull/30055", "url": "https://github.com/envoyproxy/envoy/pull/30055" }, { "title": "https://github.com/haproxy/haproxy/issues/2312", "url": "https://github.com/haproxy/haproxy/issues/2312" }, { "title": "https://github.com/hyperium/hyper/issues/3337", "url": "https://github.com/hyperium/hyper/issues/3337" }, { "title": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "title": "https://github.com/nghttp2/nghttp2/pull/1961", "url": "https://github.com/nghttp2/nghttp2/pull/1961" }, { "title": "https://news.ycombinator.com/item?id=37830987", "url": "https://news.ycombinator.com/item?id=37830987" }, { "title": "https://news.ycombinator.com/item?id=37830998", "url": "https://news.ycombinator.com/item?id=37830998" }, { "title": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/", "url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/" }, { "title": "https://github.com/grpc/grpc-go/pull/6703", "url": "https://github.com/grpc/grpc-go/pull/6703" }, { "title": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244", "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1%23L239-L244" }, { "title": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0", "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0" }, { "title": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html", "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html" }, { "title": "https://my.f5.com/manage/s/article/K000137106", "url": "https://my.f5.com/manage/s/article/K000137106" }, { "title": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988", "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988" }, { "title": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9", "url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9" }, { "title": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/", "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/" }, { "title": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve", "url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve" }, { "title": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088", "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088" }, { "title": "https://github.com/advisories/GHSA-vx74-f528-fxqg", "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg" }, { "title": "https://github.com/apache/trafficserver/pull/10564", "url": "https://github.com/apache/trafficserver/pull/10564" }, { "title": "https://github.com/dotnet/announcements/issues/277", "url": "https://github.com/dotnet/announcements/issues/277" }, { "title": "https://github.com/facebook/proxygen/pull/466", "url": "https://github.com/facebook/proxygen/pull/466" }, { "title": "https://github.com/golang/go/issues/63417", "url": "https://github.com/golang/go/issues/63417" }, { "title": "https://github.com/h2o/h2o/pull/3291", "url": "https://github.com/h2o/h2o/pull/3291" }, { "title": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf", "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf" }, { "title": "https://github.com/micrictor/http2-rst-stream", "url": "https://github.com/micrictor/http2-rst-stream" }, { "title": "https://github.com/microsoft/CBL-Mariner/pull/6381", "url": "https://github.com/microsoft/CBL-Mariner/pull/6381" }, { "title": "https://github.com/nodejs/node/pull/50121", "url": "https://github.com/nodejs/node/pull/50121" }, { "title": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo", "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo" }, { "title": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487" }, { "title": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/", "url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/" }, { "title": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q", "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q" }, { "title": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected", "url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected" }, { "title": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14", "url": "https://tomcat.apache.org/security-10.html%23Fixed_in_Apache_Tomcat_10.1.14" }, { "title": "https://www.openwall.com/lists/oss-security/2023/10/10/6", "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6" }, { "title": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73", "url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1%23L73" }, { "title": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p", "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p" }, { "title": "https://github.com/kubernetes/kubernetes/pull/121120", "url": "https://github.com/kubernetes/kubernetes/pull/121120" }, { "title": "https://github.com/opensearch-project/data-prepper/issues/3474", "url": "https://github.com/opensearch-project/data-prepper/issues/3474" }, { "title": "https://github.com/oqtane/oqtane.framework/discussions/3367", "url": "https://github.com/oqtane/oqtane.framework/discussions/3367" }, { "title": "https://netty.io/news/2023/10/10/4-1-100-Final.html", "url": "https://netty.io/news/2023/10/10/4-1-100-Final.html" }, { "title": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487", "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487" }, { "title": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack", "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack" }, { "title": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113", "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c%23L1101-L1113" }, { "title": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1", "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1" }, { "title": "https://github.com/kazu-yamamoto/http2/issues/93", "url": "https://github.com/kazu-yamamoto/http2/issues/93" }, { "title": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html", "url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html" }, { "title": "https://news.ycombinator.com/item?id=37837043", "url": "https://news.ycombinator.com/item?id=37837043" }, { "title": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487", "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487" }, { "title": "https://www.debian.org/security/2023/dsa-5521", "url": "https://www.debian.org/security/2023/dsa-5521" }, { "title": "https://www.debian.org/security/2023/dsa-5522", "url": "https://www.debian.org/security/2023/dsa-5522" }, { "title": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/", "url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/" }, { "title": "https://access.redhat.com/security/cve/cve-2023-44487", "url": "https://access.redhat.com/security/cve/cve-2023-44487" }, { "title": "https://blog.vespa.ai/cve-2023-44487/", "url": "https://blog.vespa.ai/cve-2023-44487/" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803" }, { "title": "https://bugzilla.suse.com/show_bug.cgi?id=1216123", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123" }, { "title": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125", "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125" }, { "title": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3", "url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3" }, { "title": "https://github.com/etcd-io/etcd/issues/16740", "url": "https://github.com/etcd-io/etcd/issues/16740" }, { "title": "https://github.com/junkurihara/rust-rpxy/issues/97", "url": "https://github.com/junkurihara/rust-rpxy/issues/97" }, { "title": "https://github.com/ninenines/cowboy/issues/1615", "url": "https://github.com/ninenines/cowboy/issues/1615" }, { "title": "https://github.com/tempesta-tech/tempesta/issues/1986", "url": "https://github.com/tempesta-tech/tempesta/issues/1986" }, { "title": "https://github.com/varnishcache/varnish-cache/issues/3996", "url": "https://github.com/varnishcache/varnish-cache/issues/3996" }, { "title": "https://istio.io/latest/news/security/istio-security-2023-004/", "url": "https://istio.io/latest/news/security/istio-security-2023-004/" }, { "title": "https://ubuntu.com/security/CVE-2023-44487", "url": "https://ubuntu.com/security/CVE-2023-44487" }, { "title": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event", "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event" }, { "title": "https://github.com/apache/httpd-site/pull/10", "url": "https://github.com/apache/httpd-site/pull/10" }, { "title": "https://github.com/line/armeria/pull/5232", "url": "https://github.com/line/armeria/pull/5232" }, { "title": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632", "url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632" }, { "title": "https://github.com/projectcontour/contour/pull/5826", "url": "https://github.com/projectcontour/contour/pull/5826" }, { "title": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/", "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/" }, { "title": "https://github.com/Azure/AKS/issues/3947", "url": "https://github.com/Azure/AKS/issues/3947" }, { "title": "https://github.com/Kong/kong/discussions/11741", "url": "https://github.com/Kong/kong/discussions/11741" }, { "title": "https://github.com/akka/akka-http/issues/4323", "url": "https://github.com/akka/akka-http/issues/4323" }, { "title": "https://github.com/apache/apisix/issues/10320", "url": "https://github.com/apache/apisix/issues/10320" }, { "title": "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487", "url": "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487" }, { "title": "https://github.com/openresty/openresty/issues/930", "url": "https://github.com/openresty/openresty/issues/930" }, { "title": "https://security.paloaltonetworks.com/CVE-2023-44487", "url": "https://security.paloaltonetworks.com/CVE-2023-44487" }, { "title": "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/", "url": "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/" }, { "title": "https://github.com/caddyserver/caddy/releases/tag/v2.7.5", "url": "https://github.com/caddyserver/caddy/releases/tag/v2.7.5" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/13/4", "url": "http://www.openwall.com/lists/oss-security/2023/10/13/4" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/13/9", "url": "http://www.openwall.com/lists/oss-security/2023/10/13/9" }, { "title": "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/", "url": "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/" }, { "title": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html", "url": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/" }, { "title": "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/", "url": "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html" }, { "title": "https://security.netapp.com/advisory/ntap-20231016-0001/", "url": "https://security.netapp.com/advisory/ntap-20231016-0001/" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/18/4", "url": "http://www.openwall.com/lists/oss-security/2023/10/18/4" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/18/8", "url": "http://www.openwall.com/lists/oss-security/2023/10/18/8" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/19/6", "url": "http://www.openwall.com/lists/oss-security/2023/10/19/6" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/" }, { "title": "http://www.openwall.com/lists/oss-security/2023/10/20/8", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/8" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html" }, { "title": "https://www.debian.org/security/2023/dsa-5540", "url": "https://www.debian.org/security/2023/dsa-5540" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html" }, { "title": "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715", "url": "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/" }, { "title": "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html" }, { "title": "https://www.debian.org/security/2023/dsa-5549", "url": "https://www.debian.org/security/2023/dsa-5549" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/" }, { "title": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/" }, { "title": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "high", "severityWithCritical": "high", "socialTrendAlert": true, "title": "Resource Exhaustion", "upgradePath": [], "version": "1.52.0-1" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-08-29T02:14:12.065902Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 6.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-11T01:10:52.532167Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 6.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:50.658705Z", "severity": "medium" } ], "cvssScore": 6.