nginx-archived-at-1707630884
Reverse proxy
cyberdojo/nginx:4f9e455
Non-compliant
{ "created_at": 1696929664.2140725, "fingerprint": "b9d5301dfc6d329ed547a6751a7fded2bf5965793361b8a24e2910f220039e24", "filename": "cyberdojo/nginx:4f9e455", "git_commit": "4f9e4552ae594505e3250729299b4c6dcf864fdc", "build_url": "https://github.com/cyber-dojo/nginx/actions/runs/6467282984", "commit_url": "https://github.com/cyber-dojo/nginx/commit/4f9e4552ae594505e3250729299b4c6dcf864fdc", "evidence": { "snyk-scan": { "evidence_type": "snyk", "is_compliant": false, "build_url": "https://github.com/cyber-dojo/snyk_scans/actions/runs/6481557876", "evidence_archive_fingerprint": "eb0648cebe58d3213be446c78f5b75970431c0988af4cdabf8411c9db101b7ad", "user_data": {}, "snyk_results": { "applications": [ { "dependencyCount": 0, "displayTargetFile": "/usr/share/java", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", 
"severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": "jonjagger", "packageManager": "maven", "path": "cyberdojo/nginx@sha256:b9d5301dfc6d329ed547a6751a7fded2bf5965793361b8a24e2910f220039e24/nginx@sha256:b9d5301dfc6d329ed547a6751a7fded2bf5965793361b8a24e2910f220039e24:/usr/share/java", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", "projectName": "cyberdojo/nginx@sha256:b9d5301dfc6d329ed547a6751a7fded2bf5965793361b8a24e2910f220039e24:/usr/share/java", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/share/java", "uniqueCount": 0, "vulnerabilities": [] } ], "dependencyCount": 149, "docker": { "baseImage": "nginx:1.25.2-bookworm", "baseImageRemediation": { "advice": [ { "bold": true, "message": "According to our scan, you are currently using the most secure version of the selected base image" } ], "code": "NO_REMEDIATION_AVAILABLE" } }, "filesystemPolicy": true, "filtered": { "ignore": [], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", 
"licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": false, "org": "jonjagger", "packageManager": "deb", "path": "cyberdojo/nginx@sha256:b9d5301dfc6d329ed547a6751a7fded2bf5965793361b8a24e2910f220039e24/nginx", "platform": "linux/amd64", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", "projectName": "docker-image|cyberdojo/nginx", "severityThreshold": "medium", "summary": "3 medium or high or critical severity vulnerable dependency paths", "uniqueCount": 3, "vulnerabilities": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-08-29T02:14:12.065902Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 6.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-11T01:10:52.532167Z", "severity": "medium" } ], "cvssScore": 6.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tiff` package 
and not the `tiff` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nLibTIFF is vulnerable to an integer overflow. This flaw allows remote attackers to cause a denial of service (application crash) or possibly execute an arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-40745)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2023-40745)\n- [secalert@redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=2235265)\n", "disclosureTime": "2023-10-05T19:15:11.260000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.39290", "probability": "0.00094" }, "exploit": "Not Defined", "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@*", "nginx-module-image-filter@1.25.2-1~bookworm", "libgd2/libgd3@2.3.3-9", "tiff/libtiff6@4.5.0-6" ], "id": "SNYK-DEBIAN12-TIFF-5862859", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-40745" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-11T01:10:52.604444Z", "name": "tiff/libtiff6", "nvdSeverity": "medium", "packageManager": "debian:12", "packageName": "tiff", "patches": [], "publicationTime": "2023-08-29T02:14:12.010192Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-40745", "url": "https://security-tracker.debian.org/tracker/CVE-2023-40745" }, { "title": "https://access.redhat.com/security/cve/CVE-2023-40745", "url": "https://access.redhat.com/security/cve/CVE-2023-40745" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2235265", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2235265" } ], "relativeImportance": "not yet assigned", "semver": { 
"vulnerable": [ "*" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "4.5.0-6" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-08-29T02:15:15.690236Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 6.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-11T01:10:52.697590Z", "severity": "medium" } ], "cvssScore": 6.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tiff` package and not the `tiff` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nA vulnerability was found in libtiff due to multiple potential integer overflows in raw2tiff.c. This flaw allows remote attackers to cause a denial of service or possibly execute an arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-41175)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2023-41175)\n- [secalert@redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=2235264)\n", "disclosureTime": "2023-10-05T19:15:11.340000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.39290", "probability": "0.00094" }, "exploit": "Not Defined", "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@*", "nginx-module-image-filter@1.25.2-1~bookworm", "libgd2/libgd3@2.3.3-9", "tiff/libtiff6@4.5.0-6" ], "id": "SNYK-DEBIAN12-TIFF-5862863", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-41175" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": 
false, "modificationTime": "2023-10-11T01:10:52.784935Z", "name": "tiff/libtiff6", "nvdSeverity": "medium", "packageManager": "debian:12", "packageName": "tiff", "patches": [], "publicationTime": "2023-08-29T02:14:21.842855Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-41175", "url": "https://security-tracker.debian.org/tracker/CVE-2023-41175" }, { "title": "https://access.redhat.com/security/cve/CVE-2023-41175", "url": "https://access.redhat.com/security/cve/CVE-2023-41175" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2235264", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2235264" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "4.5.0-6" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-10-05T14:53:13.833743Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2023-07-12T13:48:20.082991Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-11T01:10:46.904290Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tiff` package and not the `tiff` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nA memory leak flaw was found in Libtiff's tiffcrop utility. 
This issue occurs when tiffcrop operates on a TIFF image file, allowing an attacker to pass a crafted TIFF image file to tiffcrop utility, which causes this memory leak issue, resulting an application crash, eventually leading to a denial of service.\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-3576)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2023-3576)\n- [secalert@redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=2219340)\n", "disclosureTime": "2023-10-04T19:15:10.340000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.07179", "probability": "0.00043" }, "exploit": "Not Defined", "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@*", "nginx-module-image-filter@1.25.2-1~bookworm", "libgd2/libgd3@2.3.3-9", "tiff/libtiff6@4.5.0-6" ], "id": "SNYK-DEBIAN12-TIFF-5934984", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-3576" ], "CWE": [ "CWE-401" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-11T01:10:47.010194Z", "name": "tiff/libtiff6", "nvdSeverity": "medium", "packageManager": "debian:12", "packageName": "tiff", "patches": [], "publicationTime": "2023-10-05T14:51:44.129440Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-3576", "url": "https://security-tracker.debian.org/tracker/CVE-2023-3576" }, { "title": "https://access.redhat.com/security/cve/CVE-2023-3576", "url": "https://access.redhat.com/security/cve/CVE-2023-3576" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2219340", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2219340" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Memory Leak", 
"upgradePath": [], "version": "4.5.0-6" } ] }, "created_at": 1697022058.1303988, "has_audit_package": true } }, "git_commit_info": { "sha1": "4f9e4552ae594505e3250729299b4c6dcf864fdc", "message": "Force CI run to rebuild Docker image", "author": "Faye <faye@kosli.com>", "timestamp": 1696929566, "branch": "main" }, "repo_url": "https://github.com/cyber-dojo/nginx", "template": [ "artifact", "snyk-scan" ], "last_modified_at": 1697022058.1303988, "deployments": [ 72, 71 ], "state": "NON-COMPLIANT", "html_url": "https://app.kosli.com/cyber-dojo/flows/nginx-archived-at-1707630884/artifacts/b9d5301dfc6d329ed547a6751a7fded2bf5965793361b8a24e2910f220039e24", "api_url": "https://app.kosli.com/api/v2/artifacts/cyber-dojo/nginx-archived-at-1707630884/fingerprint/b9d5301dfc6d329ed547a6751a7fded2bf5965793361b8a24e2910f220039e24" }
Artifact Information |
|
Name | cyberdojo/nginx:4f9e455 |
Fingerprint | b9d5301dfc6d329ed547a6751a7fded2bf5965793361b8a24e2910f220039e24 |
Git commit |
4f9e455
Faye <faye@kosli.com> (main)
1696929566.0 • 7 months ago
Force CI run to rebuild Docker image
|
CI Build | https://github.com/cyber-dojo/nginx/actions/runs/6467282984 |
Running | - |
Exited | aws-beta#1856 aws-prod#1128 |
Last modified | 1697022058.1303988 • 7 months ago |
Approvals
None |
Evidence
Evidence for 'snyk-scan'
{ "evidence_type": "snyk", "name": "snyk-scan", "is_compliant": false, "build_url": "https://github.com/cyber-dojo/snyk_scans/actions/runs/6481557876", "evidence_archive_fingerprint": "eb0648cebe58d3213be446c78f5b75970431c0988af4cdabf8411c9db101b7ad", "user_data": {}, "snyk_results": { "applications": [ { "dependencyCount": 0, "displayTargetFile": "/usr/share/java", "docker": {}, "filesystemPolicy": true, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { "instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": true, "org": 
"jonjagger", "packageManager": "maven", "path": "cyberdojo/nginx@sha256:b9d5301dfc6d329ed547a6751a7fded2bf5965793361b8a24e2910f220039e24/nginx@sha256:b9d5301dfc6d329ed547a6751a7fded2bf5965793361b8a24e2910f220039e24:/usr/share/java", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", "projectName": "cyberdojo/nginx@sha256:b9d5301dfc6d329ed547a6751a7fded2bf5965793361b8a24e2910f220039e24:/usr/share/java", "severityThreshold": "medium", "summary": "No medium or high or critical severity vulnerabilities", "targetFile": "/usr/share/java", "uniqueCount": 0, "vulnerabilities": [] } ], "dependencyCount": 149, "docker": { "baseImage": "nginx:1.25.2-bookworm", "baseImageRemediation": { "advice": [ { "bold": true, "message": "According to our scan, you are currently using the most secure version of the selected base image" } ], "code": "NO_REMEDIATION_AVAILABLE" } }, "filesystemPolicy": true, "filtered": { "ignore": [], "patch": [] }, "hasUnknownVersions": false, "ignoreSettings": { "adminOnly": false, "disregardFilesystemIgnores": false, "reasonRequired": false }, "isPrivate": true, "licensesPolicy": { "orgLicenseRules": { "AGPL-1.0": { "instructions": "", "licenseType": "AGPL-1.0", "severity": "high" }, "AGPL-3.0": { "instructions": "", "licenseType": "AGPL-3.0", "severity": "high" }, "Artistic-1.0": { "instructions": "", "licenseType": "Artistic-1.0", "severity": "medium" }, "Artistic-2.0": { "instructions": "", "licenseType": "Artistic-2.0", "severity": "medium" }, "CDDL-1.0": { "instructions": "", "licenseType": "CDDL-1.0", "severity": "medium" }, "CPOL-1.02": { "instructions": "", "licenseType": "CPOL-1.02", "severity": "high" }, "EPL-1.0": { "instructions": "", "licenseType": "EPL-1.0", "severity": "medium" }, "GPL-2.0": { "instructions": "", "licenseType": "GPL-2.0", "severity": "high" }, "GPL-3.0": { "instructions": "", "licenseType": "GPL-3.0", "severity": "high" }, "LGPL-2.0": { 
"instructions": "", "licenseType": "LGPL-2.0", "severity": "medium" }, "LGPL-2.1": { "instructions": "", "licenseType": "LGPL-2.1", "severity": "medium" }, "LGPL-3.0": { "instructions": "", "licenseType": "LGPL-3.0", "severity": "medium" }, "MPL-1.1": { "instructions": "", "licenseType": "MPL-1.1", "severity": "medium" }, "MPL-2.0": { "instructions": "", "licenseType": "MPL-2.0", "severity": "medium" }, "MS-RL": { "instructions": "", "licenseType": "MS-RL", "severity": "medium" }, "SimPL-2.0": { "instructions": "", "licenseType": "SimPL-2.0", "severity": "high" } }, "severities": {} }, "ok": false, "org": "jonjagger", "packageManager": "deb", "path": "cyberdojo/nginx@sha256:b9d5301dfc6d329ed547a6751a7fded2bf5965793361b8a24e2910f220039e24/nginx", "platform": "linux/amd64", "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", "projectName": "docker-image|cyberdojo/nginx", "severityThreshold": "medium", "summary": "3 medium or high or critical severity vulnerable dependency paths", "uniqueCount": 3, "vulnerabilities": [ { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-08-29T02:14:12.065902Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 6.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-11T01:10:52.532167Z", "severity": "medium" } ], "cvssScore": 6.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tiff` package and not the `tiff` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nLibTIFF is vulnerable to an integer overflow. 