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tiff` package and not the `tiff` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nLibTIFF is vulnerable to an integer overflow. This flaw allows remote attackers to cause a denial of service (application crash) or possibly execute an arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-40745)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2023-40745)\n- [secalert@redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=2235265)\n- [secalert@redhat.com](https://security.netapp.com/advisory/ntap-20231110-0005/)\n", "disclosureTime": "2023-10-05T19:15:11.260000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.22486", "probability": "0.00058" }, "exploit": "Not Defined", "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "tiff/libtiff6@4.5.0-6" ], "id": "SNYK-DEBIAN12-TIFF-5862859", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-40745" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-11T01:10:45.525339Z", "name": "tiff/libtiff6", "nvdSeverity": "medium", "packageManager": "debian:12", "packageName": "tiff", "patches": [], "publicationTime": "2023-08-29T02:14:12.010192Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-40745", "url": "https://security-tracker.debian.org/tracker/CVE-2023-40745" }, { "title": "https://access.redhat.com/security/cve/CVE-2023-40745", "url": "https://access.redhat.com/security/cve/CVE-2023-40745" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2235265", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2235265" }, { "title": "https://security.netapp.com/advisory/ntap-20231110-0005/", "url": "https://security.netapp.com/advisory/ntap-20231110-0005/" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "4.5.0-6" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-08-29T02:15:15.690236Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 6.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-11T01:10:52.697590Z", "severity": "medium" }, { "assigner": "Red Hat", "cvssV3BaseScore": 6.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:43:50.652540Z", "severity": "medium" } ], "cvssScore": 6.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tiff` package and not the `tiff` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nA vulnerability was found in libtiff due to multiple potential integer overflows in raw2tiff.c. This flaw allows remote attackers to cause a denial of service or possibly execute an arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-41175)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2023-41175)\n- [secalert@redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=2235264)\n", "disclosureTime": "2023-10-05T19:15:11.340000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.22501", "probability": "0.00058" }, "exploit": "Not Defined", "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "tiff/libtiff6@4.5.0-6" ], "id": "SNYK-DEBIAN12-TIFF-5862863", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-41175" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-08T09:43:50.652540Z", "name": "tiff/libtiff6", "nvdSeverity": "medium", "packageManager": "debian:12", "packageName": "tiff", "patches": [], "publicationTime": "2023-08-29T02:14:21.842855Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-41175", "url": "https://security-tracker.debian.org/tracker/CVE-2023-41175" }, { "title": "https://access.redhat.com/security/cve/CVE-2023-41175", "url": "https://access.redhat.com/security/cve/CVE-2023-41175" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2235264", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2235264" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "4.5.0-6" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-10-05T14:53:13.833743Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-11T01:10:46.904290Z", "severity": "medium" }, { "assigner": "SUSE", "cvssV3BaseScore": 3.3, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "modificationTime": "2023-11-07T11:03:32.405665Z", "severity": "low" }, { "assigner": "Red Hat", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2023-11-08T09:41:20.191000Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tiff` package and not the `tiff` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nA memory leak flaw was found in Libtiff's tiffcrop utility. This issue occurs when tiffcrop operates on a TIFF image file, allowing an attacker to pass a crafted TIFF image file to tiffcrop utility, which causes this memory leak issue, resulting an application crash, eventually leading to a denial of service.\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-3576)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2023-3576)\n- [secalert@redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=2219340)\n- [secalert@redhat.com](https://access.redhat.com/errata/RHSA-2023:6575)\n", "disclosureTime": "2023-10-04T19:15:10.340000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.10928", "probability": "0.00044" }, "exploit": "Not Defined", "fixedIn": [], "from": [ "docker-image|274425519734.dkr.ecr.eu-central-1.amazonaws.com/nginx:b8bf72b@*", "nginx-module-image-filter@1.25.3-1~bookworm", "libgd2/libgd3@2.3.3-9", "tiff/libtiff6@4.5.0-6" ], "id": "SNYK-DEBIAN12-TIFF-5934984", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-3576" ], "CWE": [ "CWE-401" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-11-08T09:41:20.191000Z", "name": "tiff/libtiff6", "nvdSeverity": "medium", "packageManager": "debian:12", "packageName": "tiff", "patches": [], "publicationTime": "2023-10-05T14:51:44.129440Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-3576", "url": "https://security-tracker.debian.org/tracker/CVE-2023-3576" }, { "title": "https://access.redhat.com/security/cve/CVE-2023-3576", "url": "https://access.redhat.com/security/cve/CVE-2023-3576" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2219340", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2219340" }, { "title": "https://access.redhat.com/errata/RHSA-2023:6575", "url": "https://access.redhat.com/errata/RHSA-2023:6575" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Memory Leak", "upgradePath": [], "version": "4.5.0-6" } ] }, "created_at": 1699693918.2555888, "has_audit_package": true }