This flaw allows remote attackers to cause a denial of service (application crash) or possibly execute an arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-40745)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2023-40745)\n- [secalert@redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=2235265)\n", "disclosureTime": "2023-10-05T19:15:11.260000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.39290", "probability": "0.00094" }, "exploit": "Not Defined", "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@*", "nginx-module-image-filter@1.25.2-1~bookworm", "libgd2/libgd3@2.3.3-9", "tiff/libtiff6@4.5.0-6" ], "id": "SNYK-DEBIAN12-TIFF-5862859", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-40745" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-11T01:10:52.604444Z", "name": "tiff/libtiff6", "nvdSeverity": "medium", "packageManager": "debian:12", "packageName": "tiff", "patches": [], "publicationTime": "2023-08-29T02:14:12.010192Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-40745", "url": "https://security-tracker.debian.org/tracker/CVE-2023-40745" }, { "title": "https://access.redhat.com/security/cve/CVE-2023-40745", "url": "https://access.redhat.com/security/cve/CVE-2023-40745" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2235265", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2235265" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": 
"4.5.0-6" }, { "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-08-29T02:15:15.690236Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "NVD", "cvssV3BaseScore": 6.5, "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-11T01:10:52.697590Z", "severity": "medium" } ], "cvssScore": 6.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tiff` package and not the `tiff` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nA vulnerability was found in libtiff due to multiple potential integer overflows in raw2tiff.c. This flaw allows remote attackers to cause a denial of service or possibly execute an arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-41175)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2023-41175)\n- [secalert@redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=2235264)\n", "disclosureTime": "2023-10-05T19:15:11.340000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.39290", "probability": "0.00094" }, "exploit": "Not Defined", "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@*", "nginx-module-image-filter@1.25.2-1~bookworm", "libgd2/libgd3@2.3.3-9", "tiff/libtiff6@4.5.0-6" ], "id": "SNYK-DEBIAN12-TIFF-5862863", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-41175" ], "CWE": [ "CWE-190" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-11T01:10:52.784935Z", "name": "tiff/libtiff6", "nvdSeverity": "medium", "packageManager": "debian:12", "packageName": "tiff", "patches": [], 
"publicationTime": "2023-08-29T02:14:21.842855Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-41175", "url": "https://security-tracker.debian.org/tracker/CVE-2023-41175" }, { "title": "https://access.redhat.com/security/cve/CVE-2023-41175", "url": "https://access.redhat.com/security/cve/CVE-2023-41175" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2235264", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2235264" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Integer Overflow or Wraparound", "upgradePath": [], "version": "4.5.0-6" }, { "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cpes": [], "creationTime": "2023-10-05T14:53:13.833743Z", "credit": [ "" ], "cvssDetails": [ { "assigner": "Red Hat", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2023-07-12T13:48:20.082991Z", "severity": "medium" }, { "assigner": "NVD", "cvssV3BaseScore": 5.5, "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modificationTime": "2023-10-11T01:10:46.904290Z", "severity": "medium" } ], "cvssScore": 5.5, "description": "## NVD Description\n**_Note:_** _Versions mentioned in the description apply only to the upstream `tiff` package and not the `tiff` package as distributed by `Debian`._\n_See `How to fix?` for `Debian:12` relevant fixed versions and status._\n\nA memory leak flaw was found in Libtiff's tiffcrop utility. 
This issue occurs when tiffcrop operates on a TIFF image file, allowing an attacker to pass a crafted TIFF image file to tiffcrop utility, which causes this memory leak issue, resulting an application crash, eventually leading to a denial of service.\n## Remediation\nThere is no fixed version for `Debian:12` `tiff`.\n## References\n- [ADVISORY](https://security-tracker.debian.org/tracker/CVE-2023-3576)\n- [secalert@redhat.com](https://access.redhat.com/security/cve/CVE-2023-3576)\n- [secalert@redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=2219340)\n", "disclosureTime": "2023-10-04T19:15:10.340000Z", "epssDetails": { "modelVersion": "v2023.03.01", "percentile": "0.07179", "probability": "0.00043" }, "exploit": "Not Defined", "fixedIn": [], "from": [ "docker-image|cyberdojo/nginx@*", "nginx-module-image-filter@1.25.2-1~bookworm", "libgd2/libgd3@2.3.3-9", "tiff/libtiff6@4.5.0-6" ], "id": "SNYK-DEBIAN12-TIFF-5934984", "identifiers": { "ALTERNATIVE": [], "CVE": [ "CVE-2023-3576" ], "CWE": [ "CWE-401" ] }, "insights": { "triageAdvice": null }, "isDisputed": false, "isPatchable": false, "isUpgradable": false, "language": "linux", "malicious": false, "modificationTime": "2023-10-11T01:10:47.010194Z", "name": "tiff/libtiff6", "nvdSeverity": "medium", "packageManager": "debian:12", "packageName": "tiff", "patches": [], "publicationTime": "2023-10-05T14:51:44.129440Z", "references": [ { "title": "https://security-tracker.debian.org/tracker/CVE-2023-3576", "url": "https://security-tracker.debian.org/tracker/CVE-2023-3576" }, { "title": "https://access.redhat.com/security/cve/CVE-2023-3576", "url": "https://access.redhat.com/security/cve/CVE-2023-3576" }, { "title": "https://bugzilla.redhat.com/show_bug.cgi?id=2219340", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2219340" } ], "relativeImportance": "not yet assigned", "semver": { "vulnerable": [ "*" ] }, "severity": "medium", "severityWithCritical": "medium", "socialTrendAlert": false, "title": "Memory Leak", 
"upgradePath": [], "version": "4.5.0-6" } ] }, "created_at": 1697022058.1303988, "has_audit_package": true }